
<p>Bitcoin: Concepts, Practice, and Research Directions</p>
<p>Part II – Security</p>
<p>Ittay Eyal, Emin Gün Sirer</p>
<p>Computer Science, Cornell University</p>
<p>DISC <a href="/tags/Bitcoin/" rel="tag">Bitcoin</a> Tutorial, October 2014</p>
<p>Copyright © 2014 Ittay Eyal, Emin Gün Sirer</p>
<p>Part 2 – Security</p>
<p>• Unbelievable security of core system</p>
<p>• The mining industry</p>
<p>• Classical attacks</p>
<p>• Centralization</p>
<p>• Misaligned incentives: Transactions, Mining</p>
<p>• Reducing pool sizes</p>
<p>• User-side security</p>
<p>Core System Availability</p>
<p>Almost always on.</p>
<p>Despite no shortage of attack motivation.</p>
<p>The March 2013 Fork</p>
<p>• Miner with version 0.8.0 generated a large block.</p>
<p>• Old versions rejected it.</p>
<p>[Figure: forked chain. Labels: version 0.8.0 miners, pre-0.8.0 miners]</p>
<p>Solution:</p>
<p>1. Major miners downgraded to pre-0.8.0.</p>
<p>2. Upgrade to 0.8.1 prevented large blocks.</p>
<p>3. 5 months later: Upgrade done right.</p>
<p>The Mining Industry</p>
<p>Mining</p>
<p>Difficulty rise:</p>
<p>[Figure: Total Network Hash Rate. Hash rate in TH/sec, Mar '13 to Jan '14. Source: <a href="/tags/Blockchain/" rel="tag">Blockchain</a>.info]</p>
<p>Mining Industry</p>
<p>• Avalon</p>
<p>• ASIC Miner</p>
<p>• BitMine</p>
<p>• Butterfly Labs</p>
<p>• CoinTerra</p>
<p>• GAW Miners</p>
<p>• HashFast</p>
<p>• KnC Miner</p>
<p>• Spondoolies</p>
<p>This is what makes Bitcoin secure.</p>
<p>Classical Attacks</p>
<p>Double Spending</p>
<p>Eve buys coffee from Bob but keeps her money:</p>
<p>1. [Diagram. Labels: B, C]</p>
<p>2. Bob provides product to Eve.</p>
<p>3. [Diagram. Labels: B, C]</p>
<p>Similar, but more feasible: The Finney attack</p>
<p>Majority Attacker, aka 51%</p>
<p>Attacker produces the longest chain.</p>
<p>Attacker cannot steal. Attacker can:</p>
<p>• Require excessive transaction fees,</p>
<p>• take ransom from a single user, or</p>
<p>• prevent all transactions (DoS).</p>
<p>Centralization</p>
<p>One entity gains control of the blockchain:</p>
<p>• Single majority miner</p>
<p>• Consortium of pools</p>
<p>Breaks Bitcoin’s essential premise.</p>
<p>Pool GHash.IO (w/ CEX.IO) surpassed 50%.</p>
<p>Community raged.</p>
<p>DoS attacks on pool.</p>
<p>GHash promptly reduced its rate.</p>
<p>(Almost) no good reason for such large pools.</p>
<p>• Nice interface.</p>
<p>• Good uptime.</p>
<p>Misaligned Incentives: Transaction Propagation</p>
<p>Transaction Propagation [1]</p>
<p>Nodes should propagate transactions.</p>
<p>But why would they?</p>
<p>Actual incentive: don’t propagate.</p>
<p>DARPA Network Challenge ’09: Find 10 red balloons in US.</p>
<p>Winner: MIT Group</p>
<p>Technique:</p>
<p>$2000 to finder</p>
<p>$1000 to recruiter</p>
<p>$500 to 2nd recruiter</p>
<p>…</p>
<p>Applicable to Bitcoin?</p>
<p>Red balloons technique not applicable to Bitcoin.</p>
<p>• Why recruit your own competition? Unlike balloons case where you recruit far away.</p>
<p>• Can masquerade as your own recruits. Unlike balloons case where you physically show up.</p>
<p>Solution sketch:</p>
<p>Set integers H and β according to topology.</p>
<p>Then, for a chain of length l:</p>
<p>If l > H</p>
<p>• no reward.</p>
<p>Otherwise,</p>
<p>• miner gets 1 + (H − l + 1)β,</p>
<p>• others get 1.</p>
<p>[1] Babaioff, Dobzinski, Oren, and Zohar, On Bitcoin and Red Balloons. EC’12</p>
<p>Misaligned Incentives: Selfish Mining</p>
<p>Common Wisdom</p>
<p>Nakamoto’s Bitcoin mining protocol is incentive compatible (assuming an honest majority)</p>
<p>1. Best strategy: being honest</p>
<p>2. Revenue proportional to compute power</p>
<p>Selfish Mining [1]</p>
<p>Goal: Get more than fair share.</p>
<p>How: Maintain secret blocks, publish judiciously.</p>
<p>Intuition: Risk some work, others waste a lot.</p>
<p>[1] Eyal and Sirer: Majority is not Enough: Bitcoin Mining is Vulnerable, FC’14</p>
<p>Selfish Mining Algorithm</p>
<p>(a) Any state but two branches of length 1. Pool finds a block. Keep it secret. No revenue.</p>
<p>(h) Lead more than 2. Others find a block. Publish one block. Selfish gets 1.</p>
<p>(g) Lead of 2. Others find a block. Publish secret chain. Selfish gets 2.</p>
<p>(f) Lead of 1. Others find a block. Publish secret block. No revenue.</p>
<p>γ: Ratio of others that follow pool</p>
<p>(b) Two branches of length 1. Pool finds a block. Publish branch. Selfish gets 2.</p>
<p>(c) Two branches of length 1. Others find a block after pool head. Revenue: Each get 1.</p>
<p>(d) Two branches of length 1. Others find a block after others’ head. Revenue: Others get 2.</p>
<p>(e) No private branch. Others find a block. Revenue: Others get 1.</p>
<p>Selfish Mining: Analysis</p>
<p>Selfish Mining – Probabilities</p>
<p>[Figure: state machine over the pool's lead, with states 0, 0′, 1, 2, 3, 4 and transition probabilities α, 1 − α, γ(1 − α) and (1 − γ)(1 − α)]</p>
<p>Selfish Mining – Revenue</p>
<p>Auto-adjusting difficulty, so: \( R_{pool} = \frac{r_{pool}}{r_{pool} + r_{others}} \)</p>
<p>Selfish Mining: Implications</p>
<p>Attack Feasible</p>
<p>[Figure: mining pools, ~February 2014. Labels: Unknown, P2Pool, Ghash.IO, Slush, BTC Guild, Eligius]</p>
<p>Catastrophe Scenario</p>
<p>After threshold: Rational miners want to join selfish pool.</p>
<p>Superlinear growth: Selfish pool wants to grow.</p>
<p>Rational miners want to join selfish pool. + Selfish pool wants to grow. = Selfish pool may grow towards 50%. NOT GOOD.</p>
<p>Attack Happening Now?</p>
<p>[Figure: mining pools, ~February 2014 (labels: Unknown, P2Pool, Ghash.IO, Slush, BTC Guild, Eligius) and April 16, 2014 (label: Ghash.IO)]</p>
<p>Hardening the protocol</p>
<p>Algorithm change:</p>
<p>• Propagate all blocks of longest chain.</p>
<p>• Choose one at random to mine on.</p>
<p>Benefits:</p>
<p>• Proved threshold</p>
<p>• Backward compatible</p>
<p>• Progressive</p>
<p>• Simple</p>
<p>Reducing Pool Sizes</p>
<p>P2Pool [1]</p>
<p>A peer to peer distributed pool.</p>
<p>• A separate blockchain with Easy PoW</p>
<p>• Blocks distribute potential revenue among miners.</p>
<p>• Actual revenue on full PoW.</p>
<p>[1] Forrest Voight, p2pool: Decentralized, DoS-resistant, Hop-Proof pool, Bitcoin Forum, June 2011</p>
<p>Pool Limiting</p>
<p>• Non-outsourceable PoW [1]: Cryptographic technique: A miner can steal from the pool when it finds a block.</p>
<p>• Pool cannot outsource differently.</p>
<p>• Block does not reveal secret.</p>
<p>• Permacoin [2]: Proof of storage rather than work. Storage should not be outsourceable.</p>
<p>[1] Miller, Shi, Kosba, and Katz. Nonoutsourceable Scratch-Off Puzzles to Discourage Bitcoin Mining Coalitions. TR</p>
<p>[2] Miller, Juels, Shi, Parno and Katz. Permacoin: Repurposing Bitcoin Work for Data Preservation. TR</p>
<p>2-Phase <a href="/tags/Proof_of_work/" rel="tag">Proof of Work</a></p>
<p>Split the proof of work.</p>
<p>• Phase 1: Standard Bitcoin, but easier.</p>
<p>• Phase 2: Requires <a href="/tags/Coinbase/" rel="tag">coinbase</a> secret key.</p>
<p>Benefits:</p>
<p>• Existing infrastructure controlled phase-out. HW, datacenters.</p>
<p>• Pool must trust miners to outsource phase 2. Miner could try and steal the coinbase.</p>
<p>User-side Security</p>
<p>Client must keep private keys secret.</p>
<p>High availability vs. security</p>
<p>Individual and large organizations security differs only in scale.</p>
<p>Unprecedented security requirements from commodity systems.</p>
<p>Individuals</p>
<p>Tools:</p>
<p>• Standard client</p>
<p>• Software wallets (for phone)</p>
<p>• Online wallets</p>
<p>• Brain wallets</p>
<p>• Hardware wallets</p>
<p>Practice:</p>
<p>• Limited amount on phone</p>
<p>• Cold storage – replicated</p>
<p>• Use correct cryptography [1]</p>
<p>[1] Bos, Halderman, Heninger, Moore, Naehrig and Wustrow: Elliptic Curve Cryptography in Practice, FC’14</p>
<p>Large services</p>
<p>Tools:</p>
<p>• Plenty of firewalls</p>
<p>• Bullet proof front-end systems</p>
<p>• Bullet proof back-end systems</p>
<p>Practice:</p>
<p>• Cold storage</p>
<p>• Auditing</p>
<p>Transaction Malleability</p>
<p>Transaction hash used to track transactions.</p>
<p>But it’s possible to change a transaction:</p>
<p>[Figure: two versions of one transaction, each labelled: input 1, output 1, amount 1]</p>
<p>Change scriptSig: Still valid, for same content, different bits.</p>
<p>1. Change signature. (Crypto trick)</p>
<p>2. Change script. (Protocol trick)</p>
<p>The MtGox con:</p>
<p>1. Issue withdraw command.</p>
<p>2. Generate malformed txn, place in public buffer.</p>
<p>3. Change txn and publish it; get the money.</p>
<p>4. Call Mt.Gox to complain.</p>
<p>5. Pay again with new txn.</p>
<p>6. Get money again.</p>
<p>Miners and Pools</p>
<p>• The BGP attack</p>
<p>[Figure: BGP attack. Labels: BGP Attack, Get STRATUM, Get work, Send PoW]</p>
<p>• Block Withholding: Miner sends pool PoW. Unless it’s an actual solution.</p>
<p>Bitcoin: Concepts, Practice, and Research Directions</p>
<p>Part III – Other Research</p>
<p>Part 2 – Other Research</p>
<p>• Alt-coins</p>
<p>• Extensions</p>
<p>• Privacy</p>
<p>• Contemporary issues</p>
<p>Alt-coins &amp; Extensions</p>
<p>Parameter changing</p>
<p>• Block frequency: Faster confirmation; More forks</p>
<p>• PoW choice: More green? (no); More fair? (no)</p>
<p>• Difficulty adjustment rate: Defense against flash miners</p>
<p>Proof of stake [1]</p>
<p>Goal:</p>
<p>• Save some trees.</p>
<p>• Power to the users! (rather than miners)</p>
<p>Method:</p>
<p>• Proof of Stake (PoS) instead of Proof of Work: Lock coins to create block.</p>
<p>But nothing is at stake!</p>
<p>[Figure: two diagrams, each with labels S1, S2]</p>
<p>[1] King and Nadal. PPCoin: Peer-to-Peer Crypto-Currency with Proof of Stake, August ‘12</p>
<p>Merged mining</p>
<p>Bitcoin PoW contains:</p>
<p>• Useless transaction (alt-coin header hash x)</p>
<p>Alt-coin PoW contains:</p>
<p>• Alt-coin header with hash x</p>
<p>• Bitcoin header with transaction x</p>
<p>Miners benefit from mining both chains together. So they do.</p>
<p>Alt-coin gets mining power from day one.</p>
<p>Smart Contracts</p>
<p>• Smart Contracts:</p>
<p>• m out of n signatures.</p>
<p>• Time-locked transactions: Time to place in blockchain. Time to use outputs.</p>
<p>• Ethereum: outsource distributed computing (got 31k BTC, at $18 million)</p>
<p>• Transactions generate transactions.</p>
<p>• Transactions activate one another.</p>
<p>Extensions</p>
<p>• Colored coins: Associate assets to individual <a href="/tags/Bitcoin/" rel="tag">Bitcoins</a>.</p>
<p>• Side chains: Faster; backed by main blockchain; less secure</p>
<p>Privacy</p>
<p>Transaction Tracking</p>
<p>All transactions remain in Blockchain forever.</p>
<p>One can associate addresses by detective work. [1] [2]</p>
<p>• For large scale crime? Not great.</p>
<p>• For somewhat secret activity? Pretty good.</p>
<p>[1] Ron and Shamir, FC’14</p>
<p>[2] Meiklejohn, Pomarole, Jordan, Levchenko, McCoy, Voelker, Savage. IMC’13</p>
<p>Zerocoin and Zerocash</p>
<p>Zerocash [2]: Privacy preserving alt-coin on top of Bitcoin. (preceded by Zerocoin [1])</p>
<p>The key:</p>
<p>To move funds: prove* that “I know the secret for moving certain coins”.</p>
<p>Without revealing the sources or the value.</p>
<p>But still preventing double-spending.</p>
<p>*Zero-knowledge Succinct Non-interactive Arguments of Knowledge (zk-SNARKs)</p>
<p>[1] Miers et al., IEEE S&amp;P, 2013</p>
<p>[2] Ben-Sasson et al., TR, 2014</p>
<p>Stealth Addresses</p>
<p>The goal: Untrackable transactions to public address.</p>
<p>The method:</p>
<p>1. Bob publishes address template x.</p>
<p>2. Alice sends Bitcoin to augmented address x′.</p>
<p>3. Bob finds x′ and controls it.</p>
<p>• No one but Alice and Bob know x′. Need either Alice’s secrets or Bob’s.</p>
<p>• Only Alice controls x′.</p>
<p>Contemporary Issues</p>
<p>Scalability</p>
<p>Initialization:</p>
<p>• Blockchain over 22GB. Linear growth.</p>
<p>• Long time for bootstrapping</p>
<p>Running (at 7 txn/sec):</p>
<p>CPU: Insignificant</p>
<p>UTXO + Mempool Memory: ~100MB</p>
<p>Network: ~30Kb/sec</p>
<p>Lightweight clients: Simple Proof Verification</p>
<p>Initialization speedup: [1]</p>
<p>• Headers first</p>
<p>• UTXO first</p>
<p>[1] Gavin Andresen, A Scalability Roadmap, BTC Foundation Blog, October 2014</p>
<p>UTXO and Mempool Maintenance</p>
<p>UTXO set becoming large. Miners can choose to skip transaction verification.</p>
<p>Mempool becoming large. Miners can publish empty blocks.</p>
<p>Block Propagation Time</p>
<p>Block propagation time:</p>
<p>• Too long.</p>
<p>• Depends on block size.</p>
<p>Suggested solutions:</p>
<p>• Transaction set reconciliation.</p>
<p>• Header first.</p>
<p>BIP 70 – Payment Protocol</p>
<p>Bitcoin: Concepts, Practice, and Research Directions</p>
<p>Part IV – Non-technical</p>
<p>Economy</p>
<p>• Deflationary (21 million total)</p>
<p>• What is it? Store of value? Method to transact USD?</p>
<p>• So what’s the potential value (USD/BTC)?</p>
<p>• Function of mining cost? No! Rate is set.</p>
<p>• Ratio of world economy?</p>
<p>• Ratio of world transactions, and a function of the time it needs to store value?</p>
<p>Reasons for Volatility</p>
<p>• Regulation: Anti Money Laundering (US/Europe); Adoption / rejection (China, Russia); Fiat regulation (Cyprus, Greece)</p>
<p>• Adoption: Large companies (Dell, PayPal); Illegal (Silk Road)</p>
<p>• Security: Mt. Gox</p>
<p>• Technical: Not really</p>
<p>Tax</p>
<p>Commodity or currency? Something else?</p>
<p>Revenue in Bitcoin</p>
<p>Exchange</p>
<p>Mining?</p>
<p>Legal</p>
<p>• Payment for illicit goods.</p>
<p>• Money laundering</p>
<p>• Tumblers</p>
<p>• w/ pool fees</p>
<p>• Bitcoin ATMs</p>
<p>Community</p>
<p>Diverse – a lot of players</p>
<p>• Community health</p>
<p>• Maturing</p>
<p>• Governance: Mostly the <a href="/tags/Bitcoin_Foundation/" rel="tag">Bitcoin Foundation</a></p>
<p>• Protocol changes</p>
<p>• Interaction with state regulation</p>
<p>• Bitcoin central bank?</p>
<p>• Large service auditing</p>
<p>Conclusion</p>
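<p>The Selfish Mining Algorithm cases (a) to (h) and the revenue ratio from the slides, as an added example that is not part of the original deck: a seeded simulation of the state machine for checking which pool shares exceed the profitability threshold, for instance with γ = 0.5, which is what choosing a branch at random gives. The closed-form revenue and threshold are taken from the cited Eyal and Sirer paper, not from the slides; function names, the event count and the seed are assumptions.</p>

```python
import random

def simulate(alpha, gamma, events=300_000, seed=2014):
    """Relative revenue of a pool with hash share alpha that withholds blocks.

    gamma is the ratio of the other miners that mine on the pool's branch
    during a tie. Letters (a)-(h) refer to the cases listed on the slides.
    """
    rng = random.Random(seed)
    lead = 0            # private blocks the pool is ahead of the public chain
    tie = False         # True: two public branches of length 1
    pool = others = 0   # blocks credited in the final main chain
    for _ in range(events):
        pool_found = rng.random() < alpha
        if tie:
            if pool_found:                  # (b) pool extends its own branch
                pool += 2
            elif rng.random() < gamma:      # (c) others extend the pool's head
                pool += 1
                others += 1
            else:                           # (d) others extend others' head
                others += 2
            tie = False
        elif pool_found:                    # (a) keep the new block secret
            lead += 1
        elif lead == 0:                     # (e) no private branch
            others += 1
        elif lead == 1:                     # (f) publish, the race starts
            lead, tie = 0, True
        elif lead == 2:                     # (g) publish the whole secret chain
            pool += 2
            lead = 0
        else:                               # (h) publish one block
            pool += 1
            lead -= 1
    return pool / (pool + others)           # R_pool = r_pool / (r_pool + r_others)

def closed_form(alpha, gamma):
    """R_pool as derived in Eyal and Sirer, FC'14 (not printed on the slides)."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    return num / (1 - alpha * (1 + (2 - alpha) * alpha))

def threshold(gamma):
    """Pool share above which withholding beats honest mining (same paper)."""
    return (1 - gamma) / (3 - 2 * gamma)

def sweep(gamma, shares=(0.10, 0.20, 0.25, 0.30, 1 / 3, 0.40)):
    """Rows of (alpha, simulated R_pool, closed-form R_pool, exceeds fair share)."""
    return [(a, simulate(a, gamma), closed_form(a, gamma), closed_form(a, gamma) > a)
            for a in shares]

if __name__ == "__main__":
    for gamma in (0.0, 0.5, 1.0):
        print(f"gamma={gamma}: threshold {threshold(gamma):.3f}")
        for a, sim, exact, wins in sweep(gamma):
            print(f"  alpha={a:.3f} simulated={sim:.4f} "
                  f"closed-form={exact:.4f} above fair share={wins}")
```

<p>With γ = 0.5 the threshold is 0.25, so a pool below a quarter of the hash rate earns less than its fair share by deviating.</p>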