Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Master Degree in Data Science
Sapienza University of Rome
Academic Year 2018-2019
Instructor: Daniele Venturi(Slides from a series of lectures by Stefan Dziembowski)
DATA PRIVACY AND SECURITY
BitcoinData Privacy and Security
2
Part VI: Cryptocurrencies
History of Digital Cash
BitcoinData Privacy and Security
3
• 1990: Chaum’s anonymous eCash
– Uses sophisticated crypto to achieve security and user anonimity
withdrawal
pay
deposit
Company foundedin 1990… Went
bankrupt in 1998
History of Digital Cash
BitcoinData Privacy and Security
4
• 2008: Bitcoin announced by Satoshi Nakamoto
• 2011-2013: Popular for buying illegal goods
– E.g., Silk Road anonymous marketplace
• End of 2013: Market price skyrockets and the world notices
Main difference with eCash:
The Bitcoin Revolution
BitcoinData Privacy and Security
5
• Problems of earlier ecash systems
– Need trusted center (money does not circulate)
– High transaction fees
• Solutions in bitcoin ecosystem
– Decentralized system (money circulates)
– Variable transaction fees
Bitcoin’s Success
BitcoinData Privacy and Security
6
• Probably one of the most discussedcryptographic technologies ever!
Bitcoin
Snowden
Encryption
No Trusted Servers!
BitcoinData Privacy and Security
7
• Nobody controls the money
– The amount of money that will ever be created isfixed to around 21 mln Bitcoin (no inflation)
Exchange rate fluctuates
Next Block Halving
BitcoinData Privacy and Security
8
Really No Trusted Server?
BitcoinData Privacy and Security
9
• The client software is written by people whoare in charge to change the system
• Software contains so-called checkpoints (more on this later)
• Popular clients:
The people behindthe software are not
anonymous
Bitcoin in Context
BitcoinData Privacy and Security
10
Bitcoin:• Protocol• Client
software• Data
(blockchain)
Bitcoin Ecosystem
Financial Sector
• Banks• Fonds• Regulators• Treasury
• Exchanges• Mining pools• Remote wallets
Real Economy
• Agents• Goods• Markets (legal/illegal)• Externalities
Updates?
BitcoinData Privacy and Security
11
• How to update the protocol if there is no governing body?
• Updates take the form of Bitcoin ImprovementProposals (BIPs)
• The Bitcoin community votes on BIPs
– Weight of votes proportional to computing power
– Voting process organised centrally (via a forum)
Bitcoin ≈ Real Money?
BitcoinData Privacy and Security
12
• Bitcoin values comes from the fact that: "People expect that other people will accept itin the future."
It’s like realmoney
It’s a "Ponzischeme"
Enthusiasts:
Sceptics:
Some Economist Are More Positive
BitcoinData Privacy and Security
13
• Billions of VC funding, many major banks and companies are interested
While these types of innovations may pose risks related to law enforcement and
supervisory matters, there are also areas in which they may hold long-term
promise, particularly if the innovations promote a faster, more secure and more
efficient payment system
Ben Bernanke
Why Bitcoin Became So Popular?
BitcoinData Privacy and Security
14
• Ideological reasons
– Crypto anarchy (nobody controls the money)
• Good timing due to financial crisis in 2008
– No money printing in Bitcoin
• Trading of illegal goods due to seeminganonymity (pseudonimity)
• Payments can be cheap
– Almost no fees for long time (PayPal 2-10%)
• Novel technology for distributed systems
Illegal Market Places
BitcoinData Privacy and Security
15
• What is sold?
• Mostly non-professional sellers
– Most items only listed for few days
• All markets value: 600.000 USD per day
Category # of items % of total
Weed 3338 13.7
Prescriptions 1784 7,3
Books 955 3,9
Cannabis 877 3,6
Cocaine 630 2,6
LSD 440 1,8
Downsides of Decentralization
BitcoinData Privacy and Security
16
• There are no regulators
– MtGox (handling 70% of all Bitcoin transactions) shut down on Feb 2014, reporting 850.000 BTC (450 million USD) stolen
• Transactions cannot be reserved
– But see a later lecture for alternatives
• Software bugs immediately exploited ashackers can make money
– Ransomware
– Virus stealing bitcoins
BitcoinData Privacy and Security
17
Bitcoin's Design Principles
Doublespending
BitcoinData Privacy and Security
18
• Main problem with the digital money is that itis much easier to copy than real money
– Bits are easier to copy than paper
16fab13fc6890
Bitcoin’s Idea (Simplified)
BitcoinData Privacy and Security
19
• The users emulate a public bulletin-boardcontaining a list of transactions
– A transaction if of the form: «User 𝑃1 transfers a coin #16fab13fc6890 to user 𝑃2»
16fab13fc6890
You have alreadyspent this!
Trusted Bulletin-Board Emulation
BitcoinData Privacy and Security
20
Ideal World Real World
Main difficulty:Some parties can
cheat!
An Idea
BitcoinData Privacy and Security
21
• Assume honest majority and implement the bulletin-board by voting
– Every transaction is broadcast
Transaction id Value
ddbs21239864k… 0.084 BTC
edd98763hn3nr… 1.2 BTC
mkk8765g4g2j3… 0.036 BTC
YES NO YES NO
Is this the correctbulletin-board?
In cryptocurrencies this is called
the consensus protocol
How to Implement Consensus?
BitcoinData Privacy and Security
22
• A very well-studied problem in distributedcomputing
• Idea: Use techniques from MPC
– Agreement requires honest majority
– Problem: Sybil attack
– How to define majority in a context whereeverybody can join the network?
Bitcoin’s solution
BitcoinData Privacy and Security
23
• Majority = Majority of computing power
• Now creating multiple identities does not help
How is this verified?
BitcoinData Privacy and Security
24
• Use Proofs of Work (PoW) – Dwork & Naor ‘92
• Basic idea: User solve moderately hard puzzle
• Digital puzzle: Use cryptographic hashing
– Hash function 𝐇 with running time TIME 𝐇
– Solve: Find input s.t. output starts with 𝑛 zeroes
– Verify: Compute hash
Hard to find solution Easy to verify
Simple PoW
BitcoinData Privacy and Security
25
Hash function 𝐇 with running time TIME(𝐇)
Random 𝑥
Answer 𝑠
Find 𝑠 s.t. 𝐇(𝑠||𝑥)starts with 𝑛 zeroes (time 2𝑛 ∙ TIME(𝐇))
Check that 𝐇(𝑠||𝑥)starts with 𝑛 zeroes
(time TIME(𝐇))
Setup for the Bulletin-Board
BitcoinData Privacy and Security
26
• Users maintaining the bulletin-board are called miners
• Miners maintain a chain of blocks:
Block 0 Block 1 Block 2 Block 3
Transactionsfrom period 1
Transactionsfrom period 2
Transactionsfrom period 3
The genesis block, createdby Nakamoto on 03/01/09
Block size < 1MB ≈ 7 trans./sec
Period ≈ 10 mins
Extending the Blockchain
BitcoinData Privacy and Security
27
• The chain is extended by using the PoW
• PoW challenge: 𝐇(Salt||𝐇 Block𝑖 ||TX) startswith 𝑛 zeroes (hardness parameter)
Block 0 Block 1 Block 2
Transactions Transactions
𝐇 𝐇
Salt Salt
In Bitcoin 𝐇= SHA-256
Adjusting the Hardness Parameter
BitcoinData Privacy and Security
28
• The computing power of the miners changes
• Miners should generate a new block every 10 minutes (on average)
• Thus the hardness parameter is periodicallyadjusted to the mining power
– It happens once every 2016 blocks
– Automatic process, in a way that depends on the time it took to generate the 2016 blocks
– Possible because each block contains a timestamp
Hash Rate
BitcoinData Privacy and Security
29
• January 2017: 2,550,000 TH/s
• January 2018: 15,000,000 TH/s
• September 2018: 50,000,000 TH/s
How it Looks in Real Life
BitcoinData Privacy and Security
30
Height Timestamp Transactions Miner Size
550168 6 minutes ago 2796 DPOOL 1,1 MB
550167 11 minutes ago 2348 BTC.com 1,5 MB
550166 27 minutes ago 2227 … …
550165 44 minutes ago … …
550164 49 minutes ago … …
How to Post on the Board
BitcoinData Privacy and Security
31
• Broadcast over the internet your transactionto the miners
• Hope they will add it to the next block
– Miners are incentivized to do so
• Miners never add invalid transactions (e.g., doublespending)
– A chain with an invalid transaction is itself notvalid, so no rational miner would do it
• When a miner finds an extension he broadcasts it to all the users
Forks
BitcoinData Privacy and Security
32
• The longest chain counts!
Block i
Block i+1
Block i+2
Block i+3
Block’ i+2
This chain is valid
Makes no sense to work on a shorter chain, as everybodyelse is working on extending
the longest one
Consequences
BitcoinData Privacy and Security
33
• The system should quickly self-stabilize
• If there is a fork, then one branch will die
– What if your transaction ends up in a deadbranch?
– Recommendation: To make sure it doesn’t happenwait 6 blocks (≈1 hour)
Can Transactions be Reversed?
BitcoinData Privacy and Security
34
• Requires a fork in the past
– Unlikely with minority computing power
– Honest miners always ahead of the adversary
Attack based on Hardness Parameter
BitcoinData Privacy and Security
35
⋯ ⋯ ⋯
⋯⋯
1) Secretly compute another chain with fake
timestamps (indicating thatit took a long time to
produce it)
2016 blocks
2) The difficulty dropsdrammatically, so can
quickly produce a chainlonger than the valid one
and publish it
The Strongest Chain
BitcoinData Privacy and Security
36
• For this reason, in Bitcoin it is not the longestchain that matters, but rather the strongest
• Strength of each block is 2𝑛
• Strength of the chain is the sum of the strength of all blocks
– This clearly prevents the previous attack
Joining the Network
BitcoinData Privacy and Security
37
• How to identify a user? Use a digital signaturescheme (𝐊, 𝐒, 𝐕)
– Bitcoin uses ECDSA
New user
Publish 𝑝𝑘and keep 𝑠𝑘 secret
(𝑝𝑘, 𝑠𝑘) ←$ 𝐊
Every userhas his own
key pair
Digital Signature Standard (DSS)
BitcoinData Privacy and Security
38
• Approved by US government in 1994
– Designed by NIST & NSA
– Originally using SHA-1, but now SHA-2 isrecommended
– DSS is the standard and DSA is the algorithm
• A variant of ElGamal PKE
– Security based on the hardness of DL
– Creates a 320-bit signature (vs 1024 bits with RSA)
– Most of the computation is mod a 160-bit prime
DSA Key Generation
BitcoinData Privacy and Security
39
• Shared global public values (𝑝, 𝑞, 𝛼)
– Prime 𝑝 of size 1024 bits
– Prime 𝑞 of size 160 bits (factor of 𝑝 − 1)
• Value 𝛼 ∈ ℤ𝑝∗ of order 𝑞
– Pick 𝑔 ∈ ℤ𝑝∗ and compute 𝛼 = 𝑔(𝑝−1)/𝑞mod 𝑝
– Repeat if 𝛼 = 1
• Each user generates (𝑎, 𝛽)
– Private key 𝑎 ←$ ℤ𝑞
– Public key 𝛽 = 𝛼𝑎mod 𝑝
DSA Signing
BitcoinData Privacy and Security
40
• Let 𝑥 ∈ {0,1}∗ be the message to be signed
– Pick random 𝑘 ←$ ℤ𝑞
– Let 𝑟 = 𝛼𝑘 mod 𝑝 mod 𝑞
– Let 𝑠 = 𝐒𝐇𝐀𝟐 𝑥 + 𝑎 ∙ 𝑟 𝑘−1mod 𝑞
– Repeat if 𝑟 = 0 or 𝑠 = 0
• Signature is 𝑦 = (𝑟, 𝑠)
– Value 𝑘 should be destroyed and never reused
Signature Verification
BitcoinData Privacy and Security
41
• Give message 𝑥 and signature 𝑦 = (𝑟, 𝑠)
– Compute 𝑢 = 𝑠−1 ∙ 𝐒𝐇𝐀𝟐 𝑥 mod 𝑞
– Compute 𝑡 = 𝑠−1 ∙ 𝑟 mod 𝑞
– Let 𝑣 = 𝛼𝑢𝛽𝑡mod 𝑝 mod 𝑞
• Accept iff 𝑣 = 𝑟
• Correctness𝑣 = 𝛼𝑢+𝑎𝑡mod 𝑝 mod 𝑞
= 𝛼𝑠−1(𝐒𝐇𝐀𝟐 𝑥 +𝑎𝑟)mod 𝑝 mod 𝑞
= 𝛼𝑠−1𝑘𝑠mod 𝑝 mod 𝑞 = 𝑟 mod 𝑞
Remarks on DSA
BitcoinData Privacy and Security
42
• Important to check 𝑟, 𝑠 ≠ 0
– If 𝑟 = 0, then 𝑠 = 𝐒𝐇𝐀𝟐 𝑥 ∙ 𝑘−1mod 𝑞 isindependent of the secret key 𝑎
– If 𝑠 = 0, then 𝑠−1mod 𝑞 cannot be computed
– Both events very unlikely (probability ≈ 2−160)
• Operations on both sides are performed mod𝑞, only one operation is performed mod 𝑝
Elliptic Curve DSA (ECDSA)
BitcoinData Privacy and Security
43
• Variant of DSA using elliptic curve groups
• Signature is 320 bits
• All operations are mod a 160-bit prime (or slightly more)
– Minimum size 163 or 192 bits
• Security depends on hardness of solving DL in an elliptic curve group
Validating Blockchains
BitcoinData Privacy and Security
44
• What is needed in order to decide whichblockchain is valid?
• One needs to know:
– The initial rules of the game
– The genesis block
• Given many candidates pick the one that:
– Verifies correctly
– Is the longest (i.e., the strongest)
• Verification can take several hours (blockchainsize ≈ 185GB as of September 2018)
Checkpoints
BitcoinData Privacy and Security
45
• Old block hash hardcoded into Bitcoinsoftware
• In theory: Not needed
• Goes against the decentralized spirit of Bitcoin
• But useful in practice:
– Prevent some DoS attacks (flooding nodes with unusable chains)
– Prevent attacks involving isolating nodes and providing them fake chains
– Optimization for initial blockchain download
Protocol Updates
BitcoinData Privacy and Security
46
• The Bitcoin protocol can be updated
• Proposals can be submitted to the Bitcoinfoundation in the form of BitcoinImprovement Proposals (BIPs)
• Only the miners can vote
– Votes included in the minted blocks
– Currently, need 75% approval which roughlycorresponds to 75% of computing power
Summary of Main Features
BitcoinData Privacy and Security
47
• Extending blockchain is computationally hard
• Once a miner finds an extension he broadcaststhe new block to everybody
• Users will always accept the longest chain asthe valid one
– In practice it is a bit more complex
• How are the miners incentivized to followthese rules?
– Short answer: They are payed in bitcoins!
Where Do These Bitcoins Come From?
BitcoinData Privacy and Security
48
• A miner that solves the PoW gets a reward
– 50 BTC for the first 210000 blocks (≈ 4 years)
– 25 BTC for the next 210000 blocks
– 12.5 BTC for the next 210000 blocks
– … and so on
• Note that: 210000 50 + 25 + 12.5 +⋯ = 21000000
More in Details…
BitcoinData Privacy and Security
49
• Each block contains a transaction thattransfers the reward to the miner
– A so-called coinbase transaction
• Advantages:
– It provides an incentive to be a miner
– It makes miners interested in broadcasting the new block asap
An Important Feature
BitcoinData Privacy and Security
50
• Assuming everybody follows the protocol, the following invariant is maintained:
• Fract. of computing power ≈ fract. of revenue
• This is because 𝑃𝑖’s chances of solving the PoW are proportional to the number of times𝑃𝑖 can evaluate the hash function
Every miner 𝑃𝑖 whose computing power is a 𝛼𝑖-fraction of the total computing power mines a
𝛼𝑖-fraction of the blocks
Freshness of the Genesis Block
BitcoinData Privacy and Security
51
Genesisblock
I did not know the genesisblock before Bitcoin waslaunched (Jan 3, 2009)
Here is a heuristic proof: «The genesis block contains a hash of a title from a front page of the London Times on Jan 3, 2009.»
Why Does it Matter?
BitcoinData Privacy and Security
52
Genesisblock
• Otherwise Satoshi could «pre-mine»1) Secretely start miningin 1980 and produce a
very strong chain
3) On Jan 3, 2010 publish secret chain
2) Honest miners start working on Jan 3, 2009;
since they have lesstime after 1 year their
chain is still weaker
Bitcoin’s Money Mechanics
BitcoinData Privacy and Security
53
• Bitcoin is transaction based
• Technically there is no notion of coin
• Users 𝑃7 and 𝑃8 hold 5 BTC, whereas user 𝑃9holds 40 BTC
25 BTC createdby 𝑃1
25 BTC sent to 𝑃2
5 BTC sent to 𝑃45 BTC sent to 𝑃3
15 BTC sent to 𝑃5
25 BTC created by 𝑃6
15 BTC from 𝑃5 + 25 BTC from 𝑃6
to 𝑃9
5 BTC sent to 𝑃75 BTC sent to 𝑃8
TIME
Syntax of Transactions (Simplified)
BitcoinData Privacy and Security
54
User 𝑃1 creates 25 BTC
User 𝑃1 sends 25 BTC from 𝑇1 to 𝑃2Signature of 𝑃1
on 𝑇2
User 𝑃2 sends 25 BTC from 𝑇2 to 𝑃3Signature of 𝑃2
on 𝑇3
𝑇1 =
𝑇2 =
𝑇3 =
𝑃1
𝑃2
𝑃3
During the mining process
We say 𝑇3redeems 𝑇2
Multiple Output Transactions
BitcoinData Privacy and Security
55
User 𝑃1 sends 10 BTC from 𝑇1 to 𝑃2User 𝑃1 sends 8 BTC from 𝑇1 to 𝑃3User 𝑃1 sends 7 BTC from 𝑇1 to 𝑃4
Signature of 𝑃1on 𝑇2
𝑇2 =
𝑃1
𝑃2 𝑃3
10 BTC 7 BTC
𝑃4
Multiple Input Transactions
BitcoinData Privacy and Security
56
User 𝑃2 sends 10 BTC from 𝑇3 to 𝑃1User 𝑃3 sends 8 BTC from 𝑇3 to 𝑃1User 𝑃4 sends 7 BTC from 𝑇3 to 𝑃1
Signature of 𝑃2 on 𝑇4Signature of 𝑃3 on 𝑇4Signature of 𝑃4 on 𝑇4
𝑇4 =
𝑃1
𝑃2 𝑃3
10 BTC 7 BTC
𝑃4
All signaturesneed to be valid
Time Locks
BitcoinData Privacy and Security
57
User 𝑃1 sends 25 BTC from 𝑇1 to 𝑃2if time 𝑡 has passed
Signature of 𝑃1 on 𝑇2𝑇2 =
Transaction specifiestime 𝑡 after which it is
considered valid
Measured in blocks or real time
Generalizations
BitcoinData Privacy and Security
58
• All these features can be combined
• The total value of in-coming transactions can be larger than the total value of outgoingtransactions
– The difference is called the fee
– Goes to the miner
• The conditions for redeeming a transactioncan be more general (the so-called smartcontracts)
Block Structure in More Details
BitcoinData Privacy and Security
59
𝐇
𝐇 𝐇
𝐇 𝐇 𝐇 𝐇
𝑇𝑋1 𝑇𝑋2 𝑇𝑋3 𝑇𝑋4 𝑇𝑋5 𝑇𝑋6 𝑇𝑋7 𝑇𝑋8
ℎ00 ℎ01 ℎ10 ℎ11
ℎ1ℎ0
Prevhash
SaltTXBlock
Header
𝐇
Block
Merkle tree
How to Verify Merkle Trees
BitcoinData Privacy and Security
60
𝐇
𝐇 𝐇
𝐇 𝐇 𝐇
𝑇𝑋1 𝑇𝑋2 𝑇𝑋3 𝑇𝑋4 𝑇𝑋5 𝑇𝑋6 𝑇𝑋7 𝑇𝑋8
ℎ00 ℎ01 ℎ10 ℎ11
ℎ1ℎ0
TX
𝐇
Root
Proofs are log(depth) and verification requires log(depth) time
Why Merkle Trees?
BitcoinData Privacy and Security
61
• Merkle root always of same small size
– Easily transmittable for pooled mining
– Simplifies writing hashing algorithms in hardware
• Light clients
– No need to process the entire block
• Pruning of old spend transactions
– Old transactions are not needed in order to verifythe validity of the blockchain
BitcoinData Privacy and Security
62
Mining Pools and Attacks
Solo Mining
BitcoinData Privacy and Security
63
• Variance of income too high for solo miners
• Here is a rough estimate:
40,000,000 THash/s
14 THash/s≈ 2857142
≈ 54.4 ∙ (365 ∙ 24 ∙ 6)
• Waiting time for mining a block ≈ 50 years
Total hash rate asof Nov. 2018
ASICS Antminer S9 – 14 THash/s (3,000 USD)
Mining Pools
BitcoinData Privacy and Security
64
• Miners create cartels called mining pools
• Mining pools are either operated centrally or in a peer-to-peer fashion
• Some of the pools charge fees for their service
– E.g., if the operator gets 25 BTC for mining, then itwill share 25 − 𝜑 BTC (where 𝜑 is the fee)
• Expected revenue is lower on average, butvariance is significantly smaller
– Tricky bit: How to prevent cheating? How to reward the miners?
Biggest Mining Pools
BitcoinData Privacy and Security
65
As of July 13, 2017
How to Design a Mining Pool?
BitcoinData Privacy and Security
66
Nonce 𝑠𝑖
A transaction 𝑇𝑖 and a hash 𝐇(𝐵𝑖)
Tries to find 𝑠𝑖 such that𝐇(𝑠𝑖 , 𝐇 𝐵𝑖 , 𝑇
𝑖) starts with 𝑛 zeroes
MinerMining Pool
Operator
Current hardnessparameter
𝑝𝑘
Includes coinbase transactiontransferring money to 𝑝𝑘
Once nonce is found by one of the pool members, each of them is rewardedproportionally to his work
But how to verifyhow much work a
miner did?
Proportional Method
BitcoinData Privacy and Security
67
Nonce 𝑠𝑖But also submit partialsolutions, i.e. values 𝑠𝑖′
such that 𝐇(𝑠𝑖 , 𝐇 𝐵𝑖 , 𝑇𝑖)
starts with 𝑛′ ≪ 𝑛 zeroes
A transaction 𝑇𝑖 and a hash 𝐇(𝐵𝑖)
Tries to find 𝑠𝑖 such that𝐇(𝑠𝑖 , 𝐇 𝐵𝑖 , 𝑇
𝑖) starts with 𝑛 zeroes
MinerMining Pool Operator
Current hardnessparameter
𝑝𝑘
Amount of work measured in # of partial solutions
Probability of Success
BitcoinData Privacy and Security
68
• Probability of pool winning is 𝛼1 + 𝛼2 + 𝛼3
• Reward for Alice: BTC 25 ∙𝛼1
𝛼1+𝛼2+𝛼3
≈ proportional to 𝛼1
≈ proportional to 𝛼2
≈ proportional to 𝛼3
𝛼1
𝛼2
𝛼3
time
proportion of computing power
submitted share
Expected rewardBTC 25 ∙ 𝛼1
Pool Hopping
BitcoinData Privacy and Security
69
• What if miners change pool?
– Expected revenue is 𝛼𝑖 (from new pool)
– Plus the revenue form old pool (small extra)
• It is profitable to escape from pools with lotsof share holders
– Because such pools have too many «mouths to feed»
Slush’s Method
BitcoinData Privacy and Security
70
• Solution: Use a scoring function that assigns to each share a score 𝜎
• Then assign rewards proportionally to the score 𝜎
• Slush’s scoring function: 𝜎 = 𝑒𝑇/𝑐
– 𝑇: time since beginning of this round
– 𝑐: some constant
• Intuitively this gives advantage to miners whojoined late
Other Methods
BitcoinData Privacy and Security
71
• Pay-per-share: Operator pays for each partialsolution, no matter if he mined the block
– Risky for operator (leading to higher fees)
• Score-based: Geometric method, double geometric method…
• See also:
– Meni Rosenfeld, Analysis of Bitcoin Pooled MiningReward Systems, 2011
Security of Mining Pools
BitcoinData Privacy and Security
72
• Typically assume the operator is honest
– Because he has reputation
• Miners are instead untrusted
• We will describe two attacks:
– Sabotage attack
– Lie-in-wait attack
• Both attacks are based on withholding certainblocks
– Similar to selfish-mining attack (see later)
Sabotage Attack
BitcoinData Privacy and Security
73
• Based on submitting only partial solutions
– Pool loses money
– Dishonest miner does not earn anything (actuallyit loses a little bit)
• Ultimate goal: Make the pool go bankrupt
– E.g., because it is a competing pool
– Mining pool Eligus lost 300 BTC back in 2014
Mining Pool OperatorPartial solutions
RewardComplete solution
Miner
Lie-in-Wait Attack
BitcoinData Privacy and Security
74
• Once solution is found (say for 𝑃2)
– Wait submitting it and mine for 𝑃2 only
– Send it to 𝑃2 after some time
• Intuition is that this is profitable because 𝑃2 isa very likely winner
1/3 computing power
Mining pool 𝑃1
Mining pool 𝑃2
Mining pool 𝑃3
Mine for several pools
Peer-to-Peer Mining
BitcoinData Privacy and Security
75
• General idea: Miners create a blockchain with hardness parameter 𝑛′ ≪ 𝑛 on top last block
– Every 𝐵𝑖𝑗
is a valid extension of 𝐵𝑖 (hardness 𝑛′)
– Requires to use other fields in the block
• Parameter 𝑛′ chosen in such a way that new blocks appear often (say every 30 sec)
Block 𝐵𝑖 Block 𝐵𝑖1 Block 𝐵𝑖
2 Block 𝐵𝑖3
How to Do it
BitcoinData Privacy and Security
76
𝐵𝑖:
…
…
…
𝐵𝑖2:
nonce
𝐇(𝐵𝑖)
trans.
𝐇(𝐵𝑖1)
𝐇(∙)
𝐵𝑖3:
nonce
𝐇(𝐵𝑖)
trans.
𝐇(𝐵𝑖2)
𝐇(∙)
𝐵𝑖1:
nonce
𝐇(𝐵𝑖)
trans.
𝐇(∙)
• The blocks contain extra space that can be
used to store the hash values 𝐇(𝐵𝑖𝑗)
Reward
BitcoinData Privacy and Security
77
• Block 𝐵𝑖𝑘 enters the main blockchain as 𝐵𝑖+1
• Reward can be computed using some formula
• Each miner is incentivized to behave nicely
Block 𝐵𝑖 Block 𝐵𝑖1 Block 𝐵𝑖
2 𝐵𝑖𝑘 = 𝐵𝑖+1…
Ends with 𝑛 zeroes
𝑃2𝑃1 𝑃𝑘
Includes a payment to 𝑃1
Includes a payment to 𝑃1, … , 𝑃𝑘−1
Possible Attack Goals
BitcoinData Privacy and Security
78
• Double spending
• Get more money than you should
• Short selling
– Bet that the price of BTC will drop and thendestroy the system (i.e., make the price of BTC go to zero)
• Someone (government?) interested in shutting Bitcoin down
The 51% Attack
BitcoinData Privacy and Security
79
• An adversary controlling majority of computational power cannot
– Steal money from earlier transactions (requiresforging a signature)
– Generate money without effort (still needs to solve PoW)
• However such an adversary can
– Fork the chain and doublespend
– Reject all other miners’ blocks
– Exclude certain transactions
Programming Errors
BitcoinData Privacy and Security
80
• Block 74638 (Aug 2010) contained a transaction with 2 outputs summing to over 184 billion BTC
– Integer overflow in Bitcoin software
– Solved by software update + manual fork
• Fork at block 225430 caused by an error in the software update
– Solved by reverting to older version
• Moral: Nothing can be fully decentralized
– Sometimes human intervention is needed
Transaction Malleability
BitcoinData Privacy and Security
81
• Transactions are identified by their hashes
• One can change TxId by mauling a signature
– In ECDSA if 𝜎 = (𝑟, 𝑠) is a valid signature of message 𝑚, so is 𝜎′ = (𝑟, −𝑠)
User 𝑃1 sends 1 BTC from 𝑇1 to 𝑃2Signature of 𝑃1
on 𝑇2𝑇2 =
𝐇(∙)
TxId = 𝐇(𝑇2)
How to Exploit Malleability
BitcoinData Privacy and Security
82
• As a result TxId changes!
• Often not a problem as semantically nothingchanged
• Problematic for Bitcoin contracts
Miners
Claimed Attack on MtGox
BitcoinData Privacy and Security
83
• MtGox cannot see transaction with TxId 𝐇(𝑇) in blockchain
– As if transaction did not happen
– Doublespending possible
• Decker-Wattenhofer 14: This isprobably not true
Deposit 1BTC
Withdraw 1BTC
𝐵𝑖 𝐵𝑖+1 𝐵𝑖+2 𝐵𝑖+3
"MtGox pays 1 BTC to 𝐴"
𝐴
Lack of Anonimity
BitcoinData Privacy and Security
84
• Bitcoin only guarantees pseudonymity
• Can sometimes be de-anonymized
– Meiklejohn et al.: A Fistful of Bitcoin, 2013
1 BTC 1 BTC
1 BTC
Can be linked!
Heuristic solution:
Hardware Mining
BitcoinData Privacy and Security
85
• Evolution of mining habits
– CPU -> GPU -> FPGA -> ASIC
• Several drawbacks
– Makes the whole process non-democratic
– Might be exploited by very powerful adversary
– Excludes some applications (e.g., mining asmicropayment)
• Advantages
– Security against botnets and makes minersinterested in long-term stability of the system
How long term? Hashrate can go up by 100x
in a year
Risks Associated with Pool Mining
BitcoinData Privacy and Security
86
• June 2014: The Ghash.io pool got > 50% of the total hash power
– What we were promised: A distributed currencyindependent of the central banks
– What we got (June 2014): Currency controlled by single company
• Miners lost control of which blocks they mine
– Not possible to choose Bitcoin transactions
– Common believe: 99% of the miners only care about highest possible block reward
How to Break Bitcoin?
BitcoinData Privacy and Security
87
• Start a number of mining pools with a negative fee
• Wait to get > 50% computational power
• Will the miners join?
– Well, yes if they only care about block reward
• Is Bitcoin secure?
– Need to assume that majority behaves honestlyeven if it has incentives not to do so
– Maybe the only reason why it is still unbroken isthat nobody was really interested in doing it
Majority is not Enough (Selfish Mining)
BitcoinData Privacy and Security
88
• Ittay Eyal and Emin G. Sirer: Bitcoin Mining is Vulnerable
• Basic idea: When a new block is found keep itfor yourself
• Goal: Make the honest miners waste theireffort to mine blocks that will never make it to the blockchain
• The proportion of minted blocks is higher, yielding a revenue greater than the fair share
Bitcoin is not Incentive Compatible
BitcoinData Privacy and Security
89
• Recall with the honest strategy every minerwith 𝛼-fraction of computing power gets 𝛼-fraction of the revenue
• But if there is a strategy that is more beneficialthan the honest strategy, miners have an incentive to misbehave
– The larger 𝛼 the more beneficial the dishoneststrategy is
– Hence miners have incentive to join a large pool that uses this strategy
Simplifying Assumption
BitcoinData Privacy and Security
90
• What happens if there is a fork?
• Assume that the adversary is always first
– E.g., he puts a lots of fake nodes acting as sensors
– We will remove this assumption later
Bitcoin specification: "From twochains of equal length mine on the one that was received first."
Selfish Mining (Basic Idea)
BitcoinData Privacy and Security
91
• Adversary finds new block and keeps it
• Two things can happen:
In this case the adversarypublishes his own block
and loses nothingPublish the chain when the public one equalizes
Towards the Full Attack
BitcoinData Privacy and Security
92
• The assumption that the adversary is alwaysfirst might look unrealistic
• Eyal and Sirer show a modification of the attack that works without this assumption
• Let 𝛾 be the probability that a honest minerwill choose to mine on the adversary’s chain
• Assume the adversary controls an 𝛼- fractionof the computing power
– The other miners hold 1 − 𝛼 -fract. for 𝛼 < 1/2
An Observation
BitcoinData Privacy and Security
93
• What is the probability that the adversary’schain is selected?
• Let 𝛿 = 𝛼 + (1 − 𝛼) ∙ 𝛾
Adversaryextends the
chain
Honest minerextends the
chain
Adversary’schain getsextended
Honest chaingets extended
State Transitions
BitcoinData Privacy and Security
94
State 0
State 1
State 0’State 2
1 − 𝛼 𝛼
1 − 𝛿
𝛿
Initial state (no forks)
Adversary findsnew block
Adversary findsanother block
Adversary’sblock winsHonest block
wins
Honest minersalso find a block
State 0
State 0
Adversarypublishes hischain ASAP
Continuing from State 2
BitcoinData Privacy and Security
95
State 3
State 2
Adversarypublishes hischain ASAP
1 − 𝛼
𝛼
State 0
Resulting State Machine
BitcoinData Privacy and Security
96
State 0 State 1 State 2 State 3 State 4
1 − 𝛼 1 − 𝛼 1 − 𝛼
𝛼 𝛼 𝛼 𝛼
…
State 0’
1 − 𝛼1
Calculating the Revenue
BitcoinData Privacy and Security
97
State 0 State 1 State 2 State 3 State 4
+1 +1 +1
…
State 0’
(∗)
• Apply theory of Markov chains
– Stationary distribution: 𝑝0, 𝑝0′, 𝑝1, 𝑝2, …
Expected Revenue: 𝛿 ∙ 𝑝0′ + 𝛼 ∙ 𝑝1 + 𝛼 ∙ 𝑝2 +⋯
∗ = +1 iff attacker wins a fork (happens with probability 𝛿)
The Final Result
BitcoinData Privacy and Security
98
• Eyal and Sirer show that the expected revenueexceeds that of the honest strategy as long as
𝛼 >1 − 𝛾
3 − 2𝛾
𝛼
𝛾
1/31/4
11/2
How to Fix it?
BitcoinData Privacy and Security
99
• One simple idea is to choose 𝛾 = 1/2
– This means choosing which fork to mine uniformlyat random
• The threshold for 𝛼 moves to ¼
– This means that with such a modification Bitcoinwould be secure as long as a ¾-fraction of computing power is honest
– Smaller than the believed ½-fraction but betterthan current reality
Summary of Other Attacks
BitcoinData Privacy and Security
100
• Whale transactions
– Make transactions with huge fees
– Incentivizes miners to mine on old blocks
– Accidentally happened in the past
• Flood attack
– Send big amount of small transactions
– Countermeasure: Increase transactions fees
• Destroy Bitcoins
– Send Bitcoins to unspendable output addresses to burn them