2. ||
Overview
Motivation of Bitcoin
Underlying data structure of Bitcoin
Accounting with Bitcoin
Mathematical background of Bitcoin security
Underlying data structure for efficiency
1.12.2014 2
3. ||
The motivation of Bitcoin
"Improve the existing electronic cash system"
Existing electronic cash system (trust based model): Ecash [David Chaum, 1983]
Transaction with 3rd party
Rely on 3rd party
Subject to the financial situation of the bank
Problems
3rd party may go bankrupt
Vulnerable to the financial crisis (remember the "Lehman shock")
4. ||
The motivation of Bitcoin: Eliminating 3rd party
"Create new currency w/o central organization!"
How do we create currency?
Currency must be trusted by everyone spending it
Existing system: 3rd party guarantees the value of the currency
-> How?
5. ||
How do 3rd parties guarantee the value?
Existing electronic coin system (trust based model)
Source of trust: transaction record
They know ALL the transaction history
A -> B: 5 CHF
D -> C: 100 CHF
A -> C: 7 CHF
…
Prevents mainly 2 things
1. Double-Spending Problem: to copy the same coin and pay it to different people
2. Coin robbery: to change the transaction history and get someone's coin
6. ||
Double-Spending Problem
They know ALL the transaction history
Prevents mainly 2 things
1. Double-Spending Problem: to spend the same coin for different payments.
Speech bubble (spender): "I wanna do Me -> A: 5 CHF and Me -> B: 5 CHF at the same time with the same coin, man."
Speech bubble (3rd party): "Your successive transactions have the same coin IDs. Payment invalid."
7. ||
Coin robbery
They know ALL the transaction history
Prevents mainly 2 things
1. Double-Spending Problem
2. Coin robbery: to change the transaction history and get someone's coin
A -> B: 5 CHF
D -> C: 100 CHF
A -> C: 7 CHF
…
Speech bubble (attacker): "I wanna change D -> C: 100 CHF into D -> Me: 100 CHF. But I can't… damn!"
8. ||
How do we eliminate the 3rd party?
They know ALL the transaction history
Prevents mainly 2 things
1. Double-Spending Problem
2. Coin robbery: to change the transaction history and get someone's coin
How do we substitute the 3rd party?
-> Blockchain! [Nakamoto, 2009]
9. ||
Blockchain: New form of transaction record
Block: A group of transactions (transfers of currency)
Blockchain: A sequence of Blocks
Rule: The longest chain is always true
[Figure: a block holding the previous block hash, an integer, and transactions such as A -> B: 10 CHF and C -> D: 2 CHF]
10. ||
Blockchain: in P2P network
Everyone trusts the longest chain to be the true history
Anyone is free to extend the chain, and the block will be verified by others
Once you get behind, it is really hard to catch up with the top block -> Why?
[Figure: P2P network]
11. ||
Blockchain: Proof of Work
Proof of work: meant to be a time-consuming math problem
-> Requires about 10 minutes to solve
A block is created only after finding the nonce (integer) s.t.
hash(nonce + other data) = 000…05fs2ce91a
If someone tries to change Tx1
-> They have to find another corresponding nonce
-> The same work must be done for all subsequent blocks
[Figure: unjustified transactions Tx1 … Tx6; a block holding Tx1, the previous block hash and a nonce; the block's hash feeds block n]
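The nonce search and the tamper-detection argument above (and the coin-robbery slides 22-23 later) as an added Python example; it is not code from the original slides. The hash is SHA-256 over the previous block hash, the transactions and the nonce; the difficulty, transaction strings and function names are constructed for the demo.

```python
# Added example, not from the original slides: a toy chain with proof of
# work. Editing one transaction breaks every later block, so the forger
# has to redo the nonce search for all of them. Difficulty, transaction
# strings and function names are constructed for this demo.
import hashlib
import json

DIFFICULTY_BITS = 12     # constructed; Bitcoin requires far more zero bits
GENESIS_PREV = "0" * 64  # "previous block hash" of the very first block

def block_hash(prev: str, txs: list, nonce: int) -> str:
    """hash(nonce + other data); other data = previous block hash + txs."""
    payload = json.dumps({"prev": prev, "txs": txs, "nonce": nonce},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def meets_target(h: str) -> bool:
    """Proof of work: the hash must begin with DIFFICULTY_BITS zero bits."""
    return int(h, 16) >> (256 - DIFFICULTY_BITS) == 0

def mine(prev: str, txs: list) -> dict:
    """Brute-force nonce search starting from 0, as the slides describe."""
    nonce = 0
    while not meets_target(block_hash(prev, txs, nonce)):
        nonce += 1
    return {"prev": prev, "txs": txs, "nonce": nonce}

def verify_chain(chain: list) -> bool:
    """The cheap check every node does: recompute each hash, test the
    target, and confirm each block points at its predecessor's hash."""
    prev = GENESIS_PREV
    for block in chain:
        h = block_hash(**block)
        if block["prev"] != prev or not meets_target(h):
            return False
        prev = h
    return True

def build_chain(tx_groups: list, prev: str = GENESIS_PREV) -> list:
    chain = []
    for txs in tx_groups:
        block = mine(prev, txs)
        chain.append(block)
        prev = block_hash(**block)
    return chain

def tamper(chain: list, index: int, new_txs: list) -> list:
    """Rewrite block `index` in a copy of the chain without any new work."""
    forged = [dict(b) for b in chain]
    forged[index]["txs"] = new_txs
    return forged

def remine_from(chain: list, index: int) -> list:
    """What a forger really has to do: redo the proof of work for the edited
    block and for every block after it, while the honest chain keeps growing."""
    prev = GENESIS_PREV if index == 0 else block_hash(**chain[index - 1])
    return chain[:index] + build_chain([b["txs"] for b in chain[index:]], prev)

if __name__ == "__main__":
    chain = build_chain([["A -> B: 10 CHF"], ["C -> D: 2 CHF"], ["B -> C: 3 CHF"]])
    forged = tamper(chain, 0, ["A -> Me: 10 CHF"])
    print(verify_chain(chain), verify_chain(forged))   # True False
    print(verify_chain(remine_from(forged, 0)))        # True
```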
12. ||
Blockchain: How does it get added?
[Figure: a new transaction is cast into the pool of unjustified transactions Tx1 … Tx6; each node in the P2P network holds a copy of the current blocks (Block Block Block) and starts finding a nonce]
13. ||
Block & Transaction creation
[Figure: unjustified transactions Tx1 … Tx6 and the current blocks; three nodes are each finding a nonce for their own candidate: "New block with tx4", "New block with tx4", "New block with tx5"]
14. ||
Block & Transaction creation
[Figure: same setting; one of the three nodes announces "I found the answer!"]
15. ||
Block & Transaction creation
[Figure: the finished "New block with tx4" and its nonce are cast into the block candidates pool; the other two candidates are abandoned]
16. ||
Block & Transaction creation
[Figure: block candidate "New block with tx4" with its nonce; the other nodes check it]
"Is the nonce correct?" (easy work)
"Let's check the validity of each transaction"
17. ||
Block & Transaction creation
[Figure: block candidate "New block with tx4"; the nodes vote]
"Correct!" "I don't give a shit" "Correct!" "Correct!"
4/5 agreed.
"I'm sure it's correct, huh"
18. ||
Block & Transaction creation
[Figure: every node appends "New block with tx4" to its own copy of the chain (Block Block Block + New block with tx4)]
Every node updates their blockchain
Once it gets accepted, NO incentive for ignoring it
19. ||
Block & Transaction creation
[Figure: current blocks plus the accepted "New block with tx4"]
The block creator gets a bitcoin
This event is itself written into the new block
20. ||
Blockchain security
[Figure: Block Block Block + New block with tx4]
Let us recall… how does the blockchain cope with…
1. Double-Spending Problem?
2. Coin robbery?
21. ||
Blockchain against Double-Spending Problem
1. Double-Spending Problem
Each transaction carries the coin's hash
The blockchain does not allow two transactions to have the same coin hash
If the same coin hash is found in 2 transactions, only one will be valid
Transaction:
- Coin's hash
- Sender ID
- Receiver ID
In more detail…
- Coin's hash: hash of the previous tx
- Sender ID: sender's digital signature
- Receiver ID: receiver's public key
[Figure: block with previous block hash, integer and Tx1]
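An added example (not from the slides) of the double-spending rule: each transaction names the coin by the hash of the transaction that handed it over, and a ledger rejects any second transaction carrying a coin hash it has already accepted. A plain owner check stands in for the signature check the slide mentions; all IDs and transaction contents are constructed.

```python
# Added example, not from the original slides: the ledger rule behind the
# double-spending slide. A coin is named by the hash of the transaction
# that handed it to its current owner, and a second transaction carrying a
# coin hash the ledger has already seen is rejected. The owner check below
# stands in for the signature check; all names and contents are constructed.
import hashlib
import json

def tx_hash(tx: dict) -> str:
    """Hash of a transaction; this becomes the coin's hash for the receiver."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()

class Ledger:
    def __init__(self, minted: list):
        # minted: coinbase transactions that created coins (constructed input)
        self.spent = set()   # coin hashes already used by an accepted transaction
        self.owner = {}      # coin hash -> the only ID allowed to spend it
        self.rejected = []   # (transaction, reason) for every refused transaction
        for tx in minted:
            self.owner[tx_hash(tx)] = tx["receiver"]

    def apply(self, tx: dict) -> bool:
        coin = tx["coin_hash"]
        if coin in self.spent:
            self.rejected.append((tx, "same coin hash already spent"))
            return False
        if self.owner.get(coin) != tx["sender"]:
            self.rejected.append((tx, "sender is not this coin's owner"))
            return False
        self.spent.add(coin)
        self.owner[tx_hash(tx)] = tx["receiver"]   # receiver gets a new coin hash
        return True

def run_scenario() -> list:
    """The slide's scenario: Me pays A and B with the same coin at once."""
    coinbase = {"coin_hash": None, "sender": "network", "receiver": "Me"}
    ledger = Ledger([coinbase])
    coin = tx_hash(coinbase)
    to_a = {"coin_hash": coin, "sender": "Me", "receiver": "A"}
    to_b = {"coin_hash": coin, "sender": "Me", "receiver": "B"}
    results = [ledger.apply(to_a), ledger.apply(to_b)]
    # A may spend the coin onward; B never received one, so B's spend fails
    results.append(ledger.apply({"coin_hash": tx_hash(to_a), "sender": "A", "receiver": "C"}))
    results.append(ledger.apply({"coin_hash": tx_hash(to_b), "sender": "B", "receiver": "C"}))
    return results   # [True, False, True, False]

if __name__ == "__main__":
    print(run_scenario())
```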
22. ||
Blockchain against Coin robbery
2. Coin robbery
He might change the transaction arbitrarily
-> Actually, he can
However…
A lot of Proof of Work is waiting for him!
[Figure: chain of blocks, each holding the previous block hash, a nonce and Tx1]
Speech bubble (attacker): "I can modify the transaction like: Before: Alice -> Bob: 100 Bitcoin. After: Alice -> Me: 100 Bitcoin."
23. ||
Blockchain against Coin robbery
2. Coin robbery
He might change the transaction arbitrarily
-> Actually, he can
However…
A lot of Proof of Work is waiting for him!
The modification of the block makes its hash completely different
-> He needs to find a new nonce accordingly
-> 10 minutes of work on average
[Figure: chain of blocks, each holding the previous block hash, a nonce and Tx1]
Speech bubble (attacker): "I can modify the transaction like: Before: Alice -> Bob: 100 Bitcoin. After: Alice -> Me: 100 Bitcoin."
24. ||
Can the attacker catch up with the top block?
[Figure: Block Block Block; the attacker is modifying an old block while the honest nodes are creating the next one]
25. ||
Can the attacker catch up with the top block?
[Figure: Block Block Block + Block; the honest nodes are creating, the attacker is still modifying]
26. ||
Can the attacker catch up with the top block?
[Figure: Block Block Block + Block; the honest nodes are creating, the attacker is still modifying]
27. ||
Can the attacker catch up with the top block?
[Figure: Block Block Block + Block Block; the honest nodes keep creating while the attacker is modifying]
He cannot catch up as long as the majority of nodes are honest!
28. ||
Mathematical proof
Is it really impossible for the attacker to modify the history?
p: Prob(honest nodes can proceed to the next block)
q: Prob(attacker nodes can proceed to the next block)
q_i: Prob(the attacker eventually can catch up from position i)
[Figure: Block Block Block; the attacker starts Z blocks behind the honest nodes, which are creating]
29. ||
Mathematical proof
Let us focus on q_i
-> Gambler's Ruin Problem (Binomial Random Walk)
The gambler starts with money i and tries to reach N
if i = 0, the gambler loses (cannot play anymore)
p: Prob(honest majority can proceed to the next block)
q: Prob(attacker majority can proceed to the next block)
q_i: Prob(the attacker eventually can catch up from position i)
(q_0 = 0, q_N = 1)
[Figure: random walk between 0 and N starting at i; a step toward A (attacker) has probability q, a step toward H (honest) has probability p]
31. ||
Mathematical proof
Worst case: he tries to catch up for an unlimited number of times
∴ $\lim_{i\to\infty} q_i = \begin{cases} 1 & \text{if } p \le q \\ \left(\dfrac{q}{p}\right)^{Z} & \text{if } p > q \end{cases}$
We assume p > q
Some people in the majority can beat the attacker
[Figure: random walk from i toward N, with the A step at probability q and the H step at probability p; and a histogram of the time to solve a proof of work, ranging from 10 min to 1 day]
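An added example (not from the slides) that computes q_i three ways: by sweeping the recursion numerically for a finite N, by the textbook closed form, and in the worst case N -> infinity, cross-checked against a Monte Carlo random walk. The frame is Nakamoto's: z is how many blocks the attacker is behind, p is the honest majority's chance of finding the next block, q = 1 - p is the attacker's; because the walk tracks the gap rather than the gambler's money, the boundary values are flipped relative to the slide (q_0 = 1 means the gap is closed). All numbers are constructed.

```python
# Added example, not from the original slides: q_i computed three ways.
# Frame (Nakamoto's): z = number of blocks the attacker is behind, p = chance
# the honest majority finds the next block, q = 1 - p = the attacker's chance.
# q_i = chance the attacker ever closes a gap of i blocks. Numbers constructed.
import random

def solve_recursion(p: float, z: int, N: int, tol: float = 1e-12) -> float:
    """Gambler's ruin with a finite target: the attacker gives up once he is
    N blocks behind. Solves q_i = q*q_{i-1} + p*q_{i+1} with q_0 = 1, q_N = 0
    by sweeping the recursion until the values stop changing."""
    q = 1.0 - p
    vals = [1.0] + [0.0] * N
    while True:
        delta = 0.0
        for i in range(1, N):
            new = q * vals[i - 1] + p * vals[i + 1]
            delta = max(delta, abs(new - vals[i]))
            vals[i] = new
        if delta < tol:
            return vals[z]

def closed_form(p: float, z: int, N: int) -> float:
    """Textbook solution of the same recursion."""
    q = 1.0 - p
    if p == q:
        return 1.0 - z / N
    r = q / p
    return (r ** z - r ** N) / (1.0 - r ** N)

def catch_up_probability(p: float, z: int) -> float:
    """Worst case on the slide: the attacker never gives up (N -> infinity).
    The limit is 1 if p <= q and (q/p)^z if p > q."""
    q = 1.0 - p
    return 1.0 if p <= q else (q / p) ** z

def simulate(p: float, z: int, trials: int, give_up: int = 50, seed: int = 1) -> float:
    """Monte Carlo check of the random walk: +1 when honest nodes add a block,
    -1 when the attacker does; the attacker wins when the gap reaches 0."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        gap = z
        while 0 < gap < give_up:
            gap += 1 if rng.random() < p else -1
        wins += gap == 0
    return wins / trials

if __name__ == "__main__":
    for z in (1, 3, 6):
        print(z, round(catch_up_probability(0.7, z), 4),
              round(solve_recursion(0.7, z, 200), 4), round(simulate(0.7, z, 10000), 4))
```

The printed rows show the catch-up chance falling geometrically with the gap z, which is the "decreases exponentially" statement in the speaker notes.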
32. ||
Summary
Block: Nonce, Transactions
Blockchain: Sequence of blocks (current length: 513552 blocks)
A long chain makes tampering difficult
-> An incentive is paid to the creator of a new block
(Amount: 12.5 BTC =~ 106,416 CHF per block!!)
33. ||
Disk space problem
[Figure: every node stores the full chain (Block Block Block + New block with tx4)]
The chain size easily gets super huge…
# transactions = 304,134,203
1 transaction size = 250 ~ 500 B [https://blockchain.info/]
250B * 304,134,203 = 76TB !!!
How do we compress the transactions?
34. ||
Disk space problem
[Figure: every node stores the full chain (Block Block Block + New block with tx4)]
The chain size easily gets super huge…
# transactions = 304,134,203
1 transaction size = 250 ~ 500 B [https://blockchain.info/]
250B * 304,134,203 = 76TB !!!
How do we compress the transactions?
-> Just remove the transaction!
35. ||
Disk space problem: Solution
Some transactions: unnecessary!
Only once the coins in Tx A have been spent by a later transaction Tx B does Tx A become unnecessary
A Merkle Tree "transforms" the sequence of Tx into one Root Hash
If the coins in Tx0, 1, 2 are spent in another newly created block…
[Figure: Block = Block header (Prev hash, nonce, Hash z (Root Hash)) + Merkle tree over Tx0 … Tx3: leaf hashes Hash 0 … Hash 3, intermediate hashes Hash x and Hash y, root Hash z]
36. ||
Disk space problem: Solution
Some transactions: unnecessary!
Only once the coins in Tx A have been spent by a later transaction Tx B does Tx A become unnecessary
A Merkle Tree "transforms" the sequence of Tx into one Root Hash
If the coins in Tx0, 1, 2 are spent in another newly created block…
-> Tx0, 1, 2 get removed.
Their hashcodes still remain
[Figure: the same block after pruning: Tx0, Tx1, Tx2 are gone; Tx3, Hash 2, Hash 3, Hash x, Hash y and Hash z (Root Hash) remain in the block header]
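The Merkle tree and pruning step above as an added Python example (not code from the slides): four constructed transactions are hashed into Hash0..Hash3, combined into Hash x, Hash y and the root Hash z, and then Tx0, Tx1 and Tx2 are dropped while only the hashes needed to re-derive the root from Tx3 are kept. Hashing here is plain SHA-256 over hex strings, a simplification of Bitcoin's double SHA-256 over raw bytes.

```python
# Added example, not from the original slides: the 4-transaction Merkle tree
# of the figure (Hash0..Hash3 -> Hash x, Hash y -> Hash z) and the pruning
# step that drops Tx0, Tx1, Tx2 but keeps the hashes needed to rebuild the
# root from Tx3. Transactions are constructed; hashing is plain SHA-256 over
# hex strings, not Bitcoin's double SHA-256 over raw bytes.
import hashlib

def h(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def tx_hashes(txs: list) -> list:
    """Hash0..Hash3: one leaf hash per transaction."""
    return [h(tx) for tx in txs]

def next_level(level: list) -> list:
    """Combine two hashes into one; an odd leftover is paired with itself."""
    if len(level) % 2 == 1:
        level = level + [level[-1]]
    return [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves: list) -> str:
    """Repeat the pairing until a single Root Hash (Hash z) remains."""
    level = list(leaves)
    while len(level) > 1:
        level = next_level(level)
    return level[0]

def merkle_branch(leaves: list, index: int) -> list:
    """The sibling hash at each level, which is all that must be kept to
    recompute the root from leaf `index` after the other bodies are gone."""
    branch, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        branch.append(level[index ^ 1])
        level, index = next_level(level), index // 2
    return branch

def root_from_branch(leaf: str, index: int, branch: list) -> str:
    cur = leaf
    for sibling in branch:
        cur = h(cur + sibling) if index % 2 == 0 else h(sibling + cur)
        index //= 2
    return cur

def prune(txs: list, keep: set) -> dict:
    """Pruned block: the root, and for each unspent transaction its body plus
    its branch. Everything else (the spent bodies) is discarded."""
    leaves = tx_hashes(txs)
    return {"root": merkle_root(leaves),
            "kept": {i: {"tx": txs[i], "branch": merkle_branch(leaves, i)}
                     for i in sorted(keep)}}

def verify_pruned(block: dict) -> bool:
    """Every kept transaction must still hash up to the stored root."""
    return all(root_from_branch(h(e["tx"]), i, e["branch"]) == block["root"]
               for i, e in block["kept"].items())

if __name__ == "__main__":
    txs = ["Tx0: A -> B: 10 CHF", "Tx1: C -> D: 2 CHF",
           "Tx2: B -> C: 3 CHF", "Tx3: D -> A: 1 CHF"]
    block = prune(txs, {3})          # Tx0..Tx2 spent, only Tx3 kept
    print(verify_pruned(block), len(block["kept"][3]["branch"]))   # True 2
```

For Tx3 the kept branch is exactly the figure's Hash 2 and Hash x; Hash 3, Hash y and Hash z are recomputed from Tx3 on demand.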
37. ||
Conclusions
Bitcoin: transaction history without a 3rd party
Block: Multiple transactions + previous hash + nonce
Source of trust: Majority agreement on each block
Tampering with history: it is difficult if the attacker starts from a few blocks behind, unless the attackers occupy the majority of the computational power
Vulnerability to a malicious majority: these days mining is so competitive that miners form groups (pools)
What happens if they occupy half of the computational power?
[Figure: Block Block Block]
Editor's Notes
My talk is divided into 5 parts:
motivation of bitcoin, why it's invented
underlying data structure, blockchain
transactions
mathematical proof
data structure for efficiency. Then, next, finally
We already have some frameworks of electronic payment.
One of them is the system called ecash.
In this system, for the first, they exchange their physical money for virtual cash by paying the central organization. After that, they can pay online by using that virtual cash.
This allows us to exchange our cash online, but all the transactions must go through the central bank, which means it relies on ...
Of course, the problem is the risk of bankruptcy of the company.
If that happens, the virtual cash will no longer be useful.
And they are vulnerable to a financial crisis like the Lehman shock, which makes us doubtful of the trust based currency model.
To tackle these problems, Satoshi Nakamoto tried to create …
but, how do we create new currency?
To go into the solution, let us refer to the existing system with 3rd party.
One thing they have is the record of transactions
(read the slide)
for example, they have some database for storing all the transactions since the beginning. A paid 5 CHF to B...
So, this record is the source of trust.
Thanks to keeping this record, it succeeds in preventing 2 things from happening.
Double spending problem.
For the first problem, the guy says like ...
He executes the second transaction right after the first transaction.
He expects both of the transactions to get accepted somehow.
However, the company definitely finds that...
This is not happening.
For the coin robbery
Replace C with himself.
It seems that cent.. plays an important role in having all the transaction records with them.
But we are now trying to eliminate that central party.
How do we do this??
6:37
solution is the blockchain.
We define a block as a group of txs. It has several transaction data inside.
They link these blocks to create very long chain.
The reason for linking blocks is that it increases security.
I will talk about it soon but one thing I'm gonna stress is that they contain the hash value of the previous block.
If someone changes the data of previous block, it will change the hash value of next block.
So it is easy to detect the change.
Anyways, our objective is to create a block and extend the chain with it.
Everyone has chain with them in P2P network, and has the right to create the block.
Once the block was created, it needs to be verified by at least half of the people.
If verified, the chain will get longer, and it is recommended that everyone should catch up with the latest chain.
Otherwise, once you get behind, …
This is because creating a block takes a long time, because we have to solve some mathematical task.
We call this proof of work. It is just meant to be…
But why does it take so long?
Because it requires us to calculate a special integer called the nonce.
We have to find the nonce which makes the hash of nonce + other data contain n digits of 0s at its top.
Other data contains a number of transaction data.
You know, the only way to find this nonce is just trying from 0. It is like brute force.
A hash function outputs a completely different number even if the input gets slightly changed.
If I try to change previous transactions in this red block, the modification will change the hash in the next block, so I have to find another corresponding nonce again, which requires another 10 minutes of work.
--
Proof of work is used ...
Block is created only ... Finding the value called nonce, which makes the first n bits of the hash code 0.
Each block has several transactions inside, and the hash code of the previous block.
In addition to these data
N is chosen in a way that the calculation takes 10 min.
If someone tries to change old blocks, he must calculate all the corresponding nonces for the subsequent blocks
OK, we already know that block is linked to form a chain, and to create the chain, we need to do proof of work.
Here I wanna visualize the procedure of creating block.
Let's say there are 5 PCs in the P2P world, and a transaction has just been done and cast to the transaction pool.
In this pool, they have many unconfirmed transactions.
Since this is a P2P network, they have the same copy of the blockchain on each computer.
And some of them are offline. And three of them are trying to make a new block.
They have some copy locally
After a while, 3 computers try to create a block; they can choose whatever txs they want.
As I explained, they have to calculate the nonce to make the hash code start with n bits of 0s.
In 10 minutes or so, the most powerful computer finds the nonce.
He broadcasts the finding to all the other computers.
The newly created block is cast into the candidates pool and the losers stop creating their blocks.
Other nodes will check the answer = newly found nonce, by calculating the hash of nonce + other data.
They only calculate the hash code of (data and calculated nonce), which is quite simple work.
So this verification process does not take so long
If the majority of the nodes agree….
They update their blockchain with the newly created block.
There is some guy who does not agree on the block, and can continue creating his own block.
But as I said, it is difficult to catch up with the latest chain once you get behind.
So he would choose to accept that block rather than sticking to his block.
The strongest PC can get new bitcoin for the reward of creation of the block.
This reward is also recorded as transaction, and added on the newly created block.
This is how the coin gets created and added to its chain.
So we have covered how the chain is created.
If anything unclear, ask me later.
And I want you to remember those 2 things.
The challenging part of creating currency is …
So lets see how does ...
For the first, lets recall double spending problem.
Double spending problem is that a malicious guy copies the coin and pays multiple persons at the same time.
In this block, each transaction contains the coin's hash. The transaction has SenderID, ReceiverID, coin's hash.
Coin's hash is made of previous transactions; sender ID and receiver ID are created by the digital signature with their public key and private key, like a typical digital signature does.
Anyway, the point is that blockchain only accepts unique coin hashes. If a transaction has the same coin hash as one used before,
The later transaction will be invalid.
Then, how about the coin robbery?
He was like… trying to illegally get 100 francs instead of Bob.
(He can replace the Bob with himself.)
Actually, the attacker …
So, the thing is,
the change for transaction will also change the hash of the next block. He must calculate nonce accordingly.
A lot of proof of work...
Let us visualize what I said.
Attacker starts to modify 3 blocks before the current block. While the majority is trying to calculate the nonce for the next block.
Attacker can create the block earlier than the majority do, but…
The chain will be extended if at least one of the majority finds the nonce.
It is difficult for the attacker to create the block by beating all the majority.
That means he cannot catch up with the top.
The paper also introduces the mathematical background for the attacker's disadvantage.
The setting is like this. The attacker started modifying the block which is Z blocks behind the newest one.
He defines p, q, q_i.
P is the probability that …
This situation can be modeled as the Gambler's Ruin Problem (GRP), which is based on the Binomial Random Walk (BRW).
The gambler starts playing a casino game by betting one coin.
He starts with money i and continues to play until he gets N money or he goes bankrupt.
We can find q_i by solving the recursion equation.
I will omit the details, and we can get the q_i.
To be certain about the security, we have to consider the worst case here.
The worst case is that attacker never gives up and tries to create his own block.
That prob is given by considering the infinity of q_i.
The probability of catching up decreases exponentially.
Here we can assume p larger than q because it is hard for attacker to defeat all the majority.
Besides, the time to … is distributed like this figure.
Some guy takes less than 10 minutes, while some takes 1 day.
Even if one attacker has a super smart computer, it is assumed that there will be someone who can solve the problem earlier than he does.
So here we assume p is larger than q.
To summarize the content so far,
Block is composed of …,
And block chain is the ...
Long chain makes tampering difficult because it is hard to catch up with the top once you get behind.
To stimulate this work of extension, the reward is given to the creator of the block.
I wanna introduce another techniques that blockchain exploits.
The transaction is usually 250 to 500 B in size.
And for now, the number of transactions so far is three hundred million.
If we simply calculate the size of the whole blockchain …
How do we manage to compress the transactions?
The answer is just to remove the unnecessary transactions.
Actually, some of the past transactions are unnecessary.
Let us say there is some past block with transaction A; if the coin from tx A was spent by the recipient later on,
The transaction A will be needless.
Simply removing these transactions would change the hash of the data, so they just replace the transaction with the corresponding hash value.
To keep each hash value, we use a Merkle tree.
If it contains 4 transactions, we combine two hashes to create one hash, and we repeat this process till we get only one hash called the Root Hash.
This figure shows an example of a Merkle tree.
Lets say …
Those transactions can be removed while keeping their hashcodes.
By doing this, we can save a lot of space.
To sum up, we looked into the detail of bitcoin.
Block is composed of….
And it needs the agreement of the majority to keep the reliability.
The problem that recently came up was it is …
These days,... The largest party occupies more than 20 percent of the network computational power.
What happens if they occupy…
Even if they can do it, the value of the blockchain will be lost forever.
So they don't have any motivation to do this, actually.
The future work is how they deal with these potential risks
Thank you all for listening.