CS 3700

Networks and Distributed

Systems
Bitcoin
Brief History of Currency
Towards Decentralized, Online
Currency
Bitcoin
Bitcoin in Practice
What is Currency?

• Medium of exchange
• May or may not have intrinsic value (e.g. gold)
• Value is based on future exchanges
• Trust is essential

• Store of value
• Allows one to store “value” rather than objects
• Facilitates lending, debt, investing, and other financial innovations
Ancient Coinage

• Ancient coinage was based on precious metals

• Typically copper, silver, and gold
• Value of currency based the intrinsic value of the metal
• Largely obviated the problem of counterfeiting
• A “fake” gold coin is still made of gold
• Limited technology for creating diluted, composite metals
• Lack of advanced mining techniques limited inflation
• Very challenging to extract new metal from the ground, flood the market
• Problems?
• Cumbersome to move and store large amounts of currency
• Limited capability to mint new coins (requires raw materials)
• In theory, currency’s value may fluctuate wildly, i.e. through speculation
Paper Currency

• Paper bearer tokens began to replace coinage around 600 BC

• Paper was exchangeable for a commodity, e.g. gold, copper, salt
• Advantages
• Easier to carry, mint large denomination bills
• Gives the issuing authority flexibility to inflate or deflate the currency
• Problems?
• Counterfeiting
• Runaway inflation – issuing authority may print too much paper (e.g. to pay debts)
• Bank runs – gold supply may run out during a panic if everyone tries to convert
Fiat Currency

• Modern physical currency is based on fiat

• Not linked to a hard commodity, based entirely on trust
• Why does fiat currency have “value”?
• Social contract – everyone accepts the currency, therefor it has value
• Centralized power – the government has the power to enforce taxation, and
they accept currency as a means to pay taxes
• All the advantages of commodity-backed paper currency, without the
need to stockpile commodities
• All the problems of commodity-backed paper currency, but even more
trust must be placed in the issuing authority
Physical Currency

Advantages Disadvantages
• Easily portable • Easy to steal
• Cannot double-spend • Paper is a bearer token
• Spend the same piece of paper >1 • Hard to monitor/tax transactions
times
• Again, paper is semi-anonymous
• Cannot repudiate payment
• Once you’ve given the paper, you
• Requires trust in the centralized
can’t get it back issuing authority
• Semi-anonymous • Doesn’t work online
• Modulo tracking serial numbers • I can’t email you a scan of the
• Issuing authority can inflate/deflate paper :(
as necessary
What About Electronic Currency?
• The rise of telecommunications networks gives rise to a need for
electronic forms of currency
• Credit cards, Paypal, bank e-checks
• Computers store the amount of money held by each individual/company
• Transactions move money between parties
• Why do we trust the electronic money system?
• Denominated in a physical, fiat currency
• Rules are enforced by strict regulation and audits
• E.g. Paypal can’t just decide to mint a trillion dollars for themselves
• Again, trust is centralized in the issuing authority, i.e. the government
• What is the incentive to participate in the electronic money system?
• Transaction fees
• E.g. Visa charges 1.51% of each transaction plus $0.10
 Electronic Currency

Advantages Disadvantages
• Works online • Requires trust in the issuing authority and
• Easy for issuing authority to third-parties
monitor/tax/control • E.g. Visa, Paypal
• Strict regulations and auditing • Manual oversight and auditing

• Cannot double-spend • Issuing authority may prohibit

• All transactions are monitored transactions and/or third-parties
• Took Paypal years to become legitimized
• Transactions can be repudiated
• Credit card chargebacks • High transaction fees
• No privacy
• All transactions are monitored
Towards Non-fiat Electronic Currency

• Goal: e-cash without a centralized issuing authority

• Store and transfer value without a reliance on commodities or central banks
• Anyone can join the system and be party to transactions
• Bitcoin is, arguably, the first viable non-fiat electronic currency
• Invented by Satoshi Nakamoto in 2009
• Released as a whitepaper plus open-source implementation
• Name is a pseudonym, true author is unknown
• Built on top of an unstructured P2P system
• Participants validate transactions and mint currency
• System works as long as the majority of users (i.e. a quorum) are honest
• Elegantly solves challenges in computer science and economics
Brief History of Currency
Towards Decentralized, Online
Currency
Bitcoin
Bitcoin in Practice
Why is P2P Currency Hard?

• The most obvious challenge is determining ownership

• Who owns a given unit of currency?
• Without strong ownership…
• Forgery – a user can mint arbitrary currency
• Double spending – how do you validate and enforce transactions?
• Theft – impossible to separate true and false claims about ownership

• Rest of lecture: build up design of Bitcoin using strawman proposals

• Let’s call our hypothetical currency neucoin
Requirements and Expectations

Requirements Expectations
• No centralized control • Clear ownership of each neucoin
• Central banks, governments, police • Cannot generate money you don’t
have
• No “strong identities”
• Cannot double spend
• ID cards, passports
• Cannot steal arbitrarily
• Impossible to enforce without
centralized control • No repudiation
• Ideally, we would like anonymity
(like physical paper cash)
• Entirely electronic
• Not backed by commodities
Motivating Example
I, Alice, transfer 1 neucoin to Bob.
Alice Bob
1 neucoin 1 neucoin
I, Alice, transfer 1 neucoin to Charlie.

I, Alice, transfer 1 neucoin to Mallory.

Mallory Charlie
1 neucoin 1 neucoin

Can transactions be forged? Yes

Can neucoins be stolen? Yes
Can users double spend? Yes
Introducing Cryptography
Alice Sa Sb Bob

Pa Pb

• Each entity in neucoin is defined by a public/private keypair

• Simply referred to as wallets
• Knowledge of private key gives ownership of neucoins in the associated wallet
• Coins are transferred from one public key to another public key
 Example v2 Signed by Alice’s
Private Key

Pa transfers 1 neucoin to Pb
Alice Sa Sa Sb Bob
1 neucoin 1 neucoin
Pa Pa transfers 1 neucoin to Pc Pb
Sa

Mallory Sm Pa transfers 1 neucoin to Pm Sc Charlie

Sm 1 neucoin
Pm Pc

Can transactions be forged? No

Can neucoins be stolen? No, assuming the private key isn’t stolen
Can users double spend? Yes
Serial Numbers

• How do we prevent users from minting arbitrary neucoins?

• Add a trusted third-party that issues serial numbers
• Also known as a bank
• Let’s assume bank is trusted, has a well known public key

10238 26671 00392

B B B
 Example v3
Pa transfers 10238 to Pb
Alice Sa B Sa Sb Bob
10238 10238
B Pa Pa transfers 10238 to Pc Pb B
B Sa

Mallory Sm Sc Charlie
Pm 10238
Pc B

Can transactions be forged? No

Can neucoins be stolen? No, assuming the private key isn’t stolen
Can users double spend? Yes
Preventing Double Spending

• What if the trusted bank also tracked who owns each neucoin?
• Bank would have a ledger, serve as official record of ownership
• Charlie can contact the bank, verify that Alice owns a given coin
• Problems?
• Centralized ledger totally defeats the purpose of neucoin
• Instead, the network is the bank
• Participants in neucoin collectively keep track of all transactions
• Known as the public ledger
• To verify that Alice isn’t double spending, Charlie can check the public ledger
 Example v4
neucoin Network
Is the signature in this
Pa transfers 10238 to Pbc transaction valid?
Alice Sa Sa Does Pa own 10238?
10238 Pa
Public Ledger
Bob Sb • Pa owns 10238
• 10238 from Pa to Pb
10238
Pb

Charlie Sc

Pc
Brief History of Currency
Towards Decentralized, Online
Currency
Bitcoin
Bitcoin in Practice
 Bitcoin at a High-Level

• Bitcoin is a P2P network of nodes (Bitcoin clients)

• Each node keeps a log (ledger) of all Bitcoin transactions, ever
• This log is known as the blockchain
• Transactions are broadcast to nodes in the P2P network
• Nodes validate transactions
• Correct signatures and correct ownership of coins
• Valid transactions are added to the blockchain and broadcast to other peers
• Transaction is considered accepted once it appears in the blockchain
• Ultimate goal: all transactions are known and agreed upon by the network
• In other words, we want global consensus of events in log
• Sound familiar?
Open Questions

• How much of the network must commit a transaction to their local

blockchain for it to be considered accepted?
• may not be feasible if N is large
• Suppose
  there is a fork in the blockchain. How do you reconcile?
• How to defend against Sybil attacks?
• What is the incentive for users to help maintain the blockchain?
• Bandwidth, CPU, and storage aren’t free
 Sybil Attack
• Classic attack that
Mallory’s Sybils all P2P systems
Pm transfers 10238 to Pb
Sm are vulnerable to
Mallory Sm • Mallory can
Pm transfers 10238 to Pc
10238 Sm introduce many
Pm
fake nodes into
the network
Bob Sb
• N/2 respond to
10238
Pb Bob, N/2 respond
to Charlie
Charlie Sc • Implication: one
node = one vote
10238
Pc doesn’t work
Proof-of-Work

• Need to tie voting to a resource that is hard to obtain

• In the past, we would have used a commodity (e.g. gold)
• Identity (e.g. passports) would work, but defeats the purpose
• Key idea: tie voting to control of computational resources
• To add a transaction to the ledger, you must present a proof-of-work
• Proof-of-work can be generated by solving a cryptopuzzle
• Why is this a good idea?
• Cryptopuzzles prove that a node expended significant effort
• Obviates the need for Sybil prevention
• E.g. one machine pretending to be 100 Sybils doesn’t magically get 100x CPU power
Cryptopuzzles

• Cryptographic hash functions, e.g. MD5, SHA-1, etc.

• Deterministic, high entropy, and collision resistant
• Locating A’ such that hash(A) = hash(A’) takes a long time
• Example: 221 tries for MD5
• A hash function is cryptographically secure iff it is hard to find a pre-image
(i.e. a collision) given a hash value H
• Implement cryptopuzzles in neucoin as follows:
• Find V such that Hash(V + [some other fixed data]) < target
• Nodes in the network have no choice but to brute force V
• Difficulty can be adjusted by making target larger or smaller
 Proof-of-work in Bitcoin

• Key idea: a node can only add an entry to the blockchain if it solves a
cryptopuzzle
• Other nodes can easily validate new blocks to ensure the puzzle has been solved
• Changes “one node/one vote” to “one CPU/one vote”
• To dominate the network, Mallory must control significant CPU resources

• Implementing proof-of-work in Bitcoin

• Nodes receive transactions, group them into blocks
• Nodes attempt to solve a cryptopuzzle based on the previous block and the new block
• Blocks are linked, hence the name blockchain
 Mining Blocks

Prev. Block Hash Nonce Y Block Hash Prev. Block Hash Nonce X Block Hash Prev. Block Hash No
Transaction L Transaction I Transaction F
Transaction M Transaction J Transaction G
Transaction N Transaction K Transaction H

• Block hash = Hash(Prev Block Hash | Nonce X | <Transactions>)

• Concatenate all the fields in green
• Nonce X is the number chosen to make the block hash < target
• Changing the nonce changes the output of the hash function unpredictably
• All nodes are competing to identify a nonce that solves the puzzle
• Creation of new blocks is known as mining
Building the Blockchain

• At any given time, all nodes are searching for the next block
• Searching == trying different nonces to solve the puzzle
• Hoping to get lucky, identify nonce X such that block hash < target
• Hashing power of the network grows over time
• More peers join the network, CPUs get faster
• Bitcoin automatically adjusts target over time
• Attempts to maintain 1 block/10 minutes on average
• Once a node discovers a block, it broadcasts it to other peers
• Other nodes validate (easy, simply recompute the hash)
• Nodes begin working on the next block (with the new block as Prev)
Forking the Blockchain
• What happens if two nodes find different block simultaneously?
• Let’s call them Dave and Edgar
• Both Dave and Edgar broadcast
• Some fraction of the network will start working on Dave’s fork, others on
Edgar’s
• This is bad. Who is right? Dave and Edgar’s blocks may contain different
transactions
• In Bitcoin, nodes always accept the longest chain
• The longest chain represents the most work
• Eventually, either Dave or Edgar’s fork will find the next block first
• When this is broadcast, all nodes will switch to the longer chain
Forking Example

• In case of a fork, network searches for next block in both chains

• First chain to be lengthened “wins”, all nodes eventually switch
• Blocks in “loser” fork are ignored, transactions go back in the queue
Open Questions, Revisited

• How to defend against Sybil attacks?

• Require nodes to solve cryptopuzzles to commit transactions to the blockchain
• Suppose there is a fork in the blockchain. How do you reconcile?
• Longest chain of blocks wins
• How much of the network must confirm a transaction for it to be
considered accepted?
• Only one node needs to solve the cryptopuzzle to create a new block
• However, a single block may not be good enough for confirmation
• Suppose that one block is part of a fork – it may get replaced in the future
• More on this later
• What is the incentive for users to help maintain the blockchain?
Creation of New Coins

• What is the incentive for users to act as Bitcoin nodes?

• Computing hashes is CPU intensive
• Bandwidth of communication with peers and users
• Storage cost of storing the entire blockchain
• Bitcoin solves the incentive problem in two ways
• Transactions may include a transaction fee
• Paid to whoever “wins” first, i.e. mines a block that includes the transaction
• New blocks mint new coins
• Node who wins “mines” a fixed amount of coins as a prize
• This is why it’s called mining
• Current reward is 25 BTC (worth around $9000!)
• Called a coinbase transaction
Coinbase Transactions

Block Hash Prev. Block Hash Nonce X

Transaction I
Transaction J
Coinbase Transaction K

• Elegantly solves several problems

• Where do bitcoins come from? How are they minted?
• Who gets newly minted coins?
• Reward for mining halves every 210,000 blocks
• Currently 25 BTC, was 50 BTC until 2012
• Will become 0 in year 2140; 21 million total bitcoins
• At this point, only transaction fees will incentivize miners
Do We Need Serial Numbers?

• Final annoyance: where do bitcoin serial numbers come from?

• Trick question – bitcoins don’t have serial numbers
• Idea: “bitcoins” don’t matter, only transactions matter
• All transactions have IDs, simply the hash of their fields
• To transfer bitcoins
• Simply state the transaction ID where you received the coins
• Easy to verify that the transaction exists, as well as coin ownership (via the signature)
• What if you don’t want to move all coins from a previous transaction?
• Bitcoin transactions may have multiple inputs and outputs
• Pay the change back to yourself ;)
 Real Bitcoin Transactions

• Transactions have multiple inputs and

outputs
• Each input is the ID of a previous transaction
• All value must be included
• Nodes verify that no other transactions refer to
the input IDs
• Each output is an amount and a public key
• Signed by owners private key
• Implicit output: sum(input) – sum(output)
• If it exists, can be claimed by the miner as the
transaction fee
 Example Transactions
Tx 1234, coinbase: Pa -> 25 BTC
Alice Sa
25 BTC
24
22
21
Pa Tx 2578: input {1234},
output {Pa -> 24 BTC, Pb -> 1 BTC}

Bob Sb Tx 3002: input {2578},

1 BTC
2 output {Pa -> 22 BTC, Pb -> 1 BTC, Pc -> 1 BTC}
Pb
0.01 BTC left over
Tx 3587: input {3002}, as a transaction fee
output {Pa -> 21 BTC, Pc -> 0.99 BTC}
Charlie Sc
1.99
2.99
1 BTC
Pc Tx 3587: input {2578, 3002},
output {Pb -> 1 BTC, Pc -> 1 BTC}
Is Bitcoin Secure?

• Can I fake a transaction? (i.e. steal your bitcoins)

• No, you would need access to the victim’s private key
• Can I edit the blockchain? (i.e. remove or modify old transactions)
• No, all blocks are linked by their hashes
• Changing historical block Bt would require changing all blocks [Bt , Bcurrent]
• Can I repudiate a transaction? (i.e. deny that I paid you)
• No, all of your transactions are signed by your private key
• Plus, you can’t go back and change previous blocks
• Can I mint money out of thin air?
• Yes, but only through legitimately solving a cryptopuzzle (i.e. a coinbase txn)
• All peers can validate that your block (and the minted coins) are correct
What About Double Spending?

• Can I double spend?

• Sort of – you could publish two new transactions with the same inputs
• But, the network will only accept of them eventually
• However, there may be a period of time where both new transactions
are committed
• If the blockchain forks, both transactions may exist concurrently
• When should a recipient conclude that a transaction is truly accepted?
• Wait for C confirmations, i.e. blocks after the transaction in question
• The longer the chain, the less likely it will be replaced by a fork
• If a vendor requires 6 confirmations and an attacker controls 10% of the networks hashing
power, the attack will succeed 0.02428% of the time
CPU Monopoly

• What if I control 51% of the networks hashing power?

• All bets are off
• Attacker can control all future blocks
• Monopolize creation of new coins
• Double spend
• Deny arbitrary transactions

• Network needs to be diverse to prevent this kind of attack

Incentives, Revisited

• Why do nodes accept transactions?

• Coinbase transactions and transaction fees
• Essentially, monetary rewards

• Why do nodes “accept” a new block?

• Couldn’t they just ignore it and keep mining the old one?
• No incentive: mining is guessing, so it’s not like you are “close”
• Also, all other nodes will switch to new block
• To succeed, you now need to mine two blocks in a row
What About Anonymity?

• Are bitcoin transactions truly anonymous?

• No, transactions are pseudonymous
• Everyone is identified by their public key(s)
• The blockchain (all transactions ever) is public
• Current owner of any coin can be determined
• The provenance of any bitcoin can be ascertained (past ownership)
• Related question: are bitcoins fungible?
• Fungible – mutually interchangeable
• Physical dollars are fungible, one is just as good as another
• Since the provenance of bitcoins can be tracked, they may not be fungible
• E.g. if coin X is stolen, user may refuse to accept X in future transactions in retaliation
Brief History of Currency
Towards Decentralized, Online
Currency
Bitcoin
Bitcoin in Practice
• BTC to USD exchange rate has been very volatile over time
• Highs over $1000, now around $400
• Several “bitcoin millionaires” exist
• Mined a bunch of coins back in 2009
• One guy threw away a machine with a private key linked to >$500k in coins :(
Bitcoin Wallets
• Two options Electrum
• Desktop client: You participate as node in the network
• Direct access to peers and the blockchain, but no mining
• Private key on your machine (lose it, lose your coins)
• Online Service: You give your private key to a company/site
• Log in to site to view “balance”, make transactions; easy to use
• They have your key

• What’s up with the stolen bitcoins?

• All from Wallet sites
• Hackers break in, get private keys, transfer bitcoins to themselves
Anonymity

• Recall that bitcoin is pseudonymous

• What if you want stronger anonymity?
• Best practice: generate a new wallet for every transaction
• Users can have many wallet addresses (i.e. keypairs)
• Makes linkability somewhat more difficult
• Even more anonymity: use a “mixing” service to launder your coins
• Service uses a well known wallet address
• Accepts bitcoins from any source
• Return the coins after some time (minus a small fee)
• Assuming volume is high, provides unlinkability of inputs and outputs
 Mining

• In theory, anyone can download

bitcoin and start mining
• Your node will search for blocks
• But in practice, you will never win
• Arms race: CPU < GPU < FPGA < ASICs
• Real miners use thousands of chips
custom designed to solve cryptopuzzles
• Much faster and more power efficient
than general purpose hardware
• Many miners operate in Iceland
(cheap power and free cooling)
 Mining Pools
• Problem: Bitcoin is a lottery
• You are extremely unlikely to win
• Can we make it more “fair”?
• Nodes “get out” what they “put in”?
• Solution: mining pools
• Groups of nodes that work together
• Split proceeds when any node finds
the next block (more fair)
• Lots of mining pools today
• Some represent up to 25% of mining
capacity!
Proof-of-Work in Mining Pools

• How to evenly distribute coins in a mining pool?

• How to determine what nodes “put in”?
• Nodes could lie, say “I worked really hard!”
• Elegant solution: Nodes report “best hash” they found for block
• i.e., they say “I didn’t win, but here’s the best I did”
• Corresponds to amount of effort expended
• Payout distribution then based on how “hard” best hash was
• Closer to target, more coins
 Civil War
• Bitcoin functions because of its community
• Now that bitcoin is popular, the community is large
• To make changes, everyone must agree and adopt new software
• Blocksize and transactions
• Currently, the max block size is 1 MB, and block rate is 1 every 10 minutes
• This effectively caps the max capacity and speed of the bitcoin network
• To compete with Visa, bitcoin needs to handle more transactions at lower
latencies
• How to solve these scalability challenges?
• Bitcoin XT proposes to gradually increase the blocksize over time
• Sidechains – push tiny transactions out of the main blockchain
• Do nothing – let transaction fees rise for people seeking high-priority transactions
Altcoins

• P2P + cryptopuzzles + blockchain + incentives is a general formula

• Can be applied to other distributed systems problems besides currency
• Bitcoin is open-source
• Led to the creation of dozens of alternate coins
• Litecoin – faster mining rate and scrypt instead of SHA-256 (harder to design
ASICS)
• NXT – designed for securities trading
• Filecoin – designed for storing files in the blockchain
• Namecoin – designed as a replacement for DNS
• Dogecoin – litecoin + shiba inus