How Bitcoin achieves Decentralization. How Bitcoin achieves Decentralization

Similar documents
Distributed Coordination! Distr. Systems: Fundamental Characteristics!

Lecture 3. Introduction to Cryptocurrencies

How Bitcoin Achieves Decentralization

Blockchain, Cryptocurrency, Smart Contracts and Initial Coin Offerings: A Technical Perspective

ENEE 457: E-Cash and Bitcoin

Bitcoin and Cryptocurrency Technologies. Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, Steven Goldfeder

Chapter 13. Digital Cash. Information Security/System Security p. 570/626

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Blockchain. CS 240: Computing Systems and Concurrency Lecture 20. Marco Canini

Problem: Equivocation!

Consensus & Blockchain

Bitcoin and Blockchain

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Bitcoin. CS6450: Distributed Systems Lecture 20 Ryan Stutsman

Computer Security. 14. Blockchain & Bitcoin. Paul Krzyzanowski. Rutgers University. Spring 2019

Distributed Algorithms Bitcoin

University of Duisburg-Essen Bismarckstr Duisburg Germany HOW BITCOIN WORKS. Matthäus Wander. June 29, 2011

SpaceMint Overcoming Bitcoin s waste of energy

Coordination 1. To do. Mutual exclusion Election algorithms Next time: Global state. q q q

BYZANTINE CONSENSUS THROUGH BITCOIN S PROOF- OF-WORK

Coordination and Agreement

Smalltalk 3/30/15. The Mathematics of Bitcoin Brian Heinold

Applied cryptography

Ensimag - 4MMSR Network Security Student Seminar. Bitcoin: A peer-to-peer Electronic Cash System Satoshi Nakamoto

Distributed Systems. coordination Johan Montelius ID2201. Distributed Systems ID2201

Security (and finale) Dan Ports, CSEP 552

Bitcoin, Security for Cloud & Big Data

TOPPERCASH TOPPERCASH WHITEPAPER REFORM THE BEST OF BLOCKCHAIN

Introduction to Cryptoeconomics

Introduction to Cryptocurrency Ecosystem. By Raj Thimmiah

Biomedical Security. Some Security News 10/5/2018. Erwin M. Bakker

Transactions as Proof-of-Stake! by Daniel Larimer!

Biomedical Security. Cipher Block Chaining and Applications

Biomedical and Healthcare Applications for Blockchain. Tiffany J. Callahan Computational Bioscience Program Hunter/Kahn Labs

P2P BitCoin: Technical details

Introduction to Bitcoin I

CS 251: Bitcoin and Crypto Currencies Fall 2015

Whitepaper Rcoin Global

Who wants to be a millionaire? A class in creating your own cryptocurrency

Alternatives to Blockchains. Sarah Meiklejohn (University College London)

Process groups and message ordering

Verteilte Systeme/Distributed Systems Ch. 5: Various distributed algorithms

BITCOIN MECHANICS AND OPTIMIZATIONS. Max Fang Philip Hayes

Several of these problems are motivated by trying to use solutiions used in `centralized computing to distributed computing

Let's build a blockchain!

Clock Synchronization. Synchronization. Clock Synchronization Algorithms. Physical Clock Synchronization. Tanenbaum Chapter 6 plus additional papers

As a 3rd generation currency, not only are transactions secured, private and fast, you actually get paid for holding DigitalPrice coins.

Blockchains & Cryptocurrencies

Proof of Stake Made Simple with Casper

hard to perform, easy to verify

Bitcoin, a decentralized and trustless protocol

Algorand: Scaling Byzantine Agreements for Cryptocurrencies

SCP: A Computationally Scalable Byzantine Consensus Protocol for Blockchains

Proof-of-Work & Bitcoin

CONSENSUS PROTOCOLS & BLOCKCHAINS. Techruption Lecture March 16 th, 2017 Maarten Everts (TNO & University of Twente)

Event Ordering Silberschatz, Galvin and Gagne. Operating System Concepts

Technical White Paper of. MOAC Mother of All Chains. June 8 th, 2017

BITCOIN PROTOCOL & CONSENSUS: A HIGH LEVEL OVERVIEW

CSE 486/586 Distributed Systems

PROCESS SYNCHRONIZATION

Analyzing Bitcoin Security. Philippe Camacho

EECS 498 Introduction to Distributed Systems

Algorithms and protocols for distributed systems

Radix - Public Node Incentives

Zero-Knowledge proof of knowledge transfer. Perm summer school on blockchain 2018

CS455: Introduction to Distributed Systems [Spring 2018] Dept. Of Computer Science, Colorado State University

What is Proof of Work?

Ergo platform. Dmitry Meshkov

Mutual Exclusion. A Centralized Algorithm

Anupam Datta CMU. Fall 2015

Distributed Synchronization. EECS 591 Farnam Jahanian University of Michigan

REM: Resource Efficient Mining for Blockchains

Bitcoin (and why it uses SO much energy)

CRUDE COINS.

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

CS 455: INTRODUCTION TO DISTRIBUTED SYSTEMS [DISTRIBUTED MUTUAL EXCLUSION] Frequently asked questions from the previous class survey

Bitcoin (Part I) Ken Calvert Keeping Current Seminar 22 January Keeping Current 1

Security Analysis of Bitcoin. Dibyojyoti Mukherjee Jaswant Katragadda Yashwant Gazula

Mutual Exclusion in DS

On the impact of propogation delay on mining rewards in Bitcoin. Xuan Wen 1. Abstract

The security and insecurity of blockchains and smart contracts

Software Security. Final Exam Preparation. Be aware, there is no guarantee for the correctness of the answers!

Lecture 9. Anonymity in Cryptocurrencies

Formally Specifying Blockchain Protocols

SmartPool: practical decentralized pool mining. Loi Luu, Yaron Velner, Jason Teutsch, and Prateek Saxena August 18, 2017

Chapter 16: Distributed Synchronization

CS 251: Bitcoin and Cryptocurrencies Fall 2016

Distributed Mutual Exclusion

Blockchain Certification Protocol (BCP)

Anupam Datta CMU. Spring 2017

I. Introduction. II. Security, Coinage and Attacks

Chapter 18: Distributed

Reliability, distributed consensus and blockchain COSC412

Hybrid Consensus. Tai-Ning Liao, Xian-Ming Pan, Zhao-Heng Chiu, Imu Lin 1/65

Distributed Systems 8L for Part IB

Concurrency: Mutual Exclusion and Synchronization

A Gentle Introduction To Bitcoin Mining

Advanced Topics in Distributed Systems. Dr. Ayman A. Abdel-Hamid. Computer Science Department Virginia Tech

Bitcoin. Arni Par ov. December 17, 2013

Proof-of-Stake Protocol v3.0

Transcription:

Centralization vs. Decentralization Distributed Consensus Consensus without Identity, using a Block Chain Incentives and Proof of Work Putting it all together Centralization vs. Decentralization Distributed Consensus Consensus without Identity, using a Block Chain Incentives and Proof of Work Putting it all together 1

Simple Example: Mutual Exclusion (*) Recall: Mutual exclusion in shared-memory systems: bool lock; /* init to FALSE */ while (TRUE) { while (TestAndSet(lock)) no_op; critical section; lock = FALSE; remainder section; } Distributed Mutual Exclusion (D.M.E.): Centralized Approach (*) P 1 P 2 P 3 1 2 3 coordinator 1. Send request message to coordinator to enter critical section (C.S.) 2. If C.S. is free, the coordinator sends a reply message. Otherwise it queues request and delays sending reply message until C.S. becomes free. 3. When leaving C.S., send a release message to inform coordinator. Characteristics: ensures mutual exclusion service is fair small number of messages required fully dependent on coordinator 2

D.M.E.: Fully Distributed Approach (*) Basic idea: Before entering C.S., ask and wait until you get permission from everybody else. request(p i,ts) reply P i Upon receipt of a message request(p j, TS j ) at node P i : 1. if P i does not want to enter C.S., immediately send a reply to P j. 2. if P i is in C.S., defer reply to P j. 3. if P i is trying to enter C.S., compare TS i with TS j. If TS i > TS j (i.e. P j asked first ), send reply to P j ; otherwise defer reply. Fully Distributed Approach: Example (*) Scenario: P 1 and P 3 want to enter C.S. P 1 P 2 P 3 req(p 1,10) Enter C.S. reply req(p 1,10) req(p 3,4) reply reply req(p 3,4) reply Enter C.S. 3

D.M.E. Fully Distributed Approach (*) The Good: ensures mutual exclusion P i deadlock free starvation free number of messages per critical section: 2(n-1) The Bad: The processes need to know identity of all other processes involved ( join & leave protocols needed) The Ugly: One failed process brings the whole scheme down! D.M.E.: Token-Passing Approach (*) token P i logical ring Token is passed from process to process (in logical ring) Only process owning a token can enter C.S. After leaving the C.S., token is forwarded Characteristics: mutual exclusion guaranteed no starvation number of messages per C.S. varies Problems: Process failure (new logical ring must be constructed) Loss of token (new token must be generated) 4

Just for Fun: Recovering Lost Tokens (**) Solution: use two tokens! When one token reaches P i, the other token has been lost if the token has not met the other token since last visit and P i has not been visited by other token since last visit. Algorithm: uses two tokens, called ping and pong int nping = 1; /*invariant: nping+npong = 0 */ int npong = -1; each process keeps track of value of last token it has seen. int m = 0; /* value of last token seen by Pi */ Ping-Pong Algorithm (**) upon arrival of ( ping, nping) if (m == nping) { /* pong is lost! generate new one. */ nping = nping + 1; pong = - nping; } else { m = nping; } when tokens meet upon arrival of ( pong, npong) if (m == npong) { /* ping is lost! generate new one. */ npong = npong - 1; ping = - npong; } else { m = npong; } nping = nping + 1; npong = npong - 1; 5

Centralization vs. Decentralization Distributed Consensus Consensus without Identity, using a Block Chain Incentives and Proof of Work Putting it all together Distributed Consensus Distributed Consensus: Given n nodes that each have an input value. Some of these nodes are malicious. A distributed consensus protocol has the following two properties: 1. It must terminate with all honest nodes in agreement on the value. 2. The value must have been generated by an honest node. 6

Distributed Consensus in a Cryptocurrency signed by Alice Pay to pk Bob : H( ) Alice broadcasts transaction to entire currency network! The peer-to-peer nodes need consensus on: which transaction were broadcast order in which these transactions were broadcast Consensus on Order?! (*) (But, we don t have a global time!?) What can go wrong if we don t agree on order (in general, not in Bitcoin): client Obj1 Obj2 deposit confirm Solution: Timestamps withdraw Q: What is a Timestamp? A1: A random number A2: maybe a bit more than that... 7

Happened-Before Ordering of Events (*) Happened-Before relation: (Lamport 1978) Absence of central time means: no notion of happened-when (no total ordering of events) But can generate a happened-before notion (partial ordering of events) P i a b Event a happened-before Event b. (a -> b) P i P j a Event a happened-before Event b. (a -> b) b P i a b c P j Event a happened-before Event c. (a -> c) (transitivity) Happened-Before Ordering (2) (*) Q: What when no happened-before relation exists between two events? A: The two events are concurrent. P i a x? d P j b y c Events x and y are concurrent. 8

Happened-Before compliant Timestamps (*) Clock Condition if a -> b then TS(a) < TS(b) P i a b TS i (a) < TS i (b) TS i (b) < TS j (c) P j c Happened-Before compliant Clocks (*) Timestamps are generated by local clocks. Feel free to initialize local clock to some random number. Rule 1: increment C i after every local event. C i a C i+1 Rule 2: timestamp outgoing messages with current local clock C. i C i a C i+1 TS = C i Rule 3: Upon receiving message with timestamp TS, update local clock C j to be C j = max (C j, TS+1) C j TS C j = max(c j,ts+1) 9

Tie back to Cryptocurrencies signed by Donald Pay to pk Alice : H( ) signed by Pluto Pay to pk Donald : H( ) signed by Alice Pay to pk Bob : H( ) signed by Mickey Pay to pk Pluto : H( ) How Consensus could work in Bitcoin At any given time: All nodes have a sequence of blocks of transactions they have reached consensus on Each node has a set of outstanding transactions it has heard about 10

How Consensus could work in Bitcoin Consensus protocol OK to select any valid block, even if proposed by only one node Consensus is hard! Nodes may crash Nodes may be malicious (Byzantine behaviour) Network is imperfect Not all pairs of nodes connected Faults in network Latency; no global time 11

Bitcoin Consensus: Theory & Practice Bitcoin consensus works better in practice than in theory. Theory is still catching up. BUT theory is important, can help predict unforeseen attacks. Things Bitcoin does differently Introduces incentives Possible only because it s a currency! Embraces randomness Does away with the notion of a specific end-point Consensus happens over long time scales about 1 hour 12

Centralization vs. Decentralization Distributed Consensus Consensus without Identity, using a Block Chain Incentives and Proof of Work Putting it all together Consensus without Identities Why identity? Pragmatic: some protocols need node IDs Security: assume less than 50% malicious Why don t Bitcoin nodes have identities? Identities are hard in P2P systems Sybil attacks Pseudonymity is a goal of Bitcoin 13

Consensus Algorithm (simplified) 1. New transactions are broadcast to all nodes 2. Each node collects new transactions into a block 3. In each round a random node gets to broadcast its block 4. Other nodes accept the block only if all transactions in it are valid (unspent, valid signatures) 5. Nodes express their acceptance of the block by including its hash in the next block they create What can a Malicious Node do? Stealing Bitcoins: Stealing another user s coins would require to forge the owner s signature Denial-of-Service: Alice wants to prevent Bob s transactions from being included in block chain. Alice may prevent for one or more rounds. Eventually, honest node will be picked, who will include Bob s transaction in proposed block. Double-Spend Attack: Alice purchases service from Bob and pays in coins. Alice creates transaction and broadcasts it to the network. Later, Alice attempts to pay same coin to one of her accounts. 14

Double-Spend Attack C A B signed by A Pay to pk B : H( ) signed by A Pay to pk A : H( ) C A A Honest nodes will extend the longest valid branch From Merchant Bob s Perspective 1 confirmation 3 confirmations C A B C A A Hear about C A B transaction 0 confirmations double-spend attempt Double-spend probability decreases exponentially with # of confirmations. Most common heuristic: 6 confirmations 15

Recap Protection against invalid transactions is cryptographic, but enforced by consensus Protection against double-spending is purely by consensus You are never 100% sure a transaction is in consensus branch. Guarantee is probabilistic. Centralization vs. Decentralization Distributed Consensus Consensus without Identity, using a Block Chain Incentives and Proof of Work Putting it all together 16

Assumption of Honesty is problematic Q: Can we give nodes incentives for behaving honestly? Can we penalize the node that created this block? Can we reward nodes that created these blocks? Everything so far is just a distributed consensus protocol. But now we utilize the fact that the currency has value. Two Types of Incentives Incentive Type 1: Block Reward Incentive Type 2: Transaction Fees 17

Incentive 1: Block Reward Creator of block gets to 1. include special coin-creation transaction in the block 2. choose recipient address of this transaction (typically creator) Value is fixed: currently 25 BTC, halves every 4 years The Catch: Block creator gets to collect the reward only if the block ends up on long-term consensus branch! Note: This is the only way to create new Bitcoins! There is a finite Supply of Bitcoins Total supply: 21 million Total bitcoins in circulation First inflection point: reward halved from 50BTC to 25BTC Year Block reward is how new bitcoins are created. Runs out in 2040. No new bitcoins unless rules change. 18

Incentive 2: Transaction Fees Creator of transaction can choose to make output value less than input value. Remainder is a transaction fee and goes to block creator. Purely voluntary, like a tip. Transaction fees become increasingly important, as block rewards start running out. It is a bit unclear how this all will work out. Ongoing research! Three Remaining Problems 1. How to pick a random node? 2. How to avoid a free-for-all due to rewards? 3. How to prevent Sybil attacks? 19

Selecting a Random Node: Proof of Work To approximate selecting a random node: Select nodes in proportion to a resource that no one can monopolize (we hope) In proportion to computing power: proof-of-work In proportion to ownership: proof-of-stake Proof-of-Work: Hash Puzzles To create block, find nonce such that H(nonce prev_hash tx tx) is very small. nonce prev_h Output space of hash Target space If hash function is secure: only way to succeed is to try enough nonces until you get lucky 20

The 3 necessary Properties of Proof-of-Work Property 1: Must be (moderately) difficult to compute Property 2: The Cost must be parameterizable Property 3: Must be trivial to verify Property 1: Difficult to compute It takes about 2^32 * Difficulty to find a block. Only some nodes bother to compete: Miners 21

Property 2: Parameterizable Cost Nodes automatically re-calculate the target every 2016 blocks (about every two weeks). Goal: average time between blocks = 10 minutes Adjust difficulty to meet 10-minute goal. When will I get my Bitcoins? Probability density 10 minutes For individual miner: mean time to find block = 10 minutes fraction of hash power Time to next block (entire network) 22

Property 3: Trivial to Verify Nonce is published as part of block. Other miners simply verify that H(nonce prev_hash tx tx) < target Centralization vs. Decentralization Distributed Consensus Consensus without Identity, using a Block Chain Incentives and Proof of Work Putting it all together 23

Economics of Mining If mining reward > mining cost then miner makes a profit where mining reward = block reward + tx fees mining cost = hardware cost + operating costs (electricity, cooling, etc.) Complications: fixed vs. variable costs reward depends on global hash rate Cost in US$ vs. reward in Bitcoins Being an honest miner is not provably optimal! We need Three Types of Consensus 1. Consensus on Value 2. Consensus on State 3. Consensus on Rules 24

Bootstrapping a Cryptocurrency security of block chain health of mining ecosystem value of currency What about the 51% Attacker Scenario?! Steal coins from existing address? Suppress some transactions? From the block chain From the P2P network Change the block reward? Destroy confidence in Bitcoin? 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback