
Bitcoin

sarva
November 02, 2016

Transcript

  1. Bitcoin Demystified
    November 2, 2016
    1 / 28

  2. Three Questions
    • What?
    • So what?
    • Now what?
    2 / 28

  3. Bitcoin and Me
    • Read about Bitcoin first in connection with Silk Road
    • Started reading the Bitcoin SoK paper in July
    • Submitted a proposal to NIRD&PR in August
    • Attended Scaling Bitcoin workshop in October
    • Bitcoin noob
    3 / 28

  4. Scaling Bitcoin
    • Not the usual academic workshop
    • Attended by engineers, professors, students, journalists,
    investors
    • No proceedings
    • Advance full registration fee of $150
    • Travel subsidies of up to $1500 each were awarded
    • Allowed presentation of work presented elsewhere
    • All presentations available on YouTube
    4 / 28

  5. What is Bitcoin?

  6. What is Bitcoin?
    • The world’s first decentralized digital currency
    • Announced by Satoshi Nakamoto in October 2008
    • Source code released in January 2009
    • Computers running Bitcoin software form a peer to peer network
    • Under active development on GitHub
    • Identity of creator remains unknown today
    6 / 28

  7. Digital Currency Desiderata
    • Counterfeiting resistant
    • Limited in quantity
    • Double spending resistant
    • Alice pays Bob n digicoins for pizza
    • Alice uses the same n digicoins to pay Carol for some beer
    All three problems can be solved using a central authority like a bank
    • Bank adds serial numbers to digicoins and digitally signs them
    • Bank controls the rate of new digicoin creation
    • If all spending is routed through the bank, double spending
    cannot occur
    What if we don’t trust the bank?
    Can we implement a digital currency without using a bank?
    7 / 28

  8. Double Spending
    • Valid owner of a digicoin tries to spend it in two different
    transactions
    • Double spending is familiar to academics
    • Submitting the same paper to two different conferences is a form
    of double spending
    • Possible solution: Reviewers google contents of the paper to
    find duplicates
    • This solution fails if
    • Conferences are accepting papers at the same time
    • Proceedings of first conference have not been published yet
    • Better solution: A single public database to store all
    submissions to all conferences
    8 / 28

  9. The Blockchain
    • The blockchain is Bitcoin’s public database or ledger for storing
    Bitcoin transactions
    • A chain of blocks of transactions
    • Each block contains 1 MB of transactions
    • Every node in the Bitcoin P2P network maintains a copy
    • Solves the double spending problem in a decentralized manner
    • Questions
    • How is the state of the blockchain synchronized across all nodes?
    • Who is allowed to add blocks?
    • How is a transaction encoded?
    • How is the integrity of the transaction data ensured?
    • To understand Bitcoin’s solution, we need
    • Cryptographic hash functions
    • Digital signatures
    9 / 28

  10. Cryptographic Hash Functions
    • Accepts bit strings of any length
    • Output is a bit string of fixed length
    • Easy to compute
    • Difficult to invert
    • Given H(x), computationally infeasible to find x
    • Collision resistant
    • Computationally infeasible to find x ≠ y such that H(x) = H(y)
    • Pseudorandom function
    • Output looks like a uniformly distributed random variable
    • Given $T \in \mathbb{Z} \cap [0, 2^{256} - 1]$ and distinct inputs $x_1, x_2, \ldots, x_N$,
      $\frac{1}{N} \sum_{i=1}^{N} \mathbb{I}[\mathrm{SHA256}(x_i) \le T] \approx \frac{T + 1}{2^{256}} \approx \frac{T}{2^{256}}$.
    10 / 28

  11. Digital Signatures
    • Implemented using public-key cryptography
    • Three functions needed
    • (privKey, pubKey) = generateKeys()
    • signature = sign(privKey, message)
    • isValid = verify(pubKey, message, signature)
    11 / 28

  12. Public Keys = Identifiers
    • To enable transfer of bitcoins, entities need identifiers
    • Identifier assignment needs to be decentralized
    • Bitcoin uses public keys from ECDSA as identifiers or addresses
    • Each public key is 512 bits long
    • Properties
    • Decentralized identity management
    • Anyone can create a public-private key pair
    • Collision probability is effectively zero
    • Private key recovery from public key is computationally infeasible
    • Bitcoin allows the use of RIPEMD160(SHA256(pubKey)) as the
    address for increased security
    12 / 28

  13. Transaction Format
    nVersion              Transaction format version
    #vin                  Number of inputs
    vin[0]                Input 1
      hash
      n
      scriptSigLen
      scriptSig
      nSequence
    vin[1]                Input 2
      hash
      n
      scriptSigLen
      scriptSig
      nSequence
    #vout                 Number of outputs
    vout[0]               Output 1
      nValue
      scriptPubkeyLen
      scriptPubkey
    vout[1]               Output 2
      nValue
      scriptPubkeyLen
      scriptPubkey
    nLocktime
    13 / 28

  16. Transaction Format
    Some Old Transaction
    nVersion
    #vin
    vin[0]: hash, n, scriptSigLen, scriptSig, nSequence
    vin[1]: hash, n, scriptSigLen, scriptSig, nSequence
    #vout
    vout[0]: nValue, scriptPubkeyLen, scriptPubkey
    vout[1]: nValue, scriptPubkeyLen, scriptPubkey
    nLocktime
    New Transaction
    nVersion
    #vin
    vin[0]: hash, n, scriptSigLen, scriptSig, nSequence   ← hash = SHA256² of the old transaction, n = 0
    #vout
    vout[0]: nValue, scriptPubkeyLen, scriptPubkey
    nLocktime
    • We want to move the bitcoins in the first output of some old transaction
    • Construct a new transaction with
    • An input with hash equal to the SHA256² (double SHA256) hash of the old transaction
    • Index n equal to 0, indicating the first output
    • scriptSig proving knowledge of the private key, etc.
    14 / 28

  18. Script
    • The Bitcoin scripting language
    • Forth-like stack-based language
    • Each output’s scriptPubKey contains a challenge script
    • Each input’s scriptSig contains a response script
    • Acceptable script templates are limited
    • Example: Pay-to-PubkeyHash (P2PKH)
    • scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
    • scriptSig: <sig> <pubKey>
    15 / 28

  19. Pay-to-PubkeyHash Execution
    scriptSig is executed first (stack top is the rightmost element)
    Stack                                          | Remaining Script
    Empty                                          | <sig> <pubKey>
    <sig>                                          | <pubKey>
    <sig> <pubKey>                                 | Empty
    scriptPubKey is executed using final scriptSig stack state
    Stack                                          | Remaining Script
    <sig> <pubKey>                                 | OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
    <sig> <pubKey> <pubKey>                        | OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
    <sig> <pubKey> HASH160(<pubKey>)               | <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
    <sig> <pubKey> HASH160(<pubKey>) <pubKeyHash>  | OP_EQUALVERIFY OP_CHECKSIG
    <sig> <pubKey>                                 | OP_CHECKSIG
    True                                           | Empty
    Transaction is valid if final top stack element is True
    16 / 28

  20. Block Format
    Previous Block: nVersion, HashPrevBlock, HashMerkleRoot, nTime, nBits, nNonce, #vtx, vtx[]
    New Block:      nVersion, HashPrevBlock, HashMerkleRoot, nTime, nBits, nNonce, #vtx, vtx[]
    SHA256²(previous block header) → HashPrevBlock of the new block
    • Each block consists of a header followed by an array of transactions
    • SHA256² (double SHA256) hash of the previous block header is stored in HashPrevBlock
    • nBits and nNonce specify the rules of new block addition (more on that later)
    • HashMerkleRoot stores the root hash of the Merkle tree of transactions
    17 / 28

  21. Merkle Tree
    h = H(h0 ∥ h1)
      h0 = H(h00 ∥ h01)
        h00 = H(t0)
        h01 = H(t1)
      h1 = H(h10 ∥ h10)
        h10 = H(t2)
        h10 (the same hash again: with an odd number of nodes, the last one is paired with itself)
    • Root hash is a function of all the transactions
    • Even a single bit change in a transaction will change root hash
    18 / 28
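The tree on this slide, computed in Python as an added example (not code from the deck). It uses Bitcoin's H = SHA256² and the odd-level rule the slide shows (h1 = H(h10 ∥ h10)); the three "transactions" are constructed byte strings standing in for serialized transactions.

```python
import hashlib


def dsha256(data: bytes) -> bytes:
    """Bitcoin's H: SHA256 applied twice (SHA256^2 on the slides)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def txid(tx: bytes) -> bytes:
    """Leaf hash of a serialized transaction: h_i = H(t_i)."""
    return dsha256(tx)


def merkle_root(leaves: list) -> bytes:
    """Fold leaf hashes pairwise up to the root. An odd node at any level is
    paired with itself, which is why the slide has h1 = H(h10 || h10)."""
    if not leaves:
        raise ValueError("a block always has at least the coinbase transaction")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])          # duplicate the last hash on odd levels
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


# Constructed stand-ins for three serialized transactions (not real Bitcoin data).
T0, T1, T2 = b"tx0:alice->bob:5", b"tx1:bob->carol:2", b"tx2:coinbase:12.5"


def slide_root() -> bytes:
    """The slide's tree written out by hand, for comparison with merkle_root()."""
    h00, h01, h10 = txid(T0), txid(T1), txid(T2)
    h0 = dsha256(h00 + h01)
    h1 = dsha256(h10 + h10)                  # odd leaf count: h10 paired with itself
    return dsha256(h0 + h1)


def root_after_bit_flip(tx_index: int, bit: int) -> bytes:
    """Root of the same three transactions with one bit of transaction tx_index flipped."""
    txs = [bytearray(T0), bytearray(T1), bytearray(T2)]
    txs[tx_index][bit // 8] ^= 1 << (bit % 8)
    return merkle_root([txid(bytes(t)) for t in txs])
```

Comparing `slide_root()` with `root_after_bit_flip(2, 0)` shows the second bullet: a single flipped bit in t2 yields an unrelated root.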

  22. Who is allowed to add a new block?
    Block header: nVersion, HashPrevBlock, HashMerkleRoot, nTime, nBits, nNonce, followed by #vtx, vtx[]
    • Any node which can solve a hard computational puzzle
    • nBits encodes a 256-bit target value T, say
      $T = \mathtt{0x}\,\underbrace{00 \cdots 00}_{16\ \text{times}}\,\underbrace{FF \cdots FF}_{48\ \text{times}}$
    • A node which can find nNonce such that
      $\mathrm{SHA256}(\mathrm{SHA256}(\mathrm{nVersion} \,\|\, \mathrm{HashPrevBlock} \,\|\, \mathrm{HashMerkleRoot} \,\|\, \mathrm{nTime} \,\|\, \mathrm{nBits} \,\|\, \mathrm{nNonce})) \le T$
      can add a new block
    • Since $\Pr[H \le T] \approx \frac{T}{2^{256}}$, the average number of trials is $\frac{2^{256}}{T}$
    19 / 28

  23. Why should anyone solve this hard puzzle?
    • Successful solver gets rewarded in bitcoins
    • Puzzle solving is called mining and nodes are called miners
    • Every block contains a coinbase transaction which creates 12.5
    bitcoins (≈ $9000 as of this morning)
    • During new block construction, a miner inserts his public key as
    destination of coinbase bitcoins
    • Every miner is competing to solve their puzzle
    • Miners also collect the transaction fees in the block
    • If the input amount of a transaction exceeds the output, then the
    difference goes to the miner as fees
    • Successful miners are said to have demonstrated proof of work
    20 / 28

  24. Block Creation Workflow
    • Nodes which want to perform transactions broadcast them
    • Miners collect all broadcasted transactions and reject invalid
    ones
    • Miners select most recent block on the longest path in the
    blockchain and insert its hash in new block header
    • Miners compete to solve the puzzle and broadcast successful
    solutions on the network
    • On hearing a successful solution, other miners abandon current
    puzzle and start work on new puzzle
    21 / 28

  26. What if two miners solve the puzzle at the same time?
    Genesis Block → Block 1 → · · · → Block N → Block N + 1 → Block N + 2
                                              └→ Orphan block (solution from the other miner)
    • Both miners will broadcast their solution on the network
    • Nodes will accept the first solution they hear
    • Nodes will reject the second solution, which builds off the same parent block
    • If nodes see a longer chain than the one they are working on, they switch to it
    • Eventually the network will converge and achieve consensus
    • This solves the double spending problem
    22 / 28

  27. How often are new blocks created?
    • Once every 10 minutes
    Block header: nVersion, HashPrevBlock, HashMerkleRoot, nTime, nBits, nNonce, followed by #vtx, vtx[]
    • Every 2016 blocks, the target T is recalculated
    • Let $t_{\text{sum}}$ be the time taken to mine the last 2016 blocks; then
      $T_{\text{new}} = \frac{t_{\text{sum}}}{14 \times 24 \times 60 \times 60} \times T$
    23 / 28
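The puzzle of slide 22 and the retarget rule of slide 27, as one added Python example (not code from the deck). The 80-byte little-endian header layout and the compact nBits decoding (exponent byte, 3-byte mantissa) are Bitcoin's real conventions that the slides leave implicit; the demo header values and the easy target 0x2000FFFF are constructed so the search finishes in a few hundred trials.

```python
import hashlib
import struct


def dsha256(data: bytes) -> bytes:
    """Bitcoin's H: SHA256 applied twice (SHA256^2 on the slides)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_from_nbits(nbits: int) -> int:
    """Decode compact nBits (high byte = exponent, low 3 bytes = mantissa)
    into the 256-bit target T = mantissa * 256^(exponent - 3)."""
    exponent, mantissa = nbits >> 24, nbits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def header_bytes(version: int, prev_hash: bytes, merkle_root: bytes,
                 ntime: int, nbits: int, nonce: int) -> bytes:
    """80-byte header in wire layout: nVersion || HashPrevBlock || HashMerkleRoot
    || nTime || nBits || nNonce, with integers little-endian."""
    return (struct.pack("<I", version) + prev_hash + merkle_root
            + struct.pack("<III", ntime, nbits, nonce))


def header_hash_int(header: bytes) -> int:
    """SHA256^2(header) read as a little-endian integer, as Bitcoin compares it to T."""
    return int.from_bytes(dsha256(header), "little")


def expected_trials(target: int) -> float:
    """Average nonces needed: 2^256 / T, because Pr[H <= T] ~ T / 2^256."""
    return 2 ** 256 / target


def mine(version, prev_hash, merkle_root, ntime, nbits, max_nonce=2 ** 32):
    """Grind nNonce until SHA256^2(header) <= T; returns the nonce, or None."""
    target = target_from_nbits(nbits)
    for nonce in range(max_nonce):
        header = header_bytes(version, prev_hash, merkle_root, ntime, nbits, nonce)
        if header_hash_int(header) <= target:
            return nonce
    return None


def retarget(old_target: int, tsum_seconds: int) -> int:
    """Slide 27: T_new = t_sum / (14 days) * T. Slow blocks raise T (easier puzzle),
    fast blocks lower it. Bitcoin additionally clamps the ratio to [1/4, 4]."""
    return old_target * tsum_seconds // (14 * 24 * 60 * 60)


# Constructed demo header: zero parent hash and Merkle root, an easy target
# (nBits 0x2000FFFF -> T = 0xFFFF * 256^29, so about 1 nonce in 256 succeeds).
DEMO_PREV, DEMO_ROOT, DEMO_NBITS, DEMO_TIME = bytes(32), bytes(32), 0x2000FFFF, 1478044800
```

`mine(1, DEMO_PREV, DEMO_ROOT, DEMO_TIME, DEMO_NBITS)` returns the first qualifying nonce; with the real network target the same loop would need on the order of 2^256 / T trials, which is what makes the puzzle hard.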

  28. Bitcoin Supply is Limited
    • The coinbase reward was initially 50 BTC per block
    • It halves every 210,000 blocks ≈ 4 years
    • Reward became 25 BTC in 11/2012 and 12.5 BTC in 07/2016
    • The total number of possible bitcoins is 21 million
    • The last bitcoin will be mined in 2140
    24 / 28
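The supply schedule on this slide, worked through in Python as an added example (not code from the deck). Amounts are integer satoshi, which is why the total lands just under 21 million: each halving truncates, and the reward reaches zero after 33 halvings. The 2140 estimate assumes the 10-minute block interval holds from 2009 onward.

```python
SATOSHI = 100_000_000          # smallest unit; Bitcoin amounts are integers
INITIAL_REWARD = 50 * SATOSHI  # coinbase reward at block 0
HALVING_INTERVAL = 210_000     # blocks between halvings (about four years at 10 min/block)


def block_reward(height: int) -> int:
    """Coinbase subsidy in satoshi at the given height. Integer halving: once the
    reward would drop below one satoshi it becomes 0 for good."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:             # guard the shift; the reward is long since 0 anyway
        return 0
    return INITIAL_REWARD >> halvings


def total_supply() -> int:
    """Sum of every subsidy that will ever be paid, in satoshi."""
    total, height = 0, 0
    while block_reward(height) > 0:
        total += block_reward(height) * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total


def last_subsidy_height() -> int:
    """Height of the last block that still pays a non-zero subsidy."""
    height = 0
    while block_reward(height) > 0:
        height += HALVING_INTERVAL
    return height - 1


def approx_year(height: int, genesis_year: float = 2009.0, minutes_per_block: int = 10) -> int:
    """Rough calendar year at which a height is reached (assumption: steady 10-minute blocks)."""
    minutes = height * minutes_per_block
    return int(genesis_year + minutes / (60 * 24 * 365.25))


if __name__ == "__main__":
    print("reward at 210000:", block_reward(210_000) / SATOSHI, "BTC")   # 25 BTC (11/2012)
    print("reward at 420000:", block_reward(420_000) / SATOSHI, "BTC")   # 12.5 BTC (07/2016)
    print("total supply:", total_supply() / SATOSHI, "BTC")              # just under 21 million
    print("last subsidy block:", last_subsidy_height(), "~ year", approx_year(last_subsidy_height()))
```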

  29. Bitcoin Summary
    • Open source software
    • Peer to peer network
    • Decentralized identity management
    • Built-in incentive to achieve consensus
    • Counterfeiting resistant by design
    • Limited supply to prevent inflation
    • Double spending resistant
    25 / 28

  30. So What?
    • 1 BTC = $727 today. Market cap ≈ $11.6 billion
    • Bitcoin is a robust PoC of the blockchain
    • Blockchain in WEF top 10 emerging technologies of 2016
    • As of Q1 of 2016, VC funding in Bitcoin and blockchain exceeds
    $1.1 billion
    • MIT has Digital Currency Initiative at MIT Media Lab
    • Stanford and Princeton offer MOOCs on Bitcoin and blockchain
    • Hillary Clinton pledged support for “public service blockchain
    applications”
    • Lots of other cryptocurrencies launched (Ethereum, Zcash)
    • Smart contracts now possible with minimal trust requirements
    26 / 28

  31. Now What?
    • Acquiring bitcoins
    • Mining (not profitable anymore on PC)
    • Local meetup
    • Bitcoin exchange
    • Do some work in exchange for bitcoins
    • Investment Risks
    • Loss of private key via memory loss, computer crash, hacking
    • Bitcoin exchanges get hacked
    • Learning more
    • Books
    • Princeton book http://bitcoinbook.cs.princeton.edu/
    • Digital Gold by Nathaniel Popper
    • Papers
    • SoK Paper http://randomwalker.info/
    • CABRA https://github.com/cdecker/btcresearch
    • Bitcoin Developer Reference
    https://github.com/minium/Bitcoin-Spec
    • Sites
    • Bitcoin Wiki https://en.bitcoin.it/
    • Bitcoin.org https://bitcoin.org/
    27 / 28

  32. Thanks for your attention
    28 / 28
