Presentation transcript:

Digital vs. paper currencies. Paper: [image]. Digital: 16fab13fc6890. Very useful if … is also digital.

A traditional way of paying “digitally”: Alice gives her credit card number to Bob; the number is passed on to a trusted server, which transfers money to Bob’s account and returns a transfer confirmation. Problems: 1. a trusted server is needed for each transaction (money doesn’t “circulate”), 2. high transaction fees, 3. no anonymity.

Can we have a true “digital analogue” of paper money? Yes: Bitcoin! A digital currency introduced by “Satoshi Nakamoto” in …. Currency unit: Bitcoin (BTC); 1 BTC = 10^8 Satoshi. As of …: market cap = $7,990,451,275; 1 BTC = $641.13.

Problems with previous approaches: 1. a trusted server is needed (money doesn’t “circulate”), 2. high transaction fees, 3. no anonymity. In Bitcoin: no trusted server, money circulates; low fees; “pseudo-anonymity”.

“No trusted server” means that nobody “controls the money”, and therefore: – the amount of money that will ever be “printed” is fixed (to around 21 mln BTC) → no inflation; – the exchange rate fluctuates: [chart].

Bitcoin ≈ “real money”? Bitcoin’s value comes from the fact that “people expect that other people will accept it in the future.” Bitcoin enthusiasts: it’s like all the other currencies. Bitcoin sceptics: it’s an artificial “bubble”.

Main problem with digital money: double spending… (the same coin 16fab13fc6890 spent twice). Bits are easier to copy than paper!

Bitcoin idea (simplified): the users emulate a public trusted bulletin-board containing a list of transactions. A transaction is of the form “User P1 transfers a coin #16fab13fc6890 to user P2”. This prevents double spending: if P1 tries to transfer coin 16fab13fc6890 a second time, everybody can see that “you’ve already spent this coin!”

What needs to be discussed: 1. How is the trusted bulletin-board maintained? 2. How are the users identified? 3. Where does the money come from? 4. What is the syntax of the transactions?

Trusted bulletin-board emulation. Main difficulty: some parties can cheat. Classical result: possible if the “majority is honest”. For example, for 5 players we can tolerate at most 2 “cheaters”. (The “ideal” world, with a trusted party maintaining the board, is replaced by a protocol that emulates the ideal world.)

Problem: how to define “majority” in a situation where everybody can join the network?

The Bitcoin solution: define the “majority” as the majority of the computing power. Now creating multiple identities does not help!

How is this verified? Main idea: use Proofs of Work, and incentivize honest users to constantly participate in the process. The honest users can use their idle CPU cycles. Nowadays this is often done on dedicated hardware.

Proofs of Work (PoWs). Introduced by Dwork and Naor [Crypto 1992] as a countermeasure against spam. Basic idea: force users to do some computational work, i.e. solve a moderately difficult “puzzle” whose solution can be easily checked. One of the simplest PoWs is based on cryptographic hash functions.

Cryptographic hash functions. A function H : {0,1}* → {0,1}^n is a cryptographic hash function if it “behaves as random”. Common examples: SHA1, SHA3, RIPEMD, … Informal property: the only way to find x such that H(x) has some property is to do a brute-force search. Example: SHA1(Będlewo) = 6533a9b2ab79e57a555bc3a7cdbc58998d6000f0, SHA1(Bendlewo) = f2a5a0cb8b942fbcb472a4cf6d6699ff6f630c71.

A simple hash-based PoW. H is a hash function whose computation takes time TIME(H); n is the “hardness parameter”. Verifier → Prover: a random x. Prover: finds a “salt” s such that H(s, x) starts with n zeros (in binary); this takes time 2^n · TIME(H). Prover → Verifier: s. Verifier: checks if H(s, x) starts with n zeros; this takes time TIME(H).
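The prover/verifier exchange above, worked out in code. This is an added example, not part of the slides: H is instantiated with SHA-256 (the slides leave the hash function abstract; SHA-256 is what Bitcoin uses), the salt is searched as a counter rather than drawn at random, and the names prove, verify and leading_zero_bits are mine.

```python
import hashlib
from typing import Optional, Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits of a digest: what 'starts with n zeros (in binary)' means."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def H(salt: bytes, challenge: bytes) -> bytes:
    """The slide's H(s, x), instantiated with SHA-256. The salt is length-prefixed so that
    different splits of the same byte string into (s, x) cannot yield the same input."""
    return hashlib.sha256(len(salt).to_bytes(4, "big") + salt + challenge).digest()


def verify(challenge: bytes, n: int, salt: bytes) -> bool:
    """Verifier side: a single evaluation of H, i.e. time TIME(H)."""
    return leading_zero_bits(H(salt, challenge)) >= n


def prove(challenge: bytes, n: int, max_tries: Optional[int] = None) -> Tuple[bytes, int]:
    """Prover side: brute force over counters until H(s, x) has n leading zero bits.
    Each try costs TIME(H) and succeeds with probability 2^-n, so the expected cost is
    2^n * TIME(H). Returns (salt, number of hashes computed)."""
    counter = 0
    while max_tries is None or counter < max_tries:
        salt = counter.to_bytes(8, "big")
        if verify(challenge, n, salt):
            return salt, counter + 1
        counter += 1
    raise RuntimeError(f"no salt with {n} leading zero bits found within {max_tries} tries")


if __name__ == "__main__":
    # Constructed demo: the verifier draws a random challenge x, the prover solves it for
    # increasing hardness; the prover's work doubles per bit while the check stays one hash.
    import os
    x = os.urandom(16)
    for n in (8, 12, 16):
        salt, tries = prove(x, n)
        print(f"n={n:2d}: solved after {tries:6d} hashes (expected ~{2 ** n}); "
              f"verifier accepts: {verify(x, n, salt)}")
```

Raising n by one doubles the expected prover cost and leaves the verifier's cost at one hash, which is the asymmetry the scheme relies on; max_tries bounds the prover so a caller can give up on an unreasonably hard puzzle instead of looping forever.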

Main idea. The users participating in the scheme are called the “miners”. They maintain a chain of blocks: block 0 (the “genesis block”, created by Satoshi on 03/Jan/2009) → block 1 (transactions from period 1) → block 2 (transactions from period 2) → block 3 (transactions from period 3) → … A new block appears roughly every ≈ 10 min.

How to post on the board: just broadcast (over the internet) your transaction T to the miners, and hope they will add it to the next block. (The miners are incentivized to do it.)

Main principles: 1. It is computationally hard to extend the chain. 2. Once a miner finds an extension he broadcasts it to everybody (the system incentivizes them to do it). 3. The users will always accept “the longest chain” as the valid one.

How are the PoWs used? Main idea: to extend the chain after block i, one needs to find a salt such that H(salt, block i, transactions) starts with some number n of zeros, where H is a hash function. Every block is thus linked to its predecessor through H: block 0 → block 1 → block 2 → block 3 → …, each carrying its period’s transactions and its salt.

The hardness parameter is periodically changed. The computing power of the miners changes, while the miners should generate a new block each 10 minutes (on average). Therefore the hardness parameter is periodically adjusted to the mining power; this happens once each 2016 blocks. For example, the block generated on … at …:52:10 had a hash that looked like this (leading digits elided): …d8733e03fa9f5e52ec912fa82c9adfed09fbca9563cb4ce

How it looks in real life: [screenshot].

What if there is a “fork”? Chain: block i → block i+1 → block i+2 → block i+3 → block i+4 (this chain is valid). Fork: block i+1 → block’ i+2 → block’ i+3. The “longest” chain counts.

Does it make sense to “work” on a shorter chain (block’ i+2 → block’ i+3 instead of block i+2 → block i+3 → block i+4)? No! Because everybody else is working on extending the longest chain. Recall: we assumed that the majority follows the protocol.

How are the miners incentivized to participate in this game? Short answer: they are paid (in Bitcoins) for this. We will discuss it in detail later…

How long should one wait to be sure that the transaction is “confirmed”? Suppose T = “Alice transfers 1 BTC to Bob” is included in some block i+1. Bob waits for a few more blocks (i+2, i+3, i+4, …) to be sure that there was no fork.
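A toy version of the chain, the mining step, the periodic hardness adjustment, fork resolution by longest chain and the confirmation count from the last few slides. This is added example code, not from the talk and not Bitcoin's own implementation: Block, mine, retarget, choose_chain and confirmations are my names, transactions are plain strings, the block hash is SHA-256 over a JSON encoding of the block, and the hardness is expressed as a numeric target (a hash that "starts with n zeros" is exactly a hash below 2^(256-n)).

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Iterable, List

RETARGET_INTERVAL = 2016   # blocks between hardness adjustments
BLOCK_INTERVAL = 600       # desired spacing: one block per 10 minutes, on average


def target_for_zero_bits(n: int) -> int:
    """'Hash starts with n zero bits' is the same as 'hash < 2**(256-n)' for a 256-bit hash."""
    return 1 << (256 - n)


def retarget(target: int, actual_seconds: int) -> int:
    """After 2016 blocks, scale the target by (actual / expected) elapsed time so blocks keep
    arriving every ~10 min. A larger target is easier. The time ratio is clamped to [1/4, 4]
    per period (as Bitcoin does), so one abnormal period cannot swing the hardness wildly."""
    expected = RETARGET_INTERVAL * BLOCK_INTERVAL
    clamped = max(expected // 4, min(expected * 4, actual_seconds))
    return max(1, min((1 << 256) - 1, target * clamped // expected))


@dataclass(frozen=True)
class Block:
    prev_hash: str        # H of the previous block: this is what chains the blocks together
    transactions: tuple   # the period's transactions (plain strings here)
    target: int           # the hardness parameter in force for this block
    salt: int             # the value the miner searched for

    def hash(self) -> str:
        body = json.dumps([self.prev_hash, list(self.transactions), self.target, self.salt])
        return hashlib.sha256(body.encode()).hexdigest()


def has_valid_pow(block: Block) -> bool:
    return int(block.hash(), 16) < block.target


def mine(prev_hash: str, transactions: Iterable[str], target: int) -> Block:
    """The proof of work: try salts until H(salt, block i, transactions) meets the target."""
    txs = tuple(transactions)
    salt = 0
    while True:
        candidate = Block(prev_hash, txs, target, salt)
        if has_valid_pow(candidate):
            return candidate
        salt += 1


GENESIS = Block("0" * 64, ("genesis",), target_for_zero_bits(0), 0)   # constructed block 0


def is_valid_chain(chain: List[Block]) -> bool:
    """Every block must point at its predecessor's hash and carry a valid proof of work."""
    if not chain or chain[0] != GENESIS:
        return False
    return all(cur.prev_hash == prev.hash() and has_valid_pow(cur)
               for prev, cur in zip(chain, chain[1:]))


def choose_chain(candidates: List[List[Block]]) -> List[Block]:
    """Fork resolution as on the slides: the longest valid chain wins.
    (Bitcoin nodes compare total accumulated work instead, which matters once targets differ.)"""
    valid = [c for c in candidates if is_valid_chain(c)]
    if not valid:
        raise ValueError("no valid chain among candidates")
    return max(valid, key=len)


def confirmations(chain: List[Block], tx: str) -> int:
    """1 if tx sits in the tip block, +1 for every block mined on top of it; 0 if absent."""
    for depth, block in enumerate(reversed(chain)):
        if tx in block.transactions:
            return depth + 1
    return 0


if __name__ == "__main__":
    # Constructed demo: an easy target (8 zero bits) keeps mining instant; an honest
    # extension of length 3 beats a competing fork of length 1 off the same block.
    target = target_for_zero_bits(8)
    pay = "Alice transfers 1 BTC to Bob"
    honest = [GENESIS, mine(GENESIS.hash(), [pay], target)]
    for period in (2, 3):
        honest.append(mine(honest[-1].hash(), [f"transactions from period {period}"], target))
    fork = honest[:2] + [mine(honest[1].hash(), ["conflicting block"], target)]
    best = choose_chain([fork, honest])
    print(f"longest chain: {len(best)} blocks; Bob's payment has "
          f"{confirmations(best, pay)} confirmations")
```

Tampering with any earlier block changes its hash, so the next block's prev_hash no longer matches and is_valid_chain rejects the whole suffix; rebuilding that suffix means redoing every proof of work after the edited block, which is why Bob's confidence grows with each confirmation.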

What needs to be discussed: 1. How is the trusted bulletin-board maintained? 2. How are the users identified? 3. Where does the money come from? 4. What is the syntax of the transactions?

User identification: we use digital signature schemes. Each user holds a secret key sk1 and a public key pk1 and announces “I am pk1”. The users are identified by their public keys.

Digital signature schemes. A digital signature scheme consists of algorithms Gen, Sign and Vrfy, where: Gen takes no input and outputs (secret key sk, public key pk); Sign takes (sk, message M) and outputs a signature σ; Vrfy takes (pk, M, σ) and outputs yes/no. Correctness: for every (sk, pk) := Gen() and every M we have Vrfy(pk, M, Sign(sk, M)) = yes. Security: “without knowing sk it is infeasible to compute σ such that Vrfy(pk, M, σ) = yes”.

Digital signature schemes are: publicly verifiable, non-repudiable, transferrable. (P1 runs Gen to obtain the secret key sk1 and the public key pk1; the public key of P1 is pk1. P1 computes σ = Sign(sk1, M) and sends (M, σ); the recipient checks Vrfy(pk1, M, σ) and can pass (M, σ) on to a third party, who checks Vrfy(pk1, M, σ) in the same way.)

What needs to be discussed: 1. How is the trusted bulletin-board maintained? 2. How are the users identified? 3. Where does the money come from? 4. What is the syntax of the transactions?

Where does the money come from? A miner who finds a new block gets a “reward” in BTC: for the first 210,000 blocks: 50 BTC; for the next 210,000 blocks: 25 BTC (the current reward); for the next 210,000 blocks: 12.5 BTC; and so on… Note: 210,000 · (50 + 25 + 12.5 + …) → 21,000,000, and 210,000 blocks ≈ 4 years.

This is how it looks in detail: [screenshot].

More details. Each block contains a transaction that transfers the reward to the miner. Advantages: 1. It provides incentives to be a miner. 2. It also makes the miners interested in broadcasting new blocks asap (this view was challenged in a recent paper: Ittay Eyal, Emin Gün Sirer, “Majority is not Enough: Bitcoin Mining is Vulnerable”).

What needs to be discussed: 1. How is the trusted bulletin-board maintained? 2. How are the users identified? 3. Where does the money come from? 4. What is the syntax of the transactions?

Transaction syntax – simplified view. T1 = (User P1 creates 25 BTC) – the 25 BTC are created in the “mining process”. T2 = (User P1 sends 25 BTC from T1 to P2; signature of P1 on [T2]). T3 = (User P2 sends 25 BTC from T2 to P3; signature of P2 on [T3]). Here [T2] denotes the part of T2 that is signed, and 25 BTC is the “value of T2”. We say that T3 redeems T2.

How to “divide money”? Multi-output transactions: T2 = (User P1 sends 10 BTC from T1 to user P2, User P1 sends 7 BTC from T1 to user P3, User P1 sends 8 BTC from T1 to user P4; signature of P1 on [T2]). The single signature of P1 covers all three outputs: 10 BTC to P2, 7 BTC to P3, 8 BTC to P4.

Multiple inputs: T2 = (User P2 sends 10 BTC from T1 to user P1, User P3 sends 7 BTC from T1 to user P1, User P4 sends 8 BTC from T1 to user P1; signature of P2 on [T2], signature of P3 on [T2], signature of P4 on [T2]). All signatures need to be valid!

Time-locks. It is also possible to specify a time t when a transaction becomes valid: T2 = (User P1 sends 25 BTC from T1 to P2 if time t has passed; signature of P1 on [T2]). Time is measured either in real time or in blocks.

Generalizations. 1. All these features can be combined. 2. The total value of the incoming transactions can be larger than the value of the outgoing transactions (the difference is called a “fee” and goes to the miner). 3. The condition for redeeming a transaction can be more general (the so-called “strange transactions”).

Strange transactions. Standard form: T2 = (User P1 sends 1 BTC from T1 to P2; signature of P1 on [T2]), T3 = (User P2 sends 1 BTC from T2 to P3; signature of P2 on [T3]). Generalized form: T2 = (1 BTC from T1; a condition C2 to spend T2, which is a Boolean function; a “witness W2”), T3 = (from T2; a condition C3 to spend T3; a “witness W3”).

Redeeming condition: T3 redeems T2 if C2 evaluates to true on input ([T3], W3). Note: in the standard transactions C2([T3], W3) = Vrfy(pk2, [T3], W3).
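One program that covers the signature scheme (Gen, Sign, Vrfy) of the identification slides and the transaction syntax of the last few slides: multi-output and multi-input transactions, fees, time-locks, and the redeeming condition C([T], W) with the standard case C([T], W) = Vrfy(pk, [T], W). This is an added example, not the talk's code and not Bitcoin's: the signature scheme is a Lamport one-time scheme, chosen so the block needs nothing beyond hashlib (Bitcoin uses ECDSA); Tx, validate, apply_tx, pay_to_pubkey and slides_example are my names; the run in slides_example reuses the slides' figures (25 BTC split 10/7/8 and gathered back) with a 1 BTC fee and a lock time that are my additions.

```python
import hashlib
import json
import os
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

COIN = 100_000_000   # satoshi per BTC

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# (Gen, Sign, Vrfy): Lamport one-time signatures, built from the hash function alone so the
# example needs no library (Bitcoin itself uses ECDSA). A Lamport key pair may sign ONE
# message only; a second signature reveals more of sk. Each party below signs once.
def gen() -> Tuple[list, list]:
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[h(a), h(b)] for a, b in sk]
    return sk, pk

def _bits(message: bytes) -> List[int]:
    d = h(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk: list, message: bytes) -> list:
    return [sk[i][b] for i, b in enumerate(_bits(message))]

def vrfy(pk: list, message: bytes, sig: list) -> bool:
    return len(sig) == 256 and all(h(sig[i]) == pk[i][b] for i, b in enumerate(_bits(message)))

def pk_id(pk: list) -> str:
    """Users are identified by their public key; its hash serves as a short name."""
    return h(b"".join(a + b for a, b in pk)).hex()

# Transactions: every output carries a condition C, every input a witness W.
CONDITIONS: Dict[str, Callable[[bytes, Any], bool]] = {}   # condition id -> C([T], W)

def pay_to_pubkey(pk: list) -> str:
    """The standard condition: C([T], W) = Vrfy(pk, [T], W)."""
    cid = "pk:" + pk_id(pk)
    CONDITIONS[cid] = lambda body, w: vrfy(pk, body, w)
    return cid

@dataclass
class Tx:
    inputs: List[Tuple[str, int]]    # (txid being redeemed, output index); empty for a coinbase
    outputs: List[Tuple[int, str]]   # (value in satoshi, condition id)
    locktime: int = 0                # time-lock: not valid before this block height
    witnesses: List[Any] = field(default_factory=list)   # one W per input; NOT part of [T]

    def body(self) -> bytes:
        # [T]: what a signature covers. Witnesses are excluded: a signature cannot sign itself.
        return json.dumps([self.inputs, self.outputs, self.locktime]).encode()

    def txid(self) -> str:
        return h(self.body()).hex()

UTXO = Dict[Tuple[str, int], Tuple[int, str]]   # unspent outputs: (txid, idx) -> (value, cid)

def validate(tx: Tx, utxo: UTXO, height: int) -> int:
    """Return the fee if tx redeems all its inputs validly; raise ValueError otherwise."""
    if height < tx.locktime:
        raise ValueError("time-lock has not expired")
    if len(tx.witnesses) != len(tx.inputs):
        raise ValueError("one witness per input required")
    total_in = 0
    for ref, w in zip(tx.inputs, tx.witnesses):
        if ref not in utxo:
            raise ValueError(f"{ref} is unknown or already spent (double spend)")
        value, cid = utxo[ref]
        if not CONDITIONS[cid](tx.body(), w):   # every input's condition must accept
            raise ValueError(f"condition {cid} not satisfied")
        total_in += value
    total_out = sum(v for v, _ in tx.outputs)
    if total_out > total_in:
        raise ValueError("outputs exceed inputs")
    return total_in - total_out                 # the difference is the miner's fee

def apply_tx(tx: Tx, utxo: UTXO, height: int, coinbase: bool = False) -> int:
    """Validate (unless coinbase) and record tx in the UTXO set; return the fee."""
    fee = 0 if coinbase else validate(tx, utxo, height)
    for ref in tx.inputs:
        del utxo[ref]
    for idx, out in enumerate(tx.outputs):
        utxo[(tx.txid(), idx)] = out
    return fee

def slides_example() -> int:
    """Constructed run: T1 mints 25 BTC to P1; T2 splits it 10/7/8 to P2, P3, P4 (multi-output);
    T3 gathers it back to P1 (multi-input, time-locked), leaving a 1 BTC fee."""
    utxo: UTXO = {}
    (sk1, pk1), (sk2, pk2), (sk3, pk3), (sk4, pk4) = gen(), gen(), gen(), gen()
    t1 = Tx([], [(25 * COIN, pay_to_pubkey(pk1))])
    apply_tx(t1, utxo, height=1, coinbase=True)
    t2 = Tx([(t1.txid(), 0)], [(10 * COIN, pay_to_pubkey(pk2)), (7 * COIN, pay_to_pubkey(pk3)),
                               (8 * COIN, pay_to_pubkey(pk4))])
    t2.witnesses = [sign(sk1, t2.body())]
    apply_tx(t2, utxo, height=2)
    t3 = Tx([(t2.txid(), i) for i in range(3)], [(24 * COIN, pay_to_pubkey(pk1))], locktime=5)
    t3.witnesses = [sign(sk, t3.body()) for sk in (sk2, sk3, sk4)]
    return apply_tx(t3, utxo, height=5)   # fee: 25 - 24 = 1 BTC
```

Two details matter for correctness: the witnesses are deliberately left out of body(), since a signature has to be computed over the very bytes it is attached to, and validate refuses a transaction whose witness count differs from its input count, because otherwise an input with no witness would slip past the zip and still be deleted from the UTXO set when the transaction is applied.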

How are the conditions written? In the Bitcoin scripting language (non-Turing-complete, stack-based). Example: OP_DUP OP_HASH cfd7508be5c2e6ce9f1b6312b7f268476d2 OP_EQUALVERIFY OP_CHECKSIG

Bitcoin contracts. The “strange transactions” can be used to create “Bitcoin contracts”. Simple examples: pay money to anyone who knows some password; assurance contracts; put a “deposit” to prove you are not a spammer.
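A small interpreter for scripts like the OP_DUP … OP_CHECKSIG example above, which also runs the “pay money to anyone who knows some password” contract as a second condition. This is an added example, not Bitcoin's Script engine and not from the talk. Assumptions: OP_HASH is SHA-256 (Bitcoin's opcode is OP_HASH160, RIPEMD-160 over SHA-256); OP_CHECKSIG calls whatever verification function is passed in, and demo_checksig is an insecure stand-in that exists only so the machine can run offline; execute, redeems, pay_to_pubkey_hash and pay_to_password are my names.

```python
import hashlib
from typing import Callable, List, Union

Script = List[Union[str, bytes]]                    # opcode names and data pushes
CheckSig = Callable[[bytes, bytes, bytes], bool]    # (pubkey, signature, message) -> bool


def op_hash(data: bytes) -> bytes:
    """The slide's OP_HASH. Bitcoin's real opcode is OP_HASH160 = RIPEMD-160(SHA-256(x));
    SHA-256 is used here because RIPEMD-160 is absent from many OpenSSL builds."""
    return hashlib.sha256(data).digest()


def execute(script: Script, stack: List[bytes], message: bytes, checksig: CheckSig) -> bool:
    """Run a script against a stack. Returns False as soon as an operation fails (script abort)."""
    for op in script:
        if isinstance(op, bytes):                       # data push
            stack.append(op)
        elif op == "OP_DUP":
            if not stack:
                return False
            stack.append(stack[-1])
        elif op == "OP_HASH":
            if not stack:
                return False
            stack.append(op_hash(stack.pop()))
        elif op in ("OP_EQUAL", "OP_EQUALVERIFY"):
            if len(stack) < 2:
                return False
            equal = stack.pop() == stack.pop()
            if op == "OP_EQUALVERIFY":
                if not equal:
                    return False                        # VERIFY aborts instead of pushing a result
            else:
                stack.append(b"\x01" if equal else b"")
        elif op == "OP_CHECKSIG":
            if len(stack) < 2:
                return False
            pubkey, sig = stack.pop(), stack.pop()
            stack.append(b"\x01" if checksig(pubkey, sig, message) else b"")
        else:
            return False                                # unknown opcode: the script is invalid
    return True


def redeems(witness: Script, condition: Script, message: bytes, checksig: CheckSig) -> bool:
    """C([T], W): run the witness W (pushes sig and pubkey, or a password), then the condition C
    on the same stack; the output is spendable iff the top of the stack is true afterwards."""
    stack: List[bytes] = []
    ok = execute(witness, stack, message, checksig) and execute(condition, stack, message, checksig)
    return ok and bool(stack) and stack[-1] != b""


def pay_to_pubkey_hash(pubkey: bytes) -> Script:
    """The slide's example: the condition holds only the hash of the key; the witness reveals
    the key, which must hash to it, and then the signature on [T] is checked."""
    return ["OP_DUP", "OP_HASH", op_hash(pubkey), "OP_EQUALVERIFY", "OP_CHECKSIG"]


def pay_to_password(password: bytes) -> Script:
    """'Pay money to anyone who knows some password': the condition checks a hash preimage only."""
    return ["OP_HASH", op_hash(password), "OP_EQUAL"]


def demo_checksig(pubkey: bytes, sig: bytes, message: bytes) -> bool:
    """INSECURE stand-in so the machine runs without a signature library: anyone can forge it.
    A node plugs real signature verification (ECDSA in Bitcoin) in here."""
    return sig == hashlib.sha256(b"demo-sig|" + pubkey + b"|" + message).digest()
```

The password contract shows why the talk calls these transactions “strange”: the witness that satisfies OP_HASH … OP_EQUAL is the password itself, and it is broadcast in the clear with the redeeming transaction, so from that moment anyone who saw it knows the password too. The pay-to-pubkey-hash condition does not have this problem, because the revealed key is useless without a signature over [T].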

More complicated examples. Multiparty lottery [Andrychowicz, Dziembowski, Malinowski, Mazurek: Secure Multiparty Computations on Bitcoin, 2013; Back and Bentov: Bitcointalk thread, 2013]: each party puts in 1 BTC, and a random party earns 3 BTC.

Paying for delivering secret information [Andrychowicz, Dziembowski, Malinowski, Mazurek: Fair Two-Party Computations via Bitcoin Deposits (2013); How to deal with malleability of Bitcoin transactions (2014)]: “I will pay 100 BTC to anyone who provides information about secret accounts in Switzerland.”

Bitcoin risks: 1. Organized crime. 2. Since the transactions are irreversible, it’s easy to steal the coins.

Other cryptocurrencies: see coinmarketcap.com

Thank you!