ENEE 457: E-Cash and Bitcoin


ENEE 457: E-Cash and Bitcoin
Charalampos (Babis) Papamanthou
cpap@umd.edu

Money today

Any problems?
o Cash is cumbersome and can be forged
o Credit card transactions
  o require centralized online bank
  o are not secure
  o can reveal private information to the bank
  o charge arbitrary fees

First attempt: E-cash, 1982
o Addressed mainly the privacy issue
o Still centralized
o Not that secure: double spending could still take place, but the attacker would be caught later

Main idea
o Unforgeability of cash via unforgeability of signatures
o To withdraw one e-coin
  o Alice picks a serial number x, asks the bank to sign x, and the e-coin is coin = (sig_sk(x), x)
  o Bank registers that x has been issued for Alice
o To pay Bob one e-coin to buy coffee
  o Alice sends coin to Bob
o To accept payment
  o Bob verifies signature in coin
o To deposit
  o Bob sends coin to the bank
  o Bank checks x and updates Bob's and Alice's $ amounts

What can go wrong?
o Bob can first deposit coin and then continue spending coin
o The coin that is propagated is useless
o Solution:
  o When Bob deposits coin, ask bank to sign x PK_bob, where PK_bob is a one-time PK for which only Bob knows SK_bob
  o When Bob needs to spend, he sends the coin sig_sk(x PK_A) and a sig under SK_bob stating "I, Bob, send this to Alice"
  o Note that this cannot be propagated anymore

But double-spending
o Bob can send coin to two different entities: double spending
o The only way to catch it: whenever you receive a payment, ask the bank whether the serial number is valid
o Oh, you are reintroducing the bank again (Bitcoin will help here)

Privacy problems of the above approach
o The flow of money
  o When you withdraw, the bank associates your real identity with PK_A
  o When someone deposits, bank sees PK_A, so bank knows who you are transacting with!
o Idea: Use blind signatures!
  o Get the bank to sign something without knowing what is being signed
  o After you receive the signature, retrieve the original signature
  o Possible with RSA (send x * r^e, sig is x^d * r, retrieve by dividing with r)
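The RSA blinding step and the bank's serial-number check, as an added Python example (not code from the lecture). The key is a constructed toy key built from two Mersenne primes, with textbook RSA and no padding or hashing; the Bank class and all function names are assumptions made here.

```python
import math
import secrets

# Constructed toy key for the bank: two Mersenne primes, textbook RSA with no
# padding or hashing. Far too small and too simple for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # bank's private exponent d

def blind(x):
    """Alice hides serial number x as x * r^e mod N; returns (blinded, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:          # r must be invertible mod N
            return (x * pow(r, E, N)) % N, r

def bank_sign(blinded):
    """Bank signs what it is shown: (x * r^e)^d = x^d * r mod N."""
    return pow(blinded, D, N)

def unblind(blind_sig, r):
    """Alice divides by r, leaving the ordinary signature x^d mod N."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(x, sig):
    """Anyone checks sig^e == x mod N with the bank's public key (N, E)."""
    return pow(sig, E, N) == x % N

class Bank:
    """Deposit side: accepts each validly signed serial number only once."""
    def __init__(self):
        self.spent = set()

    def deposit(self, x, sig):
        if not verify(x, sig) or x in self.spent:
            return False                 # forged coin or double spend
        self.spent.add(x)
        return True

def withdraw_and_spend(x):
    """Returns (what the bank saw at withdrawal, the coin, two deposit results)."""
    blinded, r = blind(x)
    sig = unblind(bank_sign(blinded), r)
    bank = Bank()
    return blinded, (sig, x), [bank.deposit(x, sig), bank.deposit(x, sig)]

if __name__ == "__main__":
    print(withdraw_and_spend(123456789))
```

The bank signs only the blinded value, so at deposit time it cannot link serial number x to the withdrawal, yet the second deposit of the same x is still refused.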

HOW DO YOU SOLVE DOUBLE SPENDING WITHOUT USING THE CENTRALIZED BANK?

November 2008

January 2009 today

Exciting technology underlying Bitcoin: Blockchain
o Distributed algorithms
o Cryptography
o Distributed consensus in practice, for the first time!
o Many applications, beyond cryptocurrencies!

But what is this blockchain?
[Figure: chain of blocks (Block 1, Block 2, Block 3); a block contains message 1, message 2, message 3, ..., message k]

Rule 1: Global read & rule-based write
[Figure: chain of blocks (Block 1, Block 2, Block 3); a block contains message 1, message 2, message 3, ..., message k]

Rule 2: Strict ordering of messages
[Figure: chain of blocks (Block 1 to Block 4); a block contains message 1, message 2, message 3, ..., message k]
o TX1: Bob sends 5 to Alice
o TX2: Alice sends 5 to Amazon
o TX3: George sends 6 to Tim

Rule 3: No message can be modified
[Figure: chain of blocks (Block 1 to Block 4); a block contains message 1, message 2, message 3, ..., message k]

How to implement this abstraction?
o Controlled by Amazon
  o Potentially no global read
  o Message modifications
  o Failures (not always up)
o Peer-to-peer network with state replication
  o Periodic consensus on a new block
  o Lots of results from distributed computing theory
  o To hack the system you need a lot of effort
www.blockchain.com

What else can we do with blockchains?
o Smart contracts (e.g., Ethereum)
o Do away with lawyers, trusted parties and escrows to enforce contracts!
o Bitcoin is the simplest contract: allow money flow from A to B only if A has enough balance
o But how about more complicated conditions?
www.etherscan.io

Bitcoin

What is Bitcoin?
o It is a decentralized payment system that allows its users to transfer value to each other with no central authority or third party involved.
o It has units of value which can be exchanged for real money.
o Bitcoin -> the system
o bitcoins -> the units of value

Bitcoin value
o Bitcoin market capital: approx. 114 billion USD (September 2018)
o Current price: 1 BTC = 6,599 USD

Bitcoin value

Bitcoin users
o Anyone can participate in the Bitcoin network
o Users are not registered by any authority
  Alice  PK (address): huk67h9fyg  SK: z4pxc2kkn3
  Bob    PK (address): p2pknb7frt  SK: n52hb9klp
o Bitcoin uses Elliptic Curve DSA signatures
o Looks like a random 257-bit number
o Easy to store/share as a QR code

Bitcoin transactions
  Alice  PK: huk67h9fyg  SK: z4pxc2kkn3
  Bob    PK: p2pknb7frt  SK: n52hb9klp
o Alice sends 1 to Bob

Bitcoin transactions
  Alice  PK: huk67h9fyg  SK: z4pxc2kkn3
  Bob    PK: p2pknb7frt  SK: n52hb9klp
o Transaction: huk67h9fyg sends 1 to p2pknb7frt

Bitcoin transactions
  Alice  PK: huk67h9fyg  SK: z4pxc2kkn3
  Bob    PK: p2pknb7frt  SK: n52hb9klp
o Transaction: huk67h9fyg sends 1 to p2pknb7frt
o What if? huk67h9fyg sends 1 to p2pknb7frt

Bitcoin transactions
o Based on digital signatures
  Alice  PK: huk67h9fyg  SK: z4pxc2kkn3
  Bob    PK: p2pknb7frt  SK: n52hb9klp
o Transaction: huk67h9fyg sends 1 to p2pknb7frt
o Signed under Alice's SK!
o A transaction is accepted only if the signature verifies

Bitcoin's three main components
o Network: How can we share transactions?
o Transaction Ledger: How do we check validity of transactions?
o Consensus: How can we agree on one global history of transactions?

Joining the Bitcoin P2P network
[Figure: peer-to-peer network of nodes numbered 1 to 8; labels: "Hello World! I'm ready to Bitcoin!", getaddr()]

Transaction propagation (flooding)
[Figure: nodes 1 to 8 relaying a new transaction (labelled "A B") to their peers; labels: "New tx!", "Already heard that!"]

Bitcoin's three main components
o Transaction Ledger: How do we check validity of transactions?
  o By storing a public history of all transactions ever!

Why do we need a transaction history?
[Figure: Alice and Bob; "Alice's account has 5"]

Why do we need a transaction history?
o Double-spending must be prevented!
[Figure: Alice, Bob and Charlie; "Alice's account has 5"]

Why do we need transaction history?
o Double-spending must be prevented!
o Traditional approach: ask the bank
[Figure: Alice and Bob; "Alice's account has 5"]

Why do we need transaction history?
o Double-spending must be prevented!
o Traditional approach: ask the bank
o Probably the most important problem with electronic currencies
o Who can we ask now?
[Figure: Alice and Bob; "Alice's account has 5"]

Transaction Ledger
o Stores every transaction and is used to check users' balances
  Time t:    Alice sends 1 to Bob; Alice sends 0.7 to Chris; Bob sends 1.2 to Dave
  Time t+1:  Dave sends 0.2 to Chris; Bob sends 1 to Carol

Transaction Ledger
o Stores every transaction and is used to check users' balances
  Time t:    Alice sends 1 to Bob; Alice sends 0.7 to Chris; Bob sends 1.2 to Dave
  Time t+1:  Dave sends 0.2 to Chris; Bob sends 1 to Carol
o Example
             Alice   Bob
  Time t     2       5

Transaction Ledger
o Stores every transaction and is used to check users' balances
  Time t:    Alice sends 1 to Bob; Alice sends 0.7 to Chris; Bob sends 1.2 to Dave
  Time t+1:  Dave sends 0.2 to Chris; Bob sends 1 to Carol
o Example
             Alice   Bob
  Time t     2       5
  Time t+1   0.3     4.8
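Replaying the ledger to derive balances and refuse a double spend, as an added Python example (not code from the lecture). It uses the slide's balances at time t and the three transactions of the time-t block; the double-spend list is constructed from the "Alice's account has 5" slides, and the function names are assumptions made here.

```python
from decimal import Decimal

def replay(balances, transactions):
    """Apply transactions in ledger order and reject any the payer cannot cover.
    Returns (final balances, list of rejected transactions)."""
    state = {user: Decimal(amount) for user, amount in balances.items()}
    rejected = []
    for tx in transactions:
        payer, amount, payee = tx
        value = Decimal(amount)
        if value <= 0 or state.get(payer, Decimal(0)) < value:
            rejected.append(tx)          # overspend: not valid on this history
            continue
        state[payer] -= value
        state[payee] = state.get(payee, Decimal(0)) + value
    return state, rejected

# Balances at time t and the time-t block from the slide. Amounts are strings
# so that Decimal keeps them exact (0.3, not 0.30000000000000004).
BALANCES_T = {"Alice": "2", "Bob": "5"}
BLOCK_T = [("Alice", "1", "Bob"), ("Alice", "0.7", "Chris"), ("Bob", "1.2", "Dave")]

# Constructed double spend: Alice holds 5 and pays it to both Bob and Charlie.
DOUBLE_SPEND = [("Alice", "5", "Bob"), ("Alice", "5", "Charlie")]

def accepted_payees(transactions):
    """Who actually gets paid when a node sees the transactions in this order."""
    _, rejected = replay({"Alice": "5"}, transactions)
    return [tx[2] for tx in transactions if tx not in rejected]

if __name__ == "__main__":
    print(replay(BALANCES_T, BLOCK_T)[0])
    print(accepted_payees(DOUBLE_SPEND), accepted_payees(DOUBLE_SPEND[::-1]))
```

Two nodes that hear the conflicting payments in opposite order each accept a different one, which is why a valid ledger is not enough without agreement on a single ordering.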

Transaction Ledger: Blockchain
  Block (Time t):    Alice sends 1 to Bob; Alice sends 0.7 to Chris; Bob sends 1.2 to Dave
  Block (Time t+1):  Dave sends 0.2 to Chris; Bob sends 1 to Carol
Required properties:
1) Append-only
2) Cannot revise existing blocks
3) Global
Who maintains it?
o The users themselves!
[Figure: network of nodes numbered 1 to 8]

Transaction Ledger: Bitcoin Blockchain
  Block (Time t):    Alice sends 1 to Bob; Alice sends 0.7 to Chris; Bob sends 1.2 to Dave
  Block (Time t+1):  Dave sends 0.2 to Chris; Bob sends 1 to Carol
Required properties:
1) Append-only
2) Cannot revise existing blocks
3) Global
Who maintains it?
o The users themselves!
o Miners: special types of users
[Figure: network of nodes numbered 1 to 8]

Bitcoin's three main components
o Consensus: How can we agree on one global history of transactions?

Who chooses the next block?
o Every transaction is broadcast to all users

Who chooses the next block?
o Every transaction is broadcast to all users
o Do we agree on this block for time t+1?
o Miners voting: majority wins
o Works well if majority of miners is honest!
[Figure: transaction "Jan sends 0.2 to Alice"; block for Time t+1 containing Alice sends 1 to Bob, Alice sends 0.7 to Chris, Bob sends 1.2 to Dave, Dave sends 0.2 to Chris; miners' votes: Yes, No, Yes, Yes, Yes]

Majority of what?
o What does majority mean in a system where everyone can participate?
o Sybils: Multiple identities belonging to the same (malicious) user
o Bitcoin solution: Majority is defined as the majority of computational power!

Consensus based on computational power
o Proof-of-work
o To measure a user's computational power, ask him to solve a puzzle:
  o puzzle should be difficult to solve, but
  o a solution should be easily verifiable
o The puzzle used in Bitcoin is based on the cryptographic hash function SHA256

Consensus based on computational power
o Proof-of-work
o To measure a user's computational power, ask him to solve a puzzle:
  o puzzle should be difficult to solve, but
  o a solution should be easily verifiable
o The puzzle used in Bitcoin is based on the cryptographic hash function SHA256
o Puzzle: Given small y (the target), find x such that SHA256(x) < y

How is a new block added?
Puzzle: Given small y find x such that SHA256(x) < y
1) Payer announces transaction
   o Alice broadcasts "Alice sends 1 to Bob" to the miners
2) Miners receive & check transaction
   o Pool of transactions not yet on the chain: v_1 = Dave sends 1 to Carol, v_2 = Bob sends 1 to Eve, ..., v_m = Alice sends 1 to Bob
3) Miners compete to solve puzzle
   o Find x such that SHA256(v_1, ..., v_m, Block t, x) < y
4) New block announcement
   o "I found a new block!" (Block B)
[Figure: blockchain at time t (Block t-1, Block t), with blocks containing Alice sends 1 to Bob, Alice sends 0.7 to Chris, Bob sends 1.2 to Dave, Dave sends 0.2 to Chris]

What if multiple miners solve the puzzle?
o Fork
o Longest chain (eventually) wins
[Figure: two miners each announce "I found a new block!" (labels: Block B, Block B); after Time t-1 and Time t there are two candidate new blocks for Time t+1, and one branch continues to Time t+2]

The rules of Nakamoto consensus
o All blocks must reference the previous blockchain header (append-only)
o All blocks must be well-formed (all included transactions are valid)
o Blocks must include a computational puzzle solution (mining is difficult)
o Longest chain is the true blockchain at any time
o New blocks mint X new Bitcoins that are awarded to the miner (mining is rewarding)
o Incentives should favor honest behavior
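The proof-of-work puzzle and the "reference the previous block" rule together, as an added Python example (not code from the lecture). The target, the "|" separator and the dictionary block layout are assumptions made here to mirror the slide's formula; Bitcoin itself applies SHA256 twice to an 80-byte block header.

```python
import hashlib

GENESIS = "0" * 64                # constructed placeholder for "no previous block"
TARGET = 1 << (256 - 16)          # constructed easy target y: 16 leading zero bits

def block_hash(prev_hash, txs, nonce):
    """SHA256(v_1, ..., v_m, previous block, x) read as a 256-bit integer."""
    data = "|".join([prev_hash, *txs, str(nonce)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def block_id(block):
    """Hex hash of a block; the next block stores it as its 'prev' field."""
    return format(block_hash(block["prev"], block["txs"], block["nonce"]), "064x")

def mine(prev_hash, txs, target=TARGET):
    """Brute-force x = 0, 1, 2, ... until the block hash falls below the target."""
    nonce = 0
    while block_hash(prev_hash, txs, nonce) >= target:
        nonce += 1
    return {"prev": prev_hash, "txs": list(txs), "nonce": nonce}

def build_chain(blocks_of_txs, target=TARGET):
    """Mine one block per transaction list, each referencing its predecessor."""
    chain, prev = [], GENESIS
    for txs in blocks_of_txs:
        block = mine(prev, txs, target)
        chain.append(block)
        prev = block_id(block)
    return chain

def valid_chain(chain, target=TARGET):
    """Verification costs one hash per block: check the link and the puzzle."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev:
            return False              # does not reference the previous block
        if block_hash(block["prev"], block["txs"], block["nonce"]) >= target:
            return False              # puzzle solution missing or invalidated
        prev = block_id(block)
    return True

if __name__ == "__main__":
    chain = build_chain([["Alice sends 1 to Bob", "Alice sends 0.7 to Chris"],
                         ["Dave sends 0.2 to Chris", "Bob sends 1 to Carol"]])
    print(valid_chain(chain))
    chain[0]["txs"][0] = "Alice sends 100 to Bob"   # try to rewrite history
    print(valid_chain(chain))
```

Editing an old block invalidates its puzzle solution and the link stored in every later block, so rewriting history means redoing the work for that block and all blocks after it.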

Transaction confirmation
o As a merchant, how long do you wait before you consider a transaction confirmed?
[Figure: Alice sends 5 to Bob; chain of blocks Time t, Time t+1, Time t+2, Time t+4]

Transaction confirmation
o As a merchant, how long do you wait before you consider a transaction confirmed?
[Figure: chain of blocks Time t, Time t+1, Time t+2, Time t+3, Time t+4, Time t+5 with a fork at Time t+2; "This chain includes a different transaction from Alice"]

Transaction confirmation
o As a merchant, how long do you wait before you consider a transaction confirmed?
o Security property of Nakamoto consensus: Exponential Convergence
  o Probability of forking decreases exponentially with # of subsequent blocks
o Heuristic rule enforced in practice: 6 blocks is safe (1 hour in real-world)
[Figure: Alice sends 5 to Bob; chain of blocks Time t to Time t+6]

Some numbers about Bitcoin
o 10 min. expected mining time per block
  o enforced by changing the target value y; currently 69+ leading 0's
o 1 Mb size of each block
o Total blocks mined so far ~543,000
o 100 M satoshis per bitcoin (smallest possible denomination)
o Current bitcoin reward 12.5 BTC (~443,000 USD)
  o (halved every 210,000 blocks; originally 50 BTC)
o ~21M total bitcoins maximum
  o expected to exhaust by year 2040
  o already mined ~80% of these

https://www.blockchain.com/explorer