ENEE 457: E-Cash and Bitcoin
Money today
Any problems?
• Cash is cumbersome and can be forged
• Credit card transactions
  • require a centralized online bank
  • are not secure
  • can reveal private information to the bank
  • charge arbitrary fees
First attempt: E-cash, 1982
• Addressed mainly the privacy issue
• Still centralized
• Not that secure: Double spending could still take place but the attacker would be caught later
Main idea
• Unforgeability of cash via unforgeability of signatures
• To withdraw one e-coin
  • Alice picks a serial number x, asks the bank to sign x, and the e-coin is coin = (sig_SK(x), x)
  • Bank registers that x has been issued for Alice
• To pay Bob one e-coin to buy coffee
  • Alice sends coin to Bob
• To accept payment
  • Bob verifies the signature in coin
• To deposit
  • Bob sends coin to the bank
  • Bank checks x and updates Bob’s and Alice’s $ amounts
What can go wrong?
• Bob can first deposit coin and then continue spending coin
  • The coin that is propagated is useless
• Solution: When Bob deposits coin, ask the bank to sign x||PK_bob, where PK_bob is a one-time PK for which only Bob knows the SK_bob
  • When Bob needs to spend, he sends the coin sig_SK(x||PK_A) and a signature under SK_bob that “I, Bob, send this to Alice”
  • Note that this cannot be propagated anymore
But…double-spending
• Bob can send coin to two different entities…
  • Double spending
• The only way to catch it is whenever you receive a payment, ask the bank whether the serial number is valid
  • Oh…you are reintroducing the bank again…
  • (Bitcoin will help here)
Privacy problems of the above approach
• The flow of money
  • When you withdraw, the bank associates your real identity with PK_A
  • When someone deposits, the bank sees PK_A, so the bank knows who you are transacting with!
• Idea: Use blind signatures!
  • Get the bank to sign something without knowing what is being signed
  • After you receive the signature, retrieve the original signature
  • Possible with RSA (send x * r^e, the sig is x^d * r, retrieve x^d by dividing by r)
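The withdraw / pay / deposit flow above, with the RSA blinding trick and a serial-number registry that catches a double spend at deposit time, as an added Python example (this is not code from the lecture). Assumptions: the toy RSA modulus uses two small well-known primes; the bank signs a SHA-256 digest of the serial number reduced mod N rather than the raw serial x; the bank's "registry" is an in-memory set.

```python
# Added example (not from the lecture): a toy e-cash bank that issues coins with
# RSA blind signatures and catches double spending when a coin is deposited twice.
# The key material is constructed for illustration only.
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key (assumption): two small, well-known primes.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # bank's private exponent (Python >= 3.8)


def h(serial: int) -> int:
    """Map the serial number into Z_N (assumption: the bank signs a digest, not raw x)."""
    digest = hashlib.sha256(serial.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % N


class Bank:
    def __init__(self):
        self.spent = set()       # serial numbers already deposited
        self.balances = {}

    def blind_sign(self, blinded: int) -> int:
        # (x * r^e)^d = x^d * r (mod N): the bank never learns x, only the blinded value
        return pow(blinded, D, N)

    def deposit(self, payee: str, coin) -> str:
        serial, sig = coin
        if pow(sig, E, N) != h(serial):
            return "rejected: bad signature"
        if serial in self.spent:
            return "rejected: double spend detected"   # same serial seen a second time
        self.spent.add(serial)
        self.balances[payee] = self.balances.get(payee, 0) + 1
        return "accepted"


def withdraw(bank: Bank):
    """Alice picks serial x, blinds it with random r, gets it signed, and unblinds."""
    x = secrets.randbits(128)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (h(x) * pow(r, E, N)) % N        # send x * r^e
    blinded_sig = bank.blind_sign(blinded)     # receive x^d * r
    sig = (blinded_sig * pow(r, -1, N)) % N    # divide by r to recover x^d
    return (x, sig)


def verify_coin(coin) -> bool:
    """Bob checks the bank's signature offline before accepting the payment."""
    serial, sig = coin
    return pow(sig, E, N) == h(serial)


def demo():
    bank = Bank()
    coin = withdraw(bank)
    accepted_by_bob = verify_coin(coin)
    first = bank.deposit("Bob", coin)      # Bob deposits the coin he received
    second = bank.deposit("Carol", coin)   # the same coin was also given to Carol
    return accepted_by_bob, first, second
```

Note what the registry does and does not give you: the bank cannot link the deposited serial to Alice's withdrawal (it only ever saw the blinded value), yet the second deposit of the same serial is still refused. What the bank cannot do is tell which of Bob or Carol was cheated, which is exactly the gap the rest of the lecture is about.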
HOW DO YOU SOLVE DOUBLE SPENDING WITHOUT USING THE CENTRALIZED BANK?
November 2008
January 2009…today
Exciting technology underlying Bitcoin: Blockchain
• Distributed algorithms
• Cryptography
• Distributed consensus “in practice”, for the first time!
• Many applications, beyond cryptocurrencies!
But what is this blockchain?
[Figure: a chain of blocks, Block 1, Block 2, Block 3, …; each block holds an ordered list message 1, message 2, message 3, …, message k]
Rule 1: Global read & rule-based write
Rule 2: Strict ordering of messages
  TX1: Bob sends 5 to Alice
  TX2: Alice sends 5 to Amazon
  TX3: George sends 6 to Tim
Rule 3: No message can be modified
How to implement this abstraction?
• Controlled by Amazon
  • Potentially no global read
  • Message modifications
  • Failures (not always up)
• Peer-to-peer network with state replication
  • Periodic consensus on a new block
  • Lots of results from distributed computing theory
  • To hack the system you need a lot of effort
www.blockchain.com
What else can we do with blockchains?
Smart contracts (e.g., Ethereum)
• Do away with lawyers, trusted parties and escrows to enforce contracts!
• Bitcoin is the simplest contract: Allow money flow from A to B only if A has enough balance
• But how about more complicated conditions?
www.etherscan.io
What is Bitcoin?
➢ Bitcoin is a decentralized payment system that allows its users to transfer value to each other with no central authority or third party involved. It has units of value which can be exchanged for “real money”.
• Bitcoin -> the system
• bitcoins -> the units of value
COMPE6311: Blockchain and Cryptocurrency Technologies
Bitcoin value
Bitcoin market capital: approx. 114 billion USD (September 2018)
Current price: 1 BTC = 6,599 USD
Bitcoin users
➤ Anyone can participate in the Bitcoin network
➤ Users are not registered by any “authority”
➤ Bitcoin uses Elliptic Curve DSA signatures
➤ Address: looks like a random 257-bit number
➤ Easy to store/share as a QR code
[Figure: Alice (PK: hUK67H9fyg, SK: z4Pxc2kKn3) and Bob (PK: p2Pknb7frT, SK: n52Hb9Klp), each with an address]
Bitcoin transactions
[Figure: Alice (PK: hUK67H9fyg, SK: z4Pxc2kKn3) and Bob (PK: p2Pknb7frT, SK: n52Hb9Klp)]
Alice sends 1 to Bob
Transaction: hUK67H9fyg sends 1 to p2Pknb7frT
What if? (the same transaction, hUK67H9fyg sends 1 to p2Pknb7frT, appears again)
Signed under Alice’s SK!
A transaction is accepted only if the signature verifies
Based on digital signatures
Bitcoin’s three main components
Consensus: How can we agree on one global history of transactions?
Transaction Ledger: How do we check “validity” of transactions
Network: How can we share transactions?
Joining the Bitcoin P2P network
[Figure: eight peers (1–8); the new peer announces “Hello World! I’m ready to Bitcoin!”, sends getaddr() to the peers it knows, and receives the addresses of further peers (e.g., 1, 7)]
Transaction propagation (flooding)
[Figure: eight peers (1–8); one peer announces “New tx! A→B”, every peer relays A→B to its neighbors, and a peer that receives it a second time answers “Already heard that!”]
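The two slides above (getaddr() bootstrap and flooding with duplicate suppression) as an added Python simulation; this is not code from the lecture, and the 8-peer topology is constructed because the figure does not give the edges. A peer that has already seen a transaction drops the repeat, which is what makes the flood terminate.

```python
# Added example (not from the lecture): bootstrap via getaddr() and flood a
# transaction over a constructed 8-peer topology, counting relays and drops.
from collections import deque

# Constructed topology (assumption): peer -> list of neighbors, undirected.
TOPOLOGY = {
    1: [2, 7], 2: [1, 3, 6], 3: [2, 4], 4: [3, 5, 8],
    5: [4, 6], 6: [2, 5, 7], 7: [1, 6, 8], 8: [4, 7],
}


def join(topology: dict, newcomer: int, seed: int) -> list:
    """Like the slide's getaddr(): connect to `seed`, ask it for peers, connect to those too."""
    learned = [seed] + list(topology[seed])   # seed's answer to getaddr()
    topology[newcomer] = learned
    for peer in learned:
        topology[peer].append(newcomer)
    return learned


def flood(topology: dict, origin: int, tx: str):
    """Flood `tx` from `origin`. Returns (peers holding tx, messages sent, duplicates dropped)."""
    have = {origin: tx}      # peers that already hold the tx; the origin created it
    sent = 0                 # each relay hop is one network message
    dropped = 0              # "Already heard that!" events
    queue = deque([origin])
    while queue:
        peer = queue.popleft()
        for neighbor in topology[peer]:
            sent += 1
            if neighbor in have:
                dropped += 1
                continue
            have[neighbor] = tx       # first time this peer sees it: store and relay
            queue.append(neighbor)
    return have, sent, dropped


def demo():
    topo = {k: list(v) for k, v in TOPOLOGY.items()}   # work on a copy
    learned = join(topo, 9, seed=1)                    # peer 9 joins through peer 1
    have, sent, dropped = flood(topo, 9, "A->B")
    return learned, len(have), sent, dropped
```

Every peer relays exactly once, so the number of messages equals the number of directed edges, and all but (peers − 1) of them are dropped as duplicates; that redundancy is the price of not needing any central coordinator.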
Transaction Ledger: How do we check “validity” of transactions?
By storing a public history of all transactions ever!
Why do we need a transaction history?
[Figure: Alice’s account has 5, with payments drawn to Bob and to Charlie]
➤ Double-spending must be prevented!
➤ Traditional approach: ask the bank
➤ Who can we ask now?
Probably the most important problem with electronic currencies
Transaction Ledger
➤ Stores every transaction and is used to check users’ balances
Example
  …
  Time t
  Alice sends 1 to Bob
  Alice sends 0.7 to Chris
  Bob sends 1.2 to Dave
  Dave sends 0.2 to Chris
  Time t+1
  Bob sends 1 to Carol
  …
Balances read off the ledger:
  Time t:   Alice 2,   Bob 5
  Time t+1: Alice 0.3, Bob 4.8
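Replaying the ledger above to recompute balances and to refuse a transaction whose sender has already spent the funds, as an added Python example (not from the lecture). The starting balances (Alice 2, Bob 5) and the transactions are the slide's; Chris, Dave and Carol are assumed to start at 0, and Decimal is used so the 0.3 and 4.8 come out exact.

```python
# Added example (not from the lecture): derive balances from the transaction
# history and reject overspends, which is how a public ledger blocks double spending.
from decimal import Decimal

# Ledger grouped by block; amounts as strings so Decimal stays exact.
LEDGER = {
    "t+1": [("Alice", "Bob", "1"), ("Alice", "Chris", "0.7"),
            ("Bob", "Dave", "1.2"), ("Dave", "Chris", "0.2")],
    "t+2": [("Bob", "Carol", "1")],
}
START = {"Alice": Decimal("2"), "Bob": Decimal("5")}   # balances at time t (from the slide)


def apply_block(balances: dict, txs: list):
    """Apply a block's transactions in order; return (new balances, rejected transactions)."""
    balances = dict(balances)
    rejected = []
    for sender, receiver, amount in txs:
        amt = Decimal(amount)
        if amt <= 0 or balances.get(sender, Decimal(0)) < amt:
            rejected.append((sender, receiver, amount))   # sender lacks the funds
            continue
        balances[sender] -= amt
        balances[receiver] = balances.get(receiver, Decimal(0)) + amt
    return balances, rejected


def replay(ledger: dict, start: dict):
    """Walk the history block by block, keeping the balances after each block."""
    balances, history, rejected = dict(start), {}, []
    for label, txs in ledger.items():
        balances, bad = apply_block(balances, txs)
        history[label] = balances
        rejected += bad
    return history, rejected


def demo():
    history, rejected = replay(LEDGER, START)
    # Constructed double-spend attempt: Alice has 0.3 left and signs two 0.3 payments.
    attempt = [("Alice", "Eve", "0.3"), ("Alice", "Frank", "0.3")]
    _, refused = apply_block(history["t+2"], attempt)
    return (str(history["t+1"]["Alice"]), str(history["t+1"]["Bob"]),
            str(history["t+2"]["Bob"]), rejected, refused)
```

Ordering is what resolves the conflict: whichever of Alice's two payments the ledger records first is the one that spends the 0.3, and the other is refused by everyone replaying the same history. That is why the next slides insist the ledger be append-only, unrevisable and global.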
Transaction Ledger: Bitcoin Blockchain
➤ Required properties:
  1) Append-only
  2) Cannot revise existing blocks
  3) Global
➤ Who maintains it?
  o The users themselves!
  o Miners: special types of users
[Figure: the ledger (Alice sends 1 to Bob, Alice sends 0.7 to Chris, Bob sends 1.2 to Dave, Dave sends 0.2 to Chris, …, Bob sends 1 to Carol) packaged into blocks and replicated across the peers 1–8]
Consensus: How can we agree on one global history of transactions?
Who chooses the next block?
➤ Every transaction is broadcast to all users
[Figure: candidate block for time t+1: Alice sends 1 to Bob, Alice sends 0.7 to Chris, Bob sends 1.2 to Dave, Dave sends 0.2 to Chris, …, Jan sends 0.2 to Alice]
➤ Do we agree on this block for time t+1?
➤ Miners voting: majority wins (Yes, Yes, Yes, Yes, No)
Works well if the majority of miners is honest!
Majority of what?
➤ What does majority mean in a system where everyone can participate?
➤ Sybils: Multiple identities belonging to the same (malicious) user
➤ Bitcoin solution: Majority is defined as the majority of computational power!
Consensus based on computational power
Proof-of-work
To “measure” a user’s computational power, ask him to solve a puzzle:
• the puzzle should be difficult to solve
• but a solution should be easily verifiable
➤ The puzzle used in Bitcoin is based on the cryptographic hash function SHA256
Puzzle: Given a “small” target y, find x such that SHA256(x) < y
How is a new block added?
[Figure: Alice broadcasts “Alice sends 1 to Bob”; miners keep a pool of transactions not yet on the chain, v1, v2, …, vm (e.g., Alice sends 1 to Bob, Bob sends 1 to Eve, …, Dave sends 1 to Carol); the blockchain at time t ends with Block t-1 and Block t, each listing transactions such as Alice sends 1 to Bob, Alice sends 0.7 to Chris, Bob sends 1.2 to Dave, …, Dave sends 0.2 to Chris]
1) Payer announces transaction
2) Miners receive & check transaction
3) Miners “compete” to solve the puzzle: find x such that SHA256(v1, …, vm, Block_t, x) < y
4) New block announcement: “I found a new block!” (Block B)
What if multiple miners solve the puzzle?
[Figure: two miners each announce “I found a new block!” (Block B and Block B’) for time t+1, producing a fork after time t; both branches continue at time t+2, …]
Longest chain (eventually) wins
The rules of Nakamoto consensus
➤ All blocks must reference the previous block header
  • append-only
➤ All blocks must be well-formed
  • all included transactions are valid
➤ Blocks must include a computational puzzle solution
  • mining is difficult
➤ Longest chain is the “true” blockchain at any time
➤ New blocks mint X new bitcoins that are awarded to the miner
  • mining is rewarding
Incentives should favor honest behavior
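The four rules above, together with the mining puzzle from the previous slides (find x such that SHA256(v1, …, vm, Block_t, x) < y), as an added Python example; this is not code from the lecture. Assumptions: a toy difficulty of 12 leading zero bits so mining finishes in a fraction of a second, JSON as the block serialization, and a syntactic stand-in for full transaction validation.

```python
# Added example (not from the lecture): a minimal hash-linked chain with
# proof-of-work, chain validation under the Nakamoto rules, and longest-chain
# selection between an honest chain and a competing fork.
import hashlib
import json

DIFFICULTY_BITS = 12                     # toy difficulty (assumption); Bitcoin's y is far smaller
TARGET = 1 << (256 - DIFFICULTY_BITS)    # the "small" y: a block's hash must be below it
GENESIS_PREV = "0" * 64                  # what the first block references


def block_hash(block: dict) -> int:
    """SHA256 over (v1..vm, previous-block reference, x), read as a 256-bit integer."""
    payload = json.dumps(block, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def mine(prev: str, txs: list) -> dict:
    """Miners 'compete' by trying values of x until SHA256(...) < y."""
    block = {"prev": prev, "txs": txs, "x": 0}
    while block_hash(block) >= TARGET:
        block["x"] += 1
    return block


def tx_ok(tx: str) -> bool:
    """Stand-in for full validation (signatures, balances): '<A> sends <n> to <B>' with n > 0."""
    parts = tx.split()
    try:
        return len(parts) == 5 and parts[1] == "sends" and parts[3] == "to" and float(parts[2]) > 0
    except ValueError:
        return False


def valid_chain(chain: list) -> bool:
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev:                        # rule 1: references the previous block
            return False
        if not all(tx_ok(tx) for tx in block["txs"]):    # rule 2: well-formed
            return False
        h = block_hash(block)
        if h >= TARGET:                                  # rule 3: puzzle actually solved
            return False
        prev = f"{h:064x}"
    return True


def choose(chains: list) -> list:
    """Rule 4: among valid chains, the longest is the 'true' blockchain."""
    valid = [c for c in chains if valid_chain(c)]
    return max(valid, key=len) if valid else []


def extend(chain: list, txs: list) -> list:
    """Append a freshly mined block holding `txs` to `chain`."""
    prev = GENESIS_PREV if not chain else f"{block_hash(chain[-1]):064x}"
    return chain + [mine(prev, txs)]


def demo():
    genesis = extend([], ["Alice sends 1 to Bob"])
    honest = extend(extend(genesis, ["Bob sends 0.5 to Carol"]), ["Carol sends 0.2 to Dave"])
    forked = extend(genesis, ["Bob sends 0.5 to Eve"])   # competing block B' at the same height
    tampered = json.loads(json.dumps(honest))
    tampered[0]["txs"] = ["Alice sends 100 to Mallory"]  # editing history breaks the hash links
    return len(choose([honest, forked])), valid_chain(honest), valid_chain(forked), valid_chain(tampered)
```

The tampered chain fails even though the edited block could in principle be re-mined: every later block references the old hash, so rewriting one block means redoing the puzzle for every block after it, which is the work bound behind "cannot revise existing blocks".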
Transaction confirmation
➤ As a merchant, how long do you wait before you consider a transaction confirmed?
[Figure: “Alice sends 5 to Bob” is included in the block at time t; further blocks follow at times t+1, t+2, …, t+6. In the forked version, a second chain branches off after time t+1 (blocks at t+2, t+3, t+5), and that chain includes a different transaction from Alice.]
➤ Security property of Nakamoto consensus: Exponential Convergence
  o Probability of forking decreases exponentially with # of subsequent blocks
➤ Heuristic rule enforced in practice: 6 blocks is safe (1 hour in real-world)
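The "exponential convergence" claim made concrete, as an added Python example that is not from the lecture: it implements the catch-up probability from Section 11 of the Bitcoin whitepaper (a Poisson race between the honest chain and an attacker holding a fraction q of the hash power). The whitepaper's formula is assumed as the model; the q values below are constructed.

```python
# Added example (not from the lecture): probability that a chain z blocks behind
# ever overtakes the honest chain, following the Bitcoin whitepaper's derivation.
import math


def attacker_success_probability(q: float, z: int) -> float:
    """q = attacker's share of hash power, z = confirmations the merchant waited for."""
    p = 1.0 - q
    lam = z * (q / p)              # expected attacker progress while honest miners mine z blocks
    total = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total -= poisson * (1 - (q / p) ** (z - k))
    return total


def confirmations_needed(q: float, max_risk: float = 0.001) -> int:
    """Smallest z whose reversal probability is below max_risk."""
    z = 0
    while attacker_success_probability(q, z) > max_risk:
        z += 1
    return z


def table(q: float, up_to: int = 6) -> dict:
    """Reversal probability after z = 0 .. up_to confirmations, rounded for display."""
    return {z: round(attacker_success_probability(q, z), 7) for z in range(up_to + 1)}
```

For q = 0.1 the probability after 6 blocks is about 2.4 × 10⁻⁴, and it falls by roughly a factor of four per extra block; the 6-block rule of thumb is a risk threshold a merchant chooses for an assumed q, not a hard guarantee.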
Some numbers about Bitcoin
➤ 10 min. expected mining time per block
  o enforced by changing the target value y; currently 69+ leading 0’s
➤ 1 MB size of each block
➤ Total blocks mined so far ~543,000
➤ 100 M satoshis per bitcoin (smallest possible denomination)
➤ Current bitcoin reward 12.5 BTC (~443,000 USD)
  o halved every 210,000 blocks; originally 50 BTC
➤ ~21M total bitcoins maximum
  o expected to exhaust by year 2040
  o already mined ~80% of these…
https://www.blockchain.com/explorer
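The reward and supply figures above follow from three of the numbers on the slide (50 BTC initial reward, halving every 210,000 blocks, 100 M satoshis per bitcoin). The added Python below, which is not from the lecture, computes the subsidy at a height, the supply mined up to it, and the cap; it assumes the halving is an integer right shift in satoshis that stops after 64 halvings, and the height 543,000 is the slide's "blocks mined so far".

```python
# Added example (not from the lecture): block subsidy schedule and supply cap
# computed in integer satoshis.
SATOSHI = 100_000_000
INITIAL_SUBSIDY = 50 * SATOSHI
HALVING_INTERVAL = 210_000


def subsidy_sat(height: int) -> int:
    """Reward (satoshis) for the block at `height`; halves by an integer shift (assumption: 64 cut-off)."""
    halvings = height // HALVING_INTERVAL
    return 0 if halvings >= 64 else INITIAL_SUBSIDY >> halvings


def supply_sat(height: int) -> int:
    """Satoshis minted by blocks 0 .. height-1, summed one halving era at a time."""
    total, h = 0, 0
    while h < height:
        era_end = min(height, (h // HALVING_INTERVAL + 1) * HALVING_INTERVAL)
        total += (era_end - h) * subsidy_sat(h)
        h = era_end
    return total


def max_supply_sat() -> int:
    """Sum over every era until the shifted subsidy reaches zero."""
    total, h = 0, 0
    while subsidy_sat(h) > 0:
        total += HALVING_INTERVAL * subsidy_sat(h)
        h += HALVING_INTERVAL
    return total


def demo(height: int = 543_000):
    """(reward in BTC at height, BTC mined so far, fraction of the cap already mined)."""
    mined = supply_sat(height)
    return subsidy_sat(height) / SATOSHI, mined / SATOSHI, round(mined / max_supply_sat(), 3)
```

At height 543,000 the reward is 12.5 BTC and about 17.29 M BTC have been mined, i.e. roughly 82% of the cap, which matches the "~80%" on the slide; the cap itself comes out just under 21 M because the integer shift drops fractional satoshis at each halving.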