dec 7, 2015 andrew miller bitcoin and...
TRANSCRIPT
Bitcoin and Cryptocurrenciesand what they mean for cybersecurity research
Andrew MillerDec 7, 2015
http://www.cs.umd.edu/~amiller/https://twitter.com/socrates1024
Bitcoin is not aloneBetween 150-500 altcoins launched to date
Altcoins launched per month(genesis block)
Data from mapofcoins.com
BitcoinNamecoin
LitecoinPeercoin
Dogecoin
Ideal Bank Account Functionality
Public Bank
Alice:$10Bob: $20
Account Balances
Alice Bob
“Send $2 from my account to Bob.” “You’ve got Money!
$2 from Alice.”
Alice:$08Bob: $22
-2
+2
A single transaction: Ledger -> Ledger’ (or failure)Valid transactions don’t spend more money than they have.
(note: privacy is not provided)
What are the security goals?- Money supply is conserved
Alice can’t spend more money than she has
- Transactions are “authorized”Alice can’t spend Bob’s money
- The service is “available”Bob can’t prevent Alice from spending her money
- Transactions are consistent, permanentAlice can’t send Bob money, and then take it back
From Ideal to Bitcoin in 5 Steps
1. Implement the Bank as a trusted third party
BankAlice Bob
(e.g., Paypal)
Digitally signed messages, or password authentication
“Send $2 from my account to Bob.”
2. Implement the Bank as a multi-party computation
Alice Bob
P1 P2
P5P4
P3
- Standard results in fault- tolerance apply here, (e.g. paxos, bft)
- PKI or similar is assumed
Why not just include everyone?
- Protocols are unscalable- How to prevent Sybil attacks without
administrators?
From Ideal to Bitcoin in 5 Steps
3. Suppose we have a magic token that chooses parties at random.
Whoever has the token gets to broadcast *once*If t parties are malicious, Pr[honest selected] = (n-t)/tThm. If majority are honest, transaction log converges
Alice Bob
? ?
??
? *caveats
From Ideal to Bitcoin in 5 Steps4. Replace the token with computational puzzle
- Solvable by independent participants- No advantage over brute force
Alice Bob
? ?
??
?
Scratchd(puz, m): r ← {0,1}k; if H(puz || m || r) < 2k-d then return r
From Ideal to Bitcoin in 5 Steps5. Finally, provide participation incentives
- give each “lottery winner” a reward
- also solves the problem of initial allocation
Alice Bob
? ?
??
?
How mining works
H( ) H( )
H( ) H( ) H( ) H( )
25.0→Acoinbase:
0x0000...00
transaction transaction transaction
mrkl_root: H( )prev: H( )
mrkl_root: H( )
hash: 0x0000nonce: 0x7a83
prev: H( )
hash: hash: 0x3485...hash: 0x6a1f...nonce: 0x0000...nonce: 0x0001...hash: 0xc9c8...nonce: 0x0002...hash: 0x300c...nonce: 0xffff...hash: nonce: 0x0000...
25.0→Acoinbase:
0x0000...01
hash: 0xd0c7...nonce: 0x0001...hash: 0x0224...
25.0→Acoinbase:
0x3df5...65
hash: 0x0000...nonce: 0xf77e...
GPU mining
● GPUs designed for high-performance graphics○ high parallelism○ high throughput
● First used for Bitcoin ca. October 2010● Implemented in OpenCL
○ Later: hacks for specific cards
FPGA mining
● Field Programmable Gate Area● First used for Bitcoin ca. June 2011● Implemented in Verilog
Professional mining centers
BitFury mining center, Republic of Georgia
Needs:● cheap power● good network● cool climate
Whirlwind tour of cryptocurrency research topics
SoK: Research Perspectives and Challenges for Bitcoin and Cryptocurrencies. Joseph Bonneau, Andrew Miller, Jeremy Clark, Arvind Narayanan, Joshua A. Kroll, Edward W. Felten. IEEE Security & Privacy (Oakland), May 2015.
Ad-hoc cryptographic marketplacesBitcoin-OTC: 12,000 users with PGP keys
“Web-of-Trust” reputation tracking tool
Bitcoin sidestepped 30+ years of research in E-Cash“First Generation” cryptocurrencies:
- Blind Signatures and untraceable payments. David Chaum, 1982
- Untraceable electronic cash. Chaum, Fiat, Naor, 1988.
- Payword and Micromint. Rivest and Shamir. 2001
- Peppercoin. Micali and Rivest, 2002.
Many of these old ideas can be seen in new light
Alice:$10Bob: $20
Alice Bob
Alice:$08Bob: $22
….. anyone
….. anyonevolunteers
Is mining needed at all?
Example: 2-player lottery&Alice, &Bob (hardcoded pubkeys)
wait to receive $10 from &Alice
wait to receive $10 from &Bob
pick a random bit x
if x == 0: send $20 to &Alice
else: send $20 to &Bob
Possible Applications- Games: board games, gambling, etc
- Global services- Domain Name Registration
- Financial coordination- Auctions- Crowdfunding (reach the target, or get refunded)- Risk swaps / betting / prediction markets
- Service Level Agreement enforcement- Is the server computing the right results?- Is the server storing the data? With redundancy?- Has the server provisioned enough resources?- Does the server have insurance?
- Virtual machine images (to simplify setup)- Self-contained guide, notes- Recorded lectures from 1-day workshop
Use smart contracts to teach applied cryptography:signatures, Merkle trees, proofs-of-retrievability, ZK proofs
Nonoutsourceable puzzlesto discourage
Bitcoin mining coalitionsAndrew Miller / University of Maryland
+ Ahmed Kosba, Elaine Shi, Jonathan Katz
CCS 2015
Typical Bitcoin mining pool
Pool Operator
Pool Members
Solution!“shares”
Payout divided among members