Bitcoin: A Peer-to-Peer Electronic Cash System (Satoshi Nakamoto), presentation transcript


Outline
- Introduction
- Core Mechanism: Transactions; Timestamp server; Proof-of-Work; Network; Incentive; Reclaiming Disk Space; Simplified Payment Verification; Combining and Splitting Value; Privacy; Calculations
- Conclusion

Introduction. A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Financial institutions cannot avoid mediating disputes. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. Until now, no mechanism has existed to make payments peer-to-peer without a trusted party.

Digital Signature
1. Non-repudiation
2. Integrity
A message digest is a fingerprint of the message: different messages produce different digests, so a signature over the digest is bound to exactly one message.

Flow Chart. The wallet is a file holding the user's key pairs; an address is derived from a public key by the cryptosystem (see the appendix); wallets run on the users' own computers, and from there a transaction begins.

Alice pays Bob. Alice signs the transaction with the private key held in her wallet. Anyone can check the signature against her public key, which proves the transaction was authorized by the holder of the private key, i.e. the owner of the coins. Miners verify the transactions and collect those received over the past 10 minutes into a new block.

After collecting the past 10 minutes of transactions, each miner independently searches for a proof-of-work: it repeatedly hashes the block header with SHA-256 (applied twice in Bitcoin's implementation), incrementing the nonce, until the hash begins with the required number of zero bits. This is called mining, or proof-of-work (POW). The first miner to find such a nonce receives the block reward (50 BTC at the time); the others verify the block and start working on the next one.

Miners cannot predict which nonce will produce a hash that meets the target; the winner gets the reward. Alice and Bob's transaction is then buried beneath later blocks, which makes it harder to modify, because a change would require redoing the proof-of-work for that block and for every block above it. (The address-creation steps shown on this slide are given in full in the appendix.)


Transactions. An electronic coin is a chain of digital signatures: each owner transfers the coin by signing a hash of the previous transaction together with the next owner's public key. The payee cannot verify on his own that an earlier owner did not double-spend the coin. Traditionally a trusted third party is required to prevent this. Without a trusted party, transactions must be publicly announced [1], and participants must agree on a single history of the order in which they were received; the payee can then be sure that he was the first receiver.
[1] W. Dai, "b-money."

What is a block?

Timestamp Server. A timestamp server [2-5] works by taking a hash of a block of items to be timestamped and widely publishing the hash (in Bitcoin the header carries a Unix-time timestamp). Each timestamp includes the previous timestamp in its hash, forming a chain in which every new timestamp reinforces the ones before it.
[2] H. Massias, X.S. Avila, and J.-J. Quisquater, "Design of a secure timestamping service with minimal trust requirements," 20th Symposium on Information Theory in the Benelux, May.
[3] S. Haber, W.S. Stornetta, "How to time-stamp a digital document," Journal of Cryptology, vol 3, no 2.
[4] D. Bayer, S. Haber, W.S. Stornetta, "Improving the efficiency and reliability of digital time-stamping," Sequences II: Methods in Communication, Security and Computer Science.
[5] S. Haber, W.S. Stornetta, "Secure names for bit-strings," Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28-35, April 1997.

Proof-of-Work (POW) [6]. Miners independently hash the block header with SHA-256, incrementing the nonce (starting from 0), until the output begins with the required number of zero bits. The average work is 2^b hash evaluations, where b is the number of zero bits required, while checking a candidate takes a single hash. To modify a past block, an attacker would have to redo the proof-of-work of that block and of all blocks after it, and then catch up with and surpass the chain of the honest nodes (once the next proof-of-work is found and one chain becomes longer, nodes working on the shorter one switch to the longer one). Proof-of-work also solves the problem of majority decision making: it is one-CPU-one-vote, and the majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it.
[6] A. Back, "Hashcash - a denial of service counter-measure."

Network. The steps to run the network are as follows:
1) New transactions are broadcast to all nodes.
2) Each node collects the new transactions (roughly the last 10 minutes' worth) into a block.
3) Each node works on finding a difficult proof-of-work for its block.
4) When a node finds a proof-of-work, it broadcasts the block to all nodes.
5) Nodes accept the block only if all transactions in it are valid and not already spent.
6) Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.
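The proof-of-work slide and the six network steps above, carried out on a toy chain as an added example (this is not code from the slides or from Bitcoin): a block header is hashed with double SHA-256, the nonce is incremented from 0 until the hash has the required leading zero bits, a verifier re-checks linkage and work with one hash per block, and rewriting a buried block is shown to cost a fresh proof-of-work for it and for every block above it. The header layout, the single-hash stand-in for the Merkle root, the 14-bit difficulty and the sample transactions are all constructed for the example.

```python
"""Toy Nakamoto chain: header hashing, nonce search, validation, and the cost of
rewriting a buried block. Added example, not code from the slides or from Bitcoin;
the header layout, the stand-in for the Merkle root and the sample transactions are
constructed for illustration."""
import hashlib

DIFFICULTY_BITS = 14          # b leading zero bits; expected work ~2^b hashes per block
GENESIS_PREV = "0" * 64       # previous-hash field of the first block


def sha256d(data: bytes) -> bytes:
    """Bitcoin applies SHA-256 twice to the block header."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def tx_root(txs) -> str:
    """Stand-in for the Merkle root: a single hash over the block's transactions."""
    return hashlib.sha256("\n".join(txs).encode()).hexdigest()


def header_hash(prev_hash: str, root: str, timestamp: int, nonce: int) -> bytes:
    """Canonical (toy) header serialization, then double SHA-256."""
    return sha256d(f"{prev_hash}|{root}|{timestamp}|{nonce}".encode())


def meets_target(digest: bytes, bits: int = DIFFICULTY_BITS) -> bool:
    """The proof-of-work condition: the hash starts with `bits` zero bits."""
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def mine(prev_hash: str, root: str, timestamp: int, bits: int = DIFFICULTY_BITS):
    """Step 3 of the network: increment the nonce from 0 until the header hash meets
    the target. Returns (nonce, hash_hex, hashes_tried)."""
    nonce = 0
    while True:
        digest = header_hash(prev_hash, root, timestamp, nonce)
        if meets_target(digest, bits):
            return nonce, digest.hex(), nonce + 1
        nonce += 1


def build_chain(blocks_txs, bits: int = DIFFICULTY_BITS):
    """Steps 2-4: each block commits to its transactions and to the previous hash."""
    chain, prev = [], GENESIS_PREV
    for height, txs in enumerate(blocks_txs):
        root = tx_root(txs)
        nonce, digest_hex, _ = mine(prev, root, height, bits)
        chain.append({"prev": prev, "root": root, "time": height, "nonce": nonce,
                      "hash": digest_hex, "txs": list(txs)})
        prev = digest_hex
    return chain


def validate_chain(chain, bits: int = DIFFICULTY_BITS) -> bool:
    """Steps 5-6 from a verifier's side: every block must link to the previous hash,
    commit to its own transactions, and carry a hash that meets the target."""
    prev = GENESIS_PREV
    for blk in chain:
        digest = header_hash(blk["prev"], blk["root"], blk["time"], blk["nonce"])
        if (blk["prev"] != prev or blk["root"] != tx_root(blk["txs"])
                or digest.hex() != blk["hash"] or not meets_target(digest, bits)):
            return False
        prev = blk["hash"]
    return True


def tamper(chain, index: int, new_txs):
    """Edit a buried block without redoing any work: the copy no longer validates."""
    forged = [dict(b) for b in chain]
    forged[index]["txs"] = list(new_txs)
    return forged


def rewrite_history(chain, index: int, new_txs, bits: int = DIFFICULTY_BITS):
    """What an attacker must actually do: re-mine the edited block and every block
    after it (about 2^bits hashes each) while honest nodes keep extending the real
    chain. Returns (rewritten_chain, hashes_spent)."""
    rewritten, spent = [dict(b) for b in chain[:index]], 0
    prev = chain[index]["prev"]
    for blk in chain[index:]:
        txs = list(new_txs) if blk is chain[index] else blk["txs"]
        root = tx_root(txs)
        nonce, digest_hex, tried = mine(prev, root, blk["time"], bits)
        rewritten.append({"prev": prev, "root": root, "time": blk["time"],
                          "nonce": nonce, "hash": digest_hex, "txs": txs})
        prev, spent = digest_hex, spent + tried
    return rewritten, spent


if __name__ == "__main__":
    # constructed sample transactions, one list per block
    chain = build_chain([["coinbase -> Alice 50"], ["Alice -> Bob 10"], ["Bob -> Carol 5"]])
    print("valid:", validate_chain(chain))                                          # True
    print("forged valid:", validate_chain(tamper(chain, 1, ["Alice -> Bob 1000"])))  # False
    _, work = rewrite_history(chain, 1, ["Alice -> Bob 1000"])
    print("hashes an attacker spent to rewrite 2 blocks:", work)
```

With 14 bits the search costs about 2^14 hashes per block and the whole run finishes in well under a second; raise DIFFICULTY_BITS to feel the exponential cost. A real node derives the target from the compact difficulty field and validates timestamps and transactions before it checks the work, but the nonce search and the order of the checks are the same.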

Incentive. The creator of a block includes a special first transaction that creates a new coin owned by the creator; this is the incentive (the block reward). The reward started at 50 BTC per block and halves every 210,000 blocks, so the total supply approaches the limit of 21,000,000 BTC. Once the majority of bitcoins have been mined, the block reward becomes an insignificant percentage of miners' overall earnings. The incentive can also be funded with transaction fees, the difference between a transaction's input and output values; fees give miners a reason to include transactions in a block.
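The reward schedule stated above, as an added example (not the slides' or Bitcoin's own code): the reward is computed in satoshi (1 BTC = 10^8 satoshi) with the integer right-shift the reference client uses for halving, and summing it over every halving interval shows why the cap sits just under 21,000,000 BTC rather than exactly at it.

```python
"""Block subsidy schedule and the resulting supply cap. Added example, not the
slides' or Bitcoin's own code; it applies the rule stated on the slide (50 BTC per
block, halved every 210,000 blocks) in satoshi with the integer right-shift the
reference client uses, which is why the total lands just under 21,000,000 BTC."""
COIN = 100_000_000            # satoshi per bitcoin
HALVING_INTERVAL = 210_000    # blocks between halvings
INITIAL_SUBSIDY = 50 * COIN   # reward per block before the first halving


def block_subsidy(height: int) -> int:
    """New coins (in satoshi) the creator of the block at `height` may claim."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:        # a C right-shift by 64 or more is undefined; define it as 0
        return 0
    return INITIAL_SUBSIDY >> halvings   # integer halving: sub-satoshi remainders are dropped


def total_supply() -> int:
    """Sum of every subsidy ever payable (satoshi); the shift reaches 0 after 33 halvings."""
    total, height = 0, 0
    while block_subsidy(height) > 0:
        total += block_subsidy(height) * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total


def last_subsidy_height() -> int:
    """Height of the last block that still creates new coins (it pays one satoshi)."""
    height = 0
    while block_subsidy(height + HALVING_INTERVAL) > 0:
        height += HALVING_INTERVAL
    return height + HALVING_INTERVAL - 1


if __name__ == "__main__":
    print(block_subsidy(0), block_subsidy(210_000), block_subsidy(6_930_000))  # 5000000000 2500000000 0
    print(total_supply(), last_subsidy_height())                              # 2099999997690000 6929999
```

The 11 satoshi lost to truncation in each interval (the binary weight of 5,000,000,000 is 11 bits) add up to 2,310,000 satoshi, the gap between 21,000,000 BTC and the 20,999,999.9769 BTC that can ever be issued. From height 6,930,000 on, transaction fees are the only incentive.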

Reclaiming Disk Space. Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To do this without breaking the block's hash, transactions are hashed in a Merkle tree [7][2][5], with only the root included in the block's hash; old blocks can then be compacted by pruning branches of the tree while the header still verifies.
[7] R.C. Merkle, "Protocols for public key cryptosystems," Proc. Symposium on Security and Privacy, IEEE Computer Society, April 1980.

Simplified Payment Verification. A user only needs to keep a copy of the block headers of the longest proof-of-work chain and to obtain the Merkle branch linking his transaction to the block it is timestamped in. He cannot check the transaction himself, but by linking it to a place in the chain he can see that a network node has accepted it, and the blocks added after it further confirm that acceptance.
Combining and Splitting Value. A transaction contains multiple inputs and outputs: normally either a single input from a larger previous transaction or multiple inputs combining smaller amounts, and at most two outputs, one for the payment and one returning the change to the sender.
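The Merkle tree behind both slides above (Reclaiming Disk Space and Simplified Payment Verification), as an added example that is not code from the slides: the construction follows Bitcoin's (double SHA-256 over two concatenated 32-byte hashes; a level with an odd number of hashes pairs its last hash with a copy of itself), and the transaction ids are constructed sample data. A full node returns the root and the branch; the client verifies with log2(n) hashes and never needs the other transactions.

```python
"""Merkle tree with SPV-style branch verification. Added example, not code from the
slides; it follows Bitcoin's construction (double SHA-256 over concatenated 32-byte
hashes, an odd level duplicates its last hash). The transaction ids are constructed."""
import hashlib


def sha256d(data: bytes) -> bytes:
    """Bitcoin's hash for tree nodes: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root_and_branch(leaves, index: int):
    """Build the tree over `leaves` (txids as bytes) and return (root, branch), where
    branch lists (sibling_hash, sibling_is_on_the_right) from the leaf level up to
    the root. This is the proof a full node hands to an SPV client for leaves[index]."""
    if not leaves:
        raise ValueError("a block has at least the coinbase transaction")
    level, branch = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:                 # odd count: pair the last hash with itself
            level.append(level[-1])
        sibling = index ^ 1
        branch.append((level[sibling], sibling > index))
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], branch


def verify_branch(leaf: bytes, branch, root: bytes) -> bool:
    """SPV check: recompute the path from the leaf to the root using only the log2(n)
    sibling hashes, never seeing the other transactions. A tampered leaf or sibling
    produces a different root and fails here."""
    node = leaf
    for sibling, sibling_is_right in branch:
        node = sha256d(node + sibling) if sibling_is_right else sha256d(sibling + node)
    return node == root


if __name__ == "__main__":
    txids = [sha256d(f"tx{i}".encode()) for i in range(5)]   # constructed sample txids
    root, branch = merkle_root_and_branch(txids, 3)
    print("proof length:", len(branch))                                  # 3 for 5 leaves
    print("valid:", verify_branch(txids[3], branch, root))              # True
    print("tampered:", verify_branch(sha256d(b"evil"), branch, root))   # False
```

Because the header commits only to the root, a node can drop a block's spent transactions and the header still hashes correctly, and a header-only client can confirm inclusion from the branch alone. One caveat of the odd-level duplication rule: a transaction list whose last two entries are identical yields the same root as the list without the duplicate, so a full node must reject blocks containing duplicate txids rather than trust the root by itself.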

Privacy. The traditional banking model achieves a level of privacy by limiting access to information to the parties involved. Broadcasting every transaction precludes this method, but privacy can still be maintained by keeping public keys anonymous: the public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades are public but the parties are not. As an additional firewall, a new key pair (address) should be used for each transaction to keep them from being linked to a common owner.


Calculation - 1. The probability of an attacker catching up from a given deficit is analogous to a Gambler's Ruin problem [8]:
p = probability an honest node finds the next block
q = probability the attacker finds the next block
q_z = probability the attacker will ever catch up from z blocks behind
Our assumption is that p > q; under it the probability drops exponentially as the number of blocks the attacker has to catch up with increases.
[8] W. Feller, "An introduction to probability theory and its applications," 1957.

Calculation - 2 and Calculation - 3 (formula slides; their content was not captured in the transcript)

Calculation - 4. When the probability that the attacker finds the next block is q = 0.1 or q = 0.3, the probability that the attacker succeeds in modifying the current block drops exponentially as z increases (z is the number of blocks linked after the current block).

Calculation - 4 (continued). If we want the probability that the attacker succeeds in modifying the current block to be below 0.1%, then as q, the probability that the attacker finds the next block, increases, the required z increases too.
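The calculation behind the last two slides, as an added example that is not the slides' code: q_z from the Gambler's Ruin analogy and the attacker success probability as given in Section 11 of the Nakamoto paper, which the slides' formula images presumably reproduced (an assumption). The Poisson term is accumulated step by step instead of being computed as lambda^k / k!, so large z does not overflow a float.

```python
"""Attacker success probability as a function of confirmations z, from the
Gambler's Ruin analogy. Added example, not from the slides: the formula is the one
in Section 11 of the Nakamoto paper, with the Poisson term accumulated incrementally
so that large z does not overflow a float."""
import math


def catch_up_probability(q: float, z: int) -> float:
    """q_z: chance an attacker with hash share q ever catches up from z blocks behind.
    Certain when q >= p; otherwise (q/p)^z, which decays exponentially in z."""
    p = 1.0 - q
    return 1.0 if q >= p else (q / p) ** z


def attacker_success_probability(q: float, z: int) -> float:
    """While the honest chain adds z blocks, the attacker's progress is Poisson with
    mean lambda = z*q/p. Sum over the k blocks she has by then the chance of still
    catching up from z-k behind; the attacker succeeds with the remaining mass."""
    p = 1.0 - q
    lam = z * q / p
    poisson = math.exp(-lam)            # P(k = 0); each step multiplies by lam/k
    total = 0.0
    for k in range(z + 1):
        if k:
            poisson *= lam / k
        total += poisson * (1.0 - catch_up_probability(q, z - k))
    return 1.0 - total


def blocks_for_confidence(q: float, max_prob: float = 0.001) -> int:
    """Smallest z at which the attacker's success probability drops below max_prob."""
    if q >= 0.5:
        raise ValueError("an attacker with at least half the hash power always catches up")
    z = 0
    while attacker_success_probability(q, z) >= max_prob:
        z += 1
    return z


if __name__ == "__main__":
    for q in (0.1, 0.3):
        print(f"q={q}:", [round(attacker_success_probability(q, z), 7) for z in range(0, 11, 2)])
    print({q: blocks_for_confidence(q) for q in (0.1, 0.2, 0.3, 0.4)})
```

With q = 0.1 the probability falls below 0.1% at z = 5 confirmations; with q = 0.3 it takes z = 24, which is the trade-off the slides describe. For q >= 0.5 the attacker always catches up eventually, so blocks_for_confidence refuses rather than looping forever.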


Conclusion. We proposed a system for electronic transactions without relying on a trusted third party: worldwide, fast, secure, private, low cost, and open to everyone.

Appendix: How to create a Bitcoin Address
(Hex values are reproduced as extracted from the slides; the extraction dropped the purely numeric runs, so several of the strings are incomplete.)
0 - Start from a private ECDSA key: 18E14A7B6A307F426A94F E7C8E774E7F9A47E2C203 5DB29A
1 - Take the corresponding public key generated with it (uncompressed: 0x04 followed by the 32-byte x and y coordinates): AD64A87AE8A2FE83C1AF1A8403CB53F53E486D851 1DAD8A04887E5B23522CD A299FA9E ABC11A1DF38855ED6F2EE187E9C582BA6
2 - Perform SHA-256 hashing on the public key: FFE422B4E00731A59557A5CCA46CC A4 47BDB2D98D4B
3 - Perform RIPEMD-160 hashing on the result of SHA-256: D E5E39F86A0D273BEE
4 - Add a version byte in front of the RIPEMD-160 hash (0x00 for the main network): D E5E39F86A0D273BEE
5 - Perform SHA-256 hashing on the extended RIPEMD-160 result: 445C7A8007A93D BB320A8FE2DEBD2AE1B47F0F 50BC10BAE845C
6 - Perform SHA-256 hashing on the result of the previous SHA-256 hash: D61967F63C7DD183914A4AE452C9F6AD5D462CE3D B107615C1A8A30
7 - Take the first 4 bytes of the second SHA-256 hash; this is the address checksum: D61967F6
8 - Append the 4 checksum bytes from stage 7 to the extended RIPEMD-160 hash from stage 4; this is the 25-byte binary Bitcoin address: D E5E39F86A0D273BEED61967F
9 - Convert the result from a byte string into a base58 string using Base58Check encoding; this is the most commonly used Bitcoin address format: 16UwLL9Risc3QfPqBUvKofHmBQ7wMtjvM