Crypto Currencies And Bitcoin - Nicolas Courtoisnicolascourtois.com/bitcoin/paycoin_may_2014.pdf ·...
Transcript of Crypto Currencies And Bitcoin - Nicolas Courtoisnicolascourtois.com/bitcoin/paycoin_may_2014.pdf ·...
Crypto Currencies
UCL Bitcoin SeminarUCL crypto currency seminar and special interest group
every Thur 12h00-14h00 -room and exact hour varies
public web page: www.want2pay.com
2 Nicolas T. Courtois 2009-2014
Crypto Currencies
This Seminar
This is a university research seminar. With talks, demos, discussions, etc.Our goals are:• Learn non-trivial facts about bitcoin, highly technical maths and crypto.• Discover many “facts” we have been told about bitcoin are… NOT true.
– break bitcoin: will require serious effort.
• Improve bitcoin - so that it would be resistant to cybercriminals / NSA.
3 Nicolas T. Courtois 2009-2014
– write our own software and apps, looking for developers
• Develop methods to investigate what is going on in these networks: – for example undoing the anonymity, discovering statistically significant patterns, etc.
• Produce scientific works and Master/PhD theses about bitcoin.
The seminar will run every week at UCL. Slides and other materials will be made available on a selective basis.
I will also invite external people as speakers and stake holders.
Crypto Currencies
Donations Policy
Address for donations: 1DsGj3NJKgFLGw9PUi2a7VDmwEF5bnaaq
Donations will be spent on:
4 Nicolas T. Courtois 2009-2014
Donations will be spent on:• Drinks and food for participants of this seminar• Student stipends• Research expenses
Thanks for generous donations already received!
Crypto Currencies
Speakers Wanted!
Speakers are wanted, also from business startups, bankers, lawyers etc etc…
Send proposals of talks to: [email protected]• speaker and affiliation• title of your presentation• 2-5 lines executive summary
5 Nicolas T. Courtois 2009-2014
• 10+ pages of supporting material: sample slides, white paper, etc – to evaluate the quality/pertinence of your talk.
• time requested: 15 min / 30 min / 45 min.
Student s planning to do an M.Sc. Thesis on bitcoin are expected to deliver 2 short 15 min. talks before they are accepted to do their thesis on bitcoin.
Crypto Research at UCL
Dr. Nicolas T. Courtois1. cryptologist and
codebreaker
6
2. specialist of smart cards (e.g. bank cards, Oyster cards etc…)
Crypto Currencies
Our Works on Bitcoin
Nicolas Courtois, Marek Grajek, Rahul Naik: The Unreasonable Fundamental Incertitudes Behind Bitcoin Mining, http://arxiv.org/abs/1310.7935
Nicolas Courtois, Lear Bahack:On Subversive Miner Strategies and Block Withholding Attack
7 Nicolas T. Courtois 2009-2014
On Subversive Miner Strategies and Block Withholding Attackin Bitcoin Digital Currency http://arxiv.org/abs/1402.1718
Nicolas Courtois:On The Longest Chain Rule and Programmed Self-Destruction of Crypto
Currencies http://arxiv.org/abs/1405.0534
more in preparation.
Crypto Currencies
Controversy Around Our Recent Paper:
https://bitcointalk.org/index.php?topic=600436.0;all
8 Nicolas T. Courtois 2009-2014
Crypto Currencies
Bitcoin In A Nutshell
• bitocoins are cryptographic tokens – stored by people on their PCs or mobile phones
• ownership is achieved through digital signatures: – you have a certain cryptographic key, you have the money. – publicly verifiable, only one entity can sign
• consensus-driven, a distributed system which has no central authority– but I will not claim it is decentralized, this is simply not true!
10 Nicolas T. Courtois 2009-2014
– but I will not claim it is decentralized, this is simply not true! – a major innovation is that financial transactions CAN be executed and policed without
trusted authorities. Bitcoin is a sort of financial cooperative or a distributed business.
• based on self-interest: – a group of some 100 K people called bitcoin miners own the bitcoin “infrastructure”
which has costed about 0.5-1 billion dollars (estimation) – they make money from newly created bitcoins and fees – at the same time they approve and check the transactions. – a distributed electronic notary system
Crypto Currencies
Two Key Concepts
• initially money are attributed through Proof Of Work (POW)to one public key A
– to earn bitcoins one has to “work” (hashing) and consume energy (pay for electricity)– in order to cheat one needs to work even much more (be more powerful than the whole
network, for a short while)
11 Nicolas T. Courtois 2009-2014
network, for a short while)
• money transfer from public key A to public key B:– like signing a transfer in front of one notary whic h confirms the
signature ,
– multiple confirmations: another notary will re-confirm it, then another, etc…– we do NOT need to assume that ALL these notaries are honest.
• at the end it becomes too costly to cheat
Crypto Currencies
Full P2P Clienthttp://bitcoin.org/en/download
15 giga, 24 hours…
15 Nicolas T. Courtois 2009-2014
Payment and Crypto Currencies
Money
Key invention in human history:
18 Nicolas T. Courtois 2009-2014
money
- here is some money for your research
Crypto Currencies
Is Bitcoin Money?
• We will NOT claim it has all the characteristics of money. – it definitely has some!– they are traded against traditional currencies at a number of exchanges.– bitcoins are “legal” by default, – there were some attempts to regulate them and even ban them by governments.
19 Nicolas T. Courtois 2009-2014
Crypto Currencies
Two Main Functions of Money
1. Store Value2. Allow Payment (3. Unit of Account)
20 Nicolas T. Courtois 2009-2014
⇒both money and payments becomes more “virtual” with time…
Crypto Currencies
Evolution of - 1. Store Value
• Precious natural resources: salt etc => evolution/selection=>• Gold, Silver, Other Metals => Coins• Paper Money
• Money as Electronic Record
21 Nicolas T. Courtois 2009-2014
• Money as Electronic Record + Legal Protection + Government Guarantee
• 21st century: Cryptographic E-Cash
Crypto Currencies
Evolution of - 2. Payments
• Physical Cash (Bank Notes, Coins) = M0
• Cheques• Electronic Bank Transfer 20 days => 15 min…
22 Nicolas T. Courtois 2009-2014
• E-Purse Systems: geldkarte, London Oyster• Bank Cards• Contact-less Bank Cards, e.g. MasterCard PayPass:
• 21st century: Cryptographic E-Cash.
difference?
Crypto Currencies
Gold = “Global Single Currency”??
Most countries abandoned the gold standard during the Great Depression, – one of the earliest was the Bank of England [1931].
Much later, in 1971: the United States abandons it.Nixon Shock
23 Nicolas T. Courtois 2009-2014
Crypto Currencies
“Fiat Money”Def:Government-issued money not convertible for anything particular
(E.g; gold, goods etc).
Its value is controlled by the monetary policy and managed by the central bank.
(the quantity of money in circulation can be increased or decreased at any moment)
24 Nicolas T. Courtois 2009-2014
(the quantity of money in circulation can be increased or decreased at any moment)
Crypto Currencies
BOTTOM LINE
1. Store Value2. Allow Payment
CAN BE IMPLEMENTED DIFFERENTLY!
25 Nicolas T. Courtois 2009-2014
CAN BE IMPLEMENTED DIFFERENTLY!
SEPARATION IS NOT FORBIDDEN
Bitcoin Mining
Bitcoin
Bitcoin =… the most popular peer-to-peer
payment and virtual currency system as of today
26 Nicolas T. Courtois 2013
system as of today
belongs to no one, anarchy
=>
Crypto Currencies
BitcoinDecentralized peer to peer payment system
which works as currency: => has units of value which can be exchanged
for “real money”. Currently 1BTC= 400 USD.
Based on cryptography and network effects.
28 Nicolas T. Courtois 2009-2014
Based on cryptography and network effects.
Anarchy, not supported by any government and not issued by any bank.
“Play money”, imperfect system.
Crypto Currencies
*Disruption?Disruptive Technology:
def:
Allows to do things which just could not be done before…
29 Nicolas T. Courtois 2009-2014
done before…
Crypto Currencies
**CitationsBitcoin is:• Wild West of our time [Anderson-Rosenberg]
• There is no “undo” button for sth. like bitcoin [Mike Gogulski]
30 Nicolas T. Courtois 2009-2014
[Mike Gogulski]
Crypto Currencies
Krugman
• What’s wrong with Bitcoin? [title] • Bitcoin is …
– just one of possible ways to pay electronically [irony ☺]to pay electronically [irony ☺]
– Paul Krugman, Nobel price in economics
Crypto Currencies
More Krugman!
• Bitcoin is …– “the anti-social network”– “bitcoin is evil” – “bitcoin is evil” (he later claimed it was a joke)
– Paul Krugman, Nobel price in economics
Crypto Currencies
Who Is Evil?
• “Bitcoin Prevents Monetary Tyranny” - Jon Matonis for Forbes
33 Nicolas T. Courtois 2009-2014
• “Just thinking about bitcoin makes you a better person” – Max Keiser
Crypto Currencies
Cyprus vs. Bitcoin – April 2013correlation in Google searches
35 Nicolas T. Courtois 2009-2014
Crypto Currencies
April 2013• there was a Cyprus banking crisis…
depositors were unable to recover 100% of their deposits
• opinions about how crazy it was that bitcoin could rise…
37 Nicolas T. Courtois 2009-2014
could rise…
Crypto Currencies
13 April 2013Bitcoin is:• Digital Gold! - The Economist
39 Nicolas T. Courtois 2009-201413 April 2013 – “Digital Gold”
10-11 April 2013 – MtGox 24h shutdown
Crypto Currencies
Jan 2013-Jan 2014
10-11 April 2013 – MtGox 24h shutdown
14 => 1000 USD
40 Nicolas T. Courtois 2009-2014
13 April 2013 – “Digital Gold”The Economist
Crypto Currencies
Another Noble Price:In Davos Jan 2014:“It is a bubble,
there is no question about it.… It’s just an amazing example of a bubble.”
– Robert Shiller, Nobel price in economics, awarded specifically for work on asset bubbles.
Crypto Currencies
***Flash Crash 10 Feb 2014 before 6AM
42 Nicolas T. Courtois 2009-2014
600 => 102 USD in a blink of an eye
Crypto Currencies
Miracle Of BitcoinRemoves two pillars of money:
• “trust” => Peer 2 Peer self-regulation
based on self-interest?
43 Nicolas T. Courtois 2009-2014
based on self-interest?
• legal/government protection and policing=> anarchy!
Crypto Currencies
*Recall: Two Main Functions of Money
1. Store Value2. Allow Payment(3. Unit of Account)
45 Nicolas T. Courtois 2009-2014
Crypto Currencies
Are They Crazy?Anything can be “money”
if sufficiently many people accept it… (e.g. salt).
Question of: • popularity
46 Nicolas T. Courtois 2009-2014
• popularitylegal tender, government standardization and regulation <= recently thousands of press reports about bitcoin
• trusttrustworthy authority
<= assumption that majority of people are “honest”MUCH WEAKER…NO NEED TO TRUST ANYONE
Crypto Currencies
Play Money?A distinction play vs. real money has almost disappeared recently.
47 Nicolas T. Courtois 2009-2014
Crypto Currencies
Types of “Virtual Money”Source: ECB report, 10/2012
http://www.ecb.europa.eu/pub/pdf/other/virtualcurrencyschemes201210en.pdf
cf. Oyster…
48 Nicolas T. Courtois 2009-2014
Crypto Currencies
**Can Bitcoin Circumvent Laws? Like “this is not money”=>
therefore we don’t do anything which falls within remit of existing laws
(securities trading, gambling etc..)
Not so easy:
51 Nicolas T. Courtois 2009-2014
The Department of the Treasury Financial Crimes Enforcement Network (FinCEN) has clarified that cryptocurrency is not money, but all existing AML (Anti-Money Laundering) and KYC (Know Your Customer) regimes do nevertheless apply(!).
• Judge Amos Mazzant issued a memorandum arguing that bitcoin was “a currency or a form of money”.
• SEC clearly stated that transactions in bitcoins are financial transactions like any other, and are within their remit.
Crypto Currencies
Bitcoin Is Subject To Laws! Governments judges and regulators will apply the
rules which they think applicable, they are emerging and they are being clarified.
Bitcoin laundry question: • If I mix bitcoins with other people.
52 Nicolas T. Courtois 2009-2014
• If I mix bitcoins with other people.• UK: Proceeds of the Crime Act, If I have assisted
sb. in money laundering, I must report it to the Police or I can be prosecuted and go to prison.
Crypto Currencies
**US Regulation? • Bitcoin does not share characteristics
with instruments that we regulate as securities.• Consequently, the SEC,
like the Federal Reserve, is an unlikely regulator.
• […] perhaps the Commodities Future Trading Commission (CFTC) will decide that it could supervise Bitcoin as a
53 Nicolas T. Courtois 2009-2014
(CFTC) will decide that it could supervise Bitcoin as a commodity.
• absence of a legitimate authority recognizing and attributing value to Bitcoin provides supervisory opportunity to the Consumer Financial Protection Bureau (CFPB), which has as a mandate ensuring consumer financial safety
=> all according to a Wall Street lawyer Maese.
Crypto Currencies
**Block Chain Regulation The same Wall Street lawyer also says that: • The Block Chain technology could be SEPARATELY
regulated (!!!)• not proposing that the weightiness of bank regulation […] be applied to tech start-
ups• codification of development standards that good developers already use could
help the network become safe.
54 Nicolas T. Courtois 2009-2014
Cf. Vivian A. Maese: Divining the Regulatory Future of Illegitimate Cryptocurrencies, In Wall Street Lawyer, Vol. 18 Issue 5, May 2014.
Crypto Currencies
**Open Source = Criminals’ Best Friend?…same Wall Street lawyer:
• The open-source nature of the developer population provides opportunities for frivolous or criminal behavior that can damage the participants in the same way that investors can be misled by promises of get rich quick schemes [...]
• a self- regulatory organization (SRO) [...] could be created to oversee and examine [...] the engineers who create the code [...]
• Regulations could ensure that cybersecurity requirements are engineered into
55 Nicolas T. Courtois 2009-2014
• Regulations could ensure that cybersecurity requirements are engineered into the code and could ensure that the network would recover from a failure by building in redundancy. [...]
• One of the biggest risks that we face as a society in the digital age [...] is the quality of the code that will be used to run our lives.
Cf. Vivian A. Maese: Divining the Regulatory Future of Illegitimate Cryptocurrencies, In Wall Street Lawyer, Vol. 18 Issue 5, May 2014.
Crypto Currencies
*UKProblem: Initially UK HMRC have suggested that bitcoins are “VAT
taxable vouchers” – however if bitcoin is regarded as a good, when you buy it you should pay 20% VAT…
⇒ totally inappropriate classification, now abandoned.
56 Nicolas T. Courtois 2009-2014
⇒ totally inappropriate classification, now abandoned.
Crypto Currencies
Is Bitcoin “Electronic Money”?Directive 2009/110/EC of the European Parliament
and of the Council defines the concept of “electronic money”,
Article 2: electronic money “means electronically, including magnetically, stored monetary value as
57 Nicolas T. Courtois 2009-2014
including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions […], and which is accepted by a natural or legal person other than the electronic money issuer”.
Crypto Currencies
Is Bitcoin “Electronic Money”?This has been disputed; • YES “electronically stored monetary value” YES but stored in a diffused distributed way and valid
if not spent and with regard to a majority of ASIC votes…
• NOT ”as represented by a claim on the issuer”
58 Nicolas T. Courtois 2009-2014
• NOT ”as represented by a claim on the issuer”• there is no “LEGAL” entity acting as issuer• however
– there is no legal obligation but a technical and practical claim which works, not a debt though,
– and YES there exist issuers: miners, – or a collective issuer… “the bitcoin community”
Crypto Currencies
Bitcoin in GermanyBitcoin is “private money” in Germany.
Sweden:Bitcoin = method of payment.
59 Nicolas T. Courtois 2009-2014
Bitcoin = method of payment.
Finland: detailed rules, closer to a commodity.
Crypto Currencies
Bitcoin is…“a low-cost replacement for credit cards and other
payment mechanisms”
Very close to the business of
62 Nicolas T. Courtois 2009-2014
Very close to the business of • Western Union• CurrencyFair• PayPal• MastercardBitcoin is a direct threat to these companies.
Crypto Currencies
Competition Before BitcoinCredit cards:slow adoption: • it took 100 years to get people to use them!
63 Nicolas T. Courtois 2009-2014
Crypto Currencies
Beware!Bitcoin transaction volume: usually WRONG reports, includes
amounts people return to themselves
Similar data:coinometrics.com=> controversy:
11/2013
66 Nicolas T. Courtois 2009-2014
=> controversy: “pitiful statistics out of BTC fairyland”
Reuters: Fitch: Bitcoin Remains Smallin Comparison …68 M/day
Crypto Currencies
More Lunatic Asylum SeekersMore WRONG reports, May 2014
5/2014
67 Nicolas T. Courtois 2009-2014
Crypto Currencies
*Problems:• It is very difficult to reliably estimate the transaction
volume from the blockchain data alone.
• Blockhain.info provides both the misleading artificially inflated figures at http://blockchain.info/charts/output-volumeand their estimation of the actual transaction volume by their
68 Nicolas T. Courtois 2009-2014
and their estimation of the actual transaction volume by their own (imperfect) proprietary method cf. blockchain.info/charts/estimated-transaction-volume,
Crypto Currencies
Fiction Volume vs. Approximated Corrected One
fiction: USD >250 million/day?
69 Nicolas T. Courtois 2009-2014
corrected: USD 50 million/daymethodology still problematic…
Crypto Currencies
*Why Is It Difficult To Estimate?• Again truly accurate estimations are impossible to
obtain. – A particular problem are the actions of some bitcoin
addresses which hold very large balances and return change to themselves at new freshly created addresses.
Source: Nicolas Courtois: On The Longest Chain Rule and Programmed Self-
70 Nicolas T. Courtois 2009-2014
Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534
Crypto Currencies
Arguably The Best Way To Measure Bitcoin Adoption in Payment
Anybody willing to pay transaction fees?
71 Nicolas T. Courtois 2009-2014
Crypto Currencies
Alternative payments business is booming, growing 3%/year [McKinsey], faster than normal banking business, banks are almost totally absent!.
• Google wallet app and Amazon FPS allow to transfer money between customers• Walmart, big telcos and many banks are developing their M-payment schemes
in order to avoid Mastercard Visa etc fees…• In Kenya, 43% of GDP transits through M-PESA, mobile phone system which is
also a front-end to banks where banks play a secondary role. • PayPal president’s David Marcus:
Competition After Bitcoin [2014]
72 Nicolas T. Courtois 2009-2014
• PayPal president’s David Marcus: – initially they wanted to be independent from central banks and govs…– finally decided to became a bank, to become the biggest bank in the world?– has handled 180 billions in payments last year, 143 M customers
• Square new service - example: at coffee shop: – no signatures, no cards, no barcodes– check in when you enter the store– tell cashier your name and that you are using square! – the store manager has your picture displayed, he knows it is you– the customer receives a text with the amount paid, for him to check
Crypto Currencies
After few brief episodes of capitalism, modern business favours slavery.
Key Problem:
74 Nicolas T. Courtois 2009-2014
Crypto Currencies
A payment system in which • it is THE PAYER who initiates the transaction• controls the amount being paid• money and payments are stored outside of the
banking system [most recent systems erode the dominant position of banks]
Bitcoin!
75 Nicolas T. Courtois 2009-2014
banking system • money cannot be confiscated [cf. Cyprus banks]. • it challenges fractional reserve banking [new!] and
forces finance to become more “transparent”“Troubled” bitcoin [The Economist May 2014]
is certainly is here to stay => but now must face all sorts of competition and technical reforms [our work]
Crypto Currencies
Bitcoin Network• Peer to peer, decentralized, no central
authority, one ASIC one vote, => no third party risk [no need to trust the banker!]
• Knows no limits, borders, laws, etc…• Computers connected into a P2P network…
77 Nicolas T. Courtois 2009-2014
• Computers connected into a P2P network…• Every transaction can be downloaded by anyone…
1 client app
Crypto Currencies
Bitcoin• A Value Transfer Network
• term proposed by a Wall Street lawyer Maese.•
78 Nicolas T. Courtois 2009-2014
Crypto Currencies
More Than a Network
• Also a community: – adopters, developers, miners, speculators, etc…
• Upgrade the software, change the spec:
79 Nicolas T. Courtois 2009-2014
• Upgrade the software, change the spec:– people vote with their feet– bitcoin belongs to no one
Crypto Currencies
Network PropertiesSatoshi original idea [cf. Sect. 5 in his paper]:• homogenous nodes: they do the same job
– everybody participates equally– everybody is mining– a random graph
80 Nicolas T. Courtois 2009-2014
– a random graph
• it appears that the current network resembles “a random graph”
Crypto Currencies
The Reality is VERY Different!In violation of the original idea of Satoshi Bitcoin network has
now 3 sorts of VERY DIFFERENT ENTITIES– only “rich people” are mining
• upfront investment of >3000 USD.• 100K active miners as of today?
– but NOT running network nodes, mining is highly centralized, see pools
– some “full nodes”: they trust no one
81 Nicolas T. Courtois 2009-2014
– some “full nodes”: they trust no one • Satoshi client a.k.a. bitcoind, version 0.9.X. for PC, • 15 Gbytes, takes 1 day to synchronize, CPU/HDD load
– only some 13 K out of 60 K accept incoming connections (4/2014)– panic in May 2014: declining, less than 8,000 peers online
– many nodes do minimal work and minimal storage, they need to trust some other network nodes
Crypto Currencies
*Panic – May 2014• # active nodes << #miners• 8K << 100K
82 Nicolas T. Courtois 2009-2014
Crypto Currencies
*Scalability Issues• Current bitcoin processes only 0.7 transactions per second.
– VISA processes 2000 transactions per second.– YES, even at this scale of 2000 tx/s bitcoin would theoretically work:
each node receiving ALL new transactions would be like 1Mbit/second bandwidth.
83 Nicolas T. Courtois 2009-2014
• Limit on the size of one block = 1 Mb currently.– this can only accommodate 7 tr/sec– we are VERY close to exceed that, maybe in 6 months…
Crypto Currencies
Key Properties of Bitcoin• Consensus-driven
– consensus about the past history[blockchain]– consensus about the future[software spec]
• Pseudonymous, NOT anonymous• Ledger-based. Ledger is entirely public.
84 Nicolas T. Courtois 2009-2014
• Ledger-based. Ledger is entirely public.• Notion of account:
– has a balance in BTC.
• Wallet: – computer file which stores "the money".
Crypto Currencies
Wallets• Wallet: file which stores your “money".• A Bitcoin client App
is also called a wallet
85 Nicolas T. Courtois 2009-2014
Crypto Currencies
Wallets == Bitcoin client Apps• Major types:
1. Bitcoin Satoshi Core Client = Decent PC, full P2P node, stores full history - 15 Gb, trusts no one.
2. Mobile apps: trust and rely on servers for DB and authenticity; but stores money locally.
86 Nicolas T. Courtois 2009-2014
and authenticity; but stores money locally.3. Cloud apps: all is stored in the cloud!4. Offline systems: protect your assets from
cybercriminals5. Combined: multi-signature, THE BEST!
Crypto Currencies
More Properties of Bitcoin• Scarce, like gold (in fact worse than gold)
• Divisible into small pieces – 10 nBTC = 1 Satoshi = 1 / 100 million BTC
87 Nicolas T. Courtois 2009-2014
Crypto Currencies
Digital Currency1. Sth. that we know… String of Bits.
+ additional layers of security:
2. Sth that we can do (capability): BETTER.– can be used many times without loss of confidentiality…
89 Nicolas T. Courtois 2009-2014
– can be used many times without loss of confidentiality…– in bitcoin bank account = a certain private ECDSA key…
=>PK-based Currency, an important modern application of Digital Signatures!
Crypto Currencies
Main Problem:
This capability can be “spent twice”.
Avoiding this “Double Spending” is the main problem
90 Nicolas T. Courtois 2009-2014
Avoiding this “Double Spending” is the main problem when designing a digital currency system.
NOT yet solved in a satisfactory way, instability, slow transactions, more about this later.Cf. Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534
Crypto Currencies
**Crypto CitationsAbout Bitcoin:• Security depends on maths, not people.• The accuracy of past transactions is
guaranteed by cryptography, which is a special type of mathematics ☺
92 Nicolas T. Courtois 2009-2014
which is a special type of mathematics ☺
Crypto Currencies
**Crypto MisconceptionsTHIS IS WRONG:• SHA-256 is a cipher and provides
confidentiality.– Not it is a hash function and provides
integrity of everything
93 Nicolas T. Courtois 2009-2014
integrity of everything [hard to modify./cheat]
• "Bitcoins are encrypted": WRONG– ONLY if you encrypt your wallet, not everybody does.– Also can use SSL in P2P connections…
• communications are encrypted if you use TOR
Crypto Currencies
Block Chain(and Mining - expanded much later)
94 Nicolas T. Courtois 2009-2014
(and Mining - expanded much later)
Crypto Currencies
Append-Only Logs
One well-known method to implement money [pre-dates bitcoin according to George Danezis slides]:
A high-integrity, high-authenticity ”append only log”.Sufficient to implement money in theory.• Start by marking who has what money.
95 Nicolas T. Courtois 2009-2014
• Enter a log entry for each transfer.
Solutions differ in the method to get this ”append only log”
Crypto Currencies
Bitcoin Mining
• Minting: creation of new currency.• Confirmation+re-confirmation
of older transactions
Random Oracle – like mechanism
data from previoustransactions RNG
miner’s public key
96 Nicolas T. Courtois 2009-2014
Ownership:– “policed by majority of miners”: – only the owner can transfer [a part of] 25 BTC produced.
HASH
must start with 64 zeros
Crypto Currencies
Block Chain
Def: A transaction database
shared by everyone.
Also a ledger.
97 Nicolas T. Courtois 2009-2014
Every transaction since ever is public.
Each bitcoin “piece” is a union of things uniquely traced
to their origin in time
(cf. same as for several banknotes due to SN)
Crypto Currencies
Longest Chain Rule
“1 ASIC 1 vote”[heavily criticised elsewhere]
100 Nicolas T. Courtois 2009-2014
Crypto Currencies
Insight
If 2 solutions happens with proba 1/100
The chance that both will be extended before one of them reaches the miner of the other (making him stop) will be about
101 Nicolas T. Courtois 2009-2014
(1/100)^2Etc..
Negligible chance to go on forever, => quite soon one branch is longer and wins.
Crypto Currencies
Can Sb. Cancel His Transaction?
Yes if he produces a longer chain with another version of the history.
Very expensive, race against the whole network (the whole planet).
102 Nicolas T. Courtois 2009-2014
Can be easy or very difficult it depends!
Crypto Currencies
Attack:
Extend This Branch To Cancel One Transaction tx36
Goal: generate 4 blocks.
103 Nicolas T. Courtois 2009-2014
cost=maybe 30 BTCgain=500 BTCEASY and PROFITABLE! The only difficulty is the timing!!!!
tx36
Crypto Currencies
This Attack IS FEASIBLE!
Nicolas Courtois:On The Longest Chain Rule and Programmed Self-Destruction of Crypto
Currencies http://arxiv.org/abs/1405.0534
104 Nicolas T. Courtois 2009-2014
Crypto Currencies
Easy Or Difficult?
Difficult if:• All mining devices are privately hold by independent people.Easy if: • Many mining devices are rented with a market which allows
one instantly to buy a lot of hashing power by paying a small premium over the market price.
105 Nicolas T. Courtois 2009-2014
premium over the market price.WORSE THAN THAT: • A large mining pool can re-sell ALL the hash power to the
attacker, => this CANNOT BE DETECTED by miners,
due to a technicality which we will discuss later (mining with H0, not knowing on which branch/block they mine)
Crypto Currencies
Is it a 51% Attack?
51 % attacks: brain washing, vague and excessively general, highly misleading.
• computing power can be temporarily displaced.• it is NOT a number between 0 and 100%, two different hash powers at
different moments.
106 Nicolas T. Courtois 2009-2014
Crypto Currencies
The Question of Dominance
This attack will NOT work if Bitcoin is dominant and uses more hash power than all other crypto currencies combined.
In contrast ALL SMALLER currencies which use a widely used hash function are EXTREMELY EASY to attack, and money
107 Nicolas T. Courtois 2009-2014
hash function are EXTREMELY EASY to attack, and money can be stolen.
Crypto Currencies
The Question of “The Longest Chain Rule”
The longest chain rule was designed to allow for EXTREMELY BAD NETWORK PROPAGATION (think of North Korea, Syria, yes bitcoin can function in such environments).
However with normal (fast) networks it is EASY just not to accept double spends after say 1 minute, and after one
108 Nicolas T. Courtois 2009-2014
accept double spends after say 1 minute, and after one version of transaction is already propagated to a majority of network nodes.
⇒Easy decision for miners. A majority needs to agree. ⇒The longest chain rule is NOT good, needs reform.
Crypto Currencies
Longest Chain Rule is PROBLEMATIC!
See: Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto
Currencies http://arxiv.org/abs/1405.0534
No reason why the SAME rule would govern:
109 Nicolas T. Courtois 2009-2014
• Which block is paid (10 minutes)• Which transactions are accepted (every second)Violates the principles of • Least Common Mechanism [Saltzer and Schroeder 1975]• Poor Network Neutrality – miners have excessive discretionary powers…=> Unnecessary instability and slow transactions…
Crypto Currencies
Hash Power => Security???
Sams writes: "The amount of capital collectively burned hashing fixes the capital outlay required of an attacker […] to have a meaningful chance of orchestrating a successful double-spend attack […] The mitigation of this risk is valuable, [...]"
Wow! We have built a “Great Wall”. It protects our money against attacks.
110 Nicolas T. Courtois 2009-2014
It protects our money against attacks.
NO THIS IS MITAKEN
Crypto Currencies
Crazy Hash Power Increase
Nearly doubled every month… 1000x in 1 year.
111 Nicolas T. Courtois 2009-2014
Crypto Currencies
In Contrast: Bitcoin Adoption / Payment
Not good. Anybody willing to pay transaction fees?
112 Nicolas T. Courtois 2009-2014
Crypto Currencies
Ledger-Based Currency
A “Bitcoin Address” = a sort of equivalent of a bank account.Three formats.
– First format like full Pkey 2*32 byte points, redundant! "scriptPubKey":"04a39b9e4fbd213ef24bb9be69de4a118dd0644082e47c01fd9159d38637b83fbcdc115a5d6e970586a012d1cfe3e3a8b1a3d04e763bdc5a071c0e827c0bd834a5 OP_CHECKSIG“
– Hash it on 160 bits, conceals the PK key! (NSA: attacks possible!).
• e.g. 0568015a9facccfd09d70d409b6fc1a5546cecc6
114 Nicolas T. Courtois 2009-2014
• e.g. 0568015a9facccfd09d70d409b6fc1a5546cecc6
– Recode with checksum on 1+20+4 bytes checksum, 160+32 bits, • Base58: 1VayNert3x1KzbpzMGt2qdqrAThiRovi8 27-34 chars
PK itself remains confidential until some part is spent.SK = private key is always kept private, allows transfer of funds.
Crypto Currencies
Step 2: checksum / convert
116 Nicolas T. Courtois 2009-2014
27-34 charsBase_58 O0I1
Crypto Currencies
Bitcoin Ownership
Amounts of money are attributed to public keys. Owner of a certain “Attribution to PK” can at any moment
transfer it to some other PK (== another address).
not spentDestructive, cannot spend twice: spent
Crypto Currencies
Special Type of Addresses
Bitcoin can require simultaneously several private keys, in order to transfer the money.
The keys can be stored on different devices (highly secure).
They start with 3. They start with 3.
2 out of 3 are also already implemented in bitcoin [BIP16]. (1 device could be absent, money can still be used).
Very cool, solves the problem of insecure devices…Except if the attacker can break into many devices…
Crypto Currencies
Bitcoin Myths (not true)“Transactions are irreversible,” • really???? The opposite can be argued:
– The Longest Chain Rule means probabilistic certitude,
• HOWEVER in theory EVERY TRANSACTION CAN
122 Nicolas T. Courtois 2009-2014
• HOWEVER in theory EVERY TRANSACTION CAN BE INVALIDATED, (at a large expense),
⇒possible even 100 years later⇒if there is a longer chain!
“No intermediary in transactions?”– Not true (unless one of the parties is a miner)
Crypto Currencies
Bitcoin Transactions:• between any two addresses [and any two
network nodes], – at any time [no market closing hours].– validated within 10-60 minutes.
• should wait longer for larger transactions, beware of
123 Nicolas T. Courtois 2009-2014
• should wait longer for larger transactions, beware of “cheating miners”…
• many websites accept instantly, – they trust your application not to double spend – and trust miners to reject the second spent based on later
time, easy and plausible!
Crypto Currencies
In / Out
Owner of a certain “Attribution to PK” can at any moment transfer it to some other PK addresses.
=> 0 inputs possible if minting transaction… new money.
=> Several outputs are a norm for bitcoin transactions.
on this picture we ignore the fees
Crypto Currencies
Bitcoin Transfer
Owner of a certain “Attribution to PK” can at any moment transfer it to any other PK address.
Crypto Currencies
Bitcoin Circulation
127 Nicolas T. Courtois 2009-2014
Sometimes IP addresses known, rare cases
Crypto Currencies
Attributions
DEFINITION“Attribution to PK” =
act of an owner of a previous attribution (always destroyed)
ignoring fees
a previous attribution (always destroyed)which transfers a certain amount to the new PK = A2
(using a digital signature)
Caveat: Each attribution can be traced back to the initial mining event.
Crypto Currencies
Fragmentation and Summation Rule
Each PK has a balance, say 20 BTC current balance = sum(unspent attributions).
Attributions are ALWAYS destroyed when used,
Crypto Currencies
From Single Attribution
Example• Change: return some money to ourselves inside the same transaction
– this implies most transactions have 2 or more outputs – most apps use the same address– could use another fresh address for better anonymity, but too lazy…
same owner?no way to know for sure…
Crypto Currencies
With Multiple Attributions
131 Nicolas T. Courtois 2009-2014
typical case, even for a single user
Crypto Currencies
Bitcoin Transfer
Transactions have multiple inputs and multiple outputs.
Input Bitcoin Addresses
132 Nicolas T. Courtois 2009-2014
Transaction Signed by All Owners with their SK
Output Bitcoin Addresses
Input Bitcoin Addresses0.2 BTC 1.3 BTC
0.001 BTC
0.499 BTC1.0 BTC + Fees
Crypto Currencies
Bitcoin Transfer
Transactions have multiple inputs and multiple outputs.– helps for anonymity.– destroys all current attributions, – requires everybody’s signature
Input Bitcoin Addressescan repeat, specifies
tx origin + index of each!
133 Nicolas T. Courtois 2009-2014
Transaction Signed by All Owners with their SK
Output Bitcoin Addresses
Input Bitcoin Addresses
The transaction is signed but invalid to start with , it becomes valid only when confirmed many times by other people (embedded in a new block)
0.2 BTC 1.3 BTC
0.001 BTC
0.499 BTC1.0 BTC + Fees
frequently repeat some input addressescould all belong to the same person
0 1
Crypto Currencies
Example 1
can repeat, tx origin + index of each is can repeat input addresses
134 Nicolas T. Courtois 2009-2014
tx origin + index of each is included in the rawtx
Crypto Currencies
Example 2 = Raw Transaction
list of input attributions: origin tx, index n , ECDSA signature
unique ID on 256 bits = the hash of the whole
135 Nicolas T. Courtois 2009-2014
list of output attributions
0
1
H(recipient PK)
amount BTC
Crypto Currencies
Remarks:
About 30 million transactions ever made.
To know the balance of one account, we must “in theory” store ALL the transactions which send money for this address and then check ALL transactions made since then to see some of these are not already spent. these are not already spent.
Full bitcoin network nodes stored all transactions ever made and checks their correctness (all the digital signatures).
About 15 Gbytes data, 24 hours full download.In practice one could skip check for things confirmed by many miners…
dangerous though. There is no absolute proof that miners have already checked them (maybe they forgot, a bug).
Crypto Currencies
*Multiple signers:
Issues:• Who signs first?
– In any order.
• What if one signs and other refuse?– Transaction is non-existent. – Cannot be used to sign something different. – Cannot be used to sign something different.
• Do they KNOW what are they signing? – Yes, well, not sure
• What if some other inputs in this transaction are involved in illegal activity?
Crypto Currencies
*Chaining and Checks
one branch of a tree:
1 output 1 output 1 output1 output 1 output1 output
1 output
Crypto Currencies
What If / Answer• My private key or password is lost.
• I have an older backup for my wallet
142 Nicolas T. Courtois 2009-2014
Crypto Currencies
What If / Answer• My private key or password is lost.
• I have an older backup for my wallet•All money is lost, NOBODY can recover it•Some money will be recovered, not all.
143 Nicolas T. Courtois 2009-2014
Crypto Currencies
What If / Answer• My private key or password is lost.
• I have an older backup for my wallet
• Password is easy guess• RNG is faulty
•All money is lost, NOBODY can recover it•Some money will be recovered, not all.
144 Nicolas T. Courtois 2009-2014
Crypto Currencies
What If / Answer• My private key or password is lost.
• I have an older backup for my wallet
• Password is easy guess• RNG is faulty
•All money is lost, NOBODY can recover it•Some money will be recovered, not all.
•My money will be stolen by an anonymous hacker ASAP.
145 Nicolas T. Courtois 2009-2014
Crypto Currencies
Bitcoin Mining
• Minting: creation of new currency.Creation of “money”
+re-confirmation of older transactions
data from previoustransactions
148 Nicolas T. Courtois 2009-2014
HASH
Crypto Currencies
*Quiz Question
• What is wrong here?
data from previoustransactions RNG
miner’s private key
149 Nicolas T. Courtois 2009-2014
HASH
must start with 64 zeros
Crypto Currencies
Block Chain
Def: The bitcoin transaction
database shared by everyone.
150 Nicolas T. Courtois 2009-2014
Crypto Currencies
Bitcoin Ownership
Ownership:– “policed by everyone”: – only the owner of the ………
can transfer [a part of] 25 BTC produced.
data from previoustransactions RNG
miner’s public key
151 Nicolas T. Courtois 2009-2014
produced.
HASH
must start with 64 zeros
Crypto Currencies
Bitcoin Randomization
Nonce = def?
Which arrow?
data from previoustransactions RNG
miner’s public key
152 Nicolas T. Courtois 2009-2014
HASH
must start with 64 zeros
Crypto Currencies
Bitcoin Randomization
Nonce = Number Used Only Once
Strange: it repeats in the main bitcoin block chain.
data from previoustransactions nonce
miner’s public key
153 Nicolas T. Courtois 2009-2014
Example: 0x04111A63 x 2
What is responsible for that? What else can be randomized here?Why this is necessary?
HASH
must start with 64 zeros
Crypto Currencies
Bitcoin Mining
• Minting: creation of new currency.Creation+re-confirmation
of older transactions
Random Oracle – like mechanism.
data from previoustransactions RNG
miner’s public key
154 Nicolas T. Courtois 2009-2014
What????????????????HASH
must start with 64 zeros
Crypto Currencies
Bitcoin Mining
• Minting: creation of new currency.Creation+re-confirmation
of older transactions
Random Oracle – like mechanism
data from previoustransactions RNG
miner’s public key
155 Nicolas T. Courtois 2009-2014
Means: treat as a DETERMINISTIC black box which answers at random.
YES it is… However now I’m going to show it isn’t.
HASH
must start with 64 zeros
Crypto Currencies
Bitcoin Mining
• Minting: creation of new currency.Creation+re-confirmation
of older transactions
Random Oracle – like mechanism
data from previoustransactions RNG
miner’s public key
156 Nicolas T. Courtois 2009-2014
Means: treat as a DETERMINISTIC black box which answers at random.
YES it is, However now I’m going to show it isn’t.Marginal improvement (a constant factor) .
HASH
must start with 64 zeros
Crypto Currencies
Five Generations of Miners
1. CPU Mining
Example: Core i5 2600K, 17.3 Mh/s, 8 threads, 75W
157 Nicolas T. Courtois 2009-2014
CPU = about 4000 W / Gh/s
Crypto Currencies
Four Generations of Miners
2. GPU Mining
Example: NVIDIA Quadro NVS 3100M, 16 cores, 3.6 Mh/s, 14W
159 Nicolas T. Courtois 2009-2014
CPU = about 4000 W / Gh/s, in this caseGPU = about 4000 W / Gh/s, in this case
Who said GPU was better than CPU?Not always.
Crypto Currencies
Four Generations of Miners
3. FPGA Mining
Example: ModMiner Quad, 4 FPGA chips, 800 Mh/s, 40W
160 Nicolas T. Courtois 2009-2014
CPU,GPU = about 4000 W / Gh/sFPGA = about 50 W / Gh/s, in this case
Crypto Currencies
Four Generations of Miners
3. FPGA Mining
Example: ModMiner Quad, 4 FPGA chips, 800 Mh/s, 40W
161 Nicolas T. Courtois 2009-2014
CPU,GPU = about 4000 W / Gh/sFPGA = about 50 W / Gh/s
100x less energy.
Crypto Currencies
*Why Negative?
162 Nicolas T. Courtois 2009-201413 April 2013 – “Digital Gold”
(now stopped )
Crypto Currencies
Five Generations of Miners
FPGA: 100x less energy.
Still much less with ASIC: Good points: asynchronous logic, arbitrary gates, etc..Drawback: hard to update!
163 Nicolas T. Courtois 2009-2014
Another 10 – 100 times improvement.(100x is cheating:
I was comparing one 28 nm ASIC to one 45 nm FPGA)
Crypto Currencies
Five Generations of Miners
4. ASIC Miners
CPU,GPU = about 4000 W / Gh/s
164 Nicolas T. Courtois 2009-2014
CPU,GPU = about 4000 W / Gh/sFPGA = about 50 W / Gh/sASIC = now down to 0.35 W / Gh/s
Overall we have improved the efficiency 10,000 times since Satoshi started mining in early 2009…
Like 1000% per year improvement.
Crypto Currencies
Hash Rate - Doubles Nearly Every Month!
165 Nicolas T. Courtois 2009-201413 April 2013 – “Digital Gold”
Crypto Currencies
Five Generations of Miners!
5. Quantum Miners?
Business Law:
Every technology
166 Nicolas T. Courtois 2009-2014
Every technology improved by 30%, 67%, 1000%
each year???????????????
Crypto Currencies
and their angry customers
“Bad-Fly” Labs
167
1 W per GH/s????????????????????
3.2 W !!!!!!!!!!!!!!!
Payment and Crypto Currencies Mining
By power / Gh/s
ASICs Comparison
0.35 W low power mode
1 W
3.2 W
169 Nicolas T. Courtois 2010-2013
1 W
cf.https://en.bitcoin.it/wiki/Mining_hardware_comparis on
1 W
Crypto Currencies
Miners for Cash
Available since April 2014.
Before: it was IMPOSSIBLE for miners to evaluate the profitability of
their investments.
171 Nicolas T. Courtois 2009-2014
Waiting for 6 months is like getting…. 50 TIMES smaller return, like 2% of the original expected income for a miner…
Crypto Currencies
Total Cost? 0.5 -1.0 Billion USD
Quick estimation of the cost of hardware as of April 2014:Current hash rate 40,000 Th/s (April 2014)Assume most people use Neptune first generation which costed
3500 USD for 0.25 Th/s of hash power (better devices exist frankly just in pre-orders, well for a majority of people).
172 Nicolas T. Courtois 2009-2014
So current hash rate might have costed 40,000 x 4 x 3,500 USD, so maybe 600 M dollars in hash equipment.
However probably most people still use miners NOT as good as Neptune, then probably this is 2 times more... So maybe it is already more than 1 billion today.
600 M / 100 K people = 6000 USD typical investment?
Crypto Currencies
Mining Overviewhashed data from previous transactions
3x SHA-256 compression
175 Nicolas T. Courtois 2009-2014
Goal: find a valid pair (merkle_root, nonce)which gives 60 bits at 0 in H2
CISO Problem : Constrained Input Small Output
Crypto Currencies
Bitcoin Hash Functions
177 Nicolas T. Courtois 2009-2014
Hash FunctionsAnd Block Ciphers (!)
Crypto Currencies
SHA-256 Compression Function
cf. Pieprzyk, Matusiewicz et al.
block cipher
Davies-Meyer
Crypto Currencies
Fact:
The process of BitCoin Mining is no different than a brute force attack on a block cipher:
– Apply the same box many times, with different keys…– Here the block cipher is a part of a hash function but it does NOT
matter.• 98% of computational effort is
evaluating this block cipher box with various keys and various inputs
179 Nicolas T. Courtois 2009-2014
evaluating this block cipher box with various keys and various inputs• Like a random oracle.
BLOCK
CIPHER
PLAIN
KEY
Transforms a block cipher into a hash function.In SHA-256 we have: block size=256, 64 rounds, key size=256 expanded 4x.
Crypto Currencies
Davies-Meyer
M_imessage block
180 Nicolas T. Courtois 2009-2014
KEYCIPHER
PLAIN
IV or last hash
HASH
M_i
Crypto Currencies
Optimising Mining (39% gain w.r.t. best ASIC)
182 Nicolas T. Courtois 2009-2014
(39% gain w.r.t. best ASIC) Like Generation 4.1.
Crypto Currencies
Improvement 3 –
Gains 3 Rounds
At the Beginning Beginning
–they do NOT depend
on the nonce
Crypto Currencies
Improvement 6 –
Saving 2 More Additions ≈ 400 gates
with Hard Codingwith Hard Coding
AND SAVE LIKE HALF of the next addition!
(addition with a constant = cheaper, depends on the constant)
Crypto Currencies
Improvement X
Classical trick: Carry Save Adders.
C.S.A.
abc
abc
a+b+ca+b+c
ps
sc
197 Nicolas T. Courtois 2009-2014
a+b+ca+b+ccost = 1+ ε adderscost = 2 adders
Crypto Currencies
Whole Round
Only twofull adders.
A t Bt Ct Dt Et Ft Gt Ht
1
Ch()
KtC.S.A. C.
S.A.
C.S.A.
C.S.A. Wt
198 Nicolas T. Courtois 2009-2014
At+1 Bt+1
Ct+1
Dt+1
Et+1
Ft+1
Gt+1
Ht+1
0
Maj() C.S.
A.C.S.A.
A.
Crypto Currencies
Improvement 7 - Fact:
Some early values do NOT yet depend on the nonce. In H1 computation only (left column).
Crypto Currencies
Improvement 7 – 3 more
2 more 32-bit additions are saved by hard coding, and more for the next addition
(again, adding a constant, depends on the constant, average cost maybe saving another 1? addition).
Some 600 extra gates saved. Some 600 extra gates saved.
Crypto Currencies
Improvement X2
Also use Carry Save Adders in message scheduling.Only 1 full adder in each of (only) 48-3 values which need still to
be computed.
204 Nicolas T. Courtois 2009-2014
Crypto Currencies
San Diego Bitcoin Conference May 2013
Earlier he said that he has no stakes in ‘this game’. Then at minute 40 he claims that the current Bitcoin Proof of Work function based on SHA-256 will not survive “the year” (to be replaced before end of 2013). He says that assigns zero percent probability that “we” will continue with the present POW function”. Back to CPU mining.
https://www.youtube.com/watch?v=si-2niFDgtI
Crypto Currencies
SHA-256 to be phased out?
https://www.youtube.com/watch?v=si-2niFDgtI
HOWEVER:
NOBODY OWNS BITCOINWe claim the contrary: any attempt to change the POW is close
to impossible to enforce AND if mandated by some group of people, it will lead to a SPLIT IN THE BITCOIN COMMUNITY.
An organised divorce of people and software developers who will be running two separate block chain versions.
Crypto Currencies
Why Pools?
Reason 1. To smooth the gains: Instead of waiting 1 year to get 25 BTC, why not get a little money every day?
Reason 2. Huge Incertitudes: Law Of Bitcoin Minining: It follows the Poisson Distribution: – If for example in 1 month the miner expect to find 4 blocks, the
standard deviation is about √4=2.standard deviation is about √4=2.– In one month he will find 6 is some months he will find 2, sometimes
he will find 0.
VERY STRESSFUL. Cannot sleep at night. • Does my miner work correctly??? Wait for 10 years to see…• Are other miners cheating? Am I getting a fair share???
– [YES, as we will see later miners can cheat and earn more than other miners]
Crypto Currencies
What Are Pools?
• A group of small/larger miners who work together. Also protects their anonymity, also a social dimension:
• Effectively a cooperative: can provide support, mentoring, shared hosting, stats, management apps etc…
• Beware: single point of failure: pool servers.– can break down, miners will lose millions of dollars.– can break down, miners will lose millions of dollars.– can attack the network (for example filter transactions which are
accepted).
Crypto Currencies
Major Pools In Existence
Miners tend to flock to the largest pools.One pool has in early 2014 reached 50%. They have publicly said: please leave, do not join.• 50% attack = total control of bitcoin by one single entity.
Ukraine
Crypto Currencies
Pools Operation
Question: but is there a “fair and secure” implementation?
Answer: Probably There Isn’t. There is already ample literature on this.
Crypto Currencies
Bitcoin Share
A proof of effort: allows one to be paid.=def= A hash starting with 32 zeros (one in 232 hashes).
B064 zeros
32 zerosreward paid
Crypto Currencies
Bitcoin Share
A proof of effort: allows one to be paid.=def= A hash starting with 32 zeros (one in 232 hashes).
B064 zeros
32 zerosreward paid
B0 B164 zeros64 zeros
much later, after 2 32 shares have been found…
new block
Crypto Currencies
Trouble With Mining Management
Q: How to prevent people from hiding their “winning ticket” from the pool? Maybe embed information about “the pool“ inside each potential block data. Not enough:
*Solution 1: Mine with a private key known to individual miners?
⇒Allows all miners to cheat. ⇒We would need to trust the network (e.g. other miners) not to accept
this block outside of the pool. Seems impossible.
Solution 2: Mine with a private key not known to individual miners!
⇒Allows the pool manager to steal the money. Must be trusted.⇒BTW. This risk is mitigated by frequent pay-outs
⇒The only plausible solution in existence.
Crypto Currencies
*Stale/Rejected Shares
No precise definition, Used when large quantities of shares out of date are produced,
problem in a pool where miners have not been notified that their work is out of date.
(it might however re-become good later) due to fork situations.
B0 B1
32 zerosuseless share…
64 zeros64 zeros
32 zerosreward granted
Crypto Currencies
**Dupe Shares
Apparently in certain pools it does happen that 2 people produced the same share.
Short answer: Pools should be designed in such a way that it does not happen…
Crypto Currencies
Pool Hopping
The ``Pool Hopping Attack'' was amply studied by RosenfeldIt allows malicious miners to obtain gains which are in
proportion higher than their fair share.How?
Remember the pools work like a lottery, a group of people plays together for up to 1 winning ticket to share.
Crypto Currencies
Pool Hopping – Main Idea
If a miner mines in a pool in which a lot of shares have already been submitted and no block has yet been found, he will gain less in expectation because the reward will be shared with the miners who have contributed to this pool.
Therefore at a certain moment it may be profitable to stop Therefore at a certain moment it may be profitable to stop mining in this pool and contribute elsewhere (reward will be shared with less people).
This remains valid even if the pools penalize leavers and refuse to pay for their contribution if they do not mine for a complete ``shift''. It is still profitable for miners to quit and mine for another pool (or mine independently).
Crypto Currencies
Pool Hopping – Defenses
This attack works more or less well depending on how exactly pools are managed and also depending on the actions of other miners.
It can be shown that hoppers will earn more than normal ``continuous'' miners.
Various reward and pool management methods have been Various reward and pool management methods have been proposed in order to discourage pool hopping and some reward methods can be shown to be immune to this attack.
[cf. Rosenfeld works]
Crypto Currencies
Mining Cartel Attack
50% of miners decide to totally ignore blocks mined by other people. Likely to always succeed.
Only subversive miners make money from mining.
(there is no need to cheat on transactions, would also be possible for 50% of miners).
Crypto Currencies
*Difficulty Raising Attack
Very theoretical, powerful adversary.[Lear Bahack 2013] A powerful attacker is secretly preparing an alternative version
of the blockchain.At the same time he is manipulating the automatic difficulty
adjustment mechanism in his secret chain in order to adjustment mechanism in his secret chain in order to increase the probability of eventually that his chain will be recognized as surpassing the public honest chain.
If this happens, the attacker reveals his secret chain.This can be used to commit double-spending or to cancel some
transactions.
Crypto Currencies
Confidential Crypto Optimization Attack
A group of miners hire cryptologists to develop a secret method to mine more efficiently.
Similar but better than 39% gain of:
Nicolas Courtois, Marek Grajek, Rahul Naik:The Unreasonable Fundamental Incertitudes Behind Bitcoin
Mining, http://arxiv.org/abs/1310.7935
Crypto Currencies
Selfish Mining and Block Discarding Attacks [2013]
229 Nicolas T. Courtois 2009-2014
Crypto Currencies Mining
Selfish Mining Attacks
Proposed independently by Eyal-Sirer [Cornell] and also by Bahack [Open Univ. of Israel] in 2013.
It is about building secret extensions and disclosing them later.wasted effort
• In fact this is a very theoretical attack, most probably without a lot of practical importance…
• It relies entirely on “very rare events”, – most of the time there is no advantage to the attacker.
reward
Crypto Currencies
Selfish Mining Attacks
Assumption 1:If there is the longest chain in the bitcoin blockchain,
everybody mines on it. Called “consensus” Doing otherwise would be really stupid.
Crypto Currencies
Selfish Mining Attacks
Assumption 2:At any moment during the attack there are up to two competitive
public branches one of which can have a secret extension.• we have either just one branch
(with possibly a secret extension by the attacker’s)by the attacker’s)
• or a public fork with two branches of equal depth k
in the case of a fork one branch is composed solely of honest miner's blocks and the other is composed solely of attacker's blocks (which at moments can have a secret extension).
Crypto Currencies
Selective Disclosure
Attackers keep their blocks secret for some time, in order to make the honest majority lose energy mining on obsolete blocks.
However when other find a block, subversive miners disclose their ASAP. Known to them A BIT earlier. Small advantage.
Crypto Currencies
Fork Strategies
Subversive Miners mine on their own branch only.
Honest miners mine on both, depending on network Honest miners mine on both, depending on network propagation[current state].
• received first [current bitcoin software]• or chosen at random [suggested countermeasure]
OR
Crypto Currencies
Overall Result
Subversive miners can earn a bit more. Not a big deal.
Remark[Courtois]this attack is all about
e.g.
later wasted
events which almost never happen in the current bitcoin network.
Unlikely to get very significant…
Crypto Currencies
Fix It?
Countermeasure 1: [Cornell researchers]There is no minority attack if honest miners mine at random.
Countermeasure 2: [Bahack]: Fork punishment [for all miners].
Will make the attack completely insignificant…
Crypto Currencies
Block Withholding AttacksCf. Nicolas Courtois, Lear Bahack:On Subversive Miner Strategies and Block Withholding Attackin Bitcoin Digital Currency http://arxiv.org/abs/1402.1718
Crypto Currencies
Main Result
We revisit a known idea: block withholding.The miners mine in pools, they report shares but in (very rare)
case when they find the ‘winning’ tickets.
We show that this attack cannot be detected, not even in theory.theory.
We show that for very large pools, it will be visible, but nobody can say who is responsible.
This attack was known [Rosenfeld] and in the initial version the subversive miners gained nothing: everybody lost.
Crypto Currencies
Our Block Withholding Attack
We propose a better version, in which subversive miners DO get more than their fair share.
It is very simple:• 50 % of subversive miners withhold blocks they fin• 50 % mine solo normally (or in other pools).• 50 % mine solo normally (or in other pools).
We show that: 50-50 split maximizes the gain.
We claim that this simple attack is by far more practical and more realistic than the Cornell attack [1000s of press reports].
Crypto Currencies
**Buying a Fork
A fork in the main chain can be created retroactively…
=> In order to cheat: roll-back one or many large transactions from 0-4Y ago.
However high is the bitcoin price at any moment in the future, However high is the bitcoin price at any moment in the future, we have the following problem: in the future the percentage of newly created coins in 4 years (>= the price of roll-back), is becoming increasingly small compared to all the existing money in circulation in the Bitcoin network…
Crypto Currencies
Fact
Only 21 millions of bitcoins will ever be made.• 60% were already made.
Genius or a monumental mistake of Satoshi? Genius or a monumental mistake of Satoshi? • Great now, frequently praised for that,
– in bitcoin governments cannot print more money….
• I claim that it will kill bitcoin in the future – (well really ????)
Crypto Currencies
Growth Coins vs.
Deflationary Coins
247 Nicolas T. Courtois 2009-2014
Deflationary Coins
Crypto Currencies
Another Argument by Robert Sams
From Robert Sams, “The Marginal Cost of Cryptocurrency”: http://cryptonomics.org/2014/01/15/the-marginal-cost-of-cryptocurrency/
Other reasons to avoid bitcoin: volatility due to the existence of people holding large balances for speculation. He claims that this leads to a “toxic amount of exchange rate volatility”.
Not super convincing but plausible.
248 Nicolas T. Courtois 2009-2014
Not super convincing but plausible.
“Bitcoin [..] has a free rider problem, whereby speculative coin balances, which benefit from the system’s costly hashing rate are effectively subsidised by those who use bitcoins primarily as a MOE. These speculative balances repay the favour by adding a toxic amount of exchange rate volatility, providing yet another reason for the transaction motive to run away from log coin MOE. “
Crypto Currencies
Why Growth Coins Will Win???
This argument comes from Robert Sams, “The Marginal Cost of Cryptocurrency”: http://cryptonomics.org/2014/01/15/the-marginal-cost-of-cryptocurrency/
Argument: sooner or later “growth coins” vs. “deflationary currencies” which he improperly calls “log coins” will be in competition.
Then the argument is not very clear, he claims more or less that: • in deflationary currencies, most of the profit from appreciation will be received b y
249 Nicolas T. Courtois 2009-2014
• in deflationary currencies, most of the profit from appreciation will be received b y holders of coins through their constant appreciation
• little profit will be made by miners who control the network nevertheless => they will impose high fees
• in growth coins, there will be more seignorage profit and it will be spent on hashing. Miners will make good profits and transaction fees will be lower.
• thus year after year people will prefer growth coins…
Crypto Currencies
“Stupid Coin” syndrome.
Exact clones are UNBELIEVABLY stupid.• just stupid copy and paste of open source code• they are all broken: powerful people DO HAVE sufficient
computing power to double spend and cheat at any moment…
• as really worthless assets they are funny and can attract
252 Nicolas T. Courtois 2009-2014
• as really worthless assets they are funny and can attract speculators because of built-in self-destruction (studied later)
• have some value due to “anonymity services” they provide• they have tiny chances of survival:
– network effects make ALL stupid clones highly problematic because a currency cannot exist without having a large community of adopters…
Crypto Currencies
Market Caps [2 March 2014]
fake: Icelanders could only sell it after March 25, price 20x less 1 month later
253 Nicolas T. Courtois 2009-2014
All the other are too weak to stand on their feet…
Crypto Currencies
“Stupid Coin”?
More serious contenders must have 1+2:1. Have a number of adopters (or pay for promotion/advertising)
– have operational wallet software like android…
255 Nicolas T. Courtois 2009-2014
– be traded on exchanges…
2. Display some sort “competitive advantage”, must be different or better than bitcoin in some aspect– actually should by like substantially better,
• adoption barriers: small improvements are just NOT enough
Crypto Currencies
Review
For each contender we look at strong and weak points.
We start with weak points of bitcoin itself … => because altcoins can only claim to exist if they do sth that bitcoin does not do.
=> ****Actually all other things being equal smaller competitors of bitcoin are bound to die if they they are as
256 Nicolas T. Courtois 2009-2014
=> ****Actually all other things being equal smaller competitors of bitcoin are bound to die if they they are as good as bitcoin, just because they are smaller [theory of self-destruction, studied later].
Crypto Currencies
BitCoin
Cons:• Only very basic functionality• Bad anonymity
257 Nicolas T. Courtois 2009-2014
• Bad anonymity• No longer democratic, monopolized by cartels• “Bad” monetary policy in the long run… • Performance
– Slow transactions– Important hard drive usage by clients (14 G)– Takes ages to synchronize (like 1 day on a good PC)
Crypto Currencies
Scam Coins
Avoid, listed at
http://altcoins.com/scamcoins
258 Nicolas T. Courtois 2009-2014
Crypto Currencies
LiteCoin = LTCPros:• Number 2 = “digital silver”, at moments was 1 Billion USD Market Cap. • Exchanged at many exchanges • Android client, >10 000 downloads.• MORE DEMOCRATIC – SCRYPT mechanism. Mined with GPUs.
– many people will mine LTC just because they have nothing to do with their GPUs.
• went up from like 1 USD to 40 USD in Dec 2012.
259 Nicolas T. Courtois 2009-2014
• went up from like 1 USD to 40 USD in Dec 2012. • “Made in China”, well almost.
Cons: • clearly appreciation went a lot upwards just due to the rising price of
bitcoins, NOT because Litecoin is used or exchanged more. – Bad sign for all altcoins.
• world is full of recycled GPUs no longer profitable for bitcoins, owners have no choice, they just mine litecoins even if profitability is very low.
Crypto Currencies
PeerCoin = PPCoin = PPC
Pros:• Number 3, 100 M USD market cap.• Exchanged at BTC-e.• POW+POS (Proof of Stake), even more democratic, green• Unlimited monetary supply (“growth coin”)
260 Nicolas T. Courtois 2009-2014
• Unlimited monetary supply (“growth coin”)– adding at most 1% more coins each year, – similar to gold itself or better!
Cons: • Does not promise to go through the roof for savers.• Partly centralized: check pointing•
Crypto Currencies
**QuarkCoin = QRK
Pros:• Some 20 M USD market cap...• Multiple hashing • New block every 30 seconds• Again linearly growing monetary supply
261 Nicolas T. Courtois 2009-2014
• Again linearly growing monetary supply– adding at most 0.5% more coins each year, – again similar to gold itself
Cons: • Not better than Peercoin?
Crypto Currencies
DevCoin = DVC
Pros:• Pays developers, artists etc..• Super ethical: “Devcoins provide an income for everyone who
wants to work”, even if they are not very competitive.
262 Nicolas T. Courtois 2009-2014
Cons: • small adoption….
Crypto Currencies
NameCoin = NMC
Brilliant :• coins are generated for free when mining bitcoins (“merge mined”)• key/value registration and transfer system like DNS
Cons: Cyber squatters buying pairs to re-sell them later
263 Nicolas T. Courtois 2009-2014
Cyber squatters buying pairs to re-sell them later
Crypto Currencies
PrimeCoin = XPM
Pros:• Does sth. Interesting for cryptologists and mathematicians.• Traded on BTC-e.
Cons: • Not widely known yet, little press coverage.
264 Nicolas T. Courtois 2009-2014
• Not widely known yet, little press coverage.
Crypto Currencies
*TerraCoin = TRC
Cons: one of these stupid-coins without a single distinctive feature.
265 Nicolas T. Courtois 2009-2014
Crypto Currencies
*FeatherCoin = FTC
A fork in litecoin blockchain.
• Minor differences
266 Nicolas T. Courtois 2009-2014
Crypto Currencies
*NovaCoin = NVC
A descendant and sort of clone of peercoin
Pros:• Same as PPC• Variable inflation: depends on popularity. How?
267 Nicolas T. Courtois 2009-2014
Cons: • Same as PPC
Crypto Currencies
*AnonCoin = ANC
Pros:• Much better anonymity claimed • Traded on Coinex, Vircurex, Cryptsy
Cons:
268 Nicolas T. Courtois 2009-2014
Cons: • 1 G$ market cap only• Obscure, no info found
Crypto Currencies
*FreiCoin =
Very very strange...
Pros:• “currency for a working class”? vaguely ethical…• Discourages hoarding:
– free transactions,
269 Nicolas T. Courtois 2009-2014
– a fee for holding coins (they decay), like a property tax
Cons: • Why buy it? Poor adoption.
Crypto Currencies
“Programmed Self-Destruction”
Nicolas Courtois: On The Longest Chain Rule and Programmed Self-
270 Nicolas T. Courtois 2009-2014
Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534
Older version also at http://cryptome.org/2014/05/bitcoin-suicide.pdf
Crypto Currencies
Its in the DNA…
Theory of “Programmed Self-Destruction” [Courtois May 2014]
271 Nicolas T. Courtois 2009-2014
Crypto Currencies
*Unobtanium = UNO
NOT TO BE CONFUSED WITH Unocoin=Bangalore-based Indian exchange which trades BTC/USD, but they DO NOT EVEN trade any UNO
273 Nicolas T. Courtois 2009-2014
Crypto Currencies
Unobtanium = UNO – super-rare
unobtanium.io“The cryptocurrency of serious traders” ☺
Pros:• already has non-negligible value, 0.01 BTC• SHA256, reuse bitcoin ASICs
274 Nicolas T. Courtois 2009-2014
• SHA256, reuse bitcoin ASICs• traded at several exchanges• fast: about one block per 1.24 minutes• fixed monetary supply
Cons: • Tiny market cap: 1 million dollars• no genuine transactions?, close to zero tx/block, pure Ponzi?• there is much worse….
Crypto Currencies
Unobtanium In Trouble?
• UnobtaniumHUGE PROBLEM!
275 Nicolas T. Courtois 2009-2014
Crypto Currencies
Unobtanium In Trouble?
• very rare: only 250,000 will be ever made, • acceleration: reward halving every 3 months…• so what?
HUGE PROBLEM!
276 Nicolas T. Courtois 2009-2014
smells programmedself-destruction
Crypto Currencies
Unobtanium Facts
• 2/3 of coins were already mined in a short time since 10/2013• As of March 2014 similar profitability as bitcoin mining• Predicted to collapse VERY quickly: • 3 months later UNO market price (now 5.67 USD) must increase twice
OR miners will instantly switch their ASICs to BTC mining… wicked!• then it must double in the next 3 months… Hard to imagine…
277 Nicolas T. Courtois 2009-2014
• Then on 29 Sept 2014 it must achieve 15,000 USD, see the exact block halving mechanism. KILLER SWITCH!
• If it cannot appreciate so much… It will crash very badly.• time to short UNO!
Crypto Currencies
Unobtanium Death Warrant
– MAJOR ANOMALY: this currency is already destroying itself! • will always have small market cap <1G$ => small anonymity, small adoption etc…• in bitcoin the decline in mining profitability could be compensated by massive
adoption and fees, here the adoption is zero and fees are zero because transactions are virtually non-existent …
– miners are already running away from it as fast as they can, WITH SUDDEN JUMPS, evidence:
278 Nicolas T. Courtois 2009-2014
Crypto Currencies
Unobtanium Decline
– My prediction is that the hash power will decline to a ridiculously small value.
– Actually it HAS A KILL SWITCH : On 29 Sep 2014, the reward is DIVIDED 300 times overnight!!!!!!!!!!!!!!!!!!
– THIS WILL INEVITABLY LEAD TO TWO MAJOR HAZARDS:• it will become EASY to double spend,
279 Nicolas T. Courtois 2009-2014
• it will become EASY to double spend, – IT WILL COST A FEW DOLLARS to commit double spending attacks(!)
• it will become EASY to run a “mining cartel attack”: only accept blocks mined by members of a certain group.
• Further decline or total collapse predicted as soon as any of these two happens just once
Crypto Currencies
DogeCoin Death Warrant
– has seriously challenged LTC, 51% attack was possible in Feb 2014.– self-inflicted destruction shortly after?– http://bitinfocharts.com/comparison/hashrate-ltc-doge.html
281 Nicolas T. Courtois 2009-2014
shifting in both directions, sum=constant, correlation=-1
17 Mar halving!
Crypto Currencies
DogeCoin Predicted Decline– next block halving is… 28 April– One miner was able to execute a double spending attack! – YES! And quicker than I thought
282 Nicolas T. Courtois 2009-2014
– Prediction: all this is very bad for DOGEcoin, it will NEVER recover from this…
Crypto Currencies
Self Destruction?
Built-in in most current crypto currencies…
284 Nicolas T. Courtois 2009-2014
Crypto Currencies
Solutions?
– YES!– Later in these slides..– See also inside the paper:
Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534
285 Nicolas T. Courtois 2009-2014
Crypto Currencies
No Way Out
For Unobtanium and Dogecoin: their destruction is VERY HARD to prevent. • The only plausible way to do it: • Pay miners more in the future => produce more coins => break the
monetary policy
• Crypto currencies which claim to be a solution to solve the 2008
286 Nicolas T. Courtois 2009-2014
financial crisis, have in 1 year accomplished THE SAME DISASTER as our central banks:
• an exact equivalent of Quantitative Easing (QE): – they MUST now break their promise and print more coins….
• diluting the money of all the other people…
Crypto Currencies
CPU coins
Def. Coins designed to be mined with CPUs.
PGC – Pangucoin –China - based on scrypt-janeMEG – MemoryCoin – super-ethical? = aims to empower the economically
and financially marginalized
288 Nicolas T. Courtois 2009-2014
PTS – ProtoShares – claimed GPU resistant
Crypto Currencies
SLR
SLR = SolarCoin, started 22 Dec 2013• backed by two forms of proof of work. • SCRYPT + Solar Renewable Energy Certificate (SREC) that has been
generated and 3rd party verified.
• 60 second blocks
290 Nicolas T. Courtois 2009-2014
• 100 coins per block, halving every 526600 blocks (once a year)• 99% of coins premined and will be give to people who can bring a proof of
creating 1MW*hr of solar energy • 1% some are mined with SCRYPT.
Drawbacks: • advantageous for some countries• Fixed monetary supply, reward halving: future solar energy paid less…
Crypto Currencies
Fake market cap…All coins already mined, but NOT attributed => not in circulation, =>PEOPLE cannot sell, them,
=> fake Market Cap
291 Nicolas T. Courtois 2009-2014
Well not quite, because it is VERY COSTLY to produce 1MWh of solar power, so the DO HAVE large value? Not quite, coins are awarded NOT in exchange of energy, but for free for people who produce solar power, the solar power can be sold independently… depends on government subsidies available, NOT profitable to produce!
Overall this coin is very special, like a reflection of geography and government subsidies…
Crypto Currencies
Which Coins Actually Exist?
Remark: ALL SMALL COINS can be destroyed instantly, as just one rich person can have / rent 51% at any moment...
Which coins matter?
292 Nicolas T. Courtois 2009-2014
Crypto Currencies
Which Coins Matter
Some major coins wrt bitcoin, prices 2 March 2013:AUC – Auracoin - 0.04 BTCLTC – Litecoin – 0.024 BTCNVC – Novacoin – 0.013 BTCPPC- Peercoin- 0.010 BTCUNO – Unobtanium - 0.010 BTC
293 Nicolas T. Courtois 2009-2014
UNO – Unobtanium - 0.010 BTCXPM – PrimeCoin – 0.0026 BTCANC – AnonCoin – 0.0026 BTC
Totally misleading prices, look at market caps!
Crypto Currencies
Market Caps [2 March 2014]
294 Nicolas T. Courtois 2009-2014
All the other are too weak to stand on their feet…
Crypto Currencies
Ethereum
New currency with more powerful scripts, very powerful platform.• No limits in functionality, can be a lot more than a currency,
– implements “decentralized autonomous organizations” of arbitrary sort.
• Monetary supply grows linearly.
Applications:
296 Nicolas T. Courtois 2009-2014
• might liberate us from tyranny of Internet/software corporations, banks etc…
– crypto currencies– financial derivatives, – peer-to-peer gambling – on-blockchain identity and reputation systems– etc…
Lots of other innovations, uses SHA-3 (Keccak). Strongly ASIC resistant. Abstract simplicity: even basic features are encoded as scripts.
Crypto Currencies
A Ponzi scheme?
• Ponzi schemes collapse immediately when there are no new adopters…
• Any NEW currency can be seen as Ponzi scheme.
• Bitcoin will be alive if only current adopters continue to use it.– However investors might lose money, it could never be worth 1200 USD again…
298 Nicolas T. Courtois 2009-2014
Crypto Currencies
Reasons why bitcoin can go up beyond 1000 USD (1)
• Forex market is much bigger, just small part of it makes bitcoin worth a lot
• More people yet need to discover it
• Criminal economy is waiting for better anonymity (!),
299 Nicolas T. Courtois 2009-2014
for better anonymity (!), they will adopt it.
Cf. Darkcoin, Dark wallet, Zerocoin projects etc..
Crypto Currencies
More Reasons why bitcoin can go up beyond 1000 USD (2)
• Africa etc wants to be DE-COLONIZED from US dollar:
– they use dollars as a currency– they hold vast reserves in dollars– banks charge them as much as 19.2% for transfers vs. 5% average in G20 countries
[source: WorldBank, Send Money to Africa, Jan ’14]
300 Nicolas T. Courtois 2009-2014
[source: WorldBank, Send Money to Africa, Jan ’14]
• China needs it for bribes etc… Russia: 25% of the GDP.
Crypto Currencies
Bitcoin at $10,000 in 2014? Yes for 56% of Bitcoiners
UCL seminar also voted 9Y to 10N on 13.02.2014
301 Nicolas T. Courtois 2009-2014
Cf. http://www.coindesk.com/56-of-bitcoiners-believe-bitcoin-will-reach-10000-in-2014/
13.02.2014
Crypto Currencies
*****Reasons why bitcoin is worth a lot???
• Our planet’s resources are constant if not shrinking, the super-deflationary currency bitcoin is helpful: it reflects that.
• Maybe we a need for a currency like bitcoin for pricing of rare resources?.
• If it goes through the roof in USD (which are worth less and less) then it
302 Nicolas T. Courtois 2009-2014
will still be profitable for banks businesses and governments just to buy bitcoins instead of creating their own crypto currency.
– They will still make profit?
Crypto Currencies
Reasons why bitcoin can NOT go up beyond 1000 USD
• Anyone can create his currency, why pay to have coins?– Competition will kill bitcoin
• Current bitcoin can only handle 7 transactions per second worldwide – due to block size limit…
• to be fixed soon?
303 Nicolas T. Courtois 2009-2014
• Nobel price laureate Shiller says it is a bubble. For sure it is.
Crypto Currencies
Can Bitcoin Survive?
304 Nicolas T. Courtois 2009-2014
• Hash Power• Brand+Netwok Value
• Exempt from “Programmed Decline”?
Crypto Currencies
Why Bitcoin is Worth Sth:
Sources of their “intrinsic value” for crypto currencies.
• Network effects (positive externality).– Number of users– Their Medium of Exchange (MOE) function: sum of outstanding balances.– Trust and reputation etc…
305 Nicolas T. Courtois 2009-2014
– Trust and reputation etc…
• Is the ASIC infrastructure worth sth? YES?
WELL, MAYBE NOT QUITE AS MUCH. Next slides.
Crypto Currencies
*Recall: Crazy Hash Power Increase
Nearly doubled every month… 1000x in 1 year.
306 Nicolas T. Courtois 2009-2014
Crypto Currencies
Are ASICs Worth Sth?From Robert Sams, The Marginal Cost of Cryptocurrency: http://cryptonomics.org/2014/01/15/the-marginal-cost-of-cryptocurrency/
• “The amount of capital collectively burned hashing fixes the capital outlay required of an attacker to obtain enough hashing power to have a meaningful chance of orchestrating a successful double-spend attack on the system.”
• “The mitigation of this risk is valuable, and the more capital burned up
307 Nicolas T. Courtois 2009-2014
• “The mitigation of this risk is valuable, and the more capital burned up hashing a crypto currency’s network, the lower the expected frequency of successful double-spend attacks.”
This is actually already mistaken approach, see Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534
Crypto Currencies
Is Great Wall of ASIC Worth Sth?How much do we need these ASICs?
Q: Is there a way to circumvent it? Get the benefits for free or pay much less?
BTW. Bitcoin blockchain is opening for new applications (March 2014)!
308 Nicolas T. Courtois 2009-2014
for new applications (March 2014)!
Crypto Currencies
???** Circumvent The Costly Bitcoin Infrastructure?Free riders? =Can another coin use the Bitcoin infrastructure for free? Or maybe just pay the miners less for their effort? VERY SERIOUS question, because miners provide digital notary services “for free”:
additional things can be inserted in the block chain, hard to prevent. • YES in order to certify that a transaction has been issued by the owner of the key.
– things can be inserted in the blockchain at low cost (fees, some can be done for free).
• NO because bitcoin guarantees that the transaction is unique. It will NOT accept to police other transactions hidden in the blockchain (decide
309 Nicolas T. Courtois 2009-2014
It will NOT accept to police other transactions hidden in the blockchain (decide which ones are legitimate in case of double spending).
• However the unicity CAN also be guaranteed by timing: after 1 hour for example the transaction is considered final. One cannot inject anything retroactively inside the blockchain.
• Old conclusion:– So we conclude that bitcoin infrastructure is really worth sth. if we want fast confirmation
• more or less because the NSA cannot cancel the transactions once they are confirmed
– Maybe the bitcoin infrastructure is worth nothing in order to achieve slower payment applications…
Crypto Currencies
???**Circumvent Monetary Policy
Idea: Rent unused bitcoins for a short time => increase monetary supply. How to guarantee that they are returned? Implement fractional randomized reserve?
How???
310 Nicolas T. Courtois 2009-2014
Crypto Currencies
Bitcoin Monopoly RentsAccidental, more than deserved.
Programmed self-destruction [cf. new paper]: • other currencies have copied THESE EXACT mechanisms bitcoin
which makes them unable to survive. • good for bitcoin so far.
311 Nicolas T. Courtois 2009-2014
Crypto Currencies
Bad Reputation?• Miner over-investment and numerous pre-payment scandals, people earning 2x 10x 100x
less than expected…• MtGox thefts: at least 5% of all bitcoins in ciculation
312 Nicolas T. Courtois 2009-2014
• a Magnet for Criminals? – no, this would be Zerocoin, US dollar, 500 euro bills etc…
Crypto Currencies
10 May 2014Patrick Alexander quits bitcoin foundation
and states publicly that:• The foundation members need to emulate very high moral
values and ethics […] especially as it involves money. • So far, the track record of prominent Bitcoin Foundation
members has been abysmal. […] acts of a few, have
313 Nicolas T. Courtois 2009-2014
members has been abysmal. […] acts of a few, have overshadowed us all unfortunately.
• I no longer want to be associated with these people.• It is my wish that […] another organization can […] take its
proper place representing the great idea that is bitcoin.
Few other members also resigned immediately.
Crypto Currencies
New PaperNicolas Courtois: On The Longest Chain Rule and Programmed Self-
Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534• Bitcoin seriously lacks network neutrality:
miners are too centralized, have excessive discretionary powers, and can be made to participate in attacks without their knowledge
• Miners have over-invested, they will be tempted by criminal exploitation as a service through dodgy business ventures (e.g. bitundo.com)
315 Nicolas T. Courtois 2009-2014
as a service through dodgy business ventures (e.g. bitundo.com)• Nobody supports the ordinary peer-to-peer network and ordinary people
to do payments (poor security, poor transaction speeds, poor availability and poor promotion of secure bitcoin storage methods and practices)
Crypto Currencies
Longest Chain RuleThe longest chain rule might be OK in some applications, it fails bitcoin users
very badly. Much worse for weaker currencies.
We need some quick fix solutions. • Provide incentives for people to use bitcoin and to run peer nodes.• Use existing strengths of bitcoin in order to make blockchain manipulation
MUCH harder. How?
316 Nicolas T. Courtois 2009-2014
MUCH harder. How?
Crypto Currencies
ReinforcementsMake blockchain manipulation MUCH harder. • Use timing, the more a second transaction/signature comes later, the
more it should have negligible chances of being accepted.• More objective rules – less discretionary powers.• If there is a fork, incentives in place should be such that both branches
contain essentially the same transactions.• Miners should not hold bitcoin hostage.
317 Nicolas T. Courtois 2009-2014
• Miners should not hold bitcoin hostage.• Enable super fast zero-confirmation transactions.
Crypto Currencies
Ultra Fast Transactions!Very strange: Satoshi did NOT implement a timestamp for transactions.Impossible to distinguish between various situations.Impossible to manage double spending correctly.• Again, use the timing. • Ask other ordinary peer nodes to confirm your transaction for a fee, within
seconds, not a multiple of 10 minutes.• Chain and mix these confirmations.
318 Nicolas T. Courtois 2009-2014
• Chain and mix these confirmations.• Use timestamps and certify them by various electronic notary services.• Also use shares generated by miners (exist in vast quantities!). • Accumulate evidence that one version was propagated much earlier than
the other, and accept this version: MAKES BITCOIN MUCH FASTER.100x speed increase expected.
Crypto Currencies
Simultaneous Double SpendsNo strong opinion about what to do with these: It is possible to reject both: evidence that the private key was misused.(because we will have electronic evidence, money could be seized by bitcoin and donated to a charity which helps victims of bitcoin crime)
319 Nicolas T. Courtois 2009-2014
Crypto Currencies
Potential Problem (1)Big question: [Gerald Davis]Can this solution allow double spending attacks CHEAPER than forking the
blockchain? Just by corrupting the time attestation mechanisms?
320 Nicolas T. Courtois 2009-2014
Crypto Currencies
Potential Problem (2)Big question: [Gerald Davis]Can this solution allow double spending attacks CHEAPER than forking the
blockchain? Just by corrupting the time attestation mechanisms? Serious question. Possibly but in fact the opposite is probably true…
321 Nicolas T. Courtois 2009-2014
Crypto Currencies
Corrupting the Time Attestation Mechanisms? (3)Serious question. Possible but in fact the opposite is probably true: • we can trust the market to develop cheap reliable and decentralized
timestamping and certification mechanisms. Time is a reality which is far bigger than bitcoin blockchain and should be harder to manipulate
• there is a price to pay: knowledge of some private keys used before, need to corrupt people not known in advance
• certification by peers is closer to proof of stake than to proof of work
322 Nicolas T. Courtois 2009-2014
• certification by peers is closer to proof of stake than to proof of work
Crypto Currencies
Bribing + Network Attacks? (4)Can one bribe peers? continued. • Claim: if transactions are diffused and the “view” of the person being
attacked and the “view” of many other network nodes is essentially the same, there is no space for the attack.
=> this sort of attack requires some form of “network superiority” or manipulation, or the first transaction is diffused and there is no going
323 Nicolas T. Courtois 2009-2014
manipulation, or the first transaction is diffused and there is no going back. Or we have two transactions diffused. In both cases no attack, everybody sees the same reality, no attack.
In fact this question is independent from timestamping (next slide) and also works with “network superiority” alone:
Crypto Currencies
Network Attacks Alone? (5)Possible attack scenario with “network superiority” alone:• cheat the receiver with our transaction sent just to him, • control the network so that nobody else knows about this transaction,
– not diffused.
• emit another transaction later to the wide network, • make sure the victim receives it quite late…
324 Nicolas T. Courtois 2009-2014
Answer: It is the responsibility of people who accept zero confirmation transactions to check that the transactions on which they rely have been properly diffused in the network.
• Use all the bitcoin attestation mechanisms proposed above.• Check with well known https web sites (cannot be forged, can be
bribed/hacked though) etc. • Get insured.• Etc.
Crypto Currencies
One Final Comment
https://bitcointalk.org/index.php?topic=600436.0;all
325 Nicolas T. Courtois 2009-2014
Crypto Currencies
Anonymity???Transactions: ≥0 inputs, ≥1 inputsDue to practical reasons, most of the time (???)
ALL inputs belong to the same person or to people who know each other.
Crypto Currencies
Anonymity with PK-based Currency
For unspent money: hide any of– the owner’s ID (btw. his Public Key can be a secret, technicality!) – the “spending” location can be hidden with TOR
=> potentially with state of the art countermeasures, the potential thief has no way to locate the money!
328 Nicolas T. Courtois 2009-2014
Bad anonymity when you spend, • can split larger amounts in many pieces to avoid being seen
when you spend.• still hard to do…
Crypto Currencies
**Anonymity Citations• Bitcoin is NOT particularly anonymous BUT it
is SUPER DENIABLE – Dan Kaminsky⇒what does he mean???
⇒about creation of unlimited new identities?
329 Nicolas T. Courtois 2009-2014
⇒about creation of unlimited new identities? ⇒one person becomes many pseudonyms…⇒deniable = I can claim it was not me…
Crypto Currencies
**Anonymity?
Goal: return some money to itself inside the same transaction– use another fresh address for better anonymity– transactions also have multiple input addresses,
• allows perfect mixing in theory…
⇒ in practice we expect that “most of the time” most input addresses belong to the same person as one of the output addresses. ⇒ some geographical / side channel information could link them in pairs⇒ unless money is pre-split in standardized amounts like 0.01 BTC and always used as such.
⇒ Then no change is ever returned.
Due to practical and risk management questions, most of the time (?) ALL inputs belong to the same person or to people who know each other.
Crypto Currencies
AlsoThe secret billionaire syndrome:– in bitcoin the PK can be secret forever in practice (technicality)! – (also the payer location can be hidden very well, TOR). – potentially with state of the art countermeasures,
the potential thief has no way to locate the money!
– not so good anonymity when you spend, • can split in many pieces to avoid being seen when you spend.
331 Nicolas T. Courtois 2009-2014
• can split in many pieces to avoid being seen when you spend.
Crypto Currencies
Anonymity References:Robert McMillan: “Sure, You Can Steal Bitcoins. But
Good Luck Laundering Them”, August 2013.
Dan Kaminsky: Black ops of TCP/IP, presentation. Black Hat and Chaos Communication Camp, 2011
332 Nicolas T. Courtois 2009-2014
Fergal Reid and Martin Harrigan: An Analysis of Anonymity in the Bitcoin System, In Security and Privacy in Social Networks, Springer 2013
Crypto Currencies
Hard Or Easy?Robert McMillan: “Sure, You Can Steal Bitcoins. But
Good Luck Laundering Them”, August 2013.
Main points:• law enforcement has many ways of tracking down
a culprit .
333 Nicolas T. Courtois 2009-2014
• law enforcement has many ways of tracking down a culprit .
• bitcoin network is built in a way that can make it awfully difficult for criminals to spend the digital currency once they steal it
Crypto Currencies
Hard Or Easy?• you need to provide proof of identity to trade on Mt.
Gox or other exchanges– they can also hand other information such as IP
addresses and bank account numbers to investigators
• UBS 2014 report “Problematic Currency, Interesting
334 Nicolas T. Courtois 2009-2014
• UBS 2014 report “Problematic Currency, Interesting Payment System” is positive about legit usage of crypto currencies: – "In principle, financial institutions with existing anti-money
laundering systems in place (like banks) could adopt a common Bitcoin-like technology to facilitate fast and secure international transfers between end-users…”
Crypto Currencies
S/N question• while small-scale money laundering “seems quite possible”,
but the big fish will have problems• there simply aren’t enough places to exchange large
amounts of money in an anonymous way– bad news: look at these two addresses: suspected to
have laundered tens/hundreds of millions of dollars…
335 Nicolas T. Courtois 2009-2014
– https://blockchain.info/address/135N2nfAkextd6E25quXpM98qLSi2BccCb– https://blockchain.info/address/1Facb8QnikfPUoo8WVFnyai3e1Hcov9y8T
• S/N: “the money that’s moving around the system every day is just not enough to disguise large quantities of Bitcoin”
• super disturbing: anyone can setup a bitcoin exchange, lottery, market, etc. on the Internet.
Crypto Currencies
Laundry ServicesLike Bitcoin Laundry and Bitmix
• poor usability • likely to steal your money
337 Nicolas T. Courtois 2009-2014
Crypto Currencies
Cooperative Laundering - Main TrickKnown as “CoinJoin” method,
by gmaxwell, August 2013
user A0.5 BTC
user Afresh public key
338 Nicolas T. Courtois 2009-2014
txuser Bco-optedhas 0.5 BTC of is ownno risk of losing them
agree and sign tx independently
0.5 BTCuser Bfresh public key
which one is user A?Pb. At any later moment user B can betray himself
Crypto Currencies
Problems with Join Coin• User A can betray user B
• All inputs must have the same amount⇒Must return the change to yourself on a fresh address…
only to betray your identity later
339 Nicolas T. Courtois 2009-2014
Crypto Currencies
AltCoinsEach altcoin can be used to exchange to bitcoins and
back, hard to trace unless • you follow all altcoin companies
– E.g. their network communications, – or they cooperate with the police forces
• from public info:
340 Nicolas T. Courtois 2009-2014
• from public info: – timing and amounts of transactions in respective
blockchains
• these anonymity services is already a good reason why many “stupid” altcoins exist and have some non-zero market value!
Crypto Currencies
Rented Miners!You spend BTC from crime on rented miner ASIC.• Then you produce fresh coins! • No link (unless the cloud company traces you).
Even less link because of H0…
341 Nicolas T. Courtois 2009-2014
Crypto Currencies
Classical Ideas• Run a fake business• Play a Casino [bitcoin: provably honest casinos]• Manipulate a market… [use alt-coins] in order to
transmit money “wirelessly”: – example: inflate some asset on one side, profit from it on
the other side.
342 Nicolas T. Courtois 2009-2014
the other side.
Crypto Currencies
**Müllerian Mimicry• Imitate typical patterns of “innocent” bitcoin addresses.• Cf. David Naccache talk at CECC 2014.
343 Nicolas T. Courtois 2009-2014
Crypto Currencies
Anonymity Tips / Counter Arguments• use multiple addresses,
new address for each transaction
• create dummy movements• play lottery, buy/sell shares, exchange against
EUR/USD
• use mixing services, mix small amount at a
•no evidence that this helps, these addresses “meet” in the graph of transactions which is not a random graph
•must pay fees
•PERFECT if we cant trust these companies, nobody will now know which
344 Nicolas T. Courtois 2009-2014
• use mixing services, mix small amount at a time
• avoid EVER connecting your name with any of your Bitcoin addresses
• Hide you IP address with TOR
companies, nobody will now know which addresses belong to you
•close to impossible in practice
•Not a silver bullet
Crypto Currencies
Misconceptions / Counter Arguments• Bitcoin eliminates identity theft, there is no
identity to be stolen [Rosenberg-Anderson]•On the contrary, it creates new insidious forms of identity theft for the pseudonymous identity: •Example: steal someone’s private keys by a cyber attack, use for money laundering, this creates serious criminal justice problems against which there is no insurance
345 Nicolas T. Courtois 2009-2014
Crypto Currencies
“Invisible” Recipient? (for the time being)• Vaguely based on ideas by user=ByteCoin [Bitccoin forum]. • “Untraceable transactions […] are inevitable.”• Using Diffie-Hellman. Sender =A receiver =B. • Sender A knows the recipient’s public key gx mod P
and B knows A’s public key gy mod P.• A computes S=(gx)y mod P. • A computes H(S) as a seed for RNG, generates a deterministic new
bitcoin private key SK_transfer called the transfer address.
346 Nicolas T. Courtois 2009-2014
bitcoin private key SK_transfer called the transfer address.• A sends the money to this address.• Due to DH magic, B also knows this private key SK_transfer .• B takes the money and transfers them to new addresses.Remark: This is similar to a theft, the recipient B is anonymous only if he
can hide his network presence (e.g. using TOR) and as long as he is not yet spending the money. Requires a lot more work!
• The only real benefit is that nobody can initially associate the recipient B with his public key gy even though it is in a public directory.
Crypto Currencies
Software and Add-On Solutions
347 Nicolas T. Courtois 2009-2014
Solutions
to Make Bitcoin More Anonymous
Crypto Currencies
DarkWallet
Radical nearly-anarchist project
• Software which mixes 2 bitcoin transactions for people who do NOT know each other, mixing by default.
• A lightweight plug-in wallet for Chrome/Firefox.
348 Nicolas T. Courtois 2009-2014
Crypto Currencies
DarkCoin
Implementation of Coin-Join with several stages.Uses blind signatures in order to prove the input belongs to one of the
participants.Has a collateral deposit system: protects against badly behaving users, they
may lose money.
350 Nicolas T. Courtois 2009-2014
Cons: All the issues with CoinJoin.
Crypto Currencies
Zerocoin
Anonymous currency, ZK proofs. Initially proposed as an extension of bitcoin,
now it will be an independent currency.
Another similar proposal: Appecoin.
351 Nicolas T. Courtois 2009-2014
Crypto Currencies
Zerocoin
S secret serial number I commit to, needed to spend the coinr random needed to reveal S later onC=gShr
Producing Zerocoins:In Bitcoin blockchain 1 BTC => C, invalid H(PK), just destroyed 1 bitcoin,
352 Nicolas T. Courtois 2009-2014
In Bitcoin blockchain 1 BTC => C, invalid H(PK), just destroyed 1 bitcoin, this controls the monetary supply!
Remark: already protected against abuse, nobody wants to destroy bitcoins which cost money…
Now revealing this serial number S will be worth 1 BTC, like on-time signature mechanism??? , PROBLEM; must convince bitcoin developers to accept creation of bitcoins out of thin air!
Breaks bitcoin (or requires permission of bitcoin developers or/and a majority of miners).
Crypto Currencies
Zerocoin IssuesSource: https://bitcointalk.org/index.php?topic=279249.0Limitations:• uses cutting-edge cryptography: maybe insecure, understood by relatively few people• produces large (20kbyte) signatures that would bloat the blockchain (or create risk if in
external storage)• it requires a trusted party to initiate its accumulator. If that party cheats, they can steal coin.
(Perhaps fixable with more cutting-edge crypto.)• validation is very slow (can process about 2tx per second on a fast CPU), which is a major
barrier to deployment in Bitcoin as each full node must validate every transaction.
353 Nicolas T. Courtois 2009-2014
barrier to deployment in Bitcoin as each full node must validate every transaction.• large transactions and slow validation means costly transactions => will reduce the
anonymity set size• uses an accumulator which grows forever and has no pruning. In practice this means we'd
need to switch accumulators periodically to reduce the working set size, reducing the anonymity set size.
• some of these things may improve significantly with better math and software engineering over time.
But above all: Zerocoin requires a soft-forking change to the Bitco in protocol , which all full nodes must adopt, which would commit Bitcoin to a particular version of the Zerocoinprotocol. Politically contentious, as some developers and Bitcoin businesses are very concerned about being overly associated with "anonymity".
Crypto Currencies
Two GraphsFergal Reid and Martin Harrigan: An Analysis of Anonymity in the Bitcoin System, In Security and Privacy in
Social Networks, Springer 2013
Transactions form a DAG: Directed Acyclic Graph
355 Nicolas T. Courtois 2009-2014
Crypto Currencies
Second GraphPublic Keys Form A Graph in which money flows potentially in both
directions between any pair at various moments
356 Nicolas T. Courtois 2009-2014
Crypto Currencies
Initial Theft25,000 BTC
Initial steps: We can assume that all bitcoin
accounts initially involved are related to the thief?
357 Nicolas T. Courtois 2009-2014
Not quite after the theft, he donated some money to computer hacker group known as LulzSec.
Crypto Currencies
Analysis• flows split and then merge again• IP address reporting transactions• size of inputs/outputs• speed of transactions
(some are quite fast!)
Other sources of data
358 Nicolas T. Courtois 2009-2014
Other sources of data• order books with precise amounts
from exchanges
Crypto Currencies
Another Example of Actual CrimeA criminal gang promising non-existing miners (Hashblaster.com) run by a
non-existing company claimed to be based in Essen, Germany had numerous victims.
Some of these fraudulently obtained sums have transited through https://blockexplorer.com/address/1Nm1jYHo8WKuJc7Paq1VneAPdNtqcm
pm6t
359 Nicolas T. Courtois 2009-2014
Then they went to (next page).
Crypto Currencies
Bitcoin's most mysterious wallet?1Facb8QnikfPUoo8WVFnyai3e1Hcov9y8T
Initially it was a great mystery:• was active in the period from December 2013• total funds managed: 219,956 Bitcoins (estimated USD209 million)• fast growing, suspected to be a major laundry service etc...
360 Nicolas T. Courtois 2009-2014
Later it was found it belonged to MtGox! Q: Did MtGox check the identity of their customers?
Crypto Currencies
Tracing Larger Patterns (e.g. Geographic Patterns)
361 Nicolas T. Courtois 2009-2014
(e.g. Geographic Patterns)
Crypto Currencies
IP Address Per Transaction Reporting
© Bissessar Shiva and Nicolas Courtois, UCL 2013
362 Nicolas T. Courtois 2009-2014
Crypto Currencies
Currency Circulation
© Bissessar Shiva and Nicolas Courtois, UCL 2013
363 Nicolas T. Courtois 2009-2014
Crypto Currencies
Anonymity??? - Following 3.7 M$ For 24h
© Bissessar Shiva and Nicolas Courtois, UCL 2013
364 Nicolas T. Courtois 2009-2014
Crypto Currencies
Non-Anonymity Is Valuable:
Charity, political party, any publicly managed organization:
• Everybody knows how much money was donated.
366 Nicolas T. Courtois 2009-2014
• Everybody knows how much money was donated.• Everybody knows how money was spent.
Crypto Currencies
Important remark: US stock market is DECENTRALIZED (!).
One Wall street lawyer writes:• “the bitcoin network is actually reminiscent of a network
which was initially created to implement NMS [National Market Structure] regulations”.
Bitcoin vs. US Stock Market
369 Nicolas T. Courtois 2009-2014
Market Structure] regulations”. • “bitcoin technology is brilliant“ and maybe • a “kind of value transfer network that you could dream about
creating” for the stock markets – “if existing businesses had the luxury of a fresh start”
Source: Vivian A. Maese: Divining the Regulatory Futureof Illegitimate Cryptocurrencies, In Wall Street Lawyer, Vol. 18 Issue 5, May 2014.
Crypto Currencies
Edward De Bono: in the early 1990s wrote a pamphlet called "The IBM Dollar“
Dr. de Bono wrote that he looked forward to a time when “the successors to Bill Gates will have put the
Corporate Currencies Replacing the Stock Market?
371 Nicolas T. Courtois 2009-2014
“the successors to Bill Gates will have put the successors to Alan Greenspan out of business”, arguing in essence that it would be more efficient for companies to issue money than equity.
Edward de Bono argued that companies could raise money just as governments now do - by printing it.
Crypto Currencies
For Dr. de Bono: it was about "The IBM Dollar“ issued by IBM instead of raising money from the stock market.
His concept of “private currency”: • would be redeemable for IBM equipment,
Concept of Private Currency Based on Future Production
372 Nicolas T. Courtois 2009-2014
• would be redeemable for IBM equipment, • NOT at all like modern fiat, redeemable for nothing! Further startup scenario: • A start-up XX launches. Instead of issuing shares, it issues
XX-coin redeemable for future products/services. • E.g. a power plant start-up offers future kilowatt hours.
– In the early days, they are sold and trade at a significant discount to take into account the risks.
– Later this “private currency” goes up if company does well!