bitcoin, a(lookunder(the(bonnet · bitcoin as an anti-censorship tool 5.2.2 workﬂow as mentioned...

Boris Škorić

Bitcoin, a look under the bonnet

ANP colloquium May 26, 2015

Outline

2

• Bitcoin 101 • Crypto - one-‐way func7ons - digital signatures

• Transac7ons • Mining

• Binding it all together • An7-‐censorship • Cau7onary notes

What this talk is NOT about

NOT:

• History of cryptocurrencies • Economics / poli7cs

• How to become rich

• How to aHack Bitcoin

3

Bitcoin 101

• Cryptocurrency - assets are purely digital - secret key gives access to "account" - crypto for proving ownership - crypto for signing transac7ons - crypto for crea7ng new money

• Decentralized - peer to peer communica7on

• "Block chain" - all transac7on history is public

4

Quick facts about Bitcoin

• Created in 2008 by "Satoshi Nakamoto" - open source - based on lots of prior work - but with unique combina7on of ingredients

• Accepted by > 105 merchants - easy (interna7onal) transfer of money

- PR value

• Current exchange rate: 1 bitcoin = 209 euro

5

Who is Satoshi Nakamoto?

Dorian S. Nakamoto? (Los Angeles, March 2014)

1 bitcoin = 108 Satoshi

There are many allega7ons

6

Concept #1: One-‐way hash func7on

"Cryptographic hash func9on"

• easy to compute

• very difficult to invert • low prob. of collisions • compressed & unique digest

input

fixed-‐size output

Example: SHA256

• arbitrary input size • output size 256 bits

10100...11010

7

Proof of work

hash

Given: some unpredictable stuff

Find out what to put here!

Hash value must sa>sfy a tough constraint, e.g. lie in a certain small range.

• Solving this problem costs a lot of trial & error => CPU 7me.

• Solu7ons are easily verified!

8

Concept #2: Digital signature

Main concept: key pair (a, A)

private key (secret)

public key

A can be computed from a; the reverse is difficult

a

hash

random r

hash

S σ = S(h,a,r)

h

V

A

V(h,σ,A) ∊ {yes,no}

Signing Signature verifica9on

h

Signature

9

Digital signatures

Successful verifica9on of signature proves two things

1. message integrity

2. authen7city

Anyone can verify a signature

- only the public key is needed

Only one person can generate signatures consistent with A - private key a is needed

Bla. Signed by mr A

"The holder of the private key confirms this message"

Signature

10

Bitcoin accounts

Choose your own key pair • public key is your "account number"

• private key gives access to account - prove that the account is yours: signature - confirming a payment: sign it

You can make as many accounts as you want, completely for free !

11

Bitcoin transac7ons

Transaction data structure

in 1 out 1

in 2 out 2

in M out N

...

...

"in" data: • payments to your account • each "in" data proves ownership

- digital signature - possibly different accounts

• each signature also covers all the "out" data

10 to Vercon

0.02 to Francesco

0.01 to Luigi

23000 to myself

Berlusconi

Al Capone

Don Corleone

Small transac2on fee: out < in

C.o.s.a.™

12

Transac7on: Script language

in#1# out#1#

in#2# out#2#

in#M# out#N#

...#

...#

in#1# out#1#

in#2# out#2#

in#M# out#N#

...#

...#

Challenge script

Response script

Parser 1. Execute Response script 2. Keep the stack 3. Execute Challenge script 4. Check if top of stack is True

Verifica9on

(Everybody can verify)

Pointer to specific output in some past transac>on

(past) (new)

The Script language is too expressive

• leads to implementa7on bugs

• many op7ons are now forbidden

yes/no

13

Allowed challenge script types

Type Prove knowledge of:

Pay to Pub.key private key

Pay to Pub.key hash pub.key & priv.key

Mul7sig n out of k private keys n,k heavily restricted

Nulldata -‐-‐-‐ 40 bytes arbitrary data; Max one Nulldata per transac7on

Pay to script hash challenge script + whatever it demands

Must be one of the above script types

14

peer-‐to-‐peer

Mining

Users Miners • Collect transac7ons • Signatures OK? • Fees OK? • Scripts OK? • Double spending? • Proof of work

...

We want to do these transac>ons:

hash

pointer to previous block

BLOCK

list of collected transac7ons

coinbase transac7on

Find out what to put here

should be smaller than target T

(simplified view)

T ≈ 2188

Lowered every 2016 blocks

15

Block chain

block chain

orphaned block

Incen9ves for the miner: • reward for proof of work, currently 25 BC • transac7on fees

The incen9ves stabilize the system • transac7on confirma7on mechanism brings reward

16

An7-‐censorship

Whole block chain must be visible • otherwise you cannot trust bitcoin • Difficult to censor!

How to write data into blockchain? • Control over data within transac7on • Plenty of op7ons!

Krzysztof Okupski MSc thesis, Dec. 2014:

"(Ab)using Bitcoin for an an>-‐censorship tool" • Bitcoin specifica7on document • open-‐source tool

17

Embedding data in transac7ons

74 (Ab)using Bitcoin as an Anti-Censorship Tool

5.2.2 Workflow

As mentioned before, there are two core functions that are implemented by the mes-saging system, the embedding of messages into the blockchain and their consecutiveextraction from the blockchain. In the following we will describe both functions in moredetail.

Embedding messagesThe process of embedding a message begins with reading it. Next it is compressed andthe embedding costs are estimated. The estimate is computed by building a transactionchain embedding the compressed data and calculating from it the transaction costs.After verification that the wallet holds su�cient funds, the process is continued.

In the next step the compressed data is embedded in a transaction chain. As the processis fairly complex, only a rough outline will be given. Firstly, two transactions are cre-ated and a pointer is set to the first transaction. Secondly, the optimal parameters arecalculated and the compressed data is embedded into the transaction in the followingorder - P2SH Multisig transaction input-output pairs, the Nulldata transaction outputand finally the budget split and budget claim. Note that the data will span over bothtransactions due to the inherent nature of scripts. Finally, if there is any remainingdata, then another transaction is added, the pointer is incremented and the last step isrepeated.

Figure 5.2: Transaction Structure with Embedded Data

The resulting structure after embedding data resembles the transaction chain depictedin Fig. 5.2. The first transaction has one transaction input that supplies the chain withfunds and marks the beginning of the chain. Then, the embedded data spans from thetransaction outputs of the first transaction to the transaction inputs of the last transac-tion. Finally, the last transaction has one transaction output that bundles the remainingfunds and marks the end of the chain.

During the embedding of messages into a transaction chain a trick is applied to ensurechaining between messages from the same sender. After the first message has been sent,


5.2.2 Workflow








5.2.2 Workflow







• Create 2^N accounts ⟹ N bits of info in account iden7fier

• Keep pumping ALL money through your accounts

• Pay to scripthash, with 1-‐out-‐of-‐14 mul7sig

Put informa9on in: • nulldata output • choice of 14 public keys

in challenge scripts • permuta7on of "in" w.r.t. "out" • splitup of the budget

(combinatorics: "composi7on") • signatures

Addi9onal tricks: • text only • reduced character set • compression

Fees: 16 Satoshi per embedded byte

18

Reading data from transac7ons

Reading is not dangerous • Anybody can read the blockchain • You don't even have to be part of the P2P network • What you need to know:

- where to look - how to parse

19

Remarks (1/2)

Black market, crime, etc. • Public keys are pseudonyms

• But: full history is visible; exchange knows your iden7ty • Special effort needed for laundering/mixing/anonymizing

TheX • ∃ specialized bitcoin-‐stealing malware

• Store private keys offline

• Use private keys offline (air gap)

Supposedly decentralized, but ... • Small number of en77es dominates mining

• Chinese mining farms

20

Remarks (2/2)

Bitcoin crypto seems flawless • That's a first.

Bitcoin is cluZered • scripts instead of fixed flowchart • too many transac7on types

• ....

Mining is a tremendous waste of energy • Nothing useful is created, only "art" • Find beHer confirma7on mechanism

21

Summary

22

Well designed system basics • stabilizing incen7ves • solid crypto

A look under Bitcoin's bonnet • one-‐way hashes • signed transac7ons • proofs of work • meshed together in the block chain

An9-‐censorship • embed data in transac7ons

• cost = fees: ≈16 Satoshi/byte

bitcoin, a(lookunder(the(bonnet · bitcoin as an anti-censorship tool 5.2.2 workﬂow as mentioned...

Documents