
2017-05-12: The WannaCry ransomware worm (here in Germany)

–192– Stefan Lucks Hash Fun. & PW (2017) 8: Bitcoins & Blockchain

The Workflow of Ransomware

1: Infection
2: Encryption
3: Demand/Threat
4: Payment?
5: Decryption??

[Figure: diagram of steps 1–5; the ransom note in the figure reads “Oops! You have been crypted! ...”]

What do you see, if it happens?

2017-05-04: Screenshot of Thundercrypt

What do you see, if it happens? (2)

- count-down
- list of encrypted files
- encryption method (here: RSA-2048 + symmetric)
- “we can recover your files”
- how to pay
- hint: switch off anti-virus
- helpdesk (!)
- offer to decrypt some files (here: only one)

professional “service”

Payment using Bitcoins . . . and how do bitcoins work at all?

- Digital Signatures
- Proofs of Work

Proofs of Work and Blockchains are “modes of operation” for cryptographic hash functions.

8.1: HashCash – Proofs of Work (A. Back, 2002)

- no payment scheme (in spite of “Cash”)
- n-bit hash function $H : \{0,1\}^* \to \{0,1\}^n = \mathbb{Z}_{2^n}$
- hardness factor k
- V defines prefix (“nonce”) N
- $Z := 2^{n-k}$
- P searches for X with
  $H(N \| X) / Z = 0$
  (integer division, drop remainder) [$2^k$ calls of H]
- P sends X to V
- V checks $H(N \| X) / Z = 0$ [1 call of H]
- Example application: SPAM-Prevention
  - k sufficiently small that legitimately sending mails is not an issue
  - k large enough to slow down SPAMming massively

SPAM-Prevention – example application for HashCash

- Fix H and k.
- Sender:
  - $N = \langle\text{version}\rangle \| k \| \langle\text{date,time}\rangle \| \langle\text{address}\rangle$
  - search X with $H(N \| X) / 2^{n-k} = 0$
- Receiver:
  - Is ⟨date,time⟩ less than two days off?
  - And is the address mine?
  - And is (N, X) not yet in my database (“double-use”)?
  - Then → store (N, X) in database and accept email.
- Used in practice?
  - Generally reject mails without a valid HashCash “stamp”? → To the best of my knowledge: No!
  - Bonus for valid “stamps”? → Yes, e.g., SpamAssassin.
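The sender/receiver protocol above as a runnable sketch (added example, not code from the slides or from HashCash itself). SHA-256 stands in for the n-bit H; the ':'-separated layout of N and the 8-byte X are my assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

N_BITS = 256   # n: SHA-256 stands in for the n-bit hash function H
def H(data: bytes) -> int:
    """H : {0,1}* -> Z_{2^n}: the digest read as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def make_prefix(k: int, when: datetime, address: str) -> bytes:
    """N = <version>||k||<date,time>||<address>; the ':'-separated layout is assumed."""
    return f"1:{k}:{when.strftime('%Y%m%d%H%M')}:{address}:".encode()

def mint(N: bytes, k: int) -> bytes:
    """Sender: search X with H(N||X) // 2^(n-k) == 0 (k leading zero bits);
    about 2^k calls of H on average."""
    Z, x = 1 << (N_BITS - k), 0
    while H(N + x.to_bytes(8, "big")) // Z != 0:
        x += 1
    return x.to_bytes(8, "big")

def verify(N: bytes, X: bytes, k: int, my_address: str, now: datetime, seen: set) -> bool:
    """Receiver: one call of H plus the slide's freshness, address and double-use checks."""
    try:
        _version, k_stamp, ts, address, _ = N.decode().split(":", 4)
        when = datetime.strptime(ts, "%Y%m%d%H%M").replace(tzinfo=timezone.utc)
    except ValueError:
        return False                                   # malformed stamp
    if int(k_stamp) < k or H(N + X) // (1 << (N_BITS - k)) != 0:
        return False                                   # too little work
    if abs(now - when) > timedelta(days=2):
        return False                                   # more than two days off
    if address != my_address:
        return False                                   # minted for somebody else
    if (N, X) in seen:
        return False                                   # double-use
    seen.add((N, X))                                   # accept: remember the stamp
    return True

def demo(k: int = 12) -> dict:
    """Constructed scenario: mint one stamp, then replay and misuse it."""
    db, now = set(), datetime(2017, 5, 12, tzinfo=timezone.utc)
    N = make_prefix(k, now, "alice@example.org")
    X = mint(N, k)
    return {
        "fresh": verify(N, X, k, "alice@example.org", now, db),                        # True
        "double_use": verify(N, X, k, "alice@example.org", now, db),                   # False
        "wrong_address": verify(N, X, k, "bob@example.org", now, set()),               # False
        "stale": verify(N, X, k, "alice@example.org", now + timedelta(days=3), set()), # False
    }
```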

HashCash Critique

- “undemocratic”:
  - slow on “normal” PCs,
  - faster on parallel hardware (GPUs),
  - much faster on dedicated hardware (ASICs)
- “not green”: “Proof of Work” = “Proof of Power Consumption”
- possible alternative: “Proof of Storage”

8.2: Blockchain

Example: Timestamping Server

- Block: $B_i$
- Timestamp $T_i$ for block $B_i$:
  $T_i = H(T_{i-1}, H(\text{header}, B_i))$
- Proof for $B_i$:
  - old: $T_{i-1}$
  - current: $T_a$ with $a \ge i$
  - new: $H(\text{header}, M_j)$ for $i < j \le a$
  - chain from $T_{i-1}$ to $T_a$
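Added example, not from the slides: a minimal timestamping server that computes $T_i = H(T_{i-1}, H(\text{header}, B_i))$, and a verifier that re-walks the chain from $T_{i-1}$ to $T_a$ using only the later leaf hashes. The fixed header value, the genesis $T_0$ and the length-prefixed hashing inside H are my assumptions.

```python
import hashlib

HEADER = b"timestamp-server-v1"   # the fixed block "header" of the slide (value assumed)

def H(*parts: bytes) -> bytes:
    """The hash function H of the slides; arguments are length-prefixed so that
    H(x, y) cannot be confused with a differently split concatenation."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()

class TimestampServer:
    """Keeps T_i = H(T_{i-1}, H(header, B_i)) for i = 1..a, starting from a fixed T_0."""
    def __init__(self):
        self.T = [b"\x00" * 32]        # T_0 (constructed genesis value)
        self.leaves = [None]           # leaves[i] = H(header, B_i)

    def add_block(self, B: bytes) -> int:
        leaf = H(HEADER, B)
        self.leaves.append(leaf)
        self.T.append(H(self.T[-1], leaf))
        return len(self.T) - 1         # the index i of the new block

    def proof(self, i: int):
        """Proof for B_i: old stamp T_{i-1} and H(header, M_j) for i < j <= a."""
        return self.T[i - 1], list(self.leaves[i + 1:])

def verify(B: bytes, T_prev: bytes, later_leaves, T_a: bytes) -> bool:
    """Re-walk the chain from T_{i-1} through B_i and the later leaves; it must end
    at the current stamp T_a. Costs a - i + 1 calls of H, whatever the M_j were."""
    t = H(T_prev, H(HEADER, B))
    for leaf in later_leaves:
        t = H(t, leaf)
    return t == T_a

def demo() -> dict:
    """Constructed scenario: five blocks, prove B_3, then try a forged and a misdated block."""
    srv = TimestampServer()
    blocks = [b"block-%d" % i for i in range(1, 6)]
    for B in blocks: srv.add_block(B)
    T_prev, later = srv.proof(3)
    return {
        "genuine": verify(blocks[2], T_prev, later, srv.T[-1]),            # True
        "forged": verify(b"block-3-tampered", T_prev, later, srv.T[-1]),   # False
        "misdated": verify(blocks[3], T_prev, later, srv.T[-1]),           # False: B_4 is not B_3
        "proof_len": len(later),                                           # 2 leaves: j = 4, 5
    }
```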

The Security of the Blockchain

Theorem 20. Model H as a random oracle.

1. Given the blocks $\{B_{b+1}, \dots, B_a\}$, choose $B \notin \{B_{b+1}, \dots, B_a\}$. On the average, the adversary needs
   $\frac{2^n}{a - b}$ queries
   to forge a “stamp” for B, which would date back B into the time between b + 1 and a.
2. On the average, the adversary needs
   $2^{n/2}$ queries
   to choose two messages $M_i \ne M_i'$, such that the “stamp” $T_i$ for $M_i$ is also valid for $M_i'$.

Centralised Blockchain

- public database
- everyone can verify the correctness of entries:
  - is B in the blockchain, i.e., $B \in \{B_1, \dots, B_a\}$?
  - if yes, what is the index i with $B = B_i$?
- If “the public” knows the value $H_i$, not even the central server can change the blocks $B_j$ for $j \le i$!

Decentralised Blockchain

“miners” extend the block chain:

- collect messages for a block
- need a proof of work to extend the block
- proof depends on previous block
- the first “miner” succeeds
- all miners start again with the new block
- k set such that the blockchain grows every 10 minutes
- incentive for miners: reward by bitcoins

Consensus

two different “new” blocks (either due to malice, or by accident):

- each miner decides for itself which “new” block to continue
- the majority chain (by computing power) will “win”
- eventually, miners go to the longest branch
- the work for the other (shorter) branches is lost
- malicious users would need a majority to cheat

8.3: Bitcoins – The First Decentralised

2008: “Bitcoin: A Peer-to-Peer Electronic Cash System”, https://bitcoin.org/bitcoin.pdf
2009: Open-Source Software by Satoshi Nakamoto
2017: 2.9–5.8 million unique users with cryptocurrency wallets, most of them use bitcoins (report from University of Cambridge)

Remark: Satoshi Nakamoto is a pseudonym. Nobody knows who this person really is – it may even be more than one single person. S.N. was active in the development of bitcoin up until December 2010. Since S.N. did mine the first few bitcoins, S.N. is believed to own up to roughly one million bitcoins (≈ 2 billion $, in May 2017). (https://en.wikipedia.org/wiki/Satoshi_Nakamoto)

Transactions

all transactions public; owners’ identities can be secret; public key = pseudonym

Public Ledger

smallish example: X, Y, Z: miners; A, B, C, D: other participants

            X       Y      Z       A      B          C      D
before     5.5    77.5    9.0     4.0    5.5        2.0    6.0
change   +12.5   −27.5          +27.5   −1.5  +1.5 +1.5   −1.5
after     18.0    50.0    9.0    31.5    4.0        5.0    4.5

- X creates 12.5 new bitcoin by mining;
- Y transfers 27.5 bitcoins to A;
- each of B and D transfers 1.5 bitcoins to C.

The Network of Miners

- new transactions are broadcast to all miners
- transactions are valid if
  - the signatures are valid and
  - the bitcoins have not been spent already
- each miner collects valid new transactions into a block
- each miner tries to find a proof-of-work for its block
- after finding a proof-of-work, the miner broadcasts the block to the entire network
- miners accept the block if the proof and the transactions are valid
- miners express their acceptance of the block by working on creating the next block in the chain.

Are Bitcoins for Criminals (at least, mostly)?

- Bitcoins can be used for crimes (ransomware): blackmailers can publish their “account number” and request money transferred to those accounts!
- But many bitcoin users are just interested in
  - performing financial transactions in a digital world, and/or
  - emancipating themselves from governments, banks and multinational enterprises (European Central Bank, PayPal, . . . )
  This is both legal and legitimate!
- And, as you have seen, Bitcoins are pseudonymous, but not anonymous (unlike paper money and metal coins):
  - Whenever Bitcoins are used to buy “real world” goods, or are transferred into “normal” money, criminals have to be very careful to wipe the tracks their money left in the public ledger.
  - Bitcoins are all but useless to launder “normal” money from “conventional” criminal activities.

8.4: Smart Contracts

- centralised or decentralised blockchain
- recall that the collects transactions in the blockchain
- what, if we also collect algorithms (executable programs/scripts) in the blockchain?

Example

customer A buys insurance from insurer B against Trump president
contract is valid if signed by both A and B

    A = a890289023f4440ad9
    B = 9ddd74905c94f89380

    at "UTC 2017-01-21-23-59":
        N = query(who-is-us-president/trustworthy.org)
        N = to_upper(N)
        if N == "CLINTON":
            transfer 100 from A to B
        else:
            transfer 500 from B to A

+ no lawyers, no courts – very predictable outcome
− no way to catch mistakes or misunderstandings (e.g., when trustworthy.org answers “HCLINTON”)?

What could possibly go wrong with Smart Contracts?

A buys insurance against high exchange rate volatility from B
2017-05-29: 1 EUR = 1.1166 $

    A = a890289023f4440ad9
    B = 9ddd74905c94f89380

    def f(n):
        if n < 3:
            return 1
        else:
            return f(n-f(n-1)) + f(n-f(n-2))

    transfer 10 from B to A

    at "UTC 2018-05-29-12-00":
        Rate = query(euro-per-us-dollar/exchange-rates.de)
        Money = f(round(abs((1/Rate-1.1166)*100)))
        transfer Money from A to B

8.5: Other

- Litecoin (2011): like Bitcoin, but with memory-hard proof-of-work, based on scrypt
- Ripple (2012): somewhat similar to Bitcoin, but no proof-of-work (instead a “consensus algorithm” from Fault Tolerance Theory)
- Ethereum (2013): like Bitcoin, but with a Turing-complete virtual machine for smart contracts
- Ethereum Classic (2016):
  - DAO: Decentralized Autonomous Organization for crowdfunding
  - June 2016: hackers exploited a vulnerability in the DAO code, stealing ≈ 1/3 of the funds (≈ 50 million $)
  - July 2016: the Ethereum community decided to hard-fork the Ethereum blockchain to restore virtually all funds to the original contract.
  - a minority not willing to tamper with the original blockchain continued to use Ethereum with the original, unforked blockchain, thus creating a new cryptocurrency
