1 of 59

Bitcoin Tutorial

Bitcoin and Cryptocurrency Workshop

CITP, Princeton

Joseph Bonneau

Thanks to Andrew Miller, Arvind Narayanan, Jeremy Clark, Joshua Kroll, Ed Felten

2 of 59

Bitcoin has many different parts!

3 of 59

Part I: Bitcoin in 6 easy steps

4 of 59

Double spending: why ecash is hard

BANK

Alice

Bob

SignA(Transfer X to B)

Charlie

SignA(Transfer X to C)

SignZ(Transfer X to A)

Redeem X?

Redeem X?

5 of 59

Step 1: Make the bank a global log

SignA(Transfer X to C)

...

SignA(Transfer X to B)

...

SignA(Transfer X to C)

(the block chain)

SignatureBANK

SignatureBANK

SignatureBANK

SignatureBANK

6 of 59

Step 2: Participants vote on blocks

SignatureA SignatureB SignatureC ...

SignatureA SignatureB SignatureC ...

SignatureA SignatureB SignatureD ...

7 of 59

Step 3: A random user picks

N-2

N-1

SignA(Transfer X to C)

SignatureB

SignatureA

N

SignatureC

N

C

8 of 59

Step 4: Resolve conflicts by forking

SignA(Transfer X to B)

SignatureB

SignatureA

SignA(Transfer X to C)

SignatureC

SignatureD

SignatureE

9 of 59

Step 5: Incentivise correct blocks

SignatureB

SignatureA

SignatureC

SignatureD

SignatureE

Mint(X, A)

Mint(X, B)

Mint(X, D)

Mint(X, E)

Mint(X, C)

10 of 59

Step 6: Choose by hash power!

Mint(X, A)

Mint(X, B)

Mint(X, C)

SHA-256(Block_{N-1}, n) = 0x00000000000000003f89...

SHA-256(Block_{N-1}, n) = 0x00000000000000008c71...

Mining difficulty

Mining difficulty

11 of 59

Preventing double spending

SignA(Transfer X to B)

SignA(Transfer X to C)

SignA(Transfer X to B)

Longest chain wins

12 of 59

Transaction confirmation (~6 blocks)

13 of 59

Bitcoin is transaction-based

IN:

scriptSig ...

scriptSig ...

OUT:

scriptPub A, 5.9

...

...

IN:

scriptSig A

OUT:

scriptPubB, 5.0

scriptPubA, 0.9

IN:

scriptSig A

scriptSig A

OUT:

scriptPubC, 10.0

IN:

scriptSig ...

OUT:

scriptPubA, 9.2

...

14 of 59

Bitcoin transactions specify scripts

scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG

IN:

scriptSig ...

scriptSig ...

OUT:

scriptPub A, 5.9

IN:

scriptSig A

OUT:

scriptPubB, 5.0

scriptPubA, 0.9

<sig> <pubKey> OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG

scriptSig: <sig> <pubKey>

Redemption script:

15 of 59

Bitcoin transactions specify scripts

<sig> <pubKey> OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG

<sig>

<pubKey>

<pubKey>

<pubKeyHash>

<pubKeyHash>

16 of 59

Bitcoin script features

  • multiple signatures
  • escrow
  • time locking
  • commitment opening

...

  • smart contracts?

17 of 59

Part II: Mining & Consensus

18 of 59

51% attacks

Goldfinger Attack?

19 of 59

Checkpointing

How decentralized is Bitcoin?

20 of 59

Selfish mining

Observation: for 0.33 < x < 0.5, selfish miners holding a fraction x of the mining power can earn more than a fraction x of the rewards

Secret Block

Secret Block

Majority is not enough: Bitcoin mining is vulnerable

Ittay Eyal and Emin Gün Sirer. Financial Crypto 2014
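The observation on this slide can be checked numerically. The following is an added example, not taken from the slides or from the paper's authors, that simulates the selfish-mining state machine described in the cited Eyal and Sirer paper. The function name, the event count and the seed are assumptions of this sketch; `gamma` is the paper's parameter for the fraction of honest miners that build on the selfish block during a tie, and the 0.33 threshold corresponds to `gamma = 0`.

```python
import random

def selfish_share(alpha, gamma=0.0, events=200_000, seed=1):
    """Fraction of main-chain rewards earned by a selfish pool that
    holds a fraction `alpha` of the total mining power."""
    rng = random.Random(seed)
    lead = 0        # private blocks the pool is ahead of the public chain
    race = False    # True while two equal-length branches compete
    pool = others = 0
    for _ in range(events):
        pool_found = rng.random() < alpha
        if race:
            if pool_found:                 # pool extends its own branch
                pool += 2
            elif rng.random() < gamma:     # honest block on pool's branch
                pool += 1
                others += 1
            else:                          # honest block on honest branch
                others += 2
            race = False
        elif pool_found:
            lead += 1                      # keep the new block secret
        elif lead == 0:
            others += 1                    # nothing withheld: honest win
        elif lead == 1:
            race, lead = True, 0           # publish the secret block: tie
        elif lead == 2:
            pool += 2                      # publish both, orphan honest block
            lead = 0
        else:
            pool += 1                      # release one block, stay ahead
            lead -= 1
    return pool / (pool + others)

if __name__ == "__main__":
    for x in (0.25, 0.33, 0.40, 0.45):
        print(f"x = {x:.2f}  honest share = {x:.3f}  "
              f"selfish share = {selfish_share(x):.3f}")
```

Below one third of the mining power the withholding strategy earns less than honest mining, which is why the slide's range starts at 0.33.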

21 of 59

Mining difficulty

bitcoinwisdom.com

22 of 59

Difficulty adjustment

bitcoinwisdom.com

10 minutes

2 weeks

23 of 59

Mining rewards

Courtesy:

Brian Warner

24 of 59

Total network capacity

  • 2^64 hashes per block (every 10 minutes!)
  • 2^75 hashes in 2013
    • In exchange for ~US$250M
  • Consuming > 100 MW

25 of 59

Bitcoin mining hardware

26 of 59

Should I mine bitcoins?

Chilkoot pass, Klondike 1898

27 of 59

Mining pools

Mint(25, KPOOL)

0x00000000000000003f89...

0x000000000000490c6b00...

0x00000000000000003f89...

0x0000000000001e8709ce...

0x00000000000007313f89...

0x00000000000045a1611f...

0x000000000000a877902e...
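The hash search from "Step 6: Choose by hash power!" and the hash list on this slide can be tied together in code. The following is an added example, not from the slides: it searches for a nonce n with SHA-256(Block_{N-1}, n) below a block target, and collects every hash below an easier target along the way, which is how the hashes with fewer leading zeros on this slide are read here (as pool shares). The function names, the 8-byte nonce encoding and the small difficulties are assumptions chosen so the search finishes quickly.

```python
import hashlib

def pow_hash(prev_block: bytes, nonce: int) -> int:
    """SHA-256(Block_{N-1}, n) as an integer, in the slide's notation.
    (Bitcoin itself double-hashes an 80-byte header; simplified here.)"""
    data = prev_block + nonce.to_bytes(8, "little")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def target(zero_bits: int) -> int:
    """A hash meets the difficulty if it is below this value,
    i.e. it starts with at least zero_bits zero bits."""
    return 1 << (256 - zero_bits)

def verify(prev_block: bytes, nonce: int, zero_bits: int) -> bool:
    """Checking a claimed solution costs one hash at any difficulty."""
    return pow_hash(prev_block, nonce) < target(zero_bits)

def mine(prev_block, block_bits, share_bits, max_nonce=1 << 24):
    """Try nonces in order. Every hash under the share target is a
    share; the first share that also meets the block target wins.
    Returns (winning_nonce, share_nonces)."""
    shares = []
    for nonce in range(max_nonce):
        h = pow_hash(prev_block, nonce)
        if h < target(share_bits):
            shares.append(nonce)
            if h < target(block_bits):
                return nonce, shares
    return None, shares

if __name__ == "__main__":
    prev = b"constructed previous block"   # constructed sample input
    nonce, shares = mine(prev, block_bits=16, share_bits=8)
    print(f"block nonce {nonce}: {pow_hash(prev, nonce):064x}")
    print(f"{len(shares)} shares found on the way (about 2^8 expected)")
```

Each extra zero bit doubles the expected search work while verification stays at one hash, and the share count lets a pool measure a member's work without waiting for a full block.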

28 of 59

Mining pools

29 of 59

Part III: Bitcoin as a currency

30 of 59

Why does Bitcoin have value?

Consensus

  • Consensus in state (blockchain)
  • Consensus in payment
  • Consensus in rules

The Economics of Bitcoin Mining, or Bitcoin in the Presence of Adversaries

Joshua Kroll, Ian Davey, Ed Felten. WEIS 2013

31 of 59

Price during 2013

32 of 59

Black Markets

Silk Road: US$14M in Revenue in 2012 [Christin 2012]

Traveling the Silk Road: A measurement analysis of a large anonymous online marketplace

Nicolas Christin, WWW 2013

33 of 59

Capital controls

34 of 59

E-commerce

35 of 59

Bitcoin exchanges

Beware the middleman: Empirical analysis of Bitcoin-exchange risk

Tyler Moore and Nicolas Christin, Financial Crypto 2013

36 of 59

Part IV: Neat applications

37 of 59

Green Addresses

(speeding up payments)

IN:

scriptSig ...

OUT:

scriptPub A, 10.0

IN:

scriptSig A

OUT:

scriptPub O, 1.0

scriptPub A, 9.0

x 6

38 of 59

Green Addresses

(speeding up payments)

IN:

scriptSig ...

OUT:

scriptPub G, 10.0

IN:

scriptSig A

OUT:

scriptPub O, 1.0

scriptPub A, 9.0

I promise to never double-spend!

39 of 59

Sequential micropayments

IN:

scriptSig ...

OUT:

scriptPub G, 10.0

I promise to never double-spend!

IN:

scriptSig A

OUT:

scriptPub O, 0.1

scriptPub A, 9.9

IN:

scriptSig A

OUT:

scriptPub O, 0.2

scriptPub A, 9.8

IN:

scriptSig A

OUT:

scriptPub O, 0.3

scriptPub A, 9.7

IN:

scriptSig A

OUT:

scriptPub O, 0.4

scriptPub A, 9.6

40 of 59

Secure commitments (timestamping)

Hash

Data

CommitCoin: carbon dating commitments with Bitcoin

Jeremy Clark, Aleksander Essex. Financial Crypto 2012

41 of 59

Randomness Beacon

Hash

=

42 of 59

Part V: Anonymity

43 of 59

Tracing Bitcoin transactions

IN:

scriptSig A1

scriptSig A2

OUT:

scriptPub A3, 5.9

...

...

IN:

scriptSig A3

OUT:

scriptPubB, 5.0

scriptPubA4, 0.9

Joint control

Change addresses

44 of 59

Building the transaction graph

A Fistful of Bitcoins: Characterizing Payments Among Men with No Names

Sarah Meiklejohn et al., IMC 2013

45 of 59

Bitcoins carry a transaction history

  • identification
  • censorship

  • recovery from theft
  • economic analysis

Towards Risk Scoring of Bitcoin Transactions

Möser, Malte, Rainer Böhme, and Dominic Breuker, BITCOIN 2013

46 of 59

Mixes

47 of 59

Mixes today

Caution: Mixing services may themselves be operating with anonymity. As such, if the mixing output fails to be delivered or access to funds is denied there is no recourse. Use at your own discretion.

-The Bitcoin Wiki

An inquiry into money laundering tools in the Bitcoin ecosystem

Möser, Malte, Rainer Böhme, and Dominic Breuker, ECRIME 2013

48 of 59

Better mixes with warranties

If v k_esc by t_in, but not v k_out by t_out

The client publishes

If I send you v bitcoins by time t_in

Will you send v to my address k_out by time t_out?

Sure! Just send your coins k_esc

Sign(v, t_in, t_out, k_out, k_esc)

Anyone can verify cheating

(Ideally) no one trusts anymore

Mixcoin: Anonymity for Bitcoin with accountable mixes

J. Bonneau, A. Narayanan, A. Miller, J. Clark, J. Kroll, E. Felten. Financial Crypto 2013

49 of 59

Coin Join

IN:

scriptSig P

scriptSig M

scriptSig S

OUT:

scriptPub P’, 1.0

scriptPub M’, 1.0

scriptPub S’, 1.0

50 of 59

Zerocoin

Bitcoin

Zerocoin

CRYPTO!

Zerocoin: Anonymous distributed e-cash from bitcoin

Ian Miers, Christina Garman, Matthew Green, Avi Rubin. IEEE Oakland 2013

51 of 59

Zerocash

“Cryptocurrencies are just a gateway drug to SNARKS”

Zerocash: Decentralized Anonymous Payments from Bitcoin

E. Ben-Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, M. Virza. IEEE Oakland 2014

52 of 59

Part VI: Extensions & Altcoins

53 of 59

Types of changes to Bitcoin

  • overlay
  • soft fork
  • hard fork
  • alternate chain
  • alternate systems

Easy

Hard

Deployment

difficulty

54 of 59

Overlays

55 of 59

Soft fork changes

  • Pay-to-script-hash
  • Pay-to-SNARK (CoinWitness)
  • ECDSA-P256 replacements
  • Zerocoin

56 of 59

Hard fork changes

  • Change block size
  • Change block frequency
  • Various bug fixes
  • Restructuring the chain

57 of 59

Altcoins (Bitcoin-like chain)

58 of 59

Other altcoins

59 of 59

Questions