centrally banked cryptocurrencies · rolling hash chain of log acts as commitment to actions send...

Centrally Banked Cryptocurrencies

George Danezis (University College London)Sarah Meiklejohn (University College London)

2

who’s interested in ‘blockchain’?

2

who’s interested in ‘blockchain’?

2

who’s interested in ‘blockchain’?

2

who’s interested in ‘blockchain’?

2

who’s interested in ‘blockchain’?

2

who’s interested in ‘blockchain’?

2

who’s interested in ‘blockchain’?

3

fully decentralized cryptocurrencies

3

fully decentralized cryptocurrencies

3

fully decentralized cryptocurrencies

txtx(addrA→addrB)

3

fully decentralized cryptocurrencies

tx(generate transaction ledger)

“mining”

(generate monetary supply)tx(addrA→addrB)

3

fully decentralized cryptocurrencies

append-only

tx(generate transaction ledger)

“mining”

(generate monetary supply)tx(addrA→addrB)

3

fully decentralized cryptocurrencies

transparentappend-only

tx(generate transaction ledger)

“mining”

(generate monetary supply)tx(addrA→addrB)

3

fully decentralized cryptocurrencies

transparentpseudonyms

append-only

tx(generate transaction ledger)

“mining”

(generate monetary supply)tx(addrA→addrB)

4

issues with Bitcoin

hashing rates are out of controlincentive structure is messed up

attacks on mining

no control over monetary policy

4

issues with Bitcoin

hashing rates are out of controlincentive structure is messed up

attacks on mining

no control over monetary policy

not suitable for most applications!

RSCoin

5

RSCoin

5

monetary supply decentral centralcentral

RSCoin

5

monetary supplyledger centraldistributedecentral

decentral centralcentral

RSCoin

5

monetary supplyledger centraldistributedecentral

decentral centralcentral

transparent? y y (or n) n

RSCoin

5

monetary supplyledger centraldistributedecentral

decentral centralcentral

transparent? y y (or n) n

pseudonyms? y y (or n) n

RSCoin

5

monetary supplyledger centraldistributedecentral

decentral centralcentral

transparent? y y (or n) n

pseudonyms? y y (or n) n

computation high! low low

6

6

bank (generate monetary supply)

6

mintettemintette

mintette mintette

bank (generate monetary supply)

(generate transaction ledger)

6

mintettemintette

mintette mintette

bank

user

(generate monetary supply)

(generate transaction ledger)

6

mintettemintette

mintette mintette

bank

user

(generate monetary supply)

(generate transaction ledger)

6

mintettemintette

mintette mintette

bank

user

(generate monetary supply)

(generate transaction ledger)

7

mintettemintette

mintette mintette

bank

user

7

mintettemintette

mintette mintette

bank

user

consensus?

7

mintettemintette

mintette mintette

bank

user

what gets sent?

consensus?

7

mintettemintette

mintette mintette

bank

user

what gets sent?

consensus?

how do mintettes collect txs?

7

mintettemintette

mintette mintette

bank

user

what gets sent?

consensus?

how do mintettes collect txs?

consensus?

8

user

1 2tx:

consensus

8

user

1 2tx:

consensus

each address is owned by a set of mintettes

8

user

1 2tx:

consensus

each address is owned by a set of mintettes

a d d r e s s e smintettemintettemintette

mintettemintettemintettemintettemintettemintette

mintettemintettemintettemintettemintettemintette

mintettemintettemintette

9

mintette1

mintette1

user

1 2tx:

mintette1

1

consensus

9

mintette1

mintette1

user

1 2tx:

mintette1

1

mintettes check for double spending…

…using lists of unspent transaction outputs (utxo)

consensus

10

mintette1

mintette1

user

1 2tx:

✓ mintette1

✓

1

signed ‘yes’ vote (and head h)

consensus

11

mintette1

mintette1

user

1 2tx:

✓ mintette1

✓

mintette2

mintette2

mintette2

1tx ✓✓

“bundle of evidence” contains ‘yes’ votes from majority of mintettes in shard

consensus

11

mintette1

mintette1

user

1 2tx:

✓ mintette1

✓

mintette2

mintette2

mintette2

1tx ✓✓

mintettes check validity of bundle by checkingfor signatures from authorized mintettes…

consensus

12

mintette1

mintette1

user

1 2tx:

✓ mintette1

✓

mintette2

mintette2

mintette2

1tx ✓✓tx

tx

…and if satisfied they add transaction to be committed and send back receipt

consensus

13

consensus features

13

consensus features

simple (adaption of Two-Phase Commit)

13

consensus features

scalable!simple (adaption of Two-Phase Commit)

13

consensus features

scalable!T = set of txs generated per second

Q = # mintettes per shard M = # mintettes

simple (adaption of Two-Phase Commit)

13

consensus features

scalable!T = set of txs generated per second

Q = # mintettes per shard M = # mintettes

simple (adaption of Two-Phase Commit)

∑tx∈T 2(mtx+1)QMcomm. per mintette per sec =

13

consensus features

scalable!T = set of txs generated per second

Q = # mintettes per shard M = # mintettes

simple (adaption of Two-Phase Commit)

∑tx∈T 2(mtx+1)Q

scales infinitely as more mintettes are added!

Mcomm. per mintette per sec =

14

14

each new mintette adds≈ 75 tx/sec

14

each new mintette adds≈ 75 tx/sec

compared to Bitcoin’s 7

what gets sent?

15

mintettemintette

mintette mintette

bank

user

what gets sent?

how do mintettes collect txs?

(2PC)consensus?consensus?

what gets sent?

15

mintettemintette

mintette mintette

bank

user

what gets sent?

how do mintettes collect txs?

(2PC)

how do mintettes collect txs?

(contacted based on shard)

consensus?

what gets sent?

15

mintettemintette

mintette mintette

bank

user

what gets sent?

how do mintettes collect txs?

(2PC)

(contacted based on shard)

what gets sent?

consensus?

16

security properties

no double spending (only “good” transactions get included)

16

security properties

no double spending (only “good” transactions get included)

(if honest majority)

17

security properties

no double spending (only “good” transactions get included)non-repudiation (mintettes are held to their promises)

17

security properties

no double spending (only “good” transactions get included)non-repudiation (mintettes are held to their promises)

(because mintettes provide receipt uponcommitting transaction)

18

security properties

no double spending (only “good” transactions get included)non-repudiation (mintettes are held to their promises)auditability (mintettes can’t cheat without detection)

19

mintette logs

borrow ideas from Certificate Transparency to log actions

19

mintette logs

borrow ideas from Certificate Transparency to log actionsmintettes create log entry every time they:

-act as mintette in first phase (Query) -act as mintette in second phase (Commit) -publish head of hash chain (CloseEpoch)

rolling hash chain of log acts as commitment to actions

19

mintette logs

borrow ideas from Certificate Transparency to log actionsmintettes create log entry every time they:

-act as mintette in first phase (Query) -act as mintette in second phase (Commit) -publish head of hash chain (CloseEpoch)

rolling hash chain of log acts as commitment to actionsmintettes cross-hash chains to provide evidence of activity

19

mintette logs

borrow ideas from Certificate Transparency to log actionsmintettes create log entry every time they:

-act as mintette in first phase (Query) -act as mintette in second phase (Commit) -publish head of hash chain (CloseEpoch)

rolling hash chain of log acts as commitment to actions

send logs to bank at end of every periodmintettes cross-hash chains to provide evidence of activity

20

security properties

no double spending (only “good” transactions get included)non-repudiation (mintettes are held to their promises)auditability (mintettes can’t cheat without detection)

20

security properties

no double spending (only “good” transactions get included)non-repudiation (mintettes are held to their promises)auditability (mintettes can’t cheat without detection)

21

mintettemintette

mintette mintette

bank

user

what gets sent?

how do mintettes collect txs?

(2PC)

(contacted based on shard)

what gets sent?(cross-hashed chains)

consensus?

21

mintettemintette

mintette mintette

bank

user

what gets sent?

how do mintettes collect txs?

(2PC)

(contacted based on shard)

(cross-hashed chains)

-collate transactions

consensus?

21

mintettemintette

mintette mintette

bank

user

what gets sent?

how do mintettes collect txs?

(2PC)

(contacted based on shard)

(cross-hashed chains)

-collate transactions-allocate fees-audit mintettes

consensus?

21

mintettemintette

mintette mintette

bank

user

what gets sent?

how do mintettes collect txs?

(2PC)

(contacted based on shard)

(cross-hashed chains)

-collate transactions-allocate fees-audit mintettes(-add coin generation)-authorize mintettes

consensus?

RSCoin

22

monetary supplyledger centraldistributedecentral

decentral centralcentral

transparent? y y (or n) n

pseudonyms? y y (or n) n

computation high! low low

RSCoin

22

monetary supplyledger centraldistributedecentral

decentral centralcentral

transparent? y y (or n) n

pseudonyms? y y (or n) n

computation high! low low

Thanks! Any questions?