ENEE 457: Computer Systems Security 11/30/16 Lecture 24 Bitcoin and Decentralized Cryptocurrencies Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park


What is Bitcoin?

• Bitcoin is an e-cash system that enables us to move from currency (either paper or digital) based on and regulated by centralized banks to a fully decentralized currency
• Bitcoin is not the first attempt to digitize cash
  • Lots of work on e-cash in the past (beginning with the work of David Chaum)
  • All of that e-cash work uses a centralized party to prevent double-spending
• Bitcoin works because it offers the right incentives
  • If you help maintain the correctness of the system, you will earn some Bitcoins
  • “Help” means offering some of your computational power to verify transactions (more on that later)
• Bitcoin was first described in a seminal paper by the anonymous Satoshi Nakamoto

Interesting properties of Bitcoin

• Transparent
  • All the transactions made by Bitcoin users are recorded in a public ledger
  • See www.blockchain.info
  • Problem with privacy?
• Finite
  • There is an upper bound on the total amount of bitcoins that will ever be spent (there is no Federal Reserve here that can arbitrarily “print Bitcoins”)
  • Simulates the gold standard
• Based on crypto and distributed algorithms
  • Owning money is equivalent to knowing a secret (in particular, the secret key of a digital signature)
  • Making sure that no double spending occurs is based on novel distributed algorithms (consensus)

Other properties of Bitcoin

• Global
  • Can be used to send money all across the world with very small fees (as opposed to fees charged by major banks)
• Also, you can trade Bitcoins for dollars and vice versa
  • To buy and sell Bitcoins, go to https://www.coinbase.com/
  • What do you get when you buy Bitcoins?
• Current price of Bitcoin

Where can I pay with Bitcoin?

History of Bitcoin

• 2009: Satoshi Nakamoto’s paper
• 2009-2011:
  • Price less than 1 dollar
  • Community of enthusiasts
• 2013-today
  • Substantial growth
  • In December 2013, price reached 1000 dollars
  • Media coverage
  • Lots of startups facilitating Bitcoin adoption
  • Venture capitalist investment

Bitcoin price

How does it work?

• Main purpose of banks is to maintain balances correctly
  • E.g., if I send you 10 dollars, the bank needs to subtract 10 dollars from my account and send 10 dollars to your account
  • This is one of the most fundamental bank operations
  • The whole banking system works because we trust the banks to do so correctly
  • Partly for this service, we have to pay all these fees to the banks
• Bitcoin main idea
  • Do away with banks completely and maintain this file of balances in a distributed fashion
• But how do you pump money into this new economy?
  • Pay people in Bitcoins to help maintain this file of balances, called the “ledger”

Bitcoin addresses

• Bitcoin addresses serve as the “account number” in your bank
  • Every individual can have as many Bitcoin addresses as he wants
  • Very easy to create
  • No fees at all for having one
• My Bitcoin address
  • 1Eq8hdVuGGii61QMhppNP5z27832dMwztG
  • It now has 0.01 BTC associated with it
  • Let’s verify that

What is this Bitcoin address?

• If you want to get into Bitcoin
  • You need to generate a (SK, PK) pair
  • Of course, keep your SK secret
• The bitcoin address is an encoding of a hash of PK
  • bitcoin_address = enc(hash(PK))
  • Make your PK available to everybody so that you can receive payments
• Downloading and installing the Coinbase app will take care of all of this so that you are ready to send and accept Bitcoin payments
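
The enc() step of bitcoin_address = enc(hash(PK)) is Base58Check: a version byte, the 20-byte hash and a 4-byte double-SHA-256 checksum, written in base 58. The sketch below is an added example, not code from the lecture; the function names are hypothetical, and PK_HASH is a constructed 20-byte value standing in for hash(PK) (Bitcoin computes RIPEMD-160 of SHA-256 of the public key).

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    # First 4 bytes of SHA-256(SHA-256(payload)).
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def encode_address(pk_hash: bytes, version: int = 0x00) -> str:
    """enc(): Base58Check over version byte + 20-byte hash of PK."""
    if len(pk_hash) != 20:
        raise ValueError("expected a 20-byte public-key hash")
    raw = bytes([version]) + pk_hash
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58[r] + digits
    # Each leading zero byte is written as a literal '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits

def decode_address(addr: str) -> tuple[int, bytes]:
    """Inverse of encode_address; raises ValueError on a typo or corruption."""
    n = 0
    for ch in addr:
        if ch not in B58:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad length or checksum")
    return raw[0], raw[1:-4]

# Constructed stand-in for hash(PK); not derived from a real key.
PK_HASH = hashlib.sha256(b"constructed public key").digest()[:20]

if __name__ == "__main__":
    addr = encode_address(PK_HASH)
    print(addr, decode_address(addr) == (0, PK_HASH))
```

The checksum is why a mistyped address is rejected by wallets instead of silently sending coins to a different hash.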

A simple transaction

• Alice wants to pay 3 Bitcoins to Bob
• Alice owns 3 Bitcoins at address A
• Bob has address B
• To pay Bob, Alice creates a transaction and broadcasts it to the whole network
• The transaction contains
  • Addresses A and B
  • The public key associated with A
  • Amount 3 Bitcoins
  • A digital signature on the message of all the above, created with Alice’s secret key

Blockchain

• There are certain nodes on the network called miners that maintain the correct ledger of transactions
• Miners put transactions into blocks, and broadcast their blocks containing transactions that are consistent
• E.g., a valid block cannot contain the following two transactions
  • A sent x Bitcoins to B (say B had 0 Bitcoins before)
  • B sent 2x Bitcoins to C
• Once a claimed correct block is broadcast, it needs to be verified by other miners before it gets added into the Blockchain
• Eventually, all miners will get to see the same blockchain
• This is the blockchain we see at blockchain.info
• On average, a new block is created every 10 minutes
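
The consistency rule above, as an added example (not code from the lecture): a verifier replays a block against the ledger of balances and rejects the whole block if any transaction spends more than its sender holds at that point. It follows the slides' file-of-balances model, uses hypothetical names, and leaves out the signature check from the previous slide; Bitcoin itself tracks unspent transaction outputs rather than account balances.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    sender: str
    receiver: str
    amount: int  # whole coins, for simplicity

def validate_block(ledger: dict, block: list):
    """Return (True, new_ledger) or (False, reason); ledger is never modified."""
    balances = dict(ledger)  # work on a copy so rejection leaves no trace
    for i, tx in enumerate(block):
        held = balances.get(tx.sender, 0)
        if tx.amount <= 0:
            return False, f"tx {i}: non-positive amount"
        if held < tx.amount:
            return False, f"tx {i}: {tx.sender} spends {tx.amount}, holds {held}"
        balances[tx.sender] = held - tx.amount
        balances[tx.receiver] = balances.get(tx.receiver, 0) + tx.amount
    return True, balances

# Constructed ledger: A holds x = 5 coins, B and C hold nothing.
LEDGER = {"A": 5}
X = 5

# The slide's example: A sends x to B, then B tries to send 2x to C.
OVERSPEND = [Tx("A", "B", X), Tx("B", "C", 2 * X)]
# Classic double spend: A sends the same x coins to both B and C.
DOUBLE_SPEND = [Tx("A", "B", X), Tx("A", "C", X)]
# Consistent block: B forwards exactly what it just received.
VALID = [Tx("A", "B", X), Tx("B", "C", X)]

if __name__ == "__main__":
    for name, block in (("overspend", OVERSPEND),
                        ("double spend", DOUBLE_SPEND),
                        ("valid", VALID)):
        print(name, validate_block(LEDGER, block))
```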

What do miners do?

• Distributed computing consensus
  • N players (malicious and honest) start with input values x_1, x_2, …, x_N and some previously agreed state
  • Goal of the protocol
    • All honest players eventually output one value x_i and the new state' = f(state, x_i)
    • This value must have been generated by an honest node
• This looks quite easy!
  • Is it?

Distributed algorithm to reach consensus

• All players store the initial state and their input x_i
• Pick a player q uniformly at random
• Step 1: The player q sends its input x_q to all other nodes, proposing it as the new extension to state
  • (if the player is honest it sends the same correct inputs to all other nodes, otherwise it can behave arbitrarily)
• Step 2: All honest players verify x_q and compute the new state'
• Theorem (informal): If the majority of players is honest, then eventually the system will reach consensus

Bitcoin consensus

• It is an instantiation of what we described before
  • Players are miners
  • state is the blockchain, containing blocks that contain valid transactions
  • The inputs are the new blocks that are being generated
• So what is the difference?
  • Remember, an important requirement of the consensus protocol is that every time I should pick someone uniformly at random.
  • How do I pick someone uniformly at random in Bitcoin?
  • In particular, how do I pick someone uniformly at random in a distributed fashion?
  • Proofs of Work!!!

How does a miner prepare a block

• A miner receives a bunch of transactions from users
• He checks to see that the transactions he has are valid
• He organizes the transactions into a block b
• Now he is ready to broadcast his block and update the state of the system
• Wait, the theorem says he needs to be chosen at random
• Well, to be eligible for broadcasting, he needs to solve a computational puzzle and submit its solution
• Basically, the computational puzzle requires him to invert a hash

Bitcoin Blocks and Transactions

What is the nonce in each block?

• Each block submitted by a miner has a nonce
• This nonce is the solution to the following puzzle
  • H(nonce || previous_block_hash || hash_current_transactions) < target_value
• The block will be accepted after the above is checked
• The above mechanism serves for choosing some miner at random, making sure the ledger is maintained correctly
• The smaller target_value is, the higher the difficulty of the puzzle
  • Adjusted by the Bitcoin foundation to make sure one block is mined approximately every 10 minutes
• Questions
  • Why would you invest your computational power to prepare blocks?
  • What are the incentives?
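
The puzzle above, as an added example (not code from the lecture): mining is a brute-force search for a nonce, while checking a submitted nonce costs one hash. It follows the slide's formula literally; taking H to be a single SHA-256 and encoding the nonce in 8 bytes are assumptions (Bitcoin hashes an 80-byte block header twice with SHA-256), and the inputs are constructed.

```python
import hashlib

def puzzle_hash(nonce: int, prev_block_hash: bytes, tx_hash: bytes) -> int:
    """H(nonce || previous_block_hash || hash_current_transactions) as an integer."""
    data = nonce.to_bytes(8, "big") + prev_block_hash + tx_hash
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def verify(nonce: int, prev_block_hash: bytes, tx_hash: bytes, target: int) -> bool:
    """What every other miner does on receipt: one hash and one comparison."""
    return puzzle_hash(nonce, prev_block_hash, tx_hash) < target

def mine(prev_block_hash: bytes, tx_hash: bytes, target: int,
         max_tries: int = 1 << 24) -> tuple[int, int]:
    """Brute-force search; returns (smallest valid nonce, hashes computed)."""
    for nonce in range(max_tries):
        if verify(nonce, prev_block_hash, tx_hash, target):
            return nonce, nonce + 1
    raise RuntimeError("no nonce found within max_tries")

# Constructed sample inputs (not real chain data).
PREV = hashlib.sha256(b"constructed previous block").digest()
TXS = hashlib.sha256(b"constructed: A pays B 3 BTC").digest()
EASY = 1 << 248  # hash needs 8 leading zero bits, about 2**8 tries expected
HARD = 1 << 240  # hash needs 16 leading zero bits, about 2**16 tries expected

if __name__ == "__main__":
    for name, target in (("easy", EASY), ("hard", HARD)):
        nonce, tries = mine(PREV, TXS, target)
        print(f"{name}: nonce={nonce} after {tries} hashes")
```

Lowering target_value by 8 bits multiplies the expected mining work by 256 and leaves the verification cost unchanged. Because the transaction hash is part of the input, a nonce found for one set of transactions does not carry over to an altered set.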

Incentives for miners

• Miners help maintain the correct ledger, but there is an incentive
• Every time they mine a block successfully, they collect transaction fees from the transactions they mine
  • E.g., I might have a transaction with inputs address A and 20 bitcoins and outputs address B and 19 bitcoins
  • 1 bitcoin will be the transaction fee for the miner
• You are not required to add transaction fees in your transactions
• But if you do, you are more likely to have your transaction verified
• Is this the only revenue for miners?

How do you put money into the system?

• For every block mined, there is a special transaction called coinbase
• This transaction “creates” money
• E.g., creating a successful block can reward you ~35 Bitcoins
• That is around $9,000 USD
• Concerning the Coinbase transaction
  • Starts at 50 BTC
  • Halves every 210,000 blocks (around 4 years)
  • When it would go to 0, it would not be possible to mine Bitcoins, and around that time almost 21 million Bitcoins will have been produced
  • THIS IS HARDCODED INTO THE BITCOIN SOURCE
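
Why the schedule above ends at almost, not exactly, 21 million: the reward is an integer number of satoshis (1 BTC = 100,000,000 satoshis) and each halving rounds down. The following is an added example, not the Bitcoin source; the function names are hypothetical, and the 50 BTC start and 210,000-block interval are the slide's figures.

```python
COIN = 100_000_000           # satoshis per BTC
HALVING_INTERVAL = 210_000   # blocks between halvings (from the slide)
INITIAL_SUBSIDY = 50 * COIN  # 50 BTC (from the slide)

def block_subsidy(height: int) -> int:
    """Coinbase reward in satoshis for the block at the given height."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:       # guard: the reward is long since zero
        return 0
    return INITIAL_SUBSIDY >> halvings  # integer halving, rounds down

def first_unpaid_height() -> int:
    """Height of the first block whose coinbase creates no new money."""
    era = 0
    while INITIAL_SUBSIDY >> era:
        era += 1
    return era * HALVING_INTERVAL

def total_supply() -> int:
    """Sum of all coinbase rewards ever paid, in satoshis."""
    total = 0
    for start in range(0, first_unpaid_height(), HALVING_INTERVAL):
        total += block_subsidy(start) * HALVING_INTERVAL
    return total

if __name__ == "__main__":
    for h in (0, 209_999, 210_000, 420_000):
        print(f"height {h}: {block_subsidy(h) / COIN} BTC")
    print("reward reaches 0 at height", first_unpaid_height())
    print("total supply:", total_supply() / COIN, "BTC")
```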

Forking on the Blockchain

• It might be the case that two nodes get to mine a different block around the same time
  • So two nodes can get solutions of different puzzles at the same time
  • So the blockchain can degenerate into a tree
  • Two miners can store different paths of this tree
• Bitcoin consensus algorithm ensures the longest blockchain will prevail
  • The longest chain will always win (it contains the most cumulative hash power)
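
How a node resolves the tree described above, as an added example (not code from the lecture): it scores every tip by the cumulative work on its path back to the first block and follows the best one. The block ids, the per-block work of 1 and the first-seen tie-break are assumptions of the sketch; with equal work per block the heaviest path is also the longest.

```python
def best_tip(blocks: dict):
    """blocks maps id -> (parent_id, work) in arrival order, parents first.

    Returns (tip_id, cumulative_work) of the chain a node should follow.
    """
    total = {}
    best = None
    for block_id, (parent, work) in blocks.items():
        total[block_id] = work + (total[parent] if parent is not None else 0)
        # Strict '>' keeps the first-seen tip when two forks tie.
        if best is None or total[block_id] > total[best]:
            best = block_id
    return best, total[best]

def chain_to(blocks: dict, tip: str) -> list:
    """Path from the first block to the given tip."""
    path = []
    while tip is not None:
        path.append(tip)
        tip = blocks[tip][0]
    return path[::-1]

def orphaned(blocks: dict) -> list:
    """Blocks that are not on the winning path."""
    tip, _ = best_tip(blocks)
    winners = set(chain_to(blocks, tip))
    return [b for b in blocks if b not in winners]

# Constructed scenario: two miners extend block "g" at about the same time.
FORK = {"g": (None, 1), "a1": ("g", 1), "b1": ("g", 1)}
# Later a miner who saw "b1" first finds the next block on top of it.
RESOLVED = dict(FORK, b2=("b1", 1))

if __name__ == "__main__":
    print(best_tip(FORK), chain_to(FORK, best_tip(FORK)[0]))
    print(best_tip(RESOLVED), chain_to(RESOLVED, best_tip(RESOLVED)[0]))
    print("orphaned:", orphaned(RESOLVED))
```

Transactions that appeared only in an orphaned block are no longer part of the ledger until a block on the winning path includes them.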

Recap

• How do you join Bitcoin?
• What happens when you want to send 4 Bitcoins to Alice?
• How is the ledger maintained?
• What is the purpose of the miners?
• How do the miners get paid?
• What happens when two different blocks are mined around the same time?

Bitcoin and privacy

• Is Bitcoin private?
  • Not really. It provides pseudonymity, since no real names appear on the blockchain
  • But you can launch linking attacks by analyzing the transaction graph
• Proposed alternatives
  • Zerocoin, Zerocash
  • These are new cryptocurrencies with privacy
• Intuitive difference between Bitcoin and Zerocash
  • A miner in Bitcoin proves that a sender A has the money to pay a sender B
  • A miner in Zerocash proves that there is an input transaction from the past that can be sent to B (breaks linkage)
• Complicated crypto constructions called SNARKs are required

Building applications with Bitcoin

• I own a file f but I do not want to store it, so I give it to Google and I keep one hash h(f) locally
• When the time comes to pay my subscription, I want Google to prove to me that it has the file
• So Google sends me the file…
• At that point, I can take the file and leave and never pay
• At the same time, if I pay first, Google can cheat and not prove to me that it has the file
• Can Bitcoin help here?

Secure Storage with Bitcoin

• Main idea: Make a Bitcoin transaction for Google, which will fire only when Google posts a transaction with the file
• Namely, Bitcoin allows you, through a scripting language, to indicate various conditions that must be satisfied for a transaction to go through
• But what if Google does not have the file?
• Where will my money go? Will I lose it forever?
• More on that next Wednesday by Mohammad and Ibrahim

One step further: Smart contracts

• Bitcoin scripting language is not Turing-complete
• What if more complicated conditions should be responsible for the flow of cash in the system?
• E.g.,
  • Play rock-paper-scissors on Bitcoin and make sure money goes to the winner, without having a trusted third party overseeing the process
• Smart contracts: You can write programs in a Turing-complete language and have miners verify transactions by executing these contracts
• Example: Ethereum
• Research: Privacy-preserving smart contracts (talk to me if you are interested)