2. Mining:
Open to anyone, but inevitable concentration of power
often seen as undesirable
3. Updates to software:
Core developers trusted by community, have great power
Need for decentralization in Bitcoin
• Objective: A purely peer-to-peer version of electronic cash would allow online
payments to be sent directly from one party to another without going through a
financial institution
• Challenge: Double spending attack
• Solution:
• Digital signatures provide part of the solution
• Main benefits are lost if a trusted third party is still required to prevent double-spending
• Solution for double-spending problem using a peer-to-peer network
• network timestamps transactions by hashing them into an ongoing chain of
hash-based proof-of-work, forming a record that cannot be changed without
redoing the proof-of-work
• longest chain not only serves as proof of the sequence of events witnessed,
but proof that it came from the largest pool of CPU power
• Benefit: As long as a majority of CPU power is controlled by nodes
that are not cooperating to attack the network, they'll generate the
longest chain and outpace attackers
Distributed consensus
Bitcoin’s key challenge
• Key technical challenge of decentralized e-cash:
distributed consensus
[Figure: a chain of transactions, each holding a hash pointer H( ) to the previous one, e.g. “Pay to pk_Bob: H( )”, signed by Alice; and the block chain, a sequence of blocks each containing a list of transactions (Tx, Tx, …).]
Embraces randomness
• Does away with the notion of a specific starting and ending point for consensus
• Consensus happens over long time scales — about 1 hour
• In summary, consensus in Bitcoin is not deterministic: even at the end of 1 hour, nodes may not be 100% sure that their view of the block chain is the consensus view
• although the probability that it is not is very low
Consensus without identity: using a block chain
Bitcoin’s consensus algorithm
Bitcoin nodes don’t have long-term identities
Why?
• Key assumptions:
• Now we can pick a random ID and select that node
• Multiple sybil nodes controlled by the adversary can still obtain only a single token
(random ID)
Key idea: implicit consensus
1. In each round (corresponds to a different block in the
block chain), random node is picked
What can a malicious node do?
1. Stealing Bitcoins?
2. Denial of service?
3. Double spend?
[Figure: double-spending attack. Two transactions signed by A spend the same coin C_A: “C_A → B, Pay to pk_B: H( )” and “C_A → A′, Pay to pk_A′: H( )”; only one of them can end up on the consensus chain. The probability that a double-spend attempt succeeds decreases exponentially with the number of confirmations.]
Value is fixed: currently 12.5 BTC, halves every 210,000 blocks created (or
every 4 years at the current rate of block creation)
• We are now in the third period – first period block reward was 50 BTC
Block creator gets to “collect” the reward only if the block ends up on the long-term consensus branch!
• Subtle but powerful trick: incentivizes nodes to behave in a way that will get other
nodes to extend their block
There’s a finite supply of bitcoins
Total supply: 21 million
• Why 10 minutes (the average time between blocks)?
• Not significant!
• Can change it to 5 minutes, and system would still work
Key security assumption
Advantage?
No centralized verifier needed! Any node or miner can
verify that the block was correctly mined
Mining economics
If mining reward (block reward + Tx fees) > mining cost (hardware + electricity cost) → profit
Complications:
• Fixed (hardware) vs. variable (electricity) costs
• Reward depends on rate at which miners propose blocks (ratio of their
hash rate to the global hash rate)
• Cost in dollars, but reward in BTC: profit depends on the exchange rate
Solving more than 10^20 hashes to obtain 12.5 BTC is profitable at the current
exchange rate!
Putting it all together
Recap: identities, block chain & consensus, P2P network
[Figure: Bitcoin is bootstrapped. Three things depend on each other in a cycle: the security of the block chain, the health of the mining ecosystem, and the value of the currency.]
What can a “51% attacker” do?
Steal coins from existing address? ✗
• Hardware Wallets
• Bitcoin wallets with hardware component wherein the private keys are stored in chips on
small handheld devices
• only respond to certain pre-programmed requests
• For example, a “sign this transaction” request
• private key is stored on hardware that is not connected to the internet
• can communicate with the outside world only via a limited set of pre-programmed
interfaces
• Ex: Trezor and Ledger Nano
Software Wallets
• Address Creation
• Step 1: Generate some randomness and use it to pick a number from 1 to 2^256 - 1. This is your private key.
• Step 2: Do some maths on it to generate a public key.
• Step 3: Hash your public key twice to create your Bitcoin address.
• Step 4: Save the private key and its corresponding address.
• Address Display – Encoding the Bitcoin addresses
• When someone wants to send you bitcoins, you need to tell them your address
• Encoded String – base58
• take the bits of the key and convert them from a binary number to base 58; each base-58 digit is encoded as one of 58 characters.
Why 58? Lower case + upper case + digits = 26+26+10 = 62; after leaving out some confusing characters, it's 58
• Ex: 1LfSBaySpe6UBw4NoH9VLSGmnPvujmhFXV
• QR code – 2 dimensional barcode
• Nothing but text, encoded in a visual way that makes it easy for QR code scanners to read the code and convert it back into text
• Vanity address
• an address that starts with some human-meaningful text: 1bonesEeTcABPjLzAb1VkFgySY6Zqu3sX
• Account Balance
• Needs all the transactions going in and out of the addresses
• full node wallet
• storing the entire blockchain and keeping it up to date
• constantly connected over the internet to other Bitcoin nodes
• lightweight wallet
• connecting to a node elsewhere which does the heavy lifting
• Bitcoin Payments
• Wallets have the capability to know the account balances as well as make payments
• Generates a bundle of data called a ‘transaction,’ which includes
• references to the coins that are going to be spent (transaction inputs consisting of unspent outputs of previous
transactions), and
• which accounts the coins will be sent to (new outputs).
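Added example (my own code, not the lecture's or any wallet's) of the address encoding from Steps 3–4 and the base58 bullets above, in the Base58Check form real pay-to-pubkey-hash addresses use: a version byte, the 20-byte hash of the public key, and a 4-byte checksum (the first 4 bytes of SHA-256(SHA-256(payload))), all converted to base 58. The 20-byte hash used in the test is the Bitcoin wiki's public worked example, taken here as sample input; the checksum is what lets a wallet reject a mistyped address before any coins are sent.

```python
import hashlib
from typing import Tuple

# Bitcoin's Base58 alphabet: digits + letters, minus the look-alikes 0, O, I and l (62 - 4 = 58).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin uses for the address checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(payload: bytes) -> str:
    """Treat the bytes as one big integer and repeatedly divide by 58, one character per digit."""
    num = int.from_bytes(payload, "big")
    out = ""
    while num > 0:
        num, rem = divmod(num, 58)
        out = B58_ALPHABET[rem] + out
    # Leading zero bytes carry no numeric value, so each one is kept as a leading '1'
    # (this is why pay-to-pubkey-hash addresses, version byte 0x00, start with '1').
    pad = len(payload) - len(payload.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; rejects characters outside the alphabet (e.g. '0' or 'l')."""
    num = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def base58check_encode(version: int, hash160: bytes) -> str:
    """Address = Base58(version || hash160 || first 4 bytes of sha256d(version || hash160))."""
    payload = bytes([version]) + hash160
    return b58encode(payload + sha256d(payload)[:4])


def base58check_decode(address: str) -> Tuple[int, bytes]:
    """Returns (version, hash160); raises ValueError if the checksum does not match."""
    raw = b58decode(address)
    if len(raw) < 5:
        raise ValueError("address too short")
    payload, checksum = raw[:-4], raw[-4:]
    if sha256d(payload)[:4] != checksum:
        raise ValueError("checksum mismatch: address mistyped or corrupted")
    return payload[0], payload[1:]


def address_is_valid(address: str) -> bool:
    """The check a wallet should run before paying: a typo in any character fails the checksum."""
    try:
        base58check_decode(address)
        return True
    except ValueError:
        return False
```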
• Vanity address – (Bitcoin address)
• an address that starts with some human-meaningful text.
• For ex: the gambling website Satoshi Bones has users send money to addresses containing the string
“bones” in positions 2--6, such as 1bonesEeTcABPjLzAb1VkFgySY6Zqu3sX (all regular addresses begin
with the character 1, indicating pay-to-pubkey-hash.)
• What is an address?
• address = Hash(Hash(public key)). If Satoshi Bones had simply altered the characters of an address, they could not have
obtained its key pair.
• How did they produce these addresses?
• repeatedly generated private keys until they got lucky and found one which hashed to this pattern. Such
addresses are called vanity addresses and there are tools to generate them.
• How much work does this take?
• 58 possibilities for every character
• To find an address which starts with a specific k-character string, generate 58^k addresses on average until
you get lucky (about 600 million addresses for a 5-character string)
• But it becomes exponentially harder as the desired prefix gets longer.
• Speeding up vanity address generation
• private key x
• public key is g^x
• address is H(g^x)
• After trying g^x, try g^(x+1), because g^(x+1) = g · g^x (one group multiplication instead of a fresh exponentiation)
Other features of Software Wallet
• Good wallet software has more functionality, including the ability to back up
private keys (encrypted with a passphrase) either to a user’s hard drive or to a
cloud storage server
• Generate one-time use addresses for privacy
• Hold addresses and private keys for multiple cryptocurrencies
• integrated with exchanges to allow users to convert between one
cryptocurrency and another directly from within the wallet software
• m of n ‘sharding’ or ‘splitting’ of a private key
• Allow you to split keys or set up addresses that require multiple digital signatures to
spend from
• 2-of-3 sharding where a private key is split into 3 parts, any 2 of which can be combined
to regenerate the original key
• Shamir’s secret sharing algorithm
• m of n ‘multi-sig’ addresses
• addresses that require multiple digital signatures to make payments from them
• multiple people need to sign or approve a transaction
Hardware Wallets
• Bitcoin wallets with a hardware component where private keys are stored
in chips on small handheld devices
• The user interface software for this hardware component is run on an
online machine.
• When it comes to the critical part of the transaction (the signing), the
unsigned transaction is sent to the hardware wallet, which returns the
signed transaction without revealing the private key
Storage of Keys: Cold or Hot Storage
• Wallets are software used to create and share addresses, keep track of the account
balance and make payments.
• However, they need some storage to manage data such as private keys and addresses
• It may be either local storage in your PC or mobile phone or an online storage.
[Figure: hot storage (online; similar to keeping money in a wallet) vs. cold storage (offline; similar to keeping money in a safe), with separate keys for each.]
• Is it possible to manage Bitcoins only with a cold storage?
• No! But it can be used together with a hot one to store the majority of Bitcoins
• If you use both Hot and cold storage together:
• Keep separate addresses and keys for each
• BENEFIT: Coins in the cold storage will be safe even if the hot storage is compromised
• Moving Bitcoins between hot and cold storage
• each side knows its own secret key and the receiving address of the other side
• Even if the cold storage is offline most of the time, it sometimes needs to connect
• To transfer money and to check whether its balance has changed.
• Scenario-1: Hot storage is operating whereas the cold storage is offline
• If the amount in the hot storage becomes too high:
• Move some coins from hot storage to cold storage using their own addresses
• Challenge: To preserve privacy, each coin needs to be transferred to a different address. Since
the cold storage is offline, how do we get these addresses from the cold storage?
• Yes! Gmail does something similar for 2-factor authentication: generate a list of codes, print
them out and use these codes to log in.
• Likewise, the cold storage needs to go online, generate a list of addresses and transfer
them to the hot storage.
• The hot storage then uses these cold-storage addresses to transfer money to it.
• The last two steps are handled by a hierarchical wallet.
• If the amount in the hot storage becomes too low:
• Move some coins from cold storage to hot storage but how?
• Connect the Cold storage to online and transfer it
[Figure: hot storage (online) and cold storage (offline); the hot side needs the cold address(es) in order to send coins to cold storage while the cold side stays offline.]
Problem:
Want to use a new address (and key) for each coin sent to cold
But how can hot wallet learn new addresses if cold wallet is offline?
Awkward solution:
Generate a big batch of addresses/keys, transfer to hot beforehand
Better solution:
Hierarchical wallet
Hierarchical Wallet
• Allows the cold storage side to have an unbounded number of addresses, while
the hot side learns these addresses via a short, one-time communication
between the two sides.
• IMPORTANT – regular key generation (generateKey) creates a public key
(address) and a secret key, but with key generation info it is possible to
create a sequence of addresses instead of just one, without leaking
information about the private keys
• address generation info
• apply the genAddr operation to the address generation info and an integer i, obtaining the i-th address
• private key generation info
• apply the genKey operation to the key generation info and an integer i, obtaining the i-th private key
• This split enables address generation on the hot side and private key
generation on the cold side
• ECDSA supports hierarchical key generation
• As long as the hot and cold side know the right sequence number, you can
generate addresses from the hot side and private keys on the cold side.
Hierarchical Wallet
• At the beginning the cold side does
the generateKeysHier operation, obtaining
both the address and key generation info.
• Then it passes the address generation info to
the hot side.
• So now they're connected and the two
sides can generate addresses or keys
when needed.
• When the cold side reconnects,
• it generates addresses sequentially and
checks the block chain for transfers to
those addresses until it reaches an
address that hasn’t received any coins.
• It can also generate private keys
sequentially if it wants to send some
coins back to the hot side or spend them
some other way
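Added example (my own code, not the lecture's or any wallet library's) that shows both the vanity-address trick g^(x+1) = g · g^x from the earlier slide and the hierarchical split described above: the cold side keeps the key generation info, the hot side keeps the address generation info, and each side derives the i-th key or address from a shared “chain code” plus the sequence number i. Assumptions, also labelled in the code: a minimal secp256k1 implementation written for clarity rather than speed, an HMAC-based per-index tweak (the additive, non-hardened idea behind BIP32), and a simplified double-SHA-256 “address” standing in for the real RIPEMD-160/Base58Check encoding.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (the curve behind Bitcoin's ECDSA).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication: k * point, the slides' g^x in additive notation."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def next_pubkey(pub):
    """Vanity-search shortcut from the slides: g^(x+1) = g * g^x, i.e. one point
    addition instead of a full scalar multiplication per candidate."""
    return ec_add(pub, G)


def pubkey_to_address(pub):
    # Simplification: a real P2PKH address is Base58Check(RIPEMD160(SHA256(pubkey)));
    # double SHA-256 of the compressed key is enough to demonstrate the hot/cold split.
    compressed = bytes([2 + (pub[1] & 1)]) + pub[0].to_bytes(32, "big")
    return hashlib.sha256(hashlib.sha256(compressed).digest()).hexdigest()


def generate_keys_hier(master_priv=None, chain_code=None):
    """generateKeysHier, run once on the cold side. Returns (key generation info,
    address generation info); only the second is handed to the hot side."""
    master_priv = master_priv or (secrets.randbelow(N - 1) + 1)
    chain_code = chain_code or secrets.token_bytes(32)  # assumption: 32 random bytes shared by both sides
    key_gen_info = (master_priv, chain_code)
    addr_gen_info = (ec_mul(master_priv, G), chain_code)
    return key_gen_info, addr_gen_info


def _tweak(chain_code, i):
    """Per-index scalar that both sides derive from the shared chain code and sequence number i."""
    digest = hmac.new(chain_code, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % N


def gen_key(key_gen_info, i):
    """genKey on the cold side: i-th private key = master_priv + tweak_i (mod N)."""
    master_priv, chain_code = key_gen_info
    return (master_priv + _tweak(chain_code, i)) % N


def gen_addr(addr_gen_info, i):
    """genAddr on the hot side: i-th public key = master_pub + tweak_i * G; no private key involved."""
    master_pub, chain_code = addr_gen_info
    return pubkey_to_address(ec_add(master_pub, ec_mul(_tweak(chain_code, i), G)))
```

Caveat the slides do not state: with this additive scheme, anyone holding the hot side's address generation info plus any single child private key can recover the master private key (child key minus tweak), so the hot side's info must be protected as well.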
How to store the key or a key generation info in cold storage ?
• Digital Wallet
• Save it in phone or tablet, but If the device is stolen or broken, the keys get lost
• Brain Wallet
• encrypt the information with a password that we must remember; useful during travel or in poor
physical-security situations
• subject to all possible attacks against passwords
• Online guessing of email logins (solved by rate limiting)
• In a brain wallet, the attacker can download all the addresses and try to guess the passwords offline (solved by strong
passphrases generated from a random 80-bit number)
• One passphrase-generation procedure that gives about 80 bits of entropy is to pick a random sequence of 6 words from among
the 10,000 most common English words (6 × log2(10000) is roughly 80)
• Key stretching: use a deliberately slow function to derive the private key from the passphrase, so that it takes as long as possible for
the attacker to try all possibilities. Ex: take SHA-256 and compute, say, 2^20 iterations of it
• Also it has a predictable algorithm for turning a passphrase into a public and private key:
• hash the passphrase with a suitable hash function to derive the private key, and given the private key, the public key can
be derived in a standard way
• Challenge: if the attacker can guess the passphrase, he can access all private keys in the brain wallet and thereby
own all the unspent bitcoin at its addresses
• Paper Wallet
• print the information and lock it up in a safe, as a 2D barcode, QR code or a string in base 58 notation; but it
can be stolen
• Tamper-Resistant device
• another way to store information offline is to put it in some kind of tamper-resistant device.
Split and share keys
• So far different ways of storing the private keys in a single place were discussed
• Problem: Single point of failure
• Solution: split and share keys to have more security.
• Secret Sharing – Split and Share the keys
• split the key into N pieces such that
• given any K of those pieces, it is possible to reconstruct the key
• given fewer than K pieces, it is impossible to learn anything about the original key
• Example: N=2, K=2
• Step 1 – Choose the following
• a large prime number P
• S, the secret, which has to be in the range [0, P-1]
• R, a random value, also in the range [0, P-1]
• Step 2 – Split the secret S as shown below
• X1 = (S + R) mod P
• X2 = (S + 2R) mod P
• Step 3 – Reconstruct S if both X1 and X2 are known:
• (2X1 - X2) mod P = (2S + 2R - S - 2R) mod P = S mod P = S
• How to increase N, with K=2
• take the 2D plane with X and Y axis
• choose a random value R
• draw a line with slope R and passing
through the point (0,S)
• the shares will be the points on the
line (1, S+R), (2, S+2R), (3, S+3R), ...
• Clearly it is possible to choose as
many shares as wanted, since there's
an infinite number of points on the
line
• Given any two points on a line, it is
possible to retrieve its equation by
interpolation, so K=2.
• Given just one point, it's impossible
to retrieve any information about the
line
• If we do this operation using arithmetic modulo a large prime P, all we have said is still applicable.
[Figure caption: Representing a secret via a series of points on a random polynomial curve of degree K-1 allows the secret to be reconstructed if, and only if, at least K of the points (“shares”) are available]
• How to increase K?
• To increase K, use functions that require more than two points to be defined
• Ex: For K=3, use a quadratic function Y = R2·X^2 + R1·X + S, which requires two random parameters R1 and R2
• Ex: For K=4, use a cubic function (increase the polynomial degree)
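Added example (my own code, not the lecture's): the splitting from Steps 1–3 generalised to any K and N, which is the Shamir secret sharing named in the software-wallet slide. The secret is the constant term of a random degree-(K-1) polynomial over GF(P), share i is the point (i, f(i)), and Lagrange interpolation at x = 0 recovers S from any K shares; the K=2 closed form (2X1 - X2) mod P from the slide is kept as its own function. The prime 2^127 - 1 and the coefficients passed in the test are my choices.

```python
import secrets

# A large prime, as the slides require; 2^127 - 1 is a Mersenne prime. Secrets must lie in [0, P-1].
PRIME = 2**127 - 1


def split_secret(secret, k, n, coeffs=None):
    """Split `secret` into n shares of which any k reconstruct it.
    f(x) = secret + R1*x + ... + R_{k-1}*x^(k-1) (mod P); share i is (i, f(i)).
    The random coefficients can be passed explicitly to make a run reproducible."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, P-1]")
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    if coeffs is None:
        coeffs = [secrets.randbelow(PRIME) for _ in range(k - 1)]
    if len(coeffs) != k - 1:
        raise ValueError("need exactly k-1 random coefficients")

    def f(x):
        return (secret + sum(c * pow(x, j + 1, PRIME) for j, c in enumerate(coeffs))) % PRIME

    return [(i, f(i)) for i in range(1, n + 1)]


def reconstruct_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P): S = sum_i y_i * prod_{j != i} x_j / (x_j - x_i).
    With fewer than k shares this still returns a number, but one that carries no information about S."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * xj % PRIME
                den = den * (xj - xi) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def reconstruct_k2(x1, x2):
    """The slides' K=2 special case: shares X1 = S+R and X2 = S+2R give back S as (2*X1 - X2) mod P."""
    return (2 * x1 - x2) % PRIME
```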
• Advantages of secret sharing
• Adversary
• needs to retrieve K shares in order to get back the secret key
• needs to break the security of different places K times
• Disadvantages of secret sharing
• To sign a transaction, we need to reconstruct the key by bringing the shares together
• If an attack happens at that moment, it is easy to get the secret key
• Using Threshold cryptography
• produce Bitcoin signatures in a decentralized fashion, using the shares
of the split key, without ever reconstructing the private key on any
single device
• Steps
• split its key material between your desktop and your phone
• initiate a payment on your desktop, which would create a partial signature and send it to
your phone
• Your phone would then alert you with the payment details — recipient, amount, etc. —
and request your confirmation
• your phone would complete the signature using its share of the private key and
broadcast the transaction to the block chain
• If there is malware on your desktop
• that tries to steal your bitcoins, it might initiate a transaction sending the funds to the hacker’s address,
but then you’d get an alert on your phone for a transaction you didn’t authorize
• Using Multi-signature
• Instead of taking a single key and splitting it, Bitcoin script directly allows you to stipulate
that control over an address be split between different keys. These keys can then be
stored in different locations and the signatures produced separately. Of course, the
completed, signed transaction will be constructed on some device
• Example: Andrew, Arvind, Ed, and Joseph are cofounders of a company which owns a lot of bitcoins. To
protect their storage they can decide to use 3-out-of-4 multi-signature for their transactions. Each of
the four of them generates a key pair and signs separately. In 3-out-of-4 multi-sig, three
of them must sign to create a valid transaction.
• Advantages
• the four keys are kept separately and with different security, so it is quite difficult for an attacker
to retrieve 3 of them
• if one or two employees go rogue, they're still not able to take ownership of the money; a majority is
necessary to manage it
• in addition, if one loses a key it is still possible to manage the cold storage and transfer the money to a
new place.
Threshold Cryptography vs Multi-Signatures
• Threshold signatures are a cryptographic technique to take a single
key, split it into shares, store them separately, and sign transactions
without reconstructing the key.
• Multi-signatures are a feature of Bitcoin script by which you can
specify that control of an address is split between multiple
independent keys. While there are some differences between them,
they both increase security by avoiding single points of failure.
Online Wallets – Wallet on the Cloud
• An online wallet is kind of like a local wallet that you might manage yourself,
• except the information is stored in the cloud, and
• you access it using a web interface on your computer or
• using an app on your smartphone
• site sends code
• site stores keys
• you log in to access wallet
• Coinbase and blockchain.info.
• Pros:
• convenient
• nothing to install
• works on multiple devices
• Cons:
• security worries
• what if site malicious?
• what if site compromised?
Online Wallet
Bitcoin Exchanges
• Typical traditional bank service
• Open your account
• You deposit fiat currency; the bank promises to give it back later
• The bank takes some of the money and invests it, keeping only a fraction to meet the
usual or unusual day’s demands – fractional reserve.
• Bitcoin exchange service
• Open your account
• You deposit fiat currency and bitcoin; the exchange promises to give it back in either or both forms
• You credit or debit both bitcoin and fiat currency, and buy or sell bitcoins using fiat
currency
• If you want to buy 2 BTC, the exchange identifies a person who is willing to sell 2 BTC and connect him
to you.
• If my account holds 5000 dollars and 3 bitcoins and I use the exchange, I put an order to buy 2 bitcoins
for 580 dollars each, and the exchange finds someone who is willing to take the other side of that
transaction and the transaction happens. Now I have 5 bitcoins in my account instead of three, and
3840 dollars instead of 5000
• Pros
• Exchanges help to connect the Bitcoin economy and the flows of bitcoins with the fiat
currency economy
• Cons
• Three types of risks
• Bank Run: A run is what happens when a bunch of people show up all at once and want their money
back.
• Greedy behavior - Ponzi scheme: someone gets people to give them money in exchange for profits in
the future, but then actually takes their money and uses it to pay out the profits to people who bought
previously
• Inside/outside attackers: someone — perhaps even an employee of the exchange — will manage to
penetrate the security of the exchange and obtain the key information that controls large amounts of bitcoins
• A study in 2013 found that 18 of 40 Bitcoin exchanges had ended up closing due to some
failure or some inability to pay out the money that the exchange had promised to pay
out.
• The failure rate is nearly 45%, whereas banks do not have that high a failure rate, due to regulation
• How should Bitcoin exchanges or other Bitcoin businesses be regulated?
• Proof of reserve (by signing a challenge string)
• The proof of reserve is made of two pieces:
• prove how much reserve it's holding
• prove how many demand deposits it holds
• Aims to prove that the exchange has a sufficient bitcoin reserve and that valid customers
participated in the proof of reserve.
• How much reserve are you holding?
• simply publish a valid payment-to-self transaction of the claimed reserve amount
• How to prove these transactions are legitimate?
• sign a challenge string — a random string of bits generated by some impartial party — with the same
private key that was used to sign the payment-to-self transaction
• Proof of liabilities (by Merkle tree)
• How many demand deposits do you hold?
• If you can prove your reserves and your demand deposits, then anyone can simply divide those two numbers,
and that's what your fractional reserve is
• Construction
• Leaf nodes are all the customers'
accounts and their individual deposit
• Root of the Merkle tree will correspond
to the total deposit amount
• The exchange can sign the root of the
tree, making a claim that it's valid.
• Verification
• Now each customer can ask to see that
they are included in the tree.
• The exchange can show the path to the
customer's account, and the customer can
check that the hash pointers are
consistent all the way down and that,
starting with its deposit, the amounts add
up to the total.
• If everybody does it, then every branch
of the tree is explored and verified.
• Proof of liabilities
• The exchange publishes the root of a Merkle tree that contains all users at the leaves,
including deposit amounts.
• Any user can request a proof of inclusion in the tree, and verify that the deposit sums are
propagated correctly to the root of the tree.
• Proof of Inclusion
• The root hash pointer and root value are the same as what the exchange signed and
published.
• The hash pointers are consistent all the way down, that is, each hash value is indeed the
cryptographic hash of the node it points to.
• The leaf contains the correct user account info (say, username/user ID, and deposit
amount).
• Each value is the sum of the values of the two values beneath it.
• Neither of the values is a negative number.
• Drawback of these: they leak a lot of private information
• Solution: Proof of Solvency
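Added example (my own code, not the lecture's or any exchange's implementation) of the Merkle-tree proof of liabilities and the proof-of-inclusion checks listed above: every node carries a (hash, value) pair, an internal node's value is the sum of its two children, and a customer verifies the path from their own leaf up to the root the exchange signed and published. The account names and balances are constructed sample data, and the exact hashing layout (domain-separated leaf and node hashes, empty-leaf padding) is my choice.

```python
import hashlib
from typing import List, Tuple

Node = Tuple[bytes, int]  # (hash, value)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf(user_id: str, balance: int) -> Node:
    """Leaf = (hash of the account info, deposit amount)."""
    return h(b"leaf|" + user_id.encode() + b"|" + str(balance).encode()), balance


def parent(left: Node, right: Node) -> Node:
    """Internal node: the value is the sum of the children; the hash commits to both children's (hash, value)."""
    (lh, lv), (rh, rv) = left, right
    return h(b"node|" + lh + lv.to_bytes(8, "big") + rh + rv.to_bytes(8, "big")), lv + rv


def build_tree(accounts: List[Tuple[str, int]]) -> List[List[Node]]:
    """Returns the levels bottom-up: levels[0] are the leaves, levels[-1] == [root].
    A level with an odd number of nodes is padded with an empty zero-balance leaf."""
    level = [leaf(u, b) for u, b in accounts]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [leaf("", 0)]
        level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def inclusion_proof(levels: List[List[Node]], index: int):
    """What the exchange shows one customer: for each level, the sibling's (hash, value) and its side."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [leaf("", 0)]
        sib = index ^ 1
        proof.append((level[sib][0], level[sib][1], sib < index))
        index //= 2
    return proof


def verify_inclusion(published_root: Node, user_id: str, balance: int, proof) -> bool:
    """The slides' checks: the leaf holds my account info, hash pointers are consistent all the way
    up, each value is the sum of the two beneath it, no value is negative, and the final
    (hash, total) equals what the exchange signed and published."""
    if balance < 0:
        return False
    node = leaf(user_id, balance)
    for sib_hash, sib_value, sib_is_left in proof:
        if sib_value < 0:
            return False
        sibling = (sib_hash, sib_value)
        node = parent(sibling, node) if sib_is_left else parent(node, sibling)
    return node == published_root
```

Each customer who runs verify_inclusion covers one root-to-leaf path; the total is only fully checked once every customer has done so, which is the slide's "if everybody does it" condition.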
• Payment services
• How does a merchant accept payments in bitcoins in a practical way?
• Challenges
• New technology may affect their business
• Additional cost incurred to include the bitcoin in their business
• Security risks
• Exchange rate risks
• Solution
• Payment services exist to allow both the customer and the merchant to get what they want, bridging the gap
between these different desires.
• The merchant goes to payment service website and fills out a form describing the item, price, and
presentation of the payment widget, and so on.
• The payment service generates HTML code that the merchant can drop into their website.
• When the customer clicks the payment button, various things happen in the background and eventually
the merchant gets a confirmation saying, “a payment was made by customer ID [customer-id] for item
[item-id] in amount [value].”
[Figure: payment process involving user, merchant and payment service.]
• Transaction fee
• Transaction fee = value of inputs - value of outputs
• fee goes to miner who records the transaction
• Costs resources for
• peers to relay your transaction
• miner to record your transaction
• Transaction fee compensates for (some of) these costs
• Generally, higher fee means transaction will be forwarded and recorded faster.
• Current default-transaction fee
• No fee is charged if a transaction meets all of these three conditions
• The transaction is less than 1000 bytes in size,
• All outputs are 0.01 BTC or larger
• Priority is large enough where Priority is defined as: (sum of input age * input value) / (transaction size)
• Otherwise
• Transaction fee is 0.0001 BTC per 1000 bytes
• The approximate size of a transaction is
• 148 bytes for each input plus, 34 bytes for each output and 10 bytes for other information.
• So a transaction with two inputs and two outputs would be about 400 bytes
• Most miners enforce the consensus fee structure.
• If you don’t pay the consensus fee, your transaction will take longer to be
recorded.
• Miners prioritize transactions based on fees and the priority formula.
• Currency Exchange Markets
• Currency exchanges trade bitcoins against fiat currency like dollars and euros.
• Basic market dynamics
• market matches buyer and seller
• large, liquid market reaches a consensus price
• price set by supply (of BTC) and demand (for BTC)
• Supply of Bitcoin
• supply = coins in circulation (+ demand deposits?)
• coins in circulation: fixed number, currently ~13.1 million
• When to include demand deposits?
• When they can actually be sold in the market.
• Demand of Bitcoin
• BTC demanded to mediate fiat-currency transactions
• Alice buys BTC for $
• Alice sends BTC to Bob
• Bob sells BTC for $
• BTC demanded as an investment
• if the market thinks demand will go up in future
Simple model of transaction demand
S/T bitcoins become available per second
D/P bitcoins needed per second
Equilibrium: S/T = D/P, i.e. P = TD/S