Bitcoin

sarva

November 02, 2016

Transcript

  1. Bitcoin and Me
     • Read about Bitcoin first in connection with Silk Road
     • Started reading the Bitcoin SoK paper in July
     • Submitted a proposal to NIRD&PR in August
     • Attended Scaling Bitcoin workshop in October
     • Bitcoin noob
  2. Scaling Bitcoin
     • Not the usual academic workshop
     • Attended by engineers, professors, students, journalists, investors
     • No proceedings
     • Advance full registration fee of $150
     • Travel subsidies up to $1500 each awarded
     • Allowed presentation of work presented elsewhere
     • All presentations available on YouTube
  3. What is Bitcoin?
     • The world's first decentralized digital currency
     • Announced by Satoshi Nakamoto in October 2008
     • Source code released in January 2009
     • Computers running Bitcoin software form a peer-to-peer network
     • Under active development on GitHub
     • Identity of creator remains unknown today
  4. Digital Currency Desiderata
     • Counterfeiting resistant
     • Limited in quantity
     • Double spending resistant
       • Alice pays Bob n digicoins for pizza
       • Alice uses the same n digicoins to pay Carol for some beer
     All three problems can be solved using a central authority like a bank
     • Bank adds serial numbers to digicoins and digitally signs them
     • Bank controls the rate of new digicoin creation
     • If all spending is routed through the bank, double spending cannot occur
     What if we don't trust the bank? Can we implement a digital currency without using a bank?
  5. Double Spending
     • Valid owner of a digicoin tries to spend it in two different transactions
     • Double spending is familiar to academics
       • Submitting the same paper to two different conferences is a form of double spending
       • Possible solution: Reviewers google contents of the paper to find duplicates
       • This solution fails if
         • Conferences are accepting papers at the same time
         • Proceedings of first conference have not been published yet
       • Better solution: A single public database to store all submissions to all conferences
  6. The Blockchain
     • The blockchain is Bitcoin's public database or ledger for storing Bitcoin transactions
     • A chain of blocks of transactions
     • Each block holds up to 1 MB of transactions (the block size limit as of 2016)
     • Every node in the Bitcoin P2P network maintains a copy
     • Solves the double spending problem in a decentralized manner
     • Questions
       • How is the state of the blockchain synchronized across all nodes?
       • Who is allowed to add blocks?
       • How is a transaction encoded?
       • How is the integrity of the transaction data ensured?
     • To understand Bitcoin's solution, we need
       • Cryptographic hash functions
       • Digital signatures
  7. Cryptographic Hash Functions
     • Accepts bit strings of any length
     • Output is a bit string of fixed length
     • Easy to compute
     • Difficult to invert: given $H(x)$, computationally infeasible to find $x$
     • Collision resistant: computationally infeasible to find $x \neq y$ such that $H(x) = H(y)$
     • Pseudorandom function: output looks like a uniformly distributed random variable. Given $T \in \mathbb{Z} \cap [0, 2^{256} - 1]$ and distinct inputs $x_1, x_2, \ldots, x_N$,
       $$\frac{1}{N} \sum_{i=1}^{N} \mathbb{I}\left[\mathrm{SHA256}(x_i) \le T\right] \approx \frac{T + 1}{2^{256}} \approx \frac{T}{2^{256}}.$$
  8. Digital Signatures
     • Implemented using public-key cryptography
     • Three functions needed
       • (privKey, pubKey) = generateKeys()
       • signature = sign(privKey, message)
       • isValid = verify(pubKey, message, signature)
  9. Public Keys = Identifiers
     • To enable transfer of bitcoins, entities need identifiers
     • Identifier assignment needs to be decentralized
     • Bitcoin uses ECDSA public keys (curve secp256k1) as identifiers or addresses
     • An uncompressed public key is a 512-bit (x, y) curve point (65 bytes on the wire with its 0x04 prefix byte; a 33-byte compressed form is also accepted)
     • Properties
       • Decentralized identity management: anyone can create a public-private key pair
       • Collision probability is effectively zero
       • Private key recovery from public key is computationally infeasible
     • Bitcoin addresses are RIPEMD160(SHA256(pubKey)), Base58Check-encoded: the 20-byte hash gives a shorter identifier and keeps the public key itself off the chain until the coins are spent
  10. Transaction Format
      nVersion                                              Transaction format version
      #vin                                                  Number of inputs
      vin[0]: hash, n, scriptSigLen, scriptSig, nSequence   Input 1
      vin[1]: hash, n, scriptSigLen, scriptSig, nSequence   Input 2
      #vout                                                 Number of outputs
      vout[0]: nValue, scriptPubkeyLen, scriptPubkey        Output 1
      vout[1]: nValue, scriptPubkeyLen, scriptPubkey        Output 2
      nLocktime
  11. Transaction Format (continued)
      Some Old Transaction: nVersion, #vin, vin[0] (hash, n, scriptSigLen, scriptSig, nSequence), vin[1] (hash, n, scriptSigLen, scriptSig, nSequence), #vout, vout[0] (nValue, scriptPubkeyLen, scriptPubkey), vout[1] (nValue, scriptPubkeyLen, scriptPubkey), nLocktime
      New Transaction: nVersion, #vin, vin[0] (hash, n, scriptSigLen, scriptSig, nSequence), #vout, vout[0] (nValue, scriptPubkeyLen, scriptPubkey), nLocktime
      The new transaction's vin[0].hash is SHA256²(Some Old Transaction) and its n = 0 points at vout[0] of the old transaction.
      • We want to move the bitcoins in the first output of some old transaction
      • Construct a new transaction with
        • An input with hash equal to the SHA256² hash of the old transaction
        • Index n equal to 0 indicating the first output
        • scriptSig proving knowledge of the private key etc.
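The serialization described on slides 10 and 11, as an added example that is not part of the deck: a minimal encoder and parser for the pre-SegWit transaction format, plus a builder for the "new transaction" that spends output n of an old one by its SHA256² hash. Field names follow the slide; the sample transactions and the 20-byte pubkey hashes are constructed for the demo. Hashes are stored byte-reversed relative to the hex that explorers display, integers are little-endian, and every variable-length field is prefixed with Bitcoin's compact varint.

```python
import hashlib
import struct


def double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def txid(raw_tx: bytes) -> str:
    """SHA256^2 of the serialized transaction, in display (byte-reversed) hex.
    This is the value an input's `hash` field carries."""
    return double_sha256(raw_tx)[::-1].hex()


def encode_varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def _read(buf: bytes, pos: int, size: int):
    # Bounds-checked slice so truncated input fails loudly instead of mis-parsing.
    if pos + size > len(buf):
        raise ValueError("truncated transaction")
    return buf[pos:pos + size], pos + size


def _unpack(fmt: str, buf: bytes, pos: int):
    chunk, pos = _read(buf, pos, struct.calcsize(fmt))
    return struct.unpack(fmt, chunk)[0], pos


def decode_varint(buf: bytes, pos: int):
    chunk, pos = _read(buf, pos, 1)
    first = chunk[0]
    if first < 0xFD:
        return first, pos
    size, fmt = {0xFD: (2, "<H"), 0xFE: (4, "<I"), 0xFF: (8, "<Q")}[first]
    chunk, pos = _read(buf, pos, size)
    return struct.unpack(fmt, chunk)[0], pos


def serialize_tx(tx: dict) -> bytes:
    out = struct.pack("<i", tx["version"]) + encode_varint(len(tx["vin"]))
    for vin in tx["vin"]:
        out += bytes.fromhex(vin["hash"])[::-1]          # outpoint txid, internal byte order
        out += struct.pack("<I", vin["n"])               # outpoint index
        out += encode_varint(len(vin["scriptSig"])) + vin["scriptSig"]
        out += struct.pack("<I", vin["nSequence"])
    out += encode_varint(len(tx["vout"]))
    for vout in tx["vout"]:
        out += struct.pack("<q", vout["nValue"])         # satoshis, signed 64-bit
        out += encode_varint(len(vout["scriptPubKey"])) + vout["scriptPubKey"]
    out += struct.pack("<I", tx["nLocktime"])
    return out


def parse_tx(raw: bytes) -> dict:
    """Inverse of serialize_tx; rejects truncated input and trailing bytes."""
    version, pos = _unpack("<i", raw, 0)
    n_in, pos = decode_varint(raw, pos)
    vins = []
    for _ in range(n_in):
        h, pos = _read(raw, pos, 32)
        n, pos = _unpack("<I", raw, pos)
        slen, pos = decode_varint(raw, pos)
        script, pos = _read(raw, pos, slen)
        seq, pos = _unpack("<I", raw, pos)
        vins.append({"hash": h[::-1].hex(), "n": n, "scriptSig": script, "nSequence": seq})
    n_out, pos = decode_varint(raw, pos)
    vouts = []
    for _ in range(n_out):
        value, pos = _unpack("<q", raw, pos)
        slen, pos = decode_varint(raw, pos)
        script, pos = _read(raw, pos, slen)
        vouts.append({"nValue": value, "scriptPubKey": script})
    locktime, pos = _unpack("<I", raw, pos)
    if pos != len(raw):
        raise ValueError("trailing bytes after nLocktime")
    return {"version": version, "vin": vins, "vout": vouts, "nLocktime": locktime}


def p2pkh(pubkey_hash: bytes) -> bytes:
    # OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    return b"\x76\xa9\x14" + pubkey_hash + b"\x88\xac"


def spend_output(old_raw: bytes, n: int, outputs, script_sig: bytes) -> dict:
    """The slide's 'New Transaction': one input referencing output n of the old
    transaction by its SHA256^2 hash, plus the requested outputs."""
    return {"version": 1,
            "vin": [{"hash": txid(old_raw), "n": n, "scriptSig": script_sig, "nSequence": 0xFFFFFFFF}],
            "vout": [{"nValue": v, "scriptPubKey": s} for v, s in outputs],
            "nLocktime": 0}


def fee(tx: dict, lookup: dict) -> int:
    """Sum of referenced input values minus sum of outputs; `lookup` maps txid -> parsed tx."""
    spent = sum(lookup[vin["hash"]]["vout"][vin["n"]]["nValue"] for vin in tx["vin"])
    return spent - sum(vout["nValue"] for vout in tx["vout"])


if __name__ == "__main__":
    # Constructed sample: a coinbase-style old transaction with two outputs.
    old = {"version": 1,
           "vin": [{"hash": "00" * 32, "n": 0xFFFFFFFF, "scriptSig": b"\x03abc", "nSequence": 0xFFFFFFFF}],
           "vout": [{"nValue": 100_000_000, "scriptPubKey": p2pkh(b"\x11" * 20)},
                    {"nValue": 250_000_000, "scriptPubKey": p2pkh(b"\x22" * 20)}],
           "nLocktime": 0}
    old_raw = serialize_tx(old)
    new = spend_output(old_raw, 0, [(90_000_000, p2pkh(b"\x33" * 20))], b"\x00")
    print("old txid:", txid(old_raw))
    print("new input points at:", new["vin"][0]["hash"], "n =", new["vin"][0]["n"])
    print("fee (satoshis):", fee(new, {txid(old_raw): old}))
```

The scriptSig here is a placeholder byte; the real one carries the signature and public key that slide 15 describes. Note that `txid` is the hash of the whole serialization including scriptSig, which is why a third party who re-encodes a signature can change a transaction's id without changing what it spends.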
  15. Script
      • The Bitcoin scripting language
      • Forth-like stack-based language
      • Each output's scriptPubKey contains a challenge script
      • Each input's scriptSig contains a response script
      • The set of standard (acceptable) script templates is limited
      • Example: Pay-to-PubkeyHash (P2PKH)
        • scriptPubKey: OP_DUP OP_HASH160 <pubkeyHash> OP_EQUALVERIFY OP_CHECKSIG
        • scriptSig: <signature> <pubkey>
  16. Pay-to-PubkeyHash Execution
      scriptSig is executed first (stack shown with its top on the left):

      Stack                                                Remaining Script
      Empty                                                <signature> <pubkey>
      <signature>                                          <pubkey>
      <pubkey> <signature>                                 Empty

      scriptPubKey is executed using the final scriptSig stack state:

      Stack                                                Remaining Script
      <pubkey> <signature>                                 OP_DUP OP_HASH160 <pubkeyHash> OP_EQUALVERIFY OP_CHECKSIG
      <pubkey> <pubkey> <signature>                        OP_HASH160 <pubkeyHash> OP_EQUALVERIFY OP_CHECKSIG
      <pubkeyHashNew> <pubkey> <signature>                 <pubkeyHash> OP_EQUALVERIFY OP_CHECKSIG
      <pubkeyHash> <pubkeyHashNew> <pubkey> <signature>    OP_EQUALVERIFY OP_CHECKSIG
      <pubkey> <signature>                                 OP_CHECKSIG
      True                                                 Empty

      • OP_EQUALVERIFY aborts the script (input invalid) if the two hashes differ
      • Transaction is valid if the final top stack element is True
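The generateKeys / sign / verify interface of slide 8, the hashed public-key identifier of slide 9 and the P2PKH stack execution of slides 15 and 16, as one added example that is not part of the deck. Two stand-ins are assumptions made to keep it standard-library only: Lamport one-time signatures replace ECDSA (a genuine public-key scheme built from SHA-256, but each key may sign once), and the `message` passed to CHECKSIG is a constructed digest rather than Bitcoin's actual signature hash of the spending transaction. `hash160` uses real RIPEMD160(SHA256(x)) when the OpenSSL build provides RIPEMD-160 and otherwise falls back to a truncated SHA256², which is also an assumption for the demo, not Bitcoin behaviour.

```python
import hashlib
import hmac
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash160(data: bytes) -> bytes:
    """OP_HASH160 = RIPEMD160(SHA256(x)): the 20-byte <pubkeyHash> in a P2PKH output.
    Demo assumption: fall back to a truncated SHA256^2 if RIPEMD-160 is unavailable."""
    try:
        return hashlib.new("ripemd160", sha256(data)).digest()
    except ValueError:
        return sha256(sha256(data))[:20]


# --- Stand-in signature scheme (Lamport one-time signatures, not ECDSA) ---------
def generate_keys():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = b"".join(sha256(a) + sha256(b) for a, b in priv)   # 256 pairs of commitments
    return priv, pub


def _bits(message: bytes):
    digest = sha256(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(priv, message: bytes) -> bytes:
    # Reveal one preimage per digest bit; revealing both halves of a pair breaks the key,
    # which is why a Lamport key must never sign two different messages.
    return b"".join(priv[i][bit] for i, bit in enumerate(_bits(message)))


def verify(pub: bytes, message: bytes, signature: bytes) -> bool:
    if len(pub) != 256 * 64 or len(signature) != 256 * 32:
        return False
    ok = True
    for i, bit in enumerate(_bits(message)):
        expected = pub[i * 64 + bit * 32: i * 64 + bit * 32 + 32]
        ok &= hmac.compare_digest(sha256(signature[i * 32: i * 32 + 32]), expected)
    return bool(ok)


# --- Minimal Script interpreter for the P2PKH template ---------------------------
def p2pkh_script_pubkey(pubkey_hash: bytes) -> list:
    return ["OP_DUP", "OP_HASH160", pubkey_hash, "OP_EQUALVERIFY", "OP_CHECKSIG"]


def run_script(script, stack, message, trace) -> bool:
    """Execute tokens (opcode names or byte pushes); the list's last element is the
    stack top. Returns False as soon as an opcode fails, which invalidates the input."""
    for tok in script:
        if isinstance(tok, bytes):
            stack.append(tok)
        elif tok == "OP_DUP" and stack:
            stack.append(stack[-1])
        elif tok == "OP_HASH160" and stack:
            stack.append(hash160(stack.pop()))
        elif tok == "OP_EQUALVERIFY" and len(stack) >= 2:
            if not hmac.compare_digest(stack.pop(), stack.pop()):
                return False                      # <pubkeyHashNew> != <pubkeyHash>
        elif tok == "OP_CHECKSIG" and len(stack) >= 2:
            pub, sig = stack.pop(), stack.pop()
            stack.append(b"\x01" if verify(pub, message, sig) else b"")
        else:
            return False                          # unknown opcode or stack underflow
        trace.append((tok if isinstance(tok, str) else "<push>", [s[:4].hex() for s in stack]))
    return True


def validate_input(script_sig, script_pubkey, message, trace=None) -> bool:
    """scriptSig runs first, then scriptPubKey runs on the resulting stack; the input
    is valid iff neither fails and the final top-of-stack element is true."""
    stack = []
    trace = [] if trace is None else trace
    if not run_script(script_sig, stack, message, trace):
        return False
    if not run_script(script_pubkey, stack, message, trace):
        return False
    return bool(stack) and stack[-1] not in (b"", b"\x00")


def demo():
    """Constructed cases: an honest spend, a spend with the wrong key (fails at
    OP_EQUALVERIFY) and a signature over a different message (fails at OP_CHECKSIG)."""
    priv, pub = generate_keys()
    other_priv, other_pub = generate_keys()
    spend_digest = sha256(b"constructed spending transaction")
    script_pubkey = p2pkh_script_pubkey(hash160(pub))     # the old output's challenge
    honest = validate_input([sign(priv, spend_digest), pub], script_pubkey, spend_digest)
    wrong_key = validate_input([sign(other_priv, spend_digest), other_pub], script_pubkey, spend_digest)
    tampered = validate_input([sign(priv, spend_digest), pub], script_pubkey, spend_digest + b"!")
    return honest, wrong_key, tampered


if __name__ == "__main__":
    print(demo())                                          # (True, False, False)
```

Running `validate_input` with a `trace` list gives the same step sequence as the slide's table, read bottom-to-top: two pushes, OP_DUP, OP_HASH160, the <pubkeyHash> push, OP_EQUALVERIFY, OP_CHECKSIG. The `wrong_key` case is the reason hashing the public key in the output matters: the spender must present a key whose hash matches before any signature is even checked.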
  17. Block Format
      Previous Block: nVersion HashPrevBlock HashMerkleRoot nTime nBits nNonce | #vtx vtx[]
      New Block:      nVersion HashPrevBlock HashMerkleRoot nTime nBits nNonce | #vtx vtx[]
      New Block.HashPrevBlock = SHA256²(Previous Block header)
      • Each block consists of a header followed by an array of transactions
      • SHA256² hash of the previous block header is stored in HashPrevBlock
      • nBits and nNonce specify rules of new block addition (more on that later)
      • HashMerkleRoot stores the root hash of the Merkle tree of transactions
  18. Merkle Tree
      For three transactions $t_0, t_1, t_2$:
      $$h_{00} = H(t_0),\quad h_{01} = H(t_1),\quad h_{10} = H(t_2)$$
      $$h_0 = H(h_{00} \,\|\, h_{01}),\quad h_1 = H(h_{10} \,\|\, h_{10}),\quad h = H(h_0 \,\|\, h_1)$$
      (an odd trailing hash is paired with itself)
      • Root hash is a function of all the transactions
      • Even a single bit change in a transaction will change root hash
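The Merkle construction on this slide, as an added example that is not part of the deck: leaves are SHA256² of each transaction, adjacent pairs are hashed with SHA256², and an odd trailing hash is paired with itself exactly as $h_1 = H(h_{10} \,\|\, h_{10})$ above. The sample transactions are constructed byte strings. The duplication rule has a consequence worth knowing: a list of three transactions and the same list with the third repeated produce the same root, so a block validator must reject duplicate txids separately rather than trust the root alone (this is Bitcoin's CVE-2012-2459).

```python
import hashlib


def double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_levels(txs: list) -> list:
    """Bitcoin-style Merkle tree over raw transactions. Returns every level, leaves
    first; the root is levels[-1][0]. An odd trailing hash is concatenated with itself."""
    if not txs:
        raise ValueError("a block carries at least its coinbase transaction")
    level = [double_sha256(tx) for tx in txs]          # h00, h01, h10, ... (the txids)
    levels = [level]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]                 # h1 = H(h10 || h10) on the slide
        level = [double_sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(txs: list) -> bytes:
    return merkle_levels(txs)[-1][0]


def has_duplicate_txids(txs: list) -> bool:
    """Needed alongside the root check: [t0, t1, t2] and [t0, t1, t2, t2] share a root."""
    ids = [double_sha256(tx) for tx in txs]
    return len(set(ids)) != len(ids)


def flip_bit(data: bytes, bit: int) -> bytes:
    i, shift = divmod(bit, 8)
    return data[:i] + bytes([data[i] ^ (1 << shift)]) + data[i + 1:]


if __name__ == "__main__":
    # Constructed sample transactions; real leaves would be serialized transactions.
    t0, t1, t2 = b"constructed tx 0", b"constructed tx 1", b"constructed tx 2"
    for depth, level in enumerate(merkle_levels([t0, t1, t2])):
        print(depth, [h.hex()[:8] for h in level])
    print("root changes on 1-bit flip:", merkle_root([flip_bit(t0, 5), t1, t2]) != merkle_root([t0, t1, t2]))
    print("duplicate-leaf collision:", merkle_root([t0, t1, t2]) == merkle_root([t0, t1, t2, t2]))
```

A block header commits only to the root, so the single-bit-change property is what makes tampering with any transaction in a mined block detectable; the duplicate-txid check is the part the root cannot provide on its own.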
  19. Who is allowed to add a new block?
      Header: nVersion HashPrevBlock HashMerkleRoot nTime nBits nNonce | #vtx vtx[]
      • Any node which can solve a hard computational puzzle
      • nBits encodes a 256-bit target value $T$, say
        $$T = \mathtt{0x}\,\underbrace{00 \cdots 00}_{16\ \text{hex digits}}\,\underbrace{FF \cdots FF}_{48\ \text{hex digits}}$$
      • A node which can find nNonce such that
        $$\mathrm{SHA256}\big(\mathrm{SHA256}(\text{nVersion} \,\|\, \text{HashPrevBlock} \,\|\, \text{HashMerkleRoot} \,\|\, \text{nTime} \,\|\, \text{nBits} \,\|\, \text{nNonce})\big) \le T$$
        can add a new block
      • Since $\Pr[H \le T] \approx T / 2^{256}$, the average number of trials is $2^{256} / T$
  20. Why should anyone solve this hard puzzle?
      • Successful solver gets rewarded in bitcoins
      • Puzzle solving is called mining and nodes are called miners
      • Every block contains a coinbase transaction which creates 12.5 bitcoins (≈ $9000 as of this morning)
      • During new block construction, a miner inserts a public key (address) he controls as the destination of the coinbase bitcoins
      • Every miner is competing to solve their puzzle
      • Miners also collect the transaction fees in the block
        • If the input amount of a transaction exceeds the output, then the difference goes to the miner as fees
      • Successful miners are said to have demonstrated proof of work
  21. Block Creation Workflow
      • Nodes which want to perform transactions broadcast them
      • Miners collect all broadcast transactions and reject invalid ones
      • Miners select the most recent block on the longest path in the blockchain and insert its hash in the new block header
      • Miners compete to solve the puzzle and broadcast successful solutions on the network
      • On hearing a successful solution, other miners abandon the current puzzle and start work on the new puzzle
  22. What if two miners solve the puzzle at the same time?
      Genesis Block → Block 1 → · · · → Block N → (Solution from miner 1 | Solution from miner 2)
      Later: Block N + 1 → Block N + 2 extend one of the two; the other becomes an orphan block
      • Both miners will broadcast their solution on the network
      • Nodes will accept the first solution they hear
      • Nodes will reject the second solution which builds off the same parent block
      • If nodes see a longer chain than the one they are working on, they switch to it
      • Eventually the network will converge and achieve consensus
      • This solves the double spending problem; in practice a payment is treated as settled only after a few confirmations, since a transaction in the shorter branch can still be orphaned
  24. How often are new blocks created?
      Header: nVersion HashPrevBlock HashMerkleRoot nTime nBits nNonce | #vtx vtx[]
      • Once every 10 minutes on average
      • Every 2016 blocks, the target $T$ is recalculated
      • Let $t_{\text{sum}}$ be the time taken to mine the last 2016 blocks (at 10 minutes per block that should be 14 days):
        $$T_{\text{new}} = \frac{t_{\text{sum}}}{14 \times 24 \times 60 \times 60} \times T$$
      • Bitcoin clamps each adjustment to a factor of 4 in either direction, so $T$ changes by at most 4x per retarget period
  25. Bitcoin Supply is Limited
      • The coinbase reward was initially 50 BTC per block
      • It halves every 210,000 blocks ≈ 4 years
      • Reward became 25 BTC in 11/2012 and 12.5 BTC in 07/2016
      • The total number of possible bitcoins is 21 million
      • The last bitcoin will be mined in 2140
  26. Bitcoin Summary
      • Open source software
      • Peer-to-peer network
      • Decentralized identity management
      • Built-in incentive to achieve consensus
      • Counterfeiting resistant by design
      • Limited supply to prevent inflation
      • Double spending resistant
  27. So What?
      • 1 BTC = $727 today. Market cap ≈ $11.6 billion
      • Bitcoin is a robust PoC of the blockchain
      • Blockchain in WEF top 10 emerging technologies of 2016
      • As of Q1 of 2016, VC funding in Bitcoin and blockchain exceeds $1.1 billion
      • MIT has Digital Currency Initiative at MIT Media Lab
      • Stanford and Princeton offer MOOCs on Bitcoin and blockchain
      • Hillary Clinton pledged support for "public service blockchain applications"
      • Lots of other cryptocurrencies launched (Ethereum, Zcash)
      • Smart contracts now possible with minimal trust requirements
  28. Now What?
      • Acquiring bitcoins
        • Mining (not profitable anymore on a PC)
        • Local meetup
        • Bitcoin exchange
        • Do some work in exchange for bitcoins
      • Investment risks
        • Loss of private key via memory loss, computer crash, hacking
        • Bitcoin exchanges get hacked
      • Learning more
        • Books
          • Princeton book http://bitcoinbook.cs.princeton.edu/
          • Digital Gold by Nathaniel Popper
        • Papers
          • SoK Paper http://randomwalker.info/
          • CABRA https://github.com/cdecker/btcresearch
          • Bitcoin Developer Reference https://github.com/minium/Bitcoin-Spec
        • Sites
          • Bitcoin Wiki https://en.bitcoin.it/
          • Bitcoin.org https://bitcoin.org/