Dhandabani S
vigneshsrinivasan10@gmail.com
Background
Background: Currencies
[Figure: barter example. Alice, Bob, Carol and David exchange goods directly (a cycle, books, a car).]
Background: Money
Many inefficiencies in the barter system: agreeing on the value of a good, and a good is impossible to spend later.
Advantages of Cash
Cash: offline, anonymous transaction, can't double spend, unforgeable signature.
IDEA: “The bearer of this note may redeem it for one dollar by presenting it to me” with my signature attached.
Such a note, compared with cash: online, less anonymous transaction, can double spend, can forge signatures.
Initial ideas to address these issues came from David Chaum through cryptography in 1983.
Background: Cryptocurrency
How can cryptocurrencies be made scarce? By solving a puzzle that takes a while to crack in order to mint money.
Bitcoin is a cryptocurrency that keeps the advantages of cash, barring that transactions are ONLINE, and uses puzzles to mint money.
Background: Blockchain
Properties
• Timestamped (txn. time)
• Immutable (irreversible)
• Distributed (shared)
• Unanimous (unified)
• Secure (encrypted)
• Anonymous (hidden ID)
Since the information in each block is carried to the next block through a HASH, one need not worry about previous blocks.
Primitives
Puzzle friendliness
If someone wants to target the hash function H to have output value y, given part of the input k, then it is difficult to find the input x such that H(k ‖ x) = y in time less than 2^n.
Primitives
Hash pointers
An adversary cannot tamper with any data at any point in time. If she does, the subsequent H() values will change.
All we need to store is the head of the chain, i.e. the last hash pointer, to check for tampering: efficient storage.
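The tamper-evidence argument above, as an added example that is not part of the slides: each block carries the hash of its predecessor, so a verifier holding only the head hash recomputes the pointers from the genesis block and detects any change to an earlier block (the block's own hash changes, so the next block's stored pointer no longer matches). Function names and the sample transactions are constructed for this example.

```python
import hashlib
import json

# Added example (not from the slides): a hash-pointer chain in which each
# block stores the hash of the previous block. Keeping only the head hash is
# enough to detect tampering anywhere in the history.

def H(data: bytes) -> str:
    """SHA-256 hex digest; the collision-resistant hash the chain relies on."""
    return hashlib.sha256(data).hexdigest()

def block_hash(block: dict) -> str:
    # Canonical serialisation so the same content always hashes identically.
    return H(json.dumps(block, sort_keys=True).encode())

GENESIS_POINTER = "0" * 64  # constructed pointer for the first block

def build_chain(payloads):
    """Return (blocks, head_hash). Block i stores prev = hash of block i-1."""
    blocks = []
    prev = GENESIS_POINTER
    for payload in payloads:
        block = {"prev": prev, "data": payload}
        blocks.append(block)
        prev = block_hash(block)
    return blocks, prev

def verify_chain(blocks, head_hash) -> bool:
    """Recompute every hash pointer from the genesis block up to the stored head."""
    prev = GENESIS_POINTER
    for block in blocks:
        if block["prev"] != prev:      # pointer does not match the block before it
            return False
        prev = block_hash(block)
    return prev == head_hash           # final pointer must equal what we stored

def demo():
    """Build a three-block chain, then modify the first block and re-verify."""
    blocks, head = build_chain(["Alice->Bob 1", "Bob->Carol 1", "Carol->David 1"])
    ok_before = verify_chain(blocks, head)
    tampered = [dict(b) for b in blocks]
    tampered[0]["data"] = "Alice->Bob 100"   # adversary edits an old block
    ok_after = verify_chain(tampered, head)
    return ok_before, ok_after

if __name__ == "__main__":
    print(demo())
```

Dropping the last block is caught as well, because the recomputed final pointer no longer equals the stored head hash; this is why storing the head alone suffices.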
Primitives
A signature has to be unique, but verifiable by anyone. It should be tied to the intended document; unforgeable.
The secret key is kept privately by a user and revelation happens through the public key. The public key is your identity.
(sk, pk) := generateKeys(keysize)
sig := sign(sk, message)
isValid := verify(pk, message, sig)
Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures.
Size of secret key: 256 bits. Size of public key: 512 bits.
Primitives
Unforgeability game
In Bitcoin, the ATTACKER cannot forge a signature if the number of guesses is less than 2^80.
No matter what algorithm the ATTACKER uses, his chances of forging are extremely small, so it will never happen in practice.
Goofy can create coins whenever he wants. An append-only ledger tracks transactions.
Rules
Whoever owns a coin can transfer it to someone else.
Bitcoin Mechanics
Let there be n nodes that each have an input value. Some of them are faulty or malicious. A distributed consensus protocol has the following two properties:
• Must terminate with all honest nodes agreeing on the value
• The output must have been generated by an honest node
To come to consensus on a block, at regular intervals (10 minutes) every node proposes its pool of transactions to include in the next block.
If accepted, nodes indicate acceptance by updating the hash pointer; otherwise, they stick to the previous hash pointer.
Bitcoin Mechanics
Since we don't know the nodes' real identities to pay them in dollars, can we pay them digitally? — BITCOIN
The node that creates a block can include a special transaction (figure labels: coin-creation transaction, transaction fee). The block reward gets halved for every 210,000 blocks created.
In 2015, the block reward is 25 bitcoins. The dynamics are still unclear and this is an open problem.
Bitcoin Mechanics
Proof-of-work
Recall that the node selection process is still random. How can we improve the selection? — Proof-of-work
Key idea: Approximate the selection by selecting nodes in proportion to computing power
Bitcoin achieves proof-of-work using hash puzzles — Bitcoin mining
A completely decentralised system is possible with appropriate hash puzzles and proof-of-work.
Properties of hash puzzles
H(nonce ‖ prev_hash ‖ tx ‖ tx ‖ … ‖ tx) < target
• Difficult to compute: in 2015, the size of the target space is less than 1/10^20 of the size of the output space.
• Trivial to verify: a simple property, yet the important property that takes the central authority out of the picture.
• Parameterizable cost: instead of having a fixed cost for computing, the cost has to be a function of parameters.
Bitcoin Mechanics
Parameterizable cost
Suppose you are a miner and have invested in hardware to do Bitcoin mining. With time, the overall mining ecosystem grows and more miners deploy faster hardware, which results in the creation of more blocks than expected.
If blocks come very close together, inefficiencies arise and the optimisation benefits will be lost.
Hence, keeping 10 minutes constant, miners recalculate the size of the target space every 2016 blocks (once in two weeks).
This recalculation assures that the cost is not fixed and depends on parameters.
If you are a miner, you are interested in how long it will take you to find a block.
Solving a hash puzzle is probabilistic: a nonce either falls within the target or not — a Bernoulli trial.
Nodes try many nonces, a discrete probability process, resulting in a Poisson process.
mean time to next block for a miner = 10 minutes / fraction of hash power
If you have 0.1% of the total hash power, you are going to find blocks once every 10,000 minutes, which is about a week.
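The hash puzzle H(nonce ‖ prev_hash ‖ tx ‖ … ‖ tx) < target from the "Properties of hash puzzles" slide, together with the retargeting and mean-time estimate from the "Parameterizable cost" slide, as one added example that is not code from the slides. It shows the three properties side by side: mining loops over nonces (difficult), checking a proposed nonce is a single hash (trivial to verify), and the target is a parameter that can be rescaled every 2016 blocks. The function names (target_for_fraction, retarget, ...) and the sample transactions are my own; the factor-of-4 clamp in retarget is Bitcoin Core's rule and is not stated on the slides.

```python
import hashlib

# Added example, not from the slides: a Bitcoin-style hash puzzle
#   H(nonce || prev_hash || tx || ... || tx) < target
# with a parameterizable target, the every-2016-blocks retarget, and the
# slides' mean-time-to-block estimate. Names and sample data are constructed.

OUTPUT_SPACE = 2 ** 256  # size of the SHA-256 output space

def puzzle_hash(nonce: int, prev_hash: str, txs) -> int:
    """H(nonce || prev_hash || txs), returned as an integer for comparison with the target."""
    data = nonce.to_bytes(8, "big") + bytes.fromhex(prev_hash) + "|".join(txs).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def target_for_fraction(fraction: float) -> int:
    """Target such that a uniformly random hash lands below it with probability `fraction`."""
    return int(OUTPUT_SPACE * fraction)

def verify_solution(nonce: int, prev_hash: str, txs, target: int) -> bool:
    """Trivial to verify: one hash evaluation."""
    return puzzle_hash(nonce, prev_hash, txs) < target

def mine(prev_hash: str, txs, target: int, max_tries: int = 10 ** 6):
    """Difficult to compute: each nonce is a Bernoulli trial.
    Returns (nonce, tries) for the first nonce within the target, or None."""
    for nonce in range(max_tries):
        if puzzle_hash(nonce, prev_hash, txs) < target:
            return nonce, nonce + 1
    return None

def retarget(old_target: int, actual_minutes: float, expected_minutes: float = 2016 * 10) -> int:
    """Rescale the target so the next 2016 blocks take about two weeks:
    blocks came too fast -> smaller target (harder); too slow -> larger target.
    Bitcoin Core clamps the adjustment to a factor of 4 (not on the slides)."""
    ratio = actual_minutes / expected_minutes
    ratio = min(max(ratio, 0.25), 4.0)
    return int(old_target * ratio)

def mean_minutes_to_block(hash_power_fraction: float) -> float:
    """Slides' estimate: 10 minutes divided by the miner's fraction of total hash power."""
    return 10 / hash_power_fraction

if __name__ == "__main__":
    prev = "00" * 32                         # constructed previous block hash
    txs = ["Alice->Bob 1", "Bob->Carol 1"]   # constructed transactions
    target = target_for_fraction(1 / 4096)   # expect ~4096 tries per block
    nonce, tries = mine(prev, txs, target)
    print("nonce", nonce, "after", tries, "tries;",
          "verifies:", verify_solution(nonce, prev, txs, target))
    print("0.1% of hash power ->", mean_minutes_to_block(0.001), "minutes per block")
    print("blocks twice as fast as expected -> target", retarget(1000, 2016 * 5))
```

Because SHA-256 is deterministic, the same prev_hash and transactions always yield the same winning nonce, but across different block contents the number of tries varies as the geometric distribution the slides describe; the target fraction (1/4096 here, far above Bitcoin's 2015 value) is what sets the expected work.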
Game Theory
Each transaction contains a signature, the recipient's public key and a hash pointer to the previous transaction of the sender.
Alice pays Bob through his public key using the hash pointer (H1). Her updated pointer is (H2).
Now, Alice pays Carol through her public key using the hash pointer (H1) instead of (H2), starting a double spending attack.
Hypothetically, let's assume that these two transactions are broadcast to two non-overlapping networks.
The two different networks approve this attack since they don't know that Alice has doubly spent.
There will be two consensus chains that differ only in the last block. How can Bitcoin prevent the double spend attack?
Miners heuristically extend the block that they detect first on the peer-to-peer network. Hence, only one of the chains is built on further.
It is possible that the chain that has Carol's transaction is extended. But the other chain is orphaned.
If Bob and Carol are merchants and they need to provide Alice some service, either one can wait for six confirmations.
Good trade-off between waiting time and transaction guarantee.
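The double-spend scenario above, as an added example that is not part of the slides: a toy ledger in which each transaction carries the hash pointer of the sender's previous transaction. Each fork is valid on its own (neither network sees both spends), a single chain containing both spends of H1 is rejected, honest nodes adopt the longest valid chain, and the merchant counts confirmations of his own transaction in that chain before providing the service. All names (make_tx, choose_chain, confirmations) and the sample data are constructed; signatures are omitted.

```python
import hashlib
import json

# Added example, not from the slides: a toy ledger where each transaction
# points to the sender's previous transaction. Reusing an already-consumed
# pointer is a double spend; nodes keep the longest valid chain.
# All names and sample data are constructed for this example.

def H(obj) -> str:
    """SHA-256 over a canonical JSON encoding; stands in for the slides' H()."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def make_tx(sender: str, recipient: str, prev_pointer: str) -> dict:
    # A real transaction also carries sign(sk, ...) over these fields; omitted here.
    return {"from": sender, "to": recipient, "prev": prev_pointer}

def validate_chain(blocks) -> bool:
    """Reject any chain in which the same hash pointer is spent twice."""
    spent = set()
    for block in blocks:
        for tx in block["txs"]:
            if tx["prev"] in spent:
                return False
            spent.add(tx["prev"])
    return True

def choose_chain(chains):
    """Honest nodes build on the longest valid chain; the other fork is orphaned."""
    valid = [c for c in chains if validate_chain(c)]
    return max(valid, key=len) if valid else None

def confirmations(chain, tx) -> int:
    """Blocks from the one containing tx up to the tip, inclusive; 0 if tx is absent."""
    for i, block in enumerate(chain):
        if tx in block["txs"]:
            return len(chain) - i
    return 0

def demo():
    h1 = "H1"                                   # pointer to the coin Alice owns now
    tx_bob = make_tx("Alice", "Bob", h1)        # Alice pays Bob using H1
    h2 = H(tx_bob)                              # Alice's updated pointer H2
    tx_david = make_tx("Alice", "David", h2)    # a legitimate later spend of H2
    tx_carol = make_tx("Alice", "Carol", h1)    # reuses H1 instead of H2: double spend
    common = [{"txs": []}]                      # shared history before the fork
    chain_bob = common + [{"txs": [tx_bob]}, {"txs": [tx_david]}]
    chain_carol = common + [{"txs": [tx_carol]}]
    # Each network sees only one spend, so each fork validates on its own.
    both_forks_valid = validate_chain(chain_bob) and validate_chain(chain_carol)
    # A single chain holding both spends of H1 is rejected.
    merged_valid = validate_chain(common + [{"txs": [tx_bob]}, {"txs": [tx_carol]}])
    # Miners happen to extend Carol's fork; Bob's fork is orphaned.
    chain_carol = chain_carol + [{"txs": []}] * 6
    winner = choose_chain([chain_bob, chain_carol])
    return (both_forks_valid, merged_valid, winner is chain_carol,
            confirmations(winner, tx_carol), confirmations(winner, tx_bob))

if __name__ == "__main__":
    print(demo())
```

In the returned tuple, Carol's transaction has seven confirmations in the winning chain while Bob's has zero: had Bob shipped after seeing his transaction in a single block, Alice's payment to him would have vanished with the orphaned fork, which is the reason for waiting for six confirmations.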
Game Theory
51 percent attack
Let there be an attacker who holds 51% of the mining power. Can he distort the Bitcoin mechanics?
Let's say the 51% attacker does not like Alice. He can suppress transactions, i.e., reject blocks that contain Alice's transactions. But he can't prevent Alice's transactions from being broadcast to other peers. As a result, some honest nodes will approve Alice's transactions.
Since he doesn't control the entire network, he cannot change the block reward. Honest nodes will recognise the attack.
Let's assume he creates a lot of double spend attacks and succeeds. People lose confidence in Bitcoin and the exchange rate would plummet.
From a financial point of view, the cost incurred to attain 51% power is substantial and any rational attacker will not do that.
Game Theory
Miners can make strategic decisions to allot their mining time optimally.
There is no complete model that confirms that the default mining strategy is optimal.
Where most miners choose the default strategy rather than strategising, Bitcoin seems to work well.
Game Theory
Mining pools
Since the variance of finding new blocks is high, miners can aggregate and form a pool while mining.
The founder of Bitcoin is a mystery. He/she/they proposed the idea using the name “SATOSHI NAKAMOTO”.
Thank you..!