
Cryptography lecture 12

Digital cash and Bitcoin

Jonathan Jogenfors
Linköping University

2016-10-14

Secure Electronic Transactions (SET)

(Figure: Bank, Merchant, Cardholder)

Called for by Mastercard and VISA in 1996

Is complex, and uses a PKI, SSL and more

Besides Authenticity, Integrity, and Security, SET must also preserve Privacy, keeping

- Payment Instructions (PI, including card numbers) secret to the Merchant
- Goods and Service Orders (GSO, what is being bought) secret to the Bank

Secure Electronic Transactions (SET)

Privacy is achieved by dual signatures

(Figure: Bank, Merchant, Cardholder)

Notation: H is a hash function, E_X is encryption under X's public key, D_X is X's private-key operation (so D_C signs for the Cardholder and E_C verifies), and || is concatenation.

1. Cardholder sends Merchant E_M(GSO), E_B(PI), H(E_B(PI)), and

   DS = D_C( H( H(E_B(PI)) || H(E_M(GSO)) ) )

2. Merchant checks that H( H(E_B(PI)) || H(E_M(GSO)) ) = E_C(DS), decrypts E_M(GSO), and sends the Bank H(E_M(GSO)), E_B(PI), and DS

3. The Bank now checks that H( H(E_B(PI)) || H(E_M(GSO)) ) = E_C(DS), decrypts E_B(PI), and returns an encrypted (with E_M) digitally signed authorization

4. Merchant checks the signature, and gives Cardholder an encrypted (with E_C) digitally signed receipt

Note that the Merchant never sees PI and the Bank never sees GSO, yet both verify the same signature: each side supplies the hash of the half it holds and receives the hash of the half it must not read.

SET never took off

Instead, card companies have started using 3-D Secure.

Our money versus the Internet


Many everyday things have moved to the Internet.
Communications, relations, entertainment. . . but not money.

Why do we still need these?

But what about credit cards?

Credit cards are inherently insecure.
Entire model is backwards:
1. Merchant takes the customer's CC number
2. Merchant goes to the bank
3. Merchant gives CC number to the customer's bank
4. Bank gives money from the customer's account to the merchant.

Something like this would be better:

1. Customer tells bank to give money to merchant
2. That's it!

Making money digital


Why not create a currency based on cryptography?

Our design goals should be a currency with the following properties (Okamoto and Ohta 1991):

1. Secure transfer in computer networks
2. Cannot be copied and reused
3. Anonymity
4. Offline transactions
5. Can be transferred to others
6. Can be subdivided

Textbook example of digital cash


The course textbook (Ch. 11) contains an example of digital cash (not
part of the course).

Note the difference:

- Digital cash: Electronic version of existing currency (USD)
- Digital currency: Entirely new currency (e.g. Bitcoin)

The textbook example is a centralized system, where a bank is needed for everything to work.

The failure of electronic cash


There have been several proposals for digital money.

Until a few years ago, all had failed.

No gain over existing systems:

- Still need a central point of trust
- Privacy: Who monitors the system?
- Can we entrust a bank with managing an entire currency?

There is no need for centralization


With cryptography we can actually create something better than
electronic cash.

This is not in the textbook; it's too new.

A currency that is peer-to-peer.

All functions of a bank can be taken over by the network.

In essence, we create a system with distributed consensus.

Bitcoin
The Bitcoin protocol was proposed in 2008 (Nakamoto 2008).

Takes care of:

- Creation of new currency
- Secure transactions
- Protection against double-spending
- Anybody can be a merchant or a customer.
- Pseudo-anonymity

We will now create Bitcoin from scratch


Step by step, we create a peer-to-peer currency.

In each step we discuss strengths and weaknesses.

Let's call one unit of currency Southfork.

Southfork = the protocol

southfork = the currency

Southfork version 1: Public, signed transactions

Alice publishes a signed message: I, Alice, send one southfork to Bob

Good stuff:
- Bob can verify the signature as being from Alice.
- The transaction cannot be undone

Bad stuff:
- No account balances
- Infinite number of southfork
- Very incomplete...

Southfork version 2: Serial numbers

I, Alice, send southfork no. 856034 to Bob


Duplicate transactions are easily spotted.

How are the serial numbers created?

The (too) easy solution: Serial numbers generated by a trusted source, like a bank.

A bank works, but. . .

This is where Nakamoto put the stroke of genius

No central point of trust, instead a blockchain

We remove the central point of trust.

Instead, we establish a list of all transactions ever made.

Computing an account balance is done by summing over all previous transactions for that account.

This list is called the blockchain and is shared by all users.

Southfork version 3: The blockchain

Bob checks his blockchain before accepting the transaction


If he sees that the southfork in question is owned by Alice, he accepts
it.
After the transaction is complete, Bob broadcasts his acceptance.
As soon as the other peers hear this broadcast, they will not allow
double-spending.

Double-spending is still possible

(Figure: Alice pays the same southfork twice while the peers have not yet heard Bob's broadcast.)

Alice can perform a double-spend before the acceptance broadcast is heard by enough peers.

To solve this problem, we make Bob ask everybody else if a transaction is valid.
Double-spending will be noticed before payment is accepted.

Asking the network about the transaction


How many answers should Bob require? How can the answers be trusted?

A majority vote is impossible: what if Alice spams Bob with false confirmations? (On an open network, one machine can pretend to be any number of peers.)

There is no way to perform traditional authentication.

But Southfork won't work if transactions can't be reliably verified...

Southfork version 4 (final): Proof of work

The finished Southfork protocol uses Proof of Work (PoW).

Basic idea: We only trust solutions that are accompanied by a proof of someone having committed a large amount of resources to a problem.

That is, we don't authenticate a user, but we authenticate the fact that time/money/energy/etc. has been spent.

In order for Alice to make a double-spend, she first has to spend energy before Bob trusts her.

Even better: We turn proof-of-work into a competition.

Constructing the PoW challenge

We want a problem that...
- ...is difficult to solve
- ...has solution(s) that are easy to verify
- ...has scalable difficulty (will be discussed later)

Remember lecture eight? A one-way hash function h(x) has the following properties:
- Easy to calculate h(x) from x
- Given h(x), it is hard to find x' so that h(x') = h(x).

Finding preimages is the perfect proof of work! Strictly speaking the miner is not asked for a preimage of one given value, but for any input whose hash falls below a threshold (a partial preimage); that is what makes the difficulty tunable.

The verifications are done by miners

Alice's transaction message m is broadcast:
I, Alice, transfer southfork no. 3869303 to Bob.
A miner selects a random k and computes h(m + k), where + denotes concatenation.
If h(m + k) ≥ T the miner chooses a new k and tries again.
After a long time we get h(m + k) < T and the miner broadcasts k.
Bob receives k and checks that h(m + k) < T; this takes him a single hash computation.
We will talk more about T at the end of the lecture.

A simple example of Proof of Work

Let the threshold T be so that the hash value h(m + k) needs five leading zeros and let m = AAA.

  m + k         h(m + k)
  AAA0          802dbe2e69...
  AAA1          bbfce0d522...
  AAA2          7bb4db476f...
  ...           ...
  AAA770239     00000921ac...

k = 770239 is a valid solution


Note that in the normal case, k is chosen randomly.
There are several solutions k to the problem h(m + k) < T .
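A runnable version of this search, added here and not part of the lecture. It uses SHA-256 for h and appends k to m as decimal text, exactly as in the table above; the lecture does not say which hash function produced its values, so the nonce found for "AAA" will differ from 770239. The difficulty is set to four hexadecimal zeros so the search finishes in well under a second; five zeros takes roughly a million hashes.

```python
# Added example (not from the lecture): the Southfork/Bitcoin proof-of-work
# search with SHA-256 as h and the nonce k appended to m as decimal text.
import hashlib


def h(data: bytes) -> int:
    """The slide's h(): SHA-256, read as a 256-bit integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def threshold(leading_zero_hex_digits: int) -> int:
    """T such that h(m+k) < T exactly when the 64-digit hex digest starts
    with that many zeros: a value below 16**(64-d) has d leading zeros."""
    return 16 ** (64 - leading_zero_hex_digits)


def verify(m: bytes, k: int, T: int) -> bool:
    """What Bob does: one hash, one comparison."""
    return h(m + str(k).encode()) < T


def mine(m: bytes, T: int, start: int = 0):
    """What a miner does: try k = start, start+1, ... until h(m+k) < T.
    Returns (k, attempts). The slide says k is normally chosen at random;
    counting up from `start` keeps the example reproducible."""
    k, attempts = start, 0
    while True:
        attempts += 1
        if verify(m, k, T):
            return k, attempts
        k += 1


def expected_attempts(T: int) -> float:
    """Each try succeeds with probability T / 2**256, so on average the
    miner needs 2**256 / T hashes; with d leading hex zeros that is 16**d."""
    return 2 ** 256 / T


if __name__ == "__main__":
    m = b"AAA"                 # the message from the slide
    T = threshold(4)           # four hex zeros = 16 bits of work
    k, tries = mine(m, T)
    digest = hashlib.sha256(m + str(k).encode()).hexdigest()
    print(f"k={k} after {tries} tries, h(m+k) = {digest[:16]}...")
    print("Bob verifies:", verify(m, k, T))
    print("expected attempts at this difficulty:", expected_attempts(T))
```

The asymmetry the slide relies on is visible in the two functions: `mine` loops on the order of 16**d times, `verify` runs once.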

Mining is a competition to find a solution

(Figure: several miners try nonces such as 19395?, 5536233?, 64203? against the same transaction until 8890153!! is found. Charlie is the lucky winner.)

Bob can trust the acknowledgment from Charlie.

A block is a large number of transactions

Block #236434
Alice 1 southfork to Bob
Charlie 500 southfork to Mallory
Alice 50 southfork to Mallory
Victor 4 southfork to Trent
Peggy 7000 southfork to Victor
Eve 15 southfork to Alice
Bob 100 southfork to Peggy

Previous hash value

2015-10-14 13:44:17

Nonce k

A block is only valid if its hash value is less than T.

Transactions are verified by miners

The process of turning transactions into blocks is mining.

The blocks are numbered and form a long chain, the blockchain.

(Figure: a chain of numbered blocks; a short side branch is marked "abandoned".)

If two miners find a valid block simultaneously, the chain forks. Each node keeps working on the first of the two blocks it received; the tie is broken by the next block, after which everybody switches to the longest chain and the other branch is abandoned.

Each block gives security to the previous ones

(Figure: Hash <- TX <- Hash <- TX <- Hash <- TX <- ...: every block's hash covers its transactions and the previous block's hash.)

Bob waits a number of blocks before accepting Alice's transaction.
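To make the chaining concrete, here is a minimal Southfork-style blockchain, added here and not part of the lecture. Each block carries the previous block's hash, a timestamp, a nonce and its transactions, exactly the fields of Block #236434 above; the difficulty (12 bits) and the sample transactions are constructed for the example. It shows why changing one old transaction breaks every later block, and applies the longest-chain rule to a fork.

```python
# Added example (not from the lecture): blocks that commit to their
# predecessor, chain validation, tamper detection and the longest-chain rule.
import copy
import hashlib
import json

DIFFICULTY_BITS = 12                   # small so the example mines instantly
T = 2 ** (256 - DIFFICULTY_BITS)       # a block is valid only if its hash < T


def block_hash(block: dict) -> int:
    """Hash the whole block: transactions, previous hash, timestamp, nonce."""
    header = json.dumps(block, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(header).digest(), "big")


def mine_block(prev_hash: int, transactions: list, timestamp: str) -> dict:
    """Find a nonce k such that the block's hash is below T."""
    block = {"prev_hash": prev_hash, "tx": transactions,
             "time": timestamp, "nonce": 0}
    while block_hash(block) >= T:
        block["nonce"] += 1
    return block


def chain_is_valid(chain: list) -> bool:
    """Every block must meet the PoW threshold and point at its predecessor."""
    prev = 0                           # the first block points at hash 0
    for block in chain:
        if block["prev_hash"] != prev or block_hash(block) >= T:
            return False
        prev = block_hash(block)
    return True


def choose_chain(a: list, b: list) -> list:
    """Nakamoto's rule: follow the longest valid chain. Length stands in for
    total work here; Bitcoin compares accumulated work, which at a fixed
    difficulty is the same thing. Ties go to the chain seen first (a)."""
    candidates = [c for c in (a, b) if chain_is_valid(c)]
    return max(candidates, key=len) if candidates else []


def build_chain(blocks_of_tx: list) -> list:
    """Mine one block per transaction list (constructed sample data)."""
    chain, prev = [], 0
    for i, txs in enumerate(blocks_of_tx):
        block = mine_block(prev, txs, f"2015-10-14 13:{44 + i:02d}:17")
        chain.append(block)
        prev = block_hash(block)
    return chain


def tampered(chain: list) -> list:
    """Copy the chain and rewrite one transaction in its first block."""
    forged = copy.deepcopy(chain)
    forged[0]["tx"][0] = "Alice 1000 southfork to Alice"
    return forged


if __name__ == "__main__":
    honest = build_chain([["Alice 1 southfork to Bob",
                           "Charlie 500 southfork to Mallory"],
                          ["Victor 4 southfork to Trent"],
                          ["Eve 15 southfork to Alice"]])
    print("honest chain valid:  ", chain_is_valid(honest))
    print("tampered chain valid:", chain_is_valid(tampered(honest)))
```

The tampered copy fails for two independent reasons: the edited block almost certainly no longer satisfies the threshold, and even if it happened to, its hash changed, so the next block's `prev_hash` no longer matches. Re-mining the whole suffix is the only repair, which is the work an attacker must outpace.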

This is how Bitcoin works!

Southfork now essentially works like Bitcoin.

Digital signatures initiate the transaction

Miners verify the transactions

Bob accepts the transaction after six successive blocks (takes about one hour).

New currency is created by rewarding miners.

Everybody has the blockchain

All transactions are in the blockchain.

Anybody can see all transactions

Today, the blockchain takes up more than 40 gigabytes.

Security analysis
The only way for Alice to cheat is the following:
1. Buy a supercomputer
2. Save up money for the electric bill
3. Pay Bob with a transaction m, then try to replace the chain with one in which the same southfork goes elsewhere
4. Let the supercomputer search for blocks that leave m out.
5. The computer must be faster than everybody else's, combined, to overtake the chain that contains m.
6. Even if she manages to solve a block with an invalid transaction, no other miner will accept it: proof of work only orders transactions, it never makes an invalid one valid.
Alice has a hard time cheating Bob.
Even if she has 1 % of the hashing power, the chance of mining six blocks in a row is (0.01)^6 = 10^-12. (This counts six consecutive lucky blocks; the race analysis in the Bitcoin whitepaper, which lets her keep trying to catch up, gives a larger but still negligible figure, on the order of 10^-10 for these parameters.)
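The whitepaper's own calculation (Section 11 of bitcoin.pdf) as runnable code, added here and not part of the lecture. The honest chain's progress while the attacker mines is modelled as Poisson with mean z·q/p, and for each outcome the attacker must still win a gambler's-ruin race from z-k blocks behind, which she does with probability (q/p)^(z-k). The second function turns this around into the question Bob actually asks: how many blocks to wait for a given risk.

```python
# Added example (not from the lecture): attacker-success probability from the
# Bitcoin whitepaper, Section 11, and the confirmation depth it implies.
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with fraction q of the hash power ever
    catches up once the honest chain is z blocks ahead."""
    p = 1.0 - q
    if q >= p:
        return 1.0                  # with half the power or more she always wins
    lam = z * (q / p)               # expected honest blocks during her z blocks
    honest_wins = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        honest_wins += poisson * (1 - (q / p) ** (z - k))
    return 1 - honest_wins


def blocks_to_wait(q: float, max_risk: float) -> int:
    """Smallest z for which the attacker's chance drops below max_risk."""
    z = 0
    while attacker_success_probability(q, z) >= max_risk:
        z += 1
    return z


if __name__ == "__main__":
    for q in (0.01, 0.1, 0.3):
        prob = attacker_success_probability(q, 6)
        print(f"q={q:<5} P(catch up from 6 behind) = {prob:.3g}, "
              f"blocks for <0.1 % risk: {blocks_to_wait(q, 0.001)}")
```

For q = 0.1 the function reproduces the whitepaper's table (z = 5 gives about 0.0009), which is where the "six blocks" rule of thumb comes from; for q = 0.3 the same risk needs well over twenty blocks, so the lecture's one-hour figure assumes a small attacker.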

Sending and receiving bitcoin

Bitcoin uses cryptographic addresses.
Private key:
E9873D79C6D87DC0FB6A5778633389F4
453213303DA61F20BD67FC233AA33262

ECDSA (private key -> public key on secp256k1)

RIPEMD-160 (of the SHA-256 of the public key)

base58 (Base58Check: a version byte is prepended and a 4-byte checksum appended)

Address:
3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy

(An address beginning with 3 is a pay-to-script-hash address; an address derived directly from one public key as above begins with 1.)

Detailed view of a transaction

Sending and receiving bitcoin

A bitcoin wallet

Bitcoin trading
Today: 1 BTC ≈ 2000 SEK.
Bitcoin can be bought and sold like any other currency.
Bitcoin ATM in Stockholm.

Volatility is a big problem

Addresses are global and fast

My bitcoin address: 12bs44bxxe2k3ax2c9pQHtodUhPSrbJqbe
Built-in check code: a mistyped address fails the checksum instead of sending the coins to nobody.
Fits well with QR codes.
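The "built-in check code" is Base58Check. The following is an added example, not part of the lecture: it implements the encoding and the checksum test, and the pay-to-public-key-hash pipeline from the address slide (version byte 0x00, then RIPEMD-160 of SHA-256 of the public key, then the first four bytes of a double SHA-256 as checksum). The 20-byte hash used in the demonstration is constructed, not derived from a real key. `hash160` needs an OpenSSL build that still provides ripemd160, which some OpenSSL 3 builds do not, so it is kept separate from the rest.

```python
# Added example (not from the lecture): Base58Check as used for Bitcoin
# addresses, with encode, decode-and-verify, and the P2PKH pipeline.
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58_encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is kept as a leading '1' (base58's zero digit).
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def base58_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)   # ValueError on 0, O, I, l: not in the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def base58check_encode(version: bytes, payload: bytes) -> str:
    data = version + payload
    return base58_encode(data + sha256d(data)[:4])


def base58check_decode(address: str):
    """Return (version, payload), or None if the 4-byte checksum does not match."""
    raw = base58_decode(address)
    data, checksum = raw[:-4], raw[-4:]
    if sha256d(data)[:4] != checksum:
        return None
    return data[:1], data[1:]


def hash160(pubkey: bytes) -> bytes:
    """RIPEMD160(SHA256(pubkey)); requires ripemd160 in the local OpenSSL."""
    return hashlib.new("ripemd160", hashlib.sha256(pubkey).digest()).digest()


def p2pkh_address(pubkey: bytes) -> str:
    """Version 0x00 + hash160 + checksum: the addresses that start with '1'."""
    return base58check_encode(b"\x00", hash160(pubkey))


if __name__ == "__main__":
    h160 = bytes(range(20))                    # constructed, not a real key hash
    addr = base58check_encode(b"\x00", h160)
    print(addr, base58check_decode(addr) == (b"\x00", h160))
    typo = addr[:-1] + ("2" if addr[-1] != "2" else "3")
    print("typo detected:", base58check_decode(typo) is None)
```

A wallet that accepts an address without running `base58check_decode` gives up the protection the slide mentions; a random single-character error passes the checksum with probability about 2^-32.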

Only an address is needed

This sign was shown on ESPN, giving 24 000 USD

Bitcoin for merchants

Bitcoin and trust

In Bitcoin, the users only need to trust the algorithm, nothing else.

In contrast to traditional currency, where trust is placed in the central bank, the Bitcoin protocol is a system without a trusted party.

You don't even need to trust the initial creator, Nakamoto.

Bitcoin mining is big business


Whenever a miner finds a valid block, he or she is rewarded.

Industrial-scale mining. Photo from KnC Miner

Bitcoin mining has scalable difficulty

Bitcoin dynamically scales the mining difficulty.

The goal is one mined block per 10 minutes, globally.

Smaller T gives higher difficulty.

Currently, you need hash values beginning with 16 (!) hexadecimal zeros:

00000000000000001093a79b7a3a5939f7b032b7e6927799eed667149dc71007
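How the threshold T is actually represented and adjusted in Bitcoin, as an added example that goes beyond the slide: Bitcoin stores T in a block header field called "bits", a compact floating-point form of the 256-bit target, and every 2016 blocks rescales it by the ratio of the time those blocks took to the two weeks they should have taken, clamped to a factor of four per period. The helper converting a target to the slide's leading-zero count ties the two views together. The code is not from the lecture; the constants are Bitcoin's.

```python
# Added example (not from the lecture): Bitcoin's "bits" target encoding,
# difficulty, and a simplified version of the 2016-block retarget rule.
MAX_TARGET = 0xFFFF << 208          # the genesis target; bits = 0x1d00ffff
RETARGET_BLOCKS = 2016
EXPECTED_SPAN = RETARGET_BLOCKS * 600   # seconds: 2016 blocks of 10 minutes


def bits_to_target(bits: int) -> int:
    """target = mantissa * 256^(exponent - 3); bit 23 of the mantissa is a sign."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if bits & 0x00800000:
        raise ValueError("negative target is never valid")
    if exponent >= 3:
        return mantissa << (8 * (exponent - 3))
    return mantissa >> (8 * (3 - exponent))


def target_to_bits(target: int) -> int:
    """Inverse of bits_to_target, keeping the mantissa's sign bit clear."""
    size = (target.bit_length() + 7) // 8
    if size > 3:
        mantissa = target >> (8 * (size - 3))
    else:
        mantissa = target << (8 * (3 - size))
    if mantissa & 0x00800000:       # would read as negative: shift one byte more
        mantissa >>= 8
        size += 1
    return (size << 24) | mantissa


def difficulty(target: int) -> float:
    """Difficulty 1 is the genesis target; a smaller target is harder."""
    return MAX_TARGET / target


def leading_zero_hex_digits(target: int) -> int:
    """The slide's view: how many leading hex zeros a hash below T must have."""
    return (256 - target.bit_length()) // 4


def retarget(old_target: int, actual_span_seconds: int) -> int:
    """New target after a period: scaled by actual/expected time, the change
    clamped to [1/4, 4], and never easier than MAX_TARGET."""
    span = min(max(actual_span_seconds, EXPECTED_SPAN // 4), EXPECTED_SPAN * 4)
    return min(old_target * span // EXPECTED_SPAN, MAX_TARGET)


if __name__ == "__main__":
    t = bits_to_target(0x1d00ffff)
    print(hex(t), "difficulty", difficulty(t), "zeros", leading_zero_hex_digits(t))
    faster = retarget(t, EXPECTED_SPAN // 2)   # blocks came twice as fast
    print("after a fast period:", difficulty(faster), leading_zero_hex_digits(faster))
```

The clamp matters for security as well as stability: without it a miner who manipulates timestamps could collapse the difficulty in a single period.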

Extreme competition in bitcoin mining

Note the logarithmic scale!


Today: Hash rate is more than 440 Phash/s.

Specialized ASIC miners are expensive

The Swedish miner KnC Neptune costs thousands of dollars and performs about 3 · 10^12 hashes per second (3 TH/s). Today, that gives roughly 160 USD per month (expenses not included).

Bitcoin 2.0: Digital contracts

A Bitcoin transaction between two parties is a digital contract.
Digital contracts can do much more than just money.
Currently in development: Ethereum.
Turing-complete money!

- Contract for difference
- Multisignature escrows
- Peer to peer gambling

Simple example of a digital contract

Alice sets up a savings account.

She is quite lazy, so she hires Bob to manage her money.

Bob and Alice don't fully trust each other.

They establish a contract with the following rules:

1. Alice alone can withdraw 1 % per day.
2. Bob alone can withdraw 0.05 % per day.
3. Alice and Bob together can withdraw all the money right away.

The savings account

Alice only needs small amounts of money every day.

If she needs more, she can ask Bob for permission.

If Bob turns out to be evil, Alice can withdraw money 20 times as fast.

If Alice's key is compromised, she can run to Bob and they move the money to a new contract.

If Alice loses her key, Bob can eventually help her get her money back.
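The three rules as executable logic, an added example that is not part of the lecture and not Ethereum code: a plain-Python model of the contract in which time is a day counter and the per-day limits are taken as a percentage of the balance at the start of each day (the slide does not say which balance the percentage refers to; that choice is an assumption). Running it shows the 20:1 ratio the slide mentions and what a compromised single key can and cannot do.

```python
# Added example (not from the lecture): a model of the Alice/Bob savings
# contract that enforces its three withdrawal rules.
class SavingsContract:
    """Rule 1: Alice alone may withdraw up to 1 % per day.
    Rule 2: Bob alone may withdraw up to 0.05 % per day.
    Rule 3: Alice and Bob together may withdraw everything at once.
    Assumption: a day's limit is a fraction of the balance at day start."""

    DAILY_LIMIT = {"alice": 0.01, "bob": 0.0005}

    def __init__(self, balance: float):
        self.balance = balance
        self.day = 0
        self.day_start_balance = balance
        self.spent_today = {"alice": 0.0, "bob": 0.0}

    def advance_day(self):
        self.day += 1
        self.day_start_balance = self.balance
        self.spent_today = {"alice": 0.0, "bob": 0.0}

    def withdraw(self, signers: set, amount: float) -> bool:
        """Debit and return True if this signer set may take `amount` now."""
        if amount <= 0 or amount > self.balance:
            return False
        if signers == {"alice", "bob"}:          # Rule 3: joint, no limit
            self.balance -= amount
            return True
        if len(signers) != 1 or not signers <= set(self.DAILY_LIMIT):
            return False                          # unknown key or no key
        who = next(iter(signers))
        allowance = self.DAILY_LIMIT[who] * self.day_start_balance
        if self.spent_today[who] + amount > allowance + 1e-9:
            return False                          # over today's limit
        self.spent_today[who] += amount
        self.balance -= amount
        return True


def days_to_drain(contract: SavingsContract, who: str, days: int) -> float:
    """How much one signer alone can extract in `days` days by taking the
    maximum every day: the attacker's view if that single key is stolen."""
    total = 0.0
    for _ in range(days):
        allowance = contract.DAILY_LIMIT[who] * contract.day_start_balance
        if contract.withdraw({who}, allowance):
            total += allowance
        contract.advance_day()
    return total


if __name__ == "__main__":
    c = SavingsContract(10_000.0)
    print("Alice takes 100:", c.withdraw({"alice"}, 100.0))
    print("Alice takes 1 more today:", c.withdraw({"alice"}, 1.0))
    print("Bob takes 5:", c.withdraw({"bob"}, 5.0))
    print("both take the rest:", c.withdraw({"alice", "bob"}, c.balance))
    a = days_to_drain(SavingsContract(10_000.0), "alice", 30)
    b = days_to_drain(SavingsContract(10_000.0), "bob", 30)
    print(f"30-day drain: Alice {a:.2f}, Bob {b:.2f}, ratio {a / b:.1f}")
```

The model makes the slide's recovery stories checkable: a thief holding only Bob's key is limited to 0.05 % per day, which gives Alice time to notice and, together with Bob's cooperation or on her own at 1 % per day, move the money out faster than the thief can.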

Digital contracts: Beyond currencies


A digital contract has a life of its own
An autonomous agent that enforces the rules in the network.
Similar to secret sharing, but better.
Digital contracts are even beyond currencies:
- Distributed, incentivized Dropbox storage
- Anonymous, encrypted message distribution
- Web of trust
- ...

Digital contracts: Very new and paving the way for new, previously unthinkable innovations.

More reading if you are interested


After this course you have the necessary background to understand Bitcoin.
The Bitcoin whitepaper: Read it!
https://bitcoin.org/bitcoin.pdf
How the Bitcoin protocol actually works:
http://www.michaelnielsen.org/ddi/how-the-bitcoin-protocol-actually-works/
More detailed explanation of transactions and keys:
http://www.righto.com/2014/02/bitcoins-hard-way-using-raw-bitcoin.html
(These slides will be on the homepage shortly)

Summary of methods
Transactions are signed with digital signatures: ECDSA

The elliptic curve used in Bitcoin is secp256k1.

E : y^2 = x^3 + 7 (mod p)

where
p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1.

Transactions are verified collectively by finding (partial) preimages of hash functions.
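One added example serves two parts of the lecture: the secp256k1 curve and ECDSA summarised here, and the SET dual signature DS = D_C(H(H(E_B(PI)) || H(E_M(GSO)))) from the start. It is not the lecture's code. The curve arithmetic and ECDSA are written out in pure Python (no library), with the signing nonce derived deterministically from the key and the digest, a simplified form of the RFC 6979 idea so that no nonce is ever reused. For SET, the two ciphertexts E_B(PI) and E_M(GSO) are passed in as opaque byte strings; the example covers the signature and its two one-sided verifications, not the public-key encryption. The slide's private key is used as the Cardholder's key; the ciphertext stand-ins are constructed.

```python
# Added example (not from the lecture): secp256k1 ECDSA in pure Python, used
# for the curve on the "Summary of methods" slide and for SET dual signatures.
import hashlib
import hmac

# secp256k1 domain parameters (SEC 2): y^2 = x^3 + 7 over F_p.
P = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None                                   # the point at infinity


def on_curve(pt) -> bool:
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def point_add(a, b):
    """Affine addition, including doubling and the P + (-P) = INF case."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k: int, pt):
    """Double-and-add; k*G for a private key k is the public key."""
    result = INF
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def ecdsa_sign(priv: int, digest: bytes):
    """Nonce k = HMAC-SHA256(priv, digest), simplified RFC 6979 style."""
    z = int.from_bytes(digest, "big")
    mac = hmac.new(priv.to_bytes(32, "big"), digest, "sha256").digest()
    k = int.from_bytes(mac, "big") % (N - 1) + 1
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s


def ecdsa_verify(pub, digest: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(digest, "big")
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not INF and pt[0] % N == r


# SET dual signature. E_B(PI) and E_M(GSO) arrive already encrypted (opaque
# bytes here); H is SHA-256 and D_C / E_C are ECDSA sign / verify.
def dual_signature(card_priv: int, enc_pi: bytes, enc_gso: bytes):
    """DS = D_C(H(H(E_B(PI)) || H(E_M(GSO))))."""
    return ecdsa_sign(card_priv, sha256(sha256(enc_pi) + sha256(enc_gso)))


def merchant_check(card_pub, enc_gso: bytes, h_enc_pi: bytes, ds) -> bool:
    """The Merchant holds E_M(GSO) in full but only the hash of E_B(PI)."""
    return ecdsa_verify(card_pub, sha256(h_enc_pi + sha256(enc_gso)), ds)


def bank_check(card_pub, enc_pi: bytes, h_enc_gso: bytes, ds) -> bool:
    """The Bank holds E_B(PI) in full but only the hash of E_M(GSO)."""
    return ecdsa_verify(card_pub, sha256(sha256(enc_pi) + h_enc_gso), ds)


# Constructed sample: the slide's private key as the Cardholder's key, and
# stand-in byte strings for the two ciphertexts.
CARD_PRIV = 0xE9873D79C6D87DC0FB6A5778633389F4453213303DA61F20BD67FC233AA33262
CARD_PUB = scalar_mult(CARD_PRIV, G)
ENC_PI = b"E_B(PI): card number and expiry, for the Bank only"
ENC_GSO = b"E_M(GSO): one textbook, 450 SEK, for the Merchant only"


def run_set_flow():
    """Steps 1-3 of the SET slide; returns (merchant accepts, bank accepts)."""
    ds = dual_signature(CARD_PRIV, ENC_PI, ENC_GSO)
    merchant_ok = merchant_check(CARD_PUB, ENC_GSO, sha256(ENC_PI), ds)
    bank_ok = bank_check(CARD_PUB, ENC_PI, sha256(ENC_GSO), ds)
    return merchant_ok, bank_ok


if __name__ == "__main__":
    print("G on curve:", on_curve(G), " N*G = INF:", scalar_mult(N, G) is INF)
    print("SET flow (merchant, bank):", run_set_flow())
```

Two things worth trying by hand: swap in a different GSO on the Merchant's side or a different PI on the Bank's side and the same DS fails, which is the linkage that stops either party from pairing the Cardholder's signature with an order or payment it was not made for; and verify a signature against a public key other than the signer's, which fails as ordinary ECDSA requires.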

The challenges
As a currency, bitcoin is very young.

Transactions are safe, storage is not.

If Alice loses her key, she loses her money.

If Eve finds Alice's key, she can take her money and get away with it.

Many questions remain: Taxation? Volatility? Illicit trade?

Summary
Secure Electronic Transactions: Centralized and tied to a currency
Bitcoin: Peer-to-peer, decentralized.
Ethereum: Digital, autonomous contracts
Extreme development, stay tuned!

Jonathan Jogenfors, jonathan.jogenfors@liu.se
