sen-material: comparison handouts/ho08.tex

equal deleted inserted replaced

-:e6afcdabd3ea
+:bd5775cc8a45
 \documentclass{article}
 \usepackage{../style}
 \usepackage{../graphics}
+\usepackage{../langs}
 \begin{document}
 \section*{Handout 7 (Bitcoins)}
 In my opinion Bitcoins are an elaborate Ponzi
 scheme\footnote{\url{http://en.wikipedia.org/wiki/Ponzi_scheme}}---still
 the ideas behind them are really beautiful and not too
 difficult to understand. Since many colourful claims about
-Bitcoins float around in the mainstream media, it will be
+Bitcoins float around in the mainstream and not-so-mainstream
-instructive to re-examine such claims from a more technically
+media, it will be instructive to re-examine such claims from a
-informed vantage point. For example, it is often claimed that
+more technically informed vantage point. For example, it is
-Bitcoins are anonymous and free from any potential government
+often claimed that Bitcoins are anonymous and free from any
-meddling. It turns out that the first claim ignores a lot of
+potential government meddling. It turns out that the first
-research in de-anonymising social networks, and the second
+claim ignores a lot of research in de-anonymising social
-underestimates the persuasive means a government has at their
+networks, and the second underestimates the persuasive means a
-disposal.
+government has at its disposal.
-There are a lot of articles, blogposts and so on available
+There are a lot of articles, blogposts, research papers
-about Bitcoins. Below I will follow closely the very readable
+etc.~available about Bitcoins. Below I will follow closely the
-explanations from
+very readable explanations from
 \begin{center}
 \url{http://www.michaelnielsen.org/ddi/how-the-bitcoin-protocol-actually-works/} \;\;and\smallskip\\
 \url{http://www.imponderablethings.com/2013/07/how-bitcoin-works-under-hood.html}
 \end{center}
-\noindent
+\noindent The latter also contains a link to a nice youtube
-The latter also contains a link to a nice youtube video.
+video about the technical details behind Bitcoins.
 Let us start with the question who invented Bitcoins? You
 could not make up the answer, but we actually do not know who
 the inventor is. All we know is that the first paper
 \end{center}
 \noindent is signed by Satoshi Nakamoto, which however is
 likely only a pen name. There is a lot of speculation who
 could be the inventor, or inventors, but we simply do not
-know. This part of Bitcoins is definitely anonymous. The first
+know. This part of Bitcoins is definitely anonymous. The paper
-Bitcoin transaction was made in January 2009. The rules in
+above is from the end of 2008; the first Bitcoin transaction
-Bitcoin are set up so that there will ever only be 21 Million
+was made in January 2009. The rules in Bitcoin are set up so
-Bitcoins with the maximum reached around the year 2140.
+that there will ever only be 21 Million Bitcoins with the
-Contrast this with traditional fiat currencies where money can
+maximum reached around the year 2140. Currently there are
-be printed almost at will. The smallest unit of a Bitcoin is
+already 11 Million Bitcoins mined. Contrast this with
-called a Satoshi which is the $10^{-8}$th part of a Bitcoin.
+traditional fiat currencies where money can be printed almost
-Remember a Penny is the $10^{-2}$th part of a Pound.
+at will. The smallest unit of a Bitcoin is called a Satoshi
+which is the $10^{-8}$th part of a Bitcoin. Remember a Penny
+is the $10^{-2}$th part of a Pound.
 The two main cryptographic building blocks of Bitcoins are
 cryptographic hashing (SHA-256) and public-private keys using
 the elliptic-curve encryption scheme for digital signatures.
 Hashes are used to generate `fingerprints' of data that ensure
-integrity. Public-private keys are used for signatures. For
+integrity (absence of tampering). Public-private keys are used
-example sending a message, say $msg$, together with the
+for signatures. For example sending a message, say $msg$,
-encrypted version
+together with the encrypted version
 \[
 msg, \{msg\}_{K^{priv}}
 \]
-\noindent allows everybody with access to the public key to
+\noindent allows everybody with access to the corresponding
-verify the message came from the person who knew the private
+public key $K^{pub}$ to verify the message came from the
-key. Signatures are used in Bitcoins for verifying the
+person who knew the private key. Signatures are used in
-addresses where the Bitcoins are sent from. Addresses in
+Bitcoins for verifying the addresses where the Bitcoins are
-Bitcoins are essentially the public keys. There are $2^{160}$
+sent from. Addresses in Bitcoins are essentially the public
-possible addresses, which is such a vast amount that there is
+keys. There are $2^{160}$ possible addresses, which is such a
-not even a check for duplicates, or already used addresses. If
+vast amount that there is not even a check for duplicates, or
-you start with a random number to generate a public-private
+already used addresses. If you start with a random number to
-key pair it is very unlikely that you step on somebody else's
+generate a public-private key pair it is very unlikely that
-shoes. Compare this with email-addresses you ever wanted to
+you step on somebody else's shoes. Compare this with the
-register with, say, Googlemail, but which were always already
+email-addresses you always wanted to register with, say
-taken.
+Googlemail, but which are already taken.
-One main difference between Bitcoins and, say, traditional
+One main difference between Bitcoins and traditional banking
-banking is that you do not have a place that records the
+is that you do not have a place that records the balance on
-balance on your account. Traditional banking involves a
+your account. Traditional banking involves a central ledger
-central ledger which specifies the current balance in each
+which specifies the current balance in each account, for
-account, for example
+example
 \begin{center}
 \begin{tabular}{l|r}
 account & balance\\\hline
 Alice   & \pounds{10.01}\\
 \end{center}
 \noindent Bitcoins work differently in that there is no such
 central ledger, but instead a public record of all
 transactions ever made. This means spending money corresponds
-to sending messages of the (rough) form
+to sending messages of the (oversimplified) form
 \begin{equation}
 \{\text{I, Alice, am giving Bob one Bitcoin.}\}_{K^{priv}_{Alice}}
 \end{equation}
-\noindent These are the transactions that are the only data
+\noindent These messages, called transactions, are the only
-that is ever stored (we will come to the precise details later
+data that is ever stored in the Bitcoin system (we will come
-on). The transactions are encrypted with Alice's private key
+to the precise details later on). The transactions are
-such that everybody, including Bob, can use Alice's public key
+encrypted with Alice's private key such that everybody,
-$K^{pub}_{Alice}$ for verifying that this message came really
+including Bob, can use Alice's public key $K^{pub}_{Alice}$
-from Alice, or more precisely from the person who knows
+for verifying that this message came really from Alice, or
-$K^{priv}_{Alice}$.
+more precisely from the person who knows $K^{priv}_{Alice}$.
 The problem with such messages in a distributed system is what
 happens if Bob receives 10, say, of these transactions. Did
 Alice intend to send him 10 Bitcoins, or did the message get
 duplicated by for example an attacker re-playing a sniffed
 \noindent But for this banks would need to be trusted and
 would also be an easy target for any government interference,
 for example. Think of the early days of music sharing where
 the company Napster was the single point of ``failure'' which
-was taken offline by law enforcement.
+was taken offline by law enforcement. Bitcoins is more a
+system like BitTorrent without a single central entity that
-Bitcoin solves the problem of not wanting to rely on a bank by
+can be taken offline.
-making everybody the ``bank''. Everybody who cares can have
+Bitcoin solves the problem of not being able to rely on a bank
+by making everybody the ``bank''. Everybody who cares can have
 the entire transactions history starting with the first
 transaction made in January 2009. This history of transactions
 is called \emph{blockchain}. Bob, for example, can use his
 copy of the blockchain for determining whether Alice owned the
-Bitcoin and if yes transmits the message to every other
+Bitcoin he received, and if yes transmits the message to every
-participant on the Bitcoin network. The blockchain looks
+other participant on the Bitcoin network. The blockchain looks
 roughly like a very long chain of individual blocks
 \begin{center}
 \includegraphics[scale=0.4]{../pics/bitcoinblockchain0.png}
 \end{center}
 block (txn's and prev) is hashed so that the reference and
 transactions in them cannot be tampered with. This hash is the
 unique serial number of each block. Since this
 previous-block-reference is also part of the hash, the whole
 chain is robust against tampering. I let you think why this is
-the case. \ldots{}But does it eliminate all possibilities of
+the case?\ldots{}But does it actually eliminate all
-fraud?
+possibilities of fraud?
-We can check the consistency of the blockchain by checking the
+We can check the consistency of the blockchain by checking
-entire block\-chain whether the references and hashes are
+whether all the references and hashes are correctly recorded.
-correctly recorded. I have not tried it myself, but it is said
+I have not tried it myself, but it is said that with the
-that with the current amount of data (appr.~12GB) it takes
+current amount of data (appr.~12GB) it takes roughly a day to
-roughly a day to check the consistency of the blockchain on a
+check the consistency of the blockchain on a ``normal''
-``normal'' computer. Fortunately this ``extended'' consistency
+computer. Fortunately this ``extended'' consistency check
-check usually only needs to be done once.
+usually only needs to be done once. After that it only needs
+to be updated consistently.
 Recall I wrote earlier that Bitcoins do not maintain a ledger
 listing all the current balances in each account. Instead they
-record only transactions. Therefore it is possible to extract
+record only transactions. While a current balance of an
-from the blockchain a transaction graph that looks like the
+account is not immediately available, it is possible to
-picture shown in Figure~\ref{txngraph}. Take for example the
+extract from the blockchain a transaction graph that looks
-rightmost lower transaction from Charles to Emily. This
+like the picture shown in Figure~\ref{txngraph}. Take for
-transaction has as receiver the address of Emily and as the
+example the rightmost lower transaction from Charles to Emily.
-sender the address of Charles. In this way no Bitcoins can
+This transaction has as receiver the address of Emily and as
+the sender the address of Charles. In this way no Bitcoins can
 appear out of thin air (we will discuss later how Bitcoins are
 actually generated). If Charles did not have a transaction of
 at least the amount he wants to give Emily to his name
 (i.e.~send to an address with his public-private key) then
 there is no way he can make a payment to Emily. Equally, if
 now Emily wants to pay for a coffee, say, with the Bitcoin she
-received from Charles she can only make a transaction to
+received from Charles she can essentially only forward the
-forward the message she received. The only slight complication
+message she received. The only slight complication with this
-with is that incoming transactions can be combined in a
+setup in Bitcoins is that ``incoming'' Bitcoins can be
-transaction and ``outgoing'' Bitcoins can be split. For
+combined in a transaction and ``outgoing'' Bitcoins can be
-example in the leftmost upper transactions in
+split. For example in the leftmost upper transactions in
 Figure~\ref{txngraph} Fred makes a payment to Alice. But this
 payment (or transaction) combines the Bitcoins that were send
 by Jane to Fred and also by Juan to Fred. This allows you to
 ``consolidate'' your funds: if there was always only a way to
 split transactions, then the amounts would get smaller and
-smaller. But it is also important to be able to split the
+smaller.
-money from one or more incoming transaction to more than one
-receiver. Consider again the rightmost transactions in
+But in Bitcoins it is also important to have the ability to
-Figure~\ref{txngraph} and suppose Alice is a coffeeshop owner
+split the money from one or more incoming transaction to
-selling coffees for 1 Bitcoin. Charles received a transaction
+potentially more than one receiver. Consider again the
-from Zack over 5 Bitcoins. How does he pay for the coffee?
+rightmost transactions in Figure~\ref{txngraph} and suppose
-There is no real notion of change in the Bitcoin system. What
+Alice is a coffeeshop owner selling coffees for 1 Bitcoin.
-Charles has to do instead is to make one single transaction
+Charles received a transaction from Zack over 5 Bitcoins, say.
-with 1 Bitcoin to Alice and with 4 Bitcoins going back to
+How does he pay for the coffee? There is no real notion of
-himself. Which Charles can then use to give to Emily.
+change in the Bitcoin system. What Charles has to do instead
+is to make one single transaction with 1 Bitcoin to Alice and
+with 4 Bitcoins going back to himself, which then Charles can
+use to give to Emily, for example.
 \begin{figure}[t]
 \begin{center}
 \includegraphics[scale=0.4]{../pics/blockchain.png}
 \end{center}
 Let us make another example. Let us assume Emily received 4
 Bitcoins from Charles and independently has another
 transaction (not shown in the picture) that sends 6 Bitcoins
 to her. If she now wants to buy a coffee from Alice for 1
-Bitcoin she has two possibilities. She could just forward the
+Bitcoin, she has two possibilities. She could just forward the
 transaction from Charles over 4 Bitcoins to Alice splitted in
 such a way that Alice receives 1 Bitcoin and Emily sends the
-remaining 3 Bitcoins `back' to herself. In this case she would
+remaining 3 Bitcoins ``back'' to herself. In this case she would
 now be in the ``posession'' of two unspend Bitcoin
 transactions, one over 3 Bitcoins and the independent one over
 6 Bitcoins. Or, Emily could combine both transactions (one
 over 4 Bitcoins from Charles and the independent one over 6
 Bitcoins) and then split this amount with 1 Bitcoin going to
 Alice and 9 Bitcoins going back to herself.
-I let you have time to let this concept of transactions sink
+I think this is a good time for you to pause to let this
-in\ldots{}in the words of a famous 60ies Band: ``All you need
+concept of transactions really sink in\ldots{}abusing the
-is transactions''. There is no need for a central ledger and
+words of a famous 60ies Band: With Bitcoins ``all you need is
-no need for an account balance from traditional banking. The
+transactions''. There is really no need for a central ledger
-closest what Bitcoin has to offer for a notion of a balance in
+and no need for an account balance as familiar from
-a bank account are the unspend transaction that a person (that
+traditional banking. The closest what Bitcoin has to offer for
-is public-private key address) received. That means
+the notion of a balance in a bank account are the unspend
-transactions that can still be forwarded.
+transaction that a person (more precisely a public-private key
+address) received. That means transactions that can still be
-Also consider the fact that whatever transaction is recorded
+forwarded.
-in the blockchain is what will set the ``historical record''.
-If a transaction says 1 Bitcoin from address $A$ to address
+After the pause also consider the fact that whatever
-$B$, then this is what will be recorded. This is also how
+transaction is recorded in the blockchain will be in the
-Bitcoins can actually get lost: if you forget your private key
+``historical record'' for the Bitcoin system. If a transaction
-and you had just a message forwarded to you address of the
+says 1 Bitcoin goes from address $A$ to address $B$, then this
-public key, then bad luck: you will never be able to forward
+is what will be---$B$ has then the possibility to spend the
-this message again, because you will not be able to form a
+corresponding Bitcoins, whether the transaction was done
-valid message that sends this to somebody else (we will see
+fraudulently or not. There is no exception to this rule.
-the details of this later). But this is also a way how you can
+Interestingly this is also how Bitcoins can get lost: One
-get robbed of your Bitcoins. An attacker might get hold of
+possibility is that you send Bitcoins to an address for which
-your private key and then quickly forward the Bitcoins in your
+nobody has generated a private key. For example by a typo in
-name to an address the attacker controls. You have never again
+the address field---bad luck for fat
+fingers.\footnote{\url{http://en.wikipedia.org/wiki/Typographical_error}}
+The reason is that nobody has a private key for this erroneous
+address and consequently cannot forward the transaction
+anymore. Another possibility is that you forget your private
+key and you had messages forwarded to your address
+corresponding to your the public key. In this case also bad
+luck: you will never be able to forward this message again,
+because you will not be able to form a valid message that
+sends this to somebody else (we will see the details of this
+later). But this is also a way how you can get robbed of your
+Bitcoins. By old-fashioned hacking-into-a-computer crime, for
+example, an attacker might get hold of your private key and
+then quickly forward the Bitcoins that are in your name to an
+address the attacker controls. You will never have again
 access to these Bitcoins, because for the Bitcoin system they
-are assumed to be spend. And remember with Bitcoins you cannot
+are assumed to be spent. And remember with Bitcoins you cannot
 appeal to any higher authority. Once it is gone, it is gone.
 This is different with traditional banking where at least you
-can try to harass the bank to rollback the transaction.
+can try to harass the bank to roll back the transaction.
 This brings us to back to problem of double spend. Say Bob is
-a merchant. How can he make sure that Alice does not cheat.
+a merchant. How can he make sure that Alice does not cheat?
-She could for example send a transaction to Bob. But also to
+She could for example send a transaction to Bob. But also
-Charlie, or even herself. If Bob is also in the coffee
+forward the ``same'' transaction to Charlie, or even herself.
-business, he would potentially be cheated out of his money.
+If Alice manages to get the second transaction into the
-The problem is how should people update their blockchain?
+blockchain, Bob will be cheated out of his money. The problem
-You might end up with a picture like this
+in such conflicting situations is how should the network
+update their blockchain? You might end up with a picture like
-\begin{center}
+this
-\includegraphics[scale=0.3]{../pics/bitcoindisagreement.png}
-\end{center}
+\begin{center}
+\includegraphics[scale=0.4]{../pics/bitcoindisagreement.png}
-\noindent Alice convinced some part of the ``world'' that she
+\end{center}
-is still owner of the bitcoin and some other part of the
-``world'' thinks its Bob's. How should such a disagreement be
+\noindent Alice convinced some part of the ``world'' that she
-resolved? This is actually the main hurdle where Bitcoin
+is still owner of the bitcoin and some other part of the
-really innovated. The answer is that Bob needs to convince
+``world'' thinks its Bob's. How should such a disagreement be
-``enough'' people on the network that the transaction from
+resolved? This is actually the main hurdle where Bitcoin
-Alice to him is legit. But what means enough in a distributed
+really innovated. The answer is that Bob needs to convince
-system? If Alice sets up network of a billion puppy identidies
+``enough'' people on the network that the transaction from
-and whenever Bob tries to ask whether Alice is the rightful
+Alice to him is legit. However what does ``enough'' mean in a
-owner of the Bitcoin and Alice just send a transaction to him,
+distributed system? If Alice sets up network of a billion
-the puppy network of identities just says yes. Bob would then
+puppy identities and whenever Bob tries to convince, or
-give the coffee to Alice, but then for everybody else the
+validate, that he is the rightful owner of the Bitcoin, the
+puppy identities agree. Bob would then have no reason to not
+give Alice her coffee. But behind his back she has convinced
+everybody else on the network that she is still the rightful
+owner of the Bitcoin. After being outvoted, Bob would be a tad
+peeved.
+The reflex action of a security engineer would be to make the
+process of validating as cheap as possible. The idea is that
+Bob will get enough peers to agree with him that he is the
+rightful owner. But such a solution has always the limitation
+of that Alice could set up an even bigger network of puppy
+identities. So the really cool idea of Bitcoin is to go into
+the other direction of making the process of transaction
+validation (artificially) as expensive as possible, but reward
+people for helping with the validation. This is really a novel
+and counterintuitive idea that makes the whole system work so
+beautifully.
+\subsubsection*{Proof-of-Work}
+In order to make the process of transaction validation
+difficult, Bitcoin uses a kind of puzzles. Solving the puzzles
+is called mining where whoever solves a puzzle will be awarded
+some bitcoins. At the beginning of Bitcoins this was 50
+Bitcoins, but the rules of Bitcoin are set up such that this
+amount halves every 210,000 transactions or so. Currently you
+will be awarded 25 Bitcoins for solving a puzzle. Because the
+amount will halve again and then later again and again, around
+2140 it will go below the level of 1 Satoshi. In that event no
+new Bitcoins will ever be created again and the amount stays
+fixed. There will be still an incentive to help with
+validating transactions, because there is the possibility in
+Bitcoins to award a transaction fee to whoever solves a
+puzzle. At the moment this fee is usually set to 0, since the
+incentive for miners is the currently 25 Bitcoins that are
+awarded for solving puzzles.
+What are the puzzles that miners have to solve? Recall that
+Bitcoins uses the hash-function SHA-256. The puzzle is roughly
+as follows: Given a string, say \code{"Hello, world!"}, what
+is the salt so the hash starts with a long run of zeros?
+Suppose we call the hash function \code{h}, then we could try
+the salt \code{0} as follows:
+\begin{quote}
+\code{h("Hello, world!0") =}\\
+\mbox{}\quad\footnotesize\pcode{1312af178c253f84028d480a6adc1e25e81caa44c749ec81976192e2ec934c64}\\
+\end{quote}
+\noindent OK this does not have any zeros at all. We could
+next try the salt \code{1}:
+\begin{quote}
+\code{h("Hello, world!1") =}\\
+\mbox{}\quad\footnotesize\pcode{e9afc424b79e4f6ab42d99c81156d3a17228d6e1eef4139be78e948a9332a7d8}\\
+\end{quote}
+%\begin{center}
+%\begin{tabular}{@{}l@{}}
+%\footnotesize\code{h("Hllo, world!1")}\\
+%\;\;\scriptsize\code{%\ldots\\
+%\footnotesize\code{h("Hello, world!4250")}\\
+%\;\;\scriptsize\code{0000c3af42fc31103f1fdc0151fa747ff87349a4714df7cc52ea464e12dcd4e9}
+%\end{tabular}
+%\end{center}
 \end{document}

changeset 320	bd5775cc8a45
parent 319	e6afcdabd3ea
child 321	250fd40211c7