Page 1: DATA PRIVACY AND SECURITY
Source: danieleventuri.altervista.org/files/06_Bitcoin_1819.pdf
Master Degree in Data Science
Sapienza University of Rome
Academic Year 2018-2019
Instructor: Daniele Venturi (slides from a series of lectures by Stefan Dziembowski)
Page 2: Part VI: Cryptocurrencies
Bitcoin (Data Privacy and Security)
Page 3: History of Digital Cash
• 1990: Chaum's anonymous eCash
– Uses sophisticated crypto to achieve security and user anonymity
(Figure: eCash flow: withdrawal, pay, deposit)
Company founded in 1990… went bankrupt in 1998
Page 4: History of Digital Cash
• 2008: Bitcoin announced by Satoshi Nakamoto
• 2011-2013: Popular for buying illegal goods
– E.g., Silk Road anonymous marketplace
• End of 2013: Market price skyrockets and the world notices
Main difference with eCash:
Page 5: The Bitcoin Revolution
• Problems of earlier eCash systems
– Need a trusted center (money does not circulate)
– High transaction fees
• Solutions in the Bitcoin ecosystem
– Decentralized system (money circulates)
– Variable transaction fees
Page 6: Bitcoin's Success
• Probably one of the most discussed cryptographic technologies ever!
(Figure: chart comparing the terms Bitcoin, Snowden, Encryption)
Page 7: No Trusted Servers!
• Nobody controls the money
– The amount of money that will ever be created is fixed to around 21 million Bitcoin (no inflation)
(Figure: the exchange rate fluctuates)
Page 8: Next Block Halving
Page 9: Really No Trusted Server?
• The client software is written by people who are in charge of changing the system
• The software contains so-called checkpoints (more on this later)
• Popular clients:
The people behind the software are not anonymous
Page 10: Bitcoin in Context
• Bitcoin
– Protocol
– Client software
– Data (blockchain)
• Bitcoin Ecosystem
– Exchanges
– Mining pools
– Remote wallets
• Financial Sector
– Banks
– Funds
– Regulators
– Treasury
• Real Economy
– Agents
– Goods
– Markets (legal/illegal)
– Externalities
Page 11: Updates?
• How to update the protocol if there is no governing body?
• Updates take the form of Bitcoin Improvement Proposals (BIPs)
• The Bitcoin community votes on BIPs
– Weight of votes proportional to computing power
– Voting process organised centrally (via a forum)
Page 12: Bitcoin ≈ Real Money?
• Bitcoin's value comes from the fact that: "People expect that other people will accept it in the future."
Enthusiasts: It's like real money
Sceptics: It's a "Ponzi scheme"
Page 13: Some Economists Are More Positive
• Billions of VC funding; many major banks and companies are interested
"While these types of innovations may pose risks related to law enforcement and supervisory matters, there are also areas in which they may hold long-term promise, particularly if the innovations promote a faster, more secure and more efficient payment system." (Ben Bernanke)
Page 14: Why Did Bitcoin Become So Popular?
• Ideological reasons
– Crypto anarchy (nobody controls the money)
• Good timing due to the financial crisis in 2008
– No money printing in Bitcoin
• Trading of illegal goods due to seeming anonymity (pseudonymity)
• Payments can be cheap
– Almost no fees for a long time (PayPal 2-10%)
• Novel technology for distributed systems
Page 15: Illegal Market Places
• What is sold?
• Mostly non-professional sellers
– Most items only listed for a few days
• Value of all markets: 600,000 USD per day

| Category | # of items | % of total |
|---|---|---|
| Weed | 3338 | 13.7 |
| Prescriptions | 1784 | 7.3 |
| Books | 955 | 3.9 |
| Cannabis | 877 | 3.6 |
| Cocaine | 630 | 2.6 |
| LSD | 440 | 1.8 |
Page 16: Downsides of Decentralization
• There are no regulators
– MtGox (handling 70% of all Bitcoin transactions) shut down in Feb 2014, reporting 850,000 BTC (450 million USD) stolen
• Transactions cannot be reversed
– But see a later lecture for alternatives
• Software bugs are immediately exploited, as hackers can make money
– Ransomware
– Viruses stealing bitcoins
Page 17: Bitcoin's Design Principles
Page 18: Double-spending
• The main problem with digital money is that it is much easier to copy than real money
– Bits are easier to copy than paper
(Figure: coin #16fab13fc6890)
Page 19: Bitcoin's Idea (Simplified)
• The users emulate a public bulletin-board containing a list of transactions
– A transaction is of the form: «User $P_1$ transfers a coin #16fab13fc6890 to user $P_2$»
(Figure: coin #16fab13fc6890; "You have already spent this!")
Page 20: Trusted Bulletin-Board Emulation
(Figure: Ideal World vs. Real World)
Main difficulty: some parties can cheat!
Page 21: An Idea
• Assume honest majority and implement the bulletin-board by voting
– Every transaction is broadcast

| Transaction id | Value |
|---|---|
| ddbs21239864k… | 0.084 BTC |
| edd98763hn3nr… | 1.2 BTC |
| mkk8765g4g2j3… | 0.036 BTC |

(Figure: parties vote YES / NO / YES / NO on "Is this the correct bulletin-board?")
In cryptocurrencies this is called the consensus protocol
Page 22: How to Implement Consensus?
• A very well-studied problem in distributed computing
• Idea: Use techniques from MPC
– Agreement requires honest majority
– Problem: Sybil attack
– How to define majority in a context where everybody can join the network?
Page 23: Bitcoin's Solution
• Majority = Majority of computing power
• Now creating multiple identities does not help
Page 24: How is this verified?
• Use Proofs of Work (PoW) – Dwork & Naor '92
• Basic idea: Users solve a moderately hard puzzle
• Digital puzzle: Use cryptographic hashing
– Hash function $\mathbf{H}$ with running time $\mathrm{TIME}(\mathbf{H})$
– Solve: Find an input s.t. the output starts with $n$ zeroes
– Verify: Compute the hash
Hard to find a solution, easy to verify
Page 25: Simple PoW
Hash function $\mathbf{H}$ with running time $\mathrm{TIME}(\mathbf{H})$
Challenge: random $x$
Answer: $s$
Solve: find $s$ s.t. $\mathbf{H}(s \| x)$ starts with $n$ zeroes (time $2^n \cdot \mathrm{TIME}(\mathbf{H})$)
Verify: check that $\mathbf{H}(s \| x)$ starts with $n$ zeroes (time $\mathrm{TIME}(\mathbf{H})$)
Page 26: Setup for the Bulletin-Board
• Users maintaining the bulletin-board are called miners
• Miners maintain a chain of blocks:
Block 0 → Block 1 (transactions from period 1) → Block 2 (transactions from period 2) → Block 3 (transactions from period 3)
Block 0 is the genesis block, created by Nakamoto on 03/01/09
Block size < 1 MB ≈ 7 trans./sec
Period ≈ 10 mins
Page 27: Extending the Blockchain
• The chain is extended by using the PoW
• PoW challenge: $\mathbf{H}(\mathrm{Salt} \| \mathbf{H}(\mathrm{Block}_i) \| \mathrm{TX})$ starts with $n$ zeroes (hardness parameter)
(Figure: Block 0 → Block 1 → Block 2; each new block holds its Transactions, the hash $\mathbf{H}$ of the previous block and a Salt)
In Bitcoin $\mathbf{H}$ = SHA-256
Page 28: Adjusting the Hardness Parameter
• The computing power of the miners changes
• Miners should generate a new block every 10 minutes (on average)
• Thus the hardness parameter is periodically adjusted to the mining power
– It happens once every 2016 blocks
– Automatic process, depending on the time it took to generate the last 2016 blocks
– Possible because each block contains a timestamp
Page 29: Hash Rate
• January 2017: 2,550,000 TH/s
• January 2018: 15,000,000 TH/s
• September 2018: 50,000,000 TH/s
Page 30: How it Looks in Real Life

| Height | Timestamp | Transactions | Miner | Size |
|---|---|---|---|---|
| 550168 | 6 minutes ago | 2796 | DPOOL | 1.1 MB |
| 550167 | 11 minutes ago | 2348 | BTC.com | 1.5 MB |
| 550166 | 27 minutes ago | 2227 | … | … |
| 550165 | 44 minutes ago | … | … | … |
| 550164 | 49 minutes ago | … | … | … |
Page 31: How to Post on the Board
• Broadcast your transaction over the internet to the miners
• Hope they will add it to the next block
– Miners are incentivized to do so
• Miners never add invalid transactions (e.g., double-spending)
– A chain with an invalid transaction is itself not valid, so no rational miner would do it
• When a miner finds an extension he broadcasts it to all the users
Page 32: Forks
• The longest chain counts!
(Figure: Block i → Block i+1 → Block i+2 → Block i+3, with a competing Block' i+2 branching off Block i+1; the longer chain is the valid one)
It makes no sense to work on a shorter chain, as everybody else is working on extending the longest one
Page 33: Consequences
• The system should quickly self-stabilize
• If there is a fork, then one branch will die
– What if your transaction ends up in a dead branch?
– Recommendation: To make sure it doesn't happen, wait 6 blocks (≈ 1 hour)
Page 34: Can Transactions be Reversed?
• Requires a fork in the past
– Unlikely with minority computing power
– Honest miners are always ahead of the adversary
Page 35: Attack based on Hardness Parameter
(Figure: the valid chain and a secretly computed alternative chain of 2016 blocks)
1) Secretly compute another chain with fake timestamps (indicating that it took a long time to produce it)
2) The difficulty drops dramatically, so one can quickly produce a chain longer than the valid one and publish it
Page 36: The Strongest Chain
• For this reason, in Bitcoin it is not the longest chain that matters, but rather the strongest
• Strength of each block is $2^n$
• Strength of the chain is the sum of the strengths of all its blocks
– This clearly prevents the previous attack
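The PoW of pages 24-27 and the chain-selection rules of pages 32-36, as an added Python example (not code from the slides): it mines toy blocks with SHA-256, verifies the chain links and each block's PoW, and then shows that a long chain of cheap blocks wins under the longest-chain rule but loses under the strongest-chain rule. The 8-byte salt encoding, the per-block `n` field and the two constructed chains are assumptions of this example.

```python
import hashlib

def H(data: bytes) -> bytes:
    """The slides' hash function H; in Bitcoin H = SHA-256."""
    return hashlib.sha256(data).digest()

def leading_zero_bits(digest: bytes) -> int:
    """How many zero bits the digest starts with ("starts with n zeroes")."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def pow_solve(x: bytes, n: int) -> int:
    """Find s such that H(s || x) starts with n zeroes: about 2^n evaluations of H."""
    s = 0
    while leading_zero_bits(H(s.to_bytes(8, "big") + x)) < n:
        s += 1
    return s

def pow_verify(x: bytes, s: int, n: int) -> bool:
    """Checking a solution costs a single evaluation of H."""
    return leading_zero_bits(H(s.to_bytes(8, "big") + x)) >= n

class Block:
    """Block i+1 holds the transactions TX, the hash of Block i and the Salt such that
    H(Salt || H(Block_i) || TX) starts with n zeroes."""
    def __init__(self, prev_hash: bytes, tx: bytes, n: int, salt: int):
        self.prev_hash, self.tx, self.n, self.salt = prev_hash, tx, n, salt

    def hash(self) -> bytes:
        return H(self.salt.to_bytes(8, "big") + self.prev_hash + self.tx)

def mine(prev_hash: bytes, tx: bytes, n: int) -> Block:
    return Block(prev_hash, tx, n, pow_solve(prev_hash + tx, n))

def build_chain(genesis_hash: bytes, txs, n: int):
    chain, prev = [], genesis_hash
    for tx in txs:
        chain.append(mine(prev, tx, n))
        prev = chain[-1].hash()
    return chain

def verify_chain(chain, genesis_hash: bytes) -> bool:
    """Each block must link to its predecessor and carry a PoW valid for its own n."""
    prev = genesis_hash
    for b in chain:
        if b.prev_hash != prev or not pow_verify(b.prev_hash + b.tx, b.salt, b.n):
            return False
        prev = b.hash()
    return True

def strength(chain) -> int:
    """Strength of a block is 2^n; strength of the chain is the sum over its blocks."""
    return sum(2 ** b.n for b in chain)

def compare_rules():
    """Constructed scenario: 8 cheap blocks (n = 4) against 3 hard blocks (n = 12).
    In Bitcoin n is dictated by the difficulty adjustment, not chosen per block; the
    per-block n here only serves to show why the two chain-selection rules differ."""
    genesis = H(b"genesis")
    honest = build_chain(genesis, [b"period %d" % i for i in range(3)], n=12)
    cheap = build_chain(genesis, [b"fake %d" % i for i in range(8)], n=4)
    assert verify_chain(honest, genesis) and verify_chain(cheap, genesis)
    chains = {"honest": honest, "cheap": cheap}
    return {
        "longest": max(chains, key=lambda name: len(chains[name])),
        "strongest": max(chains, key=lambda name: strength(chains[name])),
        "strength": {name: strength(c) for name, c in chains.items()},
    }

if __name__ == "__main__":
    print(compare_rules())
```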
Page 37: Joining the Network
• How to identify a user? Use a digital signature scheme $(\mathbf{K}, \mathbf{S}, \mathbf{V})$
– Bitcoin uses ECDSA
New user: $(pk, sk) \xleftarrow{\$} \mathbf{K}$; publish $pk$ and keep $sk$ secret
Every user has his own key pair
Page 38: Digital Signature Standard (DSS)
• Approved by the US government in 1994
– Designed by NIST & NSA
– Originally using SHA-1, but now SHA-2 is recommended
– DSS is the standard and DSA is the algorithm
• A variant of ElGamal PKE
– Security based on the hardness of DL
– Creates a 320-bit signature (vs 1024 bits with RSA)
– Most of the computation is mod a 160-bit prime
Page 39: DSA Key Generation
• Shared global public values $(p, q, \alpha)$
– Prime $p$ of size 1024 bits
– Prime $q$ of size 160 bits (factor of $p - 1$)
• Value $\alpha \in \mathbb{Z}_p^*$ of order $q$
– Pick $g \in \mathbb{Z}_p^*$ and compute $\alpha = g^{(p-1)/q} \bmod p$
– Repeat if $\alpha = 1$
• Each user generates $(a, \beta)$
– Private key $a \xleftarrow{\$} \mathbb{Z}_q$
– Public key $\beta = \alpha^a \bmod p$
Page 40: DSA Signing
• Let $x \in \{0,1\}^*$ be the message to be signed
– Pick random $k \xleftarrow{\$} \mathbb{Z}_q$
– Let $r = (\alpha^k \bmod p) \bmod q$
– Let $s = (\mathbf{SHA2}(x) + a \cdot r) \cdot k^{-1} \bmod q$
– Repeat if $r = 0$ or $s = 0$
• Signature is $y = (r, s)$
– Value $k$ should be destroyed and never reused
Page 41: Signature Verification
• Given message $x$ and signature $y = (r, s)$
– Compute $u = s^{-1} \cdot \mathbf{SHA2}(x) \bmod q$
– Compute $t = s^{-1} \cdot r \bmod q$
– Let $v = (\alpha^u \beta^t \bmod p) \bmod q$
• Accept iff $v = r$
• Correctness: $v = (\alpha^{u + at} \bmod p) \bmod q = (\alpha^{s^{-1}(\mathbf{SHA2}(x) + ar)} \bmod p) \bmod q = (\alpha^{s^{-1} k s} \bmod p) \bmod q = r \bmod q$
Page 42: Remarks on DSA
• Important to check $r, s \neq 0$
– If $r = 0$, then $s = \mathbf{SHA2}(x) \cdot k^{-1} \bmod q$ is independent of the secret key $a$
– If $s = 0$, then $s^{-1} \bmod q$ cannot be computed
– Both events very unlikely (probability $\approx 2^{-160}$)
• Operations on both sides are performed mod $q$; only one operation is performed mod $p$
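DSA key generation, signing and verification as written on pages 39-42, as an added Python example (not code from the slides). It follows the slides' symbols $(p, q, \alpha)$, $(a, \beta)$, $k$, $(r, s)$, $u$, $t$, $v$ and enforces the $r, s \neq 0$ checks; the parameter sizes are an assumption of this example (a 24-bit $q$ found by trial division, instead of the standard's 160-bit $q$ and 1024-bit $p$), and the digest is reduced mod $q$ rather than truncated.

```python
import hashlib
import secrets

def _is_prime(n: int) -> bool:
    """Trial division: enough for the toy-sized parameters generated below."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def dsa_params(q_bits: int = 24):
    """Shared global values (p, q, alpha): primes with q | p-1, alpha of order q in Z_p^*.
    Toy sizes (assumption of this example); the standard uses 1024-bit p and 160-bit q."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1   # odd, exactly q_bits long
        if _is_prime(q):
            break
    k = 2
    while not _is_prime(k * q + 1):           # search p = k*q + 1, so q divides p - 1
        k += 2                                 # k even keeps p odd
    p = k * q + 1
    while True:
        g = 2 + secrets.randbelow(p - 3)       # g in Z_p^*, g != 1
        alpha = pow(g, (p - 1) // q, p)        # has order q unless it equals 1
        if alpha != 1:
            return p, q, alpha

def keygen(params):
    """Each user generates (a, beta): private a in Z_q, public beta = alpha^a mod p."""
    p, q, alpha = params
    a = 1 + secrets.randbelow(q - 1)
    return a, pow(alpha, a, p)

def sha2_mod_q(x: bytes, q: int) -> int:
    """SHA2(x) as an integer in Z_q (the standard truncates to |q| bits instead)."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % q

def sign(params, a: int, x: bytes):
    p, q, alpha = params
    while True:
        k = 1 + secrets.randbelow(q - 1)                   # fresh random nonce per signature
        r = pow(alpha, k, p) % q
        s = (sha2_mod_q(x, q) + a * r) * pow(k, -1, q) % q
        if r != 0 and s != 0:                              # the checks from "Remarks on DSA"
            return r, s                                    # k is dropped here, never reused

def verify(params, beta: int, x: bytes, sig) -> bool:
    p, q, alpha = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):                      # rejects r = 0 / s = 0 outright
        return False
    w = pow(s, -1, q)
    u = w * sha2_mod_q(x, q) % q
    t = w * r % q
    v = (pow(alpha, u, p) * pow(beta, t, p) % p) % q
    return v == r

def demo():
    """Sign a transaction-like message and check that verification rejects a tampered one."""
    params = dsa_params()
    a, beta = keygen(params)
    x = b"User P1 sends 25 BTC from T1 to P2"
    y = sign(params, a, x)
    return {"valid": verify(params, beta, x, y),
            "tampered": verify(params, beta, x + b" and 25 more", y)}

if __name__ == "__main__":
    print(demo())
```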
Page 43: Elliptic Curve DSA (ECDSA)
• Variant of DSA using elliptic curve groups
• Signature is 320 bits
• All operations are mod a 160-bit prime (or slightly more)
– Minimum size 163 or 192 bits
• Security depends on the hardness of solving DL in an elliptic curve group
Page 44: Validating Blockchains
• What is needed in order to decide which blockchain is valid?
• One needs to know:
– The initial rules of the game
– The genesis block
• Given many candidates, pick the one that:
– Verifies correctly
– Is the longest (i.e., the strongest)
• Verification can take several hours (blockchain size ≈ 185 GB as of September 2018)
Page 45: Checkpoints
• Old block hashes hardcoded into the Bitcoin software
• In theory: Not needed
• Goes against the decentralized spirit of Bitcoin
• But useful in practice:
– Prevent some DoS attacks (flooding nodes with unusable chains)
– Prevent attacks involving isolating nodes and providing them with fake chains
– Optimization for the initial blockchain download
Page 46: Protocol Updates
• The Bitcoin protocol can be updated
• Proposals can be submitted to the Bitcoin foundation in the form of Bitcoin Improvement Proposals (BIPs)
• Only the miners can vote
– Votes included in the minted blocks
– Currently, need 75% approval, which roughly corresponds to 75% of computing power
Page 47: Summary of Main Features
• Extending the blockchain is computationally hard
• Once a miner finds an extension he broadcasts the new block to everybody
• Users will always accept the longest chain as the valid one
– In practice it is a bit more complex
• How are the miners incentivized to follow these rules?
– Short answer: They are paid in bitcoins!
Page 48: Where Do These Bitcoins Come From?
• A miner that solves the PoW gets a reward
– 50 BTC for the first 210000 blocks (≈ 4 years)
– 25 BTC for the next 210000 blocks
– 12.5 BTC for the next 210000 blocks
– … and so on
• Note that: $210000 \cdot (50 + 25 + 12.5 + \cdots) = 21000000$
Page 49: More in Detail…
• Each block contains a transaction that transfers the reward to the miner
– A so-called coinbase transaction
• Advantages:
– It provides an incentive to be a miner
– It makes miners interested in broadcasting the new block asap
Page 50: An Important Feature
• Assuming everybody follows the protocol, the following invariant is maintained: fraction of computing power ≈ fraction of revenue
• This is because $P_i$'s chances of solving the PoW are proportional to the number of times $P_i$ can evaluate the hash function
Every miner $P_i$ whose computing power is an $\alpha_i$-fraction of the total computing power mines an $\alpha_i$-fraction of the blocks
Page 51: Freshness of the Genesis Block
(Figure: the genesis block, with the claim "I did not know the genesis block before Bitcoin was launched (Jan 3, 2009)")
Here is a heuristic proof: «The genesis block contains a hash of a title from a front page of the London Times on Jan 3, 2009.»
Page 52: Why Does it Matter?
• Otherwise Satoshi could «pre-mine»:
1) Secretly start mining in 1980 and produce a very strong chain
2) Honest miners start working on Jan 3, 2009; since they have less time, after 1 year their chain is still weaker
3) On Jan 3, 2010 publish the secret chain
Page 53: Bitcoin's Money Mechanics
• Bitcoin is transaction based
• Technically there is no notion of coin
• Users $P_7$ and $P_8$ hold 5 BTC, whereas user $P_9$ holds 40 BTC
(Figure: transaction graph, ordered by TIME)
25 BTC created by $P_1$ → 25 BTC sent to $P_2$ → 5 BTC sent to $P_3$, 5 BTC sent to $P_4$, 15 BTC sent to $P_5$
25 BTC created by $P_6$
15 BTC from $P_5$ + 25 BTC from $P_6$ sent to $P_9$
5 BTC sent to $P_7$, 5 BTC sent to $P_8$
Page 54: Syntax of Transactions (Simplified)
$T_1$ = "User $P_1$ creates 25 BTC" (created during the mining process)
$T_2$ = "User $P_1$ sends 25 BTC from $T_1$ to $P_2$", signature of $P_1$ on $T_2$
$T_3$ = "User $P_2$ sends 25 BTC from $T_2$ to $P_3$", signature of $P_2$ on $T_3$
(Figure: $P_1$ → $P_2$ → $P_3$)
We say $T_3$ redeems $T_2$
Multiple Output Transactions
𝑇2 = [User 𝑃1 sends 10 BTC from 𝑇1 to 𝑃2; User 𝑃1 sends 8 BTC from 𝑇1 to 𝑃3; User 𝑃1 sends 7 BTC from 𝑇1 to 𝑃4; Signature of 𝑃1 on 𝑇2]
[Figure: 𝑃1 pays 10 BTC to 𝑃2, 8 BTC to 𝑃3 and 7 BTC to 𝑃4 in a single transaction]
Multiple Input Transactions
𝑇4 = [User 𝑃2 sends 10 BTC from 𝑇3 to 𝑃1; User 𝑃3 sends 8 BTC from 𝑇3 to 𝑃1; User 𝑃4 sends 7 BTC from 𝑇3 to 𝑃1; Signature of 𝑃2 on 𝑇4; Signature of 𝑃3 on 𝑇4; Signature of 𝑃4 on 𝑇4]
[Figure: 𝑃2, 𝑃3 and 𝑃4 pay 10, 8 and 7 BTC to 𝑃1 in a single transaction]
All signatures need to be valid
Time Locks
𝑇2 = [User 𝑃1 sends 25 BTC from 𝑇1 to 𝑃2 if time 𝑡 has passed; Signature of 𝑃1 on 𝑇2]
Transaction specifies time 𝑡 after which it is considered valid
Measured in blocks or real time
Generalizations
• All these features can be combined
• The total value of incoming transactions can be larger than the total value of outgoing transactions
  – The difference is called the fee
  – Goes to the miner
• The conditions for redeeming a transaction can be more general (the so-called smart contracts)
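An added example, not the lecture's code, that puts the transaction rules above together: a simplified transaction syntax with multiple inputs and outputs, one signature per input, a block-height time lock, and the fee as the difference between inputs and outputs. Signatures are a hash-based stand-in because the standard library has no ECDSA, and the user names and amounts are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    to: str        # user who may redeem this output
    value: int     # BTC, kept as an integer to avoid rounding


@dataclass(frozen=True)
class Input:
    txid: str      # transaction whose output is redeemed
    index: int     # which output of that transaction
    signature: str


@dataclass
class Tx:
    inputs: list
    outputs: list
    locktime: int = 0   # block height after which the tx is valid (0 = none)

    def body(self) -> bytes:
        """The signed part: everything except the signatures."""
        ins = ",".join(f"{i.txid}:{i.index}" for i in self.inputs)
        outs = ",".join(f"{o.to}={o.value}" for o in self.outputs)
        return f"{ins}|{outs}|{self.locktime}".encode()

    @property
    def txid(self) -> str:
        return hashlib.sha256(self.body()).hexdigest()


# Stand-in signature: H(secret key of user || body). Bitcoin uses ECDSA;
# this keeps the example self-contained.
def secret_key(user: str) -> bytes:
    return hashlib.sha256(b"constructed-secret-" + user.encode()).digest()


def sign(user: str, tx: Tx) -> str:
    return hashlib.sha256(secret_key(user) + tx.body()).hexdigest()


def verify_sig(user: str, tx: Tx, sig: str) -> bool:
    return sig == sign(user, tx)


def validate(tx: Tx, utxo: dict, height: int, reward: int = 25) -> int:
    """Check tx against the unspent outputs utxo = {(txid, index): Output}
    at block `height`; on success spend its inputs, add its outputs and
    return the fee, otherwise raise ValueError."""
    if tx.locktime and height < tx.locktime:
        raise ValueError(f"time lock {tx.locktime} has not passed at height {height}")
    total_in = 0
    if not tx.inputs:                       # coinbase: created during mining
        total_in = reward
    for inp in tx.inputs:
        key = (inp.txid, inp.index)
        if key not in utxo:
            raise ValueError(f"input {key} is not an unspent output")
        prev = utxo[key]
        # each input must be signed by the owner of the output it redeems
        if not verify_sig(prev.to, tx, inp.signature):
            raise ValueError(f"bad signature of {prev.to} on input {key}")
        total_in += prev.value
    total_out = sum(o.value for o in tx.outputs)
    if any(o.value <= 0 for o in tx.outputs) or total_out > total_in:
        raise ValueError(f"outputs ({total_out} BTC) exceed inputs ({total_in} BTC)")
    for inp in tx.inputs:                   # an output can be redeemed only once
        del utxo[(inp.txid, inp.index)]
    for i, out in enumerate(tx.outputs):
        utxo[(tx.txid, i)] = out
    return total_in - total_out             # the fee; it goes to the miner


def make_tx(signers, inputs, outputs, locktime=0) -> Tx:
    """Build a tx and attach one signature per input (signers[i] signs input i)."""
    tx = Tx([Input(t, i, "") for t, i in inputs], outputs, locktime)
    tx.inputs = [Input(t, i, sign(u, tx)) for (t, i), u in zip(inputs, signers)]
    return tx


def demo():
    """Constructed chain of transactions mirroring the slides."""
    utxo = {}
    t1 = Tx([], [Output("P1", 25)])        # P1 creates 25 BTC (coinbase)
    validate(t1, utxo, height=1)
    # multiple outputs: P1 pays P2, P3 and P4 and leaves 1 BTC as fee
    t2 = make_tx(["P1"], [(t1.txid, 0)],
                 [Output("P2", 10), Output("P3", 8), Output("P4", 6)])
    fee = validate(t2, utxo, height=2)
    # multiple inputs, each signed by its owner, time-locked to height 10
    t3 = make_tx(["P2", "P3"], [(t2.txid, 0), (t2.txid, 1)],
                 [Output("P5", 18)], locktime=10)
    return fee, t2, t3, utxo
```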
Block Structure in More Detail
[Figure: a block consists of a header and the transactions 𝑇𝑋1 … 𝑇𝑋8; the header holds the previous block’s hash (Prevhash), a salt and the root hash 𝐇 of the Merkle tree over the transactions: leaves 𝐇(𝑇𝑋1) … 𝐇(𝑇𝑋8), inner nodes ℎ00, ℎ01, ℎ10, ℎ11, then ℎ0, ℎ1, then the root]
How to Verify Merkle Trees
[Figure: the same Merkle tree; to prove that TX is in the block one supplies the hashes of the siblings along the path from 𝐇(TX) to the Root, and the verifier recomputes the path up to the Root]
Proofs are log(depth) and verification requires log(depth) time
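As an added example (not code from the lecture), a Merkle root, inclusion proof and verifier in Python, following Bitcoin's convention of double SHA-256 and pairing an odd last node with itself; the proof holds one sibling hash per level, so its length is the tree depth, i.e. log2 of the number of transactions, and a light client needs only the root to check it.

```python
import hashlib


def H(data: bytes) -> bytes:
    """Bitcoin-style node hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _pad(level):
    """An odd number of nodes: the last one is paired with itself."""
    return level + [level[-1]] if len(level) % 2 else level


def merkle_levels(txs):
    """All levels bottom-up: [leaves, ..., [root]]."""
    level = [H(tx) for tx in txs]
    levels = [level]
    while len(level) > 1:
        level = _pad(level)
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(txs) -> bytes:
    return merkle_levels(txs)[-1][0]


def merkle_proof(txs, index):
    """Sibling hashes from the leaf to the root, each tagged with the side
    it sits on ("L" or "R") so the verifier knows the concatenation order."""
    proof = []
    for level in merkle_levels(txs)[:-1]:
        level = _pad(level)
        sibling = index ^ 1
        proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof


def verify_proof(tx: bytes, proof, root: bytes) -> bool:
    """Recompute the path to the root; only the proof and the root are needed,
    never the other transactions of the block."""
    h = H(tx)
    for side, sib in proof:
        h = H(sib + h) if side == "L" else H(h + sib)
    return h == root


# constructed block contents
TXS = [f"TX{i}".encode() for i in range(1, 9)]
```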
Why Merkle Trees?
• Merkle root always of the same small size
  – Easily transmittable for pooled mining
  – Simplifies writing hashing algorithms in hardware
• Light clients
  – No need to process the entire block
• Pruning of old spent transactions
  – Old transactions are not needed in order to verify the validity of the blockchain
Mining Pools and Attacks
Solo Mining
• Variance of income too high for solo miners
• Here is a rough estimate:
  40,000,000 THash/s / 14 THash/s ≈ 2857142 ≈ 54.4 ∙ (365 ∙ 24 ∙ 6)
  (40,000,000 THash/s: total hash rate as of Nov. 2018; 14 THash/s: one ASIC, Antminer S9, 3,000 USD; 365 ∙ 24 ∙ 6: blocks mined per year, one every 10 minutes)
• Waiting time for mining a block ≈ 50 years
Mining Pools
• Miners create cartels called mining pools
• Mining pools are either operated centrally or in a peer-to-peer fashion
• Some of the pools charge fees for their service
  – E.g., if the operator gets 25 BTC for mining, then it will share 25 − 𝜑 BTC (where 𝜑 is the fee)
• Expected revenue is lower on average, but variance is significantly smaller
  – Tricky bit: How to prevent cheating? How to reward the miners?
Biggest Mining Pools
[Figure: share of the total hash rate held by the biggest mining pools, as of July 13, 2017]
How to Design a Mining Pool?
[Figure: Miner ↔ Mining Pool Operator]
  Operator → Miner: a transaction 𝑇𝑖 and a hash 𝐇(𝐵𝑖); 𝑇𝑖 includes a coinbase transaction transferring money to the operator’s 𝑝𝑘
  Miner: tries to find 𝑠𝑖 such that 𝐇(𝑠𝑖, 𝐇(𝐵𝑖), 𝑇𝑖) starts with 𝑛 zeroes (𝑛 = current hardness parameter)
  Miner → Operator: nonce 𝑠𝑖
Once a nonce is found by one of the pool members, each of them is rewarded proportionally to his work
But how to verify how much work a miner did?
Proportional Method
[Figure: Miner ↔ Mining Pool Operator]
  Operator → Miner: a transaction 𝑇𝑖 and a hash 𝐇(𝐵𝑖); 𝑛 = current hardness parameter; the coinbase pays the operator’s 𝑝𝑘
  Miner: tries to find 𝑠𝑖 such that 𝐇(𝑠𝑖, 𝐇(𝐵𝑖), 𝑇𝑖) starts with 𝑛 zeroes
  Miner → Operator: nonce 𝑠𝑖, but also submit partial solutions, i.e. values 𝑠𝑖′ such that 𝐇(𝑠𝑖′, 𝐇(𝐵𝑖), 𝑇𝑖) starts with 𝑛′ ≪ 𝑛 zeroes
Amount of work measured in # of partial solutions
Probability of Success
[Figure: three pool members with proportions 𝛼1, 𝛼2, 𝛼3 of the computing power submit shares over time; the number of shares each submits is ≈ proportional to 𝛼1, 𝛼2, 𝛼3 respectively]
• Probability of the pool winning is 𝛼1 + 𝛼2 + 𝛼3
• Reward for Alice: BTC 25 ∙ 𝛼1 / (𝛼1 + 𝛼2 + 𝛼3)
• Expected reward: BTC 25 ∙ 𝛼1
Pool Hopping
• What if miners change pool?
  – Expected revenue is 𝛼𝑖 (from the new pool)
  – Plus the revenue from the old pool (small extra)
• It is profitable to escape from pools with lots of share holders
  – Because such pools have too many «mouths to feed»
Slush’s Method
• Solution: Use a scoring function that assigns to each share a score 𝜎
• Then assign rewards proportionally to the score 𝜎
• Slush’s scoring function: 𝜎 = 𝑒^(𝑇/𝑐)
  – 𝑇: time since beginning of this round
  – 𝑐: some constant
• Intuitively this gives advantage to miners who joined late
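An added example, not the lecture's or any pool's code: the operator's check of a partial solution (a nonce whose hash starts with 𝑛′ zero bits) and the two payout rules just described, proportional and Slush's 𝑒^(𝑇/𝑐), applied to a constructed round in which one member hops out halfway. The share difficulty 𝑛′ = 8, the constant 𝑐 and the miners' names are assumptions.

```python
import hashlib
import math


def pow_hash(nonce: int, block_hash: bytes, tx: bytes) -> bytes:
    """H(s_i, H(B_i), T_i) from the slides, instantiated with SHA-256."""
    return hashlib.sha256(nonce.to_bytes(8, "big") + block_hash + tx).digest()


def leading_zero_bits(h: bytes) -> int:
    return 256 - int.from_bytes(h, "big").bit_length()


def is_share(nonce: int, block_hash: bytes, tx: bytes, n_prime: int) -> bool:
    """Operator-side check of a partial solution: at least n' leading zero bits.
    A full block needs n >> n' zero bits and is checked the same way."""
    return leading_zero_bits(pow_hash(nonce, block_hash, tx)) >= n_prime


def find_shares(block_hash: bytes, tx: bytes, n_prime: int, start: int, count: int):
    """Miner-side loop: scan nonces from `start` and return the first `count` shares."""
    found, nonce = [], start
    while len(found) < count:
        if is_share(nonce, block_hash, tx, n_prime):
            found.append(nonce)
        nonce += 1
    return found


def proportional_payout(shares, reward=25.0, fee=0.0):
    """shares = [(miner, T)], T = seconds since the round started. Every share
    weighs the same, so a member who submitted an alpha-fraction of the
    pool's shares gets an alpha-fraction of (reward - fee)."""
    count = {}
    for miner, _ in shares:
        count[miner] = count.get(miner, 0) + 1
    total = sum(count.values())
    return {m: (reward - fee) * k / total for m, k in count.items()}


def slush_payout(shares, c, reward=25.0, fee=0.0):
    """Slush's scoring: a share submitted at time T scores sigma = e^(T/c),
    so shares submitted late in the round are worth more."""
    score = {}
    for miner, t in shares:
        score[miner] = score.get(miner, 0.0) + math.exp(t / c)
    total = sum(score.values())
    return {m: (reward - fee) * s / total for m, s in score.items()}


# Constructed round (assumption): one share every 10 s; Alice stays for the
# whole 100 s round, Hopper leaves after 50 s to join another pool.
ROUND = [("alice", t) for t in range(0, 100, 10)] + [("hopper", t) for t in range(0, 50, 10)]
BLOCK_HASH = hashlib.sha256(b"constructed previous block").digest()
TX = b"constructed coinbase paying the pool operator"
```

Under the proportional rule Hopper still collects a third of the round for half the work, which is exactly the pool-hopping incentive; under Slush's scoring the early shares are nearly worthless and the hopper's payout collapses.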
Other Methods
• Pay-per-share: Operator pays for each partial solution, no matter if he mined the block
  – Risky for operator (leading to higher fees)
• Score-based: Geometric method, double geometric method…
• See also:
  – Meni Rosenfeld, Analysis of Bitcoin Pooled Mining Reward Systems, 2011
Security of Mining Pools
• Typically assume the operator is honest
– Because he has reputation
• Miners are instead untrusted
• We will describe two attacks:
– Sabotage attack
– Lie-in-wait attack
• Both attacks are based on withholding certain blocks
– Similar to selfish-mining attack (see later)
Sabotage Attack
• Based on submitting only partial solutions
  – Pool loses money
  – Dishonest miner does not earn anything (actually it loses a little bit)
• Ultimate goal: Make the pool go bankrupt
  – E.g., because it is a competing pool
  – Mining pool Eligius lost 300 BTC back in 2014
[Figure: the Miner sends partial solutions to the Mining Pool Operator and receives the reward; the complete solution is withheld]
Lie-in-Wait Attack
• Once a solution is found (say for 𝑃2)
  – Wait before submitting it and mine for 𝑃2 only
  – Send it to 𝑃2 after some time
• Intuition is that this is profitable because 𝑃2 is a very likely winner
[Figure: the miner mines for several pools, 𝑃1, 𝑃2 and 𝑃3, devoting 1/3 of his computing power to each]
Peer-to-Peer Mining
• General idea: Miners create a blockchain with hardness parameter 𝑛′ ≪ 𝑛 on top of the last block
  – Every 𝐵𝑖𝑗 is a valid extension of 𝐵𝑖 (hardness 𝑛′)
  – Requires using other fields in the block
• Parameter 𝑛′ chosen in such a way that new blocks appear often (say every 30 sec)
[Figure: Block 𝐵𝑖 → Block 𝐵𝑖1 → Block 𝐵𝑖2 → Block 𝐵𝑖3]
How to Do it
[Figure: the chain of blocks built on top of 𝐵𝑖, each hashed with 𝐇(∙)]
  𝐵𝑖1: nonce, 𝐇(𝐵𝑖), trans.
  𝐵𝑖2: nonce, 𝐇(𝐵𝑖), trans., 𝐇(𝐵𝑖1)
  𝐵𝑖3: nonce, 𝐇(𝐵𝑖), trans., 𝐇(𝐵𝑖2)
• The blocks contain extra space that can be used to store the hash values 𝐇(𝐵𝑖𝑗)
Reward
• Block 𝐵𝑖𝑘 enters the main blockchain as 𝐵𝑖+1
• Reward can be computed using some formula
• Each miner is incentivized to behave nicely
[Figure: Block 𝐵𝑖 → Block 𝐵𝑖1 (mined by 𝑃1) → Block 𝐵𝑖2 (mined by 𝑃2, includes a payment to 𝑃1) → … → 𝐵𝑖𝑘 = 𝐵𝑖+1 (mined by 𝑃𝑘, ends with 𝑛 zeroes, includes a payment to 𝑃1, …, 𝑃𝑘−1)]
Possible Attack Goals
• Double spending
• Get more money than you should
• Short selling
  – Bet that the price of BTC will drop and then destroy the system (i.e., make the price of BTC go to zero)
• Someone (government?) interested in shutting Bitcoin down
The 51% Attack
• An adversary controlling a majority of the computational power cannot
  – Steal money from earlier transactions (requires forging a signature)
  – Generate money without effort (still needs to solve PoW)
• However such an adversary can
  – Fork the chain and double spend
  – Reject all other miners’ blocks
  – Exclude certain transactions
Programming Errors
• Block 74638 (Aug 2010) contained a transaction with 2 outputs summing to over 184 billion BTC
– Integer overflow in Bitcoin software
– Solved by software update + manual fork
• Fork at block 225430 caused by an error in the software update
– Solved by reverting to older version
• Moral: Nothing can be fully decentralized
– Sometimes human intervention is needed
Transaction Malleability
• Transactions are identified by their hashes
• One can change TxId by mauling a signature
– In ECDSA if 𝜎 = (𝑟, 𝑠) is a valid signature of message 𝑚, so is 𝜎′ = (𝑟, −𝑠)
𝑇2 = [User 𝑃1 sends 1 BTC from 𝑇1 to 𝑃2; Signature of 𝑃1 on 𝑇2]
TxId = 𝐇(𝑇2)   (the hash covers the whole transaction, signature included)
How to Exploit Malleability
• As a result TxId changes!
• Often not a problem as semantically nothing changed
• Problematic for Bitcoin contracts
[Figure: the transaction with the mauled signature is what reaches the miners]
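An added example, not the lecture's or Bitcoin Core's code: textbook ECDSA over secp256k1 in pure Python, showing that (𝑟, −𝑠 mod 𝑛) verifies for the same message and therefore gives the same transaction a different TxId, together with the low-s canonical-form check (proposed in BIP 62 and enforced by Bitcoin Core as a standardness rule) with which a node accepts only one of the two encodings. The private key, nonce and transaction body are constructed values, and the serialization is not Bitcoin's.

```python
import hashlib

# secp256k1 domain parameters (field prime, group order, generator)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def sign(d, msg, k):
    """Textbook ECDSA. The nonce k is a parameter only so the example is
    reproducible; real signers derive it per RFC 6979 or from a CSPRNG."""
    z = int.from_bytes(sha256d(msg), "big") % N
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return r, s


def verify(Q, msg, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(sha256d(msg), "big") % N
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r


def maul(sig):
    """The slide's observation: if (r, s) is valid, so is (r, -s mod N)."""
    r, s = sig
    return r, N - s


def is_low_s(sig) -> bool:
    """Canonical form: s <= N/2. Since N is odd, exactly one of s and N - s
    satisfies this, so a node enforcing it accepts a single encoding."""
    return sig[1] <= N // 2


def txid(body: bytes, sig) -> str:
    """TxId = H(transaction including its signature), as on the slide."""
    r, s = sig
    return sha256d(body + r.to_bytes(32, "big") + s.to_bytes(32, "big")).hex()


# Constructed values: P1's private key, the unsigned transaction, a fixed nonce
D_P1 = 0x1F2E3D4C5B6A79788796A5B4C3D2E1F00102030405060708090A0B0C0D0E0F10
Q_P1 = ec_mul(D_P1, G)
BODY = b"User P1 sends 1 BTC from T1 to P2"
K_DEMO = 0x0A1B2C3D4E5F60718293A4B5C6D7E8F90112233445566778899AABBCCDDEEFF1


def demo():
    sig = sign(D_P1, BODY, K_DEMO)
    mauled = maul(sig)
    return {
        "original_valid": verify(Q_P1, BODY, sig),
        "mauled_valid": verify(Q_P1, BODY, mauled),
        "txid_changed": txid(BODY, sig) != txid(BODY, mauled),
        "low_s_rejects_one": is_low_s(sig) != is_low_s(mauled),
    }
```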
Claimed Attack on MtGox
• MtGox cannot see the transaction with TxId 𝐇(𝑇) in the blockchain
  – As if the transaction did not happen
  – Double spending possible
• Decker-Wattenhofer 14: This is probably not true
[Figure: 𝐴 deposits 1 BTC and then withdraws 1 BTC; the withdrawal transaction "MtGox pays 1 BTC to 𝐴" is mauled before it ends up in one of the blocks 𝐵𝑖, 𝐵𝑖+1, 𝐵𝑖+2, 𝐵𝑖+3]
Lack of Anonymity
• Bitcoin only guarantees pseudonymity
• Can sometimes be de-anonymized
  – Meiklejohn et al.: A Fistful of Bitcoins, 2013
[Figure: a transaction with two inputs of 1 BTC each and an output of 1 BTC; heuristic: the two inputs can be linked!]
Hardware Mining
• Evolution of mining habits
  – CPU -> GPU -> FPGA -> ASIC
• Several drawbacks
  – Makes the whole process non-democratic
  – Might be exploited by a very powerful adversary
  – Excludes some applications (e.g., mining as micropayment)
• Advantages
  – Security against botnets, and makes miners interested in long-term stability of the system
  (How long term? Hashrate can go up by 100x in a year)
Risks Associated with Pool Mining
• June 2014: The Ghash.io pool got > 50% of the total hash power
  – What we were promised: A distributed currency independent of the central banks
  – What we got (June 2014): Currency controlled by a single company
• Miners lost control of which blocks they mine
  – Not possible to choose Bitcoin transactions
  – Common belief: 99% of the miners only care about the highest possible block reward
How to Break Bitcoin?
• Start a number of mining pools with a negative fee
• Wait to get > 50% computational power
• Will the miners join?
  – Well, yes if they only care about block reward
• Is Bitcoin secure?
  – Need to assume that majority behaves honestly even if it has incentives not to do so
  – Maybe the only reason why it is still unbroken is that nobody was really interested in doing it
Majority is not Enough (Selfish Mining)
• Ittay Eyal and Emin G. Sirer: Bitcoin Mining is Vulnerable
• Basic idea: When a new block is found keep it for yourself
• Goal: Make the honest miners waste their effort to mine blocks that will never make it to the blockchain
• The proportion of minted blocks is higher, yielding a revenue greater than the fair share
Bitcoin is not Incentive Compatible
• Recall with the honest strategy every miner with an 𝛼-fraction of computing power gets an 𝛼-fraction of the revenue
• But if there is a strategy that is more beneficial than the honest strategy, miners have an incentive to misbehave
  – The larger 𝛼 the more beneficial the dishonest strategy is
  – Hence miners have incentive to join a large pool that uses this strategy
Simplifying Assumption
• What happens if there is a fork?
• Assume that the adversary is always first
  – E.g., he puts a lot of fake nodes acting as sensors
  – We will remove this assumption later
Bitcoin specification: "From two chains of equal length mine on the one that was received first."
Selfish Mining (Basic Idea)
• Adversary finds new block and keeps it
• Two things can happen:
  – Honest miners find a block: in this case the adversary publishes his own block and loses nothing
  – Adversary finds more blocks: keep them private and publish the chain when the public one equalizes
Towards the Full Attack
• The assumption that the adversary is always first might look unrealistic
• Eyal and Sirer show a modification of the attack that works without this assumption
• Let 𝛾 be the probability that an honest miner will choose to mine on the adversary’s chain
• Assume the adversary controls an 𝛼-fraction of the computing power
  – The other miners hold a (1 − 𝛼)-fraction, for 𝛼 < 1/2
An Observation
• What is the probability that the adversary’s chain is selected?
• Let 𝛿 = 𝛼 + (1 − 𝛼) ∙ 𝛾
[Figure: with probability 𝛼 the adversary extends the chain, so the adversary’s chain gets extended; with probability 1 − 𝛼 an honest miner extends the chain, and then with probability 𝛾 the adversary’s chain gets extended and with probability 1 − 𝛾 the honest chain gets extended]
State Transitions
[Figure: state transitions]
  State 0: initial state (no forks)
  State 0 → State 1 (probability 𝛼): adversary finds a new block
  State 1 → State 2 (probability 𝛼): adversary finds another block
  State 1 → State 0’ (probability 1 − 𝛼): honest miners also find a block; the adversary publishes his chain ASAP
  State 0’ → State 0 (probability 𝛿): adversary’s block wins
  State 0’ → State 0 (probability 1 − 𝛿): honest block wins
Continuing from State 2
[Figure: State 2 → State 3 (probability 𝛼); State 2 → State 0 (probability 1 − 𝛼): the adversary publishes his chain ASAP]
Resulting State Machine
[Figure: states 0, 1, 2, 3, 4, …; forward transitions State 𝑖 → State 𝑖+1 with probability 𝛼; backward transitions with probability 1 − 𝛼 (State 0 → State 0, State 1 → State 0’, State 2 → State 0, State 𝑖 → State 𝑖−1 for 𝑖 ≥ 3); State 0’ → State 0 with probability 1]
Calculating the Revenue
[Figure: the same state machine with the adversary’s gain on each transition: +1 on the backward transitions out of State 2, State 3, State 4, …, and (∗) on the transition State 0’ → State 0]
• Apply theory of Markov chains
  – Stationary distribution: 𝑝0, 𝑝0′, 𝑝1, 𝑝2, …
• Expected Revenue: 𝛿 ∙ 𝑝0′ + 𝛼 ∙ 𝑝1 + 𝛼 ∙ 𝑝2 + ⋯
• (∗) = +1 iff the attacker wins a fork (happens with probability 𝛿)
The Final Result
• Eyal and Sirer show that the expected revenue exceeds that of the honest strategy as long as
  𝛼 > (1 − 𝛾) / (3 − 2𝛾)
[Figure: plot of the threshold on 𝛼 as a function of 𝛾, with ticks 1/4 and 1/3 on the 𝛼 axis and 1/2 and 1 on the 𝛾 axis]
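An added example, not the lecture's code: the state machine above as a Markov chain, with the stationary distribution found numerically by power iteration and the revenue measured, as Eyal and Sirer define it, as the adversary's share of the blocks that reach the main chain; the result is compared with their closed-form formula and with the threshold (1 − 𝛾)/(3 − 2𝛾). Capping the private lead at 80 blocks is an assumption (the probability mass beyond it is negligible for 𝛼 < 1/2).

```python
def transitions(alpha, gamma, max_lead):
    """Per state, a list of (probability, next state, adversary blocks that
    reach the main chain, honest blocks that do). Index 0 is state 0' (a
    fork of length one); index n + 1 is a private lead of n blocks, so
    index 1 is state 0."""
    fork = 0

    def lead(n):
        return n + 1

    t = {}
    # state 0': the fork is resolved; the adversary wins it with
    # probability delta = alpha + (1 - alpha) * gamma
    t[fork] = [(alpha, lead(0), 2, 0),                      # adversary extends his block
               ((1 - alpha) * gamma, lead(0), 1, 1),        # honest miner builds on adversary's block
               ((1 - alpha) * (1 - gamma), lead(0), 0, 2)]  # honest miner builds on honest block
    t[lead(0)] = [(alpha, lead(1), 0, 0), (1 - alpha, lead(0), 0, 1)]
    t[lead(1)] = [(alpha, lead(2), 0, 0), (1 - alpha, fork, 0, 0)]
    t[lead(2)] = [(alpha, lead(3), 0, 0), (1 - alpha, lead(0), 2, 0)]  # publish both, win
    for n in range(3, max_lead + 1):
        up = lead(n + 1) if n < max_lead else lead(n)      # truncation: cap the lead
        t[lead(n)] = [(alpha, up, 0, 0), (1 - alpha, lead(n - 1), 1, 0)]
    return t


def stationary(t, tol=1e-13, max_iter=100_000):
    """Power iteration p <- p * P until the distribution stops changing."""
    n = len(t)
    p = [1.0 / n] * n
    for _ in range(max_iter):
        q = [0.0] * n
        for s, outs in t.items():
            for prob, nxt, _, _ in outs:
                q[nxt] += p[s] * prob
        if max(abs(a - b) for a, b in zip(p, q)) < tol:
            return q
        p = q
    return p


def selfish_revenue(alpha, gamma, max_lead=80):
    """Adversary's expected fraction of main-chain blocks under selfish mining."""
    t = transitions(alpha, gamma, max_lead)
    p = stationary(t)
    adv = sum(p[s] * prob * a for s, outs in t.items() for prob, _, a, _ in outs)
    hon = sum(p[s] * prob * h for s, outs in t.items() for prob, _, _, h in outs)
    return adv / (adv + hon)


def closed_form(alpha, gamma):
    """Eyal and Sirer's formula for the selfish pool's revenue."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    return num / (1 - alpha * (1 + (2 - alpha) * alpha))


def threshold(gamma):
    """Selfish mining pays more than honest mining iff alpha exceeds this."""
    return (1 - gamma) / (3 - 2 * gamma)


if __name__ == "__main__":
    for gamma in (0.0, 0.5, 1.0):
        for alpha in (0.2, 0.25, 1 / 3, 0.4):
            r = selfish_revenue(alpha, gamma)
            print(f"gamma={gamma:.1f} alpha={alpha:.3f}: selfish={r:.4f} honest={alpha:.4f}"
                  f" profitable={r > alpha + 1e-9} (threshold {threshold(gamma):.4f})")
```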
How to Fix it?
• One simple idea is to choose 𝛾 = 1/2
  – This means choosing which fork to mine uniformly at random
• The threshold for 𝛼 moves to ¼
  – This means that with such a modification Bitcoin would be secure as long as a ¾-fraction of computing power is honest
  – Smaller than the believed ½-fraction but better than current reality
Summary of Other Attacks
• Whale transactions
– Make transactions with huge fees
– Incentivizes miners to mine on old blocks
– Accidentally happened in the past
• Flood attack
  – Send a large number of small transactions
– Countermeasure: Increase transactions fees
• Destroy Bitcoins
– Send Bitcoins to unspendable output addresses to burn them