Presentation is loading. Please wait.

Presentation is loading. Please wait.

How Bitcoin Achieves Decentralization

Published byRosalind Harmon Modified over 8 years ago

Similar presentations

Presentation on theme: "How Bitcoin Achieves Decentralization"— Presentation transcript:

1 How Bitcoin Achieves Decentralization
Tyler Moore, CS 7403, University of Tulsa Slides adapted from Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, Princeton University

2 Overview Centralization vs. decentralization Distributed consensus
Consensus without identity: the block chain Incentives and proof-of-work Putting it all together

3 Overview Centralization vs. decentralization Distributed consensus
Consensus without identity: the block chain Incentives and proof-of-work Putting it all together

4 Centralization vs. decentralization
Competing paradigms that underlie many digital technologies

5 Decentralization is not all-or-nothing
decentralized protocol, but dominated by centralized webmail services

6 Aspects of decentralization in Bitcoin
Who maintains the ledger? Who has authority over which transactions are valid? Who creates new bitcoins? Who determines how the rules of the system change? How do bitcoins acquire exchange value? Beyond the protocol: exchanges, wallet software, service providers...

7 Aspects of decentralization in Bitcoin
Peer-to-peer network: open to anyone, low barrier to entry Mining: open to anyone, but inevitable concentration of power often seen as undesirable Updates to software: core developers trusted by community, have great power

8 Overview Centralization vs. decentralization Distributed consensus
Consensus without identity: the block chain Incentives and proof-of-work Putting it all together

9 Bitcoin’s key challenge
Key technical challenge of decentralized e-cash: distributed consensus or: how to decentralize ScroogeCoin

10 Defining distributed consensus
The protocol terminates and all correct nodes decide on the same value This value must have been proposed by some correct node

11 Bitcoin is a peer-to-peer system
When Alice wants to pay Bob: she broadcasts the transaction to all Bitcoin nodes Pay to pkBob : H( ) signed by Alice Note: Bob’s computer is not in the picture

12 How consensus could work in Bitcoin
At any given time: All nodes have a sequence of blocks of transactions they’ve reached consensus on Each node has a set of outstanding transactions it’s heard about

13 How consensus could work in Bitcoin
Tx Tx Tx Tx Consensus protocol Tx Tx OK to select any valid block, even if proposed by only one node

14 No notion of global time
Why consensus is hard Nodes may crash Nodes may be malicious Network is imperfect Not all pairs of nodes connected Faults in network Latency No notion of global time Analogy of talking on the phone and having a lag

15 Many impossibility results
Byzantine generals problem Fischer-Lynch-Paterson (deterministic nodes): consensus impossible with a single faulty node

16 Understanding impossibility results
These results say more about the model than about the problem The models were developed to study systems like distributed databases

17 Bitcoin consensus: theory & practice
Bitcoin consensus works better in practice than in theory Theory is still catching up BUT theory is important, can help predict unforeseen attacks

18 Some things Bitcoin does differently
Introduces incentives Possible because it’s a currency! Embraces randomness Does away with the notion of a specific end-point Consensus happens over long time scales — about 1 hour

19 Overview Centralization vs. decentralization Distributed consensus
Consensus without identity: the block chain Incentives and proof-of-work Putting it all together

20 Why identity? Pragmatic: some protocols need node IDs
Security: assume less than 50% malicious

21 Why don’t Bitcoin nodes have identities?
Identity is hard in a P2P system — Sybil attack Pseudonymity is a goal of Bitcoin

22 Weaker assumption: select random node
Analogy: lottery or raffle When tracking & verifying identities is hard, we give people tokens, tickets, etc. Now we can pick a random ID & select that node

23 Key idea: implicit consensus
In each round, random node is picked This node proposes the next block in the chain Other nodes implicitly accept/reject this block by either extending it or ignoring it and extending chain from earlier block Every block contains hash of the block it extends

24 Consensus algorithm (simplified)
New transactions are broadcast to all nodes Each node collects new transactions into a block In each round a random node gets to broadcast its block Other nodes accept the block only if all transactions in it are valid (unspent, valid signatures) Nodes express their acceptance of the block by including its hash in the next block they create

25 What can a malicious node do?
Double-spending attack CA → B Pay to pkB : H( ) signed by A CA → A’ Pay to pkA’ : H( ) signed by A Can’t create new transactions from someone else’s address, or modify them. Suppressing tx’s is only a minor annoyance. Honest nodes will extend the longest valid branch

26 From Bob the merchant’s point of view
1 confirmation 3 confirmations CA → B CA → A’ Double-spend probability decreases exponentially with # of confirmations Most common heuristic: 6 confirmations double-spend attempt Hear about CA → B transaction 0 confirmations

27 Recap Protection against invalid transactions is cryptographic, but enforced by consensus Protection against double-spending is purely by consensus You’re never 100% sure a transaction is in consensus branch. Guarantee is probabilistic

28 Overview Centralization vs. decentralization Distributed consensus
Consensus without identity: the block chain Incentives and proof-of-work Putting it all together

29 Assumption of honesty is problematic
Can we give nodes incentives for behaving honestly? Everything so far is just a distributed consensus protocol But now we utilize the fact that the currency has value Can we reward nodes that created these blocks? Can we penalize the node that created this block?

30 Incentive 1: block reward
Creator of block gets to include special coin-creation transaction in the block choose recipient address of this transaction Value is fixed: currently 25 BTC, halves every 4 years Block creator gets to “collect” the reward only if the block ends up on long-term consensus branch!

31 There’s a finite supply of bitcoins
Block reward is how new bitcoins are created Runs out in No new bitcoins unless rules change Total supply: 21 million Year Total bitcoins in circulation First inflection point: reward halved from 50BTC to 25BTC

32 Incentive 2: transaction fees
Creator of transaction can choose to make output value less than input value Remainder is a transaction fee and goes to block creator Purely voluntary, like a tip

33 Remaining problems How to pick a random node?
How to avoid a free-for-all due to rewards? How to prevent Sybil attacks?

34 Proof of work To approximate selecting a random node:
select nodes in proportion to a resource that no one can monopolize (we hope) In proportion to computing power: proof-of-work In proportion to ownership: proof-of-stake

35 Equivalent views of proof of work
Select nodes in proportion to computing power Let nodes compete for right to create block Make it moderately hard to create new identities

36 Hash puzzles To create block, find nonce s.t.
prev_h Tx To create block, find nonce s.t. H(nonce ‖ prev_hash ‖ tx ‖ … ‖ tx) is very small Output space of hash Target space If hash function is secure: only way to succeed is to try enough nonces until you get lucky If Alice has 100x more computing power than Bob it doesn’t mean she always wins the race. It means she has about a 99% chance of wining. In the long run Bob will create 1% of the blocks

37 PoW property 1: difficult to compute
As of Aug 2014: about 1020 hashes/block Only some nodes bother to compete — miners

38 PoW property 2: parameterizable cost
Nodes automatically re-calculate the target every two weeks Goal: average time between blocks = 10 minutes Prob (Alice wins next block) = fraction of global hash power she controls what happens if time b/w blocks is too low or too high

39 Key security assumption
Attacks infeasible if majority of miners weighted by hash power follow the protocol

40 Solving hash puzzles is probabilistic
Time to next block (entire network) Probability density 10 minutes

41 PoW property 3: trivial to verify
Nonce must be published as part of block Other miners simply verify that H(nonce ‖ prev_hash ‖ tx ‖ … ‖ tx) < target

42 Mining economics Complications: fixed vs. variable costs
reward depends on global hash rate If mining reward (block reward + Tx fees) > hardware + electricity cost Profit

43 Overview Centralization vs. decentralization Distributed consensus
Consensus without identity: the block chain Incentives and proof-of-work Putting it all together

44 Recap Identities Transactions P2P network Block chain & consensus
Hash puzzles & mining

45 Bitcoin has three types of consensus
Value State Rules

46 Bitcoin is bootstrapped
security of block chain value of currency health of mining ecosystem

47 What can a “51% attacker” do?
Steal coins from existing address? Suppress some transactions? From the block chain From the P2P network Change the block reward? Destroy confidence in Bitcoin? ✓✓

48 Remaining questions How do we get from consensus to currency?
What else can we do with consensus?

Download ppt "How Bitcoin Achieves Decentralization"

Similar presentations

The easy answers to the hard questions! WHAT IS BITCOIN?

The easy answers to the hard questions! WHAT IS BITCOIN?
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Secure Digital Currency: Bitcoin Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the.

Secure Digital Currency: Bitcoin Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the.
CS425/CSE424/ECE428 — Distributed Systems — Fall 2011 2011-12-01Nikita Borisov - UIUC1.

CS425/CSE424/ECE428 — Distributed Systems — Fall Nikita Borisov - UIUC1.
Bitcoin. What is Bitcoin? A P2P network for electronic payments Benefits: – Low fees – No middlemen – No central authority – Can be anonymous – Each payment.

Bitcoin. What is Bitcoin? A P2P network for electronic payments Benefits: – Low fees – No middlemen – No central authority – Can be anonymous – Each payment.
Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.

Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.
Stefan Dziembowski Why do the cryptographic currencies need a solid theory? Forum Informatyki Teoretycznej, Warsaw 30.1.2015.

Stefan Dziembowski Why do the cryptographic currencies need a solid theory? Forum Informatyki Teoretycznej, Warsaw
Advanced Computer Communications PROFESSOR:STUDENT: PROF. DR. ING. BRAD REMUS STEFAN FEILMEIER - 10.04.2014 - FACULTATEA DE INGINERIE HERRMANN OBERTH MASTER-PROGRAM.

Advanced Computer Communications PROFESSOR:STUDENT: PROF. DR. ING. BRAD REMUS STEFAN FEILMEIER FACULTATEA DE INGINERIE HERRMANN OBERTH MASTER-PROGRAM.
1 The Sybil Attack John R. Douceur Microsoft Research Presented for Cs294-4 by Benjamin Poon.

1 The Sybil Attack John R. Douceur Microsoft Research Presented for Cs294-4 by Benjamin Poon.
BITCOIN An introduction to a decentralised and anonymous currency. By Andy Brodie.

BITCOIN An introduction to a decentralised and anonymous currency. By Andy Brodie.
Bitcoin is the FUTURE of MONEY!!

Bitcoin is the FUTURE of MONEY!!
 Structured peer to peer overlay networks are resilient – but not secure.  Even a small fraction of malicious nodes may result in failure of correct.

 Structured peer to peer overlay networks are resilient – but not secure.  Even a small fraction of malicious nodes may result in failure of correct.
The world’s first decentralized digital currency Meni Rosenfeld Bitcoil 29/11/2012Written by Meni Rosenfeld1.

The world’s first decentralized digital currency Meni Rosenfeld Bitcoil 29/11/2012Written by Meni Rosenfeld1.
On Power Splitting Games in Distributed Computation: The case of Bitcoin Pooled Mining Loi Luu, Ratul Saha, Inian Parameshwaran, Prateek Saxena & Aquinas.

On Power Splitting Games in Distributed Computation: The case of Bitcoin Pooled Mining Loi Luu, Ratul Saha, Inian Parameshwaran, Prateek Saxena & Aquinas.
Bitcoin (what, why and how?)

Bitcoin (what, why and how?)
Bitcoins and the Digital Economy Presented By: Matt Blackman.

Bitcoins and the Digital Economy Presented By: Matt Blackman.
1 Bitcoin A Digital Currency. Functions of Money.

1 Bitcoin A Digital Currency. Functions of Money.
Bitcoin 101 and Beyond Jonathan Levin VP Business Development, Chainalysis GmbH.

Bitcoin 101 and Beyond Jonathan Levin VP Business Development, Chainalysis GmbH.
Bitcoin today (October 2, 2015)

Bitcoin today (October 2, 2015)
Identity based signature schemes by using pairings Parshuram Budhathoki Department of Mathematical Science FAU 02/21/2013 Cyber Security Seminar, FAU.

Identity based signature schemes by using pairings Parshuram Budhathoki Department of Mathematical Science FAU 02/21/2013 Cyber Security Seminar, FAU.

Similar presentations

Ads by Google