Slide 1

Bitcoin Demystified
November 2, 2016 (1 / 28)

Slide 2

Three Questions
• What?
• So what?
• Now what?

Slide 3

Bitcoin and Me
• Read about Bitcoin first in connection with Silk Road
• Started reading the Bitcoin SoK paper in July
• Submitted a proposal to NIRD&PR in August
• Attended Scaling Bitcoin workshop in October
• Bitcoin noob

Slide 4

Scaling Bitcoin
• Not the usual academic workshop
• Attended by engineers, professors, students, journalists, investors
• No proceedings
• Advance full registration fee of $150
• Travel subsidies of up to $1500 each awarded
• Allowed presentation of work presented elsewhere
• All presentations available on YouTube

Slide 5

What is Bitcoin?

Slide 6

What is Bitcoin?
• The world’s first decentralized digital currency
• Announced by Satoshi Nakamoto in October 2008
• Source code released in January 2009
• Computers running Bitcoin software form a peer-to-peer network
• Under active development on GitHub
• Identity of creator remains unknown today

Slide 7

Digital Currency Desiderata
• Counterfeiting resistant
• Limited in quantity
• Double spending resistant
    • Alice pays Bob n digicoins for pizza
    • Alice uses the same n digicoins to pay Carol for some beer
All three problems can be solved using a central authority like a bank
• Bank adds serial numbers to digicoins and digitally signs them
• Bank controls the rate of new digicoin creation
• If all spending is routed through the bank, double spending cannot occur
What if we don’t trust the bank? Can we implement a digital currency without using a bank?

Slide 8

Double Spending
• Valid owner of a digicoin tries to spend it in two different transactions
• Double spending is familiar to academics
    • Submitting the same paper to two different conferences is a form of double spending
    • Possible solution: Reviewers google contents of the paper to find duplicates
    • This solution fails if
        • Conferences are accepting papers at the same time
        • Proceedings of first conference have not been published yet
    • Better solution: A single public database to store all submissions to all conferences

Slide 9

The Blockchain
• The blockchain is Bitcoin’s public database or ledger for storing Bitcoin transactions
• A chain of blocks of transactions
• Each block contains 1 MB of transactions
• Every node in the Bitcoin P2P network maintains a copy
• Solves the double spending problem in a decentralized manner
• Questions
    • How is the state of the blockchain synchronized across all nodes?
    • Who is allowed to add blocks?
    • How is a transaction encoded?
    • How is the integrity of the transaction data ensured?
• To understand Bitcoin’s solution, we need
    • Cryptographic hash functions
    • Digital signatures

Slide 10

Cryptographic Hash Functions
• Accepts bit strings of any length
• Output is a bit string of fixed length
• Easy to compute
• Difficult to invert
    • Given H(x), computationally infeasible to find x
• Collision resistant
    • Computationally infeasible to find x ≠ y such that H(x) = H(y)
• Pseudorandom function
    • Output looks like a uniformly distributed random variable
    • Given $T \in \mathbb{Z} \cap [0, 2^{256} - 1]$ and distinct inputs $x_1, x_2, \ldots, x_N$,
      $$\frac{\sum_{i=1}^{N} \mathbb{I}\,[\mathrm{SHA256}(x_i) \le T]}{N} \approx \frac{T + 1}{2^{256}} \approx \frac{T}{2^{256}}.$$

Slide 11

Digital Signatures
• Implemented using public-key cryptography
• Three functions needed
    • (privKey, pubKey) = generateKeys()
    • signature = sign(privKey, message)
    • isValid = verify(pubKey, message, signature)

Slide 12

Public Keys = Identifiers
• To enable transfer of bitcoins, entities need identifiers
• Identifier assignment needs to be decentralized
• Bitcoin uses public keys from ECDSA as identifiers or addresses
• Each public key is 512 bits long
• Properties
    • Decentralized identity management
    • Anyone can create a public-private key pair
    • Collision probability is effectively zero
    • Private key recovery from public key is computationally infeasible
• Bitcoin allows the use of RIPEMD160(SHA256(pubKey)) as the address for increased security

Slide 13

Transaction Format
nVersion                                                   Transaction format version
#vin                                                       Number of inputs
vin[0]: hash, n, scriptSigLen, scriptSig, nSequence        Input 1
vin[1]: hash, n, scriptSigLen, scriptSig, nSequence        Input 2
#vout                                                      Number of outputs
vout[0]: nValue, scriptPubkeyLen, scriptPubkey             Output 1
vout[1]: nValue, scriptPubkeyLen, scriptPubkey             Output 2
nLocktime

Slide 14

Transaction Format
Some Old Transaction:
    nVersion | #vin | vin[0] (hash, n, scriptSigLen, scriptSig, nSequence) | vin[1] (hash, n, scriptSigLen, scriptSig, nSequence) | #vout | vout[0] (nValue, scriptPubkeyLen, scriptPubkey) | vout[1] (nValue, scriptPubkeyLen, scriptPubkey) | nLocktime
New Transaction:
    nVersion | #vin | vin[0] (hash, n, scriptSigLen, scriptSig, nSequence) | #vout | vout[0] (nValue, scriptPubkeyLen, scriptPubkey) | nLocktime
(diagram: the whole old transaction is hashed with SHA256² and the result fills the hash field of the new transaction’s vin[0])
• We want to move the bitcoins in the first output of some old transaction
• Construct a new transaction with
    • An input with hash equal to the SHA256² hash of the old transaction
    • Index n equal to 0, indicating the first output
    • scriptSig proving knowledge of the private key, etc.
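As an added example (not code from the slides), the layout above serialized with the Python standard library: serialize_tx lays the fields out in slide-13 order, spend_first_output builds the new transaction of slide 14 whose input names the old one by its SHA256² hash and index n = 0, and input_refs parses that reference back out. The CompactSize encoding of the count and length fields, little-endian integers and nValue in satoshis are assumptions of this example; the slides do not state them.

```python
import hashlib
import struct

def sha256d(data):
    """SHA256^2: the hash a new input uses to name the old transaction."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def compact_size(n):
    """Variable-length count for #vin, #vout, scriptSigLen, scriptPubkeyLen (assumed encoding)."""
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xffffffff:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)

def serialize_tx(version, vin, vout, locktime):
    """Fields in slide-13 order; integers little-endian, scripts length-prefixed.
    vin: list of (hash, n, scriptSig, nSequence); vout: list of (nValue, scriptPubkey)."""
    raw = struct.pack("<i", version) + compact_size(len(vin))
    for prev_hash, n, script_sig, sequence in vin:
        raw += (prev_hash + struct.pack("<I", n) + compact_size(len(script_sig))
                + script_sig + struct.pack("<I", sequence))
    raw += compact_size(len(vout))
    for value, script_pubkey in vout:  # value in satoshis (assumed unit)
        raw += struct.pack("<q", value) + compact_size(len(script_pubkey)) + script_pubkey
    return raw + struct.pack("<I", locktime)

def read_compact_size(raw, pos):
    first = raw[pos]
    if first < 0xfd:
        return first, pos + 1
    width = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(raw[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def input_refs(raw):
    """Parse a serialized transaction and return the (hash, n) pair each input spends."""
    count, pos = read_compact_size(raw, 4)  # skip nVersion
    refs = []
    for _ in range(count):
        prev_hash, n = raw[pos:pos + 32], struct.unpack("<I", raw[pos + 32:pos + 36])[0]
        script_len, pos = read_compact_size(raw, pos + 36)
        pos += script_len + 4  # skip scriptSig and nSequence
        refs.append((prev_hash, n))
    return refs

def spend_first_output(old_raw, script_sig, new_outputs):
    """Slide 14: one input pointing at (SHA256^2(old tx), n = 0), the old tx's first output."""
    return serialize_tx(1, [(sha256d(old_raw), 0, script_sig, 0xffffffff)], new_outputs, 0)
```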


Slide 18

Script
• The Bitcoin scripting language
• Forth-like stack-based language
• Each output’s scriptPubKey contains a challenge script
• Each input’s scriptSig contains a response script
• The set of acceptable script templates is limited
• Example: Pay-to-PubkeyHash (P2PKH)
    • scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
    • scriptSig: <sig> <pubKey>

Slide 19

Pay-to-PubkeyHash Execution
scriptSig is executed first

Stack                                           Remaining Script
Empty                                           <sig> <pubKey>
<sig>                                           <pubKey>
<sig> <pubKey>                                  Empty

scriptPubKey is executed using the final scriptSig stack state

Stack                                           Remaining Script
<sig> <pubKey>                                  OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
<sig> <pubKey> <pubKey>                         OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
<sig> <pubKey> <HASH160(pubKey)>                <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
<sig> <pubKey> <HASH160(pubKey)> <pubKeyHash>   OP_EQUALVERIFY OP_CHECKSIG
<sig> <pubKey>                                  OP_CHECKSIG
True                                            Empty

Transaction is valid if the final top stack element is True
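An added example, not the slides’ own code, that runs the execution trace above: a small stack interpreter for the four opcodes plus data pushes, with scriptSig run first and scriptPubKey run on the resulting stack. Because ECDSA is not in the Python standard library, slide 11’s generateKeys/sign/verify are stood in by a hash-based Lamport one-time signature, and HASH160 falls back to truncated SHA256 where the OpenSSL build lacks RIPEMD160; both are assumptions of this example, not properties of Bitcoin.

```python
import hashlib
import os
def hash160(data):
    # RIPEMD160(SHA256(x)) as on slide 12; OpenSSL builds without RIPEMD160 get a labelled stand-in.
    inner = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", inner).digest()
    except ValueError:
        return hashlib.sha256(inner).digest()[:20]  # stand-in, not RIPEMD160

# Slide 11's three functions as a hash-based Lamport one-time signature: a stand-in for
# Bitcoin's ECDSA so the example runs on the standard library alone.
def generate_keys():
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pub = b"".join(hashlib.sha256(a).digest() + hashlib.sha256(b).digest() for a, b in priv)
    return priv, pub
def sign(priv, message):
    d = hashlib.sha256(message).digest()  # reveal one preimage per bit of the message hash
    return b"".join(priv[i][d[i // 8] >> i % 8 & 1] for i in range(256))
def verify(pub, message, signature):
    d = hashlib.sha256(message).digest()
    for i in range(256):
        off = 64 * i + 32 * (d[i // 8] >> i % 8 & 1)
        if hashlib.sha256(signature[32 * i:32 * i + 32]).digest() != pub[off:off + 32]:
            return False
    return True
def run_script(tokens, stack, message):
    """Execute one script over `stack`: bytes are data pushes, strings are opcodes."""
    for tok in tokens:
        if isinstance(tok, bytes):
            stack.append(tok)
        elif tok == "OP_DUP":
            stack.append(stack[-1])
        elif tok == "OP_HASH160":
            stack.append(hash160(stack.pop()))
        elif tok == "OP_EQUALVERIFY":
            if stack.pop() != stack.pop():
                return False  # hash mismatch: the script fails at once
        elif tok == "OP_CHECKSIG":
            pub, sig = stack.pop(), stack.pop()
            stack.append(b"\x01" if verify(pub, message, sig) else b"")
        else:
            raise ValueError("opcode not modelled here: " + tok)
    return True

def p2pkh_valid(script_sig, script_pubkey, message):
    """Slide 19: scriptSig first, then scriptPubKey on that stack; valid iff top element is True."""
    stack = []
    return (run_script(script_sig, stack, message)
            and run_script(script_pubkey, stack, message) and bool(stack) and stack[-1] != b"")
```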

Slide 20

Block Format
Previous Block: nVersion | HashPrevBlock | HashMerkleRoot | nTime | nBits | nNonce | #vtx | vtx[]
New Block:      nVersion | HashPrevBlock | HashMerkleRoot | nTime | nBits | nNonce | #vtx | vtx[]
(diagram: the SHA256² of the previous block’s header is written into HashPrevBlock of the new block)
• Each block consists of a header followed by an array of transactions
• SHA256² hash of the previous block header is stored in HashPrevBlock
• nBits and nNonce specify the rules of new block addition (more on that later)
• HashMerkleRoot stores the root hash of the Merkle tree of transactions

Slide 21

Merkle Tree
$$h = H(h_0 \,\|\, h_1), \qquad h_0 = H(h_{00} \,\|\, h_{01}), \qquad h_1 = H(h_{10} \,\|\, h_{10}),$$
$$h_{00} = H(t_0), \qquad h_{01} = H(t_1), \qquad h_{10} = H(t_2)$$
(three transactions $t_0, t_1, t_2$; with an odd number of nodes at a level, the last hash $h_{10}$ is paired with itself)
• Root hash is a function of all the transactions
• Even a single bit change in a transaction will change the root hash
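The tree above computed in Python, as an added example rather than the slides’ code: merkle_root pairs the last hash with itself on odd levels exactly as the slide shows for h1, flip_bit demonstrates the second bullet, and merkle_path/verify_path go one step beyond the slide by re-deriving the root from a single transaction plus its sibling hashes. H is assumed to be Bitcoin’s SHA256²; the transactions are constructed byte strings.

```python
import hashlib

# H is the slides' hash function; Bitcoin's SHA256^2 is assumed here.
def H(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def _pad(level):
    # An odd node count pairs the last hash with itself, as slide 21 shows for h1 = H(h10 || h10).
    return level + [level[-1]] if len(level) % 2 == 1 else level

def _next_level(level):
    level = _pad(level)
    return [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(txs):
    """Root hash over the serialized transactions t0, t1, ... of a block."""
    if not txs:
        raise ValueError("a block always carries at least the coinbase transaction")
    level = [H(t) for t in txs]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def merkle_path(txs, index):
    """Sibling hashes from leaf `index` up to the root: enough to re-derive the root
    without the other transactions (goes beyond the slide, which only shows the tree)."""
    level, path = [H(t) for t in txs], []
    while len(level) > 1:
        level = _pad(level)
        path.append(level[index ^ 1])
        level, index = _next_level(level), index // 2
    return path

def verify_path(tx, index, path, root):
    """Recompute the root from one transaction and its path; the index bit says left or right."""
    h = H(tx)
    for sibling in path:
        h = H(sibling + h) if index & 1 else H(h + sibling)
        index //= 2
    return h == root

def flip_bit(data, bit):
    """Flip one bit of a transaction to show the root changes (slide 21's second bullet)."""
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)
```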

Slide 22

Who is allowed to add a new block?
Block header: nVersion | HashPrevBlock | HashMerkleRoot | nTime | nBits | nNonce | #vtx | vtx[]
• Any node which can solve a hard computational puzzle
• nBits encodes a 256-bit target value T, say
  $$T = \mathtt{0x}\,\underbrace{0 \cdots 0}_{16\ \text{hex digits}}\,\underbrace{F \cdots F}_{48\ \text{hex digits}}$$
• A node which can find nNonce such that
  $$\mathrm{SHA256}\big(\mathrm{SHA256}(\mathrm{nVersion} \,\|\, \mathrm{HashPrevBlock} \,\|\, \mathrm{HashMerkleRoot} \,\|\, \mathrm{nTime} \,\|\, \mathrm{nBits} \,\|\, \mathrm{nNonce})\big) \le T$$
  can add a new block
• Since $\Pr[H \le T] \approx \dfrac{T}{2^{256}}$, the average number of trials is $\dfrac{2^{256}}{T}$

Slide 23

Why should anyone solve this hard puzzle?
• Successful solver gets rewarded in bitcoins
• Puzzle solving is called mining and nodes are called miners
• Every block contains a coinbase transaction which creates 12.5 bitcoins (≈ $9000 as of this morning)
• During new block construction, a miner inserts his public key as destination of coinbase bitcoins
• Every miner is competing to solve their puzzle
• Miners also collect the transaction fees in the block
    • If the input amount of a transaction exceeds the output, then the difference goes to the miner as fees
• Successful miners are said to have demonstrated proof of work

Slide 24

Block Creation Workflow
• Nodes which want to perform transactions broadcast them
• Miners collect all broadcasted transactions and reject invalid ones
• Miners select the most recent block on the longest path in the blockchain and insert its hash in the new block header
• Miners compete to solve the puzzle and broadcast successful solutions on the network
• On hearing a successful solution, other miners abandon the current puzzle and start work on a new puzzle

Slide 25

What if two miners solve the puzzle at the same time?
Genesis Block → Block 1 → ··· → Block N → Solution from miner 1
                                         → Solution from miner 2
After further blocks: Genesis Block → Block 1 → ··· → Block N → Block N + 1 → Block N + 2, while the competing solution for block N + 1 is left behind as an orphan block
• Both miners will broadcast their solution on the network
• Nodes will accept the first solution they hear
• Nodes will reject the second solution which builds off the same parent block
• If nodes see a longer chain than the one they are working on, they switch to it
• Eventually the network will converge and achieve consensus
• This solves the double spending problem


Slide 27

How often are new blocks created?
• Once every 10 minutes
Block header: nVersion | HashPrevBlock | HashMerkleRoot | nTime | nBits | nNonce | #vtx | vtx[]
• Every 2016 blocks, the target T is recalculated
• Let $t_{\mathrm{sum}}$ be the time taken to mine the last 2016 blocks
  $$T_{\mathrm{new}} = \frac{t_{\mathrm{sum}}}{14 \times 24 \times 60 \times 60} \times T$$

Slide 28

Bitcoin Supply is Limited
• The coinbase reward was initially 50 BTC per block
• It halves every 210,000 blocks ≈ 4 years
• Reward became 25 BTC in 11/2012 and 12.5 BTC in 07/2016
• The total number of possible bitcoins is 21 million
• The last bitcoin will be mined in 2140

Slide 29

Bitcoin Summary
• Open source software
• Peer-to-peer network
• Decentralized identity management
• Built-in incentive to achieve consensus
• Counterfeiting resistant by design
• Limited supply to prevent inflation
• Double spending resistant

Slide 30

So What?
• 1 BTC = $727 today. Market cap ≈ $11.6 billion
• Bitcoin is a robust PoC of the blockchain
• Blockchain in WEF top 10 emerging technologies of 2016
• As of Q1 of 2016, VC funding in Bitcoin and blockchain exceeds $1.1 billion
• MIT has Digital Currency Initiative at MIT Media Lab
• Stanford and Princeton offer MOOCs on Bitcoin and blockchain
• Hillary Clinton pledged support for “public service blockchain applications”
• Lots of other cryptocurrencies launched (Ethereum, Zcash)
• Smart contracts now possible with minimal trust requirements

Slide 31

Now What?
• Acquiring bitcoins
    • Mining (not profitable anymore on PC)
    • Local meetup
    • Bitcoin exchange
    • Do some work in exchange for bitcoins
• Investment Risks
    • Loss of private key via memory loss, computer crash, hacking
    • Bitcoin exchanges get hacked
• Learning more
    • Books
        • Princeton book http://bitcoinbook.cs.princeton.edu/
        • Digital Gold by Nathaniel Popper
    • Papers
        • SoK Paper http://randomwalker.info/
        • CABRA https://github.com/cdecker/btcresearch
        • Bitcoin Developer Reference https://github.com/minium/Bitcoin-Spec
    • Sites
        • Bitcoin Wiki https://en.bitcoin.it/
        • Bitcoin.org https://bitcoin.org/

Slide 32

Thanks for your attention