lecture 4 - department of computer scienceabhishek/classes/cs601-641-441-spring2018/lect… ·...
TRANSCRIPT
![Page 1: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/1.jpg)
Lecture 4Bitcoin Consensus
![Page 2: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/2.jpg)
Bitcoin consensus: theory & practice
● Bitcoin consensus: initially, seemed to work better in practice than in theory
● Theory has been steadily catching up to explain why Bitcoin consensus works [e.g., Garay-Kiayias-Leonardos’15,Pass-Shelat-Shi’17,Garay-Kiayias-Leonardos’17,…]
● Theory is important, can help predict unforeseen attacks
![Page 3: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/3.jpg)
Some things Bitcoin does differently
Introduces incentives• Possible only because it’s a currency!
Embraces randomness• Does away with the notion of a specific end-point• Consensus happens over long time scales — about 1 hour
![Page 4: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/4.jpg)
Consensus without identity: the blockchain
![Page 5: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/5.jpg)
Why identity?
Pragmatic: some protocols need node IDs
Security: assume less than 50% malicious
![Page 6: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/6.jpg)
Why don’t Bitcoin nodes have identities?
Identity is hard in a P2P system — Sybil attack
Pseudonymity is a goal of Bitcoin
![Page 7: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/7.jpg)
Weaker assumption: select random node
Analogy: lottery or raffle
When tracking & verifying identities is hard, we give people tokens, tickets, etc.
Now we can pick a random ID & select that node
![Page 8: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/8.jpg)
Key idea: implicit consensus
In each round, random node is picked
This node proposes the next block in the chain
Other nodes implicitly accept/reject this block• by either extending it • or ignoring it and extending chain from earlier block
Every block contains hash of the block it extends
![Page 9: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/9.jpg)
Consensus algorithm (simplified)
1. New transactions are broadcast to all nodes2. Each node collects new transactions into a block3. In each round a random node gets to broadcast its
block4. Other nodes accept the block only if all transactions in
it are valid (unspent, valid signatures)5. Nodes express their acceptance of the block by
including its hash in the next block they create
![Page 10: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/10.jpg)
What can a malicious node do?
CA → B
CA → A’
Pay to pkB : H( )signed by A
Pay to pkA’ : H( )signed by A
Double-spending attack
Honest nodes will extend the longest valid branch
![Page 11: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/11.jpg)
From Bob the merchant’s point of view
CA → B
CA → A’
Hear about CA → B transaction0 confirmations
1 confirmation
double-spendattempt
3 confirmations
Double-spend probability decreases exponentiallywith # of confirmations
Most common heuristic: 6 confirmations
![Page 12: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/12.jpg)
Recap
Protection against invalid transactions is cryptographic, but enforced by consensus
Protection against double-spending is purely by consensus
You’re never 100% sure a transaction is in consensus branch. Guarantee is probabilistic
![Page 13: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/13.jpg)
Incentives and proof of work
![Page 14: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/14.jpg)
Can we give nodes incentives for behaving honestly?
Everything so far is just a distributed consensus protocolBut now we utilize the fact that the currency has value
Assumption of honesty is problematic
Can we penalize the node that created this block?
Can we reward nodes that created these blocks?
![Page 15: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/15.jpg)
Incentive 1: block reward
Creator of block gets to• include special coin-creation transaction in the block• choose recipient address of this transaction
Value is fixed: currently 12.5 BTC, halves every 4 years
Block creator gets to “collect” the reward only if the block ends up on long-term consensus branch!
![Page 16: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/16.jpg)
There’s a finite supply of bitcoins
Block reward is how new bitcoins are created
Runs out in 2040. No new bitcoins unless rules change
Year
Tota
l bit
coin
s in
cir
cula
tion
First inflection point:reward halved from 50BTC to 25BTC
Total supply: 21 million
![Page 17: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/17.jpg)
Incentive 2: transaction fees
Creator of transaction can choose to make output value less than input value
Remainder is a transaction fee and goes to block creator
Purely voluntary, like a tip
![Page 18: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/18.jpg)
Remaining problems
1. How to pick a random node?
1. How to avoid a free-for-all due to rewards?
1. How to prevent Sybil attacks?
![Page 19: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/19.jpg)
Proof of work
To approximate selecting a random node: select nodes in proportion to a resource that no one can monopolize (we hope)
• In proportion to computing power: proof-of-work• In proportion to ownership: proof-of-stake
![Page 20: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/20.jpg)
Equivalent views of proof of work
1. Select nodes in proportion to computing power
1. Let nodes compete for right to create block
1. Make it moderately hard to create new identities
![Page 21: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/21.jpg)
Hash puzzles
To create block, find nonce s.t.H(nonce ‖ prev_hash ‖ tx ‖ … ‖ tx) is very small
Output space of hash
Target space If hash function is secure:
only way to succeed is to try enough nonces until you get lucky
nonceprev_h
TxTx
![Page 22: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/22.jpg)
PoW property 1: difficult to compute
As of Aug 2014: about 1020 hashes/block
Only some nodes bother to compete —miners
![Page 23: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/23.jpg)
PoW property 2: parameterizable cost
Nodes automatically re-calculate the target every two weeks
Goal: average time between blocks = 10 minutes
Prob (Alice wins next block) = fraction of global hash power she controls
![Page 24: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/24.jpg)
Key security assumption
Attacks infeasible if majority of miners weighted by hash power follow the protocol
![Page 25: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/25.jpg)
Solving hash puzzles is probabilistic
Time to next block (entire network)
Prob
abili
ty d
ensi
ty
10minutes
![Page 26: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/26.jpg)
PoW property 3: trivial to verify
Nonce must be published as part of block
Other miners simply verify thatH(nonce ‖ prev_hash ‖ tx ‖ … ‖ tx) < target
![Page 27: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/27.jpg)
Mining economics
Complications:• fixed vs. variable costs• reward depends on global hash rate
If mining reward (block reward + Tx fees) > hardware +
electricity cost→ Profit
![Page 28: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/28.jpg)
Putting it all together
![Page 29: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/29.jpg)
Recap
Identities
Transactions
P2P network
Block chain & consensus
Hash puzzles & mining
![Page 30: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/30.jpg)
Bitcoin is bootstrapped
security of block chain
value of currency
health of mining
ecosystem
![Page 31: Lecture 4 - Department of Computer Scienceabhishek/classes/CS601-641-441-Spring2018/Lect… · Bitcoin consensus: theory & practice Bitcoin consensus: initially, seemed towork better](https://reader035.vdocuments.mx/reader035/viewer/2022071013/5fcb7029a9b0e9282f50e379/html5/thumbnails/31.jpg)
What can a “51% attacker” do?
Steal coins from existing address?
Suppress some transactions?• From the block chain• From the P2P network
Change the block reward?
Destroy confidence in Bitcoin?
✗
✓✗
✗
✓✓