Class 27: Cryptocurrency

David Evans
April 23, 2019

https://uvammm.github.io/class27

Markets, Mechanisms, and Machines
University of Virginia
cs4501/econ4559 Spring 2019
David Evans and Denis Nekipelov
https://uvammm.github.io/

Transcript

  1. MARKETS, MECHANISMS, MACHINES

    University of Virginia, Spring 2019
    Class 27: Cryptocurrency
    22 April 2019
    cs4501/econ4559 Spring 2019
    David Evans and Denis Nekipelov
    https://uvammm.github.io
  2. Final Project Presentations

    Next Tuesday (April 30), in class
    up to min(5, ' + 3) minutes to present your project
    tell a story, don’t read a list
    motivate your project: why should we care?
    explain what you did: overview, and something interesting
    results: focus on getting most interesting result across
    demos are better than slides
    pictures are better than text
    (almost) anything is better than a bullet list
  3. Final Project Presentations

    Next Tuesday (April 30), in class
    up to min(5, ' + 3) minutes to present your project
    tell a story, don’t read a list
    motivate your project: why should we care?
    explain what you did: overview, and something interesting
    results: focus on getting most interesting result across
    demos are better than slides
    pictures are better than text
    (almost) anything is better than a bullet list
    Try not to have any slides as boring, text-heavy, and bullet-listy as this one was!
  4. Final Project Reports

    Monday, 6 May (4:59pm): this is a strict deadline, unless you pre-arrange an extension
    Default: web site that describes your project
    - permanently hosted (e.g., github pages)
    - text/image description of your project
    - code and data
    Alternatives: video, academic-style paper, song, etc.
    - if you are doing something unconventional, ask for advice first
  5. For thousands of years, philosophers, thinkers and prophets have besmirched money and called it the root of all evil. Be that as it may, money is also the apogee of human tolerance. Money is more open-minded than language, state laws, cultural codes, religious beliefs and social habits. Money is the only trust system created by humans that can bridge almost any cultural gap, and that does not discriminate on the basis of religion, gender, race, age or sexual orientation. Thanks to money, even people who don’t know each other and don’t trust each other can nevertheless cooperate effectively.
  6. Paradox of Money

    Money works because people trust it.
    People trust money because it works.
    Need a starting point: where does that trust begin?
  7. Owning and Transferring a Coin

    Alice: “I, Alice, give coin x to Bob.”
    Only Alice should be able to say this (if she owns coin x).
    Everyone should be able to trust it is valid.
    Bob should now own coin x.
  8. Asymmetry Required

    Need a function f that is:
    - Easy to compute: given x, easy to compute f(x)
    - Hard to invert: given f(x), hard to compute x
    - Has a trap-door: given f(x) and t, easy to compute x
  9. Using Asymmetric Crypto: Signatures

    [Diagram: Message, E, Signed Message, Insecure Channel, D, Verified Message; keys KU_B and KR_B]
    Bob: Generates key pair: KU_B, KR_B. Publishes KU_B.
    Anyone: Get KU_B from trusted provider.
  10. Transferring a Coin

    Alice signs m_1 = “I, Alice (KU_A), give coin x, t to Bob (KU_B).” with her private signing key, KR_A.
    How does Bob transfer x to Colleen (KU_C)?
  11. Transferring a Coin

    Bob signs m_2 = “I give coin x, given to me by m_1 to Colleen (KU_C).” with KR_B.
    Alice signs m_1 = “I, Alice (KU_A), give coin x to Bob (KU_B).” with her private signing key, KR_A.
  12. Transferring a Coin

    Bob signs m_2 = “I give coin x, given to me by m_1 to Colleen (KU_C).” with KR_B.
    Alice signs m_1 = “I, Alice (KU_A), give coin x to Bob (KU_B).” with her private signing key, KR_A.
    Colleen signs m_3 = “I give coin x, given to me by m_2 to Dave (KU_D).” with KR_C.
    This does not solve:
    - how to create x
    - how to prevent double spending
    - ...
  13. Centralized Digital Currency

    Trusted Bank

    Account No.   Owner’s Identity   Value
    3022493       Alice              2033.23
    3022494       Bob                8733.03
    3022495       Colleen            24331.77
    3022496       Dave               0.01
    3022497       Denis              5823392.23
  14. Double Spending Challenge

    M = transfer X to Bob
    Sign_KRA[H(M)]
    Bob wants to verify:
    1. Alice owns X
    2. Alice hasn’t transferred X
    3. The coin will be valuable for Bob
  15. Double Spending Challenge

    M = transfer X to Bob
    Sign_KRA[H(M)]
    Bob wants to verify:
    1. Alice owns X
    2. Alice hasn’t transferred X
    3. The coin will be valuable for Bob
    [Diagram: Node A, Node B, Node C; transaction labels tb, tb]
  16. Double Spending Challenge (continued)

    M = transfer X to Bob
    Sign_KRA[H(M)]
    Bob wants to verify:
    1. Alice owns X
    2. Alice hasn’t transferred X
    3. The coin will be valuable for Bob
    M = transfer X to Colleen
    Sign_KRA[H(M)]
    [Diagram: Node A, Node B, Node C; transaction labels tb, tb, tc]
  18. Double Spending Challenge (continued)

    M = transfer X to Bob
    Sign_KRA[H(M)]
    Bob wants to verify:
    1. Alice owns X
    2. Alice hasn’t transferred X
    3. The coin will be valuable for Bob
    M = transfer X to Colleen
    Sign_KRA[H(M)]
    [Diagram: Node A, Node B, Node C, Node D, Node E; transaction labels tb, tb, tc]
  19. [Diagram: Node A, Node B, Node C; labels: tc (four times), BAD!]

    M = transfer X to Colleen
    E_KRA[H(M)]
    Ledgers shown at the nodes:
    - Transactions: 1. tb (X->Bob)
    - Transactions: 1. tb (X->Bob)
    - Transactions: 1. tc (X->Cathy)
  20. Scaling the Network

    [Diagram: Node A, Node B, Node C, Node D, Node E, Node F, Node G; transaction labels ta, tb, tb]
  21. Inconsistent Blockchains

    [Diagram: Node A, Node B, Node C, Node D, Node E, Node F, Node G]
    How do we know which blockchain is “correct”?
  23. Idea: Proof-of-Work

    Pricing Function (f):
    - moderately easy to compute
    - cannot be amortized: computing f(m_1), …, f(m_l) costs l times as much as computing f(m_i)
    - easily verified: given x, y easy to check y = f(x)
  24. Interactive Hashcash

    Everyone agrees on one-way function f
    mail sender -> mail recipient’s server: Hello
    mail recipient’s server: r ← random nonce
    mail recipient’s server -> mail sender: Challenge: r
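  25. Interactive Hashcash

    Everyone agrees on one-way function f
    mail sender -> mail recipient’s server: Hello
    mail recipient’s server: r ← random nonce
    mail recipient’s server -> mail sender: Challenge: r
    mail sender: search for x such that f(x) = r
    mail sender -> mail recipient’s server: (x, Mail)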
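  26. Interactive Hashcash

    Everyone agrees on one-way function f
    mail sender -> mail recipient’s server: Hello
    mail recipient’s server: r ← random nonce
    mail recipient’s server -> mail sender: Challenge: r
    mail sender: search for x such that f(x) = r
    mail sender -> mail recipient’s server: (x, Mail)
    mail recipient’s server: Verify f(x) = r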
  27. Blockchain

    [Diagram: B0 | H(B0), Nonce, Transactions | H(B1), Nonce, Transactions | H(B2), Nonce, Transactions]
    Distributed ledger maintained by network of untrusted nodes
    Blocks added require proof-of-work
    Nodes agree to consensus: longest (most difficult) chain
    Incentives designed to encourage network nodes to:
    - Validate and record transactions
    - Spend effort on extending consensus chain
  28. Bitcoin’s Proof-of-Work

    [Diagram: B0 | H(B0), Nonce, Transactions | H(B1), Nonce, Transactions | H(B2), Nonce, Transactions]
    Find a nonce x such that: SHA-256(SHA-256(r || x)) < T/d
    r = header, includes:
    - H(previous block)
    - root of Merkle tree of transactions
  29. Expected hashes to find block:

    = d × 2^32 ≈ 2.7 × 10^22
    27 sextillion 286 quintillion 58 quadrillion 498 trillion 500 billion 453 million 203 thousand 968
  30. Adjusted by protocol every 2016 blocks (~2 weeks at expected 10 minutes per block rate)
  31. Bitcoin Transaction

    Input 1: v1, a1
    Input 2: v2, a2
    …
    Output 1: x1, d1
    Output 2: x2, d2
    …
    transaction fees = sum(input values) - sum(output values)
    (must be non-negative for valid transaction)
  32. Bitcoin Script

    If Bitcoin Address were just public key:
    Locking Script: OP_DATA <public key> OP_CHECKSIG
    Unlocking Script: OP_DATA <signature>
    [Diagram: Transaction a0b6ea….. (Input 1: v1, a1; Output 1: x1, d1; Output 2: x2, d2; …); Transaction d8730d…; labels: Locking Script, Unlocking Script]
    Spender provides unlocking script, transaction is valid if stack ends with 1 on top
  33. Bitcoin Script

    Bitcoin Address = H(public key)
    Locking Script: OP_DUP OP_HASH160 OP_DATA <bitcoin address> OP_EQUALVERIFY OP_CHECKSIG
    Unlocking Script: OP_DATA <signature> OP_DATA <public key>
    [Diagram: Transaction a0b6ea….. (Input 1: v1, a1; Output 1: x1, d1; Output 2: x2, d2; …); Transaction d8730d…; labels: Locking Script, Unlocking Script]
  34. Bitcoin Transaction

    Input 1: v1, a1
    Input 2: v2, a2
    …
    Output 1: x1, d1
    Output 2: x2, d2
    …
    transaction fees = sum(input values) - sum(output values)
    (must be non-negative for valid transaction)
    How is new bitcoin created?
  35. Coinbase Transaction

    Output 1: x1, d1
    Output 2: x2, d2
    …
    sum(output values) ≤ sum(transaction fees) + mining reward
    mining reward = 50 BTC / 2^floor(block number / 210,000)
  37. [Figures]

    XOR two 32-bit values in CPU
    XOR two 32-bit values in ASIC
    4 transistors XOR design
  40. Fire at mining facility in Thailand, 14 Oct 2014

    Photo credit: www.thairath.co.th
  44. How long does it take Apple to make $628M?

    Apple’s 2018 revenue $266B ≈ $728M/day
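
The block layout and proof-of-work condition from slides 27 and 28, as an added example that is not part of the original deck: it mines a two-block chain, verifies it, and shows that rewriting an earlier block breaks every later link. Assumptions: T is the full 256-bit hash range (so a block takes about d hashes), a flat hash stands in for the Merkle root, the nonce is 8 bytes, and the dict layout and function names are hypothetical.

```python
import hashlib

T = 1 << 256  # assumption: largest target is the whole hash range, so mining takes ~d hashes

def dsha256(data):
    """SHA-256(SHA-256(data)) as an integer, for comparison against the target."""
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")

def header(prev_hash, txs):
    """r: H(previous block) plus a digest of the transactions.
    Simplification: a flat hash stands in for the Merkle root."""
    tx_digest = hashlib.sha256("\n".join(txs).encode()).digest()
    return prev_hash.to_bytes(32, "big") + tx_digest

def block_hash(block):
    r = header(block["prev"], block["txs"])
    return dsha256(r + block["nonce"].to_bytes(8, "big"))

def mine(prev_hash, txs, d):
    """Search for a nonce x with SHA-256(SHA-256(r || x)) < T/d."""
    block = {"prev": prev_hash, "txs": list(txs), "nonce": 0}
    while block_hash(block) >= T // d:
        block["nonce"] += 1
    return block

def build_chain(tx_batches, d):
    chain, prev = [], 0  # the first block (B0) has no predecessor: prev = 0
    for txs in tx_batches:
        chain.append(mine(prev, txs, d))
        prev = block_hash(chain[-1])
    return chain

def verify_chain(chain, d):
    """Cheap check: one double hash per block, versus ~d hashes to mine it."""
    prev = 0
    for block in chain:
        if block["prev"] != prev or block_hash(block) >= T // d:
            return False
        prev = block_hash(block)
    return True

if __name__ == "__main__":
    chain = build_chain([["X->Bob"], ["Bob->Colleen"]], d=4096)
    print("valid:", verify_chain(chain, 4096))
    chain[0]["txs"] = ["X->Colleen"]  # rewrite history in B0
    print("valid after tampering:", verify_chain(chain, 4096))
```

Changing a transaction in B0 changes H(B0), so the next block no longer points at it; a node that wants the altered history accepted has to redo the proof-of-work for that block and every block after it.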
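
The value rules from slides 31, 34 and 35 combined into one block-level check, as an added example that is not part of the original deck: every transaction must have a non-negative fee, and the coinbase transaction may create at most fees plus the mining reward. Assumptions: values are integer satoshis (100,000,000 per BTC), and the transaction layout and function names are hypothetical.

```python
COIN = 100_000_000          # satoshis per BTC; integers avoid float rounding
HALVING_INTERVAL = 210_000  # blocks, from the slide

def mining_reward(block_number):
    """50 BTC / 2^floor(block number / 210,000), in satoshis."""
    halvings = block_number // HALVING_INTERVAL
    return (50 * COIN) >> halvings if halvings < 64 else 0

def fee(tx):
    """transaction fees = sum(input values) - sum(output values)."""
    return sum(tx["inputs"]) - sum(tx["outputs"])

def validate_block(block_number, coinbase_outputs, txs):
    """Return (ok, reason) for the value rules only; signatures and
    double-spend checks are out of scope here."""
    total_fees = 0
    for i, tx in enumerate(txs):
        f = fee(tx)
        if f < 0:
            return False, f"tx {i} spends more than its inputs"
        total_fees += f
    limit = total_fees + mining_reward(block_number)
    if sum(coinbase_outputs) > limit:
        return False, "coinbase creates more than fees + mining reward"
    return True, "ok"

if __name__ == "__main__":
    txs = [{"inputs": [5_000], "outputs": [4_000]}]  # constructed sample: fee = 1,000
    honest = [mining_reward(572_000) + 1_000]
    greedy = [mining_reward(572_000) + 1_001]
    print(validate_block(572_000, honest, txs))
    print(validate_block(572_000, greedy, txs))
```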