sen-material: handouts/ho08.tex@250fd40211c7 (annotated)

318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	1	\documentclass{article}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	2	\usepackage{../style}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	3	\usepackage{../graphics}
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	4	\usepackage{../langs}
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	5
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	6	\begin{document}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	7
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	8	\section*{Handout 7 (Bitcoins)}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	9
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	10	In my opinion Bitcoins are an elaborate Ponzi
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	11	scheme\footnote{\url{http://en.wikipedia.org/wiki/Ponzi_scheme}}---still
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	12	the ideas behind them are really beautiful and not too
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	13	difficult to understand. Since many colourful claims about
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	14	Bitcoins float around in the mainstream and not-so-mainstream
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	15	media, it will be instructive to re-examine such claims from a
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	16	more technically informed vantage point. For example, it is
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	17	often claimed that Bitcoins are anonymous and free from any
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	18	potential government meddling. It turns out that the first
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	19	claim ignores a lot of research in de-anonymising social
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	20	networks, and the second underestimates the persuasive means a
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	21	government has at its disposal.
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	22
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	23	There are a lot of articles, blogposts, research papers
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	24	etc.~available about Bitcoins. Below I will follow closely the
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	25	very readable explanations from
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	26
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	27	\begin{center}
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	28	\url{http://www.michaelnielsen.org/ddi/how-the-bitcoin-protocol-actually-works/} \;\;and\smallskip\\
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	29	\url{http://www.imponderablethings.com/2013/07/how-bitcoin-works-under-hood.html}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	30	\end{center}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	31
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	32	\noindent The latter also contains a link to a nice youtube
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	33	video about the technical details behind Bitcoins.
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	34
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	35	Let us start with the question who invented Bitcoins? You
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	36	could not make up the answer, but we actually do not know who
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	37	the inventor is. All we know is that the first paper
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	38
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	39	\begin{center}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	40	\url{https://bitcoin.org/bitcoin.pdf}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	41	\end{center}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	42
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	43	\noindent is signed by Satoshi Nakamoto, which however is
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	44	likely only a pen name. There is a lot of speculation who
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	45	could be the inventor, or inventors, but we simply do not
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	46	know. This part of Bitcoins is definitely anonymous. The paper
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	47	above is from the end of 2008; the first Bitcoin transaction
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	48	was made in January 2009. The rules in Bitcoin are set up so
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	49	that there will only ever be 21 Million Bitcoins with the
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	50	maximum reached around the year 2140. Currently there are
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	51	already 11 Million Bitcoins in `existence'. Contrast this with
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	52	traditional fiat currencies where money can be printed almost
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	53	at will. The smallest unit of a Bitcoin is called a Satoshi,
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	54	which is the $10^{-8}$th part of a Bitcoin. Remember a Penny
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	55	is the $10^{-2}$th part of a Pound.
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	56
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	57	The two main cryptographic building blocks of Bitcoins are
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	58	cryptographic hashing functions (SHA-256) and public-private
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	59	keys using the elliptic-curve encryption scheme for digital
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	60	signatures. Hashes are used to generate `fingerprints' of data
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	61	that ensure integrity (absence of tampering). Public-private
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	62	keys are used for signatures. For example sending a message,
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	63	say $msg$, together with the encrypted version
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	64
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	65	\[
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	66	msg, \{msg\}_{K^{priv}}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	67	\]
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	68
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	69	\noindent allows everybody with access to the corresponding
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	70	public key $K^{pub}$ to verify the message came from the
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	71	person who knew the private key. Signatures are used in
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	72	Bitcoins for verifying the addresses where the Bitcoins are
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	73	sent from. Addresses in Bitcoins are essentially the public
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	74	keys. There are $2^{160}$ possible addresses, which is such a
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	75	vast amount that there is not even a check for duplicates, or
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	76	already used addresses. If you start with a random number to
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	77	generate a public-private key pair it is very unlikely that
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	78	you step on somebody else's shoes. Compare this with the
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	79	email-addresses you always wanted to register with, say
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	80	Googlemail, but which are already taken.
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	81
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	82	One main difference between Bitcoins and traditional banking
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	83	is that you do not have a place, or places, that record the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	84	balance on your account. Traditional banking involves a
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	85	central ledger which specifies the current balance in each
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	86	account, for example
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	87
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	88	\begin{center}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	89	\begin{tabular}{l\|r}
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	90	account owner & balance\\\hline
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	91	Alice & \pounds{10.01}\\
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	92	Bob & \pounds{4.99}\\
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	93	Charlie & -\pounds{1.23}\\
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	94	Eve & \pounds{0.00}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	95	\end{tabular}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	96	\end{center}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	97
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	98	\noindent Bitcoins work differently in that there is no such
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	99	central ledger, but instead a public record of all
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	100	transactions ever made. This means spending money corresponds
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	101	to sending messages of the (oversimplified) form
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	102
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	103	\begin{equation}
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	104	\{\text{I, Alice, am giving Bob one Bitcoin.}\}_{K^{priv}_{Alice}}
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	105	\end{equation}
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	106
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	107	\noindent These messages, called transactions, are the only
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	108	data that is ever stored in the Bitcoin system (we will come
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	109	to the precise details later on). The transactions are
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	110	encrypted with Alice's private key so that everybody,
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	111	including Bob, can use Alice's public key $K^{pub}_{Alice}$
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	112	for verifying that this message came really from Alice, or
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	113	more precisely from the person who knows $K^{priv}_{Alice}$.
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	114
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	115	The problem with such messages in a distributed system is that
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	116	what happens if Bob receives 10, say, of these transactions.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	117	Did Alice intend to send him 10 Bitcoins, or did the message
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	118	get duplicated by for example an attacker re-playing a sniffed
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	119	message? What is needed is a kind of serial number for such
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	120	transactions. This means transaction messages look more like
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	121
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	122	\begin{center}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	123	$\{\text{I, Alice, am giving Bob Bitcoin \#1234567.}\}_{K^{priv}_{Alice}}$
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	124	\end{center}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	125
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	126	\noindent There are two difficulties, however, that need to be
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	127	solved with serial numbers. One is who is assigning serial
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	128	numbers to Bitcoins and also how can Bob verify that Alice
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	129	actually owns this Bitcoin to pay him? In a system with a bank
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	130	as trusted third-party, Bob could do the following:
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	131
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	132	\begin{itemize}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	133	\item Bob asks the bank whether the Bitcoin with that serial
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	134	number belongs to Alice and Alice hasn’t already spent
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	135	this Bitcoin.
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	136	\item If yes, then Bob tells the bank he accepts this Bitcoin.
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	137	The bank updates the records to show that the Bitcoin
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	138	with that serial number is now in Bob’s possession and
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	139	no longer belongs to Alice.
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	140	\end{itemize}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	141
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	142	\noindent But for this banks would need to be trusted and
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	143	would also be an easy target for any government interference,
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	144	for example. Think of the early days of music sharing where
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	145	the company Napster was the single point of ``failure'' which
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	146	was taken offline by law enforcement. Bitcoins is more a
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	147	system like BitTorrent without a single central entity that
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	148	can be taken offline.
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	149
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	150	Bitcoin solves the problem of not being able to rely on a bank
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	151	by making everybody the ``bank''. Everybody who cares can have
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	152	the entire transactions history starting with the first
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	153	transaction made in January 2009. This history of transactions
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	154	is called \emph{blockchain}. Bob, for example, can use his
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	155	copy of the blockchain for determining whether Alice owned the
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	156	Bitcoin he received, and if she did, he transmits the message
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	157	that he owns it now to every other participant on the Bitcoin
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	158	network. An illustration of a three-block segment of the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	159	blockchain is (simplified) as follows
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	160
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	161	\begin{equation}
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	162	\includegraphics[scale=0.4]{../pics/bitcoinblockchain0.png}
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	163	\label{segment}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	164	\end{equation}
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	165
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	166	\noindent The chain grows with time. Each block contains a
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	167	list of individual transactions, written txn in the picture
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	168	above, and also a reference to the previous block, written
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	169	prev. The data in a block (txn's and prev) is hashed so that
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	170	the reference and transactions in them cannot be tampered
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	171	with. This hash is the unique serial number of each block.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	172	Since this previous-block-reference is also part of the hash,
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	173	the whole chain is robust against tampering. I let you think
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	174	why this is the case?\ldots{}But does it actually eliminate
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	175	all possibilities of fraud?
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	176
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	177	We can check the consistency of the blockchain by checking
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	178	whether all the references and hashes are correctly recorded.
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	179	I have not tried it myself, but it is said that with the
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	180	current amount of data (appr.~12GB) it takes roughly a day to
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	181	check the consistency of the blockchain on a normal computer.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	182	Fortunately this ``extended'' consistency check usually only
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	183	needs to be done once. Afterwards the blockchain only needs to
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	184	be updated consistently.
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	185
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	186	Recall I wrote earlier that Bitcoins do not maintain a ledger,
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	187	which lists all the current balances in each account. Instead
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	188	only transactions are recorded. While a current balance of an
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	189	account is not immediately available, it is possible to
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	190	extract from the blockchain a transaction graph that looks
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	191	like the picture shown in Figure~\ref{txngraph}. Each
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	192	rectangle represents a single transaction. Take for example
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	193	the rightmost lower transaction from Charles to Emily. This
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	194	transaction has as receiver the address of Emily and as the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	195	sender the address of Charles. In this way no Bitcoins can
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	196	appear out of thin air (we will discuss later how Bitcoins are
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	197	actually generated). If Charles did not have a transaction of
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	198	at least the amount he wants to give Emily to his name
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	199	(i.e.~send to an address with his public-private key) then
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	200	there is no way he can make a payment to Emily. Equally, if
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	201	now Emily wants to pay for a coffee, say, with the Bitcoin she
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	202	received from Charles she can essentially only forward the
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	203	message she received. The only slight complication with this
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	204	setup in Bitcoins is that ``incoming'' Bitcoins can be
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	205	combined in a transaction and ``outgoing'' Bitcoins can be
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	206	split. For example in the leftmost upper transactions in
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	207	Figure~\ref{txngraph}, Fred makes a payment to Alice. But this
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	208	payment (or transaction) combines the Bitcoins that were send
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	209	by Jane to Fred and also by Juan to Fred. This allows you to
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	210	``consolidate'' your funds: if it were only possible to split
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	211	transactions, then the amounts would get smaller and smaller.
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	212
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	213	But in Bitcoins it is also important to have the ability to
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	214	split the money from one or more incoming transaction to
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	215	potentially more than one receiver. Consider again the
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	216	rightmost transactions in Figure~\ref{txngraph} and suppose
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	217	Alice is a coffeeshop owner selling coffees for 1 Bitcoin.
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	218	Charles received a transaction from Zack over 5 Bitcoins, say.
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	219	How does he pay for the coffee? There is no explicit notion of
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	220	\emph{change} in the Bitcoin system. What Charles has to do
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	221	instead is to make one single transaction with 1 Bitcoin to
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	222	Alice and with 4 Bitcoins going back to himself, which then
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	223	Charles can use to give to Emily, for example.
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	224
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	225	\begin{figure}[t]
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	226	\begin{center}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	227	\includegraphics[scale=0.4]{../pics/blockchain.png}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	228	\end{center}
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	229	\caption{Transaction graph that is implicitly recorded in the
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	230	public blockchain.\label{txngraph}}
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	231	\end{figure}
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	232
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	233	Let us consider another example. Suppose Emily received 4
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	234	Bitcoins from Charles and independently received another
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	235	transaction (not shown in the picture) that sends 6 Bitcoins
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	236	to her. If she now wants to buy a coffee from Alice for 1
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	237	Bitcoin, she has two possibilities: She could just forward the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	238	transaction from Charles over 4 Bitcoins to Alice split in
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	239	such a way that Alice receives 1 Bitcoin and Emily sends the
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	240	remaining 3 Bitcoins ``back'' to herself. In this case she
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	241	would now be in the ``posession'' of two unspend Bitcoin
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	242	transactions, one over 3 Bitcoins and the independent one over
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	243	6 Bitcoins. Or, Emily could combine both transactions (one
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	244	over 4 Bitcoins from Charles and the independent one over 6
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	245	Bitcoins) and then split this amount with 1 Bitcoin going to
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	246	Alice and 9 Bitcoins going back to herself.
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	247
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	248	I think this is a good time for you to pause to let this
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	249	concept of transactions really sink in\ldots{}You should see
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	250	that there is really no need for a central ledger and no need
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	251	for an account balance as familiar from traditional banking.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	252	The closest what Bitcoin has to offer for the notion of a
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	253	balance in a bank account are the unspend transactions that a
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	254	person (more precisely a public-private key address) received.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	255	That means transactions that can still be forwarded.
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	256
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	257	After the pause also consider the fact that whatever
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	258	transaction is recorded in the blockchain will be in the
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	259	``historical record'' for the Bitcoin system. If a transaction
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	260	says 1 Bitcoin goes from address $A$ to address $B$, then this
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	261	is what will be---$B$ has then the possibility to spend the
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	262	corresponding Bitcoins, whether the transaction was done
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	263	fraudulently or not. There is no exception to this rule.
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	264	Interestingly this is also how Bitcoins can get lost: One
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	265	possibility is that you send Bitcoins to an address for which
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	266	nobody has generated a private key, for example because of a
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	267	typo in the address field---bad luck for fat
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	268	fingers\footnote{\url{http://en.wikipedia.org/wiki/Typographical_error}}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	269	in the Bitcoin system. The reason is that nobody has a private
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	270	key for this erroneous address and consequently cannot forward
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	271	the transaction anymore. Another possibility is that you
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	272	forget your private key and you had messages forwarded to the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	273	corresponding public key. Also in this case bad luck: you will
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	274	never be able to forward this message again, because you will
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	275	not be able to form a valid message that sends this to
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	276	somebody else (we will see the details of this later). But
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	277	this is also a way how you can get robbed of your Bitcoins. By
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	278	old-fashioned hacking-into-a-computer crime, for example, an
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	279	attacker might get hold of your private key and then quickly
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	280	forward the Bitcoins that are in your name to an address the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	281	attacker controls. You will never again have access to these
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	282	Bitcoins, because for the Bitcoin system they are assumed to
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	283	be spent. And remember with Bitcoins you cannot appeal to any
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	284	higher authority. Once the Bitcoins are gone, they are gone.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	285	This is much different in traditional banking where at least
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	286	you can try to harass the bank to roll back the transaction.
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	287
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	288	This brings us to back to problem of double spend. Suppose Bob
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	289	is a merchant. How can he make sure that Alice does not cheat
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	290	him? She could for example send a transaction to Bob. But also
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	291	forward the ``same'' transaction to Charlie, or even herself.
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	292	If Alice manages to get the second transaction into the
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	293	blockchain, Bob will be cheated out of his money. The problem
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	294	in such conflicting situations is how should the network
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	295	update their blockchain? You might end up with a picture like
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	296	this
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	297
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	298	\begin{center}
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	299	\includegraphics[scale=0.4]{../pics/bitcoindisagreement.png}
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	300	\end{center}
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	301
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	302	\noindent where Alice convinced some part of the ``world''
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	303	that she is still the owner of the Bitcoin and some other part
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	304	of the ``world'' thinks it's Bob's. How should such a
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	305	disagreement be resolved? This is actually the main hurdle
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	306	where Bitcoin really innovated. The answer is that Bob needs
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	307	to convince ``enough'' people on the network that the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	308	transaction from Alice to him is legit.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	309
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	310	What does, however, ``enough'' mean in a distributed system?
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	311	If Alice sets up a network of a billion, say, puppy identities
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	312	and whenever Bob tries to convince, or validate, that he is
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	313	the rightful owner of the Bitcoin, then the puppy identities
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	314	agree. Bob would then have no reason to not give Alice her
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	315	coffee. But behind his back, however, she has convinced
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	316	everybody else on the network that she is still the rightful
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	317	owner of the Bitcoin. After being outvoted, Bob would be a tad
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	318	peeved.
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	319
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	320	The reflex reaction to such a situation would be to make the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	321	process of validating a transaction as cheap as possible. The
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	322	intention is that Bob will get enough peers to agree with him
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	323	that he is the rightful owner. But such a solution has always
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	324	the limitation of Alice setting up an even bigger network of
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	325	puppy identities. The really cool idea of Bitcoin is to go
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	326	into the other direction of making the process of transaction
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	327	validation (artificially) as expensive as possible, but reward
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	328	people for helping with the validation. This is really a novel
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	329	and counterintuitive idea that makes the whole system of
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	330	Bitcoins work so beautifully.
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	331
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	332	\subsubsection*{Proof-of-Work Puzzles}
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	333
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	334	In order to make the process of transaction validation
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	335	difficult, Bitcoin uses a kind of puzzles. Solving the puzzles
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	336	is called \emph{Bitcoin mining}, where whoever solves a puzzle
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	337	will be awarded some Bitcoins. At the beginning this was 50
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	338	Bitcoins, but the rules of Bitcoin are set up such that this
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	339	amount halves every 210,000 transactions or so. Currently you
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	340	will be awarded 25 Bitcoins for solving a puzzle. Because the
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	341	amount will halve again and then later again and again, around
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	342	the year 2140 it will go below the level of 1 Satoshi. In that
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	343	event no new Bitcoins will ever be created again and the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	344	amount of Bitcoins stays fixed. There will be still an
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	345	incentive to help with validating transactions, because there
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	346	is the possibility in Bitcoins to offer a transaction fee to
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	347	whoever solves a puzzle. At the moment this fee is usually set
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	348	to 0, since the incentive for miners is the 25 Bitcoins that
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	349	are currently awarded for solving puzzles.
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	350
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	351	What do the puzzles that miners have to solve look like? The
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	352	puzzles can be illustrated roughly as follows: Given a string,
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	353	say \code{"Hello, world!"}, what is the salt so that the hash
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	354	starts with a long run of zeros? Let us look at a concrete
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	355	example. Recall that Bitcoins use the hash-function SHA-256.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	356	Suppose we call this hash function \code{h}, then we could try
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	357	the salt \code{0} as follows:
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	358
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	359	\begin{quote}
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	360	\code{h("Hello, world!0") =}\\
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	361	\mbox{}\quad\footnotesize\pcode{1312af178c253f84028d480a6adc1e25e81caa44c749ec81976192e2ec934c64}
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	362	\end{quote}
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	363
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	364	\noindent OK this does not have any zeros at all. We could
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	365	next try the salt \code{1}:
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	366
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	367	\begin{quote}
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	368	\code{h("Hello, world!1") =}\\
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	369	\mbox{}\quad\footnotesize\pcode{e9afc424b79e4f6ab42d99c81156d3a17228d6e1eef4139be78e948a9332a7d8}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	370	\end{quote}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	371
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	372	\noindent Again this hash value does not contain any leading
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	373	zeros. We could now try out every salt until we reach
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	374
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	375	\begin{quote}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	376	\code{h("Hello, world!4250") =}\\
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	377	\mbox{}\quad\footnotesize\pcode{0000c3af42fc31103f1fdc0151fa747ff87349a4714df7cc52ea464e12dcd4e9}
320 bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	378	\end{quote}
bd5775cc8a45 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 319 diff changeset	379
321 250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	380	\noindent where we have four leading zeros. If four zeros are
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	381	enough, then the puzzle would be solved with this salt. The
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	382	point is that we can very quickly check whether a salt solves
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	383	a puzzle, but it is hard to find one. Latest research suggest
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	384	it is an NP-problem. If we want the output hash value to begin
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	385	with 10 zeroes, say, then we will, on average, need to try
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	386	$16^{10} \approx 10^{12}$ different salts before we find a
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	387	suitable one. In Bitcoins the puzzles are not solved according
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	388	to how many leading zeros a has-value has, but rather whether
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	389	it is below a \emph{target}. The hardness of the puzzle can
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	390	actually be controlled by changing the target according to the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	391	available computational power available. I think the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	392	adjustment of the hardness of the problems is done every two
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	393	weeks. I am not sure whether this is an automatic process. The
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	394	aim of the adjustment is that on average the Bitcoin network
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	395	will most likely solve a puzzle within 10 Minutes.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	396
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	397	\begin{center}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	398	\includegraphics[scale=0.37]{../pics/blockchainsolving.png}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	399	\end{center}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	400
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	401	\noindent It could be solved quicker, but equally it could
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	402	take longer, but on average after 10 Minutes somebody on the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	403	network will have found a solution.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	404
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	405	Remember that the puzzles are a kind of proof-of-work that
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	406	make the validation of transactions artificially expensive.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	407	The validation and the derivation of the puzzle is done as
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	408	follows:
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	409
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	410	\begin{equation}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	411	\includegraphics[scale=0.38]{../pics/bitcoin_unconfirmed.png}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	412	\label{unconfirmed}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	413	\end{equation}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	414
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	415	\noindent There are some unconfirmed transactions. Choosing
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	416	some of them, the miner (i.e.~the person/computer that tries
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	417	to solve a puzzle) will form a putative block to be added to
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	418	the blockchain. This putative block will contain the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	419	transactions and the reference to the previous block. The
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	420	serial number of such a block is simply the hash of all the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	421	data. The puzzle can then be stated as the ``string''
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	422	corresponding to the block and which salt is needed in order
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	423	to have the hashed value being below the target. Other miners
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	424	will choose different transactions and therefore work on a
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	425	slightly different putative block and puzzle.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	426
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	427	The intention of the proof-of-work puzzle is that the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	428	blockchain is at every given moment nicely linearly ordered,
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	429	see the picture shown in \eqref{unconfirmed}. If we don’t have
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	430	such a linear ordering at any given moment then it may not be
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	431	clear who owns which Bitcoins. Assume a miner David is lucky
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	432	and finds a suitable salt to confirm the transactions. Should
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	433	he celebrate? Not yet. Typically the blockchain will look as
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	434	follows
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	435
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	436	\begin{center}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	437	\includegraphics[scale=0.65]{../pics/block_chain1.png}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	438	\end{center}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	439
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	440	\noindent But every so often there will be a fork
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	441
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	442	\begin{center}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	443	\includegraphics[scale=0.65]{../pics/block_chain_fork.png}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	444	\end{center}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	445
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	446	\noindent What should be done in this case? The tie is broken
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	447	if another block is solved, like so:
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	448
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	449	\begin{center}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	450	\includegraphics[scale=0.4]{../pics/bitcoin_blockchain_branches.png}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	451	\end{center}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	452
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	453	\noindent The rule in Bitcoins is: If a fork occurs, people on
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	454	the network keep track of all forks. But at any given time,
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	455	miners only work to extend whichever fork is longest in their
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	456	copy of the block chain. Why should miners work on the longest
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	457	fork? Well their incentive is to mine Bitcoins. If somebody
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	458	else already solved a puzzle, then it makes more sense to work
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	459	on a new puzzle and obtain the Bitcoins for solving that
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	460	puzzle. Note that whoever solved a puzzle on the ``loosing''
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	461	fork will actually not get any Bitcoins as reward. Tough luck.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	462
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	463	\subsubsection*{Alice against the Rest of the World}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	464
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	465	Let is see how the blockchain and the proof-of-work puzzles
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	466	avoid the problem of double spend. If Alice wants to cheat
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	467	Bob she would need to pull off the following ploy:
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	468
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	469	\begin{center}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	470	\includegraphics[scale=0.4]{../pics/bitcoin_blockchain_double_spend.png}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	471	\end{center}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	472
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	473	\noindent Alice makes a transaction to Bob for paying, for
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	474	example, for an online order. This transaction is confirmed,
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	475	or validated, in block 2. Bob ships the goods around block 4.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	476	In this moment, Alice needs to get into action and try to
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	477	validate the fraudulent transaction to herself instead.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	478
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	479	\begin{center}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	480	\includegraphics[scale=0.4]{../pics/bitcoin_doublespend_blockchain_race.png}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	481	\end{center}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	482
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	483	\noindent At this moment she is in a race against all the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	484	computing power of the ``rest of the world''. She has to solve
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	485	the puzzles one by one, because the hash of a block is
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	486	determined by all the data in the previous has. She might be
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	487	very lucky to solve one puzzle for a block before the rest of
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	488	the world, but to be lucky many times is very unlikely. In
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	489	order to raise the bar for Alice, merchants accepting Bitcoin
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	490	use the following rule of thumb: A transaction is
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	491	``confirmed'' if (1) it is part of a block in the longest
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	492	fork, and (2) at least 5 blocks follow it in the longest fork.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	493	In this case we say that the transaction has ``6
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	494	confirmations''. A simple calculation shows that these number
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	495	of confirmations can take up to 1 hour and more. While this
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	496	seems excessively long, from the merchant's point of view it
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	497	is not long at all. For this recall that ordinary credit cards
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	498	can have their transactions been rolled-back for 6 months or
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	499	so. The point however is that the odds for Alice being able to
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	500	cheat are very low.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	501
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	502	Connected with the 6-confirmation rule is an interesting
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	503	phenomenon. On average, it would take several years for a
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	504	typical computer to solve a proof-of-work puzzle, so an
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	505	individual’s chance of ever solving one before the rest of the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	506	world, which typically takes 10 minutes, is negligibly low.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	507	Therefore many people join groups called \emph{mining pools}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	508	that collectively work to solve blocks, and distribute rewards
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	509	based on work contributed. These mining pools act somewhat
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	510	like lottery pools among co-workers, except that some of these
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	511	pools are quite large, and comprise more than 20\% of all the
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	512	computers in the network. It is said that BTC, the largest
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	513	mining pool, has limited its members to not solve more than 6
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	514	blocks in a row. Otherwise this would undermine the trust in
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	515	Bitcoins, which is also not in the interest of BTC, I guess.
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	516
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	517	\subsubsection*{Bitcoins for Real}
250fd40211c7 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 320 diff changeset	518
319 e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	519
e6afcdabd3ea updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 318 diff changeset	520
318 f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	521
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	522	\end{document}
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	523
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	524	bit coin
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	525	https://bitcoin.org/bitcoin.pdf
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	526	https://bitcoin.org/bitcoin.pdf
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	527
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	528	A fistful of bitcoins
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	529	http://cseweb.ucsd.edu/~smeiklejohn/files/imc13.pdf
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	530	http://cseweb.ucsd.edu/~smeiklejohn/files/imc13.pdf
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	531
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	532	Ross Anderson & Co (no dispute resolution; co-ercion)
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	533	http://www.cl.cam.ac.uk/~sjm217/papers/fc14evidence.pdf
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	534
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	535	http://www.michaelnielsen.org/ddi/how-the-bitcoin-protocol-actually-works/
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	536	http://www.imponderablethings.com/2013/07/how-bitcoin-works-under-hood.html
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	537
f376d16470e0 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	538	http://randomwalker.info/bitcoin/

author	Christian Urban <christian dot urban at kcl dot ac dot uk>
	Fri, 21 Nov 2014 01:20:51 +0000
changeset 321	250fd40211c7
parent 320	bd5775cc8a45
child 322	8c07340af3b9
permissions	-rw-r--r--