Class 27: Cryptocurrency

Transcript

1. MARKETS, MECHANISMS, MACHINES University of Virginia, Spring 2019 Class 27:

   Cryptocurrency 22 April 2019 cs4501/econ4559 Spring 2019 David Evans and Denis Nekipelov https://uvammm.github.io

2. Final Project Presentations Next Tuesday (April 30), in class up

   to min(5, ' + 3) minutes to present your project tell a story, don’t read a list motivate your project: why should we care? explain what you did: overview, and something interesting results: focus on getting most interesting result across demos are better than slides pictures are better than text (almost) anything is better than a bullet list 1

3. Final Project Presentations Next Tuesday (April 30), in class up

   to min(5, ' + 3) minutes to present your project tell a story, don’t read a list motivate your project: why should we care? explain what you did: overview, and something interesting results: focus on getting most interesting result across demos are better than slides pictures are better than text (almost) anything is better than a bullet list 2 Try not to have any slides as boring, text- heavy, and bullet-listy as this one was!

4. Final Project Presentations 3 Be creative! (tasty is good too...)

5. Final Project Reports Monday, 6 May (4:59pm): this is a

   strict deadline, unless you pre- arrange an extension Default: web site that describes your project - permanently hosted (e.g., github pages) - text/image description of your project - code and data Alternatives: video, academic-style paper, song, etc. - if you are doing something unconventional, ask for advice first 4

6. Cryptocurrency and Blockchain 5

7. What is money? 6

8. 7 For thousands of years, philosophers, thinkers and prophets have

   besmirched money and called it the root of all evil. Be that as it may, money is also the apogee of human tolerance. Money is more open- minded than language, state laws, cultural codes , religious beliefs and social habits. Money is the only trust system created by humans that can bridge almost any cultural gap, and that does not discriminate on the basis of religion, gender, race, age or sexual orientation. Thanks to money, even people who don’t know each other and don’t trust each other can nevertheless cooperate effectively.

9. Paradox of Money Money works because people trust it. People

   trust money because it works. Need a starting point: where does that trust begin.

10. 9 Aristotle’s Politics 350 BCE

11. Fiat Currency 10

12. 11 With a strong enough army, anything can be a

    fiat currency

13. Can bits be a currency? 12

14. Owning and Transferring a Coin 13 Alice: “I, Alice, give

    coin x to Bob.” Only Alice should be able to say this (if she owns coin x). Everyone should be able to trust it is valid. Bob should now own coin x.

15. Asymmetry Required Need a function f that is: Easy to

    compute: given x, easy to compute f (x) Hard to invert: given f (x), hard to compute x Has a trap-door: given f (x) and t, easy to compute x 14

16. Using Asymmetric Crypto: Signatures 15 E D Verified Message Signed

    Message Message Insecure Channel KU B KR B Bob Generates key pair: KU B , KR B Publishes KU B Anyone Get KU B from trusted provider

17. Transferring a Coin 16 Alice signs m 1 = “I,

    Alice (KU A ), give coin x, t to Bob (KU B ).” with her private signing key, KR A . How does Bob transfer x to Colleen (KU C )?

18. Transferring a Coin 17 Bob signs m 2 = “I

    give coin x, given to me by m 1 to Colleen (KU C ).” with KR B . Alice signs m 1 = “I, Alice (KU A ), give coin x to Bob (KU B ).” with her private signing key, KR A .

19. Transferring a Coin 18 Bob signs m 2 = “I

    give coin x, given to me by m 1 to Colleen (KU C).” with KR B. Alice signs m 1 = “I, Alice (KU A), give coin x to Bob (KU B).” with her private signing key, KR A. Colleen signs m 3 = “I give coin x, given to me by m 2 to Dave (KU D).” with KR C. This does not solve: how to create x how to prevent double spending ...

20. Centralized Digital Currency 19 Trusted Bank Account No. Owner’s Identity

    Value 3022493 Alice 2033.23 3022494 Bob 8733.03 3022495 Colleen 24331.77 3022496 Dave 0.01 3022497 Denis 5823392.23

21. 20 Communications of the ACM October 1985

22. 21 Communications of the ACM October 1985

23. First Wave Cryptocurrency 22 David Chaum

24. First Wave Cryptocurrency 23 David Chaum Bankrupt, 1998

25. Decentralized Currency Currency without trust 24

26. Double Spending Challenge 25 M = transfer X to Bob

    SignKRA [H(M)] Bob wants to verify: 1. Alice owns X 2. Alice hasn’t transferred X 3. The coin will be valuable for Bob

27. Double Spending Challenge 26 M = transfer X to Bob

    SignKRA [H(M)] Bob wants to verify: 1. Alice owns X 2. Alice hasn’t transferred X 3. The coin will be valuable for Bob Node C Node A Node B tx b tx b

28. 27 M = transfer X to Bob SignKRA [H(M)] Bob

    wants to verify: 1. Alice owns X 2. Alice hasn’t transferred X 3. The coin will be valuable for Bob Node C Node A Node B tx b tx b M = transfer X to Coleen SignKRA [H(M)] tx c

29. 28 M = transfer X to Bob SignKRA [H(M)] Bob

    wants to verify: 1. Alice owns X 2. Alice hasn’t transferred X 3. The coin will be valuable for Bob Node C Node A Node B tx b tx b M = transfer X to Coleen SignKRA [H(M)] tx c

30. 29 M = transfer X to Bob SignKRA [H(M)] Bob

    wants to verify: 1. Alice owns X 2. Alice hasn’t transferred X 3. The coin will be valuable for Bob Node C Node A Node B tx b tx b M = transfer X to Coleen SignKRA [H(M)] tx c Node E Node D

31. 30 Node A Node B Node C M = transfer

    X to Colleen EKRA [H(M)] tc tc tc tc BAD! t Transactions 1 tb (X->Bob) Transactions 1 t b (X->Bob) Transactions 1 tc (X->Cathy)

32. Scaling the Network 31 Node A Node B Node C

    t a t b t b Node D Node E Node F Node G

33. Voting on the Consensus Ledger 32

34. Inconsistent Blockchains 33 Node A Node B Node C Node

    D Node E Node F Node G How do we know which blockchain is “correct”?

35. 34 CRYPTO 1992 Cynthia Dwork (now at Harvard) Moni Naor

    (Weizmann Institute)

36. 35

37. Idea: Proof-of-Work Pricing Function: (f) - moderately easy to compute

    - cannot be amortized computing f(m1 ),…, f(ml ) costs l times as much as computing f(mi ). - easily verified: given x, y easy to check y = f(x) 36

38. Hashcash Adam Back 1997 37

39. Interactive Hashcash 38 mail sender mail recipient’s server Hello Challenge:

    r r ç random nonce Everyone agrees on one-way function f

40. Interactive Hashcash 39 mail sender mail recipient’s server Hello Challenge:

    r r ç random nonce search for x such that f(x) = r Everyone agrees on one-way function f (x, Mail)

41. Interactive Hashcash 40 mail sender mail recipient’s server Hello Challenge:

    r r ç random nonce search for x such that f(x) = r Everyone agrees on one-way function f (x, Mail) Verify f(x) = r

42. Satoshi’s Solution 41

43. Blockchain 42 B0 H(B0) Nonce Transactions H(B1) Nonce Transactions H(B2)

    Nonce Transactions Distributed ledger maintained by network of untrusted nodes Blocks added require proof-of-work Node’s agree to consensus: longest (most difficult) chain Incentives designed to encourage network nodes to: Validate and record transactions Spend effort on extending consensus chain

44. Bitcoin’s Proof-of-Work 43 B0 H(B0) Nonce Transactions H(B1) Nonce Transactions

    H(B2) Nonce Transactions Find a nonce x such that: SHA-256(SHA-256(r || x)) < T/d r = header includes H(previous block) root of Merkle tree of transactions

45. 44 Expected hashes to find block: = " # 2%&~

    2.7 # 10&& 27 sextillion 286 quintillion 58 quadrillion 498 trillion 500 billion 453 million 203 thousand 968

46. 45 Adjusted by protocol every 2016 blocks (~ 2 weeks

    at expected 10 minutes per block rate)

47. Actual Bitcoin Block 46 https://en.bitcoin.it/wiki/Protocol_documentation#Block_Headers

48. 47 Bitcoin Transaction Input 1: v1 , a1 Input 2:

    v2 , a2 … Output 1: x1 , d1 Output 2: x2 , d2 … transaction fees = sum(input values) – sum(output values) (must be non-negative for valid transaction)

49. Bitcoin Script 48 OP_DATA <public key> OP_CHECKSIG Locking Script OP_DATA

    <signature> Unlocking Script Transaction a0b6ea….. Input 1: v1 , a1 Output 1: x1 , d1 Output 2: x2 , d2 … Transaction d8730d… Locking Script Unlocking Script If Bitcoin Address were just public key Spender provides unlocking script, transaction is valid if stack ends with 1 on top

50. Bitcoin Script 49 OP_DUP OP_HASH160 OP_DATA <bitcoin address> OP_EQUALVERIFY OP_CHECKSIG

    Locking Script OP_DATA <signature> OP_DATA <public key> Unlocking Script Transaction a0b6ea….. Input 1: v1 , a1 Output 1: x1 , d1 Output 2: x2 , d2 … Transaction d8730d… Locking Script Unlocking Script Bitcoin Address = H(public key)

51. OP_RETURN (until July 2010) 50 https://github.com/bitcoin/bitcoin/blob/v0.1.5/script.cpp#L170 Universal Unlocking Script! OP_DATA

    1 OP_RETURN

52. 51 Example Transaction Fees are optional…

53. 52 Mt. Gox proof-of-assets transaction

54. 53 Exhibit B

55. 54 Bitcoin Transaction Input 1: v1 , a1 Input 2:

    v2 , a2 … Output 1: x1 , d1 Output 2: x2 , d2 … transaction fees = sum(input values) – sum(output values) (must be non-negative for valid transaction) How is new bitcoin created?

56. 55 Coinbase Transaction Output 1: x1 , d1 Output 2:

    x2 , d2 … sum(output values) ≤ sum(transaction fees) + mining reward mining reward = 50 BTC 2floor(block number / 210,000)

57. 56

58. Mining 57

59. (General-Purpose) Computers are Useless 58

60. 59 XOR two 32-bit values in CPU XOR two 32-bit

    values in ASIC 4 transistors XOR design

61. 60 https://en.bitcoin.it/wiki/Mining_hardware_comparison

62. 61

63. 62 AntMiner S9: 12 TH/s AntMiner S5+ [Oct 2015]: 7

    TH/s, 3436W

64. 63

65. 64 Fire at mining facility in Thailand, 14 Oct 2014

    Photo credit: www.thairath.co.th

66. 65

67. 66

68. 67

69. 68 Entire bitcoin network: 1/10-1/5th Lake Anna Power Station

70. 69 Blockchain Hype!

71. 70 Google Trends Renminbi Bitcoin Dec 2013

72. 71 Bitcoin “Hype” Bitcoin Market Price (US$)

73. 72 $5K today $20K in Dec 2017

74. 73 $5K today $20K in Dec 2017

75. 74 Bitcoin “Market Capitalization” = Number of Bitcoins ✕ Market

    Price = 17.66M ✕ $5387.90 ≈ $95B

76. Estimated $US Daily Transaction Value 75

77. How long does it take Apple to make $628M? 76

78. How long does it take Apple to make $628M? 77

    Apple’s 2018 revenue
    $266B
    $728M/day

79. Charge Project Presentations in One Week! 78