Bitcoin: 2014

Concepts, Practice, and IttayEyal,

Research Directions Emin

• Unbelievable security of core system 2014 • The mining industry IttayEyal,

• Classical attacks Emin

• Centralization n • Misaligned incentives: Sirer • Transactions • Mining • Reducing pool sizes • User-side security

2014 2014

IttayEyal,

n Sirer Almost always on.

Despite no shortage of attack motivation.

• Miner with version 0.8.0 generated a large block. 2014

• Old versions rejected it. IttayEyal,

Emin G

version 0.8.0 miners ü

n Sirer

pre-0.8.0 miners Solution: 1. Major miners downgraded to pre-0.8.0. 2. Upgrade to 0.8.1 prevented large blocks. 3. 5 months later: Upgrade done right.

2014 2014

IttayEyal,

Difficulty rise: 2014 Total Network Hash Rate IttayEyal,

20,000 Emin

n Sirer 2,000

200 Hash Rate [TH/sec] HashRate

20 Mar’13 Jul’13 Jan’14

[Blockchain.info] 6

2014 2014

IttayEyal,

n Sirer

2014 2014

IttayEyal,

n Sirer

2014 2014

IttayEyal,

n Sirer

2014 2014

IttayEyal,

n Sirer

• 2014 Avalon IttayEyal, • ASIC Miner

• BitMine Emin

• Butterfly Labs n Sirer • CoinTerra • GAW Miners • HashFast • KnC Miner • Spondoolies

• BitMine Emin

• Butterfly Labs n Sirer • CoinTerra • GAW Min ers • HashFast • KnC Miner • Spondoolies

• BitMine Emin

• Butterfly Labs n Sirer • CoinTerra • GAW Min ers • HashFast • KnC Miner • Spondoolies

2014 2014

IttayEyal,

n Sirer

2014 2014

IttayEyal,

n Sirer This is what makes Bitcoin secure.

2014 2014

IttayEyal,

Eve buys coffee from Bob but keeps her money: 2014 IttayEyal,

B Emin

Attacker produces the longest chain. 2014

IttayEyal,

n Sirer

Attacker cannot steal. Attacker can: • Require excessive transaction fees, • take ransom from a single user, or • prevent all transactions (DoS).

2014 2014

IttayEyal,

ü n Centralization Sirer

One entity gains control of the blockchain: IttayEyal, • Single majority miner

• Consortium of pools Emin

n Sirer

Breaks Bitcoin’s essential premise.

Pool GHash.IO (w/ CEX.IO) surpassed 50%. 2014 IttayEyal, Community raged.

DoS attacks on pool. Emin

GHash promptly reduced its rate. n Sirer

Pool GHash.IO (w/ CEX.IO) surpassed 50%. 2014 IttayEyal, Community raged.

DoS attacks on pool. Emin

GHash promptly reduced its rate. n Sirer

(Almost) no good reason for such large pools. • Nice interface. • Good uptime.

2014 2014

IttayEyal,

ü n Misaligned Incentives:Sirer Transaction Propagation

Nodes should propagate transactions. IttayEyal,

But why would they?

Actual incentive: don’t propagate. Sirer

[1] Babaioff, Dobzinski, Oren, and Zohar, On Bitcoin and Red Balloons. EC’12 24

DARPA Network Challenge ’09: Winner: MIT Group IttayEyal, Find 10 red balloons in US.

Technique: Emin G

$2000 to finder ü n $1000 to recruiter Sirer $500 to 2nd recruiter …

DARPA Network Challenge ’09: Winner: MIT Group IttayEyal, Find 10 red balloons in US.

Technique: Emin G

$2000 to finder ü n $1000 to recruiter Sirer $500 to 2nd recruiter …

Applicable to Bitcoin?

2014 2014 IttayEyal,

Red balloons technique not applicable to Bitcoin.

ü n • Why recruit your own competition? Sirer Unlike balloons case where you recruit far away.

• Can masquerade as your own recruits. Unlike balloons case where you physically show up.

Solution sketch: 2014 IttayEyal, Set integers 퐻 and 훽 according to topology.

Then, for a chain of length 푙: Emin

n Sirer If 푙 > 퐻 • no reward. Otherwise, • miner gets 1 + 퐻 − 푙 + 1 훽, • others get 1.

2014 2014

IttayEyal,

ü n Misaligned Incentives:Sirer Selfish Mining

Nakamoto’s Bitcoin mining protocol is incentive IttayEyal,

compatible (assuming an honest majority)

ü n 1. Best strategy: being honest Sirer

2. Revenue proportional to compute power

Goal: Get more than fair share. IttayEyal,

How: Maintain secret blocks, publish judiciously.

n Sirer

Intuition: Risk some work, others waste a lot.

(a) Any state but two branches of length 1. 2014 IttayEyal, Pool finds a block.

Keep it secret. No revenue. Emin

n Sirer

(h) Lead more than 2. 2014 IttayEyal, Others find a block.

Publish one block. Selfish gets 1. Emin

n Sirer

(g) Lead of 2. 2014 IttayEyal, Others find a block.

Publish secret chain. Selfish gets 2. Emin

n Sirer

(f) Lead of 1. 2014 IttayEyal, Others find a block.

Publish secret block. No revenue. Emin

n Sirer

훾: Ratio of others that follow pool

(b) Two branches of length 1. IttayEyal, Pool finds a block.

Publish branch. Selfish gets 2. Emin

n Sirer

(c) Two branches of length 1. 2014 IttayEyal, Others find a block after pool head.

Revenue: Each get 1. Emin

n Sirer

(d) Two branches of length 1. 2014 IttayEyal, Others find a block after others’ head.

Revenue: Others get 2. Emin

n Sirer

(e) No private branch. 2014 IttayEyal, Others find a block.

Revenue: Others get 1. Emin

n Sirer

2014 2014

IttayEyal,

ü n Selfish Mining: Sirer Analysis

2014 2014

IttayEyal,

Emin G

1 − 훼 ü n

0’ 훼 훼 훼 훼 Sirer (1 − 훾)(1 − 훼) 훾(1 − 훼) 훼 1 2 3 4 0 훼 1 − 훼 1 − 훼 1 − 훼 1 − 훼 1 − 훼

1 − 훼 IttayEyal, 0’ 훼 훼 훼 훼 (1 − 훾)(1 − 훼) 훾(1 − 훼)

훼 1 2 3 4 Emin G

훼 ü 0 1 − 훼 1 − 훼 1 − 훼 n 1 − 훼 Sirer 1 − 훼

1 − 훼 IttayEyal, 0’ 훼 훼 훼 훼 (1 − 훾)(1 − 훼) 훾(1 − 훼)

훼 1 2 3 4 Emin G

훼 ü 0 1 − 훼 1 − 훼 1 − 훼 n 1 − 훼 Sirer 1 − 훼

Auto-adjusting difficulty, so: IttayEyal,

푟푝표표푙 Emin

푅 = G

푝표표푙 ü n

푟푝표표푙 + 푟표푡ℎ푒푟푠 Sirer

2014 2014

IttayEyal,

n Sirer

2014 2014

IttayEyal,

n Sirer

2014 2014

IttayEyal,

n Sirer

2014 2014

IttayEyal,

n Sirer

2014 2014

IttayEyal,

Unknown ~February 2014 Unknown 2014

P2Pool IttayEyal, Ghash.IO

n Sirer

BTC Guild Eligius

After threshold: IttayEyal,

Rational miners want Emin

ü n to join selfish pool. Sirer

Superlinear growth: IttayEyal,

Selfish pool wants to Emin

ü n grow. Sirer

2014 2014 IttayEyal, Rational miners want

to join selfish pool. Emin

+ n Sirer Selfish pool wants to grow. = Selfish pool may grow towards 50% NOT GOOD.

Unknown

Unknown ~February 2014 2014 2014

P2Pool

Ghash.IO IttayEyal,

BTC Guild Eligius n Sirer April 16, 2014

Ghash.IO

Algorithm change: IttayEyal, • Propagate all blocks of longest chain.

• Choose one at random to mine on. Emin

n Sirer

Algorithm change: IttayEyal, • Propagate all blocks of longest chain.

• Choose one at random to mine on. Emin

n Sirer Benefits: • Proved threshold • Backward compatible • Progressive • Simple

2014 2014

IttayEyal,

ü n Reducing Pool Sizes Sirer

A peer to peer distributed pool. IttayEyal,

n Sirer • A separate blockchain with Easy PoW • Blocks distribute potential revenue among miners. • Actual revenue on full PoW.

• Non-outsourcable PoW [1] 2014 Cryptographic technique: A miner can steal IttayEyal,

from the pool when it finds a block. Emin G

• Pool cannot outsource differently. ü n • Block does not reveal secret. Sirer

• Permacoin [2] Proof of storage rather than work. Storage should not be outsourceable.

[1] Miller, Shi, Kosba, and Katz. Nonoutsourceable Scratch-Off Puzzles to Discourage Bitcoin Mining Coalitions. TR [2] Miller, Juels, Shi, Parno and Katz. Permacoin: Repurposing Bitcoin Work for Data Preservation. TR 61

Split the proof of work. IttayEyal, • Phase 1: Standard Bitcoin, but easier.

• Phase 2: Requires coinbase secret key. Emin

n Sirer Benefits: • Existing infrastructure controlled phase-out. HW, datacenters. • Pool must trust miners to outsource phase 2. Miner could try and steal the coinbase.

2014 2014

IttayEyal,

ü n User-side security Sirer

Client must keep private keys secret. IttayEyal,

High availability vs. security Emin

n Sirer Individual and large organizations security differs only in scale.

Unprecedented security requirements from commodity systems.

Tools: 2014

• Standard client IttayEyal,

• Software wallets (for phone) Emin

• Online wallets G

ü n • Brain wallets Sirer • Hardware wallets Practice: • Limited amount on phone • Cold storage – replicated • Use correct cryptography [1]

[1] Bos, Halderman, Heninger, Moore, Naehrig and Wustrow: Elliptic Curve Cryptography in Practice, FC’14 65

Tools: IttayEyal, • Plenty of firewalls

• Bullet proof front-end systems Emin

• Bullet proof back-end systems n Sirer

Practice: Powered by • Cold storage • Auditing

Transaction hash used to track transactions. 2014

But it’s possible to change a transaction: IttayEyal,

input 1 output 1, amount 1 Emin

n Sirer

input 1 output 1, amount 1

Change scriptSig: Still valid, for same content, different bits. 1. Change signature. (Crypto trick) 2. Change script. (Protocol trick)

The MtGox con: 2014

IttayEyal,

n Sirer

The MtGox con: 2014

IttayEyal,

ü n 1. Issue withdraw command. Sirer 2. Generate malformed txn, place in public buffer. 3. Change txn and publish it; get the money. 4. Call Mt.Gox to complain. 5. Pay again with new txn. 6. Get money again. 69

• The BGP attack IttayEyal,

n Sirer

BGP Get STRATUM Attack

n Sirer

Get work, Get work, Send PoW Send PoW

• The BGP attack IttayEyal, • Block Withholding

Miner sends pool PoW Emin

Unless it’s an actual solution Sirer

Bitcoin: 2014

• Alt-coins 2014 • Extensions IttayEyal,

• Privacy Emin

• Contemporary issues n Sirer

2014 2014

IttayEyal,

• Block frequency 2014 IttayEyal, • Faster confirmation

• More forks Emin

n Sirer • PoW choice • More green? (no) • More fair? (no)

• Difficulty adjustment rate • Defense against flash miners

Goal: 2014 IttayEyal, • Save some trees.

• Power to the users! (rather than miners) Emin

n Sirer Method: • Proof of Stake (PoS) instead of Proof of Work: Lock coins to create block.

Goal: 2014 IttayEyal, • Save some trees.

• Power to the users! (rather than miners) Emin

n Sirer Method: • Proof of Stake (PoS) instead of Proof of Work: Lock coins to create block. S1 S2

But nothing is at stake! S1 S2

[1] King and Nadal. PPCoin: Peer-to-Peer Crypto-Currency with Proof of Stake, August ‘12 6

2014 2014 IttayEyal, Bitcoin PoW contains: • Emin

Useless transaction (alt-coin header hash x) G

n Sirer

Alt-coin PoW contains: • Alt-coin header with hash x • Bitcoin header with transaction x

2014 2014

IttayEyal,

n Sirer Miners benefit from mining both chains together. So they do.

Alt-coin gets mining power from day one.

• Smart Contracts: IttayEyal, • 푚 out of 푛 signatures.

• Time-locked transactions: Emin

• Time to place in blockchain. Sirer • Time to use outputs.

• Ethereum: outsource distributed computing (got 31k BTC, at $18 million) • Transactions generate transactions. • Transactions activate one another.

• Colored coins: 2014

Associate assets to individual Bitcoins. IttayEyal,

n Sirer

• Side chains: • Faster • backed by main blockchain • less secure

2014 2014

IttayEyal,

All transactions remain in Blockchain forever. 2014

IttayEyal,

n Sirer

All transactions remain in Blockchain forever. 2014 One can associate addresses by detective work. IttayEyal,

[1] [2Emin ]

n Sirer

• For large scale crime? Not great. • For somewhat secret activity? Pretty good. [1] Ron and Shamir, FC’14 [2] Meiklejohn, Pomarole, Jordan, Levchenko, McCoy, Voelker, Savage. IMC’13 14 Zerocoin and Zerocash Copyright ©

Zerocash [2]: 2014 IttayEyal, Privacy preserving alt-coin on top of Bitcoin.

(preceded by Zerocoin [1]) Emin

n Sirer

[1] Miers et al., IEEE S&P, 2013 [2] Ben-Sasson et al., TR, 2014 15

The key: IttayEyal,

To move funds: prove* that Emin

“I know the secret for moving certain coins”. G

n Sirer Without revealing the sources or the value. But still preventing double-spending.

*Zero-knowledge Succinct Non-interactive Arguments of Knowledge (zk-SNARKs)

[1] Miers et al., IEEE S&P, 2013 [2] Ben-Sasson et al., TR, 2014 16

The goal: IttayEyal,

Untrackable transactions to public address.

The method: Sirer 1. Bob publishes address template 푥. 2. Alice sends Bitcoin to augmented address 푥′. 3. Bob finds 푥′ and controls it.

• No one but Alice and Bob know x’. Need either Alice’s secrets or Bob’s. • Only Alice controls x’.

2014 2014

IttayEyal,

Initialization: 2014 • Blockchain over 22GB. Linear growth. IttayEyal,

• Long time for bootstrapping Emin

ü n Running (at 7 txn/sec) : Sirer CPU: Insignificant UTXO + Mempool Memory: ~100MB Network: ~30Kb/sec

[1] Gavin Andresen, A Scalability Roadmap, BTC Foundation Blog, October 2014 19

2014 2014 IttayEyal,

Lightweight clients: Simple Proof Verification Emin

n Sirer

Initialization speedup: [1] • Headers first • UTXO first

[1] Gavin Andresen, A Scalability Roadmap, BTC Foundation Blog, October 2014 20

2014 2014 IttayEyal, UTXO set becoming large.

Miners can choose to skip transaction verification. Emin

n Sirer

Mempool becoming large Miners can publish empty blocks.

Block propagation time: IttayEyal, • Too long.

• Depends on block size. Emin

n Sirer Suggested solutions: • Transaction set reconciliation. • Header first.

2014 2014

IttayEyal,

n Sirer

Bitcoin: 2014

ü n Part IV Sirer Non-technical Ittay Eyal, Emin Gün Sirer Computer Science, Cornell University DISC Bitcoin Tutorial, October 2014

• Deflationary (21 million total) IttayEyal,

• What is it? Emin

• Store of value? Sirer • Method to transact USD?

• So what’s the potential value (USD/BTC)? • Function of mining cost? No! Rate is set. • Ratio of world economy? • Ratio of world transactions, and a function of the time it needs to store value? 2 Reasons for Volatility Copyright ©

• Regulation 2014 • Anti Money Laundering (US/Europe) IttayEyal, •

Adoption / rejection (China, Russia) Emin

• Fiat regulation (Cyprus, greece) G

ü n • Adoption Sirer • Large companies (Dell, PayPal) • Illegal (Silk Road) • Security • Mt. Gox • Technical • Not really

Commodity or currency? Something else? 2014 IttayEyal,

Revenue in Bitcoin Exchange

n Sirer

Mining?

• Payment for illicit goods. 2014

IttayEyal,

n Sirer

• Money laundering • Tumblers • w/ pool fees • Bitcoin ATMs

Diverse – a lot of players 2014 IttayEyal,

• Community health Emin G

• Maturing ü

n Sirer • Governance Mostly the Bitcoin Foundation • Protocol changes • Interaction with state regulation • Bitcoin central bank?

• Large service auditing 6

2014 2014

IttayEyal,

ü Average 12.6 Average input 1 n

output 1, amount 1 Sirer 40 input 2 6.5 output 2, amount 2 input 3

Get STRATUM B BGP Attack

2014 2014

IttayEyal,

ü Average Average input 1 n

output 1, amount 1 Sirer

12.6 40 input 2 6.5 output 2, amount 2 input 3

Get STRATUM B BGP Attack