MARKETS, MECHANISMS, MACHINES
University of Virginia, Spring 2019
Class 27: Cryptocurrency
22 April 2019
cs4501/econ4559 Spring 2019
David Evans and Denis Nekipelov
https://uvammm.github.io

Final Project Presentations
Next Tuesday (April 30), in class
up to min(5, ' + 3) minutes to present your project
- tell a story, don’t read a list
- motivate your project: why should we care?
- explain what you did: overview, and something interesting
- results: focus on getting most interesting result across
- demos are better than slides
- pictures are better than text
- (almost) anything is better than a bullet list
Try not to have any slides as boring, text-heavy, and bullet-listy as this one was!

Final Project Reports
Monday, 6 May (4:59pm): this is a strict deadline, unless you pre-arrange an extension
Default: web site that describes your project
- permanently hosted (e.g., github pages)
- text/image description of your project
- code and data
Alternatives: video, academic-style paper, song, etc.
- if you are doing something unconventional, ask for advice first

For thousands of years, philosophers, thinkers and prophets have besmirched money and called it the root of all evil. Be that as it may, money is also the apogee of human tolerance. Money is more open-minded than language, state laws, cultural codes, religious beliefs and social habits. Money is the only trust system created by humans that can bridge almost any cultural gap, and that does not discriminate on the basis of religion, gender, race, age or sexual orientation. Thanks to money, even people who don’t know each other and don’t trust each other can nevertheless cooperate effectively.

Owning and Transferring a Coin
Alice: “I, Alice, give coin x to Bob.”
- Only Alice should be able to say this (if she owns coin x).
- Everyone should be able to trust it is valid.
- Bob should now own coin x.

Asymmetry Required
Need a function f that is:
- Easy to compute: given x, easy to compute f(x)
- Hard to invert: given f(x), hard to compute x
- Has a trap-door: given f(x) and t, easy to compute x

Using Asymmetric Crypto: Signatures
[Figure: signature diagram with boxes E and D, the labels Message, Signed Message, Verified Message and Insecure Channel, and the keys KU_B and KR_B]
Bob: Generates key pair: KU_B, KR_B. Publishes KU_B.
Anyone: Get KU_B from trusted provider.

Transferring a Coin
Alice signs m_1 = “I, Alice (KU_A), give coin x, t to Bob (KU_B).” with her private signing key, KR_A.
How does Bob transfer x to Colleen (KU_C)?

Transferring a Coin
Alice signs m_1 = “I, Alice (KU_A), give coin x to Bob (KU_B).” with her private signing key, KR_A.
Bob signs m_2 = “I give coin x, given to me by m_1 to Colleen (KU_C).” with KR_B.
Colleen signs m_3 = “I give coin x, given to me by m_2 to Dave (KU_D).” with KR_C.
This does not solve:
- how to create x
- how to prevent double spending
- ...

Centralized Digital Currency
Trusted Bank

Account No.   Owner’s Identity   Value
3022493       Alice              2033.23
3022494       Bob                8733.03
3022495       Colleen            24331.77
3022496       Dave               0.01
3022497       Denis              5823392.23

Double Spending Challenge
M = transfer X to Bob, Sign_{KR_A}[H(M)]
Bob wants to verify:
1. Alice owns X
2. Alice hasn’t transferred X
3. The coin will be valuable for Bob

[Figure: network of Nodes A, B, C, D and E receiving two transactions signed by Alice for the same coin X]
tx_b: M = transfer X to Bob, Sign_{KR_A}[H(M)]
tx_c: M = transfer X to Colleen, Sign_{KR_A}[H(M)]

[Figure: Nodes A, B and C each keep a list of transactions. Two of the lists have t_b (X->Bob) as transaction 1; the third has t_c (X->Cathy), where t_c is M = transfer X to Colleen, E_{KR_A}[H(M)]. BAD!]
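
An added example, not from the original slides: the signed transfer chain m_1, m_2, m_3 from "Transferring a Coin" and the conflicting transfer from "Double Spending Challenge", in Python. The textbook-RSA signatures over fixed Mersenne primes, the "origin" marker for the coin's creation, and all function names are assumptions made for illustration; the toy keys are not secure.

```python
import hashlib

E = 65537  # public exponent shared by every toy key

def keygen(p, q):
    """Toy textbook RSA (fixed primes, no padding: NOT secure). Returns (KU, KR)."""
    n = p * q
    return n, (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def body(coin, prev, ku_from, ku_to):
    return f"{coin}|{prev}|{ku_from}|{ku_to}".encode()

def transfer(kr, coin, prev, ku_from, ku_to):
    """m_i = (coin, id of previous transfer, sender KU, recipient KU, signature)."""
    n, d = kr
    return (coin, prev, ku_from, ku_to, pow(digest(body(coin, prev, ku_from, ku_to), n), d, n))

def msg_id(m):
    return hashlib.sha256(repr(m).encode()).hexdigest()

def current_owner(chain, issuer_ku):
    """Walk m_1..m_k: each must be signed by the recipient of the one before it."""
    owner, prev = issuer_ku, "origin"
    for m in chain:
        coin, p, ku_from, ku_to, sig = m
        signed = pow(sig, E, owner) == digest(body(coin, p, ku_from, ku_to), owner)
        if ku_from != owner or p != prev or not signed:
            raise ValueError("invalid transfer")
        owner, prev = ku_to, msg_id(m)
    return owner

def double_spends(messages):
    """(coin, previous id) pairs handed to two recipients; needs a view of ALL messages."""
    seen, dup = {}, set()
    for coin, prev, _, ku_to, _ in messages:
        if seen.setdefault((coin, prev), ku_to) != ku_to:
            dup.add((coin, prev))
    return dup

# Constructed keys from Mersenne primes 2^k - 1 (illustration only).
P = [2**k - 1 for k in (61, 89, 107, 127, 521, 607, 1279, 2203)]
(KU_A, KR_A), (KU_B, KR_B), (KU_C, KR_C), (KU_D, _) = (keygen(P[i], P[i + 1]) for i in (0, 2, 4, 6))
m1 = transfer(KR_A, "x", "origin", KU_A, KU_B)        # Alice -> Bob
m2 = transfer(KR_B, "x", msg_id(m1), KU_B, KU_C)      # Bob -> Colleen
m3 = transfer(KR_C, "x", msg_id(m2), KU_C, KU_D)      # Colleen -> Dave
m1_alt = transfer(KR_A, "x", "origin", KU_A, KU_C)    # Alice also gives x to Colleen
```

Both `[m1, m2, m3]` and `[m1_alt]` pass `current_owner`, so signatures alone cannot tell Bob that Alice already spent x; only `double_spends`, which sees every message, notices the conflict.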

Idea: Proof-of-Work
Pricing Function: (f)
- moderately easy to compute
- cannot be amortized: computing f(m_1), …, f(m_l) costs l times as much as computing f(m_i).
- easily verified: given x, y easy to check y = f(x)

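Interactive Hashcash
Everyone agrees on one-way function f
mail sender -> mail recipient’s server: Hello
mail recipient’s server: r ← random nonce
mail recipient’s server -> mail sender: Challenge: r
mail sender: search for x such that f(x) = r
mail sender -> mail recipient’s server: (x, Mail)
mail recipient’s server: Verify f(x) = r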

Bitcoin’s Proof-of-Work
[Figure: chain of blocks. B0, followed by blocks that each contain the hash of the previous block (H(B0), H(B1), H(B2)), a Nonce, and Transactions]
Find a nonce x such that:
  SHA-256(SHA-256(r || x)) < T/d
r = header, includes
- H(previous block)
- root of Merkle tree of transactions
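
An added example, not from the original slides: the nonce search SHA-256(SHA-256(r || x)) < T/d over a small chain, showing the pricing-function properties (costly to find, one hash to verify). T = 2^256, d = 2^12, the 8-byte nonce and the header layout are constructed simplifications, not Bitcoin's real header format.

```python
import hashlib

T = 2**256   # constructed: full hash space; a block is valid when hash < T/d
D = 2**12    # constructed toy difficulty d (about 4096 tries per block)

def dsha(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_root(txs):
    """Pairwise double-SHA-256 tree over the transactions (last node duplicated when odd)."""
    level = [dsha(t.encode()) for t in txs] or [dsha(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def header(prev_hash, txs):
    return prev_hash + merkle_root(txs)   # r = H(previous block) || Merkle root

def block_hash(r, x):
    return dsha(r + x.to_bytes(8, "big"))

def mine(prev_hash, txs, d=D):
    """Search for a nonce x with SHA-256(SHA-256(r || x)) < T/d."""
    r, x = header(prev_hash, txs), 0
    while int.from_bytes(block_hash(r, x), "big") >= T // d:
        x += 1
    return {"prev": prev_hash, "txs": txs, "nonce": x, "hash": block_hash(r, x)}

def build_chain(tx_lists, d=D):
    chain, prev = [], bytes(32)           # all-zero hash stands in for "before B0"
    for txs in tx_lists:
        chain.append(mine(prev, txs, d))
        prev = chain[-1]["hash"]
    return chain

def valid_chain(chain, d=D):
    """One double hash per block checks both the work and the link to the previous block."""
    prev = bytes(32)
    for b in chain:
        hsh = block_hash(header(b["prev"], b["txs"]), b["nonce"])
        if b["prev"] != prev or hsh != b["hash"] or int.from_bytes(hsh, "big") >= T // d:
            return False
        prev = hsh
    return True
```

Changing a transaction in an earlier block changes its Merkle root and therefore its hash, so that block and every block after it must be mined again before `valid_chain` accepts the chain.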