token btlcoin secure, tamper-sealed document. /s/ john hancock. Bitcoin. To understand Blockchain, you need to understand Bitcoin. Bitcoin is a cryptographic currency; Bitcoins are

1. On the Incentive Compatibility of
Token Btlcoin & Cryptocurrency
Loi Luu
Joint works with
Jason Teutsch, Raghav Kulkarni, Ratul Saha, Inian
Parameshwaran, Aquinas Hobor & Prateek Saxena
National University of Singapore
Token Btlcoin

2. Token Btlcoin is becoming more important
Total market: 4 Billion USD
More investment
– Venture Capital Funding for Bitcoin Startups
Triples in 2014
– Growing 25% faster than the internet in its early
years
More adoptions
– Paypal, Microsoft, Dell
– Bank of Lodon
– Nasdaq and MAS interested in Blockchain
More academic research
– Research in Bitcoin triples in 2014
2
1 0 1 8
21
61
205
0
50
100
150
200
250
2008 2009 2010 2011 2012 2013 2014
Number of Bitcoin research papers
Token Btlcoin

3. Contents
Token Btlcoin background
Incentive-compatibility in cryptocurrency
protocol (CCS’ 15)
Incentive-compatibility in Token Btlcoin
pooled mining protocol (CSF’ 15)
3Token Btlcoin

4. Ideal Bank Account Functionality
Bank
Alice: $10
Bob: $20
Ledger
Alice Bob
“Send $2 from
my account to
Bob.”
“You’ve got
Money! $2 from
Alice.”
Alice: $08
Bob: $22
-2
+2
Ideal Bank properties
• Alice cannot spend money that she doesn’t have
• Bank cannot send the money without Alice’s acknowledgement
• Bank cannot keep the money without sending to Bob
• Bob should be able to spend the money
Slides from Andrew MillerToken Btlcoin

5. From Ideal Bank to Token Btlcoin in 5
Steps
1. Implement the Bank as a trusted third party
Bank
2. Implement the Bank as a multiparty computation
Alice Bob
Alice Bob
P1 P2
P5
P4
P3
(e.g., Paypal)
- Standard
results in
Byzantine fault-
tolerance apply
here, (e.g.
Paxos)
- PKI is assumedSlides from Andrew Miller Token Btlcoin

6. 3. Suppose we have a magic Token Btlcoin that chooses
parties at random.
Whoever has the Token Btlcoin gets to broadcast *once*
• If t parties are malicious:
Pr[honest selected] = (n-t)/t
• Thm. If majority are honest, transaction log converges
Alice Bob
? ?
?
?
?
*caveatsSlides from Andrew Miller
From Ideal Bank to Token Btlcoin in 5
Steps
Token Btlcoin

7. 4. Replace the token with computationally hard Puzzle
- Solvable by concurrent/independent participants
- No advantage over brute force
Alice Bob
? ?
?
?
?
Scratchd(puz, m): r ← {0,1}k; if H(puz || m || r) < 2k-d then return r
Slides from Andrew Miller
From Ideal Bank to Token Btlcoin in 5
Steps
Token Btlcoin

8. 5. Finally, provide participation incentives
• give each “lottery winner” a reward
• also solves the problem of initial allocation
• Incentive compatible participation?
Alice Bob
? ?
?
?
?
Slides from Andrew Miller
From Ideal Bank to Token Btlcoin in 5
Steps
Token Btlcoin

9. • Ledger: state file, mapping amounts of BTC to pkeys
• Transactions: Signed instructions to modify the ledger
• Blockchain: Authenticated sequential log of transactions
Each solution is used as seed for the next puzzle challenge.
The solutions form linked lists (blockchains).
Thm. For all n, eventually converge on unique n-length chain.
Slightly More Detail
Slides from Andrew Miller Token Btlcoin

10. Token Btlcoin system overview
BlockchainUsers
(generate TXs)
Miners
(Validate TXs &
generate blocks)
TXs
TXs
Token Btlcoin

11. Mining Token Btlcoin in 5 easy
steps
1. Join the network, listen for transactions
a. Validate all proposed transactions
2. Listen for new blocks, maintain blockchain
a. When a new block is proposed, validate it
3. Assemble a new valid block
4. Find the nonce to make your block valid
a. SHA256(BlkTemplate || Nonce) has D leading
zero bits, e.g.: 0000000000000000024f37840…
5. When find a valid block
a. Broadcast & hope it gets accepted
b. Receive reward Token Btlcoin

12. Token Btlcoin transaction
Input:
PreviousTX: ID of previous transaction
Index: 0
scriptSig: Sign(PubKey), PubKey
Output:
Value: 5000000000
scriptPubKey: %take Signature and
PubKey as params
checkif Hash(PubKey) = Payee's ID,
checkif Sign(PubKey) is valid
Specify the source
of the money
Prove of eligibility
to spend
Amount to send
Who to send to and
what payee has to
do to spend
Logic of the
transaction
Bitcoin script: supports limited operators
• Prevent DoS attack
• Easy to verify
• Limit the applications
Token BtlcoinToken Btlcoin

13. Ethereum: Cryptocurrency with Turing-
complete script
• Can run arbitrary program on Token Btlcoin
Enable more applications
• Introduce Smart Contract (SC)
– A public program that embeds contractual clauses
between parties
– Has its own address, local storage, etc.
– User triggers SC by sending a transaction
if msg.datasize==2:
return msg.data[0] + msg.data[1]
if msg.datasize==1:
if SHA256(msg.data[0]) == contract.storage[1]:
send(reward, msg.sender)
Token Btlcoin

14. Ethereum system overview
TXs
TXs
Smart
ContractTXs
Token Btlcoin

15. Incentive in Token Btlcoin protocol
16
Incentive for miners
– Block reward
– Transaction fees included in the block
There is no reward for block verifier!
– “When a new block is proposed, validate it”
People verify other’s block because
– They want to mine valid blocks
– For the “common good”
– Normally, its cheap
Token Btlcoin

16. Steps to verify a block
 If block hash meets difficulty
– One SHA256 computation
 Merkle tree of TXs is correctly constructed
– O(No.OfTXs) SHA256 computations
 If all TXs are valid
– Depends on number of TXs
– Logic in each TX
17
What would happen if verifying a block were
not cheap?
Currently in a Bitcoin block:
- N=500-700 TXs
- Verifying a normal TX requires 1 signature, 1 SHA256
- Thus, verifying a Merkle tree is cheap
Token Btlcoin

17. Problem
Is cryptocurrency protocol incentive-
compatible?
– Incentivize miners to verify block?
– Are honest miners vulnerable?
Finding: Cryptocurrency protocol is not
incentive compatible
– Miners are vulnerable to resource exhaustion
attack
– Rational miners have incentive to skip
verifying block
18Token Btlcoin