sen-material: comparison handouts/ho08.tex

equal deleted inserted replaced

-:8c07340af3b9
+:0629590fd299
 \url{http://www.michaelnielsen.org/ddi/how-the-bitcoin-protocol-actually-works/} \;\;and\smallskip\\
 \url{http://www.imponderablethings.com/2013/07/how-bitcoin-works-under-hood.html}
 \end{center}
 \noindent The latter also contains a link to a nice youtube
-video about the technical details behind Bitcoins.
+video about the technical details behind Bitcoins. I will
+also use some of their pictures.
 Let us start with the question who invented Bitcoins? You
 could not make up the answer, but we actually do not know who
 the inventor is. All we know is that the first paper
 \[
 msg, \{msg\}_{K^{priv}}
 \]
 \noindent allows everybody with access to the corresponding
-public key $K^{pub}$ to verify the message came from the
+public key $K^{pub}$ to verify that the message came from the
 person who knew the private key. Signatures are used in
 Bitcoins for verifying the addresses where the Bitcoins are
 sent from. Addresses in Bitcoins are essentially the public
 keys. There are $2^{160}$ possible addresses, which is such a
 vast amount that there is not even a check for duplicates, or
 already used addresses. If you start with a random number to
 generate a public-private key pair it is very unlikely that
 you step on somebody else's shoes. Compare this with the
 email-addresses you always wanted to register with, say
-Googlemail, but which are already taken.
+Gmail, but which are already taken.
-One main difference between Bitcoins and traditional banking
+One major difference between Bitcoins and traditional banking
 is that you do not have a place, or places, that record the
 balance on your account. Traditional banking involves a
 central ledger which specifies the current balance in each
 account, for example
 \noindent These messages, called transactions, are the only
 data that is ever stored in the Bitcoin system (we will come
 to the precise details later on). The transactions are
 encrypted with Alice's private key so that everybody,
-including Bob, can use Alice's public key $K^{pub}_{Alice}$
+including Bob, can use Alice's public key $K^{pub}_{Alice}$ to
-for verifying that this message came really from Alice, or
+verify that this message came really from Alice, or more
-more precisely from the person who knows $K^{priv}_{Alice}$.
+precisely from the person who knows $K^{priv}_{Alice}$.
 The problem with such messages in a distributed system is that
-what happens if Bob receives 10, say, of these transactions.
+what happens if Bob receives 10, say, of these transactions?
 Did Alice intend to send him 10 Bitcoins, or did the message
 get duplicated by for example an attacker re-playing a sniffed
 message? What is needed is a kind of serial number for such
 transactions. This means transaction messages look more like
 \noindent But for this banks would need to be trusted and
 would also be an easy target for any government interference,
 for example. Think of the early days of music sharing where
 the company Napster was the single point of ``failure'' which
-was taken offline by law enforcement. Bitcoins is more a
+was taken offline by law enforcement. Bitcoins is more like a
-system like BitTorrent without a single central entity that
+system such as BitTorrent without a single central entity that
-can be taken offline.
+can be taken offline.\footnote{There is some Bitcoin
+infrastructure that is not so immune from being taken offline:
+for example Bitcoin exchanges, HQs of Bitcoin mining pools,
+Bitcoin developers and so on.}
 Bitcoin solves the problem of not being able to rely on a bank
 by making everybody the ``bank''. Everybody who cares can have
 the entire transactions history starting with the first
 transaction made in January 2009. This history of transactions
-is called \emph{blockchain}. Bob, for example, can use his
+is called the \emph{blockchain}. Bob, for example, can use his
 copy of the blockchain for determining whether Alice owned the
 Bitcoin he received, and if she did, he transmits the message
 that he owns it now to every other participant on the Bitcoin
 network. An illustration of a three-block segment of the
 blockchain is (simplified) as follows
 \noindent The chain grows with time. Each block contains a
 list of individual transactions, written txn in the picture
 above, and also a reference to the previous block, written
 prev. The data in a block (txn's and prev) is hashed so that
 the reference and transactions in them cannot be tampered
-with. This hash is the unique serial number of each block.
+with. This hash is also the unique serial number of each
-Since this previous-block-reference is also part of the hash,
+block. Since this previous-block-reference is also part of the
-the whole chain is robust against tampering. I let you think
+hash, the whole chain is robust against tampering. I let you
-why this is the case?\ldots{}But does it actually eliminate
+think why this is the case?\ldots{}But does it actually
-all possibilities of fraud?
+eliminate all possibilities of fraud?
 We can check the consistency of the blockchain by checking
 whether all the references and hashes are correctly recorded.
 I have not tried it myself, but it is said that with the
 current amount of data (appr.~12GB) it takes roughly a day to
 payment (or transaction) combines the Bitcoins that were send
 by Jane to Fred and also by Juan to Fred. This allows you to
 ``consolidate'' your funds: if it were only possible to split
 transactions, then the amounts would get smaller and smaller.
-But in Bitcoins it is also important to have the ability to
+In Bitcoins you have the ability to both combine incoming
-split the money from one or more incoming transaction to
+transactions, but also to split outgoing transactions to
-potentially more than one receiver. Consider again the
+potentially more than one receiver. The latter is needed.
-rightmost transactions in Figure~\ref{txngraph} and suppose
+Consider again the rightmost transactions in
-Alice is a coffeeshop owner selling coffees for 1 Bitcoin.
+Figure~\ref{txngraph} and suppose Alice is a coffeeshop owner
-Charles received a transaction from Zack over 5 Bitcoins, say.
+selling coffees for 1 Bitcoin. Charles received a transaction
-How does he pay for the coffee? There is no explicit notion of
+from Zack over 5 Bitcoins, say. How does he pay for the
-\emph{change} in the Bitcoin system. What Charles has to do
+coffee? There is no explicit notion of \emph{change} in the
-instead is to make one single transaction with 1 Bitcoin to
+Bitcoin system. What Charles has to do instead is to make one
-Alice and with 4 Bitcoins going back to himself, which then
+single transaction with 1 Bitcoin to Alice and with 4 Bitcoins
-Charles can use to give to Emily, for example.
+going back to himself, which then Charles can use to give to
+Emily, for example.
 \begin{figure}[t]
 \begin{center}
 \includegraphics[scale=0.4]{../pics/blockchain.png}
 \end{center}
 transaction (not shown in the picture) that sends 6 Bitcoins
 to her. If she now wants to buy a coffee from Alice for 1
 Bitcoin, she has two possibilities: She could just forward the
 transaction from Charles over 4 Bitcoins to Alice split in
 such a way that Alice receives 1 Bitcoin and Emily sends the
-remaining 3 Bitcoins ``back'' to herself. In this case she
+remaining 3 Bitcoins back to herself. In this case she would
-would now be in the ``possession'' of two unspend Bitcoin
+now be in the possession of two unspend Bitcoin transactions,
-transactions, one over 3 Bitcoins and the independent one over
+one over 3 Bitcoins and the independent one over 6 Bitcoins.
-6 Bitcoins. Or, Emily could combine both transactions (one
+Or, Emily could combine both transactions (one over 4 Bitcoins
-over 4 Bitcoins from Charles and the independent one over 6
+from Charles and the independent one over 6 Bitcoins) and then
-Bitcoins) and then split this amount with 1 Bitcoin going to
+split this amount with 1 Bitcoin going to Alice and 9 Bitcoins
-Alice and 9 Bitcoins going back to herself.
+going back to herself.
 I think this is a good time for you to pause to let this
-concept of transactions really sink in\ldots{}You should see
+concept of transactions to really sink in\ldots{}You should
-that there is really no need for a central ledger and no need
+see that there is really no need for a central ledger and no
-for an account balance as familiar from traditional banking.
+need for an account balance as familiar from traditional
-The closest what Bitcoin has to offer for the notion of a
+banking. The closest what Bitcoin has to offer for the notion
-balance in a bank account are the unspend transactions that a
+of a balance in a bank account are the unspend transactions
-person (more precisely a public-private key address) received.
+that a person (more precisely a public-private key address)
-That means transactions that can still be forwarded.
+received. That means transactions that can still be forwarded.
 After the pause also consider the fact that whatever
 transaction is recorded in the blockchain will be in the
 ``historical record'' for the Bitcoin system. If a transaction
 says 1 Bitcoin goes from address $A$ to address $B$, then this
 not be able to form a valid message that sends this to
 somebody else (we will see the details of this later). But
 this is also a way how you can get robbed of your Bitcoins. By
 old-fashioned hacking-into-a-computer crime, for example, an
 attacker might get hold of your private key and then quickly
-forward the Bitcoins that are in your name to an address the
+forwards the Bitcoins that are in your name to an address the
 attacker controls. You will never again have access to these
 Bitcoins, because for the Bitcoin system they are assumed to
 be spent. And remember with Bitcoins you cannot appeal to any
 higher authority. Once the Bitcoins are gone, they are gone.
 This is much different in traditional banking where at least
 What does, however, ``enough'' mean in a distributed system?
 If Alice sets up a network of a billion, say, puppy identities
 and whenever Bob tries to convince, or validate, that he is
 the rightful owner of the Bitcoin, then the puppy identities
 agree. Bob would then have no reason to not give Alice her
-coffee. But behind his back, however, she has convinced
+coffee. But behind his back she has convinced everybody else
-everybody else on the network that she is still the rightful
+on the network that she is still the rightful owner of the
-owner of the Bitcoin. After being outvoted, Bob would be a tad
+Bitcoin. After being outvoted, Bob would be a tad peeved.
-peeved.
 The reflex reaction to such a situation would be to make the
 process of validating a transaction as cheap as possible. The
 intention is that Bob will get enough peers to agree with him
 that he is the rightful owner. But such a solution has always
 Bitcoins work so beautifully.
 \subsubsection*{Proof-of-Work Puzzles}
 In order to make the process of transaction validation
-difficult, Bitcoin uses a kind of puzzles. Solving the puzzles
+difficult, Bitcoin uses a kind of puzzle. Solving the puzzles
 is called \emph{Bitcoin mining}, where whoever solves a puzzle
 will be awarded some Bitcoins. At the beginning this was 50
 Bitcoins, but the rules of Bitcoin are set up such that this
 amount halves every 210,000 transactions or so. Currently you
 will be awarded 25 Bitcoins for solving a puzzle. Because the
 point is that we can very quickly check whether a salt solves
 a puzzle, but it is hard to find one. Latest research suggest
 it is an NP-problem. If we want the output hash value to begin
 with 10 zeroes, say, then we will, on average, need to try
 $16^{10} \approx 10^{12}$ different salts before we find a
-suitable one. In Bitcoins the puzzles are not solved according
+suitable one.
-to how many leading zeros a has-value has, but rather whether
-it is below a \emph{target}. The hardness of the puzzle can
+In Bitcoins the puzzles are not solved according to how many
-actually be controlled by changing the target according to the
+leading zeros a hash-value has, but rather whether it is below
-available computational power available. I think the
+a \emph{target}. The hardness of the puzzle can actually be
-adjustment of the hardness of the problems is done every two
+controlled by changing the target according to the available
-weeks. I am not sure whether this is an automatic process. The
+computational power available. I think the adjustment of the
-aim of the adjustment is that on average the Bitcoin network
+hardness of the problems is done every 2060 blocks
-will most likely solve a puzzle within 10 Minutes.
+(appr.~every two weeks). I am not sure whether this is an
+automatic process. The aim of the adjustment is that on
+average the Bitcoin network will most likely solve a puzzle
+within 10 Minutes.
 \begin{center}
 \includegraphics[scale=0.37]{../pics/blockchainsolving.png}
 \end{center}
 take longer, but on average after 10 Minutes somebody on the
 network will have found a solution.
 Remember that the puzzles are a kind of proof-of-work that
 make the validation of transactions artificially expensive.
-The validation and the derivation of the puzzle is done as
+Consider the following picture with a blockchain and some
-follows:
+unconfirmed transactions.
 \begin{equation}
 \includegraphics[scale=0.38]{../pics/bitcoin_unconfirmed.png}
 \label{unconfirmed}
 \end{equation}
-\noindent There are some unconfirmed transactions. Choosing
+\noindent The puzzle is given as follows: There are some
-some of them, the miner (i.e.~the person/computer that tries
+unconfirmed transactions. Choosing some of them, the miner
-to solve a puzzle) will form a putative block to be added to
+(i.e.~the person/computer that tries to solve a puzzle) will
-the blockchain. This putative block will contain the
+form a putative block to be added to the blockchain. This
-transactions and the reference to the previous block. The
+putative block will contain the transactions and the reference
-serial number of such a block is simply the hash of all the
+to the previous block. The serial number of such a block is
-data. The puzzle can then be stated as the ``string''
+simply the hash of all the data. The puzzle can then be stated
-corresponding to the block and which salt is needed in order
+as the ``string'' corresponding to the block and which salt is
-to have the hashed value being below the target. Other miners
+needed in order to have the hashed value being below the
-will choose different transactions and therefore work on a
+target. Other miners will choose different transactions and
-slightly different putative block and puzzle.
+therefore work on a slightly different putative block and
+puzzle.
 The intention of the proof-of-work puzzle is that the
-blockchain is at every given moment nicely linearly ordered,
+blockchain is at every given moment linearly ordered, see the
-see the picture shown in \eqref{unconfirmed}. If we don’t have
+picture shown in \eqref{unconfirmed}. If we don’t have such a
-such a linear ordering at any given moment then it may not be
+linear ordering at any given moment then it may not be clear
-clear who owns which Bitcoins. Assume a miner David is lucky
+who owns which Bitcoins. Assume a miner David is lucky and
-and finds a suitable salt to confirm the transactions. Should
+finds a suitable salt to confirm the transactions. Should he
-he celebrate? Not yet. Typically the blockchain will look as
+celebrate? Not yet. Typically the blockchain will look as
 follows
 \begin{center}
 \includegraphics[scale=0.65]{../pics/block_chain1.png}
 \end{center}
 \begin{center}
 \includegraphics[scale=0.65]{../pics/block_chain_fork.png}
 \end{center}
-\noindent What should be done in this case? The tie is broken
+\noindent What should be done in this case? Well, the tie is
-if another block is solved, like so:
+broken if another block is solved, like so:
 \begin{center}
 \includegraphics[scale=0.4]{../pics/bitcoin_blockchain_branches.png}
 \end{center}
 \noindent The rule in Bitcoins is: If a fork occurs, people on
-the network keep track of all forks. But at any given time,
+the network keep track of all forks (they can see). But at any
-miners only work to extend whichever fork is longest in their
+given time, miners only work to extend whichever fork is
-copy of the block chain. Why should miners work on the longest
+longest in their copy of the block chain. Why should miners
-fork? Well their incentive is to mine Bitcoins. If somebody
+work on the longest fork? Well their incentive is to mine
-else already solved a puzzle, then it makes more sense to work
+Bitcoins. If somebody else already solved a puzzle, then it
-on a new puzzle and obtain the Bitcoins for solving that
+makes more sense to work on a new puzzle and obtain the
-puzzle. Note that whoever solved a puzzle on the ``loosing''
+Bitcoins for solving that puzzle, rather than wast efforts on
-fork will actually not get any Bitcoins as reward. Tough luck.
+a fork that is shorter and therefore less likely to be
+``accepted''. Note that whoever solved a puzzle on the
+``loosing'' fork will actually not get any Bitcoins as reward.
+Tough luck.
 \subsubsection*{Alice against the Rest of the World}
-Let is see how the blockchain and the proof-of-work puzzles
+Let us see how the blockchain and the proof-of-work puzzles
 avoid the problem of double spend. If Alice wants to cheat
-Bob she would need to pull off the following ploy:
+Bob, she would need to pull off the following ploy:
 \begin{center}
 \includegraphics[scale=0.4]{../pics/bitcoin_blockchain_double_spend.png}
 \end{center}
 \noindent Alice makes a transaction to Bob for paying, for
 example, for an online order. This transaction is confirmed,
 or validated, in block 2. Bob ships the goods around block 4.
 In this moment, Alice needs to get into action and try to
-validate the fraudulent transaction to herself instead.
+validate the fraudulent transaction to herself instead. At
+this moment she is in a race against all the computing power
+of the ``rest of the world''. Because the incentive of the
+rest of the world is to work on the longest chain, that is the
+one with the transaction from Alice to Bob:
 \begin{center}
 \includegraphics[scale=0.4]{../pics/bitcoin_doublespend_blockchain_race.png}
 \end{center}
-\noindent At this moment she is in a race against all the
+\noindent As shown in the picture she has to solve the puzzles
-computing power of the ``rest of the world''. She has to solve
+2a to 5a one after the other, because the hash of a block is
-the puzzles one by one, because the hash of a block is
+determined via the reference by all the data in the previous
-determined by all the data in the previous has. She might be
+block. She might be very lucky to solve one puzzle for a block
-very lucky to solve one puzzle for a block before the rest of
+before the rest of the world, but to be lucky many times is
-the world, but to be lucky many times is very unlikely. In
+very unlikely. This principle of having to race against the
-order to raise the bar for Alice, merchants accepting Bitcoin
+rest of the world avoids the ploy of double spend.
-use the following rule of thumb: A transaction is
-``confirmed'' if (1) it is part of a block in the longest
+In order to raise the bar for Alice even further, merchants
-fork, and (2) at least 5 blocks follow it in the longest fork.
+accepting Bitcoin use the following rule of thumb: A
-In this case we say that the transaction has ``6
+transaction is ``confirmed'' if
-confirmations''. A simple calculation shows that these number
-of confirmations can take up to 1 hour and more. While this
+\begin{itemize}
-seems excessively long, from the merchant's point of view it
+\item[(1)] it is part of a block in the longest fork, and
-is not long at all. For this recall that ordinary credit cards
+\item[(2)] at least 5 blocks follow it in the longest fork. In
+this case we say that the transaction has ``6
+confirmations''.
+\end{itemize}
+\noindent A simple calculation shows that this amount of
+confirmations can take up to 1 hour and more. While this seems
+excessively long, from the merchant's point of view it is not
+that long at all. For this recall that ordinary creditcards
 can have their transactions been rolled-back for 6 months or
 so. The point however is that the odds for Alice being able to
-cheat are very low.
+cheat are very low, unless she can muster more than 50\% of
+the world Bitcoin mining capacity.
 Connected with the 6-confirmation rule is an interesting
 phenomenon. On average, it would take several years for a
 typical computer to solve a proof-of-work puzzle, so an
 individual’s chance of ever solving one before the rest of the
-world, which typically takes 10 minutes, is negligibly low.
+world, which typically takes only 10 minutes, is negligibly
-Therefore many people join groups called \emph{mining pools}
+low. Therefore many people join groups called \emph{mining
-that collectively work to solve blocks, and distribute rewards
+pools} that collectively work to solve blocks, and distribute
-based on work contributed. These mining pools act somewhat
+rewards based on work contributed. These mining pools act
-like lottery pools among co-workers, except that some of these
+somewhat like lottery pools among co-workers, except that some
-pools are quite large, and comprise more than 20\% of all the
+of these pools are quite large, and comprise more than 20\% of
-computers in the network. It is said that BTC, the largest
+all the computers in the network. It is said that BTC, a large
 mining pool, has limited its members to not solve more than 6
 blocks in a row. Otherwise this would undermine the trust in
 Bitcoins, which is also not in the interest of BTC, I guess.
+Some statistics on mining pools can be seen at
+\begin{center}
+\url{https://blockchain.info/pools}
+\end{center}
 \subsubsection*{Bitcoins for Real}
-\ldots
+Let us now turn to the nitty gritty details. As a user you
+need to generate and store a public-private key pair. The
+public key you need to advertise in order to receive payments
+(transactions). The private key needs to be securely stored.
+For this there seem to be three possibilities
+\begin{itemize}
+\item an electronic wallet on your computer
+\item a cloud-based storage (offered by some Bitcoin service)
+\item paper-based
+\end{itemize}
+\noindent The first two options of course offer convenience
+for making and receiving transactions. But given the nature of
+the private key and how much security relies on them (recall
+if somebody gets hold of it, your Bitcoins are quickly lost
+forever) I would opt for the third option for anything except
+for trivial amounts of Bitcoins. As we have seen securing a
+computer system that it can withstand a breakin is still very
+much an unsolved problem.
+An interesting fact with Bitcoin keys is that there is no
+check for duplicate addresses. This means when generating a
+public-private key, you should really start with a carefully
+chosen random number such that there is really no chance to
+step on somebody's feet in the $2^{160}$ space of
+possibilities. Again if you share an address with somebody
+else, he or she has access to all your unspend transactions.
+The absence of such a check is easily explained: How would one
+do this in a distributed system? The answer you can't. It is
+possible to do some sanity check of addresses that are already
+used in the black chain, but this is not a fail-proof method.
+One really has to trust on the enormity of the $2^{160}$
+number.
+Let us now look at the data that is stored in an transaction
+message:
 \lstinputlisting[language=Scala]{../slides/msg}
-\noindent
+\noindent The hash in Line 1 is the hash of all the data that
-The hash in Line 1 is the has of all the data that follows. It
+follows. It is a kind of serial number for the transaction.
-is a kind of serial number for the transaction. Line 2
+Line 2 contains a version number in case there are some
-contains a version number. Line 3 and 4 specify how many
+incompatible changes to be made. Lines 3 and 4 specify how
-incoming transactions are combined and how many outgoing
+many incoming transactions are combined and how many outgoing
-transactions there are. In our example there are 1 each. Line
+transactions there are. In our example there are one for each.
-5 specifies a lock time for when the transaction is supposed
+Line 5 specifies a lock time for when the transaction is
-to become active---this is usually set to 0 to become active
+supposed to become active---this is usually set to 0 to become
-immediately. Line 6 specifies the size of the message; it has
+active immediately. Line 6 specifies the size of the message;
-nothing to do with the Bitcoins that are transferred. Lines 7
+it has nothing to do with the Bitcoins that are transferred.
-to 11 specify where the Bitcoins in the transaction are coming
+Lines 7 to 11 specify where the Bitcoins in the transaction
-from. The has in line 9 specifies the incoming transaction and
+are coming from. The has in line 9 specifies the incoming
-the \pcode{n} in Line 10 specifies which output of the
+transaction and the \pcode{n} in Line 10 specifies which
-transaction is referred to. The signature in line 11 specifies
+output of the transaction is referred to. The signature in
-the address (public key $K^{pub}$) from where the Bitcoins are
+line 11 specifies the address (public key $K^{pub}$) from
-taken and the digital signature of the address, that is
+where the Bitcoins are taken and the digital signature of the
-$\{K^{pub}\}_{K^{priv}}$. Lines 12 to 15 specify the value of
+address, that is $\{K^{pub}\}_{K^{priv}}$. Lines 12 to 15
-the first outgoing transaction. In this case 0.319 Bitcoins.
+specify the value of the first outgoing transaction. In this
-The hash in Line 14 specifies the address to where the
+case 0.319 Bitcoins. The hash in Line 14 specifies the address
-Bitcoins are transferred.
+to where the Bitcoins are transferred.
-\ldots
+As can be seen there is no need to issue serial numbers for
+transactions, the hash of the transaction data can do this
+job. The hash will contain the sender addresses and
+hash-references to the incoming transactions, as well as the
+public key of the incoming transaction. This uniquely
+identifies a transaction and the hash is the unique
+fingerprint of it. The in-field also contains the address to
+which a earlier transaction is made. The digital signature
+ensures everybody can check that the person who makes this
+transaction is in the possession of the private key. Otherwise
+the signature would not match up with the public-key address.
+When mining the blockchain it only needs to be ensured that
+the transactions are consistent (all hashes and signatures
+match up). Then we need to generate the correct previous-block
+link and solve the resulting puzzle. Once the block is
+accepted, everybody can check the integrity of the whole
+blockchain.
+A word of warning: The point of a lottery is that some people
+win. But equally, that most people lose. Mining Bitcoins has
+pretty much the same point. According to the article below, a
+very large machine (very, very large in terms of June 2014)
+could potentially mine \$40 worth of Bitcoins a day, but would
+require magnitudes more of electricity costs to do so.
+\begin{center}
+\url{http://bitcoinmagazine.com/13774/government-bans-professor-mining-bitcoin-supercomputer/}
+\end{center}
 \subsubsection*{Anonymity and Government Meddling}
 One question one often hears is how anonymous is it actually
-to pay with Bitcoins? Paying with paper money in the past was
+to pay with Bitcoins? Paying with paper money used to be a
-quite an anonymous act (unlike paying with creditcards), but
+quite anonymous act (unlike paying with creditcards, for
-this has changed nowadays. You cannot come to a bank anymore
+example). But this has changed nowadays: You cannot come to a
-with a suitcase full of money and try to open a bank account.
+bank anymore with a suitcase full of money and try to open a
-Strict money laundering and taxation laws mean that not even
+bank account. Strict money laundering and taxation laws mean
-Swiss banks are prepared to take such money and open a bank
+that not even Swiss banks are prepared to take such money and
-account. With Bitcoins the situation is different, but I fully
+open a bank account. That is why Bitcoins are touted as
-agree with the statement by Nielsen from the blog article I
+filling this niche again of anonymous payments.
-referenced at the beginning:
+While Bitcoins are intended to be anonymous, the reality is
+slightly different. I fully agree with the statement by
+Nielsen from the blog article I referenced at the beginning:
 \begin{quote}\it{}``Many people claim that Bitcoin can be used
 anonymously. This claim has led to the formation of
 marketplaces such as Silk Road (and various successors), which
 specialize in illegal goods. However, the claim that Bitcoin
 the great majority of Bitcoin users are not identified with
 relatively high confidence and ease in the near future.''
 \end{quote}
 \noindent The only thing I can add is that with Bitcoins we
-will have even more fun with many more confessions like the
+will have even more fun hearing confessions like the infamous
-infamous ``I did not
+``I did not
 inhale''.\footnote{\url{www.youtube.com/watch?v=Bktd_Pi4YJw}}
 The whole point of the blockchain is that it public and will
-always be. There are some precautions that are suggested, like
+always be.
-to use a new public-private key pair for every new transaction
-or access Bitcoin only through the Tor network. But the
+There are some precautions that are suggested, like to use a
+new public-private key pair for every new transaction, and to
+access Bitcoin only through the Tor network. But the
 transactions in Bitcoins are designed such that they allow one
 to combine incoming transactions. In such cases we know they
 must have been made by the single person who new the
 corresponding private keys. So using different public-private
-keys for each transaction, might not make the de-anonymisation
+keys for each transaction might not actually make the
-task much harder. And the point about de-anonymising
+de-anonymisation task much harder. And the point about
-`anonymous' social networks is that the information is
+de-ano\-nymising `anonymous' social networks is that the
-embedded into the structure of the transition graph. And this
+information is embedded into the structure of the transition
-cannot be erased with Bitcoins.
+graph. And this cannot be erased with Bitcoins.
 Finally, what are the options for a typical western government
 to meddle with Bitcoins? This is of course one feature the
-proponents of Bitcoins tout: namely that there aren't any
+proponents of Bitcoins also tout: namely that there aren't any
-options. In my opinion this is too naive and far from the
+options. In my opinion this is far too naive and far from the
 truth. Let us assume some law enforcement agencies would not
-have been able to uncover the baddies from Silk Road 2.0 (they
+have been able to uncover the baddies from Silk Road 1.0 and
-have done so by uncovering the Tor network, and incredible
+2.0 (they have done so by uncovering the Tor network, which is
-feat on its own). Would a government have stopped?
+an incredible feat on its own). Would a government have
+stopped? I think no. The next target would have been Bitcoin.
+If I were the government, this is what I would consider:
 \begin{itemize}
 \item The government could compel ``mayor players'' to
-blacklist Bitcoins (for example at exchanges). This
+blacklist Bitcoins (for example at Bitcoin exchanges).
-would impinge on what is called \emph{fungibility} of
+This would impinge on what is called \emph{fungibility}
-Bitcoins and make them much less attractive to baddies.
+of Bitcoins and make them much less attractive to
-This blacklisting can be easily done ``whole-sale'' and
+baddies. Suddenly their hard-earned Bitcoin money cannot
+be spent anymore.The attraction of this option is that
+this blacklisting can be easily done ``whole-sale'' and
 therefore be really be an attractive target for
 governments \& Co.
-\item They could attempt to coerce developer community of the
+\item The government could attempt to coerce the developer
-Bitcoin tools. While this might be a bit harder, we know
+community of the Bitcoin tools. While this might be a
-certain governments are ready to take such actions (we
+bit harder, we know certain governments are ready to
-have seen this with Lavabit, just that the developers
+take such actions (we have seen this with Lavabit, just
-there refused to play ball and shut down their complete
+that the developers there refused to play ball and shut
-operation).
+down their complete operation).
 \item The government could also put pressure on mining pools
-in order to blacklist transactions from baddies. Or be
+in order to blacklist transactions from baddies. Or be a
 big a miner itself. Given the gigantic facilities that
-are built for institutions like the NSA
+are built for institutions like the NSA (pictures from
+the Utah dessert)
 \begin{center}
 \includegraphics[scale=0.04]{../pics/nsautah1.jpg}
 \hspace{3mm}
 \includegraphics[scale=0.031]{../pics/nsautah2.jpg}
 \end{center}
-this would not be such a high bar to jump over.
+this would not be such a high bar to jump over. Remember
-\end{itemize}
+it ``only'' takes to temporarily be in control of 50\%+
+of the mining capacity in order to undermine the trust
-\noindent Finally the government would potentially not need to
+in the system. Given sophisticated stories like Stuxnet
-follow up with such threads. Just the rumour that it would,
+(where we still not know the precise details) maybe even
-could be enough to get the Bitcoin-house-of-cards to tumble.
+such large facilities are not really needed. What
-Because of all this I would not have too much hope that
+happens, for example, if a government starts DoS attacks
-Bitcoins are free from government \& Co interference when it
+on existing miners: They have complete control
-will stand in its way.
+(unfortunately) of all mayor connectivity providers,
+i.e.~ISPs.
+There are estimates that the Bitcoin mining capacity
+outperforms the top 500 supercomputers in the world,
+combined(!):
+\begin{center}\small
+\url{http://www.forbes.com/sites/reuvencohen/2013/11/28/global-bitcoin-computing-power-now-256-times-faster-than-top-500-supercomputers-combined/}
+\end{center}
+But my gut feeling is that these are too simplistic
+calculations. In security (and things like Bitcoins) the
+world is never just black and white. The point is once
+the trust is undermined, the Bitcoin system would need
+to be evolved to Bitcoins 2.0. But who says that Bitcoin
+2.0 will honour the Bitcoins from Version 1.0?
+\end{itemize}
+\noindent Finally, a government would potentially not really
+need to follow up with such threads. Just the rumour that it
+would, could be enough to get the Bitcoin-house-of-cards to
+tumble. Some governments have already such a ``impressive''
+trackrecord in this area, such a thread would be entirely
+credible. Because of all this, I would not have too much hope
+that Bitcoins are free from government \& Co interference when
+it will stand in its way, despite what everybody else is
+saying. To sum up, the technical details behind Bitcoins are
+simply cool. But still the entire Bitcoin ecosystem is in my
+humble opinion rather fragile.
+\subsubsection*{Further Reading}
+Finally, finally, the article
+\begin{center}\small
+\url{http://www.extremetech.com/extreme/155636-the-bitcoin-network-outperforms-the-top-500-supercomputers-combined}
+\end{center}
+\noindent makes an interesting point: If people are willing to
+solve meaningless puzzles for hard, cold cash and with this
+achieve rather impressive results, what could we achieve if
+the UN, say, would find the money and incentivise people to,
+for example, solve protein folding
+puzzles?\footnote{\url{http://en.wikipedia.org/wiki/Protein_folding}}
+There are projects like
+Folding@home\footnote{\url{http://folding.stanford.edu}} which have
+This might help with curing diseases such as Alzheimer or
+diabetes, which to a large portion baddies and goodies will
+suffer at some point. The same point is made in the article
+\begin{center}\small
+\url{http://gizmodo.com/the-worlds-most-powerful-computer-network-is-being-was-504503726}
+\end{center}
 \end{document}
 bit coin
 https://bitcoin.org/bitcoin.pdf

changeset 323	0629590fd299
parent 322	8c07340af3b9
child 336	3cb200fa6d6a