Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Class 27: Cryptocurrency

David Evans
April 23, 2019

Class 27: Cryptocurrency

https://uvammm.github.io/class27

Markets, Mechanisms, and Machines
University of Virginia
cs4501/econ4559 Spring 2019
David Evans and Denis Nekipelov
https://uvammm.github.io/

David Evans

April 23, 2019
Tweet

More Decks by David Evans

Other Decks in Business

Transcript

  1. MARKETS, MECHANISMS, MACHINES University of Virginia, Spring 2019
    Class 27:
    Cryptocurrency
    22 April 2019
    cs4501/econ4559 Spring 2019
    David Evans and Denis Nekipelov
    https://uvammm.github.io

    View Slide

  2. Final Project Presentations
    Next Tuesday (April 30), in class
    up to min(5, ' + 3) minutes to present your project
    tell a story, don’t read a list
    motivate your project: why should we care?
    explain what you did: overview, and something interesting
    results: focus on getting most interesting result across
    demos are better than slides
    pictures are better than text
    (almost) anything is better than a bullet list
    1

    View Slide

  3. Final Project Presentations
    Next Tuesday (April 30), in class
    up to min(5, ' + 3) minutes to present your project
    tell a story, don’t read a list
    motivate your project: why should we care?
    explain what you did: overview, and something interesting
    results: focus on getting most interesting result across
    demos are better than slides
    pictures are better than text
    (almost) anything is better than a bullet list
    2
    Try not to have any slides as boring, text-
    heavy, and bullet-listy as this one was!

    View Slide

  4. Final Project Presentations
    3
    Be creative!
    (tasty is
    good too...)

    View Slide

  5. Final Project Reports
    Monday, 6 May (4:59pm): this is a strict deadline, unless you pre-
    arrange an extension
    Default: web site that describes your project
    - permanently hosted (e.g., github pages)
    - text/image description of your project
    - code and data
    Alternatives: video, academic-style paper, song, etc.
    - if you are doing something unconventional, ask for advice first
    4

    View Slide

  6. Cryptocurrency and Blockchain
    5

    View Slide

  7. What is money?
    6

    View Slide

  8. 7
    For thousands of years, philosophers, thinkers and
    prophets have besmirched money and called it the
    root of all evil. Be that as it may, money is also the
    apogee of human tolerance. Money is more open-
    minded than language, state laws, cultural codes ,
    religious beliefs and social habits. Money is the only
    trust system created by humans that can bridge
    almost any cultural gap, and that does not
    discriminate on the basis of religion, gender, race,
    age or sexual orientation. Thanks to money, even
    people who don’t know each other and don’t trust
    each other can nevertheless cooperate effectively.

    View Slide

  9. Paradox of Money
    Money works because people trust it.
    People trust money because it works.
    Need a starting point: where does that trust begin.

    View Slide

  10. 9
    Aristotle’s Politics 350 BCE

    View Slide

  11. Fiat Currency
    10

    View Slide

  12. 11
    With a strong enough army,
    anything can be a fiat currency

    View Slide

  13. Can bits be a currency?
    12

    View Slide

  14. Owning and Transferring a Coin
    13
    Alice: “I, Alice, give coin x to Bob.”
    Only Alice should be able to say this (if she owns coin x).
    Everyone should be able to trust it is valid.
    Bob should now own coin x.

    View Slide

  15. Asymmetry Required
    Need a function f that is:
    Easy to compute:
    given x, easy to compute f (x)
    Hard to invert:
    given f (x), hard to compute x
    Has a trap-door:
    given f (x) and t,
    easy to compute x
    14

    View Slide

  16. Using Asymmetric Crypto: Signatures
    15
    E D
    Verified
    Message
    Signed Message
    Message
    Insecure Channel
    KU
    B
    KR
    B
    Bob
    Generates key pair: KU
    B
    , KR
    B
    Publishes KU
    B
    Anyone
    Get KU
    B
    from
    trusted provider

    View Slide

  17. Transferring a Coin
    16
    Alice signs
    m
    1
    = “I, Alice (KU
    A
    ), give coin x, t to Bob (KU
    B
    ).”
    with her private signing key, KR
    A
    .
    How does Bob transfer x to Colleen (KU
    C
    )?

    View Slide

  18. Transferring a Coin
    17
    Bob signs m
    2
    = “I give coin x, given to me by m
    1
    to Colleen (KU
    C
    ).”
    with KR
    B
    .
    Alice signs m
    1
    = “I, Alice (KU
    A
    ), give coin x to Bob (KU
    B
    ).” with
    her private signing key, KR
    A
    .

    View Slide

  19. Transferring a Coin
    18
    Bob signs m
    2
    = “I give coin x, given to me by m
    1
    to Colleen (KU
    C).”
    with KR
    B.
    Alice signs m
    1
    = “I, Alice (KU
    A), give coin x to Bob (KU
    B).” with
    her private signing key, KR
    A.
    Colleen signs m
    3
    = “I give coin x, given to me by m
    2
    to Dave (KU
    D).”
    with KR
    C.
    This does not solve:
    how to create x
    how to prevent double spending
    ...

    View Slide

  20. Centralized Digital Currency
    19
    Trusted Bank
    Account No. Owner’s Identity Value
    3022493 Alice 2033.23
    3022494 Bob 8733.03
    3022495 Colleen 24331.77
    3022496 Dave 0.01
    3022497 Denis 5823392.23

    View Slide

  21. 20
    Communications of the ACM
    October 1985

    View Slide

  22. 21
    Communications of the ACM
    October 1985

    View Slide

  23. First Wave Cryptocurrency
    22
    David Chaum

    View Slide

  24. First Wave Cryptocurrency
    23
    David Chaum
    Bankrupt, 1998

    View Slide

  25. Decentralized Currency
    Currency without trust
    24

    View Slide

  26. Double Spending Challenge
    25
    M = transfer X to Bob SignKRA
    [H(M)]
    Bob wants to verify:
    1. Alice owns X
    2. Alice hasn’t transferred X
    3. The coin will be valuable for Bob

    View Slide

  27. Double Spending Challenge
    26
    M = transfer X to Bob SignKRA
    [H(M)]
    Bob wants to verify:
    1. Alice owns X
    2. Alice hasn’t transferred X
    3. The coin will be valuable for Bob
    Node C
    Node A Node B
    tx
    b
    tx
    b

    View Slide

  28. 27
    M = transfer X to Bob SignKRA
    [H(M)]
    Bob wants to verify:
    1. Alice owns X
    2. Alice hasn’t transferred X
    3. The coin will be valuable for Bob
    Node C
    Node A Node B
    tx
    b
    tx
    b
    M = transfer X to Coleen SignKRA
    [H(M)]
    tx
    c

    View Slide

  29. 28
    M = transfer X to Bob SignKRA
    [H(M)]
    Bob wants to verify:
    1. Alice owns X
    2. Alice hasn’t transferred X
    3. The coin will be valuable for Bob
    Node C
    Node A Node B
    tx
    b
    tx
    b
    M = transfer X to Coleen SignKRA
    [H(M)]
    tx
    c

    View Slide

  30. 29
    M = transfer X to Bob SignKRA
    [H(M)]
    Bob wants to verify:
    1. Alice owns X
    2. Alice hasn’t transferred X
    3. The coin will be valuable for Bob
    Node C
    Node A Node B
    tx
    b
    tx
    b
    M = transfer X to Coleen SignKRA
    [H(M)]
    tx
    c
    Node E
    Node D

    View Slide

  31. 30
    Node A Node B Node C
    M = transfer X to Colleen EKRA
    [H(M)]
    tc
    tc tc tc
    BAD!
    t
    Transactions
    1 tb
    (X->Bob)
    Transactions
    1 t
    b
    (X->Bob)
    Transactions
    1 tc
    (X->Cathy)

    View Slide

  32. Scaling the Network
    31
    Node A Node B Node C
    t
    a
    t
    b
    t
    b
    Node D Node E Node F Node G

    View Slide

  33. Voting on the Consensus Ledger
    32

    View Slide

  34. Inconsistent Blockchains
    33
    Node A Node B Node C
    Node D Node E Node F Node G
    How do we know which
    blockchain is “correct”?

    View Slide

  35. 34
    CRYPTO 1992
    Cynthia Dwork
    (now at Harvard)
    Moni Naor
    (Weizmann Institute)

    View Slide

  36. 35

    View Slide

  37. Idea: Proof-of-Work
    Pricing Function: (f)
    - moderately easy to compute
    - cannot be amortized
    computing f(m1
    ),…, f(ml
    ) costs l times as
    much as computing f(mi
    ).
    - easily verified: given x, y easy to check y = f(x)
    36

    View Slide

  38. Hashcash
    Adam Back
    1997
    37

    View Slide

  39. Interactive Hashcash
    38
    mail sender
    mail recipient’s
    server
    Hello
    Challenge: r
    r ç random nonce
    Everyone agrees on one-way function f

    View Slide

  40. Interactive Hashcash
    39
    mail sender
    mail recipient’s
    server
    Hello
    Challenge: r
    r ç random nonce
    search for x such that
    f(x) = r
    Everyone agrees on one-way function f
    (x, Mail)

    View Slide

  41. Interactive Hashcash
    40
    mail sender
    mail recipient’s
    server
    Hello
    Challenge: r
    r ç random nonce
    search for x such that
    f(x) = r
    Everyone agrees on one-way function f
    (x, Mail) Verify f(x) = r

    View Slide

  42. Satoshi’s
    Solution
    41

    View Slide

  43. Blockchain
    42
    B0
    H(B0) Nonce
    Transactions
    H(B1) Nonce
    Transactions
    H(B2) Nonce
    Transactions
    Distributed ledger maintained by network of untrusted nodes
    Blocks added require proof-of-work
    Node’s agree to consensus: longest (most difficult) chain
    Incentives designed to encourage network nodes to:
    Validate and record transactions
    Spend effort on extending consensus chain

    View Slide

  44. Bitcoin’s Proof-of-Work
    43
    B0
    H(B0) Nonce
    Transactions
    H(B1) Nonce
    Transactions
    H(B2) Nonce
    Transactions
    Find a nonce x such that:
    SHA-256(SHA-256(r || x)) < T/d
    r = header includes H(previous block)
    root of Merkle tree of transactions

    View Slide

  45. 44
    Expected hashes to
    find block:
    = " # 2%&~ 2.7 # 10&&
    27 sextillion 286
    quintillion 58
    quadrillion 498 trillion
    500 billion 453 million
    203 thousand 968

    View Slide

  46. 45
    Adjusted by protocol every 2016 blocks (~ 2 weeks at expected 10 minutes per block rate)

    View Slide

  47. Actual Bitcoin Block
    46
    https://en.bitcoin.it/wiki/Protocol_documentation#Block_Headers

    View Slide

  48. 47
    Bitcoin
    Transaction
    Input 1: v1
    , a1
    Input 2: v2
    , a2

    Output 1: x1
    , d1
    Output 2: x2
    , d2

    transaction fees = sum(input values) – sum(output values)
    (must be non-negative for valid transaction)

    View Slide

  49. Bitcoin Script
    48
    OP_DATA
    OP_CHECKSIG
    Locking Script
    OP_DATA
    Unlocking Script
    Transaction
    a0b6ea…..
    Input 1: v1
    ,
    a1
    Output 1:
    x1
    , d1
    Output 2:
    x2
    , d2

    Transaction
    d8730d…
    Locking Script
    Unlocking Script
    If Bitcoin Address were just public key
    Spender provides unlocking script,
    transaction is valid if stack ends with 1 on top

    View Slide

  50. Bitcoin Script
    49
    OP_DUP
    OP_HASH160
    OP_DATA
    OP_EQUALVERIFY
    OP_CHECKSIG
    Locking Script
    OP_DATA
    OP_DATA
    Unlocking Script
    Transaction
    a0b6ea…..
    Input 1: v1
    ,
    a1
    Output 1:
    x1
    , d1
    Output 2:
    x2
    , d2

    Transaction
    d8730d…
    Locking Script
    Unlocking Script
    Bitcoin Address = H(public key)

    View Slide

  51. OP_RETURN (until July 2010)
    50
    https://github.com/bitcoin/bitcoin/blob/v0.1.5/script.cpp#L170
    Universal Unlocking Script!
    OP_DATA 1
    OP_RETURN

    View Slide

  52. 51
    Example Transaction
    Fees are optional…

    View Slide

  53. 52
    Mt. Gox proof-of-assets transaction

    View Slide

  54. 53
    Exhibit B

    View Slide

  55. 54
    Bitcoin
    Transaction
    Input 1: v1
    , a1
    Input 2: v2
    , a2

    Output 1: x1
    , d1
    Output 2: x2
    , d2

    transaction fees = sum(input values) – sum(output values)
    (must be non-negative for valid transaction)
    How is new bitcoin created?

    View Slide

  56. 55
    Coinbase
    Transaction
    Output 1: x1
    , d1
    Output 2: x2
    , d2

    sum(output values) ≤ sum(transaction fees) + mining reward
    mining reward = 50 BTC
    2floor(block number / 210,000)

    View Slide

  57. 56

    View Slide

  58. Mining
    57

    View Slide

  59. (General-Purpose)
    Computers are Useless
    58

    View Slide

  60. 59
    XOR two 32-bit values in CPU XOR two 32-bit values in ASIC
    4 transistors XOR design

    View Slide

  61. 60
    https://en.bitcoin.it/wiki/Mining_hardware_comparison

    View Slide

  62. 61

    View Slide

  63. 62
    AntMiner S9: 12 TH/s
    AntMiner S5+ [Oct 2015]: 7 TH/s, 3436W

    View Slide

  64. 63

    View Slide

  65. 64
    Fire at mining facility in Thailand, 14 Oct 2014
    Photo credit: www.thairath.co.th

    View Slide

  66. 65

    View Slide

  67. 66

    View Slide

  68. 67

    View Slide

  69. 68
    Entire bitcoin network: 1/10-1/5th Lake Anna Power Station

    View Slide

  70. 69
    Blockchain Hype!

    View Slide

  71. 70
    Google Trends
    Renminbi
    Bitcoin
    Dec 2013

    View Slide

  72. 71
    Bitcoin “Hype”
    Bitcoin
    Market
    Price (US$)

    View Slide

  73. 72
    $5K today
    $20K in Dec 2017

    View Slide

  74. 73
    $5K today
    $20K in Dec 2017

    View Slide

  75. 74
    Bitcoin “Market Capitalization” = Number of Bitcoins ✕ Market Price
    = 17.66M ✕ $5387.90 ≈ $95B

    View Slide

  76. Estimated $US Daily Transaction Value
    75

    View Slide

  77. How long does it take Apple to make $628M?
    76

    View Slide

  78. How long does it take Apple to make $628M?
    77
    Apple’s 2018 revenue $266B $728M/day

    View Slide

  79. Charge
    Project Presentations in One Week!
    78

    View Slide