ENEE 457: E-Cash and Bitcoin

Charalampos (Babis) Papamanthou

Money today

Any problems?

• Cash is cumbersome and can be forged
• Credit card transactions
  • require centralized online bank
  • are not secure
  • can reveal private information to the bank
  • charge arbitrary fees

First attempt: E-cash, 1982

• Addressed mainly the privacy issue

• Still centralized

• Not that secure: Double spending could still take place but the attacker would be caught later

Main idea
• Unforgeability of cash via unforgeability of signatures
• To withdraw one e-coin
  • Alice picks a serial number x, asks the bank to sign x, and the e-coin is coin = (sig_SK(x), x)
  • Bank registers that x has been issued for Alice
• To pay Bob one e-coin to buy coffee
  • Alice sends coin to Bob
• To accept payment
  • Bob verifies signature in coin
• To deposit
  • Bob sends coin to the bank
  • Bank checks x and updates Bob’s and Alice’s $ amounts

What can go wrong?
• Bob can first deposit coin and then continue spending coin
  • The coin that is propagated is useless
• Solution: When Bob deposits coin, ask the bank to sign
  • x||PK_bob, where PK_bob is a one-time PK for which only Bob knows the SK_bob
• When Bob needs to spend, he sends the coin sig_SK(x||PK_A) and a sig under SK_bob that “I, Bob, send this to Alice”
• Note that this cannot be propagated anymore

But…double-spending
• Bob can send coin to two different entities…
  • Double spending
• The only way to catch it is whenever you receive a payment, ask the bank whether the serial number is valid
  • Oh…you are reintroducing the bank again…
  • (Bitcoin will help here)

Privacy problems of the above approach
• The flow of money
  • When you withdraw, the bank associates your real identity with PK_A
  • When someone deposits, bank sees PK_A, so bank knows who you are transacting with!
• Idea: Use blind signatures!
  • Get the bank to sign something without knowing what is being signed
  • After you receive the signature, retrieve the original signature
  • Possible with RSA (send x * r^e, sig is x^d * r, retrieve by dividing with r)
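The withdraw, pay and deposit steps from the slides above with the RSA blinding step added, as an illustrative example that is not part of the original slides. The demo key, the Bank class, the account name and the hashing of x before signing are assumptions of this example.

```python
import hashlib
import math
import secrets

# Constructed demo key built from two Mersenne primes so the block runs offline.
# Not a safe key: real RSA primes are random and the modulus is >= 2048 bits.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # bank's secret exponent


def digest(serial: bytes) -> int:
    """Map the serial number x to an integer mod N (assumption: hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(serial: bytes) -> tuple:
    """Alice: return (x * r^e mod N, r) for a fresh random r coprime to N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return digest(serial) * pow(r, E, N) % N, r


def unblind(blind_sig: int, r: int) -> int:
    """Alice: divide x^d * r by r to recover the plain signature x^d."""
    return blind_sig * pow(r, -1, N) % N


def verify(serial: bytes, sig: int) -> bool:
    """Anyone (Bob, the bank): check sig^e == H(x) mod N."""
    return pow(sig, E, N) == digest(serial)


class Bank:
    def __init__(self):
        self.withdrawal_log = []  # (account, blinded value) seen when signing
        self.deposited = set()    # serial numbers already redeemed

    def sign_blinded(self, account: str, blinded: int) -> int:
        self.withdrawal_log.append((account, blinded))
        return pow(blinded, D, N)  # (x * r^e)^d = x^d * r mod N

    def deposit(self, serial: bytes, sig: int) -> str:
        if not verify(serial, sig):
            return "rejected: bad signature"
        if serial in self.deposited:
            return "rejected: double spend"
        self.deposited.add(serial)
        return "accepted"


def withdraw(bank: Bank, account: str) -> tuple:
    """Alice's side of a withdrawal; returns the coin (x, sig_SK(x))."""
    serial = secrets.token_bytes(16)
    blinded, r = blind(serial)
    return serial, unblind(bank.sign_blinded(account, blinded), r)


if __name__ == "__main__":
    bank = Bank()
    x, sig = withdraw(bank, "alice")
    print("Bob verifies coin:", verify(x, sig))
    print("first deposit:", bank.deposit(x, sig))
    print("second deposit:", bank.deposit(x, sig))
    print("bank saw H(x) or sig at withdrawal:",
          any(b in (digest(x), sig) for _, b in bank.withdrawal_log))
```

The bank's withdrawal log holds only the blinded value, so a deposited (x, sig) cannot be matched to an account by lookup; the double spend is still caught only when the coin reaches the bank.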

HOW DO YOU SOLVE DOUBLE SPENDING WITHOUT USING THE CENTRALIZED BANK?

November 2008

January 2009…today

Exciting technology underlying Bitcoin: Blockchain

• Distributed algorithms

• Cryptography

• Distributed consensus “in practice”, for the first time!

• Many applications, beyond cryptocurrencies!

But what is this blockchain?

[Figure: Block 1, Block 2, Block 3 holding message 1, message 2, message 3, …, message k]

Rule 1: Global read & rule-based write

[Figure: Block 1, Block 2, Block 3 holding message 1, message 2, message 3, …, message k]

Rule 2: Strict ordering of messages

[Figure: Block 1 to Block 4 holding message 1, message 2, message 3, …, message k, with these example messages:]
TX1: Bob sends 5 to Alice
TX2: Alice sends 5 to Amazon
TX3: George sends 6 to Tim

Rule 3: No message can be modified

[Figure: Block 1 to Block 4 holding message 1, message 2, message 3, …, message k]

How to implement this abstraction?

• Controlled by Amazon

• Potentially no global read

• Message modifications

• Failures (not always up)

• Peer-to-peer network with state replication

• Periodic consensus on a new block

• Lots of results from distributed computing theory

• To hack the system you need a lot of effort

www.blockchain.com

What else can we do with blockchains?

Smart contracts (e.g., Ethereum)
• Do away with lawyers, trusted parties and escrows to enforce contracts!

• Bitcoin is the simplest contract: Allow money flow from A to B only if A has enough balance

• But how about more complicated conditions?

www.etherscan.io

Bitcoin

What is Bitcoin?
➢ It is a decentralized payment system that allows its users to transfer value to each other with no central authority or third party involved. It has units of value which can be exchanged for “real money”.
• Bitcoin -> the system
• bitcoins -> the units of value

COMPE6311: Blockchain and Cryptocurrency Technologies

Bitcoin value
Bitcoin market capital: approx. 114 billion USD (September 2018)

Current price: 1 BTC = 6,599 USD

Bitcoin users
➤ Anyone can participate in the Bitcoin network
➤ Users are not registered by any “authority”
➤ Bitcoin uses Elliptic Curve DSA signatures
➤ Looks like a random 257-bit number
➤ Easy to store/share as a QR code
[Figure: Alice and Bob, each with a key pair; the PK is labelled “Address”]
Alice: PK hUK67H9fyg, SK z4Pxc2kKn3
Bob: PK p2Pknb7frT, SK n52Hb9Klp

Bitcoin transactions
Alice: PK hUK67H9fyg, SK z4Pxc2kKn3
Bob: PK p2Pknb7frT, SK n52Hb9Klp
Alice sends 1 to Bob
Transaction: hUK67H9fyg sends 1 to p2Pknb7frT
What if? hUK67H9fyg sends 1 to p2Pknb7frT [the same transaction text, shown a second time]
Signed under Alice’s SK!
A transaction is accepted only if the signature verifies
Based on digital signatures

Bitcoin’s three main components

Consensus: How can we agree on one global history of transactions?

Transaction Ledger: How do we check “validity” of transactions?

Network: How can we share transactions?

Joining the Bitcoin P2P network

[Figure: P2P network with nodes numbered 1 to 8. A joining node says “Hello World! I’m ready to Bitcoin!” and issues getaddr() requests; one reply lists nodes 1, 7.]

Transaction propagation (flooding)

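[Figure: P2P network with nodes numbered 1 to 8. One node announces “New tx! A→B” and the transaction A→B is passed along from node to node; a node that receives it again answers “Already heard that!”]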

Bitcoin’s three main components
Transaction Ledger: How do we check “validity” of transactions?
By storing a public history of all transactions ever!

Why do we need a transaction history?
[Figure: Alice, whose account has 5, with Bob and Charlie]
➤ Double-spending must be prevented!
➤ Traditional approach: ask the bank
Who can we ask now?
Probably the most important problem with electronic currencies

Transaction Ledger
➤ Stores every transaction and is used to check users’ balances

Example
Time t:
  Alice sends 1 to Bob
  Alice sends 0.7 to Chris
  Bob sends 1.2 to Dave
  ...
  Dave sends 0.2 to Chris
Time t+1:
  Bob sends 1 to Carol
  ...

Balances:
            Alice   Bob
  Time t    2       5
  Time t+1  0.3     4.8
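Replaying the ledger above to derive balances, as an added example that is not part of the original slides. It keeps the account-style balances the slides use, takes the four listed transactions as the whole of time t, and assumes Chris and Dave start at 0; the function names are this example's own.

```python
from decimal import Decimal

SATOSHIS_PER_BTC = 100_000_000  # integer units avoid float rounding


def sat(btc: str) -> int:
    """Convert a decimal BTC string to integer satoshis."""
    return int(Decimal(btc) * SATOSHIS_PER_BTC)


def replay(balances: dict, txs: list) -> tuple:
    """Apply (payer, payee, amount) transactions in ledger order.

    Returns (new_balances, rejected). A transaction is rejected when the
    payer's balance at that point in the order does not cover it.
    """
    state, rejected = dict(balances), []
    for payer, payee, amount in txs:
        if amount <= 0 or state.get(payer, 0) < amount:
            rejected.append((payer, payee, amount))
            continue
        state[payer] -= amount
        state[payee] = state.get(payee, 0) + amount
    return state, rejected


# Balances at time t as on the slide; Chris and Dave are assumed to start at 0.
AT_T = {"Alice": sat("2"), "Bob": sat("5")}
BLOCK_T = [
    ("Alice", "Bob", sat("1")),
    ("Alice", "Chris", sat("0.7")),
    ("Bob", "Dave", sat("1.2")),
    ("Dave", "Chris", sat("0.2")),
]

if __name__ == "__main__":
    at_t1, rejected = replay(AT_T, BLOCK_T)
    print({k: v / SATOSHIS_PER_BTC for k, v in at_t1.items()}, rejected)
    # Same transactions with Dave's payment moved first: he has nothing yet,
    # which is why the ledger needs a strict order.
    print(replay(AT_T, [BLOCK_T[3]] + BLOCK_T[:3])[1])
    # Alice offers her remaining 0.3 to both Bob and Charlie: only one clears.
    twice = [("Alice", "Bob", sat("0.3")), ("Alice", "Charlie", sat("0.3"))]
    print(replay(at_t1, twice)[1])
```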

Transaction Ledger: Bitcoin Blockchain
➤ Required properties:
  1) Append-only
  2) Cannot revise existing blocks
  3) Global
➤ Who maintains it?
  o The users themselves!
Miners: special types of users
[Figure: the ledger from the example (Time t: Alice sends 1 to Bob, Alice sends 0.7 to Chris, Bob sends 1.2 to Dave, Dave sends 0.2 to Chris; Time t+1: Bob sends 1 to Carol, ...), with each time step labelled “Block” and the whole labelled “Blockchain”, next to the network of nodes 1 to 8]

Bitcoin’s three main components

Consensus: How can we agree on one global history of transactions?

Who chooses the next block?
➤ Every transaction is broadcast to all users
➤ Do we agree on this block for time t+1?
  Alice sends 1 to Bob
  Alice sends 0.7 to Chris
  Bob sends 1.2 to Dave
  Dave sends 0.2 to Chris
  ...
  Jan sends 0.2 to Alice
Miners voting ➤ majority wins (votes shown: Yes, Yes, Yes, Yes, No)
Works well if majority of miners is honest!

Majority of what?
➤ What does majority mean in a system where everyone can participate?
Sybils: Multiple identities belonging to the same (malicious) user
➤ Bitcoin solution: Majority is defined as the majority of computational power!

Proof-of-work
Consensus based on computational power
To “measure” a user’s computational power ask him to solve a puzzle:
• puzzle should be difficult to solve
• but a solution should be easily verifiable
➤ The puzzle used in Bitcoin is based on the cryptographic hash function SHA256
Puzzle: Given “small” y (labelled “Target”), find x such that SHA256(x) < y

How is a new block added?
Puzzle: Given “small” y find x such that SHA256(x) < y
1) Payer announces transaction (Alice broadcasts “Alice sends 1 to Bob”)
2) Miners receive & check transaction
   Pool of transactions not yet on the chain (v1, v2, …, vm): Alice sends 1 to Bob, Bob sends 1 to Eve, ..., Dave sends 1 to Carol
3) Miners “compete” to solve puzzle
   Find x such that SHA256(v1,…,vm, Block_t, x) < y
4) New block announcement (“I found a new block!”, Block B)
[Figure: blockchain at time t (..., Block t-1, Block t), each block listing Alice sends 1 to Bob, Alice sends 0.7 to Chris, Bob sends 1.2 to Dave, ..., Dave sends 0.2 to Chris]

What if multiple miners solve the puzzle?
[Figure: two miners each announce “I found a new block!” (Block B and Block B’). After the blocks at times t-1 and t there are two candidates for new block t+1, which creates a fork; the chain then continues at time t+2.]
Longest chain (eventually) wins

The rules of Nakamoto consensus

➤ All blocks must reference the previous blockchain header
  • append-only
➤ All blocks must be well-formed
  • all included transactions are valid
➤ Blocks must include a computational puzzle solution
  • mining is difficult
➤ Longest chain is the “true” blockchain at any time
➤ New blocks mint X new Bitcoins that are awarded to the miner
  • mining is rewarding

Incentives should favor honest behavior
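The puzzle “find x such that SHA256(v1,…,vm, Block_t, x) < y” together with the reference-the-previous-block and longest-chain rules, as an added example that is not part of the original slides. The JSON encoding, the target value and all function names are assumptions of this example; Bitcoin's real block header format is different.

```python
import hashlib
import json

GENESIS = "0" * 64
TARGET = 1 << 244  # constructed "small" y: a valid hash has 12 leading zero bits


def puzzle_hash(prev: str, txs: list, x: int) -> int:
    """SHA256 over (v1..vm, previous block id, x), read as an integer."""
    data = json.dumps([txs, prev, x]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def block_id(block: dict) -> str:
    return format(puzzle_hash(block["prev"], block["txs"], block["x"]), "064x")


def mine(prev: str, txs: list, target: int = TARGET) -> dict:
    """Brute-force x until the hash falls below the target (hard to solve)."""
    x = 0
    while puzzle_hash(prev, txs, x) >= target:
        x += 1
    return {"prev": prev, "txs": txs, "x": x}


def valid_chain(chain: list, target: int = TARGET) -> bool:
    """Re-check every link and puzzle with one hash per block (easy to verify)."""
    prev = GENESIS
    for block in chain:
        h = puzzle_hash(block["prev"], block["txs"], block["x"])
        if block["prev"] != prev or h >= target:
            return False
        prev = format(h, "064x")
    return True


def longest_valid(chains: list, target: int = TARGET) -> list:
    """Longest-chain rule restricted to chains that pass validation."""
    valid = [c for c in chains if valid_chain(c, target)]
    return max(valid, key=len, default=[])


def build_chain(blocks_of_txs: list) -> list:
    chain, prev = [], GENESIS
    for txs in blocks_of_txs:
        block = mine(prev, txs)
        chain.append(block)
        prev = block_id(block)
    return chain


# Constructed sample transactions, reusing the names from the slides.
SAMPLE = [
    ["Alice sends 1 to Bob", "Alice sends 0.7 to Chris"],
    ["Bob sends 1.2 to Dave", "Dave sends 0.2 to Chris"],
    ["Bob sends 1 to Carol"],
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    print("hashes tried per block:", [b["x"] + 1 for b in chain])
    print("chain valid:", valid_chain(chain))
    edited = [dict(b) for b in chain]
    edited[0]["txs"] = ["Alice sends 100 to Mallory"]  # rewrite history
    print("edited chain valid:", valid_chain(edited))
```

Editing an old block changes its id, so the next block's reference no longer matches and every later block would have to be mined again.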

Transaction confirmation
➤ As a merchant, how long do you wait before you consider a transaction confirmed?
[Figure: “Alice sends 5 to Bob” is in the block at time t, followed by blocks at times t+1, t+2, … A fork appears with its own blocks (times t+2, t+3, …, t+5), labelled “This chain includes a different transaction from Alice”. In the last build the chain runs from time t to time t+6.]
➤ Security property of Nakamoto consensus: Exponential Convergence
  o Probability of forking decreases exponentially with # of subsequent blocks
➤ Heuristic rule enforced in practice: 6 blocks is safe (1 hour in real-world)

Some numbers about Bitcoin

➤ 10 min. expected mining time per block
  o enforced by changing the target value y; currently 69+ leading 0’s
➤ 1 Mb size of each block
➤ Total blocks mined so far ~543,000
➤ 100 M satoshis per bitcoin (smallest possible denomination)
➤ Current bitcoin reward 12.5 BTC (~443,000 USD)
  o (halved every 210,000 blocks; originally 50 BTC)
➤ ~21M total bitcoins maximum
  o expected to exhaust by year 2040
  o already mined ~80% of these…

https://www.blockchain.com/explorer