Bitcoin, a(lookunder(the(bonnet · Bitcoin as an Anti-Censorship Tool 5.2.2 Workflow As mentioned...
Transcript of Bitcoin, a(lookunder(the(bonnet · Bitcoin as an Anti-Censorship Tool 5.2.2 Workflow As mentioned...
Boris Škorić
Bitcoin, a look under the bonnet
ANP colloquium May 26, 2015
Outline
2
• Bitcoin 101 • Crypto - one-‐way func7ons - digital signatures
• Transac7ons • Mining
• Binding it all together • An7-‐censorship • Cau7onary notes
What this talk is NOT about
NOT:
• History of cryptocurrencies • Economics / poli7cs
• How to become rich
• How to aHack Bitcoin
3
Bitcoin 101
• Cryptocurrency - assets are purely digital - secret key gives access to "account" - crypto for proving ownership - crypto for signing transac7ons - crypto for crea7ng new money
• Decentralized - peer to peer communica7on
• "Block chain" - all transac7on history is public
4
Quick facts about Bitcoin
• Created in 2008 by "Satoshi Nakamoto" - open source - based on lots of prior work - but with unique combina7on of ingredients
• Accepted by > 105 merchants - easy (interna7onal) transfer of money
- PR value
• Current exchange rate: 1 bitcoin = 209 euro
5
Who is Satoshi Nakamoto?
Dorian S. Nakamoto? (Los Angeles, March 2014)
1 bitcoin = 108 Satoshi
There are many allega7ons
6
Concept #1: One-‐way hash func7on
"Cryptographic hash func9on"
• easy to compute
• very difficult to invert • low prob. of collisions • compressed & unique digest
input
fixed-‐size output
Example: SHA256
• arbitrary input size • output size 256 bits
10100...11010
7
Proof of work
hash
Given: some unpredictable stuff
Find out what to put here!
Hash value must sa>sfy a tough constraint, e.g. lie in a certain small range.
• Solving this problem costs a lot of trial & error => CPU 7me.
• Solu7ons are easily verified!
8
Concept #2: Digital signature
Main concept: key pair (a, A)
private key (secret)
public key
A can be computed from a; the reverse is difficult
a
hash
random r
hash
S σ = S(h,a,r)
h
V
A
V(h,σ,A) ∊ {yes,no}
Signing Signature verifica9on
h
Signature
9
Digital signatures
Successful verifica9on of signature proves two things
1. message integrity
2. authen7city
Anyone can verify a signature
- only the public key is needed
Only one person can generate signatures consistent with A - private key a is needed
Bla. Signed by mr A
"The holder of the private key confirms this message"
Signature
10
Bitcoin accounts
Choose your own key pair • public key is your "account number"
• private key gives access to account - prove that the account is yours: signature - confirming a payment: sign it
You can make as many accounts as you want, completely for free !
11
Bitcoin transac7ons
Transaction data structure
in 1 out 1
in 2 out 2
in M out N
...
...
"in" data: • payments to your account • each "in" data proves ownership
- digital signature - possibly different accounts
• each signature also covers all the "out" data
10 to Vercon
0.02 to Francesco
0.01 to Luigi
23000 to myself
Berlusconi
Al Capone
Don Corleone
Small transac2on fee: out < in
C.o.s.a.™
12
Transac7on: Script language
in#1# out#1#
in#2# out#2#
in#M# out#N#
...#
...#
in#1# out#1#
in#2# out#2#
in#M# out#N#
...#
...#
Challenge script
Response script
Parser 1. Execute Response script 2. Keep the stack 3. Execute Challenge script 4. Check if top of stack is True
Verifica9on
(Everybody can verify)
Pointer to specific output in some past transac>on
(past) (new)
The Script language is too expressive
• leads to implementa7on bugs
• many op7ons are now forbidden
yes/no
13
Allowed challenge script types
Type Prove knowledge of:
Pay to Pub.key private key
Pay to Pub.key hash pub.key & priv.key
Mul7sig n out of k private keys n,k heavily restricted
Nulldata -‐-‐-‐ 40 bytes arbitrary data; Max one Nulldata per transac7on
Pay to script hash challenge script + whatever it demands
Must be one of the above script types
14
peer-‐to-‐peer
Mining
Users Miners • Collect transac7ons • Signatures OK? • Fees OK? • Scripts OK? • Double spending? • Proof of work
...
We want to do these transac>ons:
hash
pointer to previous block
BLOCK
list of collected transac7ons
coinbase transac7on
Find out what to put here
should be smaller than target T
(simplified view)
T ≈ 2188
Lowered every 2016 blocks
15
Block chain
block chain
orphaned block
Incen9ves for the miner: • reward for proof of work, currently 25 BC • transac7on fees
The incen9ves stabilize the system • transac7on confirma7on mechanism brings reward
16
An7-‐censorship
Whole block chain must be visible • otherwise you cannot trust bitcoin • Difficult to censor!
How to write data into blockchain? • Control over data within transac7on • Plenty of op7ons!
Krzysztof Okupski MSc thesis, Dec. 2014:
"(Ab)using Bitcoin for an an>-‐censorship tool" • Bitcoin specifica7on document • open-‐source tool
17
Embedding data in transac7ons
74 (Ab)using Bitcoin as an Anti-Censorship Tool
5.2.2 Workflow
As mentioned before, there are two core functions that are implemented by the mes-saging system, the embedding of messages into the blockchain and their consecutiveextraction from the blockchain. In the following we will describe both functions in moredetail.
Embedding messagesThe process of embedding a message begins with reading it. Next it is compressed andthe embedding costs are estimated. The estimate is computed by building a transactionchain embedding the compressed data and calculating from it the transaction costs.After verification that the wallet holds su�cient funds, the process is continued.
In the next step the compressed data is embedded in a transaction chain. As the processis fairly complex, only a rough outline will be given. Firstly, two transactions are cre-ated and a pointer is set to the first transaction. Secondly, the optimal parameters arecalculated and the compressed data is embedded into the transaction in the followingorder - P2SH Multisig transaction input-output pairs, the Nulldata transaction outputand finally the budget split and budget claim. Note that the data will span over bothtransactions due to the inherent nature of scripts. Finally, if there is any remainingdata, then another transaction is added, the pointer is incremented and the last step isrepeated.
Figure 5.2: Transaction Structure with Embedded Data
The resulting structure after embedding data resembles the transaction chain depictedin Fig. 5.2. The first transaction has one transaction input that supplies the chain withfunds and marks the beginning of the chain. Then, the embedded data spans from thetransaction outputs of the first transaction to the transaction inputs of the last transac-tion. Finally, the last transaction has one transaction output that bundles the remainingfunds and marks the end of the chain.
During the embedding of messages into a transaction chain a trick is applied to ensurechaining between messages from the same sender. After the first message has been sent,
74 (Ab)using Bitcoin as an Anti-Censorship Tool
5.2.2 Workflow
As mentioned before, there are two core functions that are implemented by the mes-saging system, the embedding of messages into the blockchain and their consecutiveextraction from the blockchain. In the following we will describe both functions in moredetail.
Embedding messagesThe process of embedding a message begins with reading it. Next it is compressed andthe embedding costs are estimated. The estimate is computed by building a transactionchain embedding the compressed data and calculating from it the transaction costs.After verification that the wallet holds su�cient funds, the process is continued.
In the next step the compressed data is embedded in a transaction chain. As the processis fairly complex, only a rough outline will be given. Firstly, two transactions are cre-ated and a pointer is set to the first transaction. Secondly, the optimal parameters arecalculated and the compressed data is embedded into the transaction in the followingorder - P2SH Multisig transaction input-output pairs, the Nulldata transaction outputand finally the budget split and budget claim. Note that the data will span over bothtransactions due to the inherent nature of scripts. Finally, if there is any remainingdata, then another transaction is added, the pointer is incremented and the last step isrepeated.
Figure 5.2: Transaction Structure with Embedded Data
The resulting structure after embedding data resembles the transaction chain depictedin Fig. 5.2. The first transaction has one transaction input that supplies the chain withfunds and marks the beginning of the chain. Then, the embedded data spans from thetransaction outputs of the first transaction to the transaction inputs of the last transac-tion. Finally, the last transaction has one transaction output that bundles the remainingfunds and marks the end of the chain.
During the embedding of messages into a transaction chain a trick is applied to ensurechaining between messages from the same sender. After the first message has been sent,
74 (Ab)using Bitcoin as an Anti-Censorship Tool
5.2.2 Workflow
As mentioned before, there are two core functions that are implemented by the mes-saging system, the embedding of messages into the blockchain and their consecutiveextraction from the blockchain. In the following we will describe both functions in moredetail.
Embedding messagesThe process of embedding a message begins with reading it. Next it is compressed andthe embedding costs are estimated. The estimate is computed by building a transactionchain embedding the compressed data and calculating from it the transaction costs.After verification that the wallet holds su�cient funds, the process is continued.
In the next step the compressed data is embedded in a transaction chain. As the processis fairly complex, only a rough outline will be given. Firstly, two transactions are cre-ated and a pointer is set to the first transaction. Secondly, the optimal parameters arecalculated and the compressed data is embedded into the transaction in the followingorder - P2SH Multisig transaction input-output pairs, the Nulldata transaction outputand finally the budget split and budget claim. Note that the data will span over bothtransactions due to the inherent nature of scripts. Finally, if there is any remainingdata, then another transaction is added, the pointer is incremented and the last step isrepeated.
Figure 5.2: Transaction Structure with Embedded Data
The resulting structure after embedding data resembles the transaction chain depictedin Fig. 5.2. The first transaction has one transaction input that supplies the chain withfunds and marks the beginning of the chain. Then, the embedded data spans from thetransaction outputs of the first transaction to the transaction inputs of the last transac-tion. Finally, the last transaction has one transaction output that bundles the remainingfunds and marks the end of the chain.
During the embedding of messages into a transaction chain a trick is applied to ensurechaining between messages from the same sender. After the first message has been sent,
• Create 2^N accounts ⟹ N bits of info in account iden7fier
• Keep pumping ALL money through your accounts
• Pay to scripthash, with 1-‐out-‐of-‐14 mul7sig
Put informa9on in: • nulldata output • choice of 14 public keys
in challenge scripts • permuta7on of "in" w.r.t. "out" • splitup of the budget
(combinatorics: "composi7on") • signatures
Addi9onal tricks: • text only • reduced character set • compression
Fees: 16 Satoshi per embedded byte
18
Reading data from transac7ons
Reading is not dangerous • Anybody can read the blockchain • You don't even have to be part of the P2P network • What you need to know:
- where to look - how to parse
19
Remarks (1/2)
Black market, crime, etc. • Public keys are pseudonyms
• But: full history is visible; exchange knows your iden7ty • Special effort needed for laundering/mixing/anonymizing
TheX • ∃ specialized bitcoin-‐stealing malware
• Store private keys offline
• Use private keys offline (air gap)
Supposedly decentralized, but ... • Small number of en77es dominates mining
• Chinese mining farms
20
Remarks (2/2)
Bitcoin crypto seems flawless • That's a first.
Bitcoin is cluZered • scripts instead of fixed flowchart • too many transac7on types
• ....
Mining is a tremendous waste of energy • Nothing useful is created, only "art" • Find beHer confirma7on mechanism
21
Summary
22
Well designed system basics • stabilizing incen7ves • solid crypto
A look under Bitcoin's bonnet • one-‐way hashes • signed transac7ons • proofs of work • meshed together in the block chain
An9-‐censorship • embed data in transac7ons
• cost = fees: ≈16 Satoshi/byte