(True/False) In Bitcoin, each user has a symmetric key associated with their identity.
False. They have an asymmetric (public/private) key pair, not a symmetric key.
Designing Bitcoin: Transactions
In Bitcoin, how do we make sure a user can only spend money they have?
We make use of the public ledger. Every time a transaction is made, the user publishes it to the ledger. Then anyone can verify how much money a person has by tracing back their transaction history.
Designing Bitcoin: Blockchain
(True/False) If instead of hashing the entire previous block in our blockchain, we
just hashed part of it, this would still be secure since an attacker can’t
break collision resistance.
False. The attacker can freely modify the parts of the block that aren't hashed; collision resistance only protects the hashed portion.
Designing Bitcoin: Motivating Consensus
Consider a version of the protocol we’ve seen thus far, which requires
two individuals working together to add a block to the hashchain.
Assume there is only a single adversary, Mallory, in the network - can she
double-spend via a fork?
No. To do this she would need to generate an alternate, valid blockchain from a point in the past. Since adding a block requires two people, Mallory cannot create this alternate chain by herself. This concept is similar to what Bitcoin attempts to achieve via its Proof-of-Work consensus mechanism, which we'll see next lecture.
Bitcoin Review
Proof of Work
(True/False) In Bitcoin Proof-of-Work, if the hash function isn't one-way then an attacker can always win by brute-forcing a valid pre-image.
False. Recall that part of the input is determined by the block being added, which in turn depends on previous blocks. While an attacker would be able to find a pre-image which hashes to the correct number of zeroes, there's no guarantee that pre-image will form a valid hash chain.
Proof of Work Example
Proof of Work Security
In Bitcoin, Proof-of-Work (PoW) requires miners to find some random number n
such that Hash(block || n) has a certain number of zeroes in it. What would
happen if instead, miners had to find Hash(n) for which this held?
This would compromise security: once a single n was found, it could be used to validate any block going forward. Even if you added the condition that each n had to be unique, you would still allow an adversary to precompute a large number of valid ns, since there is no dependence on the actual block being added.
For example, PoW protects against double-spend attacks because on every new block the entire network 'starts over' on solving the hashing puzzle (since part of the input to the hash function changes). This enforces the invariant that an attacker has to compromise 51% of the network to consistently solve the puzzle first. If you get rid of that dependence, the attacker no longer needs to compromise 51% of the network, since they can simply precompute 2-3 valid ns at any time and then execute their attack.
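The two hashing questions above (hashing only part of a block, and a puzzle of Hash(n) instead of Hash(block || n)) can be checked on a toy chain. The following is an added example, not code from the lecture: it assumes SHA-256 over a JSON-serialised header plus an 8-byte nonce, a constructed 16-bit target ("0000" prefix) so mining finishes in well under a second, and made-up transaction strings. tampered_chain_accepted shows that with partial hashing an edit to the unhashed transactions goes undetected, while full hashing breaks the chain; nonce_transfers shows that a nonce found for Hash(n) alone carries over to any other block, while one found for Hash(block || n) does not.

```python
import hashlib
import json

# Constructed toy parameters: a 16-bit target (hex digest must start with "0000"),
# small enough to mine quickly, and a fixed all-zero genesis back-pointer.
TARGET_PREFIX = "0000"
GENESIS_PREV = "0" * 64


def header_bytes(block: dict, include_txs: bool) -> bytes:
    """Serialise the fields covered by the hash. With include_txs=False the
    transactions are left out, modelling the 'hash only part of the block' flaw."""
    fields = {"prev_hash": block["prev_hash"]}
    if include_txs:
        fields["txs"] = block["txs"]
    return json.dumps(fields, sort_keys=True).encode()


def block_hash(block: dict, include_txs: bool = True) -> str:
    """Hash(block || n): SHA-256 over the covered header fields plus the nonce."""
    nonce = block["nonce"].to_bytes(8, "big")
    return hashlib.sha256(header_bytes(block, include_txs) + nonce).hexdigest()


def meets_target(digest_hex: str) -> bool:
    return digest_hex.startswith(TARGET_PREFIX)


def mine(prev_hash: str, txs: list, include_txs: bool = True) -> dict:
    """Find a nonce n such that Hash(block || n) meets the target."""
    block = {"prev_hash": prev_hash, "txs": list(txs), "nonce": 0}
    header = header_bytes(block, include_txs)
    while True:
        digest = hashlib.sha256(header + block["nonce"].to_bytes(8, "big")).hexdigest()
        if meets_target(digest):
            return block
        block["nonce"] += 1


def valid_chain(chain: list, include_txs: bool = True) -> bool:
    """Every block must meet the target and point at the hash of its predecessor."""
    for i, block in enumerate(chain):
        if not meets_target(block_hash(block, include_txs)):
            return False
        if i > 0 and block["prev_hash"] != block_hash(chain[i - 1], include_txs):
            return False
    return True


def tampered_chain_accepted(include_txs: bool) -> bool:
    """Build a two-block chain, then rewrite the transactions in block 0.
    Returns True if the verifier still accepts the chain (the edit went undetected)."""
    chain = [mine(GENESIS_PREV, ["alice pays bob 5"], include_txs)]  # constructed txs
    chain.append(mine(block_hash(chain[0], include_txs), ["bob pays carol 2"], include_txs))
    chain[0]["txs"] = ["alice pays bob 500"]  # edit a field that may or may not be hashed
    return valid_chain(chain, include_txs)


def nonce_transfers(bound_to_block: bool) -> bool:
    """Mine a nonce for block A, then reuse it on an unrelated block B.
    bound_to_block=True  -> puzzle is Hash(block || n), as in Bitcoin.
    bound_to_block=False -> puzzle is Hash(n) alone, the flawed variant from the question.
    Returns True if the reused nonce also satisfies block B."""
    block_a = {"prev_hash": GENESIS_PREV, "txs": ["alice pays bob 5"], "nonce": 0}
    block_b = {"prev_hash": GENESIS_PREV, "txs": ["alice pays mallory 5"], "nonce": 0}
    if bound_to_block:
        puzzle = lambda blk: block_hash(blk, include_txs=True)
    else:
        puzzle = lambda blk: hashlib.sha256(str(blk["nonce"]).encode()).hexdigest()
    while not meets_target(puzzle(block_a)):
        block_a["nonce"] += 1
    block_b["nonce"] = block_a["nonce"]  # precomputed nonce, reused on a different block
    return meets_target(puzzle(block_b))


if __name__ == "__main__":
    print("partial hashing, tampered chain accepted:", tampered_chain_accepted(False))  # True
    print("full hashing, tampered chain accepted:   ", tampered_chain_accepted(True))   # False
    print("Hash(n) puzzle, nonce reusable:          ", nonce_transfers(False))          # True
    print("Hash(block||n) puzzle, nonce reusable:   ", nonce_transfers(True))           # False
```

The link check in valid_chain is what catches the edit under full hashing: changing block 0's transactions changes block_hash(block 0), so block 1's stored prev_hash no longer matches. Under partial hashing the transactions never enter the digest, so both the target check and the link check still pass. In the nonce case, the Hash(block || n) puzzle fails on block B only with probability 2^-16 for this toy target, which is the "starts over on every block" property the text describes.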
Consensus & Mining
(True/False) Even if the network eventually switches to an alternate, longer chain, a miner will still receive a mining reward.
No. The mining reward is part of the block they mined, so if the network switches to an alternate chain and their block is dropped, the reward is also lost.
Mining pools
Why might having large mining pools be worrisome?
Because it's a large centralization of power in the network. If only a few mining pools decided to team up, they could hold 51% of the mining power and launch an attack.
Anonymity and Conclusions
If someone bought something from you over Bitcoin, how could you track their
future transactions?
You can simply scan through the blockchain looking for any transaction involving their public key.
Note: We won’t have time to cover certificate transparency, but for those
interested see here