
Key Handling & Transactions

Split and share keys


• Different ways of storing the private key in a single place were discussed
– Problem: a single point of failure
– Solution: split the key and share the pieces across several places for more security
• Secret Sharing – Split and Share the keys
– split the key in N pieces such that,
• given any K of those pieces, possible to reconstruct the key.
• given fewer than K pieces, impossible to know anything about the original key.
– Example: N=2, K=2
• Step:1 – Choose the following
– large prime number P
– S is the secret and has to be in the range [0,P-1]
– R a random value, which is also in the range [0,P-1]
• Step:2 – Split the secret S as shown below
– X1 = (S+R) mod P
– X2= (S+2R) mod P
• Step:3 – Reconstruct S if both X1 and X2 are known:
– (2X1 - X2) mod P = (2S+2R-S-2R) mod P = S mod P = S
• How to increase N, with K=2
– Take a 2D plane with X and Y axes
– choose a random value R
– draw a line with slope R passing through the point (0, S)
– Shares will be the points on the line: (1, S+R), (2, S+2R), (3, S+3R), ...
– Clearly it is possible to choose as many shares as wanted, since there is an
infinite number of points on the line
– Given any two points on a line, it is possible to retrieve its equation using
interpolation, so K=2
– Given just one point, it is impossible to retrieve any information about the line
– If we do this operation using arithmetic modulo a large prime P, all we have
said is still applicable
[Figure: representing a secret via a series of points on a random polynomial curve
of degree K-1 allows the secret to be reconstructed if, and only if, at least K of
the points ("shares") are available]
• How to increase K?
– To increase K, use functions that require more than two points to be defined
• Ex: For K=3, use a quadratic function Y = R2 X^2 + R1 X + S, which requires
two random parameters R1 and R2
• Ex: For K=4, use a cubic function (i.e. increase the polynomial degree; K-1 in general)
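The scheme above (the N=2, K=2 case, the line for K=2 and the degree K-1 polynomial for larger K) is Shamir secret sharing. The following is an added example, not code from the slides: it splits a secret into N shares over a prime field with a random polynomial of degree K-1 and recovers it from any K shares by Lagrange interpolation at x=0. The prime P, the share values and the small-prime brute-force check are all constructed here for illustration; for p=7 the `consistent_secrets` helper enumerates every polynomial and shows that K-1 shares are consistent with every possible secret, exactly once each, which is the "fewer than K pieces reveal nothing" property.

```python
import secrets
from itertools import product

# Assumption: a 127-bit Mersenne prime is large enough for the demonstration;
# real key material would use a prime larger than the secret being shared.
P = 2**127 - 1


def _eval_poly(coeffs, x, p):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod p (Horner's rule). coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, n, k, p=P):
    """Return n shares (x, y) of `secret`; any k of them reconstruct it."""
    if not 0 <= secret < p:
        raise ValueError("secret must lie in [0, p-1]")
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    # Random polynomial of degree k-1 with the secret as constant term.
    # For k=2 this is Y = R*X + S, i.e. the page's shares (1, S+R), (2, S+2R), ...
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover_secret(shares, p=P):
    """Lagrange interpolation at x=0 over the given shares (must be >= k of them)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def consistent_secrets(partial_shares, k, p):
    """Brute force (small p only): for every degree-(k-1) polynomial mod p that
    agrees with the given shares, count how often each constant term occurs.
    With k-1 shares every secret appears exactly once, so nothing is learned."""
    counts = {}
    for coeffs in product(range(p), repeat=k):
        if all(_eval_poly(coeffs, x, p) == y for x, y in partial_shares):
            counts[coeffs[0]] = counts.get(coeffs[0], 0) + 1
    return counts


if __name__ == "__main__":
    shares = split_secret(12345, n=5, k=3)
    print("recovered from shares 2,3,4:", recover_secret(shares[1:4]))
    small = split_secret(5, n=4, k=3, p=7)
    print("two of three shares, candidate secrets:", consistent_secrets(small[:2], 3, 7))
```

Shares must be evaluated at distinct non-zero x values; x=0 would hand out the secret itself, and a repeated x makes the interpolation denominator zero.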
• Advantages of secret sharing
– Adversary
• needs to retrieve K shares in order to get back the secret key
• needs to break the security of different places K times
• Disadvantages of secret sharing
– To sign a transaction, we need to reconstruct the key by bringing the shares
together on one device
– If an attack happens at that moment, the reconstructed secret key is easy to steal
Using Threshold Cryptography
• Produce Bitcoin signatures in a decentralized fashion using the shares of
the key(Split) without ever reconstructing the private key on any single
device
• Steps
– split its key material between your desktop and your phone
– initiate a payment on your desktop, which would create a partial
signature and send it to your phone
– Your phone would then alert you with the payment details —
recipient, amount, etc. — and request your confirmation
– your phone would complete the signature using its share of the
private key and broadcast the transaction to the block chain
– If there is malware on your desktop
• and it tries to steal your bitcoins, it might initiate a transaction that
sends the funds to the attacker's address, but then you would get an alert
on your phone for a transaction you did not authorize and could refuse it
Using Multi-signature
• Instead of taking a single key and splitting it, Bitcoin script directly allows you to
stipulate that control over an address be split between different keys. These keys
can then be stored in different locations and the signatures produced separately.
• The completed, signed transaction is assembled on some device from the
separately produced signatures
– Example: Andrew, Arvind, Ed, and Joseph are cofounders of a company
which owns a lot of bitcoins. To protect their storage they can decide
to use 3-out-of-4 multi-signature for their transactions. Each of the
four generates his own key pair and signs separately. In 3-out-of-4
multi-sig, three of them must sign to create a valid transaction.
• Advantages
– The four keys are kept separately and with different security measures, so
it is quite difficult for an attacker to retrieve three of them
– If one or two employees go rogue, they are still not able to take
ownership of the money; a majority is necessary to manage it
– If one key is lost, it is still possible to manage the cold storage and
transfer the money to a new place
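The 3-out-of-4 rule above is expressed in Bitcoin script as `OP_3 <pk1> <pk2> <pk3> <pk4> OP_4 OP_CHECKMULTISIG`. The code below is an added example, not from the slides or from any Bitcoin implementation: it serialises an m-of-n redeem script with the real opcode values (OP_1..OP_16 are 0x51..0x60, OP_CHECKMULTISIG is 0xAE, and a public key shorter than 76 bytes is pushed with its length as the opcode) and parses such a script back. The four public keys are constructed placeholders with the right length and prefix byte, not points on the curve, and hashing the script into a P2SH address is left out.

```python
OP_CHECKMULTISIG = 0xAE


def op_n(n):
    """OP_1 .. OP_16 push the small integer n and are encoded as 0x51 .. 0x60."""
    if not 1 <= n <= 16:
        raise ValueError("OP_n only exists for 1 <= n <= 16")
    return 0x50 + n


def multisig_redeem_script(m, pubkeys):
    """Serialise `OP_m <pk_1> ... <pk_n> OP_n OP_CHECKMULTISIG` for an m-of-n policy."""
    n = len(pubkeys)
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    script = bytes([op_n(m)])
    for pk in pubkeys:
        if len(pk) not in (33, 65):
            raise ValueError("public key must be 33 (compressed) or 65 (uncompressed) bytes")
        # Pushes of fewer than 76 bytes use the byte count itself as the push opcode.
        script += bytes([len(pk)]) + pk
    return script + bytes([op_n(n), OP_CHECKMULTISIG])


def parse_multisig(script):
    """Return (m, [pubkeys]) for a script produced by multisig_redeem_script, else raise."""
    m = script[0] - 0x50
    i, keys = 1, []
    # 0x21 and 0x41 (push 33 / push 65) never collide with OP_1..OP_16 (0x51..0x60),
    # so a push opcode unambiguously starts another key.
    while i < len(script) and script[i] in (33, 65):
        length = script[i]
        keys.append(bytes(script[i + 1:i + 1 + length]))
        i += 1 + length
    if i + 2 != len(script) or script[i + 1] != OP_CHECKMULTISIG:
        raise ValueError("not an m-of-n CHECKMULTISIG script")
    n = script[i] - 0x50
    if not 1 <= m <= n == len(keys):
        raise ValueError("inconsistent m, n or key count")
    return m, keys


# Constructed placeholder keys (compressed-key prefix + 32 filler bytes); not real curve points.
FOUNDER_KEYS = [b"\x02" + bytes([i]) * 32 for i in range(1, 5)]

if __name__ == "__main__":
    script = multisig_redeem_script(3, FOUNDER_KEYS)
    print(script.hex())
    print(parse_multisig(script)[0], "of", len(parse_multisig(script)[1]))
```

When spending, the signatures are supplied in the same order as the keys in the script, and an extra `OP_0` is pushed first because OP_CHECKMULTISIG pops one element more than it uses.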
Threshold Cryptography vs Multi-Signatures
• Threshold signatures are a cryptographic technique
to take a single key, split it into shares, store them
separately, and sign transactions without
reconstructing the key.
• Multi-signatures are a feature of Bitcoin script by
which you can specify that control of an address is
split between multiple independent keys. While
there are some differences between them, they both
increase security by avoiding single points of failure.
Online Wallets – Wallet on the Cloud
• An online wallet is like a local wallet that you manage yourself,
– except the information is stored in the cloud, and
– you access it using a web interface on your computer or
– using an app on your smartphone
• site sends code
• site stores keys
• you log in to access wallet
– E.g. Coinbase and blockchain.info.
• Pros:
– convenient
– nothing to install
– works on multiple devices
• Cons:
– Security worries
– What if site malicious?
– What if site compromised?
Bitcoin Exchanges
• Typical traditional bank service
– Open your account
– Deposit fiat currency; the bank promises to give it back later
– The bank takes some of it and invests it
– It keeps a fraction on hand to meet a usual (or unusual) day's demands – fractional reserve
• Bitcoin exchange service
– Open your account
– Deposit fiat currency and/or bitcoins; the exchange promises to give back either or both
– You can credit or debit both bitcoins and fiat currency, and buy or sell bitcoins for fiat
currency
• If you want to buy 2 BTC, the exchange finds a person who is willing to sell 2
BTC and matches him with you
• If my account holds 5000 dollars and 3 bitcoins and I use the exchange, I put an
order to buy 2 bitcoins for 580 dollars each, and the exchange finds someone who
is willing to take the other side of that transaction and the transaction happens.
Now I have 5 bitcoins in my account instead of three, and 3840 dollars instead of
5000
Bitcoin Exchanges
• Pros
– Exchanges help to connect the Bitcoin economy and the flows of bitcoins with
the fiat currency economy
• Cons: Three types of risk
– Bank run: a run is what happens when a lot of people show up all at once
and want their money back
– Greedy behavior (Ponzi scheme): someone gets people to give them money in
exchange for profits in the future, but then actually takes their money and
uses it to pay out the "profits" to people who bought in previously
– Inside/outside attackers: someone, perhaps even an employee of the
exchange, manages to penetrate the security of the exchange and obtain the key
material that controls large amounts of bitcoins
• A study in 2013 found that 18 of 40 Bitcoin exchanges had ended up closing due to
some failure or some inability to pay out the money that the exchange had
promised to pay out
– A failure rate of nearly 45%; banks do not have a failure rate that high, largely
because of regulation
How should Bitcoin exchanges or other Bitcoin businesses be regulated?
• Proof of reserve (by signing a challenge string)
– Proof of reserve is made of two pieces:
• prove how much reserve the exchange is holding
• prove how many demand deposits the exchange holds
– Aims to prove that the exchange has a sufficient amount of bitcoin in reserve and
that its real customers are represented in the proof
• How much reserve you’re holding?
– simply publishes a valid payment-to-self transaction of the claimed
reserve amount
• How to prove these transactions are legitimate?
– sign a challenge string - a random string of bits generated by some
impartial party — with the same private key that was used to sign
the payment-to-self transaction
• Proof of liabilities (by Merkle tree)
– How many demand deposits you hold?
• If you can prove your reserves and your demand deposits then anyone
can simply divide those two numbers and that's what your fractional
reserve is
• Construction
• Leaf nodes are all the customers'
accounts and their individual deposit
• Root of the Merkle tree will
correspond to the total deposit
amount
• The exchange can sign the root of the
tree, making a claim that it's valid.
• Verification
• Now each customer can ask to see
that they are included in the tree.
• The exchange can show the path to
the customer account and the
customer can check that the hash
pointers are consistent all the way
down and that starting with its
deposit the amount add up to the
total.
• If everybody does it, then every
branch of the tree is explored and
verified.
How should Bitcoin exchanges or other Bitcoin businesses be regulated? (continued)
• Proof of liabilities
– The exchange publishes the root of a Merkle tree that contains all
users at the leaves, including deposit amounts.
– Any user can request a proof of inclusion in the tree, and verify that
the deposit sums are propagated correctly to the root of the tree.
• Proof of Inclusion
– The root hash pointer and root value are the same as what the
exchange signed and published.
– The hash pointers are consistent all the way down, that is, each hash
value is indeed the cryptographic hash of the node it points to.
– The leaf contains the correct user account info (say, username/user ID,
and deposit amount).
– Each value is the sum of the two values beneath it
– Neither of the two values is negative (a negative leaf would let the exchange shrink its total)
• Drawback of these proofs: they leak a lot of private information (total liabilities, user balances)
• Solution: a privacy-preserving proof of solvency, which shows reserves ≥ liabilities
without revealing the individual amounts
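The proof of liabilities and the proof-of-inclusion checks listed above, as an added example that is not part of the slides: a Merkle sum tree whose leaves are (hash, deposit) pairs, an inclusion proof for one customer, and a verifier that applies each of the listed checks (root matches the published one, hashes chain correctly, the leaf holds the customer's own account and amount, values add up, no value is negative). The account list is constructed sample data; the hashing layout (domain-separated SHA-256 over hash and amount of both children) and the zero-value padding leaf for odd levels are choices made for this example, not a standard.

```python
import hashlib


def _amt(v):
    # Signed encoding so a forged negative value can be hashed and then rejected by the verifier.
    return v.to_bytes(8, "big", signed=True)


def _h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def leaf(user_id, amount):
    """(hash, value) leaf for one customer account; exchanges must not insert negative deposits."""
    if amount < 0:
        raise ValueError("deposits cannot be negative")
    return (_h(b"leaf", user_id.encode(), _amt(amount)), amount)


PAD = (_h(b"pad"), 0)  # padding for odd-sized levels; contributes nothing to the sum


def parent(left, right):
    lh, lv = left
    rh, rv = right
    return (_h(b"node", lh, _amt(lv), rh, _amt(rv)), lv + rv)


def build_tree(accounts):
    """Return all levels, leaves first; the last level holds the single root (hash, total)."""
    levels = [[leaf(u, a) for u, a in accounts]]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        if len(lvl) % 2:
            lvl = lvl + [PAD]
            levels[-1] = lvl
        levels.append([parent(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def root(levels):
    return levels[-1][0]


def inclusion_proof(levels, index):
    """Sibling (hash, value, side) for each level from the leaf up to the root."""
    proof = []
    for lvl in levels[:-1]:
        sib = index ^ 1
        proof.append((lvl[sib][0], lvl[sib][1], "left" if sib < index else "right"))
        index //= 2
    return proof


def verify_proof(published_root, user_id, amount, proof):
    """The customer's checks: own leaf, consistent hashes, sums, no negatives, matching root."""
    if amount < 0:
        return False
    cur = leaf(user_id, amount)
    for sib_hash, sib_value, side in proof:
        if sib_value < 0:          # a negative sibling would let the exchange understate liabilities
            return False
        sib = (sib_hash, sib_value)
        cur = parent(sib, cur) if side == "left" else parent(cur, sib)
    return cur == published_root   # compares both the root hash and the total value


# Constructed sample accounts (user id, deposit in satoshis).
ACCOUNTS = [("alice", 5), ("bob", 12), ("carol", 0), ("dave", 7), ("erin", 30)]

if __name__ == "__main__":
    levels = build_tree(ACCOUNTS)
    r = root(levels)
    print("published total liabilities:", r[1])
    print("dave included:", verify_proof(r, "dave", 7, inclusion_proof(levels, 3)))
```

Every customer who verifies covers one root-to-leaf path; only when enough of them do so is the whole tree, and hence the published total, actually checked.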
Payment services
• How does a merchant accept payments in bitcoins in a practical way?
– Challenges
• New technology may affect their business
• Additional cost incurred to include bitcoin in their business
• Security risks
• Exchange-rate risk
– Solution
• Payment services exist to allow both the customer and the merchant to get what
they want, bridging the gap between these different desires.
– The merchant goes to payment service website and fills out a form describing
the item, price, and presentation of the payment widget, and so on.
– The payment service generates HTML code that the merchant can drop into
their website.
– When the customer clicks the payment button, various things happen in the
background and eventually the merchant gets a confirmation saying, “a
payment was made by customer ID [customer-id] for item [item-id] in amount
[value].”
Payment service
[Figure: payment process involving user, merchant and payment service]
• When a customer chooses to pay with Bitcoin using the new button:
– the merchant delivers a page that contains the "Pay with Bitcoin" button. The
button will contain a transaction ID, an identifier meaningful to the merchant
in its own accounting system, along with an amount to be paid.
– The information that the button has been clicked will be sent to the payment
service, along with the transaction id, the amount and merchant's identity.
– The payments service knows that the customer wants to pay with Bitcoins, so
will start an interaction with the user to give information about how to pay.
– When the user confirms the payment, there will be a redirect that goes back
to user's browser. This will also send a message to the merchant, saying that
for the payment service everything is ok until then.
– Later, the payment service will directly send a confirmation to the merchant,
when it's fully confirmed by the blockchain.
– The merchant can now send the product to the customer.
• Transaction fee
– Transaction fee = value of inputs - value of outputs
– fee goes to miner who records the transaction
– Costs resources for
• peers to relay your transaction
• miner to record your transaction
– Transaction fee compensates for (some of) these costs
– Generally, higher fee means transaction will be forwarded and recorded
faster.
• Default transaction fee at the time of these slides
– No fee is required if a transaction meets all three of these conditions
• The transaction is less than 1000 bytes in size
• All outputs are 0.01 BTC or larger
• Priority is large enough, where priority is defined as
(sum over inputs of input age × input value) / (transaction size)
– Otherwise
• Transaction fee is 0.0001 BTC per 1000 bytes
• The approximate size of a transaction is
– 148 bytes for each input, plus 34 bytes for each output, plus 10 bytes of other
information
– So a transaction with two inputs and two outputs would be about 400 bytes
(148×2 + 34×2 + 10 = 374)
• Most miners enforce the consensus fee structure.
• If you don’t pay the consensus fee, your transaction will take longer to be
recorded.
• Miners prioritize transactions based on fees and the priority formula.
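The fee rules above, carried through in code as an added example (not from the slides or from Bitcoin Core): size estimation from the per-input/per-output figures, the priority formula, the three free-transaction conditions, the 0.0001 BTC per 1000 bytes fallback, and the miner's fee-then-priority ordering. Two things are assumptions rather than figures from the page: the priority threshold (`COIN * 144 / 250`, i.e. one BTC one day old in a 250-byte transaction, which is what Bitcoin Core of that era used) and charging the minimum fee per started kilobyte. The sample transactions are constructed.

```python
COIN = 100_000_000          # satoshis per BTC
MIN_FEE_PER_KB = 10_000     # 0.0001 BTC per 1000 bytes (figure on the page)
MIN_FREE_OUTPUT = 1_000_000 # 0.01 BTC (figure on the page)
MAX_FREE_SIZE = 1000        # bytes (figure on the page)
# Assumption: the free-relay priority threshold Bitcoin Core used at the time:
# "one BTC, one day (144 blocks) old, in a 250-byte transaction".
FREE_PRIORITY = COIN * 144 / 250


def estimate_size(n_inputs, n_outputs):
    """Page's rule of thumb: 148 bytes per input, 34 per output, 10 overhead."""
    return 148 * n_inputs + 34 * n_outputs + 10


def priority(inputs, size):
    """inputs: list of (age_in_blocks, value_in_satoshis)."""
    return sum(age * value for age, value in inputs) / size


def fee_paid(inputs, outputs):
    """Fee = value of inputs - value of outputs; it goes to the miner."""
    return sum(value for _, value in inputs) - sum(outputs)


def required_fee(inputs, outputs):
    """0 if all three free conditions hold, else the per-kilobyte minimum."""
    size = estimate_size(len(inputs), len(outputs))
    free = (size < MAX_FREE_SIZE
            and all(v >= MIN_FREE_OUTPUT for v in outputs)
            and priority(inputs, size) > FREE_PRIORITY)
    if free:
        return 0
    # Assumption: fee charged per started kilobyte, as Bitcoin Core then computed it.
    return (1 + size // 1000) * MIN_FEE_PER_KB


def block_order(txs):
    """Miner's ordering: highest fee per byte first, then highest priority."""
    def key(tx):
        size = estimate_size(len(tx["inputs"]), len(tx["outputs"]))
        return (fee_paid(tx["inputs"], tx["outputs"]) / size, priority(tx["inputs"], size))
    return sorted(txs, key=key, reverse=True)


# Constructed sample: two inputs (200 blocks old, 1 BTC; 50 blocks old, 0.5 BTC), two outputs.
SAMPLE_INPUTS = [(200, COIN), (50, COIN // 2)]
SAMPLE_OUTPUTS = [140_000_000, 9_000_000]

if __name__ == "__main__":
    size = estimate_size(2, 2)
    print("size:", size, "priority:", round(priority(SAMPLE_INPUTS, size)))
    print("fee paid:", fee_paid(SAMPLE_INPUTS, SAMPLE_OUTPUTS),
          "required:", required_fee(SAMPLE_INPUTS, SAMPLE_OUTPUTS))
```

Note that the "free" test is about relay policy, not consensus: a miner is free to ignore a zero-fee transaction, which is why such transactions take longer to be recorded.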
• Currency Exchange Markets
– Currency exchanges trade bitcoins against fiat currency
like dollars and euros.
• Basic market dynamics
– market matches buyer and seller
– large, liquid market reaches a consensus price
– price set by supply (of BTC) and demand (for BTC)
• Supply of Bitcoin
– supply = coins in circulation (+ demand deposits?)
– coins in circulation: a known quantity determined by the issuance schedule,
~13.1 million at the time of these slides
– When to include demand deposits?
• When they can actually be sold in the market
• Demand of Bitcoin
– BTC demanded to mediate fiat-currency transactions
• Alice buys BTC for $
• Alice sends BTC to Bob
• Bob sells BTC for $
– BTC demanded as an investment
• if the market thinks demand will go up in future
Simple model of transaction demand

T = total transaction value mediated via BTC ($ / sec)
D = duration that BTC is needed by a transaction (sec)
S = supply of BTC (not including BTC held as long-term investments)
P = price of one BTC ($ / BTC)

S / D = bitcoins that become available per second
T / P = bitcoins needed per second

Equilibrium: S / D = T / P, so P = T D / S
