Thomas Holenstein
ITS Science Colloquium, Nov 6, 2014
Approach: technical
Requires digital signatures and random oracles.
What are researchers doing?
What are the open problems?
Disclaimer: I own some bitcoin.
Digital signatures (diagram): Key Generation, Signing, Verification.
Key Generation: Alice obtains a key pair, Alice (Public) and Alice (Secret).
Signing: Alice uses Alice (Secret) to compute a signature A on a message.
Verification: Bob uses the message, the signature A and Alice (Public) to check it.
Goal: Bob should be sure that the message originates from Alice.
Security (informal): You cannot produce valid signatures without the secret key.
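The three algorithms of the diagram, as an added example that is not part of the slides: key generation, signing and verification with ECDSA from Go's standard library. Assumptions of this example: the curve is P-256 (Go's standard library has no secp256k1, the curve Bitcoin uses), the message is hashed with SHA256 before signing, and the message text is constructed here. The demo also checks the two things a verifier must reject: a modified message, and a signature checked against somebody else's public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyGen produces Alice's key pair: the secret key stays with Alice, the
// embedded public key (sk.PublicKey) is the bit string everyone may see.
func KeyGen() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the message (SHA256 as the random-oracle stand-in) and signs
// the digest; only the holder of the secret key can do this.
func Sign(sk *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, sk, digest[:])
}

// Verify is Bob's side: it needs the message, the signature and Alice's
// public key, nothing secret.
func Verify(pk *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pk, digest[:], sig)
}

// SignatureDemo reports whether (1) the genuine message verifies, (2) a
// modified message verifies under the same signature, (3) the signature
// verifies under someone else's public key. Only (1) should be true.
func SignatureDemo() (genuine, tampered, wrongKey bool, err error) {
	alice, err := KeyGen()
	if err != nil {
		return
	}
	blackHat, err := KeyGen() // a second, unrelated key pair
	if err != nil {
		return
	}
	msg := []byte("Transfer 0.1 BTC from Alice to Bob") // constructed message
	sig, err := Sign(alice, msg)
	if err != nil {
		return
	}
	genuine = Verify(&alice.PublicKey, msg, sig)
	tampered = Verify(&alice.PublicKey, []byte("Transfer 10 BTC from Alice to Bob"), sig)
	wrongKey = Verify(&blackHat.PublicKey, msg, sig)
	return
}

func main() {
	g, t, w, err := SignatureDemo()
	fmt.Println("genuine:", g, "tampered:", t, "wrong key:", w, "err:", err)
}
```

Verification is deterministic, but signing draws randomness: two signatures of the same message differ, and both verify. That is why a transaction cannot be identified by its signature bytes alone (the later "transaction malleability" reference is about exactly this).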
We now try to build bitcoin…
… but we will fail.
We want some kind of “digital money”.
Everyone can participate.
No central instance – no bank.
A network of computers.
Every computer can send messages to some other computers.
Every computer maintains a table: “who owns what?”
We will need: all computers have the same table.
Remark: The public keys are just bit strings.
The table "who owns what?" (from the slide):
  Alice   (Public)  10 BTC
  Bob     (Public)  0.2 BTC
  Charlie (Public)  17 BTC
  Dora    (Public)  0.001 BTC
  Eliza   (Public)  2 BTC
To send money, we use transactions. These are messages like this:
  Transfer 0.1 BTC from Alice (Public) to Bob (Public), with signature A.
In "short", transactions look like this:
  $ F T A   (amount, from, to, signature)
Alice: "I'll send 0.1 Bitcoin to Bob."
Protocol: sending BTC
1. Craft a transaction.
2. Give it to your computer.
Protocol: participating
On valid transactions:
1. Update ledger.
2. Relay transaction.
Black Hat: "I can exploit this!"
These transactions spend previously spent bitcoins!
Black Hat prepares two transactions:
1. Give BTC from Black Hat to Alice.   Alice: "Thanks!"
2. Give BTC from Black Hat to Bob.     Bob: "Thanks!"
The bad guy spends the same Bitcoins with two different transactions.
Computers receiving the first transaction will have a different ledger than computers receiving the second.
We need a protocol to agree on a transaction.
“Consensus protocols”. Studied since 1980, starting with Pease, Shostak, Lamport.
Huge literature!
Main idea for protocols: ask the others "What transaction are you using?"
Protocols work if (say) > 70% of the computers follow the protocol.
Design goal: Everyone can participate, by running a special program.
Black Hat: "I will gladly participate… with 1 000 virtual machines!"
A bad guy controls many virtual computers. Like this, he can make different participants believe different things.
A random hash function is
  RH: TextFile → {0, …, 2^k − 1}
where all outputs are chosen uniformly at random, independent of each other.
Example: x := RH("text")   // x = 44709335
                           // x = 53639915
In practice, we hope that SHA256 behaves "like a random oracle".
  SHA256: TextFiles → {0, …, 2^256 − 1}
Calculation: If we made all computers in the world compute SHA256, it takes ~"40 × 14 · 10^9 years" to find x_1 ≠ x_2 s.t. SHA256(x_1) = SHA256(x_2).
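Why the collision search above is hopeless, as an added example that is not part of the slides: the same search run against a k-bit random-oracle stand-in (SHA256 truncated to k bits, an assumption of this example) finds a collision after about sqrt(pi/2 · 2^k) calls, the birthday bound, and the code then extrapolates to k = 256. The hash rate used for the extrapolation, ~2 × 10^17 SHA256/s, is the network rate quoted later in the talk; the slide's own "40 × 14 · 10^9 years" assumes a different rate (all computers in the world), so the two figures are not meant to agree.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
)

// Trunc returns the first kBits bits of SHA256(x) as an integer (kBits <= 64):
// a stand-in for RH with a small output range that we can brute-force.
func Trunc(x []byte, kBits uint) uint64 {
	sum := sha256.Sum256(x)
	return binary.BigEndian.Uint64(sum[:8]) >> (64 - kBits)
}

// FindCollision evaluates RH on the inputs "0", "1", "2", ... and stops at
// the first pair x1 != x2 with Trunc(x1) == Trunc(x2); tries counts RH calls.
func FindCollision(kBits uint) (x1, x2 string, tries int) {
	seen := map[uint64]string{} // output -> first input that produced it
	for i := 0; ; i++ {
		x := fmt.Sprintf("%d", i)
		tries++
		h := Trunc([]byte(x), kBits)
		if prev, ok := seen[h]; ok {
			return prev, x, tries
		}
		seen[h] = x
	}
}

// ExpectedTries is the birthday bound sqrt(pi/2 * 2^k): the expected number
// of evaluations of a k-bit random function before two outputs coincide.
func ExpectedTries(kBits uint) float64 {
	return math.Sqrt(math.Pi / 2 * math.Exp2(float64(kBits)))
}

// YearsToCollide extrapolates the expected search time to a given hash rate.
func YearsToCollide(kBits uint, hashesPerSecond float64) float64 {
	return ExpectedTries(kBits) / hashesPerSecond / (365.25 * 24 * 3600)
}

func main() {
	const k = 32
	x1, x2, tries := FindCollision(k)
	fmt.Printf("k=%d: %q and %q collide after %d RH calls (expected ~%.0f)\n",
		k, x1, x2, tries, ExpectedTries(k))
	// Assumed rate: the ~2 x 10^17 SHA256/s of the 2014 network cited in the talk.
	fmt.Printf("k=256 at 2e17 hashes/s: ~%.1e years\n", YearsToCollide(256, 2e17))
}
```

The point of the extrapolation is the exponent: halving k makes the search sqrt-times cheaper, not twice as cheap, which is why 256 bits of output are comfortably out of reach while 32 bits fall in a fraction of a second.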
Step 1: What does the protocol look like?
Step 2: What happens if people cheat?
A block B contains
  RH(B') for another block B',
  a list of transactions,
  and an arbitrary number, the "nonce".
Block B is valid if the first d = 5 digits of the hash of B are all zero.
(Hash values shown on the slide: 0000031105830 and 0000077326777 satisfy this; 8046465385222 does not.)
If we have a block, we can find a "next block":
  Take RH(B') from the previous block B'. Add transactions.
  Try different values for the nonce until the hash starts with d zeros.
Bitcoin chooses d such that this takes ~10 minutes.
If we have a block, with a bit of work, we can find a "next block"… and yet another "next block"… or a block which continues from an earlier block… and so on.
In general, we can build a tree of blocks like this. But only ever downwards: a new block can extend an existing one, never be inserted above it.
Protocol: finding blocks
1. Take the longest chain you can find.
2. Collect transactions.
3. Find a new valid block here.
4. Publish it.
Protocol: To know who owns BTC
1. Take the longest chain you can find.
2. Process the transactions in this chain in order.
Many people are trying to find blocks, which uses a lot of resources…
A real lot!
This is called “mining”.
If you find a block, you get bitcoins as a reward.
Every transaction specifies a fee (the "Fee: … BTC" field next to "Transfer 0.1 BTC" and the signature A in the figure). It goes to the person who puts the transaction into a valid block.
Protocol: participate
Relay valid transactions.
Relay valid blocks in the longest chain.
Work with the longest chain.
Protocol: miners
Collect valid transactions.
Publish valid blocks which extend the longest chain.
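The block structure, the mining loop and the two protocols above ("finding blocks" and "to know who owns BTC"), as one added example that is not part of the slides. Assumptions of this example: RH is SHA256 over a simple serialization of the block, d is counted in leading zero hex digits (4 instead of the slide's 5 decimal digits, so that it runs in well under a second), the first block points at an all-zero "genesis" hash, transaction signatures are left out, and the starting balances are constructed. Real Bitcoin differs in details that do not matter here: it hashes with double SHA256 against a numeric target, and it prefers the chain with the most accumulated work rather than the most blocks.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Tx is the "$ F T" transaction of the slides (amount, from, to); signatures
// are left out, so assume every Tx here was already checked.
type Tx struct {
	Amount   int
	From, To string
}

// Block holds RH(B') of the previous block, transactions and a nonce.
type Block struct {
	PrevHash string
	Txs      []Tx
	Nonce    uint64
}

// Difficulty is d in leading zero hex digits (the slides use 5 decimal digits).
const Difficulty = 4

// GenesisHash is the assumed PrevHash of the very first block.
var GenesisHash = strings.Repeat("0", 64)

// Hash plays the role of RH(B): SHA256 over a serialization of the block.
func (b Block) Hash() string {
	h := sha256.New()
	fmt.Fprintf(h, "%s|", b.PrevHash)
	for _, tx := range b.Txs {
		fmt.Fprintf(h, "%d:%s->%s;", tx.Amount, tx.From, tx.To)
	}
	fmt.Fprintf(h, "|%d", b.Nonce)
	return hex.EncodeToString(h.Sum(nil))
}

// Valid: the first d digits of the hash are all zero.
func (b Block) Valid() bool {
	return strings.HasPrefix(b.Hash(), strings.Repeat("0", Difficulty))
}

// Mine fixes RH(B') and the transactions, then tries nonces until the hash
// is valid; calls is the number of RH evaluations spent (the "work").
func Mine(prev string, txs []Tx) (b Block, calls int) {
	b = Block{PrevHash: prev, Txs: txs}
	for calls = 1; !b.Valid(); calls++ {
		b.Nonce++
	}
	return b, calls
}

// ValidChain: every block is valid and points at the block before it.
func ValidChain(chain []Block) bool {
	prev := GenesisHash
	for _, b := range chain {
		if b.PrevHash != prev || !b.Valid() {
			return false
		}
		prev = b.Hash()
	}
	return true
}

// Longest is "take the longest chain you can find", over valid chains only.
func Longest(chains ...[]Block) (best []Block) {
	for _, c := range chains {
		if ValidChain(c) && len(c) > len(best) {
			best = c
		}
	}
	return best
}

// Balances processes the chain's transactions in order from an initial
// allocation; a transfer the sender cannot cover is skipped, which is how
// the second spend of the same coins "vanishes" once one chain is chosen.
func Balances(initial map[string]int, chain []Block) map[string]int {
	bal := make(map[string]int, len(initial))
	for k, v := range initial {
		bal[k] = v
	}
	for _, b := range chain {
		for _, tx := range b.Txs {
			if tx.Amount <= 0 || bal[tx.From] < tx.Amount {
				continue // invalid or double spend: ignored
			}
			bal[tx.From] -= tx.Amount
			bal[tx.To] += tx.Amount
		}
	}
	return bal
}

// ChainDemo replays the double-spend story: Black Hat pays the same 5 BTC
// to Alice and to Bob, the network forks, and the branch with more work wins.
func ChainDemo() (map[string]int, int) {
	initial := map[string]int{"BlackHat": 5} // constructed starting ledger
	a1, _ := Mine(GenesisHash, []Tx{{5, "BlackHat", "Alice"}}) // seen by Alice
	b1, _ := Mine(GenesisHash, []Tx{{5, "BlackHat", "Bob"}})   // seen by Bob
	b2, _ := Mine(b1.Hash(), nil)                              // more work here
	best := Longest([]Block{a1}, []Block{b1, b2})
	return Balances(initial, best), len(best)
}
```

Running ChainDemo shows the resolution the next slides describe: both branches are valid on their own, but once one of them is longer, every node applying the two protocols ends with the same ledger (Bob has the 5 BTC, Alice's copy of the payment is gone). The `calls` counter returned by Mine is the quantity the later "as many RH-calls as the rest" argument is about.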
Step 1: What does the protocol look like?
Step 2: What happens if people cheat?
Black Hat: "I can exploit this!"
A miner: "I found a valid block!" (Alice, Bob and Black Hat appear in the figure.)
Once a block is found, the double spends vanish.
Occasionally, two people find blocks at around the same time… but typically the problem disappears.
Black Hat: "Maybe I should build another chain?"
The more RH-calls are devoted to a chain, the faster it grows.
Thus, intuitively: to build a chain as fast as the rest, you need as many RH-calls as the rest.
Bitcoin was deployed with basically no theoretical foundation.
Is the system secure? What gives it security?
What will rational agents in the Bitcoin network do?
What are possible attacks?
Ideally, we would want a model which captures the “important aspects”.
We then want theorems which describe the results.
Some of the following research goes into this direction.
Babaioff, Dobzinski, Oren, Zohar (2012). On Bitcoin and red balloons
Karame, Androulaki, Capkun (2012). Two Bitcoins at the price of one? Double-spending attacks on fast payments in Bitcoin
Bahack (2013).
Barber, Boyen, Shi, Uzun (2012).
I omit many references… also how to make Bitcoin a better currency in the following!
The economics of Bitcoin
Möser, Böhme, Breuker (2014). Towards risk scoring of Bitcoin transactions
Becker, Breuker, Heide, Holler, Rauer, Böhme (2012). Can we afford integrity by proof-of-work? Scenarios inspired by the Bitcoin currency
Nakamoto (2008). Bitcoin: a peer-to-peer electronic cash system
Better in practice than in theory: lessons from the rise of Bitcoin
Raulo (2011). Optimal pool abuse strategy. http://bitcointalk.org
Courtois, Grajek, Naik (2013). The unreasonable fundamental incertitudes behind Bitcoin mining
Todd (2013). How a floating blocksize limit inevitably leads towards centralization
… many more.
Eyal, Sirer (2014). Majority is not enough: Bitcoin mining is vulnerable
Garay, Kiayias, Leonardos (2014). The Bitcoin backbone protocol: analysis and applications
There are some aspects of Bitcoin which will change:
The initial block reward will vanish.
I believe: the network will grow or go away.
What are the effects of such changes?
(There is previous work which studies this).
New technology gives new choices. How do we choose?
Try to make the system more powerful.
Try to make the design:
more secure,
faster,
less wasteful.
Back, Corallo, Dashjr, Friedenbach, Maxwell, Miller, Poelstra, Timón, Wuille (2014). Enabling Blockchain Innovations with Pegged Sidechains
Bamert, Decker, Elsen, Wattenhofer, Welten (2013). Have a Snack, Pay with Bitcoin
Dziembowski, Faust, Kolmogorov, Pietrzak (2013). Proofs of Space
etotheipi, maaku, et al. (2012). Ultimate blockchain compression w/ trust-free […]
Hearn (2013). Decentralised crime fighting using private set intersection protocols
Ben-Sasson, Chiesa, Genkin, Tromer, Virza (2013). SNARKs for C: Verifying Program Executions Succinctly and in ZK
Bentov, Gabizon, Mizrahi (2014). Cryptocurrencies without Proof of Work
Bonneau, Clark, Miller (2014). FawkesCoin: A cryptocurrency without public-key cryptography
Buterin (2013). Ethereum White Paper.
Heilman (2014). One Weird Trick to Stop Selfish Miners: Fresh Bitcoins […]
King, Nadal (2012). PPCoin: Peer-to-Peer Crypto-Currency with Proof-of-Stake
Lee (2013). Litecoin
Maxwell (2013). Really Really ultimate blockchain compression: CoinWitness
Miller, Shi, Kosba, Katz (2014). Nonoutsourceable Scratch-Off Puzzles to Discourage Bitcoin Mining Coalitions
Sompolinsky, Zohar (2013). Accelerating Bitcoin's Transaction Processing: Fast Money Grows on Trees, Not Chains
Todd (2014). Tree-chains preliminary summary.
Computing SHA256 around 2 × 10^17 times per second seems like a big waste of energy.
Back of the envelope calculation gives a daily energy use of 5'000'000+ kWh (~500'000+ CHF).
Can we improve the situation?
(There is previous work which studies this).
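The back-of-the-envelope figure worked through, as an added calculation that is not from the slides. The hash rate is the ~2 × 10^17 SHA256/s quoted above; the energy per hash (about 1 nJ, i.e. 1 J per GH, the efficiency class of mining ASICs in 2014) and the electricity price (0.10 CHF/kWh) are assumptions of this calculation, not numbers from the talk:

$$P = 2 \times 10^{17}\,\mathrm{H/s} \times 10^{-9}\,\mathrm{J/H} = 2 \times 10^{8}\,\mathrm{W}$$

$$E_{\text{day}} = 2 \times 10^{8}\,\mathrm{W} \times 24\,\mathrm{h} = 4.8 \times 10^{9}\,\mathrm{Wh} = 4.8 \times 10^{6}\,\mathrm{kWh}$$

$$\text{cost}_{\text{day}} \approx 4.8 \times 10^{6}\,\mathrm{kWh} \times 0.10\,\mathrm{CHF/kWh} \approx 480'000\,\mathrm{CHF}$$

which reproduces the order of magnitude of the 5'000'000+ kWh and 500'000+ CHF per day stated above. Both inputs scale the result linearly, so a twice-as-efficient chip or a twice-as-cheap tariff halves it; the hash rate, however, is set by the competition between miners and grows whenever mining is profitable, which is why efficiency gains alone do not reduce the total.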
Every transaction is broadcast and stored.
On the other hand, a priori nobody knows who owns which public key.
Is Bitcoin anonymous?
Androulaki, Karame, Roeschlin, Scherer, Capkun (2013). Evaluating user privacy in Bitcoin
Biryukov, Pustogarov (2014). Bitcoin over Tor isn't a good idea
Gervais, Karame, Gruber, Capkun (2014). On the privacy provisions of Bloom filters in lightweight Bitcoin clients
Koshy, Koshy, McDaniel (2014). An analysis of anonymity in Bitcoin using P2P network traffic
Meiklejohn, Pomarole, Jordan, Levchenko, McCoy, Voelker, Savage (2013). A fistful of bitcoins: Characterizing payments among men with no names
Ober, Katzenbeisser, Hamacher (2013). Structure and anonymity of the Bitcoin transaction graph
Reid, Harrigan (2012). An analysis of anonymity in the Bitcoin system
Ron, Shamir (2014). How did Dread Pirate Roberts acquire and protect his Bitcoin wealth?
Ron, Shamir (2013). Quantitative analysis of the full Bitcoin transaction graph
Spagnuolo, Maggi, Zanero (2014). BitIodine: Extracting intelligence from the Bitcoin network
theymos (2010). Anonymity
Ben-Sasson, Chiesa, Garman, Green, Miers, Tromer, Virza (2014). Zerocash: decentralized anonymous payments from Bitcoin
Bonneau, Clark, Kroll, Miller, Narayanan (2014). Mixcoin: Anonymity for Bitcoin with accountable mixes
Danezis, Fournet, Kohlweiss, Parno (2013). Pinocchio Coin: building Zerocoin from a succinct pairing-based proof system
Garman, Green, Miers, Rubin (2014). Rational zero: Economic security for Zerocoin with everlasting anonymity
Ladd (2012). Blind signatures for Bitcoin transaction anonymity
Maxwell (2013). CoinJoin: Bitcoin privacy for the real world
Miers, Garman, Green, Rubin (2013). Zerocoin: Anonymous distributed e-cash from Bitcoin
Saxena, Misra, Dhar (2014). Increasing anonymity in Bitcoin
If Bitcoin works, we can use the technology for other things.
Use Bitcoin as a building block
Use the blockchain technology for new applications.
Andrychowicz, Dziembowski, Malinowski, Mazurek (2014). Secure Multiparty Computations on Bitcoin
Back, Bentov (2014). Note on fair coin toss via Bitcoin.
Bentov, Kumaresan (2014). How to Use Bitcoin to Design Fair Protocols
Clark, Bonneau, Felten, Kroll, Miller, Narayanan (2014). On Decentralizing Prediction Markets and Order Books.
Clark, Essex (2012). CommitCoin: Carbon Dating Commitments with Bitcoin
Finney et al. (2010). Bitcoin overlay protocols
Miller, Juels, Shi, Parno, Katz (2014). PermaCoin: Repurposing Bitcoin Work for Data Preservation
Another approach is to look at the current system.
What are people doing?
What happens in the network?
Decker, Wattenhofer (2013). Information Propagation in the Bitcoin Network
Decker, Wattenhofer (2014). Bitcoin Transaction Malleability and MtGox
Donet Donet, Pérez-Solà, Herrera (2014). The Bitcoin P2P network
Gandal, Halaburda (2014). Competition in the Crypto-Currency Market.
Johnson, Laszka, Grossklags, Vasek, Moore (2014). Game-Theoretic Analysis of DDoS Attacks Against Bitcoin Mining Pools
Plohmann, Gerhards-Padilla (2012). Case study of the miner botnet
Vasek, Thornton, Moore (2014). Empirical Analysis of Denial-of-Service Attacks in the Bitcoin Ecosystem
Moore, Christin (2013). Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk
What are the economic foundations behind
Bitcoin?
Does it make sense that Bitcoin has value?
Do law makers have to react to Bitcoin?
Ali, Barrdear, Clews, Southgate (2014). The economics of digital currencies
Andolfatto (2014). Bitcoin and beyond: the possibilities and pitfalls of virtual currencies
Boehm, Pesch (2014). Bitcoin: a first legal analysis with reference […]
Brito, Shadab, Castillo (2014). Bitcoin financial regulation: securities, derivatives, prediction markets, & gambling
Brito, Castillo (2013). Bitcoin: A primer for policymakers.
Dion (2014). Bitcoin, regulating fraud in the economy of Hacker-Cash
Doguet (2013). The nature of the form: Legal and regulatory issues surrounding the Bitcoin digital currency system
Elwell, Murphy, Seitzinger (2014). Bitcoin: questions, answers, and analysis of legal issues
European Central Bank (2012). Virtual currency schemes
Grinberg (2011). Bitcoin: An innovative alternative digital currency
Güring, Grigg (2011). Bitcoin & Gresham's Law - the economic inevitability of collapse
Hileman (2014). From Bitcoin to the Brixton pound: history and prospects for alternative currencies
Luther, White (2014). Can Bitcoin Become a Major Currency?
Marian (2013). Are cryptocurrencies 'super' tax havens?
Mimic (2014). Regulatory challenges of alternative ecurrency; Comparative analysis of Bitcoin model in US and EU jurisdictions
Möser, Böhme, Breuker (2013). An inquiry into money laundering tools in the Bitcoin ecosystem
Sapuric, Kokkinaki (2014). Bitcoin is volatile! Isn't that right?
Yermack (2013). Is Bitcoin a real currency? [...]
Bergstra, Leeuw (2014). Bitcoin and beyond: exclusively informational monies
Lo, Wang (2014). Bitcoin as money?
Luther (2013). Cryptocurrencies, network effects, and switching costs
Maurer, Nelms, Swartz (2013). "When perhaps the real problem is money itself!": the practical materiality of Bitcoin
Rotman (2014). Bitcoin versus electronic money
Graf (2014). Sidechained Bitcoin substitutes: A monetary commentary
… many more! Apologies to everyone whose research I missed or forgot to list!
Alessandro Chiesa, Christian Decker
Sources: xkcd.com, blockchain.info, bitcoincharts.com, KnCMiner.com