Your SlideShare is downloading. ×
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Some Thoughts On Bitcoin
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Some Thoughts On Bitcoin


Published on

Dan Kaminsky's thoughts on BitCoin

Dan Kaminsky's thoughts on BitCoin

Published in: Technology, Education
  • What the hell? VISA has on average 4 thousand transactions per second (or 4000 transactions per seconds), which means: (80+32)*4000 bytes per second = 224000 bytes per second = 224 kilobytes per second =~ 1.792 MBit per second, which is perfectly doable.
    Are you sure you want to  Yes  No
    Your message goes here
  • Now: 'supernode'
    Tomorrow: mobile phone
    Ask him again in 5 years from now. Everyone has G4 with 1GB/s on a quad-core low end smartphone. So what?
    Maybe he might be right for a while. But if there is 1 bad guy then 10 good guys stand up and run a 16GB, 100MBit flat, Quad-core node for $60 somethere. Internet via cable has 100Mbit for 30 bugs ... There are more supernodes out there than he is thinking.
    Are you sure you want to  Yes  No
    Your message goes here
  • Supernodes and normal nodes are true, but it can not compare this to the normal banking system, because:

    a.) in bitcoin 'supernode' model, everyone can become a bank

    b.) you can not do fractional reserve banking easily (or if you do, it gets self-regulated like old times with no central bank)

    The difference is not that there are no banks, that's irrelevant. The difference is that there is no central bank. And that is a huge difference.
    Are you sure you want to  Yes  No
    Your message goes here
  • About the supernodes: I think it is a false dichotomy that the transaction network EITHER must be a completely decentralized peer-to-peer network OR a completely centralized, hierarchically structured bank network. There is a very interesting class of networks / graphs / structures called ’small world networks’. They have extremely interesting properties, for example a very high connectivity and extremely short average and maximum distances while being highly decentralized. What matters is that a subset of the nodes are strongly connected and that they have far-reaching connections. Such networks are very frequent in social relationships and many other domains. I think that such a network would not behave like a bank or a hierarchically organized army. It would be more like a village spreading rumors.
    Are you sure you want to  Yes  No
    Your message goes here
  • There is serious optimization possible on the storage side. If you want to host a Bitcoin archive of all time, then yes, you have to store all blocks. If you only want to be able to verify transactions and keep a history of /your/ wallet, then it’s possible to prune old transactions: say transactions that are made obsolete by a valid transaction of more than a month old. The limiting factor is that if the block chain splits (network split, DOS attack on propagating nodes) and suddenly you discover a longer block chain with more authority, you have to be able to retrace your state to that better block chain. A month-long network split is quite unimaginable, unless you live in Egypt or something. But then you don’t receive the transactions in the rest of the world, so storage cost in that time is also reduced.

    In slide 17 you mention that SHA-256 is a poor choice of the hash, because it is quick with a GPU and it creates a shortage in GPUs. I argue that it is not a poor choice, because a quick hash means it’s quick to verify (smaller cost to run a wallet). The cost to miners is the same with SHA-256 or bcrypt, because the cost of mining (difficulty) is determined by the demand in Bitcoin, measured in USD. It’s an equilibrium: if mining is too cheap, more miners will start or miners will expand. With SHA-256 we have a GPU shortage, but with bcrypt we could have a motherboard shortage or something. Or maybe FPGAs are best for bcrypt, then we would get a shortage of those.

    You do have a point about ananonymity and Bitcoin losing the lightweight atmosphere it has now, those are big disadvantages. Interesting slides!

    Also, the people on reddit have some interesting comments:
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Some Thoughts On Bitcoin
    Dan Kaminsky
  • 2. If You’re Smart
    Leave the room right now
    “Bitcoin turns nerd forums into libertarian forums”
    This is true
    Bitcoin is a particularly effective DoS against security professionals
  • 3. Security Inversion
    Normal Code
    Looks like it might be OK up front
    Scratch the surface, it’s actually really bad
    Looks really bad up front
    Scratch the surface, it’s actually surprisingly good
    We aren’t used to systems with these characteristics
    This code has the mark of having been audited by People Like Us
    And quants
  • 4. The basic summary
    BitCoin is absolutely not anonymous
    BitCoin clearly does not scale
    In the long term
    It does work for now though
    This isn’t 0day stuff, this is basically declared almost entirely up front
  • 5. What Is BitCoin
    A really strange use of cryptography
    “Strange” is not a sufficient, interesting, or even vaguely competent way to mark a system as insecure
    It’s a decent way to say “this is not the normal way things are put together”
    Two systems mated together
    A peer to peer network that does a best case effort to synchronize data (loose “transactions” and solved “blocks”) across as many nodes as possible
    A Chinese Lottery that canonicalizes subsets of synchronized data, using the difficulty of finding partial hash collisions
  • 6. The Basic Idea (In A Nutshell)
    1) I’m hearing about all these transactions going on – Alice is paying Bob, Bob is paying Charlie, etc
    2) I hash all the transactions I’ve heard about, with some random information, and the hash of the last time someone did that, until there’s a partial collision
    First n bits equals 0
    N is automatically determined based on how hard it has to be for one block to be found about every 10 minutes
    This is a block
    3) I send everyone my “block” – transactions plus hash of previous block plus random data. This gives me 50 bitcoins (for now).
    4) I can now “sign over” those bitcoins, from my private key, to other people’s (or my) public key.
    5) Repeat until there’s lots of people with lots of BitCoins
    Possibly purchased instead of “mined”
  • 7. Interesting Traits
    The basic concept is actually relatively solid
    Assuming partial collisions are predictably hard to find
    Assuming ECDSA works
    Basic Idea 1: Money can’t be created from nothing – hashing is needed
    Basic Idea 2: Transactions can’t be blocked or reversed by a central entity – “is none”
    It makes security engineers talk like monetary scientists
    That’s sort of OK, economists pretend to do that too…
    Seriously, that’s silly– lets just talk tech, OK?
  • 8. Epic Scalability Quote 1(
    “The core BitCoin network can scale to very high transaction rates assuming a distributed version of the node software is built. This would not be very complicated.”
    Because there’s nothing easier to do, than make a system distributed
    This is totally not one of the Hard Problems Of Computer Science
    By “Distributed” they mean “Centralized”
    WhyBitCoin is uniquely hard to audit
    It claims the advantages of its present architecture, and its future architecture, while rebutting the disadvantages of one with the advantages of the other
    Instead of saying, “We don’t do that”, they say “Something else could do that”
  • 9. Scalability Costs: Network Bandwidth
    “Let's assume an average rate of 2000tps, so just VISA…. Shifting 60 gigabytes of data in, say, 60 seconds means an average rate of 1 gigabyte per second, or 8 gigabits per second.”
  • 10. Up and Down
    Going up
    “Let's take 4,000 tps as starting goal. Obviously if we want BitCoin to scale to all economic transactions worldwide, including cash, it'd be a lot higher than that, perhaps more in the region of a few hundred thousand transactions/sec.”
     And the need to be able to withstand DoS attacks (which VISA does not have to deal with) implies we would want to scale far beyond the standard peak rates.
    Going down
    Even at 1/100th of VISA, that’s still 10MB/sec
  • 11. Are There Future Optimizations?
    “Because nodes are very likely to have already seen a transaction when it was first broadcast, this means the size of a block to download would be trivial (80 bytes + 32 bytes per transaction). If a node didn't see a transaction broadcast, it can ask the connected node to provide it.”
    Potential 50% savings!
    Could go from 1GB to 500MB/sec
  • 12. What About Storage?
    In order to validate a transaction, you need all blocks up to the present one
    Joining BitCoin today == downloading 200+MB history all the way to the start of time
    That only increases
    “ A 3 terabyte hard disk costs less than $200 today and will be cheaper still in future, so you'd need one such disk for every 21 days of operation (at 1gb per block).”
    So you get to participate directly in BitCoin, at the low low cost of $200 a month
    Assuming zero costs of running a storage array
  • 13. CPU?
     ”A network node capable of keeping up with VISA would need roughly 50 cores + whatever is used for mining (done by separate machines/GPUs).”
    In the long run, that’s what it takes to participate (assuming no DoS, which would take 5000 cores)
    (You actually need to validate all historical transactions too)
  • 14. OK, so you end up with supernodes and normal nodes
    What are the characteristics of supernodes?
    They’re banks
    “Welcome to the new boss, who looks suspiciously like the old boss”
    I’m not saying banks are bad or anything
    The “peer to peer” model of BitCoin eventually goes away; as soon as the thing gets big, the entire thing switches to a banking model
  • 15. Reality of Banking
    As the network gets bigger, fewer and fewer nodes can be banks
    Only so many parties can exchange a gigabyte a second.
    The 50% threshold is inevitable
    BitCoin banks still can’t gin up money
    BitCoin banks can’t forcibly take money
    Unless they hold the private keys for the user, which they might
    BitCoin banks can refuse to accept blocks with “undesirable” transactions
    Don’t need 50% -- just need enough to inconvenience 50% to accept your opinion
    Can block undesirable transactions
    Can recompute blocks w/o certain transactions (reversal)
    This offers a host of ugly semantics
  • 16. Already Suffering This
    BitCoin’s security model is base on the idea that nobody can control more than 50% of the network
    Exact PetaFlop count unclear, but >40 and <200
    Weird metric, given that crypto uses integer operations when FLOPS are floating point
    Several times more than largest supercomputer
    Pools are breaking this
    #1 pool has 41%
    #2 pool has 30%
    “Security through ostracism” to Pitchfork Security
    DDoS against #1 pool
  • 17. Bad Choice Of Hash Standard
    Existing model can be accelerated massively with GPUs
    Just 2x SHA-256
    Could have been bcrypt or the like, in which performance does not scale with pure processing speed
    Basically adds memory and serialization dependencies
    Wasn’t implemented, so now we have shortages of GPUs…
  • 18. What About Anonymity?
    The full worldwide transaction history is stored and shared, forever and ever
    Everyone has names like:
    How do you know who you’re paying? You don’t
    Everyone is encouraged to make up new names for every transaction
    Actually how you can tell why someone is paying you
    Out of band, you tell someone “to pay me, pay this address”
    When that address is paid, you can dereference to your own private transaction
    Do lots of random names equal anonymity?
  • 19. Names Are Linkable (see
    All FROM sources are effectively the same person (or linked IDs)
    Almost all TO destinations are payee and payor
  • 20. Reality of Anonymity
    As BitCoin “fights fragmentation”, it merges identities
    As it merges identities, it…well, merges identities
    There are other models of using BitCoin in which money goes in, stays, and then presumably goes back out
    Again, it’s amazing how much this looks like a bank.
    Not saying banks are bad, just don’t tell me BitCoin doesn’t morph into the banking system
  • 21. So, with this all being said
    BitCoin is working, today
    That counts for a lot
    It will not work this way forever
    It will not have today’s security properties forever
    If you define the loss of today’s properties a serious loss of value, then there are Ponzi-ish characteristics in plain view
    I’m not going to make that claim, however
  • 22. Conclusion
    This was just a quick summary
    BitCoin is actually well designed, if you accept that anonymity and scaling forces the entire present model to be shifted into something that effectively looks like banking
    I’ll talk about more another time