Pettycoin: Losing Tiny Amounts of Bitcoin At Scale!

linux.conf.au 2014 talk:

This talk presents a pre-alpha implementation of an adjunct network where gateways ferry between the current bitcoin network and a new "pettycoin" network, which trades bitcoin's robustness for scalability. When complete, the result should be a network suitable for genuine microtransactions at the rate of thousands per second.

Published in: Technology, Business

  1. 1. Pettycoin Losing Tiny Amounts of Bitcoin At Scale! Rusty Russell rusty@rustcorp.com.au
  2. 2. Contents ● Bitcoin Basics ● An Adjunct Network ● Problems – With some solutions ● Status
  3. 3. Bitcoin Basics ● Transactions: – Take N inputs and provide M outputs – Broadcast in a peer-to-peer network – Create your private key and away you go!
  4. 4. Bitcoin Basics ● Blocks: – Bundle up transactions – Really hard to generate! ● Difficulty changes to keep it down to ~10 minutes
  5. 5. Bitcoin Block
  6. 6. Bitcoin Blockchain
  7. 7. Bitcoin Blockchain
  8. 8. Bitcoin Blockchain ● If more than one chain, longest wins – Presumably represents majority view
  9. 9. Bitcoin Blockchain ● If more than one chain, longest wins – Presumably represents majority view ● Transactions are checked against previous: – Inputs must not have already been used. – Value of inputs must be >= outputs
  10. 10. Bitcoin Blockchain ● https://en.bitcoin.it/wiki/Scalability – To handle 10k tps, need ~ 40Mb/second
  11. 11. 100,000 TPS?
  12. 12. 100,000 TPS? ● Is there a way to create a useful network without everyone knowing everything? – What if we trade robustness for scalability?
  13. 13. 100,000 TPS? ● Is there a way to create a useful network without everyone knowing everything? – What if we trade robustness for scalability? What if we throw out the baby and the bathwater?
  14. 14. An Adjunct, Not An Altcoin! ● Use real bitcoins ● Mirrors bitcoin addresses
  15. 15. An Adjunct, Not An Altcoin!
  16. 16. An Adjunct, Not An Altcoin!
  17. 17. An Adjunct, Not An Altcoin!
  18. 18. An Adjunct, Not An Altcoin!
  19. 19. An Adjunct, Not An Altcoin! ● Send bitcoin to gateway, it injects onto pettycoin network (minus support fee) ● Send pettycoins to gateway, it injects onto bitcoin network (minus transaction fee)
  20. 20. An Adjunct, Not An Altcoin! ● Send bitcoin to gateway, it injects onto pettycoin network (minus support fee) ● Send pettycoins to gateway, it injects onto bitcoin network (minus transaction fee) A transaction network, not a store of value!
  21. 21. Shrinking The Chain
  22. 22. Shrinking The Chain ● 13GB download! – Unfair, should be a few hundred MB
  23. 23. Reduce Transaction Size
  24. 24. Reduce Transaction Size ● Each input: – Signed to prove you can spend (ECDSA: 64 bytes) – Identifies previous transaction (SHA256: 32 bytes)
  25. 25. Reduce Transaction Size ● Each input: – Signed to prove you can spend (ECDSA: 64 bytes) – Identifies previous transaction (SHA256: 32 bytes) ● Each output: – Identify destination (ECDSA: 33 bytes) – Specifies amount (1-9 bytes)
  26. 26. Reduce Transaction Size ● Each input: – Signed to prove you can spend (ECDSA: 64 bytes) – Identifies previous transaction (SHA256: 32 bytes) ● Each output: – Identify destination (ECDSA: 33 bytes) – Specifies amount (1-9 bytes) ● Bitcoin inputs and outputs are actually scripts...
  27. 27. Reduce Transaction Size
  28. 28. Reduce Transaction Size ● Only allow one signature for all inputs – ie. one input address. – Limit to 4 inputs ● Only allow one output (implying change)
  29. 29. Reduce Transaction Size ● Only allow one signature for all inputs – ie. one input address. – Limit to 4 inputs ● Only allow one output (implying change) => 132 + 34N bytes
  30. 30. Reduce Chain Length? ● Transactions only valid for ~1 month (10080 blocks)?
  31. 31. Reduce Chain Length? ● Transactions only valid for ~1 month (10080 blocks)? A transaction network, not a store of value!
  32. 32. Shard the Network
  33. 33. Shard the Network ● Use upper 12 bits of address – Both input(s) and output address – So a transaction appears on up to 5 of 4096 shards
  34. 34. Shard the Network ● Use upper 12 bits of address – Both input(s) and output address – So a transaction appears on up to 5 of 4096 shards ● You can monitor a single network shard to find out what's happening for a given address
  35. 35. Shard the Network ● Use upper 12 bits of address – Both input(s) and output address – So a transaction appears on up to 5 of 4096 shards ● You can monitor a single network shard to find out what's happening for a given address – But you actually have to be on two, so it's all connected
  36. 36. Shard the Block ● Order transactions by (output address) shard within block
  37. 37. Shard the Block ● Order transactions by (output address) shard within block – Transactions with an input address on that shard will be scattered throughout block
  38. 38. Block in Batches ● We divide block into batches of 4096 transactions
  39. 39. Block in Batches
  40. 40. Block in Batches Merkle Tree
  41. 41. Pettycoin Block
  42. 42. Partial Knowledge ● If I send you a batch of transactions, you can prove it is in the block
  43. 43. Partial Knowledge ● If I send you a single transaction and 12 hashes you can also prove it is in the block.
  44. 44. Partial Knowledge ● If I send you a single transaction and 12 hashes you can also prove it is in the block.
  45. 45. Partial Knowledge ● If I send you a single transaction and 12 hashes you can also prove it is in the block.
  46. 46. Partial Knowledge ● If I send you a single transaction and 12 hashes you can also prove it is in the block.
  47. 47. Partial Knowledge ● If I send you a single transaction and 12 hashes you can also prove it is in the block.
  48. 48. Partial Knowledge ● If I send you a single transaction and 12 hashes you can also prove it is in the block.
  49. 49. What Clients Need To Know
  50. 50. What Clients Need To Know ● The block chain (of headers) – About 1 new block every 10 minutes – 74 bytes + ~44 per batch of 4096 transactions – 650 kbytes for 100,000 TPS ● Around 8kbits
  51. 51. Sending A Transaction
  52. 52. Sending A Transaction ● Send me your transaction
  53. 53. Sending A Transaction ● Send me your transaction ● Also send me transactions whose outputs you use
  54. 54. Sending A Transaction ● Send me your transaction ● Also send me transactions whose outputs you use – And a 12-hash merkle proof for each one
  55. 55. Sending A Transaction ● Send me your transaction ● Also send me transactions whose outputs you use – And a 12-hash merkle proof for each one ● And the same for each transaction they use...
  56. 56. Sending A Transaction ● If average transaction has 2.1 inputs
  57. 57. Sending A Transaction ● If average transaction has 2.1 inputs – After a coin has been spent 10 times, 1700 transactions – Each transaction is 200 bytes – Each proof is 264 bytes ● 788k to send you a transaction
  58. 58. Sending A Transaction ● If average transaction has 2.1 inputs – After a coin has been spent 10 times, 1700 transactions – Each transaction is 200 bytes – Each proof is 264 bytes ● 788k to send you a transaction! ● After 1M, you have to send back to gateway.
  59. 59. Sending A Transaction ● If average transaction has 2.1 inputs – After a coin has been spent 10 times, 1700 transactions – Each transaction is 200 bytes – Each proof is 264 bytes ● 788k to send you a transaction! ● After 1M, you have to send back to gateway. A transaction network, not a store of value!
  60. 60. TODO: Sending A Transaction ● Longer time inside pettycoin:
  61. 61. TODO: Sending A Transaction ● Longer time inside pettycoin: – Gateway reinject? – Larger transactions? – Less bits in merkle proof? – Incomplete proofs?
  62. 62. What Miners Need To Know
  63. 63. What Miners Need To Know ● “Double spends” are illegal in the chain – If you can prove it, network will reject block
  64. 64. What Miners Need To Know ● “Double spends” are illegal in the chain – If you can prove it, network will reject block ● Thus, miners need to check transaction inputs – Or trust the network to filter them!
  65. 65. What Miners Need To Know ● “Double spends” are illegal in the chain – If you can prove it, network will reject block ● Thus, miners need to check transaction inputs – Or trust the network to filter them! => Miners need complete knowledge of chain
  66. 66. TODO: What Miners Need To Know
  67. 67. TODO: What Miners Need To Know ● Optimization of block transmission based on known transactions
  68. 68. Problems With Partial Knowledge
  69. 69. Problems With Partial Knowledge ● Double Spend Detection ● Ensuring Honest Miners ● Mining Rewards ● Trusting Gateways
  70. 70. Double Spend Detection
  71. 71. Double Spend Detection ● Easy to prove if you spot a duplicate in a block:
  72. 72. Double Spend Detection ● Easy to prove if you spot a duplicate in a block: – Send complaint packet with both proofs – Network will reject that block
  73. 73. Double Spend Detection ● Mostly bitcoin network doesn't wait for transactions to enter blocks for small amounts
  74. 74. Double Spend Detection ● Mostly bitcoin network doesn't wait for transactions to enter blocks for small amounts – Listen for 5 seconds to see if double spend
  75. 75. Double Spend Detection ● Mostly bitcoin network doesn't wait for transactions to enter blocks for small amounts – Listen for 5 seconds to see if double spend ● Can we do better? – Karame, Ghassan, Elli Androulaki, and Srdjan Capkun. "Two Bitcoins at the Price of One? Double-Spending Attacks on Fast Payments in Bitcoin." IACR Cryptology ePrint Archive 2012 (2012): 248.
  76. 76. TODO: Double Spend Detection
  77. 77. TODO: Double Spend Detection ● Rewards for reporting double spend?
  78. 78. TODO: Double Spend Detection ● Rewards for reporting double spend? – Can't be taken from actual double spend ● No one would ever allow that to happen. ● Would penalize recipient of first spend.
  79. 79. TODO: Double Spend Detection ● Rewards for reporting double spend? – Can't be taken from actual double spend ● No one would ever allow that to happen. ● Would penalize recipient of first spend. – Hard to “prove” who found the double spend ● Trust the majority to be honest? ● Require a small PoW?
  80. 80. TODO: Double Spend Detection ● Rewards for reporting double spend? – Can't be taken from actual double spend ● No one would ever allow that to happen. ● Would penalize recipient of first spend. – Hard to “prove” who found the double spend ● Trust the majority to be honest? ● Require a small PoW? ● Need to inject double spends to provide incentive... (but not enough to cheat!)
  81. 81. Ensuring Honest Miners
  82. 82. Ensuring Honest Miners ● Hide a batch from the network!
  83. 83. Ensuring Honest Miners ● Hide a batch from the network! – Later, miner reveals it to double spend. – Will invalidate a future block.
  84. 84. Ensuring Honest Miners ● Hide a batch from the network! – Later, miner reveals it to double spend. – Will invalidate a future block. ● Prove you know last 10 blocks' transactions... – Prepend your address to each previous transaction
  85. 85. Ensuring Honest Miners
  86. 86. TODO: Ensuring Honest Miners
  87. 87. TODO: Ensuring Honest Miners ● 10 blocks back insufficient?
  88. 88. TODO: Ensuring Honest Miners ● 10 blocks back insufficient? ● Forgiveness if double spend old enough? – Restrict number of transactions in a block? – Restrict amount transferred in any one transaction.
  89. 89. Mining Rewards
  90. 90. Mining Rewards ● In bitcoin, miner gets 50/25/12.5... – Plus leftover from transactions in block (“transaction fees”)
  91. 91. Mining Rewards ● In bitcoin, miner gets 50/25/12.5... – Plus leftover from transactions in block (“transaction fees”) ● We can't mint bitcoins
  92. 92. Mining Rewards ● In bitcoin, miner gets 50/25/12.5... – Plus leftover from transactions in block (“transaction fees”) ● We can't mint bitcoins ● Without full knowledge, can't use transaction fees
  93. 93. Mining Rewards ● In bitcoin, miner gets 50/25/12.5... – Plus leftover from transactions in block (“transaction fees”) ● We can't mint bitcoins ● Without full knowledge, can't use transaction fees ● If we offered flat fee, why bother collecting transactions?
  94. 94. TODO: Mining Rewards
  95. 95. TODO: Mining Rewards ● Statistical rewards!
  96. 96. TODO: Mining Rewards ● Statistical rewards! – “claim transaction”: ● A valid transaction which was in your block ● Proof that it was ● A recent gateway injection transaction (last 20 blocks?)
  97. 97. TODO: Mining Rewards ● Statistical rewards! – “claim transaction”: ● A valid transaction which was in your block ● Proof that it was ● A recent gateway injection transaction (last 20 blocks?) – Reward amount depends on difference between hash of that transaction xor of hash of next 100 blocks ● More similar the better ● Encourages more transactions.
  98. 98. TODO: Mining Rewards ● Miners also include a double spend report in their claim?
  99. 99. TODO: Mining Rewards ● Miners also include a double spend report in their claim? – Would be worth 1% of reward to claimant – An honor system...
  100. 100. TODO: Mining Rewards ● Tax the future to pay for the present?
  101. 101. TODO: Mining Rewards ● Tax the future to pay for the present? – eg. after 4 years, pay 50% of rewards back to first two years blocks.
  102. 102. TODO: Mining Rewards ● Tax the future to pay for the present? – eg. after 4 years, pay 50% of rewards back to first two years blocks. – Needs smoothing of course, but it'll never be “fair”
  103. 103. Trusting Gateways
  104. 104. Trusting Gateways ● The gateway is holding your bitcoin!
  105. 105. Trusting Gateways ● The gateway is holding your bitcoin! – You can monitor it, but you have to trust. – Will only relay small amounts. – A good reason for limiting history.
  106. 106. Trusting Gateways ● The gateway is holding your bitcoin! – You can monitor it, but you have to trust. – Will only relay small amounts. – A good reason for limiting history. I don't want your money!
  107. 107. Trusting Gateways ● The gateway is holding your bitcoin! – You can monitor it, but you have to trust. – Will only relay small amounts. – A good reason for limiting history. I don't want your money! A transaction network, not a store of value!
  108. 108. TODO: Trusting Gateways
  109. 109. TODO: Trusting Gateways ● Independent gateways with multisig transactions?
  110. 110. TODO: Trusting Gateways ● Independent gateways with multisig transactions? ● Clients could differentiate pettycoins by source gateway?
  111. 111. TODO: Trusting Gateways ● Independent gateways with multisig transactions? ● Clients could differentiate pettycoins by source gateway? – Think harder!
  112. 112. Bootstrap
  113. 113. Bootstrap ● Testnet
  114. 114. Bootstrap ● Testnet ● Full knowledge
  115. 115. Bootstrap ● Testnet ● Full knowledge ● Gateway returns old funds
  116. 116. An Example Application
  117. 117. An Example Application ● Tip 0.1c to every webpage you visit?
  118. 118. An Example Application ● Tip 0.1c to every webpage you visit? – Tip on way out (or delay!) so you can cancel it!
  119. 119. Status
  120. 120. Status ● Domain name registered!
  121. 121. Status ● Domain name registered! ● Block generation code works.
  122. 122. Status ● Domain name registered! ● Block generation code works. ● Nodes talk to each other.
  123. 123. Status ● Domain name registered! ● Block generation code works. ● Nodes talk to each other. ● World's worst CPU miner mostly works.
  124. 124. Status ● Domain name registered! ● Block generation code works. ● Nodes talk to each other. ● World's worst CPU miner mostly works. ● Gateway transactions can be injected.
  125. 125. Status ● Domain name registered! ● Block generation code works. ● Nodes talk to each other. ● World's worst CPU miner mostly works. ● Gateway transactions can be injected. ● Normal transactions not yet handled.
  126. 126. Status ● Domain name registered! ● Block generation code works. ● Nodes talk to each other. ● World's worst CPU miner mostly works. ● Gateway transactions can be injected. ● Normal transactions not yet handled. ● Bitcoin gateway not written
  127. 127. Status ● Domain name registered! ● Block generation code works. ● Nodes talk to each other. ● World's worst CPU miner mostly works. ● Gateway transactions can be injected. ● Normal transactions not yet handled. ● Bitcoin gateway not written ● Pettycoin explorer not written
  128. 128. Status ● Domain name registered! ● Block generation code works. ● Nodes talk to each other. ● World's worst CPU miner mostly works. ● Gateway transactions can be injected. ● Normal transactions not yet handled. ● Bitcoin gateway not written ● Pettycoin explorer not written ● HTTP transaction receive not written.
  129. 129. FAQ ● What if the pettycoin binary has a flaw? ● What if pettycoin protocol has a flaw? ● What if the gateways are hacked? ● What if lawyers/governments/MIB shut it down? ● What if someone threatens your family?
  130. 130. FAQ ● What if the pettycoin binary has a flaw? YOU WILL LOSE YOUR MONEY ● What if pettycoin protocol has a flaw? YOU WILL LOSE YOUR MONEY ● What if the gateways are hacked? YOU WILL LOSE YOUR MONEY ● What if lawyers/governments/MIB shut it down? YOU WILL LOSE YOUR MONEY ● What if someone threatens your family? YOU WILL LOSE YOUR MONEY
  131. 131. Disclaimer ● This is not a spec! ● Almost-working incomplete code at: – https://github.com/rustyrussell/pettycoin
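
The 12-hash proof from the "Partial Knowledge" slides and the two-proof complaint from "Double Spend Detection", as an added example that is not code from the talk or from the pettycoin repository. It assumes plain SHA-256 for leaves and nodes, left-to-right pairing, and a constructed transaction encoding whose first 32 bytes name the spent input; all function names are hypothetical, and both transactions of a complaint are taken from the same batch.

```python
import hashlib

BATCH = 4096   # transactions per batch, per the slides: 2**12 leaves
DEPTH = 12     # so a proof carries 12 sibling hashes

def h(data: bytes) -> bytes:
    # Assumption: plain SHA-256 for leaves and nodes; the slides do not specify.
    return hashlib.sha256(data).digest()

def build_levels(txs):
    """All tree levels for one full batch, leaf hashes first, root last."""
    if len(txs) != BATCH: raise ValueError("full batches only")
    levels = [[h(tx) for tx in txs]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def make_proof(levels, index):
    """Sibling hash at each level below the root."""
    proof = []
    for level in levels[:-1]:
        proof.append(level[index ^ 1])
        index >>= 1
    return proof

def verify(tx, index, proof, root):
    """Recompute the batch root from one transaction and its 12 siblings."""
    if len(proof) != DEPTH or not 0 <= index < BATCH:
        return False
    node = h(tx)
    for sibling in proof:
        node = h(sibling + node) if index & 1 else h(node + sibling)
        index >>= 1
    return node == root

def valid_complaint(root, a, b):
    """a, b are (tx, index, proof): both must be proven in the batch at
    different positions and name the same input (first 32 bytes, constructed)."""
    (tx_a, i_a, p_a), (tx_b, i_b, p_b) = a, b
    return (i_a != i_b and tx_a[:32] == tx_b[:32]
            and verify(tx_a, i_a, p_a, root) and verify(tx_b, i_b, p_b, root))

def demo():
    # Constructed sample batch: tx = 32-byte input id + payload.
    txs = [h(b"coin %d" % i) + b"pay %d" % i for i in range(BATCH)]
    txs[3000] = txs[7][:32] + b"pay someone else"   # spends the same input as tx 7
    levels = build_levels(txs)
    root = levels[-1][0]
    p7, p3000, p8 = (make_proof(levels, i) for i in (7, 3000, 8))
    return (len(p7), verify(txs[8], 8, p8, root),
            verify(txs[8] + b"!", 8, p8, root),
            valid_complaint(root, (txs[7], 7, p7), (txs[3000], 3000, p3000)),
            valid_complaint(root, (txs[7], 7, p7), (txs[8], 8, p8)))
```

A node that accepts complaints has to verify both proofs before rejecting a block; otherwise a forged complaint could be used to knock out honest blocks.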