Centrally Banked Cryptocurrencies George Danezis (University College - - PowerPoint PPT Presentation

Centrally Banked Cryptocurrencies

George Danezis (University College London) Sarah Meiklejohn (University College London)

2

who’s interested in ‘blockchain’?

2

who’s interested in ‘blockchain’?

2

who’s interested in ‘blockchain’?

2

who’s interested in ‘blockchain’?

2

who’s interested in ‘blockchain’?

2

who’s interested in ‘blockchain’?

2

who’s interested in ‘blockchain’?

3

fully decentralized cryptocurrencies

3

fully decentralized cryptocurrencies

3

fully decentralized cryptocurrencies

tx tx(addrA→addrB)

3

fully decentralized cryptocurrencies

tx

(generate transaction ledger)

“mining”

(generate monetary supply)

tx(addrA→addrB)

3

fully decentralized cryptocurrencies

append-only tx

(generate transaction ledger)

“mining”

(generate monetary supply)

tx(addrA→addrB)

3

fully decentralized cryptocurrencies

transparent append-only tx

(generate transaction ledger)

“mining”

(generate monetary supply)

tx(addrA→addrB)

3

fully decentralized cryptocurrencies

transparent pseudonyms append-only tx

(generate transaction ledger)

“mining”

(generate monetary supply)

tx(addrA→addrB)

4

issues with Bitcoin

hashing rates are out of control incentive structure is messed up attacks on mining no control over monetary policy

4

issues with Bitcoin

hashing rates are out of control incentive structure is messed up attacks on mining no control over monetary policy not suitable for most applications!

RSCoin

5

RSCoin

5

monetary supply

decentral central central

RSCoin

5

monetary supply ledger

central distribute decentral decentral central central

RSCoin

5

monetary supply ledger

central distribute decentral decentral central central

transparent?

y y (or n) n

RSCoin

5

monetary supply ledger

central distribute decentral decentral central central

transparent?

y y (or n) n

pseudonyms?

y y (or n) n

RSCoin

5

monetary supply ledger

central distribute decentral decentral central central

transparent?

y y (or n) n

pseudonyms?

y y (or n) n

computation

high! low low

6

6

bank

(generate monetary supply)

6

mintette mintette mintette mintette bank

(generate monetary supply) (generate transaction ledger)

6

mintette mintette mintette mintette bank user

(generate monetary supply) (generate transaction ledger)

6

mintette mintette mintette mintette bank user

(generate monetary supply) (generate transaction ledger)

6

mintette mintette mintette mintette bank user

(generate monetary supply) (generate transaction ledger)

7

mintette mintette mintette mintette bank user

7

mintette mintette mintette mintette bank user consensus?

7

mintette mintette mintette mintette bank user what gets sent? consensus?

7

mintette mintette mintette mintette bank user what gets sent? consensus? how do mintettes collect txs?

7

mintette mintette mintette mintette bank user what gets sent? consensus? how do mintettes collect txs? consensus?

8

user

1 2 tx:

consensus

8

user

1 2 tx:

consensus

each address is owned by a set of mintettes

8

user

1 2 tx:

consensus

each address is owned by a set of mintettes

a d d r e s s e s

mintette mintette mintette mintette mintette mintette mintette mintette mintette mintette mintette mintette mintette mintette mintette mintette mintette mintette

9

mintette1 mintette1 user

1 2 tx:

mintette1

1

consensus

9

mintette1 mintette1 user

1 2 tx:

mintette1

1

mintettes check for double spending… …using lists of unspent transaction outputs (utxo)

consensus

10

mintette1 mintette1 user

1 2 tx:

✓

mintette1

✓

1

signed ‘yes’ vote (and head h)

consensus

11

mintette1 mintette1 user

1 2 tx:

✓

mintette1

✓

mintette2 mintette2 mintette2

1 tx

✓ ✓ “bundle of evidence” contains ‘yes’ votes from majority of mintettes in shard

consensus

11

mintette1 mintette1 user

1 2 tx:

✓

mintette1

✓

mintette2 mintette2 mintette2

1 tx

✓ ✓ mintettes check validity of bundle by checking for signatures from authorized mintettes…

consensus

12

mintette1 mintette1 user

1 2 tx:

✓

mintette1

✓

mintette2 mintette2 mintette2

1 tx

✓ ✓

tx tx

…and if satisfied they add transaction to be committed and send back receipt

consensus

13

consensus features

13

consensus features

simple (adaption of Two-Phase Commit)

13

consensus features

scalable! simple (adaption of Two-Phase Commit)

13

consensus features

scalable!

T = set of txs generated per second Q = # mintettes per shard M = # mintettes

simple (adaption of Two-Phase Commit)

13

consensus features

scalable!

T = set of txs generated per second Q = # mintettes per shard M = # mintettes

simple (adaption of Two-Phase Commit)

∑tx∈T 2(mtx+1)Q M

• comm. per mintette per sec =

13

consensus features

scalable!

T = set of txs generated per second Q = # mintettes per shard M = # mintettes

simple (adaption of Two-Phase Commit)

∑tx∈T 2(mtx+1)Q

scales infinitely as more mintettes are added!

M

• comm. per mintette per sec =

14

14

each new mintette adds ≈ 75 tx/sec

14

each new mintette adds ≈ 75 tx/sec compared to Bitcoin’s 7

what gets sent?

15

mintette mintette mintette mintette bank user what gets sent? how do mintettes collect txs? (2PC) consensus? consensus?

what gets sent?

15

mintette mintette mintette mintette bank user what gets sent? how do mintettes collect txs? (2PC) how do mintettes collect txs? (contacted based on shard) consensus?

what gets sent?

15

mintette mintette mintette mintette bank user what gets sent? how do mintettes collect txs? (2PC) (contacted based on shard) what gets sent? consensus?

16

security properties

no double spending (only “good” transactions get included)

16

security properties

no double spending (only “good” transactions get included) (if honest majority)

17

security properties

no double spending (only “good” transactions get included) non-repudiation (mintettes are held to their promises)

17

security properties

no double spending (only “good” transactions get included) non-repudiation (mintettes are held to their promises) (because mintettes provide receipt upon committing transaction)

18

security properties

no double spending (only “good” transactions get included) non-repudiation (mintettes are held to their promises) auditability (mintettes can’t cheat without detection)

19

mintette logs

borrow ideas from Certificate Transparency to log actions

19

mintette logs

borrow ideas from Certificate Transparency to log actions mintettes create log entry every time they:

• act as mintette in first phase (Query)
• act as mintette in second phase (Commit)
• publish head of hash chain (CloseEpoch)

rolling hash chain of log acts as commitment to actions

19

mintette logs

borrow ideas from Certificate Transparency to log actions mintettes create log entry every time they:

• act as mintette in first phase (Query)
• act as mintette in second phase (Commit)
• publish head of hash chain (CloseEpoch)

rolling hash chain of log acts as commitment to actions mintettes cross-hash chains to provide evidence of activity

19

mintette logs

borrow ideas from Certificate Transparency to log actions mintettes create log entry every time they:

• act as mintette in first phase (Query)
• act as mintette in second phase (Commit)
• publish head of hash chain (CloseEpoch)

rolling hash chain of log acts as commitment to actions send logs to bank at end of every period mintettes cross-hash chains to provide evidence of activity

20

security properties

no double spending (only “good” transactions get included) non-repudiation (mintettes are held to their promises) auditability (mintettes can’t cheat without detection)

20

security properties

no double spending (only “good” transactions get included) non-repudiation (mintettes are held to their promises) auditability (mintettes can’t cheat without detection)

21

mintette mintette mintette mintette bank user what gets sent? how do mintettes collect txs? (2PC) (contacted based on shard) what gets sent? (cross-hashed chains) consensus?

21

mintette mintette mintette mintette bank user what gets sent? how do mintettes collect txs? (2PC) (contacted based on shard) (cross-hashed chains)

• collate transactions

consensus?

21

mintette mintette mintette mintette bank user what gets sent? how do mintettes collect txs? (2PC) (contacted based on shard) (cross-hashed chains)

• collate transactions
• allocate fees
• audit mintettes

consensus?

21

mintette mintette mintette mintette bank user what gets sent? how do mintettes collect txs? (2PC) (contacted based on shard) (cross-hashed chains)

• collate transactions
• allocate fees
• audit mintettes

(-add coin generation)

• authorize mintettes

consensus?

RSCoin

22

monetary supply ledger

central distribute decentral decentral central central

transparent?

y y (or n) n

pseudonyms?

y y (or n) n

computation

high! low low

RSCoin

22

monetary supply ledger

central distribute decentral decentral central central

transparent?

y y (or n) n

pseudonyms?

y y (or n) n

computation

high! low low Thanks! Any questions?