Introduction to Cryptocurrencies
[ACM CCS’15 tutorial, duration: 4 hours]
Stefan Dziembowski, University of Warsaw

ABSTRACT

The goal of this tutorial is to provide a research-oriented introduction to the cryptographic currencies. We will start with a description of Bitcoin and its main design principles. We will then discuss some of its weaknesses, including the selfish mining attack, and show some ideas for dealing with these problems. We will talk about the mechanics of the mining pools and ideas for discouraging the mining pool creation. We will also provide an introduction to the smart contracts, and give some examples of them, including the multiparty lotteries. We will then present alternative currencies that were designed to remedy some of the problems of Bitcoin. In particular, we will talk about the Litecoin (which was created to make hardware mining less profitable), the Primecoin and Permacoin (created to make mining “useful” for some purpose), and the Proofs of Stake and the Proofs of Space (which are attempts to replace the proofs of work by some other method for reaching consensus). We will also discuss the problem of true anonymity in cryptocurrencies and explain the main ideas behind the Zerocoin, which is a new currency that provides true anonymity. Finally, we will present some examples of the blockchain technology being used for other (non-financial) purposes. We will be mostly interested in the “conceptual” aspects of this topic. In other words: our goal will be to explain the most interesting ideas that emerged in this area, and we will ignore many technical details that are not relevant to this (like: the practical aspects of setting up a Bitcoin miner). We will also discuss the most important research challenges in this area.

1. INTRODUCTION

The cryptographic currencies (also dubbed the cryptocurrencies) are a fascinating recent concept whose popularity exploded in the past few years. Their main distinguishing feature is that they are not controlled by any single entity (like a central bank). Instead, they are jointly maintained by their anonymous users connected via peer-to-peer networks. Their security is based purely on the security of the underlying cryptographic primitives, and additionally on some global assumptions about the behavior of their users (like, e.g., an assumption that the majority of the computing power is controlled by the honest participants). Historically the first, and the most prominent, cryptocurrency is the Bitcoin, introduced in 2008 by an anonymous developer using the pseudonym “Satoshi Nakamoto” [25]. Although initially these currencies were used mostly by a limited group of enthusiasts, they quickly gained noticeable attention among the general public, and their economic importance is already quite significant: the current capitalization of Bitcoin is above 3.5 billion USD, and the average number of transactions per day is typically above 100,000. Admittedly, this currency is not yet widely accepted by the merchants, but this situation is likely to change in the near future. Probably the most intriguing technical innovations of Bitcoin are: the mechanism for reaching consensus in fully distributed peer-to-peer networks (the so-called blockchain technology), and the transaction syntax that allows one to execute distributed financial operations that are much more complex than simple money transfers. Even the sheer financial importance of the cryptocurrencies makes them an interesting research area. In our opinion, however, what makes this topic even more fascinating are the conceptual ideas behind it, especially since they have the potential to be used also in other applications.

Goal of this tutorial. The goal of this tutorial is to provide a research-oriented introduction to the cryptocurrencies. Our main focus will be the Bitcoin, but we will also talk about some alternative ideas used in other currencies. We will present the main principles of the Bitcoin design, discuss some of its weaknesses, and show some ideas for improvements. We will also discuss the most important research challenges in this area. We will be mostly interested in the “conceptual” aspects of this topic. In other words: our goal will be to explain the most interesting scientific ideas that emerged in this area, and we will ignore many technical details that are not relevant to this (like: the practical aspects of setting up a Bitcoin miner).

Intended audience. This tutorial will be suitable for all the ACM CCS participants, both coming from the academia and from the industry.

Prerequisite knowledge. We will assume familiarity with the basic cryptographic primitives, such as the hash functions, the signature schemes, and encryption. No prior knowledge of Bitcoin or other cryptographic currencies is required.

2. PROGRAM

2.1 Introduction [15 mins]

We will start with a brief overview of the history of the cryptocurrencies. We will identify the main financial and social aspects that contributed to the success of Bitcoin, and mention some opinions of prominent economists about the cryptocurrencies, both those supporting this idea, and those that are skeptical about it. We will show how the popularity of Bitcoin grew over time, and how its price fluctuated. We will also mention some important events in the history of the Bitcoin community (like the MtGox collapse). We will not discuss these issues in detail, since the economic aspects of Bitcoin are not the main focus of this tutorial.

2.2 Bitcoin main design principles [40 mins]

We will introduce the transaction ledger as a technique that can be used to prevent double-spending of electronic cash. We will point out that the Sybil attacks [13] should be taken into account when designing a protocol that emulates such a ledger. We will explain what the Proofs of Work (PoWs) [14] are and how to apply them to thwart the Sybil attacks. We will present the Bitcoin PoW, and show how it is used in the construction of the blockchain (the Bitcoin implementation of the transaction ledger). We will describe the main assumptions that are needed for the security of this construction; in particular, we will show why it requires the assumption that the majority of the computing power is controlled by honest users, and present an informal argument that this assumption suffices (the gaps in this reasoning will be shown later, see Section 2.4).

We will then describe the Bitcoin design in more detail. We will show how the Bitcoin ledger is maintained by the users called miners, who solve the PoWs in a process called mining, and what the incentives to engage in it are. We will explain how the reward for finding a new block changes over time, and explain the role of the transaction fees. We will explain the concept of the hashrate, show how the total hashrate of the Bitcoin users changed over time, and describe how the hardness of Bitcoin’s PoWs is adjusted to the changing hashrate.

We will then talk about the transaction syntax. We will start with the standard transactions, and show how the signature schemes are used to validate them. We will then present some basic types of transactions: multi-output, multi-input, time-locked, multi-signature, and pay-to-hash. We will then highlight that much more general forms of transactions are possible. For the moment we will not go into the details of this, as it will be discussed later (cf. Section 2.5). Throughout this part of the tutorial we will frequently use examples of blocks and transactions from the real blockchain.
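As an added illustration (it is not part of the tutorial and not Bitcoin’s own code), the following Python model shows the three mechanisms of this section working together: a block is valid when the double-SHA256 of its header is at most a target, a verifier accepts a fork by cumulative expected work rather than by length (which is why the honest-majority assumption is about hashrate), and the target is retargeted from the ratio of actual to expected block time with Bitcoin’s factor-of-4 clamp. The header layout, the `payload` field standing in for the Merkle root, and the constants are simplifications assumed for this example.

```python
import hashlib
from dataclasses import dataclass

MAX_TARGET = (1 << 256) - 1   # easiest possible target: every hash is below it


def double_sha256(data: bytes) -> bytes:
    # Bitcoin hashes block headers with SHA-256 applied twice.
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass
class Block:
    prev_hash: str   # hex hash of the previous block's header (chains the ledger)
    payload: str     # stands in for the Merkle root of the block's transactions
    target: int      # the header hash must be <= target for the PoW to be valid
    nonce: int = 0

    def header(self) -> bytes:
        # Simplified header layout assumed for this example (real headers are binary).
        return f"{self.prev_hash}|{self.payload}|{self.target:064x}|{self.nonce}".encode()

    def hash(self) -> str:
        return double_sha256(self.header()).hex()

    def is_valid_pow(self) -> bool:
        return int(self.hash(), 16) <= self.target


def mine(block: Block, max_tries: int = 1 << 24) -> Block:
    """Brute-force the nonce until the header hash meets the target."""
    for nonce in range(max_tries):
        block.nonce = nonce
        if block.is_valid_pow():
            return block
    raise RuntimeError("no valid nonce found within max_tries")


def build_chain(n_blocks: int, target: int, prefix: str = "txs") -> list:
    """Mine n_blocks blocks on top of an all-zero genesis hash (constructed input)."""
    chain, prev = [], "0" * 64
    for i in range(n_blocks):
        block = mine(Block(prev_hash=prev, payload=f"{prefix}-{i}", target=target))
        chain.append(block)
        prev = block.hash()
    return chain


def validate_chain(chain: list, genesis_hash: str = "0" * 64) -> bool:
    """A verifier only checks hash links and PoW; editing a block breaks every link after it."""
    prev = genesis_hash
    for block in chain:
        if block.prev_hash != prev or not block.is_valid_pow():
            return False
        prev = block.hash()
    return True


def expected_work(target: int) -> float:
    """Expected number of hash evaluations needed to meet the target."""
    return (MAX_TARGET + 1) / (target + 1)


def chain_work(chain: list) -> float:
    # Nodes follow the chain with the most cumulative work, not the longest one.
    return sum(expected_work(b.target) for b in chain)


def adjust_target(old_target: int, actual_seconds: int, expected_seconds: int) -> int:
    """Bitcoin-style retargeting: scale the target by actual/expected time of the last
    window, with the ratio clamped to [1/4, 4] so one window cannot swing it arbitrarily."""
    actual = max(expected_seconds // 4, min(expected_seconds * 4, actual_seconds))
    return min(MAX_TARGET, old_target * actual // expected_seconds)


if __name__ == "__main__":
    target = MAX_TARGET >> 12          # about 4096 hash attempts per block
    chain = build_chain(3, target)
    for b in chain:
        print(b.nonce, b.hash())
    print("valid:", validate_chain(chain), "work:", chain_work(chain))
    chain[1].payload = "tampered"      # breaks block 1's PoW and the link from block 2
    print("valid after tampering:", validate_chain(chain))
    # A two-week window (2016 blocks * 10 min) mined in one week: the target halves.
    print(adjust_target(target, 7 * 24 * 3600, 14 * 24 * 3600) == target // 2)
```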

2.3 Bitcoin mining pools [40 mins]

Mining pools are coalitions of miners that share the reward from mining new blocks. This part of the tutorial will be partly based on [28]. We will discuss the economic reasons for joining the mining pools (reducing the variance of the mining reward). We will then talk about the mechanics of the mining pool reward systems. We will start with the basic systems: the Pay-per-share, and the proportional one. We will show the pool hopping attack against the proportional system. We will discuss some of the systems that were created as a response to this attack (Slush’s system, Geometric, and Pay-per-last-N-shares). We will discuss some other attacks against the mining pool systems (Sabotage and Lie in wait). We will also show how mining pools can be decentralized via the so-called peer-to-peer mining technique.

Discouraging the mining pool creation. We will explain the risks behind the pooled mining. In particular, we will point out that it leads to the centralization of the control over mining. We will illustrate it with the example of the Ghash.io pool gaining control over the majority of the hashrate in June 2014. We will then discuss some ideas for the Bitcoin modifications that discourage the mining pool creation [24, 17].
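As an added example (not from the tutorial or from [28]), the following Python simulation shows why the proportional reward system is exposed to pool hopping while Pay-per-share is not: under the proportional scheme a share submitted early in a round is worth more than one submitted late, so a miner who submits shares only while the round is young earns more per share than the pool members who stay, at their expense. The 43.5% hopping threshold is the one usually quoted for the proportional system; the share-by-share round model, the 50/50 hashrate split and the seed are constructed inputs for this example.

```python
import random

BLOCK_REWARD = 1.0   # constructed unit: the pool earns 1.0 per block it finds


def pps_payout(shares: int, difficulty: int) -> float:
    """Pay-per-share: every share is paid its expected value B/D immediately, so
    when a share is submitted within a round cannot change what it earns."""
    return shares * BLOCK_REWARD / difficulty


def fair_per_share(difficulty: int) -> float:
    """Expected value of one share when the block reward is split without bias."""
    return BLOCK_REWARD / difficulty


def simulate_proportional(rounds: int, difficulty: int, hopper_fraction: float,
                          hop_threshold: float, seed: int = 1) -> dict:
    """Proportional reward system: at the end of each round the block reward is
    split among that round's shares. 'loyal' miners submit every share to the
    pool; the 'hopper' submits only while the round holds fewer than
    hop_threshold * difficulty shares and mines elsewhere after that.
    Each share is a block with probability 1/difficulty."""
    rng = random.Random(seed)
    totals = {"loyal": [0, 0.0], "hopper": [0, 0.0]}   # [shares, reward]
    for _ in range(rounds):
        in_round = {"loyal": 0, "hopper": 0}
        while True:
            shares_so_far = in_round["loyal"] + in_round["hopper"]
            hopper_present = shares_so_far < hop_threshold * difficulty
            if hopper_present and rng.random() < hopper_fraction:
                in_round["hopper"] += 1
            else:
                in_round["loyal"] += 1
            if rng.random() < 1.0 / difficulty:    # this share solved a block
                break
        total = in_round["loyal"] + in_round["hopper"]
        for who in totals:
            totals[who][0] += in_round[who]
            totals[who][1] += BLOCK_REWARD * in_round[who] / total
    return {who: {"shares": n, "reward": r, "per_share": (r / n if n else 0.0)}
            for who, (n, r) in totals.items()}


if __name__ == "__main__":
    difficulty = 200
    fair = fair_per_share(difficulty)
    hopping = simulate_proportional(2000, difficulty, 0.5, 0.435)
    staying = simulate_proportional(2000, difficulty, 0.5, float("inf"))
    for name, res in (("hopper active", hopping), ("no hopping", staying)):
        print(name)
        for who, s in res.items():
            print(f"  {who}: {s['shares']} shares, {s['per_share'] / fair:.2f} x fair value")
    print("PPS pays the same per share whenever it is submitted:",
          pps_payout(87, difficulty) == 87 * fair)
```

With the hopper active, the loyal miners' per-share reward drops below the fair value; under Pay-per-share the pool operator absorbs the round variance instead, which is the trade-off the later reward systems try to balance.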

2.4 Security weaknesses of Bitcoin [45 mins]

We will discuss the quality of the Bitcoin design. We will mention some incidents when programming errors led to forks that needed to be resolved “manually” (which indicates that some degree of centralized control is in fact needed in Bitcoin). We will also explain the transaction malleability problem and show why it makes the Bitcoin software development more prone to programming errors. We will then present more fundamental problems with the blockchain technology. In particular, we will explain the selfish mining attack introduced in the groundbreaking paper of Eyal and Sirer [18] (see also [20]). In this attack, miners that control a minority of the computing power can obtain more revenue from mining by deviating from the official protocol, namely by withholding some of the blocks that they mine. We will then describe the difficulty raising attack of Lear Bahack [6, 12], which exploits the way in which the mining difficulty is adjusted in Bitcoin. We will also talk about the bribery attacks of [10], where the attacker rents the computing power of other users in order to break the system. We will discuss the subtleties in the Bitcoin economic model that are needed to analyze this attack, and that were ignored in Nakamoto’s paper [25]. We will go back to this while discussing the open problems in this area (Section 2.7).
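As an added example (not code from the tutorial or from [18]), the following Python block quantifies the selfish mining risk the way a pool operator or protocol designer would want to see it: it evaluates Eyal and Sirer’s closed-form revenue expression and runs a Monte Carlo walk over the block-withholding state machine, so one can read off at which hashrate fraction α the deviation starts to pay more than honest mining. α and γ (the fraction of honest miners that build on the withholding pool’s block when two equal-length branches compete) follow the paper’s notation; the state encoding of the simulation and the seed are this example’s own.

```python
import random


def selfish_revenue(alpha: float, gamma: float) -> float:
    """Eyal and Sirer's closed form: the fraction of main-chain blocks earned by a
    withholding pool with hashrate alpha, where gamma is the fraction of honest
    miners that mine on the pool's block during a tie. Honest mining earns alpha."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def profitability_threshold(gamma: float) -> float:
    """Smallest hashrate at which withholding beats honest mining (revenue > alpha).
    With gamma = 0 this is 1/3; the better the pool's network position, the lower."""
    return (1 - gamma) / (3 - 2 * gamma)


def simulate(alpha: float, gamma: float, steps: int, seed: int = 7) -> float:
    """Monte Carlo walk over the withholding state machine; returns the pool's share
    of the blocks that end up in the main chain. `lead` counts private blocks beyond
    the public chain; `tie` marks two equal branches racing after the pool published
    its single private block in response to an honest block."""
    rng = random.Random(seed)
    lead, tie = 0, False
    pool_blocks = honest_blocks = 0
    for _ in range(steps):
        pool_found = rng.random() < alpha
        if tie:
            if pool_found:                      # pool extends its own branch: both count
                pool_blocks += 2
            elif rng.random() < gamma:          # honest block built on the pool's block
                pool_blocks += 1
                honest_blocks += 1
            else:                               # honest branch wins the race
                honest_blocks += 2
            tie = False
        elif pool_found:
            lead += 1                           # keep the new block private
        elif lead == 0:
            honest_blocks += 1                  # nothing withheld; honest block counts
        elif lead == 1:
            lead, tie = 0, True                 # publish and race the honest block
        elif lead == 2:
            pool_blocks += 2                    # publish both; the honest block is orphaned
            lead = 0
        else:
            pool_blocks += 1                    # publish one block, keep the rest private
            lead -= 1
    return pool_blocks / (pool_blocks + honest_blocks)


if __name__ == "__main__":
    for gamma in (0.0, 0.5, 1.0):
        print(f"gamma={gamma}: withholding pays off above alpha={profitability_threshold(gamma):.3f}")
    for alpha in (0.2, 0.3, 0.4):
        print(alpha, round(selfish_revenue(alpha, 0.5), 4), round(simulate(alpha, 0.5, 200_000), 4))
```

The simulated share converges to the closed form, and below the threshold the withholding pool earns less than α, which is the quantity a defender monitors when reasoning about how much hashrate any single pool may safely hold.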

2.5 Smart contracts [40 mins]

One of the most intriguing properties of Bitcoin is the possibility of creating the so-called smart contracts (originally proposed in the 1990s by Nick Szabo [29]). Such contracts can be viewed as financial agreements between a number of parties, whose implementations are enforced by the Bitcoin system. Simple examples of such agreements include the escrow and dispute mediation, and the assurance contracts [31]. More advanced types of contracts are the fair multiparty protocols, and in particular the decentralized lotteries [5, 3, 8]. We will give an overview of this area: we will start with explaining in more detail the Bitcoin transaction syntax, and then we will show the basic contracts, and informally explain some of the more advanced ones. Since we want this tutorial to be accessible to the general ACM CCS audience, we will avoid going too much into the formal details of the secure multiparty protocols. We will also give an overview of the Ethereum project, which is a new currency especially designed for creating the distributed contracts.

2.6 Other cryptocurrencies [40 mins]

Discouraging hardware mining. One of the problems of Bitcoin is that mining in hardware is much more efficient than mining in software, and hence it is nowadays completely infeasible to be a miner without investing in specialized hardware. This makes the mining process less democratic, and prevents some applications (e.g. mining as a micropayment). A natural question is whether one can design currencies which are not economical to mine in hardware. We will describe Litecoin [30], which is a currency that was supposed to have this property (unfortunately, hardware miners for this currency have recently become available on the market as well). It is based on the memory-hard function scrypt [27]. We will describe it, and show some weaknesses of the model used in [27] that were pointed out in [1].

Less “wasteful” cryptocurrencies. One problem with the Proofs of Work is that they require the miners to spend significant amounts of electricity on mining. A significant effort has been made to create less “wasteful” cryptocurrencies. There are essentially two approaches here. The first one is to create a cryptocurrency where the work is spent on some “useful” task. We will give an overview of the currencies belonging to this class: the Permacoin [23], and the Primecoin [21]. The second approach is to replace “work” by some other type of resource. This includes the Proofs of Stake [9] (one example being the NXT currency), and the Proofs of Space [15], which are used in the recent Spacecoin proposal [26]. We will give a short overview of these approaches.

More anonymity. Since Bitcoin’s transaction ledger is public, the only anonymity in this system comes from the fact that the users use pseudonyms instead of their real names. As recently shown in [22], this does not provide sufficient privacy protection. We will briefly talk about this result, and then we will explain (on a high level) the main design principles of Zerocash [7], which is a new proposal for a currency that provides true anonymity.

Other applications of the blockchain technology. We will also mention some cases of the blockchain technology being used for other (non-financial) purposes, e.g., the Namecoin system.

2.7 Research directions [20 mins]

We will conclude with an overview of the open research problems in this area (see also [11]). We will go back to the attacks described in Section 2.4, and argue that more understanding of the Bitcoin security model is needed (taking into account the game-theoretic aspects of this problem, see also [16, 19]). A natural question to ask is how to improve the blockchain technology so that it is secure in a model that is as realistic as possible. Another option is to design a new technique for emulating the transaction ledger “from scratch”, possibly using the techniques from the distributed cryptography area (the first step in this direction has been taken in [2]). What are the alternatives to the Proofs of Work, besides those described in Section 2.6? Are there any ideas for discouraging the hardware mining other than the Litecoin method? Are there any more ideas for making the work performed by the miners “useful”?

We will also mention the open problems concerning the distributed contracts; in particular, we will discuss what obstacles need to be overcome to make them really practical (formal modeling of the contracts [4], the need for an external oracle). Finally, we will also describe the problems with securely storing the Bitcoin secret keys (in the so-called wallets).

3. REFERENCES

[1] Joël Alwen and Vladimir Serbinenko. High parallel complexity graphs and memory-hard functions. In Rocco A. Servedio and Ronitt Rubinfeld, editors, 47th ACM STOC, pages 595–603, Portland, OR, USA, June 14–17, 2015. ACM Press.

[2] Marcin Andrychowicz and Stefan Dziembowski. PoW-based distributed cryptography with no trusted setup, 2015. Accepted to the 35th International Cryptology Conference, CRYPTO 2015.

[3] Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Łukasz Mazurek. Fair two-party computations via Bitcoin deposits. In Rainer Böhme, Michael Brenner, Tyler Moore, and Matthew Smith, editors, Financial Cryptography and Data Security, volume 8438 of Lecture Notes in Computer Science, pages 105–121. Springer Berlin Heidelberg, 2014.

[4] Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Łukasz Mazurek. Modeling Bitcoin contracts by timed automata. In Axel Legay and Marius Bozga, editors, Formal Modeling and Analysis of Timed Systems, volume 8711 of Lecture Notes in Computer Science, pages 7–22. Springer International Publishing, 2014.

[5] Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Łukasz Mazurek. Secure multiparty computations on Bitcoin. In 2014 IEEE Symposium on Security and Privacy, pages 443–458, Berkeley, California, USA, May 18–21, 2014. IEEE Computer Society Press.

[6] Lear Bahack. Theoretical Bitcoin attacks with less than half of the computational power (draft). arXiv preprint arXiv:1312.7013, 2013.

[7] Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza. Zerocash: Decentralized anonymous payments from Bitcoin. In 2014 IEEE Symposium on Security and Privacy, pages 459–474, Berkeley, California, USA, May 18–21, 2014. IEEE Computer Society Press.

[8] Iddo Bentov and Ranjit Kumaresan. How to use Bitcoin to design fair protocols. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part II, volume 8617 of LNCS, pages 421–439, Santa Barbara, CA, USA, August 17–21, 2014. Springer, Berlin, Germany.

[9] Iddo Bentov, Charles Lee, Alex Mizrahi, and Meni Rosenfeld. Proof of activity: Extending Bitcoin’s proof of work via proof of stake. Cryptology ePrint Archive, Report 2014/452, 2014. http://eprint.iacr.org/2014/452.

[10] Joseph Bonneau, Edward W. Felten, Steven Goldfeder, Joshua A. Kroll, and Arvind Narayanan. Why buy when you can rent? Bribery attacks on Bitcoin consensus, November 2014. Manuscript available at http://www.jbonneau.com/doc/BFGKN14-bitcoin_bribery.pdf.

[11] Joseph Bonneau, Andrew Miller, Jeremy Clark, Arvind Narayanan, Joshua A. Kroll, and Edward W. Felten. SoK: Research perspectives and challenges for Bitcoin and cryptocurrencies, 2015. 36th IEEE Symposium on Security and Privacy.

[12] Nicolas T. Courtois and Lear Bahack. On subversive miner strategies and block withholding attack in Bitcoin digital currency. CoRR, abs/1402.1718, 2014.

[13] John R. Douceur. The Sybil attack. In Revised Papers from the First International Workshop on Peer-to-Peer Systems, IPTPS ’01, pages 251–260, London, UK, 2002. Springer-Verlag.

[14] Cynthia Dwork and Moni Naor. Pricing via processing or combatting junk mail. In Ernest F. Brickell, editor, CRYPTO’92, volume 740 of LNCS, pages 139–147, Santa Barbara, CA, USA, August 16–20, 1993. Springer, Berlin, Germany.

[15] Stefan Dziembowski, Sebastian Faust, Vladimir Kolmogorov, and Krzysztof Pietrzak. Proofs of space. Cryptology ePrint Archive, Report 2013/796, 2015. http://eprint.iacr.org/2013/796. Accepted to CRYPTO 2015, the 35th International Cryptology Conference.

[16] Ittay Eyal. The miner’s dilemma, 2015. 36th IEEE Symposium on Security and Privacy.

[17] Ittay Eyal and Emin Gün Sirer. How to disincentivize large Bitcoin mining pools. Blog post at Hacking, Distributed, available at http://hackingdistributed.com/2014/06/18/how-to-disincentivize-large-bitcoin-mining-pools/, 2014.

[18] Ittay Eyal and Emin Gün Sirer. Majority is not enough: Bitcoin mining is vulnerable. In Nicolas Christin and Reihaneh Safavi-Naini, editors, FC 2014, volume 8437 of LNCS, pages 436–454, Christ Church, Barbados, March 3–7, 2014. Springer, Berlin, Germany.

[19] Ed Felten. Game theory and Bitcoin, 2013. Freedom to Tinker blog post, available at https://freedom-to-tinker.com/blog/felten/game-theory-and-bitcoin/.

[20] Juan A. Garay, Aggelos Kiayias, and Nikos Leonardos. The Bitcoin backbone protocol: Analysis and applications. In Elisabeth Oswald and Marc Fischlin, editors, EUROCRYPT 2015, Part II, volume 9057 of LNCS, pages 281–310, Sofia, Bulgaria, April 26–30, 2015. Springer, Berlin, Germany.

[21] Sunny King. Primecoin: Cryptocurrency with prime number proof-of-work, 2013. Available at http://primecoin.io/bin/primecoin-paper.pdf.

[22] Sarah Meiklejohn, Marjori Pomarole, Grant Jordan, Kirill Levchenko, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage. A fistful of bitcoins: Characterizing payments among men with no names. In Proceedings of the 2013 Conference on Internet Measurement Conference, IMC ’13, pages 127–140, New York, NY, USA, 2013. ACM.

[23] Andrew Miller, Ari Juels, Elaine Shi, Bryan Parno, and Jonathan Katz. Permacoin: Repurposing Bitcoin work for data preservation. In 2014 IEEE Symposium on Security and Privacy, pages 475–490, Berkeley, California, USA, May 18–21, 2014. IEEE Computer Society Press.

[24] Andrew Miller, Elaine Shi, Ahmed Kosba, and Jonathan Katz. Nonoutsourceable scratch-off puzzles to discourage Bitcoin mining coalitions. Preprint, available at https://cs.umd.edu/~amiller/nonoutsourceable_full.pdf, 2015.

[25] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system, 2008.

[26] Sunoo Park, Krzysztof Pietrzak, Joël Alwen, Georg Fuchsbauer, and Peter Gaži. Spacecoin: A cryptocurrency based on proofs of space. Cryptology ePrint Archive, Report 2015/528, 2015. http://eprint.iacr.org/2015/528.

[27] Colin Percival and Simon Josefsson. The scrypt password-based key derivation function. 2012.

[28] Meni Rosenfeld. Analysis of Bitcoin pooled mining reward systems. CoRR, abs/1112.4980, 2011.

[29] Nick Szabo. Formalizing and securing relationships on public networks. First Monday, 2(9), 1997. Available at http://firstmonday.org/ojs/index.php/fm/article/view/548.

[30] Bitcointalk discussion group. Litecoin - a lite version of Bitcoin. Launched! bitcointalk.org/index.php?topic=47417.0. Accessed on 27.05.2014.

[31] Bitcoin Wiki. Contracts. https://en.bitcoin.it/wiki/Contracts.
