IS THERE A THEORY BEHIND BITCOIN?Thomas Holenstein

ITS Science Colloquium, Nov 6, 2014

Goal of this Talk

Part I: What is Bitcoin? Approach: technical Requires digital signatures and

random oracles.

Goal of this Talk

Part II: Bitcoin research What are researchers doing? What are the open problems?

Disclaimer: I own some bitcoin.

Part I: What is Bitcoin?

What is Bitcoin?

Analogies don’t help…

Instead, we focus on the system: we explain how Bitcoin works.

This means: we explain the protocol.

Basics: Digital Signatures

Digital Signature

VerificationSigningKey Generation

Alice(Public)

Alice(Secret)

Alice

Bob

Bob Alice

Alice(Public)

Alice(Public)

Digital Signature

VerificationSigningKey Generation

Alice(Secret)

Bob

Alice(Public)

Digital Signature

VerificationKey Generation

Alice(Public)

Alice(Secret)

Goal: Bob should be sure that the

message originates from Alice.

Signing

Alice A

Message

Digital Signature

Key Generation

Public Key

Secret Key

A

Signing

Secret Key

Message

A

Verification

Public Key

Message

Security (informal): You cannot produce valid signatures without the secret key.

We now try to build bitcoin…

Attempt #1

… but we will fail.

Goals

We want some kind of “digital money”.

Everyone can participate.

No central instance – no bank.

Setting

Every computer can send messages to some other computers.

A network of computers.

Basic idea

Every computer maintains a table: “who owns what?”

Alice (Public)

Bob(Public)

Charlie(Public)

Dora(Public)

Eliza(Public)

10 BTC

0.2 BTC

0.001 BTC

2 BTC

17 BTC We will need: all computers have the same table.

Remark: The public keys are just bit

strings.

Sending Bitcoins

In “short”, transactions look like this:

Alice (Public)

Transfer 0.1 BTC

from

to Bob(Public)

A

$ F T

To send money, we use transactions. These are messages like this:

Sending Bitcoins

I’LL send 0.1 Bitcoin to Bob.

Alice

$ F T

Protocol: sending BTC

1. Craft a transaction.

2. Give it to your computer.

Protocol: participating

On valid transactions:1. Update ledger2. Relay transaction

Double Spending

I can exploit this!

Black Hat

Alice

Bob

: Give BTC from Black Hat to Alice: Give BTC from Black Hat to Bob

Black Hat prepares two transactions:

These transactions

spend previously spent bitcoins!

Thanks!

Thanks!

Double Spending

The bad guy spends the same Bitcoins with two different transactions and .

Computers receiving transaction will have a different ledger than computers receiving transaction .

We need a protocol to agree on a transaction. “Consensus protocols”. Studied since 1980,

starting with Pease, Shostak, Lamport. Huge literature! Main idea for protocols:

Consensus Protocols

What transaction are you using?

Protocols work if (say) > 70% of the computers

follow the protocol.

This solution does not help us!

Design goal: Everyone can participate.

I will gladly participate…With 1 000 virtual machines!

By running a special program, a bad guy controls many virtual computers.

Like this, he can make different participants believe different things.

Basics: Random Hashfunctions

Random Hash Functions (Random Oracles)

A random hash function is

where all outputs are chosen uniformly at random, independent of each other.

RH

Example: // x = 44709335 // x = 53639915 // x = 44709335

On my friends computer in the US: // x = 44709335

Random Hash Function

In practice, we hope that SHA256 behaves “like a random oracle”.

Calculation: If we made all computers on the world compute …

It takes ~“ years” to find s.t.

Bitcoin’s consensus protocol

Step 1: How does the protocol look like?

Step 2: What happens if people cheat?

Blocks

A block contains for another block , a list of transactions, and an arbitrary number

“nonce”.Block is valid if the first digits of the hash of are all zero.

8046465385222

0000031105830

0000077326777

RH

Blocks

If we have a block, we can find a “next block”:

Take from the previous block. Add transactions.

Try different values for this string until the hash starts with zeros.

¿

Blocks

If we have a block, we can find a “next block”:

Take from the previous block . Add transactions.

Try different values for this string until the hash starts with zeros.

Bitcoin chooses such that this takes ~10 minutes.

¿

¿

A Tree of Blocks

If we have a block, with a bit of work, we can find a “next block”…...and yet another “next block”…

…or a block which continues here…

… and so on.

A Tree of Blocks

In general, we can build a tree of blocks like this.

But only ever downwards!

The Protocol for Finding Blocks

Protocol: finding blocks

1. Take the longest chain you can find.

2. Collect transactions.3. Find a new valid block

here.4. Publish it.

The Protocol for Participants

Protocol: To know who owns BTC

1. Take the longest chain you can find.

2. Process the transactions in this chain in order.

Why work to find blocks?

Many people are trying to find blocks, which uses a lot of resources…

A real lot!

This is called “mining”.

Block reward

If you find a block, you get bitcoins as a reward.

Alice (Public)

Transfer 0.1 BTC

from

to Bob(Public)

A

Fee:0.001 BTC

Every transaction specifies a fee. It goes to the person who puts the transaction into a valid block.

Alice (Public)

Transfer 0.1 BTC

from

to Bob(Public)

A

Recap: The Bitcoin Protocol

Protocol: participate

Relay valid transactions. Relay valid blocks in the longest

chain. Work with the longest chain.

Protocol: miners

Collect valid transactions. Publish valid blocks which extend

the longest chain.

Bitcoin’s consensus protocol

Step 1: How does the protocol look like?

Step 2: What happens if people cheat?

Double Spends

I can exploit this!

Black Hat

Alice

Bob

I found a valid block!

Once a block is found, the double spends vanish.

Occasionally, two people find blocks at around the same time… but typically the problem disappears.

Build an Alternate Chain?

The more -calls are devoted to a chain, the faster it grows.

Thus, intuitively: to build a chain as fast as the rest, you need as many -calls as the rest.

Maybe I should build another chain?

Part II: Bitcoin Research

Understanding Bitcoin

Bitcoin was deployed with basically no theoretical foundation.

Is the system secure? What gives it security?

What will rational agents in the Bitcoin network do?

What are possible attacks?

Understanding Bitcoin

Ideally, we would want a model which captures the “important aspects”.

We then want theorems which describe the results.

Some of the following research goes into this direction.

Understanding Bitcoin: References

Babaioff, Dobzinski, Oren, Zohar (2012). On Bitcoin and red balloons

Bahack (2013). Theoretical Bitcoin attacks with less than half of the computational power

Barber, Boyen, Shi, Uzun (2012). Bitter to better - how to make Bitcoin a better currency

Becker, Breuker, Heide, Holler, Rauer, Bóhme (2012). Can we afford integrity by proof-of-work? Scenarios inspired by the Bitcoin currency

Bonneau, Narayanan (2014). Better in practice than in theory: lessons from the rise of Bitcoin

Courtois, Grajek, Naik (2013). The unreasonable fundamental incertitudes behind Bitcoin mining

Eyal, Sirer (2014). Majority is not enough: Bitcoin mining is vulnerable

Garay, Kiayias, Leonardos (2014). The Bitcoin backbone protocol: analysis and applications

Karame, Androulaki, Capkun (2012). Two Bitcoins at the price of one? Double-spending attacks on fast payments in Bitcoin

Kroll, Davey, Felten (2013). The economics of Bitcoin mining, or Bitcoin in the presence of adversaries

Möser, Böhme, Breuker (2014). Towards risk scoring of Bitcoin transactions

Nakamoto (2008). Bitcoin: a peer-to-peer electronic cash system

Raulo (2011). Optimal pool abuse strategy

Todd (2013). How a floating blocksize limit inevitably leads towards centralization

… many more.

http://bitcointalk.org

I omit many references… also in the

following!

Understanding Bitcoin: Open Problem

There are some aspects of Bitcoin which will change: The initial block reward will vanish. I believe: the network will grow or go

away. What are the effect of such changes?

(There is previous work which studies this).

Improving Bitcoin

New technology gives new choices. How do we choose? Try to make the system more

powerful. Try to make the design:

more secure, faster, less wasteful.

Improving Bitcoin: References

Back, Corallo, Dashjr, Friedenbach, Maxwell, Miller, Poelstra, Timón, Wuille (2014). Enabling Blockchain Innovations with Pegged Sidechains

Bamert, Decker, Elsen, Wattenhofer, Welten (2013). Have a Snack, Pay with Bitcoin

Ben-Sasson, Chiesa, Genkin, Tromer, Virza (2013). SNARKs for C: Verifying Program Executions Succinctly and in ZK

Bentov, Gabizon, Mizrahi (2014). Cryptocurrencies without Proof of Work

Bonneau, Clark, Miller (2014). FawkesCoin: A cryptocurrency without public-key cryptography

Buterin (2013). Ethereum White Paper. Dziembowski, Faust, Kolmogorov,

Pietrzak (2013). Proofs of Space

etotheipi, maaku, et al. (2012). Ultimate blockchain compression w/ trust-free […]

Hearn (2013). Decentralised crime fighting using private set intersection protocols

Heilman (2014). One Weird Trick to Stop Selfish Miners: Fresh Bitcoins […]

King, Nadal (2012). PPCoin: Peer-to-Peer Crypto-Currency with Proof-of-Stake

Lee (2013). Litecoin

Maxwell (2013). Really Really ultimate blockchain compression: CoinWitness

Miller, Shi, Kosba, Katz (2014). Nonoutsourceable Scratch-Off Puzzles to Discourage Bitcoin Mining Coalitions

Sompolinsky, Zohar (2013). Accelerating Bitcoin's Transaction Processing: Fast Money Grows on Trees, Not Chains

Todd (2014). Tree-chains preliminary summary.

Improving Bitcoin: Open Problem

Computing SHA256 around times per second seems like a big waste of energy.

Back of the envelope calculation gives a daily energy use of 5’000’000+ kWh (~ 500’000+ CHF)

Can we improve the situation?

(There is previous work which studies this).

Anonymity

Every transaction is broadcast and stored.

On the other hand, a priori nobody knows who owns which public key.

Is Bitcoin anonymous?

Anonymity: References

Androulaki, Karame, Roeschlin, Scherer, Capkun (2013). Evaluating user privacy in Bitcoin

Biryukov, Pustogarov (2014). Bitcoin over Tor isn't a good idea

Gervais, Karame, Gruber, Capkun (2014). On the privacy provisions of Bloom filters in lightweight Bitcoin clients

Koshy, Koshy, Mcdaniel (2014). An analysis of anonymity in Bitcoin using P2P network traffic

Meiklejohn, Pomarole, Jordan, Levchenko, McCoy, Voelker, Savage (2013). A Fistful Of bitcoins: Characterizing payments among men with no names

Ober, Katzenbeisser, Hamacher (2013). Structure and anonymity of the Bitcoin transaction graph

Reid, Harrigan (2012). An analysis of anonymity in the Bitcoin system

Ron, Shamir (2014). How did dread pirate Roberts acquire and protect his Bitcoin wealth?

Ron, Shamir (2013). Quantitative analysis of the full Bitcoin transaction graph

Spagnuolo, Maggi, Zanero (2014). BitIodine: Extracting intelligence from the Bitcoin network

theymos (2010). Anonymity

Improve Anonymity: References

Ben-Sasson, Chiesa, Garman, Green, Miers, Tromer, Virza (2014). Zerocash: decentralized anonymous payments from Bitcoin

Bonneau, Clark, Kroll, Miller, Narayanan. Mixcoin (2014). Anonymity for Bitcoin with accountable mixes

Danezis, Fournet, Kohlweiss, Parno (2013). Pinocchio Coin: building Zerocoin from a succinct pairing-based proof system

Garman, Green, Miers, Rubin (2014). Rational zero:

Economic security for Zerocoin with everlasting anonymity

Ladd (2012). Blind signatures for Bitcoin transaction anonymity

Maxwell (2013). CoinJoin: Bitcoin privacy for the real world

Miers, Garman, Green, Rubin (2013). Zerocoin: Anonymous distributed e-cash from Bitcoin

Saxena, Misra, Dhar (2014). Increasing anonymity in Bitcoin

Build on Top of Bitcoin

If Bitcoin works, we can use the technology for other things.

Use Bitcoin as a building block

Use the blockchain technology for new applications.

Build on top of Bitcoin

Andrychowicz, Dziembowski, Malinowski, Mazurek (2014). Secure Multiparty Computations on Bitcoin

Back, Bentov (2014). Note on fair coin toss via Bitcoin.

Bentov, Kumaresan (2014). How to Use Bitcoin to Design Fair Protocols

Clark, Bonneau, Felten, Kroll, Miller, Narayanan (2014). On Decentralizing Prediction Markets and Order Books.

Clark, Essex (2012). CommitCoin: Carbon Dating Commitments with Bitcoin

Finney et al. (2010). Bitcoin overlay protocols

Miller, Juels, Shi, Parno, Katz (2014). PermaCoin: Repurposing Bitcoin Work for Data Preservation

Study the behavior

Another approach is look at the current system.

What are people doing?

What happens in the network?

Study the behavior

Decker, Wattenhofer (2013). Information Propagation in the Bitcoin Network

Decker, Wattenhofer (2014). Bitcoin Transaction Malleability and MtGox

Donet Donet, Pérez-Solà, Herrera (2014). The Bitcoin P2P network

Gandal, Halaburda (2014). Competition in the Crypto-Currency Market.

Johnson, Laszka, Grossklags, Vasek, Moore (2014). Game-Theoretic Analysis of DDoS

Attacks Against Bitcoin Mining Pools

Plohmann, Gerhards-Padilla (2012). Case study of the miner botnet

Vasek, Thornton, Moore (2014). Empirical Analysis of Denial-of-Service Attacks in the Bitcoin Ecosystem

Moore, Christin (2013). Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk

Economics and Policy

What are the economic foundations behind Bitcoin?

Does it make sense that Bitcoin has value?

Do law makers have to react to Bitcoin?

Economics and Policy

Ali, Barrdear, Clews, Southgate (2014). The economics of digital currencies

Andolfatto (2014). Bitcoin and beyond: the possibilities and pitfalls of virtual currencies

Boehm, Pesch (2014). Bitcoin: a first legal analysis - with reference […]

Brito, Shadab, Castillo (2014). Bitcoin financial regulation: securities, derivatives, prediction markets, & gambling

Brito, Castillo (2013). Bitcoin: A primer for policymakers.

Dion (2014): Bitcoin, regulating fraud in the economy of Hacker-Cash

Doguet (2013): The nature of the form: Legal and regulartory issues surounding the Bitcoin digital currency system

Elwell, Murphy, Seitzinger (2014). Bitcoin: questions, answers, and analysis of legal issues

European Central Bank (2012). Virtual currency schemes

Grinberg (2011). Bitcoin: An innovative alternative digital currency

Güring, Grigg (2011). Bitcoin & Gresham's Law - the economic inevitability of collapse

Hileman (2014). From Bitcoin to the Brixton pound: history and prospects for alternative currencies

Luther, White (2014). Can Bitcoin Become a Major Currency?

Marian (2013). Are cryptocurrencies 'super' tax havens?

Mimic (2014). Regulatory challenges of alternative e-currency; Comparative analysis of Bitcoin model in US and EU jurisdictions

Möser, Böhme, Breuker (2013). An inquiry into money laundering tools in the Bitcoin ecosystem

Sapuric, Kokkinaki (2014). Bitcoin is volatile! Isn't that right?

Yermack, (2013). Is Bitcoin a real currency? [...]

More research

Bergstra, Leeuw (2014). Bitcoin and beyond: exclusively informational monies

Lo, Wang (2014). Bitcoin as money?

Luther (2013). Cryptocurrencies, network effects, and switching costs

Maurer, Nelms, Swartz (2013). "When perhaps the real problem is money itself!": the practical materiality of Bitcoin

Rotman (2014). Bitcoin versus electronic money

Graf (2014). Sidechained Bitcoin substitutes: A monetary

commentary

… many more! Apologies to everyone whose research I missed or forgot to list!

Thanks to

Alessandro Chiesa

Sources

xkcd.com

blockchain.info

bitcoincharts.com KnCMiner.com

Christian Decker

Everyone for listening!