Source: nicolascourtois.com/bitcoin/paycoin_may_2014.pdf

Crypto Currencies And Bitcoin

Nicolas T. Courtois

- University College London, UK

Crypto Currencies

UCL Bitcoin Seminar

UCL crypto currency seminar and special interest group

every Thur 12h00-14h00 - room and exact hour vary

public web page: www.want2pay.com

2 Nicolas T. Courtois 2009-2014

This Seminar

This is a university research seminar, with talks, demos, discussions, etc. Our goals are:
• Learn non-trivial facts about bitcoin, highly technical maths and crypto.
• Discover that many “facts” we have been told about bitcoin are… NOT true.
  – break bitcoin: will require serious effort.
• Improve bitcoin, so that it would be resistant to cybercriminals / NSA.
  – write our own software and apps, looking for developers
• Develop methods to investigate what is going on in these networks:
  – for example undoing the anonymity, discovering statistically significant patterns, etc.
• Produce scientific works and Master/PhD theses about bitcoin.

The seminar will run every week at UCL. Slides and other materials will be made available on a selective basis.

I will also invite external people as speakers and stakeholders.

Donations Policy

Address for donations: 1DsGj3NJKgFLGw9PUi2a7VDmwEF5bnaaq

Donations will be spent on:
• Drinks and food for participants of this seminar
• Student stipends
• Research expenses

Thanks for generous donations already received!

Speakers Wanted!

Speakers are wanted, also from business startups, bankers, lawyers, etc.

Send proposals of talks to: [email protected]
• speaker and affiliation
• title of your presentation
• 2-5 lines executive summary
• 10+ pages of supporting material: sample slides, white paper, etc. – to evaluate the quality/pertinence of your talk.
• time requested: 15 min / 30 min / 45 min.

Students planning to do an M.Sc. thesis on bitcoin are expected to deliver 2 short 15 min. talks before they are accepted to do their thesis on bitcoin.

Crypto Research at UCL

Dr. Nicolas T. Courtois
1. cryptologist and codebreaker
2. specialist of smart cards (e.g. bank cards, Oyster cards etc…)

Our Works on Bitcoin

Nicolas Courtois, Marek Grajek, Rahul Naik: The Unreasonable Fundamental Incertitudes Behind Bitcoin Mining, http://arxiv.org/abs/1310.7935

Nicolas Courtois, Lear Bahack: On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency, http://arxiv.org/abs/1402.1718

Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies, http://arxiv.org/abs/1405.0534

more in preparation.

Controversy Around Our Recent Paper:

https://bitcointalk.org/index.php?topic=600436.0;all


Introducing Bitcoin


Bitcoin In A Nutshell

• bitcoins are cryptographic tokens
  – stored by people on their PCs or mobile phones
• ownership is achieved through digital signatures:
  – you have a certain cryptographic key, you have the money.
  – publicly verifiable, only one entity can sign
• consensus-driven, a distributed system which has no central authority
  – but I will not claim it is decentralized, this is simply not true!
  – a major innovation is that financial transactions CAN be executed and policed without trusted authorities. Bitcoin is a sort of financial cooperative or a distributed business.
• based on self-interest:
  – a group of some 100 K people called bitcoin miners own the bitcoin “infrastructure”, which has cost about 0.5-1 billion dollars (estimation)
  – they make money from newly created bitcoins and fees
  – at the same time they approve and check the transactions.
  – a distributed electronic notary system

Two Key Concepts

• initially money is attributed through Proof Of Work (POW) to one public key A
  – to earn bitcoins one has to “work” (hashing) and consume energy (pay for electricity)
  – in order to cheat one needs to work even much more (be more powerful than the whole network, for a short while)
• money transfer from public key A to public key B:
  – like signing a transfer in front of one notary which confirms the signature,
  – multiple confirmations: another notary will re-confirm it, then another, etc…
  – we do NOT need to assume that ALL these notaries are honest.
• at the end it becomes too costly to cheat

Money Transfer


In Practice

Who Accepts Bitcoin?

Full P2P Client

http://bitcoin.org/en/download

15 giga, 24 hours…


Mobile Apps - Android


Is Bitcoin Money?


Money

Key invention in human history: money

- here is some money for your research

Is Bitcoin Money?

• We will NOT claim it has all the characteristics of money.
  – it definitely has some!
  – they are traded against traditional currencies at a number of exchanges.
  – bitcoins are “legal” by default,
  – there were some attempts to regulate them and even ban them by governments.

Two Main Functions of Money

1. Store Value
2. Allow Payment
(3. Unit of Account)

⇒ both money and payments become more “virtual” with time…

Evolution of - 1. Store Value

• Precious natural resources: salt etc. => evolution/selection =>
• Gold, Silver, Other Metals => Coins
• Paper Money
• Money as Electronic Record + Legal Protection + Government Guarantee
• 21st century: Cryptographic E-Cash

Evolution of - 2. Payments

• Physical Cash (Bank Notes, Coins) = M0
• Cheques
• Electronic Bank Transfer 20 days => 15 min…
• E-Purse Systems: geldkarte, London Oyster
• Bank Cards
• Contact-less Bank Cards, e.g. MasterCard PayPass:
• 21st century: Cryptographic E-Cash.

difference?

Gold = “Global Single Currency”??

Most countries abandoned the gold standard during the Great Depression,
  – one of the earliest was the Bank of England [1931].

Much later, in 1971: the United States abandons it. Nixon Shock

“Fiat Money”

Def: Government-issued money not convertible for anything particular (e.g. gold, goods etc).

Its value is controlled by the monetary policy and managed by the central bank.

(the quantity of money in circulation can be increased or decreased at any moment)

BOTTOM LINE

1. Store Value
2. Allow Payment

CAN BE IMPLEMENTED DIFFERENTLY!

SEPARATION IS NOT FORBIDDEN

Bitcoin Mining

Bitcoin

Bitcoin =… the most popular peer-to-peer payment and virtual currency system as of today

belongs to no one, anarchy

=>

Crypto Currencies

Bitcoin

Decentralized peer to peer payment system which works as currency: => has units of value which can be exchanged for “real money”. Currently 1 BTC = 400 USD.

Based on cryptography and network effects.

Anarchy, not supported by any government and not issued by any bank.

“Play money”, imperfect system.

*Disruption?

Disruptive Technology:

def: Allows one to do things which just could not be done before…

**Citations

Bitcoin is:
• Wild West of our time [Anderson-Rosenberg]
• There is no “undo” button for sth. like bitcoin [Mike Gogulski]

Krugman

• What’s wrong with Bitcoin? [title]
• Bitcoin is …
  – just one of possible ways to pay electronically [irony ☺]

– Paul Krugman, Nobel prize in economics

More Krugman!

• Bitcoin is …
  – “the anti-social network”
  – “bitcoin is evil” (he later claimed it was a joke)

– Paul Krugman, Nobel prize in economics

Who Is Evil?

• “Bitcoin Prevents Monetary Tyranny” - Jon Matonis for Forbes
• “Just thinking about bitcoin makes you a better person” – Max Keiser

13 April 2013

HOWEVER

Cyprus vs. Bitcoin – April 2013

correlation in Google searches


**Google Searches vs. Price 2013/14


April 2013

• there was a Cyprus banking crisis… depositors were unable to recover 100% of their deposits
• opinions about how crazy it was that bitcoin could rise…

April 2013

bubble? they have seen nothing yet!

13 April 2013

Bitcoin is:
• Digital Gold! - The Economist

Jan 2013-Jan 2014

10-11 April 2013 – MtGox 24h shutdown

14 => 1000 USD

13 April 2013 – “Digital Gold”, The Economist

Another Nobel Prize:

In Davos, Jan 2014: “It is a bubble, there is no question about it. … It’s just an amazing example of a bubble.”

– Robert Shiller, Nobel prize in economics, awarded specifically for work on asset bubbles.

***Flash Crash 10 Feb 2014 before 6AM

600 => 102 USD in a blink of an eye

Miracle Of Bitcoin

Removes two pillars of money:
• “trust” => Peer 2 Peer self-regulation based on self-interest?
• legal/government protection and policing => anarchy!

Is Bitcoin Money?

A Currency?


*Recall: Two Main Functions of Money

1. Store Value
2. Allow Payment
(3. Unit of Account)

Are They Crazy?

Anything can be “money” if sufficiently many people accept it… (e.g. salt).

Question of:
• popularity
  legal tender, government standardization and regulation <= recently thousands of press reports about bitcoin
• trust
  trustworthy authority <= assumption that majority of people are “honest”
  MUCH WEAKER… NO NEED TO TRUST ANYONE

Play Money?

A distinction play vs. real money has almost disappeared recently.

Types of “Virtual Money”

Source: ECB report, 10/2012

http://www.ecb.europa.eu/pub/pdf/other/virtualcurrencyschemes201210en.pdf

cf. Oyster…

Is Bitcoin Money?

Legal Side


Bitcoin Foundation Denial…


**Can Bitcoin Circumvent Laws?

Like “this is not money” => therefore we don’t do anything which falls within remit of existing laws (securities trading, gambling etc.)

Not so easy:

The Department of the Treasury Financial Crimes Enforcement Network (FinCEN) has clarified that cryptocurrency is not money, but all existing AML (Anti-Money Laundering) and KYC (Know Your Customer) regimes do nevertheless apply(!).

• Judge Amos Mazzant issued a memorandum arguing that bitcoin was “a currency or a form of money”.
• SEC clearly stated that transactions in bitcoins are financial transactions like any other, and are within their remit.

Bitcoin Is Subject To Laws!

Governments, judges and regulators will apply the rules which they think applicable; they are emerging and they are being clarified.

Bitcoin laundry question:
• If I mix bitcoins with other people.
• UK: Proceeds of the Crime Act: if I have assisted sb. in money laundering, I must report it to the Police or I can be prosecuted and go to prison.

**US Regulation?

• Bitcoin does not share characteristics with instruments that we regulate as securities.
• Consequently, the SEC, like the Federal Reserve, is an unlikely regulator.
• […] perhaps the Commodities Future Trading Commission (CFTC) will decide that it could supervise Bitcoin as a commodity.
• absence of a legitimate authority recognizing and attributing value to Bitcoin provides supervisory opportunity to the Consumer Financial Protection Bureau (CFPB), which has as a mandate ensuring consumer financial safety

=> all according to a Wall Street lawyer Maese.

**Block Chain Regulation

The same Wall Street lawyer also says that:
• The Block Chain technology could be SEPARATELY regulated (!!!)
• not proposing that the weightiness of bank regulation […] be applied to tech start-ups
• codification of development standards that good developers already use could help the network become safe.

Cf. Vivian A. Maese: Divining the Regulatory Future of Illegitimate Cryptocurrencies, In Wall Street Lawyer, Vol. 18 Issue 5, May 2014.

**Open Source = Criminals’ Best Friend?

…same Wall Street lawyer:
• The open-source nature of the developer population provides opportunities for frivolous or criminal behavior that can damage the participants in the same way that investors can be misled by promises of get rich quick schemes [...]
• a self-regulatory organization (SRO) [...] could be created to oversee and examine [...] the engineers who create the code [...]
• Regulations could ensure that cybersecurity requirements are engineered into the code and could ensure that the network would recover from a failure by building in redundancy. [...]
• One of the biggest risks that we face as a society in the digital age [...] is the quality of the code that will be used to run our lives.

Cf. Vivian A. Maese: Divining the Regulatory Future of Illegitimate Cryptocurrencies, In Wall Street Lawyer, Vol. 18 Issue 5, May 2014.

*UK

Problem: Initially UK HMRC have suggested that bitcoins are “VAT taxable vouchers” – however if bitcoin is regarded as a good, when you buy it you should pay 20% VAT…

⇒ totally inappropriate classification, now abandoned.

Is Bitcoin “Electronic Money”?

Directive 2009/110/EC of the European Parliament and of the Council defines the concept of “electronic money”,

Article 2: electronic money “means electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions […], and which is accepted by a natural or legal person other than the electronic money issuer”.

Is Bitcoin “Electronic Money”?

This has been disputed;
• YES “electronically stored monetary value”
  YES but stored in a diffused distributed way and valid if not spent and with regard to a majority of ASIC votes…
• NOT “as represented by a claim on the issuer”
• there is no “LEGAL” entity acting as issuer
• however
  – there is no legal obligation but a technical and practical claim which works, not a debt though,
  – and YES there exist issuers: miners,
  – or a collective issuer… “the bitcoin community”

Bitcoin in Germany

Bitcoin is “private money” in Germany.

Sweden: Bitcoin = method of payment.

Finland: detailed rules, closer to a commodity.

Canada

Very good environment, ATMs, start-ups

Bitcoin vs. Paypal, WesternUnion Etc


Bitcoin is…

“a low-cost replacement for credit cards and other payment mechanisms”

Very close to the business of
• Western Union
• CurrencyFair
• PayPal
• Mastercard

Bitcoin is a direct threat to these companies.

Competition Before Bitcoin

Credit cards: slow adoption:
• it took 100 years to get people to use them!

Bitcoin vs. Credit Cards


**Blacklisting Bitcoin By Banks


Beware!

Bitcoin transaction volume: usually WRONG reports, includes amounts people return to themselves

Similar data: coinometrics.com

11/2013

=> controversy: “pitiful statistics out of BTC fairyland”

Reuters: Fitch: Bitcoin Remains Small in Comparison … 68 M/day

More Lunatic Asylum Seekers

More WRONG reports, May 2014

5/2014

*Problems:

• It is very difficult to reliably estimate the transaction volume from the blockchain data alone.
• Blockchain.info provides both the misleading artificially inflated figures at http://blockchain.info/charts/output-volume and their estimation of the actual transaction volume by their own (imperfect) proprietary method, cf. blockchain.info/charts/estimated-transaction-volume,

Fiction Volume vs. Approximated Corrected One

fiction: USD >250 million/day?

corrected: USD 50 million/day

methodology still problematic…

*Why Is It Difficult To Estimate?

• Again truly accurate estimations are impossible to obtain.
  – A particular problem are the actions of some bitcoin addresses which hold very large balances and return change to themselves at new freshly created addresses.

Source: Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534
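The inflation effect described on the last three slides, as an added example (not from the original slides): a naive output sum is compared with two change-detection heuristics over a small constructed ledger. The addresses, amounts and both heuristics are assumptions for illustration and are not blockchain.info's proprietary method.

```python
"""Naive output volume vs. two change heuristics on a constructed ledger."""

# Constructed sample data, not real chain data. Each transaction lists
# (address, amount in BTC) pairs. "paid" is the ground truth that an
# outside observer of the block chain does not have.
TXS = [
    # ordinary payment, no change
    {"inputs": [("cust", 2)],
     "outputs": [("shop_A", 2)], "paid": 2},
    # large holder pays 5 BTC, change goes to a fresh address
    {"inputs": [("whale_0", 10000)],
     "outputs": [("shop_A", 5), ("whale_1", 9995)], "paid": 5},
    # same holder pays 5 BTC, change returns to the sending address
    {"inputs": [("whale_1", 9995)],
     "outputs": [("whale_1", 9990), ("shop_A", 5)], "paid": 5},
    # payee and change address are BOTH fresh: ambiguous for an observer
    {"inputs": [("whale_1", 9990)],
     "outputs": [("new_shop", 7), ("whale_2", 9983)], "paid": 7},
]


def true_volume(txs):
    """Ground truth, available only because the sample is constructed."""
    return sum(tx["paid"] for tx in txs)


def naive_volume(txs):
    """Sum of all outputs: counts change as if it had been paid."""
    return sum(amount for tx in txs for _, amount in tx["outputs"])


def volume_excluding_self_change(txs):
    """Drop outputs that go back to an address used as input of the same tx."""
    total = 0
    for tx in txs:
        senders = {addr for addr, _ in tx["inputs"]}
        total += sum(amt for addr, amt in tx["outputs"] if addr not in senders)
    return total


def volume_with_fresh_change_heuristic(txs):
    """Additionally treat a single never-seen output address as change.

    If exactly one of several outputs goes to an address that has never
    appeared before, assume it is the sender's change. When zero or several
    outputs are fresh the heuristic cannot decide and counts everything.
    """
    seen, total = set(), 0
    for tx in txs:
        senders = {addr for addr, _ in tx["inputs"]}
        seen |= senders
        outs = [(a, amt) for a, amt in tx["outputs"] if a not in senders]
        fresh = [a for a, _ in outs if a not in seen]
        if len(outs) >= 2 and len(fresh) == 1:
            outs = [(a, amt) for a, amt in outs if a != fresh[0]]
        total += sum(amt for _, amt in outs)
        seen |= {addr for addr, _ in tx["outputs"]}
    return total


def report(txs):
    """All four figures side by side."""
    return {
        "true": true_volume(txs),
        "naive": naive_volume(txs),
        "no_self_change": volume_excluding_self_change(txs),
        "fresh_change": volume_with_fresh_change_heuristic(txs),
    }


if __name__ == "__main__":
    for name, value in report(TXS).items():
        print(f"{name:>15}: {value} BTC")
```

One ambiguous transaction from a large balance is enough to keep even the better heuristic orders of magnitude above the amount actually paid.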


Arguably The Best Way To Measure Bitcoin Adoption in Payment

Anybody willing to pay transaction fees?


Competition After Bitcoin [2014]

Alternative payments business is booming, growing 3%/year [McKinsey], faster than normal banking business, banks are almost totally absent!

• Google wallet app and Amazon FPS allow to transfer money between customers
• Walmart, big telcos and many banks are developing their M-payment schemes in order to avoid Mastercard, Visa etc. fees…
• In Kenya, 43% of GDP transits through M-PESA, a mobile phone system which is also a front-end to banks where banks play a secondary role.
• PayPal president David Marcus:
  – initially they wanted to be independent from central banks and govs…
  – finally decided to become a bank, to become the biggest bank in the world?
  – has handled 180 billions in payments last year, 143 M customers
• Square new service - example: at coffee shop:
  – no signatures, no cards, no barcodes
  – check in when you enter the store
  – tell cashier your name and that you are using square!
  – the store manager has your picture displayed, he knows it is you
  – the customer receives a text with the amount paid, for him to check

Is Bitcoin Dead?

Not at all!

Key Problem:

After few brief episodes of capitalism, modern business favours slavery.

Bitcoin!

A payment system in which
• it is THE PAYER who initiates the transaction
• controls the amount being paid
• money and payments are stored outside of the banking system [most recent systems erode the dominant position of banks]
• money cannot be confiscated [cf. Cyprus banks].
• it challenges fractional reserve banking [new!] and forces finance to become more “transparent”

“Troubled” bitcoin [The Economist May 2014] is certainly here to stay => but now must face all sorts of competition and technical reforms [our work]

P2P Payment


Bitcoin Network

• Peer to peer, decentralized, no central authority, one ASIC one vote, => no third party risk [no need to trust the banker!]
• Knows no limits, borders, laws, etc…
• Computers connected into a P2P network…
• Every transaction can be downloaded by anyone…

1 client app

Bitcoin

• A Value Transfer Network
  • term proposed by a Wall Street lawyer Maese.

More Than a Network

• Also a community:
  – adopters, developers, miners, speculators, etc…
• Upgrade the software, change the spec:
  – people vote with their feet
  – bitcoin belongs to no one

Network Properties

Satoshi original idea [cf. Sect. 5 in his paper]:
• homogenous nodes: they do the same job
  – everybody participates equally
  – everybody is mining
  – a random graph
• it appears that the current network resembles “a random graph”

The Reality is VERY Different!

In violation of the original idea of Satoshi, the Bitcoin network has now 3 sorts of VERY DIFFERENT ENTITIES
– only “rich people” are mining
  • upfront investment of >3000 USD.
  • 100K active miners as of today?
– but NOT running network nodes, mining is highly centralized, see pools
– some “full nodes”: they trust no one
  • Satoshi client a.k.a. bitcoind, version 0.9.X. for PC,
  • 15 Gbytes, takes 1 day to synchronize, CPU/HDD load
– only some 13 K out of 60 K accept incoming connections (4/2014)
– panic in May 2014: declining, less than 8,000 peers online
– many nodes do minimal work and minimal storage, they need to trust some other network nodes

*Panic – May 2014

• # active nodes << #miners
• 8K << 100K

*Scalability Issues

• Current bitcoin processes only 0.7 transactions per second.
  – VISA processes 2000 transactions per second.
  – YES, even at this scale of 2000 tx/s bitcoin would theoretically work: each node receiving ALL new transactions would be like 1Mbit/second bandwidth.
• Limit on the size of one block = 1 Mb currently.
  – this can only accommodate 7 tr/sec
  – we are VERY close to exceed that, maybe in 6 months…

Key Properties of Bitcoin

• Consensus-driven
  – consensus about the past history [blockchain]
  – consensus about the future [software spec]
• Pseudonymous, NOT anonymous
• Ledger-based. Ledger is entirely public.
• Notion of account:
  – has a balance in BTC.
• Wallet:
  – computer file which stores "the money".

Wallets

• Wallet: file which stores your “money”.
• A Bitcoin client App is also called a wallet

Wallets == Bitcoin client Apps

• Major types:
  1. Bitcoin Satoshi Core Client = Decent PC, full P2P node, stores full history - 15 Gb, trusts no one.
  2. Mobile apps: trust and rely on servers for DB and authenticity; but stores money locally.
  3. Cloud apps: all is stored in the cloud!
  4. Offline systems: protect your assets from cybercriminals
  5. Combined: multi-signature, THE BEST!

More Properties of Bitcoin

• Scarce, like gold (in fact worse than gold)
• Divisible into small pieces
  – 10 nBTC = 1 Satoshi = 1 / 100 million BTC

Digital Currency


Digital Currency

1. Sth. that we know… String of Bits.

+ additional layers of security:

2. Sth. that we can do (capability): BETTER.
  – can be used many times without loss of confidentiality…
  – in bitcoin bank account = a certain private ECDSA key…

=> PK-based Currency, an important modern application of Digital Signatures!

Main Problem:

This capability can be “spent twice”.

Avoiding this “Double Spending” is the main problem when designing a digital currency system.

NOT yet solved in a satisfactory way, instability, slow transactions, more about this later.

Cf. Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534

Crypto


**Crypto Citations

About Bitcoin:
• Security depends on maths, not people.
• The accuracy of past transactions is guaranteed by cryptography, which is a special type of mathematics ☺

**Crypto Misconceptions

THIS IS WRONG:
• SHA-256 is a cipher and provides confidentiality.
  – No, it is a hash function and provides integrity of everything [hard to modify/cheat]
• "Bitcoins are encrypted": WRONG
  – ONLY if you encrypt your wallet, not everybody does.
  – Also can use SSL in P2P connections…
    • communications are encrypted if you use TOR

Block Chain

(and Mining - expanded much later)

Append-Only Logs

One well-known method to implement money [pre-dates bitcoin according to George Danezis slides]:

A high-integrity, high-authenticity “append only log”. Sufficient to implement money in theory.
• Start by marking who has what money.
• Enter a log entry for each transfer.

Solutions differ in the method to get this “append only log”

Bitcoin Mining

• Minting: creation of new currency.
• Confirmation + re-confirmation of older transactions

Random Oracle – like mechanism

[Figure: “data from previous transactions”, “RNG” and “miner’s public key” feed into HASH; the result must start with 64 zeros]

Ownership:
– “policed by majority of miners”:
– only the owner can transfer [a part of] 25 BTC produced.
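The “append only log” and the mining mechanism of the last two slides, combined in one added example (not from the original slides): each block commits to the previous block's hash, its log entries and the miner's public key, and is accepted only if its double SHA-256 hash starts with enough zero bits. The JSON block layout, the names and the 12-bit toy difficulty are assumptions; real Bitcoin hashes an 80-byte block header and compares it against a target.

```python
"""Toy append-only log secured by proof of work."""
import hashlib
import json

ZERO_BITS = 12            # toy difficulty (assumption); the slide quotes 64
GENESIS_PREV = "00" * 32  # placeholder "previous hash" for the first block
REWARD = 25               # newly minted BTC per block, as on the slide


def dsha256(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin applies to block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def block_hash(prev: str, entries: list, miner: str, nonce: int) -> str:
    """Hash over previous hash, log entries, miner's key and the nonce."""
    body = json.dumps([prev, entries, miner, nonce], sort_keys=True).encode()
    return dsha256(body).hex()


def mine(prev: str, entries: list, miner: str, zero_bits: int = ZERO_BITS) -> dict:
    """Try nonces until the block hash has `zero_bits` leading zero bits."""
    nonce = 0
    while True:
        digest = block_hash(prev, entries, miner, nonce)
        if leading_zero_bits(bytes.fromhex(digest)) >= zero_bits:
            return {"prev": prev, "entries": entries, "miner": miner,
                    "nonce": nonce, "hash": digest}
        nonce += 1


def first_bad_block(chain: list, zero_bits: int = ZERO_BITS):
    """Index of the first block that breaks the log, or None if it verifies."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = block_hash(block["prev"], block["entries"],
                            block["miner"], block["nonce"])
        if (block["prev"] != prev or digest != block["hash"]
                or leading_zero_bits(bytes.fromhex(digest)) < zero_bits):
            return i
        prev = block["hash"]
    return None


def balances(chain: list) -> dict:
    """Replay the log: mint the reward to each miner, then apply transfers."""
    bal = {}
    for block in chain:
        bal[block["miner"]] = bal.get(block["miner"], 0) + REWARD
        for entry in block["entries"]:
            if bal.get(entry["from"], 0) < entry["amount"]:
                raise ValueError("log entry spends more than the balance")
            bal[entry["from"]] -= entry["amount"]
            bal[entry["to"]] = bal.get(entry["to"], 0) + entry["amount"]
    return bal


def build_demo_chain() -> list:
    """Three blocks of constructed sample transfers (hypothetical key names)."""
    batches = (
        [],
        [{"from": "pk_miner", "to": "pk_alice", "amount": 10}],
        [{"from": "pk_alice", "to": "pk_bob", "amount": 4}],
    )
    chain, prev = [], GENESIS_PREV
    for entries in batches:
        block = mine(prev, entries, "pk_miner")
        chain.append(block)
        prev = block["hash"]
    return chain


if __name__ == "__main__":
    demo = build_demo_chain()
    print("first bad block:", first_bad_block(demo))
    print("balances:", balances(demo))
```

Editing an old entry invalidates that block, and re-mining it alone only moves the break to the next block, which is why each new block re-confirms the older transactions.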

Block Chain

Def: A transaction database shared by everyone.

Also a ledger.

Every transaction since ever is public.

Each bitcoin “piece” is a union of things uniquely traced to their origin in time (cf. same as for several banknotes due to SN)

Fork – Hard To Avoid, 1% of the time


Fork – Miners Mine On Both Branches


Longest Chain Rule

“1 ASIC 1 vote” [heavily criticised elsewhere]

Insight

If 2 solutions happen with proba 1/100

The chance that both will be extended before one of them reaches the miner of the other (making him stop) will be about (1/100)^2

Etc.

Negligible chance to go on forever, => quite soon one branch is longer and wins.

Can Sb. Cancel His Transaction?

Yes if he produces a longer chain with another version of the history.

Very expensive, race against the whole network (the whole planet).

Can be easy or very difficult, it depends!

Attack:

Extend This Branch To Cancel One Transaction tx36

Goal: generate 4 blocks.

cost = maybe 30 BTC
gain = 500 BTC
EASY and PROFITABLE! The only difficulty is the timing!!!!

This Attack IS FEASIBLE!

Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534

Easy Or Difficult?

Difficult if:
• All mining devices are privately held by independent people.

Easy if:
• Many mining devices are rented with a market which allows one instantly to buy a lot of hashing power by paying a small premium over the market price.

WORSE THAN THAT:
• A large mining pool can re-sell ALL the hash power to the attacker, => this CANNOT BE DETECTED by miners, due to a technicality which we will discuss later (mining with H0, not knowing on which branch/block they mine)

Is it a 51% Attack?

51% attacks: brain washing, vague and excessively general, highly misleading.

• computing power can be temporarily displaced.
• it is NOT a number between 0 and 100%, two different hash powers at different moments.

The Question of Dominance

This attack will NOT work if Bitcoin is dominant and uses more hash power than all other crypto currencies combined.

In contrast ALL SMALLER currencies which use a widely used hash function are EXTREMELY EASY to attack, and money can be stolen.

The Question of “The Longest Chain Rule”

The longest chain rule was designed to allow for EXTREMELY BAD NETWORK PROPAGATION (think of North Korea, Syria, yes bitcoin can function in such environments).

However with normal (fast) networks it is EASY just not to accept double spends after say 1 minute, and after one version of transaction is already propagated to a majority of network nodes.

⇒ Easy decision for miners. A majority needs to agree.
⇒ The longest chain rule is NOT good, needs reform.

Longest Chain Rule is PROBLEMATIC!

See: Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies, http://arxiv.org/abs/1405.0534

No reason why the SAME rule would govern:
• Which block is paid (10 minutes)
• Which transactions are accepted (every second)

Violates the principles of
• Least Common Mechanism [Saltzer and Schroeder 1975]
• Poor Network Neutrality – miners have excessive discretionary powers…

=> Unnecessary instability and slow transactions…

Crypto Currencies

Hash Power => Security???

Sams writes: "The amount of capital collectively burned hashing fixes the capital outlay required of an attacker […] to have a meaningful chance of orchestrating a successful double-spend attack […] The mitigation of this risk is valuable, [...]"

Wow! We have built a “Great Wall”. It protects our money against attacks.

NO, THIS IS MISTAKEN

Crypto Currencies

Crazy Hash Power Increase

Nearly doubled every month… 1000x in 1 year.


Crypto Currencies

In Contrast: Bitcoin Adoption / Payment

Not good. Anybody willing to pay transaction fees?


Crypto Currencies

Bitcoin Address


Crypto Currencies

Ledger-Based Currency

A “Bitcoin Address” = a sort of equivalent of a bank account. Three formats.

– First format like full Pkey 2*32 byte points, redundant!
  "scriptPubKey":"04a39b9e4fbd213ef24bb9be69de4a118dd0644082e47c01fd9159d38637b83fbcdc115a5d6e970586a012d1cfe3e3a8b1a3d04e763bdc5a071c0e827c0bd834a5 OP_CHECKSIG"
– Hash it on 160 bits, conceals the PK key! (NSA: attacks possible!).
  • e.g. 0568015a9facccfd09d70d409b6fc1a5546cecc6
– Recode with checksum on 1+20+4 bytes, 160+32 bits,
  • Base58: 1VayNert3x1KzbpzMGt2qdqrAThiRovi8 27-34 chars

PK itself remains confidential until some part is spent.
SK = private key is always kept private, allows transfer of funds.

Crypto Currencies

Step 1: Hash


40 chars (nibbles)

Crypto Currencies

Step 2: checksum / convert

27-34 chars Base_58 O0I1

Crypto Currencies


*****On 1 Slide

Crypto Currencies

Bitcoin Ownership

Amounts of money are attributed to public keys. Owner of a certain “Attribution to PK” can at any moment transfer it to some other PK (== another address).

Destructive, cannot spend twice (an attribution is either not spent or spent).

Crypto Currencies

Multi-Signature Addresses


Crypto Currencies

Special Type of Addresses

Bitcoin can require simultaneously several private keys, in order to transfer the money.

The keys can be stored on different devices (highly secure).

They start with 3.

2 out of 3 are also already implemented in bitcoin [BIP16]. (1 device could be absent, money can still be used).

Very cool, solves the problem of insecure devices…
Except if the attacker can break into many devices…

Crypto Currencies

Bitcoin Circulation


Crypto Currencies

Bitcoin Myths (not true)

“Transactions are irreversible,”
• really???? The opposite can be argued:
  – The Longest Chain Rule means probabilistic certitude,
• HOWEVER in theory EVERY TRANSACTION CAN BE INVALIDATED, (at a large expense),
  ⇒ possible even 100 years later
  ⇒ if there is a longer chain!

“No intermediary in transactions?”
– Not true (unless one of the parties is a miner)

Crypto Currencies

Bitcoin Transactions:
• between any two addresses [and any two network nodes],
  – at any time [no market closing hours].
  – validated within 10-60 minutes.
• should wait longer for larger transactions, beware of “cheating miners”…
• many websites accept instantly,
  – they trust your application not to double spend
  – and trust miners to reject the second spend based on later time, easy and plausible!

Crypto Currencies

Transfer


Crypto Currencies

In / Out

Owner of a certain “Attribution to PK” can at any moment transfer it to some other PK addresses.

=> 0 inputs possible if minting transaction… new money.

=> Several outputs are a norm for bitcoin transactions.

on this picture we ignore the fees

Crypto Currencies

Bitcoin Transfer

Owner of a certain “Attribution to PK” can at any moment transfer it to any other PK address.

Crypto Currencies

Bitcoin Circulation


Sometimes IP addresses known, rare cases

Crypto Currencies

Attributions

DEFINITION
“Attribution to PK” = act of an owner of a previous attribution (always destroyed) which transfers a certain amount to the new PK = A2 (using a digital signature), ignoring fees.

Caveat: Each attribution can be traced back to the initial mining event.

Crypto Currencies

Fragmentation and Summation Rule

Each PK has a balance, say 20 BTC: current balance = sum(unspent attributions).

Attributions are ALWAYS destroyed when used,

Crypto Currencies

From Single Attribution

Example
• Change: return some money to ourselves inside the same transaction
  – this implies most transactions have 2 or more outputs
  – most apps use the same address
  – could use another fresh address for better anonymity, but too lazy…

same owner? no way to know for sure…

Crypto Currencies

With Multiple Attributions


typical case, even for a single user

Crypto Currencies

Bitcoin Transfer

Transactions have multiple inputs and multiple outputs.

[Figure: Input Bitcoin Addresses (0.2 BTC, 1.3 BTC) → Transaction Signed by All Owners with their SK → Output Bitcoin Addresses (0.499 BTC, 1.0 BTC) + Fees (0.001 BTC)]

Crypto Currencies

Bitcoin Transfer

Transactions have multiple inputs and multiple outputs.
– helps for anonymity.
– destroys all current attributions,
– requires everybody’s signature

Input Bitcoin Addresses can repeat, specifies tx origin + index of each!

The transaction is signed but invalid to start with, it becomes valid only when confirmed many times by other people (embedded in a new block)

[Figure: Input Bitcoin Addresses (0.2 BTC, 1.3 BTC; frequently repeat some input addresses, could all belong to the same person) → Transaction Signed by All Owners with their SK → Output Bitcoin Addresses with index 0 and 1 (0.499 BTC, 1.0 BTC) + Fees (0.001 BTC)]

Crypto Currencies

Example 1

can repeat input addresses; tx origin + index of each is included in the rawtx

Crypto Currencies

Example 2 = Raw Transaction

[Figure: raw transaction with
– unique ID on 256 bits = the hash of the whole
– list of input attributions: origin tx, index n, ECDSA signature
– list of output attributions (index 0, 1): H(recipient PK), amount BTC]

Crypto Currencies

Remarks:

About 30 million transactions ever made.

To know the balance of one account, we must “in theory” store ALL the transactions which send money for this address and then check ALL transactions made since then to see whether some of these are not already spent.

Full bitcoin network nodes store all transactions ever made and check their correctness (all the digital signatures).

About 15 Gbytes data, 24 hours full download.
In practice one could skip the check for things confirmed by many miners… dangerous though. There is no absolute proof that miners have already checked them (maybe they forgot, a bug).
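The attribution rules from the preceding slides (an attribution is identified by origin tx + index, is always destroyed when used, balance = sum of unspent attributions, fee = inputs minus outputs) fit in a small ledger model. This is an added sketch, not code from the slides: signatures are deliberately not modelled, the owner names A1, A2 and B and the class and function names are hypothetical, and the amounts are the ones on the Bitcoin Transfer slide.

```python
import hashlib
from decimal import Decimal

SATOSHI_PER_BTC = 100_000_000


class LedgerError(Exception):
    """Raised when a transaction breaks the attribution rules."""


def btc(amount: str) -> int:
    """Convert a decimal BTC string to integer satoshi (no float rounding)."""
    return int(Decimal(amount) * SATOSHI_PER_BTC)


class Ledger:
    def __init__(self):
        self.unspent = {}   # (txid, index) -> (owner, amount in satoshi)
        self.spent = set()  # attributions that have been destroyed

    @staticmethod
    def _txid(inputs, outputs) -> str:
        # Constructed ID: hash of the whole transaction description.
        return hashlib.sha256(repr((inputs, outputs)).encode()).hexdigest()

    def mint(self, owner: str, amount: int, tag: str):
        """0-input transaction: new money. Returns the new attribution."""
        txid = self._txid([("mint", tag)], [(owner, amount)])
        self.unspent[(txid, 0)] = (owner, amount)
        return (txid, 0)

    def transfer(self, inputs, outputs):
        """Destroy the input attributions and create the outputs.

        inputs  : list of (origin txid, index)
        outputs : list of (owner, amount in satoshi)
        Returns (txid, fee).
        """
        if len(set(inputs)) != len(inputs):
            raise LedgerError("same attribution listed twice")
        total_in = 0
        for outpoint in inputs:
            if outpoint in self.spent:
                raise LedgerError("double spend: attribution already destroyed")
            if outpoint not in self.unspent:
                raise LedgerError("unknown attribution")
            total_in += self.unspent[outpoint][1]
        if any(amount <= 0 for _, amount in outputs):
            raise LedgerError("outputs must be positive")
        total_out = sum(amount for _, amount in outputs)
        if total_out > total_in:
            raise LedgerError("outputs exceed inputs")
        txid = self._txid(inputs, outputs)
        for outpoint in inputs:            # attributions are ALWAYS destroyed
            del self.unspent[outpoint]
            self.spent.add(outpoint)
        for index, (owner, amount) in enumerate(outputs):
            self.unspent[(txid, index)] = (owner, amount)
        return txid, total_in - total_out  # the difference is the miner's fee

    def balance(self, owner: str) -> int:
        """Current balance = sum(unspent attributions) of this owner."""
        return sum(a for o, a in self.unspent.values() if o == owner)


def slide_example():
    """Inputs 0.2 + 1.3 BTC, outputs 1.0 BTC to B and 0.499 BTC change."""
    ledger = Ledger()
    in1 = ledger.mint("A1", btc("0.2"), tag="constructed-1")
    in2 = ledger.mint("A2", btc("1.3"), tag="constructed-2")
    outputs = [("A1", btc("0.499")), ("B", btc("1.0"))]
    txid, fee = ledger.transfer([in1, in2], outputs)
    return {"ledger": ledger, "inputs": [in1, in2], "outputs": outputs,
            "txid": txid, "fee": fee}


if __name__ == "__main__":
    result = slide_example()
    print("fee in satoshi:", result["fee"])
    print("balance of B:", result["ledger"].balance("B"))
```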

Crypto Currencies

*Multiple signers:

Issues:
• Who signs first?
  – In any order.
• What if one signs and others refuse?
  – Transaction is non-existent.
  – Cannot be used to sign something different.
• Do they KNOW what they are signing?
  – Yes, well, not sure
• What if some other inputs in this transaction are involved in illegal activity?

Crypto Currencies

Transaction Chaining 2 attributions:


Crypto Currencies

Fees => Miner Profit

Crypto Currencies

*Chaining and Checks

[Figure: one branch of a tree, a chain of transactions with 1 output each]

Crypto Currencies

What If FAQ


Crypto Currencies

What If / Answer

What If:
• My private key or password is lost.
• I have an older backup for my wallet
• Password is easy guess
• RNG is faulty

Answer:
• All money is lost, NOBODY can recover it
• Some money will be recovered, not all.
• My money will be stolen by an anonymous hacker ASAP.

Crypto Currencies

Bitcoin Mining


Crypto Currencies

Money Out of Thin Air


Crypto Currencies

Bitcoin Mining

• Minting: creation of new currency.
Creation of “money” + re-confirmation of older transactions

[Figure: data from previous transactions → HASH]

Crypto Currencies

*Quiz Question

• What is wrong here?

[Figure: data from previous transactions + RNG + miner’s private key → HASH, must start with 64 zeros]

Crypto Currencies

Block Chain

Def: The bitcoin transaction database shared by everyone.

Crypto Currencies

Bitcoin Ownership

Ownership:
– “policed by everyone”:
– only the owner of the ……… can transfer [a part of] 25 BTC produced.

[Figure: data from previous transactions + RNG + miner’s public key → HASH, must start with 64 zeros]

Crypto Currencies

Bitcoin Randomization

Nonce = def?

Which arrow?

[Figure: data from previous transactions + RNG + miner’s public key → HASH, must start with 64 zeros]

Crypto Currencies

Bitcoin Randomization

Nonce = Number Used Only Once

Strange: it repeats in the main bitcoin block chain.

Example: 0x04111A63 x 2

What is responsible for that? What else can be randomized here? Why is this necessary?

[Figure: data from previous transactions + nonce + miner’s public key → HASH, must start with 64 zeros]

Crypto Currencies

Bitcoin Mining

• Minting: creation of new currency.
Creation + re-confirmation of older transactions

Random Oracle – like mechanism. What????????????????

[Figure: data from previous transactions + RNG + miner’s public key → HASH, must start with 64 zeros]

Crypto Currencies

Bitcoin Mining

• Minting: creation of new currency.
Creation + re-confirmation of older transactions

Random Oracle – like mechanism

Means: treat as a DETERMINISTIC black box which answers at random.

YES it is. However now I’m going to show it isn’t.
Marginal improvement (a constant factor).

[Figure: data from previous transactions + RNG + miner’s public key → HASH, must start with 64 zeros]

Crypto Currencies

Five Generations of Miners

1. CPU Mining

Example: Core i5 2600K, 17.3 Mh/s, 8 threads, 75W


CPU = about 4000 W / Gh/s

Crypto Currencies

Four Generations


Crypto Currencies

Four Generations of Miners

2. GPU Mining

Example: NVIDIA Quadro NVS 3100M, 16 cores, 3.6 Mh/s, 14W

CPU = about 4000 W / Gh/s
GPU = about 4000 W / Gh/s, in this case

Who said GPU was better than CPU? Not always.

Crypto Currencies

Four Generations of Miners

3. FPGA Mining

Example: ModMiner Quad, 4 FPGA chips, 800 Mh/s, 40W

CPU, GPU = about 4000 W / Gh/s
FPGA = about 50 W / Gh/s, in this case

100x less energy.

Crypto Currencies

*Why Negative?

13 April 2013 – “Digital Gold” (now stopped)

Crypto Currencies

Five Generations of Miners

FPGA: 100x less energy.

Still much less with ASIC:
Good points: asynchronous logic, arbitrary gates, etc.
Drawback: hard to update!

Another 10 – 100 times improvement.
(100x is cheating: I was comparing one 28 nm ASIC to one 45 nm FPGA)

Crypto Currencies

Five Generations of Miners

4. ASIC Miners

CPU, GPU = about 4000 W / Gh/s
FPGA = about 50 W / Gh/s
ASIC = now down to 0.35 W / Gh/s

Overall we have improved the efficiency 10,000 times since Satoshi started mining in early 2009…

Like 1000% per year improvement.

Crypto Currencies

Hash Rate - Doubles Nearly Every Month!

13 April 2013 – “Digital Gold”

Crypto Currencies

Five Generations of Miners!

5. Quantum Miners?

Business Law:

Every technology improved by 30%, 67%, 1000% each year???????????????

Crypto Currencies

and their angry customers

“Bad-Fly” Labs


1 W per GH/s????????????????????

3.2 W !!!!!!!!!!!!!!!

Crypto Currencies

KNC vs. BitFury vs. Butterfly

Better Miners: less nm

65 nm, 28 nm?, 20 nm

Payment and Crypto Currencies Mining

ASICs Comparison

By power / Gh/s: 0.35 W (low power mode), 1 W, 3.2 W

cf. https://en.bitcoin.it/wiki/Mining_hardware_comparison

Payment and Crypto Currencies Mining

See bitcoinscammers.com

Criminal Scams

Crypto Currencies

Miners for Cash

Available since April 2014.

Before: it was IMPOSSIBLE for miners to evaluate the profitability of their investments.

Waiting for 6 months is like getting…. 50 TIMES smaller return, like 2% of the original expected income for a miner…

Crypto Currencies

Total Cost? 0.5 -1.0 Billion USD

Quick estimation of the cost of hardware as of April 2014:
Current hash rate 40,000 Th/s (April 2014)
Assume most people use Neptune first generation which cost 3500 USD for 0.25 Th/s of hash power (better devices exist frankly just in pre-orders, well for a majority of people).

So current hash rate might have cost 40,000 x 4 x 3,500 USD, so maybe 600 M dollars in hash equipment.

However probably most people still use miners NOT as good as Neptune, then probably this is 2 times more... So maybe it is already more than 1 billion today.

600 M / 100 K people = 6000 USD typical investment?

Crypto Currencies

Bitcoin And Hash Functions


Crypto Currencies

Our Paper: arxiv.org/abs/1310.7935

Crypto Currencies

Mining Overview

[Figure: hashed data from previous transactions, 3x SHA-256 compression]

Goal: find a valid pair (merkle_root, nonce) which gives 60 bits at 0 in H2

CISO Problem: Constrained Input Small Output

Crypto Currencies

Mining Internals

[Figure: hashed data from previous transactions]

Crypto Currencies

Bitcoin Hash Functions And Block Ciphers (!)

Crypto Currencies

SHA-256 Compression Function

cf. Pieprzyk, Matusiewicz et al.

block cipher

Davies-Meyer

Crypto Currencies

Fact:

The process of BitCoin Mining is no different than a brute force attack on a block cipher:

– Apply the same box many times, with different keys…
– Here the block cipher is a part of a hash function but it does NOT matter.
• 98% of computational effort is evaluating this block cipher box with various keys and various inputs
• Like a random oracle.

[Figure: BLOCK CIPHER box with inputs PLAIN and KEY]

Transforms a block cipher into a hash function.
In SHA-256 we have: block size=256, 64 rounds, key size=256 expanded 4x.

Crypto Currencies

Davies-Meyer

[Figure: Davies-Meyer: M_i (message block) → KEY; IV or last hash → PLAIN; CIPHER; output HASH]

Crypto Currencies

***One Round of SHA-256

cf. Pieprzyk, Matusiewicz et al.

Crypto Currencies

Optimising Mining (39% gain w.r.t. best ASIC)

Like Generation 4.1.

Crypto Currencies

Hashing Block of 300+ Bits

cf. Pieprzyk, Matusiewicz et al.

padding added


Crypto Currencies

Padding

Crypto Currencies

+ Second Hash

Crypto Currencies

Inputs

Crypto Currencies

Davies-Meyer

Crypto Currencies

Mining Internals

[Figure: hashed data from previous transactions]

Crypto Currencies

Improvement 1 – Amortized Cost(H0)=0
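The Mining Overview slide (3x SHA-256 compression, search over the nonce) and Improvement 1 can be checked in software: the first 64 bytes of the 80-byte block header do not contain the nonce, so the hash state after them is computed once and reused for every nonce. This is an added example, not code from the slides or the paper; the header field values are constructed, the class and function names are hypothetical, and the zero_bits parameter is kept small so the search finishes quickly.

```python
import hashlib
import struct

# Constructed sample header fields (not a real block).
SAMPLE = dict(
    version=2,
    prev_hash=bytes(32),
    merkle_root=hashlib.sha256(b"constructed sample transactions").digest(),
    timestamp=1400000000,
    bits=0x1D00FFFF,
)


def header76(version, prev_hash, merkle_root, timestamp, bits) -> bytes:
    """The 76 header bytes that precede the 4-byte nonce."""
    return (struct.pack("<I", version) + prev_hash + merkle_root
            + struct.pack("<II", timestamp, bits))


def hash_naive(prefix76: bytes, nonce: int) -> bytes:
    """Double SHA-256 of the full 80-byte header, recomputed from scratch."""
    header = prefix76 + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


class MidstateHasher:
    """Hash the nonce-independent first 64 bytes once (H0), reuse per nonce."""

    def __init__(self, prefix76: bytes):
        if len(prefix76) != 76:
            raise ValueError("expected the 76 bytes before the nonce")
        self._h0 = hashlib.sha256(prefix76[:64])  # state after block 1
        self._tail = prefix76[64:]                # 12 bytes; nonce follows

    def hash(self, nonce: int) -> bytes:
        # copy() clones the state after the first 64 bytes, so the
        # nonce-independent prefix is never fed to the hash again.
        h1 = self._h0.copy()
        h1.update(self._tail + struct.pack("<I", nonce))  # H1: second block
        return hashlib.sha256(h1.digest()).digest()       # H2: second hash


def leading_zero_bits(digest: bytes) -> int:
    """Zero bits at the top of the hash read as a little-endian number."""
    return 256 - int.from_bytes(digest, "little").bit_length()


def mine(prefix76: bytes, zero_bits: int, max_nonce: int = 2**32):
    """Return (nonce, digest) for the first nonce meeting the target."""
    hasher = MidstateHasher(prefix76)
    for nonce in range(max_nonce):
        digest = hasher.hash(nonce)
        if leading_zero_bits(digest) >= zero_bits:
            return nonce, digest
    return None  # nonce space exhausted: something else must be changed


if __name__ == "__main__":
    prefix = header76(**SAMPLE)
    nonce, digest = mine(prefix, zero_bits=12)
    print("nonce:", nonce)
    print("hash :", digest[::-1].hex())
    print("same as full recomputation:", hash_naive(prefix, nonce) == digest)
```

When the 32-bit nonce space is exhausted without a hit, another header field has to change, which is the subject of the "What else can be randomized here?" question on the nonce slide.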

Crypto Currencies

Improvement 2 – Gains 3 Rounds At the End

Crypto Currencies

Improvement 3 – Gains 3 Rounds At the Beginning

– they do NOT depend on the nonce

Crypto Currencies

Improvement 4 – Incremental Computation

Crypto Currencies

Improvement 4 - contd

–Incremental Computation

2 increments instead of 200 gates.

Crypto Currencies

Improvement 5 – Gains 18 Additions ≈ 3600 gates

Crypto Currencies

Improvement 6 – Saving 2 More Additions ≈ 400 gates with Hard Coding

AND SAVE LIKE HALF of the next addition!

(addition with a constant = cheaper, depends on the constant)

Crypto Currencies

Improvement X

Classical trick: Carry Save Adders.

[Figure: computing a+b+c with two chained adders (cost = 2 adders) versus a carry-save adder (C.S.A.) followed by one adder (cost = 1+ε adders)]

Crypto Currencies

Whole Round

Only two full adders.

[Figure: one SHA-256 round mapping A_t … H_t to A_{t+1} … H_{t+1}, using Ch(), Maj(), K_t, W_t and carry-save adders (C.S.A.)]

Crypto Currencies

Message Schedule

=> just copy for 16 R

non-trivial part

Crypto Currencies

Message Schedule

Crypto Currencies

Improvement 7 - Fact:

Some early values do NOT yet depend on the nonce. In H1 computation only (left column).

Crypto Currencies

Improvement 7 – 3 more

2 more 32-bit additions are saved by hard coding, and more for the next addition

(again, adding a constant, depends on the constant, average cost maybe saving another 1? addition).

Some 600 extra gates saved.

Crypto Currencies

Improvement 8 – 1 More Incremental

We have: nonce

Crypto Currencies

Improvement X2

Also use Carry Save Adders in message scheduling.
Only 1 full adder in each of (only) 48-3 values which still need to be computed.

Crypto Currencies

Optimising The Mining

Crypto Currencies

Future – Dan Kaminsky


Crypto Currencies

San Diego Bitcoin Conference May 2013

Earlier he said that he has no stakes in ‘this game’. Then at minute 40 he claims that the current Bitcoin Proof of Work function based on SHA-256 will not survive “the year” (to be replaced before end of 2013). He says that he assigns zero percent probability that “we” will continue with the present POW function. Back to CPU mining.

https://www.youtube.com/watch?v=si-2niFDgtI

Crypto Currencies

SHA-256 to be phased out?

https://www.youtube.com/watch?v=si-2niFDgtI

HOWEVER:

NOBODY OWNS BITCOIN

We claim the contrary: any attempt to change the POW is close to impossible to enforce AND if mandated by some group of people, it will lead to a SPLIT IN THE BITCOIN COMMUNITY.

An organised divorce of people and software developers who will be running two separate block chain versions.

Crypto Currencies

Mining In Pools


Crypto Currencies

Why Pools?

Reason 1. To smooth the gains: Instead of waiting 1 year to get 25 BTC, why not get a little money every day?

Reason 2. Huge Incertitudes: Law Of Bitcoin Mining: It follows the Poisson Distribution:
– If for example in 1 month the miner expects to find 4 blocks, the standard deviation is about √4=2.
– In one month he will find 6, in some months he will find 2, sometimes he will find 0.

VERY STRESSFUL. Cannot sleep at night.
• Does my miner work correctly??? Wait for 10 years to see…
• Are other miners cheating? Am I getting a fair share???
  – [YES, as we will see later miners can cheat and earn more than other miners]

Crypto Currencies

What Are Pools?

• A group of small/larger miners who work together. Also protects their anonymity, also a social dimension:

• Effectively a cooperative: can provide support, mentoring, shared hosting, stats, management apps etc…

• Beware: single point of failure: pool servers.
  – can break down, miners will lose millions of dollars.
  – can attack the network (for example filter transactions which are accepted).

Crypto Currencies

Major Pools In Existence

Miners tend to flock to the largest pools.
One pool has in early 2014 reached 50%. They have publicly said: please leave, do not join.
• 50% attack = total control of bitcoin by one single entity.

Ukraine

Crypto Currencies

Pools Operation

Question: but is there a “fair and secure” implementation?

Answer: Probably There Isn’t. There is already ample literature on this.

Crypto Currencies

Bitcoin Share

A proof of effort: allows one to be paid.
=def= A hash starting with 32 zeros (one in 2^32 hashes).

[Figure: block B0 (64 zeros), then shares (32 zeros, reward paid), then much later, after 2^32 shares have been found, new block B1 (64 zeros)]

Crypto Currencies

Trouble With Mining Management

Q: How to prevent people from hiding their “winning ticket” from the pool? Maybe embed information about “the pool” inside each potential block data. Not enough:

*Solution 1: Mine with a private key known to individual miners?
⇒ Allows all miners to cheat.
⇒ We would need to trust the network (e.g. other miners) not to accept this block outside of the pool. Seems impossible.

Solution 2: Mine with a private key not known to individual miners!
⇒ Allows the pool manager to steal the money. Must be trusted.
⇒ BTW. This risk is mitigated by frequent pay-outs
⇒ The only plausible solution in existence.

Crypto Currencies

*Stale/Rejected Shares

No precise definition. Used when large quantities of shares out of date are produced, a problem in a pool where miners have not been notified that their work is out of date.

(it might however re-become good later) due to fork situations.

[Figure: blocks B0 and B1 (64 zeros each); shares (32 zeros) labelled “useless share…” and “reward granted”]

Crypto Currencies

**Dupe Shares

Apparently in certain pools it does happen that 2 people produced the same share.

Short answer: Pools should be designed in such a way that it does not happen…

Crypto Currencies

Attacks: Pool Hopping Attack


Crypto Currencies

Pool Hopping

The ``Pool Hopping Attack'' was amply studied by Rosenfeld.
It allows malicious miners to obtain gains which are in proportion higher than their fair share.
How?

Remember the pools work like a lottery, a group of people plays together for up to 1 winning ticket to share.

Crypto Currencies

Pool Hopping – Main Idea

If a miner mines in a pool in which a lot of shares have already been submitted and no block has yet been found, he will gain less in expectation because the reward will be shared with the miners who have contributed to this pool.

Therefore at a certain moment it may be profitable to stop mining in this pool and contribute elsewhere (reward will be shared with fewer people).

This remains valid even if the pools penalize leavers and refuse to pay for their contribution if they do not mine for a complete ``shift''. It is still profitable for miners to quit and mine for another pool (or mine independently).

Crypto Currencies

Pool Hopping – Defenses

This attack works more or less well depending on how exactly pools are managed and also depending on the actions of other miners.

It can be shown that hoppers will earn more than normal ``continuous'' miners.

Various reward and pool management methods have been proposed in order to discourage pool hopping and some reward methods can be shown to be immune to this attack.

[cf. Rosenfeld works]

Crypto Currencies

Attacks: - Mining Cartel Attack


Crypto Currencies

Mining Cartel Attack

50% of miners decide to totally ignore blocks mined by other people. Likely to always succeed.

Only subversive miners make money from mining.

(there is no need to cheat on transactions, would also be possible for 50% of miners).

Crypto Currencies

Attacks: - Difficulty Raising Attack


Crypto Currencies

*Difficulty Raising Attack

Very theoretical, powerful adversary. [Lear Bahack 2013]

A powerful attacker is secretly preparing an alternative version of the blockchain.
At the same time he is manipulating the automatic difficulty adjustment mechanism in his secret chain in order to increase the probability that his chain will eventually be recognized as surpassing the public honest chain.

If this happens, the attacker reveals his secret chain.
This can be used to commit double-spending or to cancel some transactions.

Crypto Currencies

Confidential Crypto Optimisation Attack


Crypto Currencies

Confidential Crypto Optimization Attack

A group of miners hire cryptologists to develop a secret method to mine more efficiently.

Similar but better than 39% gain of:

Nicolas Courtois, Marek Grajek, Rahul Naik: The Unreasonable Fundamental Incertitudes Behind Bitcoin Mining, http://arxiv.org/abs/1310.7935

Crypto Currencies

Selfish Mining and Block Discarding Attacks [2013]


Crypto Currencies Mining

Selfish Mining Attacks

Proposed independently by Eyal-Sirer [Cornell] and also by Bahack [Open Univ. of Israel] in 2013.

It is about building secret extensions and disclosing them later.

• In fact this is a very theoretical attack, most probably without a lot of practical importance…
• It relies entirely on “very rare events”,
  – most of the time there is no advantage to the attacker.

[Figure labels: wasted effort, reward]

Crypto Currencies

Selfish Mining Attacks

Assumption 1: If there is the longest chain in the bitcoin blockchain, everybody mines on it. Called “consensus”. Doing otherwise would be really stupid.

Crypto Currencies

Selfish Mining Attacks

Assumption 2: At any moment during the attack there are up to two competitive public branches one of which can have a secret extension.
• we have either just one branch (with possibly a secret extension by the attackers)
• or a public fork with two branches of equal depth k

in the case of a fork one branch is composed solely of honest miner's blocks and the other is composed solely of attacker's blocks (which at moments can have a secret extension).

Crypto Currencies

Selective Disclosure

Attackers keep their blocks secret for some time, in order to make the honest majority lose energy mining on obsolete blocks.

However when others find a block, subversive miners disclose theirs ASAP. Known to them A BIT earlier. Small advantage.

Crypto Currencies

Fork Strategies

Subversive Miners mine on their own branch only.

Honest miners mine on both, depending on network propagation [current state].
• received first [current bitcoin software]
• or chosen at random [suggested countermeasure]

Crypto Currencies

Overall Result

Subversive miners can earn a bit more. Not a big deal.

Remark [Courtois]: this attack is all about events which almost never happen in the current bitcoin network.

Unlikely to get very significant…

Crypto Currencies

Fix It?

Countermeasure 1: [Cornell researchers] There is no minority attack if honest miners mine at random.

Countermeasure 2: [Bahack]: Fork punishment [for all miners].

Will make the attack completely insignificant…

Crypto Currencies

Our New Paper [2014]

Crypto Currencies

Block Withholding Attacks

Cf. Nicolas Courtois, Lear Bahack: On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency, http://arxiv.org/abs/1402.1718

Crypto Currencies

Main Result

We revisit a known idea: block withholding.
The miners mine in pools, they report shares except in the (very rare) case when they find the ‘winning’ tickets.

We show that this attack cannot be detected, not even in theory.

We show that for very large pools, it will be visible, but nobody can say who is responsible.

This attack was known [Rosenfeld] and in the initial version the subversive miners gained nothing: everybody lost.

Crypto Currencies

Our Block Withholding Attack

We propose a better version, in which subversive miners DO get more than their fair share.

It is very simple:
• 50 % of subversive miners withhold blocks they find
• 50 % mine solo normally (or in other pools).

We show that: 50-50 split maximizes the gain.

We claim that this simple attack is by far more practical and more realistic than the Cornell attack [1000s of press reports].

Crypto Currencies

**Large Scale Attacks


Crypto Currencies

**Buying a Fork

A fork in the main chain can be created retroactively…

=> In order to cheat: roll-back one or many large transactions from 0-4Y ago.

However high is the bitcoin price at any moment in the future, we have the following problem: in the future the percentage of newly created coins in 4 years (>= the price of roll-back), is becoming increasingly small compared to all the existing money in circulation in the Bitcoin network…

Crypto Currencies

Bitcoin Monetary Policy in Question

Crypto Currencies

Fact

Only 21 millions of bitcoins will ever be made.
• 60% were already made.

Genius or a monumental mistake of Satoshi?
• Great now, frequently praised for that,
  – in bitcoin governments cannot print more money….
• I claim that it will kill bitcoin in the future
  – (well really ????)

Crypto Currencies

Reward Halving


Crypto Currencies

Built-in Deflationary Scarcity

Crypto Currencies

Growth Coins vs. Deflationary Coins

Another Argument by Robert Sams

From Robert Sams, “The Marginal Cost of Cryptocurrency”: http://cryptonomics.org/2014/01/15/the-marginal-cost-of-cryptocurrency/

Other reasons to avoid bitcoin: volatility due to the existence of people holding large balances for speculation. He claims that this leads to a “toxic amount of exchange rate volatility”.

Not super convincing but plausible.

“Bitcoin [..] has a free rider problem, whereby speculative coin balances, which benefit from the system’s costly hashing rate are effectively subsidised by those who use bitcoins primarily as a MOE. These speculative balances repay the favour by adding a toxic amount of exchange rate volatility, providing yet another reason for the transaction motive to run away from log coin MOE.”

Why Growth Coins Will Win???

This argument comes from Robert Sams, “The Marginal Cost of Cryptocurrency”: http://cryptonomics.org/2014/01/15/the-marginal-cost-of-cryptocurrency/

Argument: sooner or later “growth coins” vs. “deflationary currencies” which he improperly calls “log coins” will be in competition.

Then the argument is not very clear, he claims more or less that:
• in deflationary currencies, most of the profit from appreciation will be received by holders of coins through their constant appreciation
• little profit will be made by miners who control the network nevertheless => they will impose high fees
• in growth coins, there will be more seignorage profit and it will be spent on hashing. Miners will make good profits and transaction fees will be lower.
• thus year after year people will prefer growth coins…

AltCoins

Alt-Coins
Some examples [from mid-2013]

“Stupid Coin” syndrome.

Exact clones are UNBELIEVABLY stupid.
• just stupid copy and paste of open source code
• they are all broken: powerful people DO HAVE sufficient computing power to double spend and cheat at any moment…
• as really worthless assets they are funny and can attract speculators because of built-in self-destruction (studied later)
• have some value due to “anonymity services” they provide
• they have tiny chances of survival:
– network effects make ALL stupid clones highly problematic because a currency cannot exist without having a large community of adopters…

Market Caps [2 March 2014]

fake: Icelanders could only sell it after March 25, price 20x less 1 month later

All the others are too weak to stand on their feet…

Market Caps [15 April 2014]

“Stupid Coin”?

More serious contenders must have 1+2:
1. Have a number of adopters (or pay for promotion/advertising)
– have operational wallet software like android…
– be traded on exchanges…
2. Display some sort of “competitive advantage”, must be different or better than bitcoin in some aspect
– actually should be like substantially better,
• adoption barriers: small improvements are just NOT enough

Review

For each contender we look at strong and weak points.

We start with weak points of bitcoin itself … => because altcoins can only claim to exist if they do sth that bitcoin does not do.

=> ****Actually all other things being equal smaller competitors of bitcoin are bound to die if they are as good as bitcoin, just because they are smaller [theory of self-destruction, studied later].

BitCoin

Cons:
• Only very basic functionality
• Bad anonymity
• No longer democratic, monopolized by cartels
• “Bad” monetary policy in the long run…
• Performance
– Slow transactions
– Important hard drive usage by clients (14 G)
– Takes ages to synchronize (like 1 day on a good PC)

Scam Coins

Avoid, listed at http://altcoins.com/scamcoins

LiteCoin = LTC

Pros:
• Number 2 = “digital silver”, at moments was 1 Billion USD Market Cap.
• Exchanged at many exchanges
• Android client, >10 000 downloads.
• MORE DEMOCRATIC – SCRYPT mechanism. Mined with GPUs.
– many people will mine LTC just because they have nothing to do with their GPUs.
• went up from like 1 USD to 40 USD in Dec 2012.
• “Made in China”, well almost.

Cons:
• clearly appreciation went a lot upwards just due to the rising price of bitcoins, NOT because Litecoin is used or exchanged more.
– Bad sign for all altcoins.
• world is full of recycled GPUs no longer profitable for bitcoins, owners have no choice, they just mine litecoins even if profitability is very low.

PeerCoin = PPCoin = PPC

Pros:
• Number 3, 100 M USD market cap.
• Exchanged at BTC-e.
• POW+POS (Proof of Stake), even more democratic, green
• Unlimited monetary supply (“growth coin”)
– adding at most 1% more coins each year,
– similar to gold itself or better!

Cons:
• Does not promise to go through the roof for savers.
• Partly centralized: check pointing

**QuarkCoin = QRK

Pros:
• Some 20 M USD market cap...
• Multiple hashing
• New block every 30 seconds
• Again linearly growing monetary supply
– adding at most 0.5% more coins each year,
– again similar to gold itself

Cons:
• Not better than Peercoin?

DevCoin = DVC

Pros:
• Pays developers, artists etc..
• Super ethical: “Devcoins provide an income for everyone who wants to work”, even if they are not very competitive.

Cons:
• small adoption….

NameCoin = NMC

Brilliant:
• coins are generated for free when mining bitcoins (“merge mined”)
• key/value registration and transfer system like DNS

Cons:
Cyber squatters buying pairs to re-sell them later

PrimeCoin = XPM

Pros:
• Does sth. interesting for cryptologists and mathematicians.
• Traded on BTC-e.

Cons:
• Not widely known yet, little press coverage.

*TerraCoin = TRC

Cons: one of these stupid-coins without a single distinctive feature.

*FeatherCoin = FTC

A fork in litecoin blockchain.

• Minor differences

*NovaCoin = NVC

A descendant and sort of clone of peercoin

Pros:
• Same as PPC
• Variable inflation: depends on popularity. How?

Cons:
• Same as PPC

*AnonCoin = ANC

Pros:
• Much better anonymity claimed
• Traded on Coinex, Vircurex, Cryptsy

Cons:
• 1 G$ market cap only
• Obscure, no info found

*FreiCoin =

Very very strange...

Pros:
• “currency for a working class”? vaguely ethical…
• Discourages hoarding:
– free transactions,
– a fee for holding coins (they decay), like a property tax

Cons:
• Why buy it? Poor adoption.

“Programmed Self-Destruction”

Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534

Older version also at http://cryptome.org/2014/05/bitcoin-suicide.pdf

It's in the DNA…

Theory of “Programmed Self-Destruction” [Courtois May 2014]

Unobtanium

*Unobtanium = UNO

NOT TO BE CONFUSED WITH Unocoin = Bangalore-based Indian exchange which trades BTC/USD, but they DO NOT EVEN trade any UNO

Unobtanium = UNO – super-rare

unobtanium.io
“The cryptocurrency of serious traders” ☺

Pros:
• already has non-negligible value, 0.01 BTC
• SHA256, reuse bitcoin ASICs
• traded at several exchanges
• fast: about one block per 1.24 minutes
• fixed monetary supply

Cons:
• Tiny market cap: 1 million dollars
• no genuine transactions?, close to zero tx/block, pure Ponzi?
• there is much worse….

Unobtanium In Trouble?

• very rare: only 250,000 will be ever made,
• acceleration: reward halving every 3 months…
• so what?

HUGE PROBLEM!

smells programmed self-destruction

Unobtanium Facts

• 2/3 of coins were already mined in a short time since 10/2013
• As of March 2014 similar profitability as bitcoin mining
• Predicted to collapse VERY quickly:
• 3 months later UNO market price (now 5.67 USD) must increase twice OR miners will instantly switch their ASICs to BTC mining… wicked!
• then it must double in the next 3 months… Hard to imagine…
• Then on 29 Sept 2014 it must achieve 15,000 USD, see the exact block halving mechanism. KILLER SWITCH!
• If it cannot appreciate so much… It will crash very badly.
• time to short UNO!

Unobtanium Death Warrant

– MAJOR ANOMALY: this currency is already destroying itself!
• will always have small market cap <1G$ => small anonymity, small adoption etc…
• in bitcoin the decline in mining profitability could be compensated by massive adoption and fees, here the adoption is zero and fees are zero because transactions are virtually non-existent …
– miners are already running away from it as fast as they can, WITH SUDDEN JUMPS, evidence:

Unobtanium Decline

– My prediction is that the hash power will decline to a ridiculously small value.
– Actually it HAS A KILL SWITCH: On 29 Sep 2014, the reward is DIVIDED 300 times overnight!!!!!!!!!!!!!!!!!!
– THIS WILL INEVITABLY LEAD TO TWO MAJOR HAZARDS:
• it will become EASY to double spend,
– IT WILL COST A FEW DOLLARS to commit double spending attacks(!)
• it will become EASY to run a “mining cartel attack”: only accept blocks mined by members of a certain group.
• Further decline or total collapse predicted as soon as any of these two happens just once

DogeCoin Self-Destruction!

DogeCoin Death Warrant

– has seriously challenged LTC, 51% attack was possible in Feb 2014.
– self-inflicted destruction shortly after?
– http://bitinfocharts.com/comparison/hashrate-ltc-doge.html

shifting in both directions, sum=constant, correlation=-1

17 Mar halving!

DogeCoin Predicted Decline

– next block halving is… 28 April
– One miner was able to execute a double spending attack!
– YES! And quicker than I thought
– Prediction: all this is very bad for DOGEcoin, it will NEVER recover from this…

Any Hope?

Self Destruction?

Built-in in most current crypto currencies…

Solutions?

– YES!
– Later in these slides..
– See also inside the paper:

Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534

No Way Out

For Unobtanium and Dogecoin: their destruction is VERY HARD to prevent.
• The only plausible way to do it:
• Pay miners more in the future => produce more coins => break the monetary policy
• Crypto currencies which claim to be a solution to solve the 2008 financial crisis, have in 1 year accomplished THE SAME DISASTER as our central banks:
• an exact equivalent of Quantitative Easing (QE):
– they MUST now break their promise and print more coins….
• diluting the money of all the other people…

CPU coins

Def. Coins designed to be mined with CPUs.

PGC – Pangucoin – China - based on scrypt-jane
MEG – MemoryCoin – super-ethical? = aims to empower the economically and financially marginalized
PTS – ProtoShares – claimed GPU resistant

Solar Coin

SLR

SLR = SolarCoin, started 22 Dec 2013
• backed by two forms of proof of work.
• SCRYPT + Solar Renewable Energy Certificate (SREC) that has been generated and 3rd party verified.
• 60 second blocks
• 100 coins per block, halving every 526600 blocks (once a year)
• 99% of coins premined and will be given to people who can bring a proof of creating 1MW*hr of solar energy
• 1% some are mined with SCRYPT.

Drawbacks:
• advantageous for some countries
• Fixed monetary supply, reward halving: future solar energy paid less…

Fake market cap…

All coins already mined, but NOT attributed => not in circulation, => PEOPLE cannot sell them, => fake Market Cap

Well not quite, because it is VERY COSTLY to produce 1MWh of solar power, so they DO HAVE large value? Not quite, coins are awarded NOT in exchange of energy, but for free for people who produce solar power, the solar power can be sold independently… depends on government subsidies available, NOT profitable to produce!

Overall this coin is very special, like a reflection of geography and government subsidies…

Which Coins Actually Exist?

Remark: ALL SMALL COINS can be destroyed instantly, as just one rich person can have / rent 51% at any moment...

Which coins matter?

Which Coins Matter

Some major coins wrt bitcoin, prices 2 March 2013:
AUC – Auracoin – 0.04 BTC
LTC – Litecoin – 0.024 BTC
NVC – Novacoin – 0.013 BTC
PPC – Peercoin – 0.010 BTC
UNO – Unobtanium – 0.010 BTC
XPM – PrimeCoin – 0.0026 BTC
ANC – AnonCoin – 0.0026 BTC

Totally misleading prices, look at market caps!

Market Caps [2 March 2014]

All the other are too weak to stand on their feet…

Bitcoin 2.0

Ethereum

New currency with more powerful scripts, very powerful platform.
• No limits in functionality, can be a lot more than a currency,
– implements “decentralized autonomous organizations” of arbitrary sort.
• Monetary supply grows linearly.

Applications:
• might liberate us from tyranny of Internet/software corporations, banks etc…
– crypto currencies
– financial derivatives,
– peer-to-peer gambling
– on-blockchain identity and reputation systems
– etc…

Lots of other innovations, uses SHA-3 (Keccak). Strongly ASIC resistant. Abstract simplicity: even basic features are encoded as scripts.

• Is Bitcoin a Ponzi Scheme?
• Financial Scam?

A Ponzi scheme?

• Ponzi schemes collapse immediately when there are no new adopters…
• Any NEW currency can be seen as Ponzi scheme.
• Bitcoin will be alive if only current adopters continue to use it.
– However investors might lose money, it could never be worth 1200 USD again…

Reasons why bitcoin can go up beyond 1000 USD (1)

• Forex market is much bigger, just small part of it makes bitcoin worth a lot
• More people yet need to discover it
• Criminal economy is waiting for better anonymity (!), they will adopt it.

Cf. Darkcoin, Dark wallet, Zerocoin projects etc..

More Reasons why bitcoin can go up beyond 1000 USD (2)

• Africa etc wants to be DE-COLONIZED from US dollar:
– they use dollars as a currency
– they hold vast reserves in dollars
– banks charge them as much as 19.2% for transfers vs. 5% average in G20 countries
[source: WorldBank, Send Money to Africa, Jan ’14]
• China needs it for bribes etc… Russia: 25% of the GDP.

Bitcoin at $10,000 in 2014? Yes for 56% of Bitcoiners

UCL seminar also voted 9Y to 10N on 13.02.2014

Cf. http://www.coindesk.com/56-of-bitcoiners-believe-bitcoin-will-reach-10000-in-2014/

*****Reasons why bitcoin is worth a lot???

• Our planet’s resources are constant if not shrinking, the super-deflationary currency bitcoin is helpful: it reflects that.
• Maybe we have a need for a currency like bitcoin for pricing of rare resources?
• If it goes through the roof in USD (which are worth less and less) then it will still be profitable for banks businesses and governments just to buy bitcoins instead of creating their own crypto currency.
– They will still make profit?

Reasons why bitcoin can NOT go up beyond 1000 USD

• Anyone can create his currency, why pay to have coins?
– Competition will kill bitcoin
• Current bitcoin can only handle 7 transactions per second worldwide
– due to block size limit…
• to be fixed soon?
• Nobel prize laureate Shiller says it is a bubble. For sure it is.

Can Bitcoin Survive?

• Hash Power
• Brand+Network Value
• Exempt from “Programmed Decline”?

Why Bitcoin is Worth Sth:

Sources of their “intrinsic value” for crypto currencies.

• Network effects (positive externality).
– Number of users
– Their Medium of Exchange (MOE) function: sum of outstanding balances.
– Trust and reputation etc…
• Is the ASIC infrastructure worth sth? YES?

WELL, MAYBE NOT QUITE AS MUCH. Next slides.

*Recall: Crazy Hash Power Increase

Nearly doubled every month… 1000x in 1 year.

Are ASICs Worth Sth?

From Robert Sams, The Marginal Cost of Cryptocurrency: http://cryptonomics.org/2014/01/15/the-marginal-cost-of-cryptocurrency/

• “The amount of capital collectively burned hashing fixes the capital outlay required of an attacker to obtain enough hashing power to have a meaningful chance of orchestrating a successful double-spend attack on the system.”
• “The mitigation of this risk is valuable, and the more capital burned up hashing a crypto currency’s network, the lower the expected frequency of successful double-spend attacks.”

This is actually already a mistaken approach, see Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534

Is Great Wall of ASIC Worth Sth?

How much do we need these ASICs?

Q: Is there a way to circumvent it? Get the benefits for free or pay much less?

BTW. Bitcoin blockchain is opening for new applications (March 2014)!

???** Circumvent The Costly Bitcoin Infrastructure?

Free riders? = Can another coin use the Bitcoin infrastructure for free? Or maybe just pay the miners less for their effort?

VERY SERIOUS question, because miners provide digital notary services “for free”: additional things can be inserted in the block chain, hard to prevent.
• YES in order to certify that a transaction has been issued by the owner of the key.
– things can be inserted in the blockchain at low cost (fees, some can be done for free).
• NO because bitcoin guarantees that the transaction is unique. It will NOT accept to police other transactions hidden in the blockchain (decide which ones are legitimate in case of double spending).
• However the unicity CAN also be guaranteed by timing: after 1 hour for example the transaction is considered final. One cannot inject anything retroactively inside the blockchain.
• Old conclusion:
– So we conclude that bitcoin infrastructure is really worth sth. if we want fast confirmation
• more or less because the NSA cannot cancel the transactions once they are confirmed
– Maybe the bitcoin infrastructure is worth nothing in order to achieve slower payment applications…

???**Circumvent Monetary Policy

Idea: Rent unused bitcoins for a short time => increase monetary supply. How to guarantee that they are returned? Implement fractional randomized reserve?

How???

Bitcoin Monopoly Rents

Accidental, more than deserved.

Programmed self-destruction [cf. new paper]:
• other currencies have copied THESE EXACT mechanisms of bitcoin, which makes them unable to survive.
• good for bitcoin so far.

Bad Reputation?

• Miner over-investment and numerous pre-payment scandals, people earning 2x 10x 100x less than expected…
• MtGox thefts: at least 5% of all bitcoins in circulation
• a Magnet for Criminals?
– no, this would be Zerocoin, US dollar, 500 euro bills etc…

10 May 2014

Patrick Alexander quits bitcoin foundation and states publicly that:
• The foundation members need to emulate very high moral values and ethics […] especially as it involves money.
• So far, the track record of prominent Bitcoin Foundation members has been abysmal. […] acts of a few, have overshadowed us all unfortunately.
• I no longer want to be associated with these people.
• It is my wish that […] another organization can […] take its proper place representing the great idea that is bitcoin.

Few other members also resigned immediately.

Bitcoin Reform

New Paper

Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534
• Bitcoin seriously lacks network neutrality: miners are too centralized, have excessive discretionary powers, and can be made to participate in attacks without their knowledge
• Miners have over-invested, they will be tempted by criminal exploitation as a service through dodgy business ventures (e.g. bitundo.com)
• Nobody supports the ordinary peer-to-peer network and ordinary people to do payments (poor security, poor transaction speeds, poor availability and poor promotion of secure bitcoin storage methods and practices)

Longest Chain Rule

The longest chain rule might be OK in some applications, it fails bitcoin users very badly. Much worse for weaker currencies.

We need some quick fix solutions.
• Provide incentives for people to use bitcoin and to run peer nodes.
• Use existing strengths of bitcoin in order to make blockchain manipulation MUCH harder. How?

Reinforcements

Make blockchain manipulation MUCH harder.
• Use timing: the later a second transaction/signature arrives, the more negligible its chances of being accepted should be.
• More objective rules – less discretionary powers.
• If there is a fork, incentives in place should be such that both branches contain essentially the same transactions.
• Miners should not hold bitcoin hostage.
• Enable super fast zero-confirmation transactions.

Ultra Fast Transactions!

Very strange: Satoshi did NOT implement a timestamp for transactions.
Impossible to distinguish between various situations.
Impossible to manage double spending correctly.
• Again, use the timing.
• Ask other ordinary peer nodes to confirm your transaction for a fee, within seconds, not a multiple of 10 minutes.
• Chain and mix these confirmations.
• Use timestamps and certify them by various electronic notary services.
• Also use shares generated by miners (exist in vast quantities!).
• Accumulate evidence that one version was propagated much earlier than the other, and accept this version: MAKES BITCOIN MUCH FASTER. 100x speed increase expected.

Simultaneous Double Spends

No strong opinion about what to do with these:
It is possible to reject both: evidence that the private key was misused.
(because we will have electronic evidence, money could be seized by bitcoin and donated to a charity which helps victims of bitcoin crime)

Potential Problem (1)

Big question: [Gerald Davis]
Can this solution allow double spending attacks CHEAPER than forking the blockchain? Just by corrupting the time attestation mechanisms?

Potential Problem (2)

Serious question. Possibly but in fact the opposite is probably true…

Corrupting the Time Attestation Mechanisms? (3)

Serious question. Possible but in fact the opposite is probably true:
• we can trust the market to develop cheap reliable and decentralized timestamping and certification mechanisms. Time is a reality which is far bigger than bitcoin blockchain and should be harder to manipulate
• there is a price to pay: knowledge of some private keys used before, need to corrupt people not known in advance
• certification by peers is closer to proof of stake than to proof of work

Bribing + Network Attacks? (4)

Can one bribe peers? continued.
• Claim: if transactions are diffused and the “view” of the person being attacked and the “view” of many other network nodes is essentially the same, there is no space for the attack.

=> this sort of attack requires some form of “network superiority” or manipulation, or the first transaction is diffused and there is no going back. Or we have two transactions diffused. In both cases no attack, everybody sees the same reality, no attack.

In fact this question is independent from timestamping (next slide) and also works with “network superiority” alone:

Network Attacks Alone? (5)

Possible attack scenario with “network superiority” alone:
• cheat the receiver with our transaction sent just to him,
• control the network so that nobody else knows about this transaction,
– not diffused.
• emit another transaction later to the wide network,
• make sure the victim receives it quite late…

Answer: It is the responsibility of people who accept zero confirmation transactions to check that the transactions on which they rely have been properly diffused in the network.

• Use all the bitcoin attestation mechanisms proposed above.
• Check with well known https web sites (cannot be forged, can be bribed/hacked though) etc.
• Get insured.
• Etc.

One Final Comment

https://bitcointalk.org/index.php?topic=600436.0;all

Anonymity

Anonymity???

Transactions: ≥0 inputs, ≥1 outputs

Due to practical reasons, most of the time (???) ALL inputs belong to the same person or to people who know each other.

Anonymity with PK-based Currency

For unspent money: hide any of
– the owner’s ID (btw. his Public Key can be a secret, technicality!)
– the “spending” location can be hidden with TOR

=> potentially with state of the art countermeasures, the potential thief has no way to locate the money!

Bad anonymity when you spend,
• can split larger amounts in many pieces to avoid being seen when you spend.
• still hard to do…

**Anonymity Citations

• Bitcoin is NOT particularly anonymous BUT it is SUPER DENIABLE – Dan Kaminsky
⇒ what does he mean???
⇒ about creation of unlimited new identities?
⇒ one person becomes many pseudonyms…
⇒ deniable = I can claim it was not me…

**Anonymity?

Goal: return some money to itself inside the same transaction
– use another fresh address for better anonymity
– transactions also have multiple input addresses,
• allows perfect mixing in theory…

⇒ in practice we expect that “most of the time” most input addresses belong to the same person as one of the output addresses.
⇒ some geographical / side channel information could link them in pairs
⇒ unless money is pre-split in standardized amounts like 0.01 BTC and always used as such.
⇒ Then no change is ever returned.

Due to practical and risk management questions, most of the time (?) ALL inputs belong to the same person or to people who know each other.
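The observation that all inputs of a transaction usually belong to one person is the basis of the common-input-ownership heuristic used in blockchain analysis. The following is an added example, not part of the original slides: it clusters addresses with a union-find structure over constructed sample transactions and shows how a co-signed transaction with equal-valued outputs produces a false merge. The transaction layout, the address labels and the equal-output filter are assumptions made for illustration.

```python
"""Added example: clustering addresses by the common-input-ownership heuristic."""
from collections import Counter, defaultdict

# Constructed sample data (not real blockchain transactions).
# inputs: addresses being spent; outputs: (address, amount in satoshis).
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["A1", "A2"],
     "outputs": [("M1", 30_000_000), ("A3", 20_000_000)]},   # payment + change
    {"txid": "t2", "inputs": ["A2", "A3"], "outputs": [("M2", 25_000_000)]},
    {"txid": "t3", "inputs": ["B1"],
     "outputs": [("M1", 10_000_000), ("B2", 40_000_000)]},
    {"txid": "t4", "inputs": ["B1", "B2"], "outputs": [("M3", 45_000_000)]},
]

# Two unrelated users co-sign one transaction, each paying 0.5 BTC to a
# fresh address of their own (constructed).
COINJOIN_TX = {"txid": "t5", "inputs": ["A3", "B2"],
               "outputs": [("A4", 50_000_000), ("B3", 50_000_000)]}


class UnionFind:
    """Disjoint sets of addresses with path compression."""

    def __init__(self):
        self.parent = {}

    def find(self, item):
        self.parent.setdefault(item, item)
        root = item
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[item] != root:      # compress the path just walked
            nxt = self.parent[item]
            self.parent[item] = root
            item = nxt
        return root

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def has_equal_outputs(tx):
    """Crude filter (assumption): several inputs and a repeated output amount."""
    amounts = Counter(amount for _, amount in tx["outputs"])
    return len(set(tx["inputs"])) >= 2 and any(n >= 2 for n in amounts.values())


def cluster_by_common_inputs(txs, skip=None):
    """Merge all input addresses of each transaction into one cluster.

    `skip` is an optional predicate; transactions it flags are still
    registered but do not cause a merge.
    """
    uf = UnionFind()
    for tx in txs:
        inputs = tx["inputs"]
        for addr in inputs:
            uf.find(addr)                      # register every spent address
        if skip is not None and skip(tx):
            continue
        for other in inputs[1:]:
            uf.union(inputs[0], other)
    groups = defaultdict(list)
    for addr in uf.parent:
        groups[uf.find(addr)].append(addr)
    return sorted(sorted(group) for group in groups.values())


if __name__ == "__main__":
    print("ordinary spends:", cluster_by_common_inputs(SAMPLE_TXS))
    mixed = SAMPLE_TXS + [COINJOIN_TX]
    print("naive, with co-signed tx:", cluster_by_common_inputs(mixed))
    print("equal-output txs skipped:",
          cluster_by_common_inputs(mixed, skip=has_equal_outputs))
```

The filter errs in both directions, so clusters produced this way are leads to corroborate with other evidence, not proof of common ownership.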

Crypto Currencies

AlsoThe secret billionaire syndrome:– in bitcoin the PK can be secret forever in practice (technicality)! – (also the payer location can be hidden very well, TOR). – potentially with state of the art countermeasures,

the potential thief has no way to locate the money!

– not so good anonymity when you spend, • can split in many pieces to avoid being seen when you spend.

331 Nicolas T. Courtois 2009-2014

• can split in many pieces to avoid being seen when you spend.

Crypto Currencies

Anonymity References:Robert McMillan: “Sure, You Can Steal Bitcoins. But

Good Luck Laundering Them”, August 2013.

Dan Kaminsky: Black ops of TCP/IP, presentation. Black Hat and Chaos Communication Camp, 2011

332 Nicolas T. Courtois 2009-2014

Fergal Reid and Martin Harrigan: An Analysis of Anonymity in the Bitcoin System, In Security and Privacy in Social Networks, Springer 2013

Crypto Currencies

Hard Or Easy?Robert McMillan: “Sure, You Can Steal Bitcoins. But

Good Luck Laundering Them”, August 2013.

Main points:• law enforcement has many ways of tracking down

a culprit .

333 Nicolas T. Courtois 2009-2014

• law enforcement has many ways of tracking down a culprit .

• bitcoin network is built in a way that can make it awfully difficult for criminals to spend the digital currency once they steal it

Hard Or Easy?

• you need to provide proof of identity to trade on Mt. Gox or other exchanges
  – they can also hand other information such as IP addresses and bank account numbers to investigators
• UBS 2014 report “Problematic Currency, Interesting Payment System” is positive about legit usage of crypto currencies:
  – “In principle, financial institutions with existing anti-money laundering systems in place (like banks) could adopt a common Bitcoin-like technology to facilitate fast and secure international transfers between end-users…”

S/N question

• small-scale money laundering “seems quite possible”, but the big fish will have problems
• there simply aren’t enough places to exchange large amounts of money in an anonymous way
  – bad news: look at these two addresses: suspected to have laundered tens/hundreds of millions of dollars…
  – https://blockchain.info/address/135N2nfAkextd6E25quXpM98qLSi2BccCb
  – https://blockchain.info/address/1Facb8QnikfPUoo8WVFnyai3e1Hcov9y8T

• S/N: “the money that’s moving around the system every day is just not enough to disguise large quantities of Bitcoin”

• super disturbing: anyone can setup a bitcoin exchange, lottery, market, etc. on the Internet.

Anonymity Methods

Laundry Services

Like Bitcoin Laundry and Bitmix
• poor usability
• likely to steal your money

Cooperative Laundering - Main Trick

Known as “CoinJoin” method, by gmaxwell, August 2013

[Diagram: one joint transaction tx]
• input: user A, 0.5 BTC
• input: user B, co-opted, has 0.5 BTC of his own, no risk of losing them
• both agree and sign tx independently
• output: 0.5 BTC to user A's fresh public key
• output: 0.5 BTC to user B's fresh public key

which one is user A?
Pb. At any later moment user B can betray himself

Problems with CoinJoin

• User A can betray user B
• All inputs must have the same amount
⇒ Must return the change to yourself on a fresh address… only to betray your identity later
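The common-input assumption from the “Anonymity?” slide and the effect of a CoinJoin transaction on it can be checked mechanically. The following is an added example, not part of the original slides: it clusters addresses that are spent together and shows how one equal-output joint transaction merges two users into one cluster unless it is recognized and skipped. All transactions, address labels and the `looks_like_coinjoin` heuristic are constructed for illustration.

```python
from collections import Counter

# Constructed sample transactions (not real blockchain data); amounts in mBTC.
# A*/B* are addresses of two users, M* are merchants. t3 is CoinJoin-shaped.
TXS = [
    {"id": "t1", "ins": [("A1", 300), ("A2", 400)], "outs": [("M1", 600), ("A3", 100)]},
    {"id": "t2", "ins": [("A3", 100), ("A2", 500)], "outs": [("M2", 600)]},
    {"id": "t3", "ins": [("A4", 500), ("B1", 500)], "outs": [("A5", 500), ("B2", 500)]},
    {"id": "t4", "ins": [("B1", 200), ("B3", 200)], "outs": [("M3", 400)]},
    {"id": "t5", "ins": [("A4", 100), ("A1", 100)], "outs": [("M4", 200)]},
]

def looks_like_coinjoin(tx):
    """Heuristic: several inputs and at least two outputs of identical value."""
    counts = Counter(value for _, value in tx["outs"])
    return len(tx["ins"]) >= 2 and max(counts.values()) >= 2

class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def cluster(txs, skip_coinjoin):
    """Merge all input addresses of a transaction into one presumed owner."""
    uf = UnionFind()
    for tx in txs:
        addrs = [addr for addr, _ in tx["ins"]]
        for addr in addrs:
            uf.find(addr)  # register the address even if the tx is skipped
        if skip_coinjoin and looks_like_coinjoin(tx):
            continue  # inputs of a joint transaction belong to different people
        for addr in addrs[1:]:
            uf.union(addrs[0], addr)
    groups = {}
    for addr in uf.parent:
        groups.setdefault(uf.find(addr), set()).add(addr)
    return sorted(sorted(group) for group in groups.values())

if __name__ == "__main__":
    print("naive:         ", cluster(TXS, skip_coinjoin=False))
    print("CoinJoin-aware:", cluster(TXS, skip_coinjoin=True))
```

With the naive rule, t3 links A4 to B1 and every address of both users ends up in a single cluster; skipping the joint transaction keeps the two users apart.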

AltCoins

Each altcoin can be used to exchange to bitcoins and back, hard to trace unless
• you follow all altcoin companies
  – E.g. their network communications,
  – or they cooperate with the police forces
• from public info:
  – timing and amounts of transactions in respective blockchains
• these anonymity services are already a good reason why many “stupid” altcoins exist and have some non-zero market value!

Rented Miners!

You spend BTC from crime on rented miner ASIC.
• Then you produce fresh coins!
• No link (unless the cloud company traces you).

Even less link because of H0…

Classical Ideas

• Run a fake business
• Play a Casino [bitcoin: provably honest casinos]
• Manipulate a market… [use alt-coins] in order to transmit money “wirelessly”:
  – example: inflate some asset on one side, profit from it on the other side.

**Müllerian Mimicry

• Imitate typical patterns of “innocent” bitcoin addresses.
• Cf. David Naccache talk at CECC 2014.

Anonymity Tips / Counter Arguments

Tips:
• use multiple addresses, new address for each transaction
• create dummy movements
• play lottery, buy/sell shares, exchange against EUR/USD
• use mixing services, mix small amount at a time
• avoid EVER connecting your name with any of your Bitcoin addresses
• Hide your IP address with TOR

Counter arguments:
• no evidence that this helps, these addresses “meet” in the graph of transactions which is not a random graph
• must pay fees
• PERFECT if we cant trust these companies, nobody will now know which addresses belong to you
• close to impossible in practice
• Not a silver bullet

Misconceptions / Counter Arguments

• Bitcoin eliminates identity theft, there is no identity to be stolen [Rosenberg-Anderson]
  • On the contrary, it creates new insidious forms of identity theft for the pseudonymous identity:
  • Example: steal someone’s private keys by a cyber attack, use for money laundering, this creates serious criminal justice problems against which there is no insurance

“Invisible” Recipient? (for the time being)

• Vaguely based on ideas by user=ByteCoin [Bitcoin forum].
• “Untraceable transactions […] are inevitable.”
• Using Diffie-Hellman. Sender = A, receiver = B.
• Sender A knows the recipient’s public key g^x mod P and B knows A’s public key g^y mod P.
• A computes S = (g^x)^y mod P.
• A computes H(S) as a seed for RNG, generates a deterministic new bitcoin private key SK_transfer called the transfer address.
• A sends the money to this address.
• Due to DH magic, B also knows this private key SK_transfer.
• B takes the money and transfers it to new addresses.

Remark: This is similar to a theft, the recipient B is anonymous only if he can hide his network presence (e.g. using TOR) and as long as he is not yet spending the money. Requires a lot more work!

• The only real benefit is that nobody can initially associate the recipient B with his public key g^y even though it is in a public directory.
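The derivation on this slide, carried through in code as an added example (not from the original slides or from ByteCoin's post). Assumptions: a toy Diffie-Hellman group, SHA-256 as H, a hash-with-counter loop as the deterministic RNG, and constructed secrets x, y, z; the resulting SK_transfer is an integer in the secp256k1 private-key range.

```python
import hashlib

# Toy Diffie-Hellman group, assumed for illustration only: the Mersenne prime
# 2^127 - 1 is far too small for real use.
P = 2**127 - 1
G = 3
# Order of the secp256k1 group: a valid Bitcoin private key is an integer in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def public_key(secret):
    return pow(G, secret, P)

def transfer_key(my_secret, their_public):
    """Derive SK_transfer from the DH shared secret S, using H(S) as the RNG seed."""
    S = pow(their_public, my_secret, P)
    seed = hashlib.sha256(S.to_bytes(16, "big")).digest()
    counter = 0
    while True:  # deterministic RNG: hash seed||counter until the value is a valid key
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        k = int.from_bytes(digest, "big")
        if 1 <= k < N:
            return k
        counter += 1

# Constructed long-term secrets: x for recipient B, y for sender A, z for an observer.
x = 2**89 - 1
y = 0x1D0C5EED0FA11CEBADC0FFEE
z = y + 1

def demo():
    gx, gy = public_key(x), public_key(y)
    sk_a = transfer_key(y, gx)    # sender A computes S = (g^x)^y
    sk_b = transfer_key(x, gy)    # recipient B computes S = (g^y)^x
    sk_obs = transfer_key(z, gx)  # observer has the public keys but neither x nor y
    return sk_a, sk_b, sk_obs

if __name__ == "__main__":
    sk_a, sk_b, sk_obs = demo()
    print("A and B agree:", sk_a == sk_b)
    print("observer derives the same key:", sk_obs == sk_a)
```

Both A and B hold SK_transfer after this exchange, which is why the slide has B move the money on to new addresses.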

Software and Add-On Solutions to Make Bitcoin More Anonymous

DarkWallet

Radical nearly-anarchist project

• Software which mixes 2 bitcoin transactions for people who do NOT know each other, mixing by default.

• A lightweight plug-in wallet for Chrome/Firefox.

Anonymity Alt-Coins

DarkCoin

Implementation of Coin-Join with several stages.
Uses blind signatures in order to prove the input belongs to one of the participants.
Has a collateral deposit system: protects against badly behaving users, they may lose money.

Cons: All the issues with CoinJoin.

Zerocoin

Anonymous currency, ZK proofs. Initially proposed as an extension of bitcoin, now it will be an independent currency.

Another similar proposal: Appecoin.

Zerocoin

S: secret serial number I commit to, needed to spend the coin
r: random needed to reveal S later on
C = g^S h^r

Producing Zerocoins:
In Bitcoin blockchain 1 BTC => C, invalid H(PK), just destroyed 1 bitcoin, this controls the monetary supply!

Remark: already protected against abuse, nobody wants to destroy bitcoins which cost money…

Now revealing this serial number S will be worth 1 BTC, like one-time signature mechanism???, PROBLEM: must convince bitcoin developers to accept creation of bitcoins out of thin air!

Breaks bitcoin (or requires permission of bitcoin developers or/and a majority of miners).
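The commitment C = g^S h^r and the role of the serial number S, as an added example that is not part of the original slides or the Zerocoin code. Assumptions: a toy group with p = 2039 and q = 1019, and a hypothetical `Ledger` class in which a plain opening (S, r) stands in for Zerocoin's zero-knowledge proof, so unlike the real scheme this sketch reveals which C is being spent.

```python
import secrets

# Toy group (assumption, far too small for real use): p = 2q + 1 with p, q prime.
# g and h are squares mod p, so each generates the subgroup of prime order q.
p, q = 2039, 1019
g, h = 4, 9  # in a real setup nobody may know log_g(h)

def commit(S, r):
    """C = g^S * h^r mod p: r blinds S, so C alone does not reveal the serial."""
    return (pow(g, S, p) * pow(h, r, p)) % p

def mint():
    """Pick a fresh serial S and blinding value r; only C is published."""
    S, r = secrets.randbelow(q), secrets.randbelow(q)
    return S, r, commit(S, r)

class Ledger:
    """Hypothetical ledger: commitments recorded at mint, serials recorded at spend."""

    def __init__(self):
        self.minted = set()  # each C is recorded when 1 BTC is destroyed
        self.spent = set()   # serial numbers S that were already revealed

    def record_mint(self, C):
        self.minted.add(C)

    def spend(self, S, r):
        # Simplification: a plain opening (S, r) replaces the zero-knowledge proof.
        if S in self.spent:
            return "rejected: serial already spent"
        if commit(S, r) not in self.minted:
            return "rejected: no such commitment"
        self.spent.add(S)
        return "accepted"

if __name__ == "__main__":
    ledger = Ledger()
    S, r, C = mint()
    ledger.record_mint(C)
    print(ledger.spend(S, r))  # first reveal of S redeems the coin
    print(ledger.spend(S, r))  # second reveal of the same S is a double spend
```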

Zerocoin Issues

Source: https://bitcointalk.org/index.php?topic=279249.0

Limitations:
• uses cutting-edge cryptography: maybe insecure, understood by relatively few people
• produces large (20kbyte) signatures that would bloat the blockchain (or create risk if in external storage)
• it requires a trusted party to initiate its accumulator. If that party cheats, they can steal coin. (Perhaps fixable with more cutting-edge crypto.)
• validation is very slow (can process about 2tx per second on a fast CPU), which is a major barrier to deployment in Bitcoin as each full node must validate every transaction.
• large transactions and slow validation means costly transactions => will reduce the anonymity set size
• uses an accumulator which grows forever and has no pruning. In practice this means we'd need to switch accumulators periodically to reduce the working set size, reducing the anonymity set size.
• some of these things may improve significantly with better math and software engineering over time.

But above all: Zerocoin requires a soft-forking change to the Bitcoin protocol, which all full nodes must adopt, which would commit Bitcoin to a particular version of the Zerocoin protocol. Politically contentious, as some developers and Bitcoin businesses are very concerned about being overly associated with "anonymity".

Crime Investigations

Two Graphs

Fergal Reid and Martin Harrigan: An Analysis of Anonymity in the Bitcoin System, In Security and Privacy in Social Networks, Springer 2013

Transactions form a DAG: Directed Acyclic Graph

Second Graph

Public Keys Form A Graph in which money flows potentially in both directions between any pair at various moments

Initial Theft

25,000 BTC

Initial steps: We can assume that all bitcoin accounts initially involved are related to the thief?

Not quite: after the theft, he donated some money to a computer hacker group known as LulzSec.

Analysis

• flows split and then merge again
• IP address reporting transactions
• size of inputs/outputs
• speed of transactions (some are quite fast!)

Other sources of data
• order books with precise amounts from exchanges

Another Example of Actual Crime

A criminal gang promising non-existing miners (Hashblaster.com) run by a non-existing company claimed to be based in Essen, Germany had numerous victims.

Some of these fraudulently obtained sums have transited through https://blockexplorer.com/address/1Nm1jYHo8WKuJc7Paq1VneAPdNtqcmpm6t

Then they went to (next page).

Bitcoin's most mysterious wallet?

1Facb8QnikfPUoo8WVFnyai3e1Hcov9y8T

Initially it was a great mystery:
• was active in the period from December 2013
• total funds managed: 219,956 Bitcoins (estimated USD209 million)
• fast growing, suspected to be a major laundry service etc...

Later it was found it belonged to MtGox! Q: Did MtGox check the identity of their customers?

Tracing Larger Patterns (e.g. Geographic Patterns)

IP Address Per Transaction Reporting

© Bissessar Shiva and Nicolas Courtois, UCL 2013

Currency Circulation

© Bissessar Shiva and Nicolas Courtois, UCL 2013

Anonymity??? - Following 3.7 M$ For 24h

© Bissessar Shiva and Nicolas Courtois, UCL 2013

Transparency

Non-Anonymity Is Valuable:

Charity, political party, any publicly managed organization:

• Everybody knows how much money was donated.
• Everybody knows how money was spent.

Bitcoin and The Stock Market

Hidden Connection

Bitcoin vs. US Stock Market

Important remark: US stock market is DECENTRALIZED (!).

One Wall street lawyer writes:
• “the bitcoin network is actually reminiscent of a network which was initially created to implement NMS [National Market Structure] regulations”.
• “bitcoin technology is brilliant” and maybe
• a “kind of value transfer network that you could dream about creating” for the stock markets
  – “if existing businesses had the luxury of a fresh start”

Source: Vivian A. Maese: Divining the Regulatory Future of Illegitimate Cryptocurrencies, In Wall Street Lawyer, Vol. 18 Issue 5, May 2014.

De Bono Connection

Corporate Currencies Replacing the Stock Market?

Edward De Bono: in the early 1990s wrote a pamphlet called “The IBM Dollar”

Dr. de Bono wrote that he looked forward to a time when “the successors to Bill Gates will have put the successors to Alan Greenspan out of business”, arguing in essence that it would be more efficient for companies to issue money than equity.

Edward de Bono argued that companies could raise money just as governments now do - by printing it.

Concept of Private Currency Based on Future Production

For Dr. de Bono: it was about “The IBM Dollar” issued by IBM instead of raising money from the stock market.

His concept of “private currency”:
• would be redeemable for IBM equipment,
• NOT at all like modern fiat, redeemable for nothing!

Further startup scenario:
• A start-up XX launches. Instead of issuing shares, it issues XX-coin redeemable for future products/services.
• E.g. a power plant start-up offers future kilowatt hours.
  – In the early days, they are sold and trade at a significant discount to take into account the risks.
  – Later this “private currency” goes up if company does well!