Bitcoin: 2014

<p>Bitcoin: Concepts, Practice, and Research Directions</p>
<p>Part II: Security</p>
<p>Ittay Eyal, Emin Gün Sirer</p>
<p>Computer Science, Cornell University</p>
<p>DISC <a href="/tags/Bitcoin/" rel="tag">Bitcoin</a> Tutorial, October 2014</p>
<p>Copyright © 2014 Ittay Eyal, Emin Gün Sirer</p>

<p>Part 2 – Security</p>
<p>• Unbelievable security of core system</p>
<p>• The mining industry</p>
<p>• Classical attacks</p>
<p>• Centralization</p>
<p>• Misaligned incentives:</p>
<p>• Transactions</p>
<p>• Mining</p>
<p>• Reducing pool sizes</p>
<p>• User-side security</p>

<p>Core System Availability</p>
<p>Almost always on.</p>
<p>Despite no shortage of attack motivation.</p>

<p>The March 2013 Fork</p>
<p>• Miner with version 0.8.0 generated a large block.</p>
<p>• Old versions rejected it.</p>
<p>[Figure: chain fork between version 0.8.0 miners and pre-0.8.0 miners]</p>
<p>Solution:</p>
<p>1. Major miners downgraded to pre-0.8.0.</p>
<p>2. Upgrade to 0.8.1 prevented large blocks.</p>
<p>3. 5 months later: Upgrade done right.</p>

<p>The Mining Industry</p>

<p>Mining</p>
<p>Difficulty rise:</p>
<p>[Figure: Total Network Hash Rate. Vertical axis: Hash Rate [TH/sec], 20 to 20,000. Horizontal axis: Mar’13 to Jan’14. Source: <a href="/tags/Blockchain/" rel="tag">Blockchain</a>.info]</p>

<p>Mining Industry</p>
<p>• Avalon</p>
<p>• ASIC Miner</p>
<p>• BitMine</p>
<p>• Butterfly Labs</p>
<p>• CoinTerra</p>
<p>• GAW Miners</p>
<p>• HashFast</p>
<p>• KnC Miner</p>
<p>• Spondoolies</p>
<p>This is what makes Bitcoin secure.</p>

<p>Classical Attacks</p>

<p>Double Spending</p>
<p>Eve buys coffee from Bob but keeps her money:</p>
<p>1. [Figure with labels B and C]</p>
<p>2. Bob provides product to Eve.</p>
<p>3. [Figure with labels B and C]</p>
<p>Similar, but more feasible: The Finney attack</p>

<p>Majority Attacker, aka 51%</p>
<p>Attacker produces the longest chain.</p>
<p>Attacker cannot steal.</p>
<p>Attacker can:</p>
<p>• Require excessive transaction fees,</p>
<p>• take ransom from a single user, or</p>
<p>• prevent all transactions (DoS).</p>

<p>Centralization</p>

<p>Centralization</p>
<p>One entity gains control of the blockchain:</p>
<p>• Single majority miner</p>
<p>• Consortium of pools</p>
<p>Breaks Bitcoin’s essential premise.</p>

<p>Centralization</p>
<p>Pool GHash.IO (w/ CEX.IO) surpassed 50%.</p>
<p>Community raged.</p>
<p>DoS attacks on pool.</p>
<p>GHash promptly reduced its rate.</p>
<p>(Almost) no good reason for such large pools.</p>
<p>• Nice interface.</p>
<p>• Good uptime.</p>

<p>Misaligned Incentives: Transaction Propagation</p>

<p>Transaction Propagation [1]</p>
<p>Nodes should propagate transactions.</p>
<p>But why would they?</p>
<p>Actual incentive: don’t propagate.</p>
<p>[1] Babaioff, Dobzinski, Oren, and Zohar, On Bitcoin and Red Balloons. EC’12</p>

<p>Transaction Propagation [1]</p>
<p>DARPA Network Challenge ’09: Find 10 red balloons in US.</p>
<p>Winner: MIT Group</p>
<p>Technique:</p>
<p>$2000 to finder</p>
<p>$1000 to recruiter</p>
<p>$500 to 2nd recruiter</p>
<p>…</p>
<p>Applicable to Bitcoin?</p>

<p>Transaction Propagation [1]</p>
<p>Red balloons technique not applicable to Bitcoin.</p>
<p>• Why recruit your own competition? Unlike balloons case where you recruit far away.</p>
<p>• Can masquerade as your own recruits. Unlike balloons case where you physically show up.</p>

<p>Transaction Propagation [1]</p>
<p>Solution sketch:</p>
<p>Set integers $H$ and $\beta$ according to topology.</p>
<p>Then, for a chain of length $l$:</p>
<p>If $l &gt; H$</p>
<p>• no reward.</p>
<p>Otherwise,</p>
<p>• miner gets $1 + (H - l + 1)\beta$,</p>
<p>• others get 1.</p>

<p>Misaligned Incentives: Selfish Mining</p>

<p>Common Wisdom</p>
<p>Nakamoto’s Bitcoin mining protocol is incentive compatible (assuming an honest majority)</p>
<p>1. Best strategy: being honest</p>
<p>2. Revenue proportional to compute power</p>

<p>Selfish Mining [1]</p>
<p>Goal: Get more than fair share.</p>
<p>How: Maintain secret blocks, publish judiciously.</p>
<p>Intuition: Risk some work, others waste a lot.</p>
<p>[1] Eyal and Sirer: Majority is not Enough: Bitcoin Mining is Vulnerable, FC’14</p>

<p>Selfish Mining Algorithm</p>
<p>(a) Any state but two branches of length 1. Pool finds a block. Keep it secret. No revenue.</p>
<p>(h) Lead more than 2. Others find a block. Publish one block. Selfish gets 1.</p>
<p>(g) Lead of 2. Others find a block. Publish secret chain. Selfish gets 2.</p>
<p>(f) Lead of 1. Others find a block. Publish secret block. No revenue.</p>
<p>$\gamma$: Ratio of others that follow pool</p>
<p>(b) Two branches of length 1. Pool finds a block. Publish branch. Selfish gets 2.</p>
<p>(c) Two branches of length 1. Others find a block after pool head. Revenue: Each get 1.</p>
<p>(d) Two branches of length 1. Others find a block after others’ head. Revenue: Others get 2.</p>
<p>(e) No private branch. Others find a block. Revenue: Others get 1.</p>

<p>Selfish Mining: Analysis</p>

<p>Selfish Mining – Probabilities</p>
<p>[Figure: state machine over states 0, 0’, 1, 2, 3, 4, … with transition labels $\alpha$, $1 - \alpha$, $\gamma(1 - \alpha)$ and $(1 - \gamma)(1 - \alpha)$]</p>

<p>Selfish Mining – Revenue</p>
<p>Auto-adjusting difficulty, so:</p>
<p>$R_{pool} = \frac{r_{pool}}{r_{pool} + r_{others}}$</p>

<p>Selfish Mining: Implications</p>

<p>Attack Feasible</p>
<p>[Figure: mining pool shares, ~February 2014. Labels: Unknown, Unknown, P2Pool, Ghash.IO, Slush, BTC Guild, Eligius]</p>

<p>Catastrophe Scenario</p>
<p>After threshold: Rational miners want to join selfish pool.</p>
<p>Superlinear growth: Selfish pool wants to grow.</p>
<p>Rational miners want to join selfish pool. + Selfish pool wants to grow. = Selfish pool may grow towards 50%. NOT GOOD.</p>

<p>Attack Happening Now?</p>
<p>[Figure: mining pool shares, ~February 2014 (labels: Unknown, Unknown, P2Pool, Ghash.IO, Slush, BTC Guild, Eligius) and April 16, 2014 (label: Ghash.IO)]</p>

<p>Hardening the protocol</p>
<p>Algorithm change:</p>
<p>• Propagate all blocks of longest chain.</p>
<p>• Choose one at random to mine on.</p>
<p>Benefits:</p>
<p>• Proved threshold</p>
<p>• Backward compatible</p>
<p>• Progressive</p>
<p>• Simple</p>

<p>Reducing Pool Sizes</p>

<p>P2Pool [1]</p>
<p>A peer to peer distributed pool.</p>
<p>• A separate blockchain with Easy PoW</p>
<p>• Blocks distribute potential revenue among miners.</p>
<p>• Actual revenue on full PoW.</p>
<p>[1] Forrest Voight, p2pool: Decentralized, DoS-resistant, Hop-Proof pool, Bitcoin Forum, June 2011</p>

<p>Pool Limiting</p>
<p>• Non-outsourceable PoW [1]</p>
<p>Cryptographic technique: A miner can steal from the pool when it finds a block.</p>
<p>• Pool cannot outsource differently.</p>
<p>• Block does not reveal secret.</p>
<p>• Permacoin [2]</p>
<p>Proof of storage rather than work. Storage should not be outsourceable.</p>
<p>[1] Miller, Shi, Kosba, and Katz. Nonoutsourceable Scratch-Off Puzzles to Discourage Bitcoin Mining Coalitions. TR</p>
<p>[2] Miller, Juels, Shi, Parno and Katz. Permacoin: Repurposing Bitcoin Work for Data Preservation. TR</p>

<p>2-Phase <a href="/tags/Proof_of_work/" rel="tag">Proof of Work</a></p>
<p>Split the proof of work.</p>
<p>• Phase 1: Standard Bitcoin, but easier.</p>
<p>• Phase 2: Requires <a href="/tags/Coinbase/" rel="tag">coinbase</a> secret key.</p>
<p>Benefits:</p>
<p>• Existing infrastructure controlled phase-out. HW, datacenters.</p>
<p>• Pool must trust miners to outsource phase 2. Miner could try and steal the coinbase.</p>

<p>User-side security</p>

<p>User-side Security</p>
<p>Client must keep private keys secret.</p>
<p>High availability vs. security</p>
<p>Individual and large organizations security differs only in scale.</p>
<p>Unprecedented security requirements from commodity systems.</p>

<p>Individuals</p>
<p>Tools:</p>
<p>• Standard client</p>
<p>• Software wallets (for phone)</p>
<p>• Online wallets</p>
<p>• Brain wallets</p>
<p>• Hardware wallets</p>
<p>Practice:</p>
<p>• Limited amount on phone</p>
<p>• Cold storage – replicated</p>
<p>• Use correct cryptography [1]</p>
<p>[1] Bos, Halderman, Heninger, Moore, Naehrig and Wustrow: Elliptic Curve Cryptography in Practice, FC’14</p>

<p>Large services</p>
<p>Tools:</p>
<p>• Plenty of firewalls</p>
<p>• Bullet proof front-end systems</p>
<p>• Bullet proof back-end systems</p>
<p>Practice:</p>
<p>• Cold storage</p>
<p>• Auditing</p>

<p>Transaction Malleability</p>
<p>Transaction hash used to track transactions.</p>
<p>But it’s possible to change a transaction:</p>
<p>[Figure: two transactions, each labelled “input 1”, “output 1, amount 1”]</p>
<p>Change scriptSig: Still valid, for same content, different bits.</p>
<p>1. Change signature. (Crypto trick)</p>
<p>2. Change script. (Protocol trick)</p>

<p>Transaction Malleability</p>
<p>The MtGox con:</p>
<p>1. Issue withdraw command.</p>
<p>2. Generate malformed txn, place in public buffer.</p>
<p>3. Change txn and publish it; get the money.</p>
<p>4. Call Mt.Gox to complain.</p>
<p>5. Pay again with new txn.</p>
<p>6. Get money again.</p>

<p>Miners and Pools</p>
<p>• The BGP attack</p>
<p>[Figure labels: BGP Attack; Get STRATUM; Get work, Send PoW]</p>
<p>• Block Withholding</p>
<p>Miner sends pool PoW</p>
<p>Unless it’s an actual solution</p>

<p>Part III: Other Research</p>

<p>Part 2 – Other Research</p>
<p>• Alt-coins</p>
<p>• Extensions</p>
<p>• Privacy</p>
<p>• Contemporary issues</p>

<p>Alt-coins &amp; Extensions</p>

<p>Parameter changing</p>
<p>• Block frequency</p>
<p>• Faster confirmation</p>
<p>• More forks</p>
<p>• PoW choice</p>
<p>• More green? (no)</p>
<p>• More fair? (no)</p>
<p>• Difficulty adjustment rate</p>
<p>• Defense against flash miners</p>

<p>Proof of stake [1]</p>
<p>Goal:</p>
<p>• Save some trees.</p>
<p>• Power to the users! (rather than miners)</p>
<p>Method:</p>
<p>• Proof of Stake (PoS) instead of Proof of Work: Lock coins to create block.</p>
<p>But nothing is at stake!</p>
<p>[Figure labels: S1, S2]</p>
<p>[1] King and Nadal. PPCoin: Peer-to-Peer Crypto-Currency with Proof of Stake, August ’12</p>

<p>Merged mining</p>
<p>Bitcoin PoW contains:</p>
<p>• Useless transaction (alt-coin header hash x)</p>
<p>Alt-coin PoW contains:</p>
<p>• Alt-coin header with hash x</p>
<p>• Bitcoin header with transaction x</p>
<p>Miners benefit from mining both chains together. So they do.</p>
<p>Alt-coin gets mining power from day one.</p>

<p>Smart Contracts</p>
<p>• Smart Contracts:</p>
<p>• $m$ out of $n$ signatures.</p>
<p>• Time-locked transactions:</p>
<p>• Time to place in blockchain.</p>
<p>• Time to use outputs.</p>
<p>• Ethereum: outsource distributed computing (got 31k BTC, at $18 million)</p>
<p>• Transactions generate transactions.</p>
<p>• Transactions activate one another.</p>

<p>Extensions</p>
<p>• Colored coins: Associate assets to individual <a href="/tags/Bitcoin/" rel="tag">Bitcoins</a>.</p>
<p>• Side chains:</p>
<p>• Faster</p>
<p>• backed by main blockchain</p>
<p>• less secure</p>

<p>Privacy</p>

<p>Transaction Tracking</p>
<p>All transactions remain in Blockchain forever.</p>
<p>One can associate addresses by detective work. [1] [2]</p>
<p>• For large scale crime? Not great.</p>
<p>• For somewhat secret activity? Pretty good.</p>
<p>[1] Ron and Shamir, FC’14</p>
<p>[2] Meiklejohn, Pomarole, Jordan, Levchenko, McCoy, Voelker, Savage. IMC’13</p>

<p>Zerocoin and Zerocash</p>
<p>Zerocash [2]: Privacy preserving alt-coin on top of Bitcoin. (preceded by Zerocoin [1])</p>
<p>The key:</p>
<p>To move funds: prove* that “I know the secret for moving certain coins”.</p>
<p>Without revealing the sources or the value.</p>
<p>But still preventing double-spending.</p>
<p>*Zero-knowledge Succinct Non-interactive Arguments of Knowledge (zk-SNARKs)</p>
<p>[1] Miers et al., IEEE S&amp;P, 2013</p>
<p>[2] Ben-Sasson et al., TR, 2014</p>

<p>Stealth Addresses</p>
<p>The goal: Untrackable transactions to public address.</p>
<p>The method:</p>
<p>1. Bob publishes address template $x$.</p>
<p>2. Alice sends Bitcoin to augmented address $x'$.</p>
<p>3. Bob finds $x'$ and controls it.</p>
<p>• No one but Alice and Bob know $x'$. Need either Alice’s secrets or Bob’s.</p>
<p>• Only Alice controls $x'$.</p>

<p>Contemporary Issues</p>

<p>Scalability</p>
<p>Initialization:</p>
<p>• Blockchain over 22GB. Linear growth.</p>
<p>• Long time for bootstrapping</p>
<p>Running (at 7 txn/sec):</p>
<p>CPU: Insignificant</p>
<p>UTXO + Mempool Memory: ~100MB</p>
<p>Network: ~30Kb/sec</p>
<p>[1] Gavin Andresen, A Scalability Roadmap, BTC Foundation Blog, October 2014</p>

<p>Scalability</p>
<p>Lightweight clients: Simple Proof Verification</p>
<p>Initialization speedup: [1]</p>
<p>• Headers first</p>
<p>• UTXO first</p>

<p>UTXO and Mempool Maintenance</p>
<p>UTXO set becoming large. Miners can choose to skip transaction verification.</p>
<p>Mempool becoming large. Miners can publish empty blocks.</p>

<p>Block Propagation Time</p>
<p>Block propagation time:</p>
<p>• Too long.</p>
<p>• Depends on block size.</p>
<p>Suggested solutions:</p>
<p>• Transaction set reconciliation.</p>
<p>• Header first.</p>

<p>BIP 70 – Payment Protocol</p>

<p>Part IV: Non-technical</p>

<p>Economy</p>
<p>• Deflationary (21 million total)</p>
<p>• What is it?</p>
<p>• Store of value?</p>
<p>• Method to transact USD?</p>
<p>• So what’s the potential value (USD/BTC)?</p>
<p>• Function of mining cost? No! Rate is set.</p>
<p>• Ratio of world economy?</p>
<p>• Ratio of world transactions, and a function of the time it needs to store value?</p>

<p>Reasons for Volatility</p>
<p>• Regulation</p>
<p>• Anti Money Laundering (US/Europe)</p>
<p>• Adoption / rejection (China, Russia)</p>
<p>• Fiat regulation (Cyprus, Greece)</p>
<p>• Adoption</p>
<p>• Large companies (Dell, PayPal)</p>
<p>• Illegal (Silk Road)</p>
<p>• Security</p>
<p>• Mt. Gox</p>
<p>• Technical</p>
<p>• Not really</p>

<p>Tax</p>
<p>Commodity or currency? Something else?</p>
<p>Revenue in Bitcoin</p>
<p>Exchange</p>
<p>Mining?</p>

<p>Legal</p>
<p>• Payment for illicit goods.</p>
<p>• Money laundering</p>
<p>• Tumblers</p>
<p>• w/ pool fees</p>
<p>• Bitcoin ATMs</p>

<p>Community</p>
<p>Diverse – a lot of players</p>
<p>• Community health</p>
<p>• Maturing</p>
<p>• Governance</p>
<p>Mostly the <a href="/tags/Bitcoin_Foundation/" rel="tag">Bitcoin Foundation</a></p>
<p>• Protocol changes</p>
<p>• Interaction with state regulation</p>
<p>• Bitcoin central bank?</p>
<p>• Large service auditing</p>

<p>Conclusion</p>
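<p>Added example, not part of the original slides: a seeded Monte Carlo run of the Selfish Mining Algorithm cases (a) to (h) from Part II, measuring the pool's revenue share R_pool for pool size alpha and follow ratio gamma. It is compared with the closed-form revenue and profitability threshold from the cited Eyal and Sirer paper, which the slides do not show; the function names and event count are assumptions of this example.</p>

```python
import random


def simulate_selfish_pool(alpha, gamma, events=300_000, seed=2014):
    """Pool's share of main-chain blocks under the slides' cases (a)-(h)."""
    rng = random.Random(seed)      # fixed seed so the run is repeatable
    lead = 0                       # private blocks the pool is ahead by
    tie = False                    # True = two public branches of length 1
    pool = others = 0              # blocks that end up in the main chain
    for _ in range(events):
        pool_found = rng.random() < alpha
        if tie:
            if pool_found:                 # (b) pool extends its own branch
                pool += 2
            elif rng.random() < gamma:     # (c) others mine after pool head
                pool += 1
                others += 1
            else:                          # (d) others mine after others' head
                others += 2
            tie = False
        elif pool_found:                   # (a) keep the new block secret
            lead += 1
        elif lead == 0:                    # (e) no private branch
            others += 1
        elif lead == 1:                    # (f) publish secret block, race begins
            lead, tie = 0, True
        elif lead == 2:                    # (g) publish the whole secret chain
            pool += 2
            lead = 0
        else:                              # (h) publish one block, stay ahead
            pool += 1
            lead -= 1
    return pool / (pool + others)


def closed_form_revenue(alpha, gamma):
    """Relative pool revenue from Eyal and Sirer, FC'14 (not on the slides)."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def profit_threshold(gamma):
    """Pool size above which selfish mining out-earns honest mining (same paper)."""
    return (1 - gamma) / (3 - 2 * gamma)


if __name__ == "__main__":
    for alpha, gamma in [(0.20, 0.0), (0.30, 0.5), (0.40, 0.0)]:
        sim = simulate_selfish_pool(alpha, gamma)
        print(f"alpha={alpha:.2f} gamma={gamma:.1f} simulated={sim:.4f} "
              f"closed-form={closed_form_revenue(alpha, gamma):.4f} "
              f"honest={alpha:.4f} threshold={profit_threshold(gamma):.4f}")
```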
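<p>Added example, not part of the original slides: the Transaction Malleability slides note that the transaction hash is used to track transactions although the scriptSig can change for the same content. This sketch shows a withdrawal ledger that reconciles confirmations on a hash computed without scriptSig, so a changed txid is recognised as the same payment before any re-issue. The simplified encoding, the <code>WithdrawalLedger</code> class and all sample bytes are constructed assumptions, not Bitcoin's wire format or any service's code.</p>

```python
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin applies to transactions."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize(tx: dict, with_script_sig: bool = True) -> bytes:
    """Simplified encoding (an assumption of this example, not the wire format)."""
    out = struct.pack("<I", len(tx["inputs"]))
    for prev_txid, prev_index, script_sig in tx["inputs"]:
        sig = script_sig if with_script_sig else b""
        out += bytes.fromhex(prev_txid) + struct.pack("<I", prev_index)
        out += struct.pack("<I", len(sig)) + sig
    out += struct.pack("<I", len(tx["outputs"]))
    for amount, script_pubkey in tx["outputs"]:
        out += struct.pack("<QI", amount, len(script_pubkey)) + script_pubkey
    return out


def txid(tx: dict) -> str:
    """Hash over everything, scriptSig included: changes if scriptSig changes."""
    return sha256d(serialize(tx)).hex()


def content_id(tx: dict) -> str:
    """Hash over spent outpoints and outputs only: stable across scriptSig changes."""
    return sha256d(serialize(tx, with_script_sig=False)).hex()


class WithdrawalLedger:
    """Hypothetical ledger that settles withdrawals by content, not by txid."""

    def __init__(self):
        self.sent = {}       # content id -> (withdrawal reference, broadcast txid)
        self.settled = {}    # withdrawal reference -> txid seen in the chain

    def record_broadcast(self, ref: str, tx: dict) -> None:
        self.sent[content_id(tx)] = (ref, txid(tx))

    def on_confirmed(self, tx: dict) -> str:
        entry = self.sent.get(content_id(tx))
        if entry is None:
            return "not-ours"
        ref, broadcast_txid = entry
        self.settled[ref] = txid(tx)
        return "settled" if txid(tx) == broadcast_txid else "settled-with-changed-txid"

    def may_reissue(self, ref: str) -> bool:
        """A complaint may trigger a new payment only if nothing settled it."""
        return ref not in self.settled


# Constructed sample data: opaque placeholder bytes, not real keys or signatures.
PREV = "ab" * 32
BROADCAST = {"inputs": [(PREV, 0, b"\x01" * 72)],
             "outputs": [(50_000, b"\x76\xa9" + b"\x11" * 20)]}
CONFIRMED = {"inputs": [(PREV, 0, b"\x02" * 72)],   # same content, different bits
             "outputs": BROADCAST["outputs"]}

if __name__ == "__main__":
    ledger = WithdrawalLedger()
    ledger.record_broadcast("withdrawal-1", BROADCAST)
    print("txid matches:", txid(BROADCAST) == txid(CONFIRMED))
    print("status:", ledger.on_confirmed(CONFIRMED))
    print("may re-issue:", ledger.may_reissue("withdrawal-1"))
```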
