Bitcoin Fundamentals
N. P. O'DONNELL, MAYNOOTH UNIVERSITY
Topics Covered
•Blockchain
•Blocks
•Keys & Addresses
•Scripting
•Transactions
•Proof-Of-Work & Mining
•Attacks
•Quantum Computing Threats ?
Blockchain
What Is A Blockchain?
Several Definitions:
•Over-used buzzword that many people don't understand
•A very slow database
•A database that can't be tampered with
•An append-only database
•A cryptographically verified database
•An immutable, append-only, hashed, cryptographically verified, singly-linked chain of blocks
What about Bitcoin's blockchain?
Since "blockchain" is an overloaded term, let's examine Bitcoin's blockchain alone, since it certainly fits the
description.
•World's first blockchain (and always will be)
•World's most secure blockchain, i.e. the one with the highest hash rate
•World's most famous blockchain
•Not the biggest blockchain (Ethereum is far bigger)
•Each block contains a block header plus N transactions, where N ≥ 1 (the first is always the coinbase transaction that pays the miner)
•Each block is limited to 1MB*
•New block generated every 10 minutes**
* No longer literally true: since SegWit the consensus limit is 4,000,000 weight units, which still caps a block at under 4MB serialized. ** On average; the interval between blocks is random, and the difficulty adjustment only steers the mean towards 10 minutes
What about Bitcoin's blockchain?
[Figure: the chain of block headers]
Block 0 (genesis): HashPrevBlock = 0, HashMerkleRoot
Block 1: HashPrevBlock → Block 0, HashMerkleRoot
Block 2: HashPrevBlock → Block 1, HashMerkleRoot
Block 3: HashPrevBlock → Block 2, HashMerkleRoot
The genesis block's coinbase transaction embeds the newspaper headline "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks".
Blocks
Structure Of A Bitcoin Block
Each Bitcoin block consists of:
• Magic Number – Marks the start of a block in block files and on the wire (0xD9B4BEF9 on mainnet). It is not
part of the block itself and has no cryptographic significance
• Block Size
• Block header
• Transaction counter
• The transactions themselves
Each Bitcoin block contains a block header. This is what is hashed and gives rise to the blockchain. The
transactions themselves are not hashed directly, only the Merkle root of the transactions. So technically it's a
block-header chain. Each block header (80 bytes) contains:
• Version
• HashPrevBlock – Hash of the previous block's header
• HashMerkleRoot – Root of the Merkle tree built over the transaction IDs in this block. Just think of it as a
hash that commits to all the transactions at once: change any transaction and the root changes
• Time
• Bits – Current difficulty target in compact form (more on this later)
• Nonce – Related to mining (more on this later)
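The header layout above, worked through in code. This is an added example and not code from the slides or from Bitcoin Core: it parses the real 80-byte header of block 0 (the genesis block, whose raw bytes are embedded as a constant), computes its block ID with double SHA-256, and builds a Merkle root using Bitcoin's pair-and-duplicate rule. Only the Python standard library is used; the three-txid list in the usage is constructed, not from a real block.

```python
import hashlib
import struct

# Raw 80-byte header of Bitcoin block 0 (the genesis block) as stored on disk and on the
# wire: version(4) | prev_hash(32) | merkle_root(32) | time(4) | bits(4) | nonce(4),
# every field little-endian.
GENESIS_HEADER_HEX = (
    "01000000"
    "0000000000000000000000000000000000000000000000000000000000000000"
    "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    "29ab5f49" "ffff001d" "1dac2b7c"
)


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash function: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def parse_header(raw: bytes) -> dict:
    """Split an 80-byte header into its six fields.

    Hashes are little-endian on the wire; they are flipped here to the big-endian
    hex that block explorers and the slides display.
    """
    if len(raw) != 80:
        raise ValueError("block header must be exactly 80 bytes")
    version, prev, root, time_, bits, nonce = struct.unpack("<I32s32sIII", raw)
    return {
        "version": version,
        "hash_prev_block": prev[::-1].hex(),
        "hash_merkle_root": root[::-1].hex(),
        "time": time_,
        "bits": bits,
        "nonce": nonce,
    }


def block_id(raw_header: bytes) -> str:
    """Block ID = dsha256(header), displayed byte-reversed (hence the leading zeros)."""
    return dsha256(raw_header)[::-1].hex()


def merkle_root(txids_hex: list) -> str:
    """Merkle root over transaction IDs (display-order hex in, display-order hex out).

    Bitcoin hashes pairs of 32-byte little-endian txids with dsha256; an odd node at
    any level is paired with a copy of itself. A block with one transaction (only the
    coinbase) therefore has root == txid.
    """
    if not txids_hex:
        raise ValueError("a block has at least one transaction (the coinbase)")
    level = [bytes.fromhex(t)[::-1] for t in txids_hex]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0][::-1].hex()


if __name__ == "__main__":
    raw = bytes.fromhex(GENESIS_HEADER_HEX)
    for field, value in parse_header(raw).items():
        print(f"{field:17} {value}")
    print("block id          ", block_id(raw))
    # Constructed txids, just to show the odd-count duplication rule in action.
    print("root of 3 txids   ", merkle_root(["aa" * 32, "bb" * 32, "cc" * 32]))
```

Running the script prints the genesis fields (version 1, Bits 0x1d00ffff, nonce 2083236893, time 1231006505) and the familiar block ID beginning 000000000019d668. Because the genesis block holds a single transaction, its HashMerkleRoot is simply that coinbase's txid.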
Keys & Addresses
Keys & Addresses
[Figure: an example P2PKH bitcoin address]
Keys & Addresses
What is a Bitcoin address? Is it just a random string of characters?
Answer: No
Each address is derived from a public key.
Each public key is derived from a private key.
Private Key → Public Key → Address
Keys & Addresses
Private Key: 0x69bc69641bd3111e47d55c40b8f1e912577c78edabb1c8ca5d2907bff7a93097
The private key is just a random number in the range 1 to n - 1, where n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 is the order of the secp256k1 generator point. (The value 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1 often quoted here is the curve's field prime p, which bounds point coordinates, not private keys; n is slightly smaller than p.)
Generator point (compressed): 0x0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798
To get the unique public key for this private key, we multiply the generator point by the private key: conceptually, add G to itself private-key times, computed in practice with double-and-add in about 256 steps.
Public key (compressed): 0x0380864b7759a43923d2d0c99b142843fc306199a94995e55cb204d9a91fa09feb
PubkeyHash = RIPEMD160(SHA256(Public Key)) = 0xd8e5899f2589b7fa9df2513bf2366d2031f2d478 (SHA-256 first, then RIPEMD-160)
VersionByte (0x00) | PubkeyHash = 0x00d8e5899f2589b7fa9df2513bf2366d2031f2d478
Checksum = SHA256(SHA256(VersionByte | PubkeyHash))[:4] = 0x08c131a4
VersionByte | PubkeyHash | Checksum = 0x00d8e5899f2589b7fa9df2513bf2366d2031f2d47808c131a4
Base58Encode(0x00d8e5899f2589b7fa9df2513bf2366d2031f2d47808c131a4)
= 1LmqvzD5KgNs1a8tcibuiNNM1MfZxLr5pw
(The steps from the version byte onwards, i.e. prefix, double-SHA-256 checksum, then Base58, are together what "Base58Check" means.)
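The derivation above carried out end to end. This is an added example, not code from the slides or from any Bitcoin library: a from-scratch secp256k1 scalar multiplication (double-and-add), the SHA-256 then RIPEMD-160 hash, and Base58Check encoding. The curve constants are the real secp256k1 parameters. The only external assumption is that `hashlib` exposes `ripemd160`; some OpenSSL 3 builds omit it, which `ripemd160_available()` reports. The known-answer test uses private key 1, whose compressed address is public knowledge; the slide's own key is only printed for comparison.

```python
import hashlib

# secp256k1 domain parameters (the real ones).
P = 2**256 - 2**32 - 977  # field prime: 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # P + (-P) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k: int, point=G):
    """k * point by double-and-add: ~256 doublings instead of k additions."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def pubkey_from_privkey(d: int) -> bytes:
    """33-byte compressed public key; rejects scalars outside [1, N-1]."""
    if not 1 <= d < N:
        raise ValueError("private key must be in the range 1 .. N-1")
    x, y = ec_mul(d)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(data)): SHA-256 first, then RIPEMD-160."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


def base58check(payload: bytes) -> str:
    """Append a 4-byte double-SHA-256 checksum, then Base58 (leading zero bytes -> '1')."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def p2pkh_address(pubkey: bytes, version: bytes = b"\x00") -> str:
    return base58check(version + hash160(pubkey))


def derive(privkey: int) -> dict:
    pub = pubkey_from_privkey(privkey)
    return {"pubkey": pub.hex(), "pubkeyhash": hash160(pub).hex(), "address": p2pkh_address(pub)}


def ripemd160_available() -> bool:
    try:
        hashlib.new("ripemd160")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The slide's own example key; compare the output with the values quoted above.
    for k, v in derive(0x69bc69641bd3111e47d55c40b8f1e912577c78edabb1c8ca5d2907bff7a93097).items():
        print(f"{k:11} {v}")
```

The range check in `pubkey_from_privkey` is the practical consequence of the bound discussed above: a scalar of 0 or N yields the point at infinity and has no public key, and any scalar of N or more is equivalent to a smaller one, so a wallet that accepts such values would silently produce a key it shares with someone else.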
Scripting
Script
• Bitcoin comes with its own scripting language called "Script"
• Script is used to lock and unlock funds
• All bitcoin transactions must use Script. There is no other way to lock/unlock funds
• Script is not Turing-complete: it has conditionals (OP_IF) but no loops, so every script terminates in time bounded by its length
• Script is a stack-based language which runs in (what some people call) a VM
• The VM is basically a giant switch statement (EvalScript in src/script/interpreter.cpp)
• The giant switch statement is about 800 lines of C++
• Consensus-critical code !!! A bug that makes one node accept a script that another rejects splits the network
Script
Let's run a script!
Script: OP_3 OP_5 OP_ADD OP_8 OP_EQUAL
Interpreter Stack (top of stack shown last):
  after OP_3      [3]
  after OP_5      [3, 5]
  after OP_ADD    [8]            (pops 5 and 3, pushes 3 + 5)
  after OP_8      [8, 8]
  after OP_EQUAL  [TRUE]         (pops both 8s, pushes 1 because they are equal)
The script succeeds because a true value is on top of the stack when it finishes.
Transactions
Transactions
Each transaction contains 1 or more inputs and 1 or more outputs.
Transactions
• Each input contains a reference to exactly one output in a previous transaction.
• This is known as an "outpoint": the previous transaction's ID plus the index of the output within it.
• Each input also contains a script (the scriptSig).
• Each output contains a value in satoshis. (1 satoshi = 10^-8 BTC)
• Each output also contains a script (the scriptPubKey).
• One exception: the coinbase input of a block's first transaction references no previous output. Its outpoint is the all-zero txid with index 0xffffffff, and its scriptSig carries arbitrary data (the genesis block's newspaper headline lives there).
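The input/output structure above in code. This is an added example, not code from the slides or from Bitcoin Core: a legacy (non-SegWit) transaction serializer and parser, the CompactSize length encoding, the txid computation, and the coinbase check. Block 0's coinbase is rebuilt from its public fields (the real headline, pubkey and 50 BTC value) so the txid can be checked against the Merkle root of the genesis header; `SAMPLE_SPEND` is a constructed transaction and references a made-up outpoint.

```python
import hashlib
import struct


def varint(n: int) -> bytes:
    """CompactSize integer, used for every count and length in a transaction."""
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xffffffff:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def read_varint(raw: bytes, pos: int):
    tag = raw[pos]
    if tag < 0xfd:
        return tag, pos + 1
    size, fmt = {0xfd: (2, "<H"), 0xfe: (4, "<I"), 0xff: (8, "<Q")}[tag]
    return struct.unpack(fmt, raw[pos + 1:pos + 1 + size])[0], pos + 1 + size


def serialize_tx(tx: dict) -> bytes:
    """Legacy wire format: version | inputs | outputs | locktime."""
    raw = struct.pack("<i", tx["version"]) + varint(len(tx["vin"]))
    for vin in tx["vin"]:
        # The outpoint: previous txid (byte-reversed on the wire) + output index.
        raw += bytes.fromhex(vin["txid"])[::-1] + struct.pack("<I", vin["vout"])
        raw += varint(len(vin["script_sig"])) + vin["script_sig"]
        raw += struct.pack("<I", vin["sequence"])
    raw += varint(len(tx["vout"]))
    for vout in tx["vout"]:
        raw += struct.pack("<q", vout["value"])  # satoshis: 1 BTC = 10^8
        raw += varint(len(vout["script_pubkey"])) + vout["script_pubkey"]
    return raw + struct.pack("<I", tx["locktime"])


def parse_tx(raw: bytes) -> dict:
    """Inverse of serialize_tx; rejects trailing bytes."""
    version, = struct.unpack("<i", raw[:4])
    n_in, pos = read_varint(raw, 4)
    vin = []
    for _ in range(n_in):
        txid_hex = raw[pos:pos + 32][::-1].hex()
        index, = struct.unpack("<I", raw[pos + 32:pos + 36])
        slen, pos = read_varint(raw, pos + 36)
        script = raw[pos:pos + slen]
        sequence, = struct.unpack("<I", raw[pos + slen:pos + slen + 4])
        pos += slen + 4
        vin.append({"txid": txid_hex, "vout": index, "script_sig": script, "sequence": sequence})
    n_out, pos = read_varint(raw, pos)
    vout = []
    for _ in range(n_out):
        value, = struct.unpack("<q", raw[pos:pos + 8])
        slen, pos = read_varint(raw, pos + 8)
        vout.append({"value": value, "script_pubkey": raw[pos:pos + slen]})
        pos += slen
    locktime, = struct.unpack("<I", raw[pos:pos + 4])
    if pos + 4 != len(raw):
        raise ValueError("trailing bytes after transaction")
    return {"version": version, "vin": vin, "vout": vout, "locktime": locktime}


def txid(raw: bytes) -> str:
    """Transaction ID: double SHA-256 of the serialization, displayed byte-reversed."""
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()


def is_coinbase(tx: dict) -> bool:
    """The coinbase input references no previous output: null txid, index 0xffffffff."""
    vin = tx["vin"]
    return len(vin) == 1 and vin[0]["txid"] == "00" * 32 and vin[0]["vout"] == 0xffffffff


# Block 0's coinbase, rebuilt from its public fields (these are Bitcoin's real values).
GENESIS_MESSAGE = b"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
GENESIS_PUBKEY = bytes.fromhex(
    "04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6"
    "49f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f")
GENESIS_COINBASE = {
    "version": 1,
    "vin": [{"txid": "00" * 32, "vout": 0xffffffff,
             # scriptSig pushes: <bits 0x1d00ffff> <4> <headline>
             "script_sig": bytes.fromhex("04ffff001d0104") + bytes([len(GENESIS_MESSAGE)]) + GENESIS_MESSAGE,
             "sequence": 0xffffffff}],
    "vout": [{"value": 50 * 10**8,
              # pay-to-pubkey: <65-byte pubkey> OP_CHECKSIG
              "script_pubkey": bytes([len(GENESIS_PUBKEY)]) + GENESIS_PUBKEY + b"\xac"}],
    "locktime": 0,
}

# Constructed sample (not a real transaction): one input spending output 1 of a made-up txid,
# paying two P2PKH outputs. Note the input carries no value: the amount being spent
# lives in the referenced output, so fee = sum(inputs' outputs) - sum(outputs) needs the UTXO set.
SAMPLE_SPEND = {
    "version": 2,
    "vin": [{"txid": "ab" * 32, "vout": 1, "script_sig": b"\x51", "sequence": 0xfffffffe}],
    "vout": [{"value": 150_000, "script_pubkey": b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"},
             {"value": 49_000, "script_pubkey": b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"}],
    "locktime": 0,
}
```

Serializing `GENESIS_COINBASE` and hashing it yields 4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b, the same value that sits in the genesis header's HashMerkleRoot field, because a one-transaction block's Merkle root is its only txid.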
Transactions
• To spend an output, the scriptSig from a TxIn (input) is combined with the scriptPubKey from the TxOut (output)
it references to form a full script. These slides show this as concatenation; Bitcoin Core actually runs the
scriptSig first and then the scriptPubKey on the stack it left behind, so a scriptSig cannot alter the control flow
of the scriptPubKey.
• This script is run by the script interpreter and if the top of the stack holds a true (non-zero) value after
the script is run, the input is valid and the funds can be unlocked and transferred to somebody else.
• If there's anything other than a true value at the top of the stack, or the script aborts part-way (e.g. at
OP_EQUALVERIFY), the input is invalid, the whole transaction is rejected and the funds remain locked.
• A transaction containing a scriptSig which fails to unlock funds will not be relayed by nodes, and even some
wallets may not broadcast it. This is an important spam-prevention mechanism which ensures that only
transactions which pay for network resources, in the form of fees, actually consume them.
Script
P2PKH Transaction Verification Script
Script: <SIG> <PUBKEY> OP_DUP OP_HASH160 <PUBKEYHASH> OP_EQUALVERIFY OP_CHECKSIG
  <SIG> <PUBKEY>                                             = ScriptSig (part of Input)
  OP_DUP OP_HASH160 <PUBKEYHASH> OP_EQUALVERIFY OP_CHECKSIG  = ScriptPubKey (part of Output)
Interpreter Stack (top of stack shown last):
  after <SIG>           [<SIG>]
  after <PUBKEY>        [<SIG>, <PUBKEY>]
  after OP_DUP          [<SIG>, <PUBKEY>, <PUBKEY>]
  after OP_HASH160      [<SIG>, <PUBKEY>, <PUBKEYHASH>]                  (RIPEMD160(SHA256(<PUBKEY>)))
  after <PUBKEYHASH>    [<SIG>, <PUBKEY>, <PUBKEYHASH>, <PUBKEYHASH>]
  after OP_EQUALVERIFY  [<SIG>, <PUBKEY>]                                (hashes match; otherwise the script aborts here)
  after OP_CHECKSIG     [TRUE]                                           (signature verifies against <PUBKEY>; otherwise FALSE)
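Both traces on this page, the arithmetic script and the P2PKH verification, run through one interpreter. This is an added example, not code from the slides or from Bitcoin Core's EvalScript: a minimal Python interpreter for the handful of opcodes used, with Bitcoin's script-number encoding and consensus truthiness, executing scriptSig and then scriptPubKey in Core's order. The ECDSA check is injected as a callable; `demo_checksig`, `DEMO_PUBKEY` and `DEMO_SIG` are constructed stand-ins so the block runs offline and are neither a real signature scheme nor a real curve point. OP_HASH160 needs `hashlib` to provide `ripemd160`, which `ripemd160_available()` reports.

```python
import hashlib

# Opcode bytes from Bitcoin's script.h (only the ones this interpreter implements).
OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OPS = {"OP_DUP": 0x76, "OP_EQUAL": 0x87, "OP_EQUALVERIFY": 0x88,
       "OP_ADD": 0x93, "OP_HASH160": 0xa9, "OP_CHECKSIG": 0xac}


def num_to_bytes(n: int) -> bytes:
    """Script numbers: little-endian, sign in the top bit of the last byte, zero is empty."""
    if n == 0:
        return b""
    out, mag = bytearray(), abs(n)
    while mag:
        out.append(mag & 0xff)
        mag >>= 8
    if out[-1] & 0x80:                 # top bit already used: add a sign byte
        out.append(0x80 if n < 0 else 0x00)
    elif n < 0:
        out[-1] |= 0x80
    return bytes(out)


def bytes_to_num(b: bytes) -> int:
    if not b:
        return 0
    mag = int.from_bytes(b[:-1] + bytes([b[-1] & 0x7f]), "little")
    return -mag if b[-1] & 0x80 else mag


def is_true(item: bytes) -> bool:
    """Consensus truthiness: anything that is not numeric zero (negative zero included)."""
    return bytes_to_num(item) != 0


def hash160(data: bytes) -> bytes:
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


def compile_script(tokens) -> bytes:
    """Tokens: opcode names, ints 0..16 (OP_0..OP_16), or bytes (direct push of <= 75 bytes)."""
    out = b""
    for t in tokens:
        if isinstance(t, str):
            out += bytes([OPS[t]])
        elif isinstance(t, int) and 0 <= t <= 16:
            out += bytes([OP_0 if t == 0 else OP_1 + t - 1])
        elif isinstance(t, bytes) and 1 <= len(t) <= 75:
            out += bytes([len(t)]) + t
        else:
            raise ValueError(f"unsupported token {t!r} (PUSHDATA1/2/4 not implemented here)")
    return out


def eval_script(script: bytes, stack: list, checksig) -> bool:
    """Straight-line execution; Script has no loops, so this always terminates."""
    pos = 0
    while pos < len(script):
        op = script[pos]
        pos += 1
        if 1 <= op <= 75:                              # push the next `op` bytes
            stack.append(script[pos:pos + op])
            pos += op
        elif op == OP_0:
            stack.append(b"")
        elif OP_1 <= op <= OP_16:
            stack.append(num_to_bytes(op - OP_1 + 1))
        elif op == OPS["OP_DUP"]:
            stack.append(stack[-1])
        elif op == OPS["OP_ADD"]:
            b, a = stack.pop(), stack.pop()
            stack.append(num_to_bytes(bytes_to_num(a) + bytes_to_num(b)))
        elif op in (OPS["OP_EQUAL"], OPS["OP_EQUALVERIFY"]):
            equal = stack.pop() == stack.pop()
            if op == OPS["OP_EQUAL"]:
                stack.append(b"\x01" if equal else b"")
            elif not equal:
                return False                           # VERIFY: abort the whole script
        elif op == OPS["OP_HASH160"]:
            stack.append(hash160(stack.pop()))
        elif op == OPS["OP_CHECKSIG"]:
            pubkey, sig = stack.pop(), stack.pop()
            stack.append(b"\x01" if checksig(sig, pubkey) else b"")
        else:
            return False                               # unknown or disabled opcode
    return True


def verify_input(script_sig: bytes, script_pubkey: bytes, checksig=lambda s, p: False) -> bool:
    """Core's order: run scriptSig, then scriptPubKey on the stack it left (not a literal
    concatenation). Valid iff both complete and the top stack item is true."""
    stack = []
    try:
        ok = eval_script(script_sig, stack, checksig) and eval_script(script_pubkey, stack, checksig)
    except IndexError:                                 # stack underflow
        return False
    return ok and bool(stack) and is_true(stack[-1])


# Constructed stand-in for ECDSA so the example runs offline; NOT a signature scheme.
DEMO_PUBKEY = b"\x02" + b"\x11" * 32                   # constructed, not a real curve point
DEMO_SIG = hashlib.sha256(b"demo-signature:" + DEMO_PUBKEY).digest()


def demo_checksig(sig: bytes, pubkey: bytes) -> bool:
    return sig == hashlib.sha256(b"demo-signature:" + pubkey).digest()


def p2pkh_script_pubkey(pubkey: bytes) -> bytes:
    return compile_script(["OP_DUP", "OP_HASH160", hash160(pubkey), "OP_EQUALVERIFY", "OP_CHECKSIG"])


def ripemd160_available() -> bool:
    try:
        hashlib.new("ripemd160")
        return True
    except ValueError:
        return False
```

Three outcomes are worth trying: the matching signature and key succeed; a different public key fails at OP_EQUALVERIFY before any signature is looked at, because its hash does not match the <PUBKEYHASH> committed in the output; and the right key with a bad signature runs to the end but leaves FALSE on the stack. A wrong scriptSig can therefore never "partially" unlock an output.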
Proof-of-Work & Mining
Proof-Of-Work & Mining
• Every bitcoin block has a 256-bit block ID (also called a block hash)
• Ex. Block hash: 00000000000000000005b5a0046b4e542a11f790b3fca15964bc58ad7b4386a4
• Technically it's a block header hash: only the 80-byte header is hashed, and the transactions are committed to through the merkle root inside that header
• To get different block hashes, a miner changes the nonce field in the block header (and, once the 32-bit nonce is exhausted, the extra nonce in the coinbase transaction or the timestamp)
• Only block hashes at or below a threshold are accepted - this threshold is the target; the difficulty is how many times smaller the target is than the maximum (difficulty-1) target
• This process continues until a hash below the target is found
• First miner to find this hash gets 12.5 BTC (EUR 82,818.68 at the time of these slides, late 2019) plus the fees of the transactions in the block - the 12.5 BTC is known as the block reward
• This happens every 10 minutes on average
• Each day ~144 blocks are mined, i.e. 1,800 BTC of new coins (~EUR 11.9 million at the rate above)
• Difficulty adjusted every 2,016 blocks (about two weeks) so that blocks keep arriving every 10 minutes on average
• Block reward halved every 210,000 blocks (about four years)
• Bitcoin mining uses the SHA-256 hash algorithm
• All bitcoin Block IDs can be calculated with sha256(sha256(BlockHeader)); the ID is conventionally displayed with its bytes reversed, which is why the leading zeros appear at the front
• Mining can be done on any kind of hardware but is best done on specialized hardware (ASICs)
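The header hashing and nonce search described above, as an added example (not code from the slides). It serializes the real genesis block header (public, well-known values), recomputes its block ID with sha256(sha256(header)), decodes the compact target from the nBits field and the difficulty from it, and then grinds the nonce against a deliberately easy target so the loop finishes in milliseconds on a CPU. The easy target is an assumption for illustration; real targets are vastly smaller.

```python
import hashlib
import struct

# Added example. Header fields of the real genesis block (public, well-known
# values); block hashes and the merkle root are written big-endian in hex but
# serialized little-endian, hence the [::-1] reversals below.
GENESIS = {
    "version": 1,
    "prev_block": "00" * 32,
    "merkle_root": "4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b",
    "time": 1231006505,
    "bits": 0x1D00FFFF,
    "nonce": 2083236893,
}
# Target encoded by bits = 0x1d00ffff, i.e. difficulty 1.
MAX_TARGET = 0xFFFF * 2 ** 208


def serialize_header(h, nonce=None):
    """Return the 80-byte block header that miners actually hash."""
    nonce = h["nonce"] if nonce is None else nonce
    return (
        struct.pack("<I", h["version"])
        + bytes.fromhex(h["prev_block"])[::-1]
        + bytes.fromhex(h["merkle_root"])[::-1]
        + struct.pack("<III", h["time"], h["bits"], nonce)
    )


def block_hash(header80):
    """Block ID = sha256(sha256(header)), displayed byte-reversed."""
    digest = hashlib.sha256(hashlib.sha256(header80).digest()).digest()
    return digest[::-1].hex()


def bits_to_target(bits):
    """Decode the compact nBits field: 1 exponent byte, 3 mantissa bytes."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    return mantissa * 256 ** (exponent - 3)


def difficulty(bits):
    """Difficulty = how many times smaller the target is than MAX_TARGET."""
    return MAX_TARGET / bits_to_target(bits)


def meets_target(hash_hex, target):
    return int(hash_hex, 16) <= target


def mine(h, target, max_nonce=2 ** 32):
    """Grind the nonce until the header hash is at or below the target.
    Real miners also vary the coinbase extraNonce or the timestamp once the
    32-bit nonce space is exhausted; this toy version just gives up."""
    for nonce in range(max_nonce):
        candidate = block_hash(serialize_header(h, nonce))
        if meets_target(candidate, target):
            return nonce, candidate
    raise RuntimeError("nonce space exhausted")


# Assumed, deliberately easy target for the demo: top 12 bits zero, so about
# 2^12 = 4096 tries are expected.
TOY_TARGET = 2 ** 244


if __name__ == "__main__":
    real = block_hash(serialize_header(GENESIS))
    print("genesis block ID:", real)
    print("meets its own target:", meets_target(real, bits_to_target(GENESIS["bits"])))
    print("genesis difficulty:", difficulty(GENESIS["bits"]))
    nonce, found = mine(GENESIS, TOY_TARGET)
    print(f"toy target hit at nonce {nonce}: {found}")
```

Run it and compare the printed genesis ID with any block explorer; then change one byte of the merkle root and watch the hash, and therefore the nonce needed, change completely.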
Mining Hardware Comparison
  Hardware                    Price      Hash rate
  Core i7 3930k (CPU)         $220       5.2 MH/s
  Tesla S2070 (GPU)           $18,995    749.23 MH/s
  Antminer S9 (ASIC)          about $300 16 TH/s
Tesla is 144 X faster than i7
S9 is 21,355 X faster than Tesla
Bitcoin Mining Farm
(Somewhere on Earth)
[Photo of a mining farm: hashing power equivalent to 3,075,120 Core i7s]
• Many such mining farms on earth
• Often in undisclosed locations
• Their locations are hard to establish from the outside: a mined block carries no geographic information
• Usually in cold countries with cheap electricity
• Bitcoin mining uses enough electricity to power 3 Irelands (estimate at the time of these slides)
• Many rumors about who is mining Bitcoin
• One thing we do know: more mining farms are springing up because the hash rate is growing
• How do we know this ?
Finding The Network Hash Rate
[Chart: blockchain.info network hash rate over time, annotated "The 'Great Crash' of 2017"; the hash rate shown corresponds to 1,923,076,923,077 i7s]
But how does blockchain.info know the hash rate ?
Nobody knows where all the mining farms are.
Answer: They use math
Proof-Of-Work & Mining
P × B × H = 1
"The mining equation"
P = probability of mining block below difficulty target in 1 try
B = block time (s)
H = # of tries per second, a.k.a. hash rate (h/s)
Why: each try succeeds independently with probability P, so on average 1/P tries are needed per block; at H tries per second that takes B = (1/P)/H seconds, i.e. P × B × H = 1
P = 1/BH
B = 1/PH
H = 1/PB
Example Hash Rate Calculation
Probability of mining a block in single attempt is 0.1. I'm trying 10 hashes per
second, what is my block time?
P = 0.1
H = 10
B = 1/PH
B = 1/(0.1 × 10)
B = 1/1
Average block time is 1 second
Example Hash Rate Calculation
Let's try a real example!
Example Hash Rate Calculation
The home page of blockchain.info looks like this: What is the current network hash rate?
Example Hash Rate Calculation
We have:
• 8 most recent block hashes:
• 000000000000000000156ef4be0d0c90b655f9fb08fac67aa151032bfcdfa51a
• 0000000000000000000dd8b04dcf588433bbb4838d20ea8e3682c5b5328f3934
• 0000000000000000000ba39636a6dd75584f400da3217c5aec4d91116307243c
• 0000000000000000000c65f787061574865988894a721900fe46dbbe85580950
• 0000000000000000000825524292c9ad4938a85c3a0cd08965182272912d087d
• 00000000000000000013f660755e5aa1f9daf8eaa0663a4ecddd17d75e608d05
• 00000000000000000010f252e6a289adcdcce0577afa29d9f62082b7a416bc41
• 000000000000000000050de301e9b99dcc253f51b186a3d6333ae5c5f9a2f22b
• 8 most recent block timestamps:
• 2019-12-06 02:37
• 2019-12-06 02:19
• 2019-12-06 02:12
• 2019-12-06 01:46
• 2019-12-06 01:44
• 2019-12-06 01:26
• 2019-12-06 01:24
• 2019-12-06 01:15
Example Hash Rate Calculation
We want:
• P (probability of finding correct hash in one try)
• B (block time)
• So we can solve H = 1/PB
Example Hash Rate Calculation
B is easier to find so we'll start with it.
Step 1: Convert 8 timestamps into seconds:
• 2019-12-06 02:37 => 1575599820
• 2019-12-06 02:19 => 1575598740
• 2019-12-06 02:12 => 1575598320
• 2019-12-06 01:46 => 1575596760
• 2019-12-06 01:44 => 1575596640
• 2019-12-06 01:26 => 1575595560
• 2019-12-06 01:24 => 1575595440
• 2019-12-06 01:15 => 1575594900
Step 2: Calculate intervals
• 1575599820 – 1575598740 = 1080
• 1575598740 – 1575598320 = 420
• 1575598320 - 1575596760 = 1560
• 1575596760 - 1575596640 = 120
• 1575596640 - 1575595560 = 1080
• 1575595560 - 1575595440 = 120
• 1575595440 - 1575594900 = 540
Step 3: Compute median: 120 120 420 540 1080 1080 1560
• => B = 540 (the median is used rather than the mean, about 703 s, because seven samples are easily skewed by the 120 s and 1,560 s intervals)
Example Hash Rate Calculation
To find P, we can average the block hashes of the last 8 blocks, then multiply by 2 to get the difficulty target. We then express that as a fraction of 2^256.
Reasoning: hashes that pass are uniformly distributed between 0 and the target, so their average is about half the target. If I keep asking you to choose numbers between 1 and 100, and write down only the numbers below 10, the average of the numbers I write down will be 5.
Example Hash Rate Calculation
Sum of the 8 block hashes:
  0x000000000000000000156ef4be0d0c90b655f9fb08fac67aa151032bfcdfa51a
  0x0000000000000000000dd8b04dcf588433bbb4838d20ea8e3682c5b5328f3934
  0x0000000000000000000ba39636a6dd75584f400da3217c5aec4d91116307243c
  0x0000000000000000000c65f787061574865988894a721900fe46dbbe85580950
  0x0000000000000000000825524292c9ad4938a85c3a0cd08965182272912d087d
  0x00000000000000000013f660755e5aa1f9daf8eaa0663a4ecddd17d75e608d05
  0x00000000000000000010f252e6a289adcdcce0577afa29d9f62082b7a416bc41
+ 0x000000000000000000050de301e9b99dcc253f51b186a3d6333ae5c5f9a2f22b
= 0x6d6d1b6a06bf99a5c038058aa31eed1eb8d878a5154fc8
÷ 0x04 (÷ 8 for the average, × 2 for the target)
= 0x1b5b46da81afe669700e0162a8c7bb47ae361e294553f2 (estimated target)
÷ 2^256
= 0.0000000000000000000000226...
=> P = 0.0000000000000000000000226 (about 2.26 × 10^-23)
Example Hash Rate Calculation
H = 1/PB
H = 1/(0.0000000000000000000000226 × 540)
H = 81836032937956668986
H = 81,836,032,937,956,668,986
H = 81.8 EH/s
Within 10% of the correct answer.
Only out by a few quintillion !
Most of the error comes from B: seven intervals are a tiny sample. Published estimates use the current target directly (expected hashes per block = 2^256 / target, which equals difficulty × 2^32) together with a block time averaged over many more blocks.
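The whole estimate above carried through in code, as an added example rather than anything from the slides or from blockchain.info. It uses exactly the eight block hashes and timestamps shown on the slides (timestamps taken as UTC, which the slide's own epoch values confirm), derives B as the median interval and P from the doubled average hash, and also shows the standard estimator that assumes the 600 s design block time, so the two can be compared.

```python
import statistics
from datetime import datetime, timezone

# Added example using the data shown on the slides (blockchain.info home page,
# 2019-12-06; timestamps are UTC, as the slide's epoch values confirm).
BLOCK_HASHES = [
    "000000000000000000156ef4be0d0c90b655f9fb08fac67aa151032bfcdfa51a",
    "0000000000000000000dd8b04dcf588433bbb4838d20ea8e3682c5b5328f3934",
    "0000000000000000000ba39636a6dd75584f400da3217c5aec4d91116307243c",
    "0000000000000000000c65f787061574865988894a721900fe46dbbe85580950",
    "0000000000000000000825524292c9ad4938a85c3a0cd08965182272912d087d",
    "00000000000000000013f660755e5aa1f9daf8eaa0663a4ecddd17d75e608d05",
    "00000000000000000010f252e6a289adcdcce0577afa29d9f62082b7a416bc41",
    "000000000000000000050de301e9b99dcc253f51b186a3d6333ae5c5f9a2f22b",
]
BLOCK_TIMES = [  # newest first, matching the hashes above
    "2019-12-06 02:37", "2019-12-06 02:19", "2019-12-06 02:12", "2019-12-06 01:46",
    "2019-12-06 01:44", "2019-12-06 01:26", "2019-12-06 01:24", "2019-12-06 01:15",
]


def to_epoch(ts):
    """'YYYY-MM-DD HH:MM' (UTC) -> seconds since 1970."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def block_intervals(times):
    secs = [to_epoch(t) for t in times]
    return [later - earlier for later, earlier in zip(secs, secs[1:])]


def estimate_block_time(times):
    """B: median of the observed intervals (robust to the 120 s / 1560 s outliers)."""
    return statistics.median(block_intervals(times))


def estimate_target(hashes):
    """Hashes that pass are uniform on [0, target], so their mean is ~target/2."""
    values = [int(h, 16) for h in hashes]
    return 2 * sum(values) // len(values)


def estimate_hash_rate(hashes, times):
    """H = 1/(P*B) with P = target / 2^256."""
    P = estimate_target(hashes) / 2 ** 256
    B = estimate_block_time(times)
    return 1 / (P * B)


def hash_rate_from_target(target, block_time=600):
    """The usual estimator: expected hashes per block = 2^256 / target,
    divided by the design block time (or a block time averaged over many blocks)."""
    return 2 ** 256 / target / block_time


if __name__ == "__main__":
    print("intervals (s):", block_intervals(BLOCK_TIMES))
    print("B (median):", estimate_block_time(BLOCK_TIMES))
    print("estimated target:", hex(estimate_target(BLOCK_HASHES)))
    print(f"H from 7 intervals: {estimate_hash_rate(BLOCK_HASHES, BLOCK_TIMES) / 1e18:.1f} EH/s")
    print(f"H with the 600 s design block time: "
          f"{hash_rate_from_target(estimate_target(BLOCK_HASHES)) / 1e18:.1f} EH/s")
```

The two printed figures differ by about 10%, and the only input that differs is B: 540 s measured from seven intervals versus the 600 s the network is tuned to. That gap is the "few quintillion" on the slide.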
Attacks
Key Guessing Attack
• If you can successfully guess somebody's private key, you can take all their bitcoin
• A private key is a 256-bit number; against the best known classical attacks on secp256k1 that gives about 128 bits of security, and an address is a 160-bit hash of the public key. Either way, brute force is hopeless
• Assuming a good RNG was used, the chance of guessing correctly is virtually zero
• Not the case if you use "brain wallets", where the private key is simply sha256(passphrase): the key space shrinks to the set of phrases a human would think of
• Don't use brain wallets!
• Famous brain wallets:
• "bitcoin": 1E984zyYbNmeuumzEdqT8VSL8QGJi3byAD
• "hello": 1HoSFymoqteYrmmr7s3jDDqmggoxacbk37
• "satoshi": 1ADJqstUMBB5zFquWg19UqZ7Zc6ePCpzLE
• Bots are running 24/7 ready to take any bitcoin sent to brain wallets
• Bots use massive tables of pre-computed brain wallet addresses (dictionary words, quotes, leaked passwords) and watch every new transaction for a match
• I lost about 500 euros to one such bot
• Best kind of wallet is a hardware wallet
• Hardware wallets are resistant to malware on your computer, including viruses and remote attackers, because the private key never leaves the device; they do not protect you if you approve a transaction without checking the destination address and amount on the device's own screen
• Hardware wallet stores private key and signs transactions on behalf of the user
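Brain-wallet derivation and the attacker's side of it, as an added example that is not code from the slides. The private key is sha256(passphrase), the public key is computed on secp256k1, and the P2PKH address is base58check(0x00 || hash160(pubkey)); the attacker precomputes addresses for a wordlist (both key encodings, since brain-wallet sites differed) and looks up observed addresses in that table. The wordlist and the "victim" address are constructed here from the wordlist itself, standing in for the multi-gigabyte tables real bots use; the three passphrases from the slide are included so the printed addresses can be compared with the ones listed above. It needs hashlib to provide RIPEMD-160 (OpenSSL-backed builds do).

```python
import hashlib

# Added example. secp256k1 domain parameters (public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def ec_add(p1, p2):
    """Point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point=G):
    """Double-and-add scalar multiplication (not constant-time; fine for the attacker side)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def pubkey_bytes(priv, compressed=False):
    if not 0 < priv < N:
        raise ValueError("private key out of range")
    x, y = ec_mul(priv)
    if compressed:
        return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def hash160(data):
    # Requires an OpenSSL-backed hashlib that still exposes RIPEMD-160.
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


def base58check(payload):
    full = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(full, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(full) - len(full.lstrip(b"\x00"))) + out


def p2pkh_address(pubkey):
    return base58check(b"\x00" + hash160(pubkey))


def brain_wallet_key(passphrase):
    """Classic brain wallet: the private key is just sha256(passphrase), so the
    effective key space is the set of phrases people actually choose."""
    return int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")


def brain_wallet_address(passphrase, compressed=False):
    return p2pkh_address(pubkey_bytes(brain_wallet_key(passphrase), compressed))


def crack(target_addresses, wordlist):
    """Attacker side: precompute both address encodings for every candidate
    passphrase once, then look up each observed address in the table."""
    table = {brain_wallet_address(w, c): w for w in wordlist for c in (False, True)}
    return {a: table[a] for a in target_addresses if a in table}


# Constructed demo data: a tiny wordlist and a "victim" who used one of its entries.
WORDLIST = ["bitcoin", "hello", "satoshi", "correct horse battery staple", "password1"]
VICTIM_ADDRESS = brain_wallet_address("satoshi")

if __name__ == "__main__":
    for w in WORDLIST[:3]:
        print(f'"{w}": {brain_wallet_address(w)}  (compressed: {brain_wallet_address(w, True)})')
    print("recovered:", crack([VICTIM_ADDRESS], WORDLIST))
```

The lookup is a dictionary hit, which is why the bots win the race against the owner: the expensive part (one EC multiplication per passphrase) was done long before the coins arrived, and a properly random 256-bit key never appears in any such table.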
51% Attack
• To perform this attack, attacker must possess over 50% of the hashing power
1. Attacker pays somebody in bitcoin for goods or services in transaction T, spending coin C to address A (recipient)
2. Attacker begins privately mining alternative blockchain which contains transaction T' instead, spending coin C to address A' (himself)
3. Once goods/services have arrived, attacker broadcasts alternative blockchain
4. Since attacker's private blockchain will have higher height, network will be forced to accept it and re-organize
5. Attacker will still have his bitcoin in alternative address, plus goods or services ("goods" are usually $$$)
• Any blockchain where one entity controls over 50% of hashing power should be considered compromised
• Small blockchains are susceptible
• Can be used for:
• Preventing certain transactions from being confirmed
• Double-spending
• Network interruption
• Cannot be used to:
• Steal coins
• Best protected against with:
51% Attack
• To perform this attack, attacker must possess over 50% of the hashing power
1. Attacker pays somebody in bitcoin for goods or services in transaction T, spending coin C to address A (recipient)
2. Attacker begins privately mining alternative blockchain which contains transaction T' instead, spending coin C to address A' (himself)
3. Once goods/services have arrived, attacker broadcasts alternative blockchain
4. Since attacker's private blockchain will have higher height, network will be forced to accept it and re-organize
5. Attacker will still have his bitcoin in alternative address, plus goods or services ("goods" are usually $$$)
• Any blockchain where one entity controls over 50% of hashing power should be considered compromised
• Small blockchains are susceptible
• Can be used for:
• Preventing certain transactions from being confirmed
• Double-spending
• Network interruption
• Cannot be used to:
• Steal coins
• Best protected against with:
• Many miners
51% Attack
• To perform this attack, attacker must possess over 50% of the hashing power
1. Attacker pays somebody in bitcoin for goods or services in transaction T, spending coin C to address A (recipient)
2. Attacker begins privately mining alternative blockchain which contains transaction T' instead, spending coin C to address A' (himself)
3. Once goods/services have arrived, attacker broadcasts alternative blockchain
4. Since attacker's private blockchain will have higher height, network will be forced to accept it and re-organize
5. Attacker will still have his bitcoin in alternative address, plus goods or services ("goods" are usually $$$)
• Any blockchain where one entity controls over 50% of hashing power should be considered compromised
• Small blockchains are susceptible
• Can be used for:
• Preventing certain transactions from being confirmed
• Double-spending
• Network interruption
• Cannot be used to:
• Steal coins
• Best protected against with:
• Many miners
• Incentivizing mining pools (where individual miners are free to choose transactions)
51% Attack
• To perform this attack, attacker must possess over 50% of the hashing power
1. Attacker pays somebody in bitcoin for goods or services in transaction T, spending coin C to address A (recipient)
2. Attacker begins privately mining alternative blockchain which contains transaction T' instead, spending coin C to address A' (himself)
3. Once goods/services have arrived, attacker broadcasts alternative blockchain
4. Since attacker's private blockchain will have higher height, network will be forced to accept it and re-organize
5. Attacker will still have his bitcoin in alternative address, plus goods or services ("goods" are usually $$$)
• Any blockchain where one entity controls over 50% of hashing power should be considered compromised
• Small blockchains are susceptible
• Can be used for:
• Preventing certain transactions from being confirmed
• Double-spending
• Network interruption
• Cannot be used to:
• Steal coins
• Best protected against with:
• Many miners
• Incentivizing mining pools (where individual miners are free to choose transactions)
• Competition
51% Attack
• To perform this attack, attacker must possess over 50% of the hashing power
1. Attacker pays somebody in bitcoin for goods or services in transaction T, spending coin C to address A (recipient)
2. Attacker begins privately mining alternative blockchain which contains transaction T' instead, spending coin C to address A' (himself)
3. Once goods/services have arrived, attacker broadcasts alternative blockchain
4. Since attacker's private blockchain will have higher height, network will be forced to accept it and re-organize
5. Attacker will still have his bitcoin in alternative address, plus goods or services ("goods" are usually $$$)
• Any blockchain where one entity controls over 50% of hashing power should be considered compromised
• Small blockchains are susceptible
• Can be used for:
• Preventing certain transactions from being confirmed
• Double-spending
• Network interruption
• Cannot be used to:
• Steal coins
• Best protected against with:
• Many miners
• Incentivizing mining pools (where individual miners are free to choose transactions)
• Competition
• Real-life examples:
51% Attack
• To perform this attack, attacker must possess over 50% of the hashing power
1. Attacker pays somebody in bitcoin for goods or services in transaction T, spending coin C to address A (recipient)
2. Attacker begins privately mining alternative blockchain which contains transaction T' instead, spending coin C to address A' (himself)
3. Once goods/services have arrived, attacker broadcasts alternative blockchain
4. Since attacker's private blockchain will have higher height, network will be forced to accept it and re-organize
5. Attacker will still have his bitcoin in alternative address, plus goods or services ("goods" are usually $$$)
• Any blockchain where one entity controls over 50% of hashing power should be considered compromised
• Small blockchains are susceptible
• Can be used for:
• Preventing certain transactions from being confirmed
• Double-spending
• Network interruption
• Cannot be used to:
• Steal coins
• Best protected against with:
• Many miners
• Incentivizing mining pools (where individual miners are free to choose transactions)
• Competition
• Real-life examples:
• May 2018: Bitcoin Gold was 51% attacked - $18,000,000 stolen
51% Attack
• To perform this attack, attacker must possess over 50% of the hashing power
1. Attacker pays somebody in bitcoin for goods or services in transaction T, spending coin C to address A (recipient)
2. Attacker begins privately mining alternative blockchain which contains transaction T' instead, spending coin C to address A' (himself)
3. Once goods/services have arrived, attacker broadcasts alternative blockchain
4. Since attacker's private blockchain will have higher height, network will be forced to accept it and re-organize
5. Attacker will still have his bitcoin in alternative address, plus goods or services ("goods" are usually $$$)
• Any blockchain where one entity controls over 50% of hashing power should be considered compromised
• Small blockchains are susceptible
• Can be used for:
• Preventing certain transactions from being confirmed
• Double-spending
• Network interruption
• Cannot be used to:
• Steal coins
• Best protected against with:
• Many miners
• Incentivizing mining pools (where individual miners are free to choose transactions)
• Competition
• Real-life examples:
• May 2018: Bitcoin Gold was 51% attacked - $18,000,000 stolen
• December 2018: Vertcoin was 51% attacked - $100,000 stolen
51% Attack
• To perform this attack, attacker must possess over 50% of the hashing power
1. Attacker pays somebody in bitcoin for goods or services in transaction T, spending coin C to address A (recipient)
2. Attacker begins privately mining alternative blockchain which contains transaction T' instead, spending coin C to address A' (himself)
3. Once goods/services have arrived, attacker broadcasts alternative blockchain
4. Since attacker's private blockchain will have higher height, network will be forced to accept it and re-organize
5. Attacker will still have his bitcoin in alternative address, plus goods or services ("goods" are usually $$$)
• Any blockchain where one entity controls over 50% of hashing power should be considered compromised
• Small blockchains are susceptible
• Can be used for:
• Preventing certain transactions from being confirmed
• Double-spending
• Network interruption
• Cannot be used to:
• Steal coins
• Best protected against with:
• Many miners
• Incentivizing mining pools (where individual miners are free to choose transactions)
• Competition
• Real-life examples:
• May 2018: Bitcoin Gold was 51% attacked - $18,000,000 stolen
• December 2018: Vertcoin was 51% attacked - $100,000 stolen
• Unlikely to happen to Bitcoin because:
51% Attack
• To perform this attack, attacker must possess over 50% of the hashing power
1. Attacker pays somebody in bitcoin for goods or services in transaction T, spending coin C to address A (recipient)
2. Attacker begins privately mining alternative blockchain which contains transaction T' instead, spending coin C to address A' (himself)
3. Once goods/services have arrived, attacker broadcasts alternative blockchain
4. Since attacker's private blockchain will have higher height, network will be forced to accept it and re-organize
5. Attacker will still have his bitcoin in alternative address, plus goods or services ("goods" are usually $$$)
• Any blockchain where one entity controls over 50% of hashing power should be considered compromised
• Small blockchains are susceptible
• Can be used for:
• Preventing certain transactions from being confirmed
• Double-spending
• Network interruption
• Cannot be used to:
• Steal coins
• Best protected against with:
• Many miners
• Incentivizing mining pools (where individual miners are free to choose transactions)
• Competition
• Real-life examples:
• May 2018: Bitcoin Gold was 51% attacked - $18,000,000 stolen
• December 2018: Vertcoin was 51% attacked - $100,000 stolen
• Unlikely to happen to Bitcoin because:
• Hash-power is massive and well-diversified
51% Attack
• To perform this attack, attacker must possess over 50% of the hashing power
1. Attacker pays somebody in bitcoin for goods or services in transaction T, spending coin C to address A (recipient)
2. Attacker begins privately mining alternative blockchain which contains transaction T' instead, spending coin C to address A' (himself)
3. Once goods/services have arrived, attacker broadcasts alternative blockchain
4. Since attacker's private blockchain will have higher height, network will be forced to accept it and re-organize
5. Attacker will still have his bitcoin in alternative address, plus goods or services ("goods" are usually $$$)
• Any blockchain where one entity controls over 50% of hashing power should be considered compromised
• Small blockchains are susceptible
• Can be used for:
• Preventing certain transactions from being confirmed
• Double-spending
• Network interruption
• Cannot be used to:
• Steal coins
• Best protected against with:
• Many miners
• Incentivizing mining pools (where individual miners are free to choose transactions)
• Competition
• Real-life examples:
• May 2018: Bitcoin Gold was 51% attacked - $18,000,000 stolen
• December 2018: Vertcoin was 51% attacked - $100,000 stolen
• Unlikely to happen to Bitcoin because:
• Hash-power is massive and well-diversified
• Hash-power distribution is well known
51% Attack
• To perform this attack, attacker must possess over 50% of the hashing power
1. Attacker pays somebody in bitcoin for goods or services in transaction T, spending coin C to address A (recipient)
2. Attacker begins privately mining alternative blockchain which contains transaction T' instead, spending coin C to address A' (himself)
3. Once goods/services have arrived, attacker broadcasts alternative blockchain
4. Since attacker's private blockchain will have higher height, network will be forced to accept it and re-organize
5. Attacker will still have his bitcoin in alternative address, plus goods or services ("goods" are usually $$$)
• Any blockchain where one entity controls over 50% of the hashing power should be considered compromised
• Small blockchains are susceptible
• Can be used for:
  • Preventing certain transactions from being confirmed
  • Double-spending
  • Network interruption
• Cannot be used to:
  • Steal coins
• Best protected against with:
  • Many miners
  • Incentivizing mining pools (where individual miners are free to choose transactions)
  • Competition
• Real-life examples:
  • May 2018: Bitcoin Gold was 51% attacked - $18,000,000 stolen
  • December 2018: Vertcoin was 51% attacked - $100,000 stolen
• Unlikely to happen to Bitcoin because:
  • Hash-power is massive and well-diversified
  • Hash-power distribution is well known
  • Miners want Bitcoin to succeed and the price to go up; a 51% attack would cause a price crash
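As an added worked example (not from the slides), the merchant-side calculation behind "should be considered compromised" and the usual advice to wait for several confirmations: it implements the attacker-catch-up model from section 11 of the Bitcoin whitepaper, in which an attacker holding fraction q of the hash power races an honest chain that is z blocks ahead. The function names and the sample hash-power fractions are mine; the model assumes honest and attacker blocks arrive at constant average rates.

```python
import math
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker controlling fraction q of the total hash
    power ever catches up with the honest chain once that chain is z blocks
    ahead (the model in section 11 of the Bitcoin whitepaper).

    q >= 0.5 is the 51% case: the attacker's chain grows faster on average,
    so the gap is closed with probability 1 however long the merchant waits.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be the attacker's fraction of hash power, in [0, 1]")
    if z < 0:
        raise ValueError("z (confirmations) must be non-negative")
    p = 1.0 - q
    if q >= p:
        return 1.0
    # Expected number of blocks the attacker mines while the honest network
    # mines z blocks; the attacker's progress is modelled as Poisson(lam).
    lam = z * q / p
    caught_up = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        # Having mined k blocks, the attacker is z - k behind; the chance of
        # ever closing a deficit of d blocks is (q/p)^d.
        caught_up += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - caught_up


def confirmations_needed(q: float, max_risk: float, limit: int = 1000) -> Optional[int]:
    """Smallest confirmation depth z whose double-spend risk is <= max_risk.

    Returns None when q >= 0.5 (no depth is safe) or when the search limit is
    reached, so a caller never mistakes "not found" for "zero confirmations".
    """
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) <= max_risk:
            return z
    return None


if __name__ == "__main__":
    # Illustrative hash-power fractions (constructed, not measured values).
    for q in (0.10, 0.30, 0.45, 0.51):
        needed = confirmations_needed(q, max_risk=0.001)
        verdict = f"{needed} confirmations" if needed is not None else "no depth is safe"
        print(f"attacker share {q:.0%}: risk <= 0.1% after {verdict}")
```

The table this prints is the practical reading of the slide: a 10% attacker is held below 0.1% risk after 5 confirmations, a 30% attacker needs 24, and once q reaches 50% the function returns None because waiting longer no longer helps, which is why a chain with a single majority miner is treated as compromised rather than merely risky.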
Quantum Computing Threats ?
• Bitcoin uses 256-bit EC cryptography
• To break a n-bit EC key a QC with 9n + 2 log2(n) + 10 qubits are needed (arXiv:1706.06752v3)
• These need to be stable qubits
• To "break bitcoin", this means 2,000 stable qubits are required
• It's very difficult to build QCs with stable qubits, this is due to decoherence when entangled qubits interact with their environment
• It's much easier to go from 1 to 2 qubits than to go from 100 to 101 qubits
• Adding qubit n introduces n – 1 new interactions to the system
• Breaking bitcoin requires a QC that can run Shor's algorithm
• Most QCs can't run Shor's Algorithm except with a tiny number of qubits (like 5)
• Largest number ever factored on a real QC using Shor's is 21 (5 bits, 2012).
• Largest number ever factored on a real QC is 4,088,459 (22 bits) using IBM's 5-qubit processor (Grover's algorithm)
• How could a 22-bit number be factored on a 5-bit QC?
• Answer: 2088459 = 2017 × 2027
• 2017 and 2027 differ by 2 bits; only 2 qubits of the 5 were used.
• Numbers were cherry-picked.
• More promising results with quantum annealing:
• 376,289 = 571 × 659 was factored on D-wave 2000Q quantum annealer by Shuxian Jiang, Keith A. Britt, Travis S. Humble, and Sabre Kais (2018)
• Not cherry-picked, but these are still tiny numbers
• Does not use Shor's algorithm, but variant of Grover's algorithm. Doubtful if the method used can scale to large numbers
• If QC does break Bitcoin tomorrow, it will break everything else too. Banks, Governments, Hospitals, Airlines, Military, Big Tech...
• Such a QC would be the greatest weapon imaginable in information warfare
• No palpable sense of urgency from these entities to upgrade to post-quantum cryptography
• As things stand – a tiny computer such as an Apple watch is far better at breaking crypto and prime factorization than today's multi-million dollar QCs
Quantum Computing Threats ?
• Bitcoin uses 256-bit EC cryptography (ECDSA over the secp256k1 curve)
• To break an n-bit EC key, a QC with 9n + 2 log2(n) + 10 logical qubits is needed (arXiv:1706.06752v3)
• These need to be stable qubits; the logical qubits in that estimate each cost many physical qubits once error correction is included
• To "break bitcoin" (n = 256), this means roughly 2,330 stable qubits are required (9 × 256 + 2 × 8 + 10)
• It's very difficult to build QCs with stable qubits, due to decoherence when entangled qubits interact with their environment
• It's much easier to go from 1 to 2 qubits than to go from 100 to 101 qubits
• Adding qubit n introduces n – 1 new interactions to the system
• Breaking bitcoin requires a QC that can run Shor's algorithm
• Most QCs can't run Shor's algorithm except with a tiny number of qubits (like 5)
• Largest number ever factored on a real QC using Shor's is 21 (5 bits, 2012)
• Largest number ever factored on a real QC is 4,088,459 (22 bits) using IBM's 5-qubit processor (Grover's algorithm)
• How could a 22-bit number be factored on a 5-qubit QC?
• Answer: 4,088,459 = 2017 × 2027
• 2017 and 2027 differ in only 2 bits (0b11111100001 vs 0b11111101011); only 2 qubits of the 5 were used
• The numbers were cherry-picked
• More promising results with quantum annealing:
• 376,289 = 571 × 659 was factored on a D-Wave 2000Q quantum annealer by Shuxian Jiang, Keith A. Britt, Travis S. Humble and Sabre Kais (2018)
• Not cherry-picked, but these are still tiny numbers
• Does not use Shor's algorithm: factoring is rewritten as an optimisation problem that the annealer minimises. Doubtful whether the method can scale to large numbers
• If a QC does break Bitcoin tomorrow, it will break everything else too: banks, governments, hospitals, airlines, military, big tech...
• Such a QC would be the greatest weapon imaginable in information warfare
• No palpable sense of urgency from these entities to upgrade to post-quantum cryptography
• As things stand, a tiny computer such as an Apple Watch is far better at breaking crypto and prime factorisation than today's multi-million dollar QCs
• Note also that a P2PKH output only exposes HASH160(pubkey) until it is spent; the public key that Shor's algorithm would attack appears on-chain in the spending scriptSig, so coins on reused addresses would be the exposed ones
• Basically there's nothing to worry about.
The End
Questions?

Bitcoin fundamentals

Bitcoin Fundamentals
N. P. O'DONNELL, MAYNOOTH UNIVERSITY

Topics Covered
•Blockchain
•Blocks
•Keys & Addresses
•Scripting
•Transactions
•Proof-Of-Work & Mining
•Attacks
•Quantum Computing Threats ?

Blockchain
What Is A Blockchain?
Several Definitions:
•Over-used buzzword that many people don't understand
•A very slow database
•A database that can't be tampered with
•An append-only database
•A cryptographically verified database
•A chain of blocks
•An immutable, append-only, hashed, cryptographically verified, singly-linked chain of blocks
What about Bitcoin's blockchain?
Since "blockchain" is an overloaded term, let's examine Bitcoin's blockchain alone, since it certainly fits the description.
•World's first blockchain (and always will be)
•World's most secure blockchain, i.e. highest hash rate
•World's most famous blockchain
•Not the biggest blockchain (Ethereum is far bigger)
•Each block contains a block header plus N transactions, where N ≥ 1 (every block carries at least its own coinbase transaction)
•Each block is limited to 1MB*
•New block generated every 10 minutes**
* Technically not true anymore: since SegWit the consensus limit is 4,000,000 weight units, which allows blocks somewhat larger than 1MB, but block size still has a small, hard limit
** On average

[Diagram] Block 0 → Block 1 → Block 2 → Block 3. Each header carries HashPrevBlock (the hash of the previous block's header) and HashMerkleRoot. Block 0 (the genesis block) has no previous block; its coinbase embeds the headline "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks".
Blocks

Structure Of A Bitcoin Block
Each Bitcoin block consists of:
• Magic Number – Used to identify the block as a bitcoin block. No cryptographic significance (part of the on-disk / network framing, not the header)
• Block Size (also framing, not part of the header)
• Block header
• Transaction counter
• The transactions themselves
Each Bitcoin block contains a block header. This is what is hashed and gives rise to the blockchain. The transactions themselves are not hashed directly, only the merkle root of the transactions is. So technically it's a block-header chain. Each block header contains:
• Version
• HashPrevBlock – Hash of the previous block's header
• HashMerkleRoot – Merkle root of the transactions in this block. Just think of it as a hash of all the transactions treated as one blob of data (in reality each transaction is hashed on its own and the hashes are paired up level by level until one remains)
• Time
• Bits – Current difficulty target (more on this later)
• Nonce – Related to mining (more on this later)
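The header chain described above, as an added example written for this page (it is not code from the slides or from Bitcoin Core): it packs the six header fields into the 80 bytes that actually get hashed, recomputes the genesis block's hash from that block's real field values, builds the merkle root the way Bitcoin does (txids paired level by level, the last one duplicated on an odd level), and checks the HashPrevBlock link between two headers. The child header and the tampered genesis header in the demo are constructed for illustration, not real blocks.

```python
import hashlib
import struct


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash function: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize_header(version, prev_hash_hex, merkle_root_hex, time, bits, nonce) -> bytes:
    """Pack the six header fields into the 80 bytes that are hashed.
    Integers are little-endian; the two hashes are stored byte-reversed
    relative to the hex strings block explorers display."""
    return struct.pack(
        "<I32s32sIII",
        version,
        bytes.fromhex(prev_hash_hex)[::-1],
        bytes.fromhex(merkle_root_hex)[::-1],
        time, bits, nonce,
    )


def parse_header(header: bytes) -> dict:
    """Inverse of serialize_header, returning explorer-style (byte-reversed) hex."""
    version, prev, root, time, bits, nonce = struct.unpack("<I32s32sIII", header)
    return {"version": version, "prev_hash": prev[::-1].hex(),
            "merkle_root": root[::-1].hex(), "time": time, "bits": bits, "nonce": nonce}


def block_hash(header: bytes) -> str:
    """Block ID = double SHA-256 of the 80-byte header, displayed byte-reversed."""
    if len(header) != 80:
        raise ValueError("a block header is exactly 80 bytes")
    return dsha256(header)[::-1].hex()


def merkle_root(txids_hex: list) -> str:
    """Merkle root as Bitcoin computes it: hash concatenated pairs of txids
    (internal byte order) level by level, duplicating the last hash when a
    level has an odd number of entries."""
    if not txids_hex:
        raise ValueError("a block always has at least the coinbase transaction")
    level = [bytes.fromhex(t)[::-1] for t in txids_hex]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0][::-1].hex()


def links_to(child_header: bytes, parent_header: bytes) -> bool:
    """The chain property: the child's HashPrevBlock equals the parent's header hash."""
    return parse_header(child_header)["prev_hash"] == block_hash(parent_header)


# Real data: the genesis block (height 0). Its only transaction is the coinbase,
# so the merkle root is simply that transaction's txid.
GENESIS_COINBASE_TXID = "4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b"
GENESIS_HEADER = serialize_header(
    version=1,
    prev_hash_hex="00" * 32,                    # no previous block
    merkle_root_hex=merkle_root([GENESIS_COINBASE_TXID]),
    time=1231006505,                            # 2009-01-03 18:15:05 UTC
    bits=0x1D00FFFF,
    nonce=2083236893,
)
GENESIS_HASH = "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f"

if __name__ == "__main__":
    print("genesis header:", GENESIS_HEADER.hex())
    print("genesis hash:  ", block_hash(GENESIS_HEADER))
    # Constructed (not real) child header whose prev field is the genesis hash
    child = serialize_header(1, GENESIS_HASH, "11" * 32, 1231006506, 0x1D00FFFF, 0)
    print("child links to genesis:", links_to(child, GENESIS_HEADER))
    # Change one field of the genesis header: its hash changes, so the link breaks
    tampered = serialize_header(1, "00" * 32, GENESIS_COINBASE_TXID, 1231006505, 0x1D00FFFF, 2083236894)
    print("child links to tampered genesis:", links_to(child, tampered))
```

The demo makes the "singly-linked" claim concrete: editing anything in a header (here the nonce) changes its hash, and every later header that named the old hash now points at nothing, which is why rewriting history means redoing the proof-of-work for every block after the edit.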
Keys & Addresses

P2PKH bitcoin address

What is a Bitcoin address? Is it just a random string of characters?
Answer: No
Each address is derived from a public key.
Each public key is derived from a private key.
Private Key → Public Key → Address (each step is one-way)

Private Key: 0x69bc69641bd3111e47d55c40b8f1e912577c78edabb1c8ca5d2907bff7a93097
The private key is just a random integer in the range [1, n − 1], where n is the order of the secp256k1 generator point: n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 (just under 2^256). The bound given on the original slide, 2^256 − 2^32 − 2^9 − 2^8 − 2^7 − 2^6 − 2^4 − 1, is the secp256k1 field prime p, not the group order n; the two differ, 0 is not a valid key, and a key ≥ n is rejected.
Generator point (compressed): 0x0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798
To get the unique public key for this private key, we add the generator point to itself private-key times (scalar multiplication on the curve, done with double-and-add rather than literally one addition per step). The leading 02/03 byte of a compressed key records the parity of the y coordinate, so only x needs to be stored.
Public key (compressed): 0x0380864b7759a43923d2d0c99b142843fc306199a94995e55cb204d9a91fa09feb
PubkeyHash = RIPEMD160(SHA256(Public Key)) = 0xd8e5899f2589b7fa9df2513bf2366d2031f2d478 (SHA-256 first, then RIPEMD-160; this is what OP_HASH160 computes, and the order on the original slide was reversed)
VersionByte (0x00) | PubkeyHash = 0x00d8e5899f2589b7fa9df2513bf2366d2031f2d478
Checksum = SHA256(SHA256(VersionByte | PubkeyHash))[:4] = 0x08c131a4
VersionByte | PubkeyHash | Checksum = 0x00d8e5899f2589b7fa9df2513bf2366d2031f2d47808c131a4
Base58Encode(0x00d8e5899f2589b7fa9df2513bf2366d2031f2d47808c131a4) = 1LmqvzD5KgNs1a8tcibuiNNM1MfZxLr5pw
The whole procedure from version byte to string is "Base58Check" encoding: the version byte 0x00 is why mainnet P2PKH addresses start with "1", and the 4-byte checksum is what lets a wallet reject a mistyped address before any funds are sent.
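The private key → public key → address walk-through above, as an added example written for this page (not the slide author's code and not a Bitcoin library): scalar multiplication on secp256k1 in plain Python, compressed public-key encoding, HASH160, and Base58Check together with the decoder that rejects a mistyped address. It assumes the OpenSSL behind `hashlib` provides RIPEMD-160 (true of current builds). The function names are this example's own. Running it prints the public key, HASH160 and address for the slide's private key, so the values above can be checked; the value asserted in the code is the well-known address for private key 1.

```python
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F   # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # q == -p
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k: int, point):
    """Double-and-add: 'add the point to itself k times' in O(log k) group operations."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def public_key(private_key: int) -> bytes:
    """Compressed SEC1 encoding: 0x02 (y even) or 0x03 (y odd) followed by 32-byte x."""
    if not 1 <= private_key < N:
        raise ValueError("private key must be in [1, N-1]")
    x, y = ec_mul(private_key, G)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def hash160(data: bytes) -> bytes:
    """OP_HASH160: RIPEMD-160 of the SHA-256 of the input (note the order)."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_encode(payload: bytes) -> str:
    data = payload + dsha256(payload)[:4]             # append the 4-byte checksum
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out                  # each leading 0x00 byte becomes '1'


def base58check_decode(s: str) -> bytes:
    """Inverse of base58check_encode; raises ValueError on a bad character or checksum."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)
    data = n.to_bytes((n.bit_length() + 7) // 8, "big")
    data = b"\x00" * (len(s) - len(s.lstrip("1"))) + data
    payload, checksum = data[:-4], data[-4:]
    if dsha256(payload)[:4] != checksum:
        raise ValueError("bad checksum: address was mistyped or corrupted")
    return payload


def p2pkh_address(pubkey: bytes, version: bytes = b"\x00") -> str:
    """Mainnet P2PKH address: Base58Check(0x00 | HASH160(pubkey))."""
    return base58check_encode(version + hash160(pubkey))


if __name__ == "__main__":
    d = 0x69bc69641bd3111e47d55c40b8f1e912577c78edabb1c8ca5d2907bff7a93097   # key from the slide
    pk = public_key(d)
    print("public key:", pk.hex())
    print("hash160:   ", hash160(pk).hex())
    print("address:   ", p2pkh_address(pk))
    assert p2pkh_address(public_key(1)) == "1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH"
```

`base58check_decode` is the check a wallet runs on user input: flipping a single character of an address changes the checksum with probability 1 − 2⁻³², so a typo is caught before a transaction is built rather than sending coins to a hash nobody holds a key for.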
Scripting

Script
• Bitcoin comes with its own scripting language called "Script"
• Script is used to lock and unlock funds
• All bitcoin transactions must use Script. There is no other way to lock/unlock funds
• Script is not Turing-complete: it has no loops, so every script runs in bounded time and a validating node can't be stalled by a script that never ends
• Script is a stack-based language which runs in (what some people call) a VM
• The VM is basically a giant switch statement (EvalScript in src/script/interpreter.cpp)
• The giant switch statement is about 800 lines of C++
• Consensus-critical code !!!

Script Interpreter
Script: OP_3 OP_5 OP_ADD OP_8 OP_EQUAL
Stack after each step (top of stack on the left):
OP_3      → 3
OP_5      → 5 3
OP_ADD    → 8
OP_8      → 8 8
OP_EQUAL  → TRUE
Transactions

Each transaction contains 1 or more inputs and 1 or more outputs.
• Each input contains a reference to exactly one output in a previous transaction.
• This is known as an "outpoint" (the previous txid plus the output index).
• Each input also contains a script (the scriptSig).
• Each output contains a value in satoshis (1 satoshi = 10^-8 BTC).
• Each output also contains a script (the scriptPubKey).

• In a transaction, the scriptSig from a TxIn (input) is concatenated with the scriptPubKey from the TxOut (output) it spends to form a full script. (Bitcoin Core actually runs the scriptSig first and then the scriptPubKey on the stack it left behind; for the push-only scriptSigs used in practice the effect is the same.)
• This script is run by the script interpreter and if there's a TRUE at the top of the stack after the script is run, the input is valid and the funds can be unlocked and transferred to somebody else.
• If there's anything other than a TRUE at the top of the stack, or the script aborts part-way, the transaction is deemed a failure and the funds remain locked.
• A transaction containing a scriptSig which fails to unlock funds will not be relayed by nodes, and even some wallets may not broadcast it. This is an important spam-prevention mechanism which ensures that only transactions which spend bitcoin in the form of fees use network resources.

Script Interpreter: P2PKH
ScriptSig (part of the input):      <SIG> <PUBKEY>
ScriptPubKey (part of the output):  OP_DUP OP_HASH160 <PUBKEYHASH> OP_EQUALVERIFY OP_CHECKSIG
Stack after each step (top of stack on the left):
<SIG>           → <SIG>
<PUBKEY>        → <PUBKEY> <SIG>
OP_DUP          → <PUBKEY> <PUBKEY> <SIG>
OP_HASH160      → <PUBKEYHASH> <PUBKEY> <SIG>
<PUBKEYHASH>    → <PUBKEYHASH> <PUBKEYHASH> <PUBKEY> <SIG>
OP_EQUALVERIFY  → <PUBKEY> <SIG>        (aborts the script at once if the two hashes differ)
OP_CHECKSIG     → TRUE                  (the signature verifies over the spending transaction with <PUBKEY>)
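An added stack-machine implementation of both traces above (the arithmetic script and the P2PKH spend), written for this page; it is not Bitcoin Core's EvalScript and the opcode and function names are this example's own. As in Bitcoin Core, where EvalScript hands OP_CHECKSIG to a BaseSignatureChecker, the interpreter takes the signature check as a parameter rather than knowing about curves. To stay stdlib-only, the demo plugs in a hash-based Lamport one-time signature instead of ECDSA over secp256k1; that swap is the only place the example departs from Bitcoin, and the interpreter itself does not see the difference. The "transaction digest" being signed is a constructed stand-in for the real sighash.

```python
import hashlib
import secrets

OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_ADD, OP_CHECKSIG = (
    "OP_DUP", "OP_HASH160", "OP_EQUAL", "OP_EQUALVERIFY", "OP_ADD", "OP_CHECKSIG")


class ScriptError(Exception):
    """Script aborted: stack underflow, failed VERIFY, or unknown opcode."""


def encode_num(n: int) -> bytes:
    """Script numbers: little-endian magnitude, sign in the top bit of the last byte, 0 is empty."""
    if n == 0:
        return b""
    out, mag = bytearray(), abs(n)
    while mag:
        out.append(mag & 0xFF)
        mag >>= 8
    if out[-1] & 0x80:
        out.append(0x80 if n < 0 else 0x00)
    elif n < 0:
        out[-1] |= 0x80
    return bytes(out)


def decode_num(b: bytes) -> int:
    if not b:
        return 0
    mag = int.from_bytes(b[:-1] + bytes([b[-1] & 0x7F]), "little")
    return -mag if b[-1] & 0x80 else mag


def hash160(data: bytes) -> bytes:
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


def eval_script(script, stack, checksig):
    """Run `script` on `stack` (top of stack = end of list). A str item is an opcode,
    bytes is a data push, an int is OP_0..OP_16. Signature checking is delegated to
    checksig(sig, pubkey) -> bool, the way Bitcoin Core delegates to a checker object."""
    def pop():
        if not stack:
            raise ScriptError("stack underflow")
        return stack.pop()
    for item in script:
        if isinstance(item, bytes):
            stack.append(item)
        elif isinstance(item, int):
            stack.append(encode_num(item))
        elif item == OP_DUP:
            top = pop()
            stack += [top, top]
        elif item == OP_HASH160:
            stack.append(hash160(pop()))
        elif item == OP_ADD:
            stack.append(encode_num(decode_num(pop()) + decode_num(pop())))
        elif item in (OP_EQUAL, OP_EQUALVERIFY):
            equal = pop() == pop()
            if item == OP_EQUAL:
                stack.append(encode_num(int(equal)))
            elif not equal:
                raise ScriptError("OP_EQUALVERIFY failed")   # abort, not just 'false'
        elif item == OP_CHECKSIG:
            pubkey, sig = pop(), pop()
            stack.append(encode_num(int(checksig(sig, pubkey))))
        else:
            raise ScriptError(f"unknown opcode {item!r}")
    return stack


def verify_script(script_sig, script_pubkey, checksig=None) -> bool:
    """Spend check: run the scriptSig, then the scriptPubKey on the stack it left
    (what Bitcoin Core does instead of literal concatenation). Succeeds only if
    nothing aborted and the top of the stack is true."""
    try:
        stack = eval_script(script_sig, [], checksig)
        eval_script(script_pubkey, stack, checksig)
    except ScriptError:
        return False
    return bool(stack) and decode_num(stack[-1]) != 0


# Stand-in signature scheme so OP_CHECKSIG can be exercised without secp256k1 code:
# a Lamport one-time signature over a 256-bit digest. Real Bitcoin uses ECDSA here.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = b"".join(hashlib.sha256(half).digest() for pair in sk for half in pair)
    return sk, pk


def lamport_sign(sk, digest: bytes) -> bytes:
    bits = int.from_bytes(digest, "big")
    return b"".join(sk[i][(bits >> (255 - i)) & 1] for i in range(256))


def lamport_verify(sig: bytes, pk: bytes, digest: bytes) -> bool:
    if len(sig) != 256 * 32 or len(pk) != 512 * 32:
        return False
    bits = int.from_bytes(digest, "big")
    for i in range(256):
        b = (bits >> (255 - i)) & 1
        if hashlib.sha256(sig[32 * i:32 * i + 32]).digest() != pk[32 * (2 * i + b):32 * (2 * i + b + 1)]:
            return False
    return True


def p2pkh_spend(pk: bytes, sig: bytes, digest: bytes) -> bool:
    """Lock: OP_DUP OP_HASH160 <hash160(pk)> OP_EQUALVERIFY OP_CHECKSIG. Unlock: <sig> <pk>."""
    script_pubkey = [OP_DUP, OP_HASH160, hash160(pk), OP_EQUALVERIFY, OP_CHECKSIG]
    return verify_script([sig, pk], script_pubkey, lambda s, p: lamport_verify(s, p, digest))


if __name__ == "__main__":
    print(verify_script([3, 5, OP_ADD], [8, OP_EQUAL]))        # True: 3 + 5 == 8
    sk, pk = lamport_keygen()
    digest = hashlib.sha256(b"constructed stand-in for the transaction sighash").digest()
    print(p2pkh_spend(pk, lamport_sign(sk, digest), digest))  # True
    print(p2pkh_spend(lamport_keygen()[1], lamport_sign(sk, digest), digest))  # False: hash mismatch
```

The three failure modes worth running are the ones a node actually sees: a pubkey whose HASH160 does not match makes OP_EQUALVERIFY abort before any signature is looked at; a matching pubkey with a bogus signature leaves a false on top of the stack; and a valid signature over a different transaction digest fails too, which is what stops a scriptSig being replayed against another spend.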
  • 113.
    Proof-of-Work & Mining BITCOINFUNDAMENTALS N. P. O'DONNELL, MAYNOOTH UNIVERSITY
  • 114.
  • 115-127.
    Proof-Of-Work & Mining
    • Every bitcoin block has a 256-bit block ID (also called a block hash)
    • Ex. Block hash: 00000000000000000005b5a0046b4e542a11f790b3fca15964bc58ad7b4386a4
    • Technically it's a block header hash
    • To get different block hashes, a miner changes the nonce field in the block header
    • Only block hashes below a threshold are accepted - this threshold is known as the difficulty
    • This process continues until a hash below the threshold is found
    • First miner to find this hash gets 12.5 BTC (EUR 82,818.68) - this is known as the block reward
    • This happens every 10 minutes
    • Each day ~ EUR 5,962,800.95 of new BTC is mined
    • Difficulty adjusted every 2,016 blocks
    • Block reward halved every 210,000 blocks
    • Bitcoin mining uses the SHA-256 hash algorithm
    • All bitcoin Block IDs can be calculated with sha256(sha256(BlockHeader))
    • Mining can be done on any kind of hardware but is best done on specialized hardware
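The nonce search the bullets describe, as an added example in Python (not code from the slides): a header is hashed with sha256(sha256(...)), the nonce is incremented until the hash, read as a little-endian integer, is at or below the target, and the compact "bits" field is expanded the way nodes do. The header field values and the easy EASY_BITS difficulty are constructed so the search finishes in well under a second; mainnet's target is many orders of magnitude lower.

```python
import hashlib
import struct

# Constructed header fields (not a real Bitcoin block). The real 80-byte
# header is version(4) | prev_block(32) | merkle_root(32) | time(4) | bits(4)
# | nonce(4); integers are little-endian and the two hashes are stored
# byte-reversed relative to their usual display form.
VERSION = 1
PREV_BLOCK = bytes(32)                                   # placeholder: all zeros
MERKLE_ROOT = hashlib.sha256(b"constructed merkle root").digest()
TIMESTAMP = 1575599820                                   # the 02:37 timestamp from the slides
EASY_BITS = 0x1F00FFFF                                   # constructed, far easier than mainnet


def sha256d(data: bytes) -> bytes:
    """Bitcoin's hash: sha256(sha256(data))."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def bits_to_target(bits: int) -> int:
    """Expand the 4-byte compact 'bits' field into the 256-bit target.

    The top byte is a size in bytes, the lower three bytes the mantissa:
    target = mantissa * 256**(size - 3). Mainnet genesis used 0x1D00FFFF.
    """
    size = bits >> 24
    mantissa = bits & 0x007FFFFF
    return mantissa << (8 * (size - 3)) if size >= 3 else mantissa >> (8 * (3 - size))


def serialize_header(nonce: int, bits: int = EASY_BITS) -> bytes:
    """Pack the constructed header with the given nonce into wire format."""
    return (struct.pack("<I", VERSION) + PREV_BLOCK[::-1] + MERKLE_ROOT[::-1]
            + struct.pack("<III", TIMESTAMP, bits, nonce))


def block_hash_int(header: bytes) -> int:
    """Interpret sha256d(header) as a little-endian integer, as nodes do."""
    return int.from_bytes(sha256d(header), "little")


def block_id(header: bytes) -> str:
    """Display form of the block hash (byte-reversed), as seen on explorers."""
    return sha256d(header)[::-1].hex()


def meets_target(header: bytes, target: int) -> bool:
    """Proof-of-work rule: the header hash must not exceed the target."""
    return block_hash_int(header) <= target


def expected_tries(target: int) -> int:
    """Mean number of hashes needed: one success per 2**256 / target tries."""
    return 2**256 // target


def mine(bits: int = EASY_BITS, start_nonce: int = 0):
    """Scan the 32-bit nonce field until the header hash meets the target.

    Returns (nonce, block_id, tries). Raises if the nonce space runs out,
    which real miners handle by changing the timestamp or coinbase instead.
    """
    target = bits_to_target(bits)
    for nonce in range(start_nonce, 2**32):
        header = serialize_header(nonce, bits)
        if meets_target(header, target):
            return nonce, block_id(header), nonce - start_nonce + 1
    raise RuntimeError("nonce space exhausted; change the header and retry")


if __name__ == "__main__":
    nonce, bid, tries = mine()
    print(f"nonce={nonce} tries={tries} expected~{expected_tries(bits_to_target(EASY_BITS))}")
    print("block id:", bid)
```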
  • 129.
  • 130.
    Mining Hardware Comparison 5.2MH/sCore i7 3930k ($220)
  • 131.
    Mining Hardware Comparison 749.23MH/s 5.2 MH/sCore i7 3930k ($220) Tesla S2070 ($18,995)
  • 132.
    Mining Hardware Comparison 749.23MH/s 5.2 MH/s 16 TH/s Core i7 3930k ($220) Tesla S2070 ($18,995) Antminer S9 (about $300)
  • 133.
    Mining Hardware Comparison 749.23MH/s 5.2 MH/s 16 TH/s Core i7 3930k ($220) Tesla S2070 ($18,995) Antminer S9 (about $300) Tesla is 144 X faster than i7
  • 134.
    Mining Hardware Comparison 749.23MH/s 5.2 MH/s 16 TH/s Core i7 3930k ($220) Tesla S2070 ($18,995) Antminer S9 (about $300) Tesla is 144 X faster than i7 S9 is 21,355 X faster than Tesla
  • 135.
  • 136.
    Bitcoin Mining Farm (Somewhereon Earth) 3,075,120 i7s
  • 137.
    Bitcoin Mining Farm (Somewhereon Earth) 3,075,120 i7s • Many such mining farms on earth
  • 138.
    Bitcoin Mining Farm (Somewhereon Earth) 3,075,120 i7s • Many such mining farms on earth • Often in secret locations
  • 139.
    Bitcoin Mining Farm (Somewhereon Earth) 3,075,120 i7s • Many such mining farms on earth • Often in secret locations • Impossible to find their locations
  • 140.
    Bitcoin Mining Farm (Somewhereon Earth) 3,075,120 i7s • Many such mining farms on earth • Often in secret locations • Impossible to find their locations • Usually in cold countries with cheap electricity
  • 141.
    Bitcoin Mining Farm (Somewhereon Earth) 3,075,120 i7s • Many such mining farms on earth • Often in secret locations • Impossible to find their locations • Usually in cold countries with cheap electricity • Bitcoin mining uses enough electricity to power 3 Irelands
  • 142.
    Bitcoin Mining Farm (Somewhereon Earth) 3,075,120 i7s • Many such mining farms on earth • Often in secret locations • Impossible to find their locations • Usually in cold countries with cheap electricity • Bitcoin mining uses enough electricity to power 3 Irelands • Many rumors about who is mining Bitcoin
  • 143.
    Bitcoin Mining Farm (Somewhereon Earth) 3,075,120 i7s • Many such mining farms on earth • Often in secret locations • Impossible to find their locations • Usually in cold countries with cheap electricity • Bitcoin mining uses enough electricity to power 3 Irelands • Many rumors about who is mining Bitcoin • One thing we do know: more mining farms are springing up because the hash rate is growing
  • 144.
    Bitcoin Mining Farm (Somewhereon Earth) 3,075,120 i7s • Many such mining farms on earth • Often in secret locations • Impossible to find their locations • Usually in cold countries with cheap electricity • Bitcoin mining uses enough electricity to power 3 Irelands • Many rumors about who is mining Bitcoin • One thing we do know: more mining farms are springing up because the hash rate is growing • How do we know this ?
  • 145.
  • 146.
  • 147.
  • 148.
    Finding The Network Hash Rate: The "Great Crash" of 2017
  • 149.
    Finding The Network Hash Rate: 1,923,076,923,077 i7s
  • 150-152.
    Finding The Network Hash Rate
    • But how does blockchain.info know the hash rate? Nobody knows where all the mining farms are.
    • Answer: they use math
  • 153.
  • 154.
  • 155-159.
    Proof-Of-Work & Mining
    "The mining equation": P × B × H = 1
    • P = probability of mining a block below the difficulty target in 1 try
    • B = block time (s)
    • H = number of tries per second, a.k.a. hash rate (h/s)
    • Rearranged: P = 1/(B × H), B = 1/(P × H), H = 1/(P × B)
  • 160-166.
    Example Hash Rate Calculation
    The probability of mining a block in a single attempt is 0.1. I'm trying 10 hashes per second; what is my block time?
    • P = 0.1
    • H = 10
    • B = 1/(P × H)
    • B = 1/(0.1 × 10)
    • B = 1/1
    • Average block time is 1 second
  • 167.
    Example Hash Rate Calculation: Let's try a real example!
  • 168.
    Example Hash Rate Calculation. The home page of blockchain.info looks like this: what is the current network hash rate?
  • 169-171.
    Example Hash Rate Calculation
    We have:
    • 8 most recent block hashes:
      • 000000000000000000156ef4be0d0c90b655f9fb08fac67aa151032bfcdfa51a
      • 0000000000000000000dd8b04dcf588433bbb4838d20ea8e3682c5b5328f3934
      • 0000000000000000000ba39636a6dd75584f400da3217c5aec4d91116307243c
      • 0000000000000000000c65f787061574865988894a721900fe46dbbe85580950
      • 0000000000000000000825524292c9ad4938a85c3a0cd08965182272912d087d
      • 00000000000000000013f660755e5aa1f9daf8eaa0663a4ecddd17d75e608d05
      • 00000000000000000010f252e6a289adcdcce0577afa29d9f62082b7a416bc41
      • 000000000000000000050de301e9b99dcc253f51b186a3d6333ae5c5f9a2f22b
    • 8 most recent block timestamps:
      • 2019-12-06 02:37
      • 2019-12-06 02:19
      • 2019-12-06 02:12
      • 2019-12-06 01:46
      • 2019-12-06 01:44
      • 2019-12-06 01:26
      • 2019-12-06 01:24
      • 2019-12-06 01:15
  • 172.
    Example Hash Rate Calculation
    We want:
    • P (probability of finding a correct hash in one try)
    • B (block time)
    • So we can solve H = 1/(P × B)
  • 173-179.
    Example Hash Rate Calculation
    B is easier to find, so we'll start with it.
    Step 1: Convert the 8 timestamps into seconds (Unix time):
    • 2019-12-06 02:37 => 1575599820
    • 2019-12-06 02:19 => 1575598740
    • 2019-12-06 02:12 => 1575598320
    • 2019-12-06 01:46 => 1575596760
    • 2019-12-06 01:44 => 1575596640
    • 2019-12-06 01:26 => 1575595560
    • 2019-12-06 01:24 => 1575595440
    • 2019-12-06 01:15 => 1575594900
    Step 2: Calculate the intervals between consecutive blocks:
    • 1575599820 - 1575598740 = 1080
    • 1575598740 - 1575598320 = 420
    • 1575598320 - 1575596760 = 1560
    • 1575596760 - 1575596640 = 120
    • 1575596640 - 1575595560 = 1080
    • 1575595560 - 1575595440 = 120
    • 1575595440 - 1575594900 = 540
    Step 3: Compute the median of the sorted intervals: 120 120 420 540 1080 1080 1560
    • => B = 540
  • 180-181.
    Example Hash Rate Calculation
    To find P, we can average the block hashes of the last 8 blocks, then multiply by 2 to get the difficulty target. We then express that as a fraction of 2^256.
    Reasoning: if I keep asking someone to choose numbers between 1 and 100 and write down only the numbers below 10, the average of the numbers I write down will be 5.
  • 182-188.
    Example Hash Rate Calculation
      0x000000000000000000156ef4be0d0c90b655f9fb08fac67aa151032bfcdfa51a
      0x0000000000000000000dd8b04dcf588433bbb4838d20ea8e3682c5b5328f3934
      0x0000000000000000000ba39636a6dd75584f400da3217c5aec4d91116307243c
      0x0000000000000000000c65f787061574865988894a721900fe46dbbe85580950
      0x0000000000000000000825524292c9ad4938a85c3a0cd08965182272912d087d
      0x00000000000000000013f660755e5aa1f9daf8eaa0663a4ecddd17d75e608d05
      0x00000000000000000010f252e6a289adcdcce0577afa29d9f62082b7a416bc41
    + 0x000000000000000000050de301e9b99dcc253f51b186a3d6333ae5c5f9a2f22b
    = 0x6d6d1b6a06bf99a5c038058aa31eed1eb8d878a5154fc8 (sum of the 8 hashes)
    ÷ 0x04 (average of 8, multiplied by 2)
    = 0x1b5b46da81afe669700e0162a8c7bb47ae361e294553f2 (estimated difficulty target)
    ÷ 0x02^0x100 (i.e. 2^256)
    = 0.0000000000000000000000226...
    => P = 0.0000000000000000000000226
  • 189-194.
    Example Hash Rate Calculation
    H = 1/(P × B)
    H = 1/(0.0000000000000000000000226 × 540)
    H = 81836032937956668986
    H = 81,836,032,937,956,668,986
    H = 81.8 EH/s
    Within 10% of the correct answer. Only out by a few quintillion!
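The whole estimate from the mining equation onward, as an added example in Python (not code from the slides): the toy P = 0.1, H = 10 case, then the real one using the eight block hashes and timestamps quoted above, with B taken as the median gap and P as the doubled mean hash over 2^256. The function names are assumptions; the timestamps are treated as UTC, which is what makes 2019-12-06 02:37 equal 1575599820 as on the slides.

```python
import statistics
from datetime import datetime, timezone

# The eight block hashes and timestamps copied from the slides (blockchain.info, 2019-12-06).
BLOCK_HASHES = [
    "000000000000000000156ef4be0d0c90b655f9fb08fac67aa151032bfcdfa51a",
    "0000000000000000000dd8b04dcf588433bbb4838d20ea8e3682c5b5328f3934",
    "0000000000000000000ba39636a6dd75584f400da3217c5aec4d91116307243c",
    "0000000000000000000c65f787061574865988894a721900fe46dbbe85580950",
    "0000000000000000000825524292c9ad4938a85c3a0cd08965182272912d087d",
    "00000000000000000013f660755e5aa1f9daf8eaa0663a4ecddd17d75e608d05",
    "00000000000000000010f252e6a289adcdcce0577afa29d9f62082b7a416bc41",
    "000000000000000000050de301e9b99dcc253f51b186a3d6333ae5c5f9a2f22b",
]
TIMESTAMPS = [  # newest first, UTC
    "2019-12-06 02:37", "2019-12-06 02:19", "2019-12-06 02:12", "2019-12-06 01:46",
    "2019-12-06 01:44", "2019-12-06 01:26", "2019-12-06 01:24", "2019-12-06 01:15",
]


def solve_mining_equation(P=None, B=None, H=None):
    """P * B * H = 1. Pass any two of P, B, H and get the third back."""
    missing = [name for name, v in (("P", P), ("B", B), ("H", H)) if v is None]
    if len(missing) != 1:
        raise ValueError("supply exactly two of P, B, H")
    known = [v for v in (P, B, H) if v is not None]
    return 1 / (known[0] * known[1])


def to_unix_seconds(stamp: str) -> int:
    """'YYYY-MM-DD HH:MM' (UTC, as the slides show) -> Unix time."""
    return int(datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc).timestamp())


def block_time(timestamps):
    """B: the median gap between consecutive blocks, in seconds.

    The median is used rather than the mean because a handful of blocks
    gives a very noisy sample (the gaps here run from 120 s to 1560 s).
    """
    secs = [to_unix_seconds(t) for t in timestamps]
    gaps = sorted(newer - older for newer, older in zip(secs, secs[1:]))
    return statistics.median(gaps), gaps


def estimate_target(block_hashes):
    """Slide method: valid hashes are uniform below the target, so their mean
    is about half the target; double the mean to estimate the target itself."""
    values = [int(h, 16) for h in block_hashes]
    return 2 * sum(values) // len(values)


def probability_per_try(target: int) -> float:
    """P: the chance a single sha256d hash lands below the target."""
    return target / 2**256


def estimate_network_hash_rate(block_hashes, timestamps) -> float:
    """H = 1 / (P * B) in hashes per second."""
    B, _ = block_time(timestamps)
    P = probability_per_try(estimate_target(block_hashes))
    return solve_mining_equation(P=P, B=B)


def format_hash_rate(h: float) -> str:
    for unit, scale in (("EH/s", 1e18), ("PH/s", 1e15), ("TH/s", 1e12), ("GH/s", 1e9), ("MH/s", 1e6)):
        if h >= scale:
            return f"{h / scale:.1f} {unit}"
    return f"{h:.1f} H/s"


if __name__ == "__main__":
    print("toy: B =", solve_mining_equation(P=0.1, H=10), "s")
    B, gaps = block_time(TIMESTAMPS)
    print("gaps:", gaps, "-> B =", B, "s")
    print("P =", probability_per_try(estimate_target(BLOCK_HASHES)))
    print("H =", format_hash_rate(estimate_network_hash_rate(BLOCK_HASHES, TIMESTAMPS)))
```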
  • 195.
    Attacks BITCOIN FUNDAMENTALS N. P. O'DONNELL, MAYNOOTH UNIVERSITY
  • 196.
  • 197-211.
    Key Guessing Attack
    • If you can successfully guess somebody's private key, you can take all their bitcoin
    • Individual addresses have 256-bit security
    • Assuming a good RNG was used, the chance of guessing correctly is virtually zero
    • Not the case if you use "brain wallets", which are insecure
    • Don't use brain wallets!
    • Famous brain wallets:
      • "bitcoin": 1E984zyYbNmeuumzEdqT8VSL8QGJi3byAD
      • "hello": 1HoSFymoqteYrmmr7s3jDDqmggoxacbk37
      • "satoshi": 1ADJqstUMBB5zFquWg19UqZ7Zc6ePCpzLE
    • Bots are running 24/7, ready to take any bitcoin sent to brain wallets
    • Bots use massive hash tables of pre-computed brain wallets
    • I lost about 500 euros to one such bot
    • Best kind of wallet is a hardware wallet
    • Hardware wallets are resistant to any intrusion on your computer, including viruses, remote attackers, etc.
    • Hardware wallet stores the private key and signs transactions on behalf of the user
51% Attack
• To perform this attack, the attacker must possess over 50% of the hashing power
1. Attacker pays somebody in bitcoin for goods or services in transaction T, spending coin C to address A (recipient)
2. Attacker begins privately mining an alternative blockchain which contains transaction T' instead, spending coin C to address A' (himself)
3. Once goods/services have arrived, attacker broadcasts the alternative blockchain
4. Since the attacker's private blockchain will have a greater height, the network will be forced to accept it and re-organize
5. Attacker will still have his bitcoin in the alternative address, plus the goods or services ("goods" are usually $$$)
• Any blockchain where one entity controls over 50% of hashing power should be considered compromised
• Small blockchains are susceptible
• Can be used for:
  • Preventing certain transactions from being confirmed
  • Double-spending
  • Network interruption
• Cannot be used to:
  • Steal coins
• Best protected against with:
  • Many miners
  • Incentivizing mining pools (where individual miners are free to choose transactions)
  • Competition
• Real-life examples:
  • May 2018: Bitcoin Gold was 51% attacked - $18,000,000 stolen
  • December 2018: Vertcoin was 51% attacked - $100,000 stolen
• Unlikely to happen to Bitcoin because:
  • Hash-power is massive and well-diversified
  • Hash-power distribution is well known
  • Miners want Bitcoin to succeed and the price to go up; a 51% attack would cause a price crash
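The attack sequence above, and the claim that small blockchains are susceptible, can be put in numbers from the recipient's side. The following is an added example, not code from the slides: it implements the attacker-success formula from section 11 of the Bitcoin whitepaper (the probability that a privately mined chain ever catches up once the recipient has seen z confirmations), a helper that finds how many confirmations to wait for before treating a payment as final, and a small model of the reorganization in step 4. Nodes follow the chain with the most accumulated work, which at constant difficulty is the longest chain, so a tie-break and a one-block lead are enough to model it. Function names and the risk threshold of 0.1% are my own choices.

```python
"""Added example (not from the slides): recipient-side risk of a private-chain
(51%) attack as a function of the attacker's share of the hashing power.

attacker_success_probability() is the formula from section 11 of the Bitcoin
whitepaper. confirmations_needed() turns it into the mitigation a merchant or
exchange controls: how many confirmations to wait for. Everything is computed
locally; nothing talks to a network.
"""
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the hash power
    ever catches up with the honest chain after it is z blocks ahead.

    q: attacker's share of total hashing power, 0 <= q < 1
    z: confirmations the recipient has already seen
    """
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        # At 50% or more the private chain grows at least as fast as the
        # honest one, so catching up is certain: the 51% attack of the slides.
        return 1.0
    # Expected number of blocks the attacker mines while honest miners mine z.
    lam = z * (q / p)
    total = 1.0
    for k in range(z + 1):
        # Poisson probability that the attacker has mined exactly k blocks ...
        poisson = math.exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        # ... times the probability of never closing the remaining z - k gap.
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def confirmations_needed(q: float, max_risk: float = 0.001, limit: int = 10_000):
    """Smallest z such that the attacker's success probability is below
    max_risk, or None when no finite number of confirmations is safe
    (attacker holds at least half of the hashing power)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


def chain_reorg_outcome(honest_blocks_after_fork: int,
                        attacker_blocks_after_fork: int) -> str:
    """Step 4 of the slides: a node keeps whichever branch is longer once the
    attacker broadcasts. Ties keep the branch seen first, i.e. the honest one,
    so the attacker needs a strict lead for T to be replaced by T'."""
    if attacker_blocks_after_fork > honest_blocks_after_fork:
        return "reorg: attacker's chain adopted, T replaced by T'"
    return "honest chain kept, T remains confirmed"


if __name__ == "__main__":
    for q in (0.10, 0.30, 0.51):
        print(f"attacker share {q:.0%}:")
        for z in (0, 1, 6, 24):
            print(f"  z={z:>2}  P(catch up)={attacker_success_probability(q, z):.7f}")
        print(f"  confirmations for <0.1% risk: {confirmations_needed(q)}")
    print(chain_reorg_outcome(6, 7))
```

With 10% of the hash power an attacker's catch-up probability falls below 0.1% after five confirmations; with 30% it takes 24; from 50% upward the probability is 1 for every z, which is why no confirmation policy protects a chain where one party can reach that share. On a small chain the realistic defence for a recipient is therefore to wait far longer than the customary six blocks, sized to the largest share a single pool or rented hash-power could plausibly hold.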
Quantum Computing Threats?
    Quantum Computing Threats? • Bitcoin uses 256-bit EC cryptography • To break a n-bit EC key a QC with 9n + 2 log2(n) + 10 qubits are needed (arXiv:1706.06752v3) • These need to be stable qubits • To "break bitcoin", this means 2,000 stable qubits are required • It's very difficult to build QCs with stable qubits, this is due to decoherence when entangled qubits interact with their environment • It's much easier to go from 1 to 2 qubits than to go from 100 to 101 qubits • Adding qubit n introduces n – 1 new interactions to the system • Breaking bitcoin requires a QC that can run Shor's algorithm • Most QCs can't run Shor's Algorithm except with a tiny number of qubits (like 5) • Largest number ever factored on a real QC using Shor's is 21 (5 bits, 2012). • Largest number ever factored on a real QC is 4,088,459 (22 bits) using IBM's 5-qubit processor (Grover's algorithm) • How could a 22-bit number be factored on a 5-bit QC? • Answer: 2088459 = 2017 × 2027 • 2017 and 2027 differ by 2 bits; only 2 qubits of the 5 were used. • Numbers were cherry-picked. • More promising results with quantum annealing: • 376,289 = 571 × 659 was factored on D-wave 2000Q quantum annealer by Shuxian Jiang, Keith A. Britt, Travis S. Humble, and Sabre Kais (2018) • Not cherry-picked, but these are still tiny numbers • Does not use Shor's algorithm, but variant of Grover's algorithm. Doubtful if the method used can scale to large numbers
  • 260.
    Quantum Computing Threats? • Bitcoin uses 256-bit EC cryptography • To break a n-bit EC key a QC with 9n + 2 log2(n) + 10 qubits are needed (arXiv:1706.06752v3) • These need to be stable qubits • To "break bitcoin", this means 2,000 stable qubits are required • It's very difficult to build QCs with stable qubits, this is due to decoherence when entangled qubits interact with their environment • It's much easier to go from 1 to 2 qubits than to go from 100 to 101 qubits • Adding qubit n introduces n – 1 new interactions to the system • Breaking bitcoin requires a QC that can run Shor's algorithm • Most QCs can't run Shor's Algorithm except with a tiny number of qubits (like 5) • Largest number ever factored on a real QC using Shor's is 21 (5 bits, 2012). • Largest number ever factored on a real QC is 4,088,459 (22 bits) using IBM's 5-qubit processor (Grover's algorithm) • How could a 22-bit number be factored on a 5-bit QC? • Answer: 2088459 = 2017 × 2027 • 2017 and 2027 differ by 2 bits; only 2 qubits of the 5 were used. • Numbers were cherry-picked. • More promising results with quantum annealing: • 376,289 = 571 × 659 was factored on D-wave 2000Q quantum annealer by Shuxian Jiang, Keith A. Britt, Travis S. Humble, and Sabre Kais (2018) • Not cherry-picked, but these are still tiny numbers • Does not use Shor's algorithm, but variant of Grover's algorithm. Doubtful if the method used can scale to large numbers • If QC does break Bitcoin tomorrow, it will break everything else too. Banks, Governments, Hospitals, Airlines, Military, Big Tech...
  • 261.
    Quantum Computing Threats? • Bitcoin uses 256-bit EC cryptography • To break a n-bit EC key a QC with 9n + 2 log2(n) + 10 qubits are needed (arXiv:1706.06752v3) • These need to be stable qubits • To "break bitcoin", this means 2,000 stable qubits are required • It's very difficult to build QCs with stable qubits, this is due to decoherence when entangled qubits interact with their environment • It's much easier to go from 1 to 2 qubits than to go from 100 to 101 qubits • Adding qubit n introduces n – 1 new interactions to the system • Breaking bitcoin requires a QC that can run Shor's algorithm • Most QCs can't run Shor's Algorithm except with a tiny number of qubits (like 5) • Largest number ever factored on a real QC using Shor's is 21 (5 bits, 2012). • Largest number ever factored on a real QC is 4,088,459 (22 bits) using IBM's 5-qubit processor (Grover's algorithm) • How could a 22-bit number be factored on a 5-bit QC? • Answer: 2088459 = 2017 × 2027 • 2017 and 2027 differ by 2 bits; only 2 qubits of the 5 were used. • Numbers were cherry-picked. • More promising results with quantum annealing: • 376,289 = 571 × 659 was factored on D-wave 2000Q quantum annealer by Shuxian Jiang, Keith A. Britt, Travis S. Humble, and Sabre Kais (2018) • Not cherry-picked, but these are still tiny numbers • Does not use Shor's algorithm, but variant of Grover's algorithm. Doubtful if the method used can scale to large numbers • If QC does break Bitcoin tomorrow, it will break everything else too. Banks, Governments, Hospitals, Airlines, Military, Big Tech... • Such a QC would be the greatest weapon imaginable in information warfare
  • 262.
    Quantum Computing Threats? • Bitcoin uses 256-bit EC cryptography • To break a n-bit EC key a QC with 9n + 2 log2(n) + 10 qubits are needed (arXiv:1706.06752v3) • These need to be stable qubits • To "break bitcoin", this means 2,000 stable qubits are required • It's very difficult to build QCs with stable qubits, this is due to decoherence when entangled qubits interact with their environment • It's much easier to go from 1 to 2 qubits than to go from 100 to 101 qubits • Adding qubit n introduces n – 1 new interactions to the system • Breaking bitcoin requires a QC that can run Shor's algorithm • Most QCs can't run Shor's Algorithm except with a tiny number of qubits (like 5) • Largest number ever factored on a real QC using Shor's is 21 (5 bits, 2012). • Largest number ever factored on a real QC is 4,088,459 (22 bits) using IBM's 5-qubit processor (Grover's algorithm) • How could a 22-bit number be factored on a 5-bit QC? • Answer: 2088459 = 2017 × 2027 • 2017 and 2027 differ by 2 bits; only 2 qubits of the 5 were used. • Numbers were cherry-picked. • More promising results with quantum annealing: • 376,289 = 571 × 659 was factored on D-wave 2000Q quantum annealer by Shuxian Jiang, Keith A. Britt, Travis S. Humble, and Sabre Kais (2018) • Not cherry-picked, but these are still tiny numbers • Does not use Shor's algorithm, but variant of Grover's algorithm. Doubtful if the method used can scale to large numbers • If QC does break Bitcoin tomorrow, it will break everything else too. Banks, Governments, Hospitals, Airlines, Military, Big Tech... • Such a QC would be the greatest weapon imaginable in information warfare • No palpable sense of urgency from these entities to upgrade to post-quantum cryptography
  • 263.
    Quantum Computing Threats? • Bitcoin uses 256-bit EC cryptography • To break a n-bit EC key a QC with 9n + 2 log2(n) + 10 qubits are needed (arXiv:1706.06752v3) • These need to be stable qubits • To "break bitcoin", this means 2,000 stable qubits are required • It's very difficult to build QCs with stable qubits, this is due to decoherence when entangled qubits interact with their environment • It's much easier to go from 1 to 2 qubits than to go from 100 to 101 qubits • Adding qubit n introduces n – 1 new interactions to the system • Breaking bitcoin requires a QC that can run Shor's algorithm • Most QCs can't run Shor's Algorithm except with a tiny number of qubits (like 5) • Largest number ever factored on a real QC using Shor's is 21 (5 bits, 2012). • Largest number ever factored on a real QC is 4,088,459 (22 bits) using IBM's 5-qubit processor (Grover's algorithm) • How could a 22-bit number be factored on a 5-bit QC? • Answer: 2088459 = 2017 × 2027 • 2017 and 2027 differ by 2 bits; only 2 qubits of the 5 were used. • Numbers were cherry-picked. • More promising results with quantum annealing: • 376,289 = 571 × 659 was factored on D-wave 2000Q quantum annealer by Shuxian Jiang, Keith A. Britt, Travis S. Humble, and Sabre Kais (2018) • Not cherry-picked, but these are still tiny numbers • Does not use Shor's algorithm, but variant of Grover's algorithm. Doubtful if the method used can scale to large numbers • If QC does break Bitcoin tomorrow, it will break everything else too. Banks, Governments, Hospitals, Airlines, Military, Big Tech... • Such a QC would be the greatest weapon imaginable in information warfare • No palpable sense of urgency from these entities to upgrade to post-quantum cryptography • As things stand – a tiny computer such as an Apple watch is far better at breaking crypto and prime factorization than today's multi-million dollar QCs
  • 264.
    Quantum Computing Threats? • Bitcoin uses 256-bit EC cryptography • To break a n-bit EC key a QC with 9n + 2 log2(n) + 10 qubits are needed (arXiv:1706.06752v3) • These need to be stable qubits • To "break bitcoin", this means 2,000 stable qubits are required • It's very difficult to build QCs with stable qubits, this is due to decoherence when entangled qubits interact with their environment • It's much easier to go from 1 to 2 qubits than to go from 100 to 101 qubits • Adding qubit n introduces n – 1 new interactions to the system • Breaking bitcoin requires a QC that can run Shor's algorithm • Most QCs can't run Shor's Algorithm except with a tiny number of qubits (like 5) • Largest number ever factored on a real QC using Shor's is 21 (5 bits, 2012). • Largest number ever factored on a real QC is 4,088,459 (22 bits) using IBM's 5-qubit processor (Grover's algorithm) • How could a 22-bit number be factored on a 5-bit QC? • Answer: 2088459 = 2017 × 2027 • 2017 and 2027 differ by 2 bits; only 2 qubits of the 5 were used. • Numbers were cherry-picked. • More promising results with quantum annealing: • 376,289 = 571 × 659 was factored on D-wave 2000Q quantum annealer by Shuxian Jiang, Keith A. Britt, Travis S. Humble, and Sabre Kais (2018) • Not cherry-picked, but these are still tiny numbers • Does not use Shor's algorithm, but variant of Grover's algorithm. Doubtful if the method used can scale to large numbers • If QC does break Bitcoin tomorrow, it will break everything else too. Banks, Governments, Hospitals, Airlines, Military, Big Tech... • Such a QC would be the greatest weapon imaginable in information warfare • No palpable sense of urgency from these entities to upgrade to post-quantum cryptography • As things stand – a tiny computer such as an Apple watch is far better at breaking crypto and prime factorization than today's multi-million dollar QCs • Basically there's nothing to worry about.
  • 265.
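As an added illustration, not part of the slides, the qubit bound cited above and the "only 2 qubits of the 5 were used" remark worked through classically in Python: with d bit positions where the two factors differ, there are only 2**d ways to hand those bits out, so the 22-bit "factorisation" is a 4-candidate search. The `factor_with_shared_bits` helper is my own constructed stand-in for that observation, not the method IBM's team used.

```python
import math


def qubits_needed(n: int) -> int:
    """Stable qubits for a Shor-type ECDLP attack on an n-bit curve, using the
    9n + 2*log2(n) + 10 bound the slide cites (arXiv:1706.06752v3).
    ceil() only matters when n is not a power of two; n=256 gives 2330."""
    return 9 * n + 2 * math.ceil(math.log2(n)) + 10


def hamming_distance(a: int, b: int) -> int:
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")


def factor_with_shared_bits(n: int, shared: int, differing: list[int]):
    """Constructed classical stand-in for the 'only 2 qubits were used' point.

    shared    - bits p and q have in common (0 at every differing position)
    differing - positions where exactly one of p, q has a 1

    With d differing positions there are only 2**d ways to distribute those
    1-bits between p and q, so the search has 2**d candidates at most.
    Returns (p, q, candidates_in_search_space) or None if no assignment fits.
    """
    d = len(differing)
    for assignment in range(1 << d):
        p, q = shared, shared
        for i, pos in enumerate(differing):
            if (assignment >> i) & 1:
                p |= 1 << pos
            else:
                q |= 1 << pos
        if p * q == n:
            return (min(p, q), max(p, q), 1 << d)
    return None


if __name__ == "__main__":
    # Inputs constructed from the slide's own numbers: 4,088,459 = 2017 x 2027.
    p, q = 2017, 2027
    shared = p & q
    differing = [i for i in range(p.bit_length()) if ((p ^ q) >> i) & 1]
    print("qubits for 256-bit EC:", qubits_needed(256))
    print("2017 vs 2027 differ in", hamming_distance(p, q), "bits")
    print("search result:", factor_with_shared_bits(p * q, shared, differing))
```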
    The End BITCOIN FUNDAMENTALS N. P. O'DONNELL, MAYNOOTH UNIVERSITY
  • 266.
    Questions? BITCOIN FUNDAMENTALS N. P. O'DONNELL, MAYNOOTH UNIVERSITY