Outline Previous e-cash and techniques CSci 5271 Bitcoin design Introduction to Computer Security Day 26: Electronic cash and Bitcoin Announcements Stephen McCamant University of Minnesota, Computer Science & Engineering Bitcoin experience Kinds of Internet payments One ideal: electronic cash Credit/debit cards: most popular Direct transactions without third party Wide adoption among consumers, little consumer fraud liability No transaction fees Restrictive merchant procedures Potentially anonymous PayPal Non-revocable: buyer bears fraud risk Easier to accept payments Centrally managed to deal with fraud Micropayments Blinded signatures Claim: what the web needs is small Sign something without knowing its payments to support content value Too small for existing mechanisms Often used together with randomized One idea (Peppercoin): simulate small auditing payment with small probability of larger For RSA, multiply message by r ❡ , r payment random Actual market for micropayments has Allows a bank to “mint” coins that can been small still be anonymous Most buyers and sellers prefer free + other revenue
Challenge: double spending Puzzles / proof-of-work Computational problem you solve to Any purely electronic data can be show you spent some effort duplicated, including electronic money Common: choose s so that ❤ ✭ ♠ ❦ s ✮ Can’t allow two copies to both be spent starts with many 0 bits Shows ideal no-third-party e-cash can’t For instance, required solved puzzles be possible can be a countermeasure against DoS Hashcash and spam Hash trees and timestamp services Merkle tree: parent node includes hash Idea: use proof of work to solve email of children spam problem Good hash function ✦ root determines Puzzle based on date and recipient whole tree Legitimate users send only a few messages Can prove value of leaf with log-sized Problem 1: mailing lists evidence Problem 2: spam botnets Application: document timestamping Never caught on (commitment) service Outline Bitcoin addresses Address is basically a public/private Previous e-cash and techniques signing key pair Randomized naming, collision unlikely Bitcoin design At any moment, balance is a perhaps Announcements fractional number of bitcoins (BTC) Anyone one can send to an address, Bitcoin experience private key needed to spend
Global transaction log Bitcoin network Use peer-to-peer network to distribute Basic transaction: Take ① ✶ from ❛ ✶ , ① ✷ transaction log from ❛ ✷ , . . . , put ② ✶ in ❛ ✵ ✶ , ② ✷ in ❛ ✵ ✷ , . . . Of course require P ✐ ① ✐ ❂ P Roughly similar to BitTorrent, etc. for ❥ ② ❥ Keep one big list of all transactions old data ever Once a node is in sync, only updates need to be sent Check all balances in addresses taken from are sufficient New transactions sent broadcast Consistency and double-spending Bitcoin blocks If all nodes always saw the same log, Group ✘ 10 minutes of latest double-spending would be impossible transactions into one “block” But how to ensure consistency, if Use a proof of work so creating a block multiple clients update at once? is very hard Symmetric situation: me and “me” in All nodes race, winning block Australia both try to spend the same propagates $100 at the same time Bitcoin blockchains Regulating difficulty Difficulty of the proof-of-work is Each block contains a pointer to the adjusted to target the 10 minute block previous one frequency Nodes prefer the longest chain they Recomputed over two-week (2016 know block) average E.g., inconsistency usually resolved by Network adjusts to amount of next block computing power available
Bitcoin mining Outline Where do bitcoins come from Previous e-cash and techniques originally? Bitcoin design Fixed number created per block, assigned by the node that made it Announcements An incentive to compete in the block generation race Bitcoin experience Called mining by analogy with gold Group project presentations Wednesday presentations Start next Wednesday, run three ✶✿✵✵ ✲ ✶✿✶✸ ❏❙ ❆P■ ❝❤❡❝❦✐♥❣ ✭◗✮ lectures ✶✿✶✹ ✲ ✶✿✷✺ P❛ss✇♦r❞ ♠♦❞❡❧s ✭▲▼❙✮ Plan 10 minute presentation plus say 3 ✶✿✷✻ ✲ ✶✿✸✾ ❘❡❛❞✐♥❣ ❈❆P❚❈❍❆s ✭◆❖❘❘✮ minutes Q&A ✶✿✹✵ ✲ ✶✿✹✺ ❛♥♥♦✉♥❝❡♠❡♥ts One student per group presents ✶✿✹✻ ✲ ✶✿✺✾ ❊✈✐❧✲t✇✐♥ ❲✐❋✐ ✭❈◆◗❚✮ Slides, BYO laptop recommended ✷✿✵✵ ✲ ✷✿✶✸ P❛ss✇♦r❞ ♠❛♥❛❣❡rs ✭❉❊❑✮ Can send me backup slides (PDF, PPT) night before December dates Outline Previous e-cash and techniques Final project progress reports due tonight Bitcoin design Exercise set 5 due Tuesday 12/12 Announcements Project final reports due Wednesday 12/13 Bitcoin experience
Where Bitcoin came from Current statistics Block chain 497,498 blocks, ✘ 154GB Paper and early implementation by 16.7M BTC minted (many presumed lost) Satoshi Nakamoto Theoretical value at market exchange Generally presumed to be a pseudonym rate ❃ $184 billion “Genesis block” created January 2009 Millions of addresses, probably many Containing headline from The Times (of London) about a bank bailout fewer users Mining power: 11 etahash/sec What can you buy with Bitcoin? Bitcoin as a currency Can be exchanged for dollars, etc. Stuff from increasingly many online Currently pretty cumbersome retailers In some ways more like gold than fiat In-person purchases, still mostly a currencies novelty No central authority Ransomware ransoms Price changes driven more by demand than supply Illegal drugs (Silk Road successors) Exchange rate trend: volatile, recently Murder for hire: currently probably a up a lot fraud Deflation and speculation Bitcoin mining trends Some people want bitcoins to spend on Exponentially increasing rates purchases Demand based on “velocity” CPU ✦ GPU ✦ FPGA ✦ ASIC Supply does not keep up with interest Specialized hardware has eclipsed So, value of 1 BTC has to go up general purpose Others want bitcoins because they Including malware and botnets think the price will go up in the future Recent price trends suggest continuing Self-fulfilling prophecy But vulnerable to steep drops if investment expectations change
Enforcing consistency Scaling Bitcoin Current most pressing limitation: 1MB Structure of network very resistant to block size protocol change Limits volume of transactions Inertia of everybody else’s code Several changes that would effectively Changes unpopular among miners will increase it still being discussed not stick Size of block chain Minor crisis March 2013: details of Compare growth to external storage cost/GB database lock allocation cause half of Fewer and fewer users keep the whole network to reject large block chain anyway Speed of confirmation Stealing bitcoins Bitcoins are a very tempting target for When is it safe to know you have malware received money? Private keys stored directly on client Safe answer: wait for several blocks machines Too slow for, say, in-person transactions Theft is non-reversible Much easier than PayPal or identity theft Much faster: wait for transaction to propagate Standard recommendation is to keep Basic rule: precedence by order seen keys mostly offline Bitcoin (non-)anonymity Zero-knowledge for privacy Basic idea: prove this money came from a previous transaction Bitcoin addresses are not directly tied But without revealing which to any other identity Made possible with recent crypto But the block chain is public, so there’s constructions lots of information Downsides: still expensive, trusted setup E.g., list of largest balances easily collectable Two rounds of academic papers lead to “Zcash”
Different proofs of work Smart contracts Desire: avoid centralizing mining in Basically, computer programs that large farms disburse money Common approach is to make memory Idea predates Bitcoin, but it’s a natural rather than computation the limiting match factor in cost Bitcoin has a limited programming Similar constructions also used for language password hashing Other contenders, such as Ethereum, Some tricky trade-offs, including desire have a richer one for cheap verification Smart contracts challenges Next time Expensive to run contracts many times (e.g., during mining) Group project presentations Code visible, but bugs can’t be fixed Hack of high-profile Ethereum “DAO” application lead to a community fork
Recommend
More recommend
