Lecture 2.1: Centralization vs Decentralization

Decentralization is not all-or-nothing

Email: decentralized protocol, but dominated by centralized webmail services.

Aspects of decentralization in Bitcoin

Who maintains the ledger?
Who has authority over which transactions are valid?
Who creates new bitcoins?
Who determines how the rules of the system change?
How do bitcoins acquire exchange value?

Beyond the protocol, we have exchanges, wallet software, service providers, etc.

Peer-to-peer network
- Open to anyone, low barrier to entry
Mining
- open to anyone, but inevitable concentration of power
- often seen as undesirable
Updates to software
- Core developers trusted by community, have great power

Lecture 2.2: Distributed Consensus

Bitcoin's key challenge

Key technical challenge of decentralized e-cash: distributed consensus

or: how to decentralize ScroogeCoin?

Why consensus protocol?

Traditional motivation: reliability in distributed systems

Distributed key-value store enables various applications: DNS, public key directory, stock trades, etc. These are good targets for Altcoins!

Defining distributed consensus

The protocol terminates and all correct nodes decide on the same value.
This value must have been proposed by some correct node.

Bitcoin is a peer-to-peer system

When Alice wants to pay Bob, she broadcasts the transaction to all Bitcoin nodes.
Bob's computer is not in the picture.
Bob could run a node to listen on the transactions being broadcast, but his listening is not necessary for him to recieve the funds.

How consensus could work in Bitcoin

At any given time:

All nodes have a sequence of blocks of transactions they've reached consensus on
Each node has a set of outstanding transactions it's heard about

Why consensus is hard

Nodes may crash
Nodes may be malicious
Network is imperfect
- Not all pairs of nodes connected
- Faults in network
- Latency: no notion of global time

Many impossibility results

Byzantine generals problem
Fischer-Lynch-Paterson (deterministic nodes): consensus impossible even with a single faulty node.

Some well-known protocols

Example: Paxos

Never produces inconsistent result, but can (rarely) get stuck.

Understanding impossibility results

These results say more about the model than about the proble.

The models were developed to study systems like distributed databases.

Bitcoin consensus: theory and practice

Bitcoin consensus works better in practice than in theory
Theory is still catching up
BUT theory is important, can help predict unforeseen attacks

Some things Bitcoin does differently

Introduces incentives
- Possible only because it's a currency!
Embraces randomess
- Does away with the notion of a specific end-point
- Consensus happens over long time scales - about 1 hour

Lecture 2.3: Consensus without identity: the block chain

Why identity?

Pragmatic: some protocols need node IDs
Security: assume less than 50% malicious

Why don't Bitcoin nodes have identities?

Identity is hard in P2P system - Sybil attack
The Sybil attack in computer security is an attack wherein a reputation system is subverted by forging identities in peer-to-peer networks.
Pseudonymity is a goal of Bitcoin

Weaker assumption: select random node

Analogy: lottery or raffle

When tracking and verifying identities is hard, we give prople tokens, tickets, etc.

Now we can pick a random ID and select that node.

Key idea: implicit consensus

In each round, random node is picked
This node proposes the next block in the chain
Other nodes implicitly accept/reject this block
- by either extending it
- or ignoring it and extending chain from earlier block
Every block contains hash of the block it extends

Consensus algorithm (simplified)

New transactions are broadcast to all nodes
Each node collects new transactions into a block
In each round a random node gets to broadcast its block
Other nodes accept the block only if all transactions in it are valid (unspent, valid signatures)
Nodes express their acceptance of the block by including its hash in the next block they create.

What can a malicious node do?

Steal bitcoins of another address that it doesn't control
- Not possible because digital signatures cannot be forged
Deny service to a particular user by not including any transaction from the user in the block proposed by the node
- Valid attack, but it's nothing more than a little annoyance. The user just has to wait for an honest node gets the chance to propose a block.
Double-spending attack

Double-spending attack

Honest nodes will extend the longest valid branch.

Merchant's point of view

Recap

Protection against invalid transactions is cryptographic, but enforeced by consensus.
Protection against double-spending is purely by consensus
You're never 100% sure a transaction is in consensus branch. Guarantee is probailistic.

Lecture 2.4: Incentives and proof of work

Assumption of honesty is problematic

Can we give nodes incentives for behaving honestly?

Giving honest nodes incentives

Note: Penalizing is problematic because there is no identity system, so there is no way to go after dishonest actors and penalize them.

Everything so far is just a distributed consensus protocol. But now we utilize the fact that the currency has value.

Incentive 1: block reward

Creator of block gets to
- include special coin-creation transaction in the block
- choose recipient address of this transaction
Value is fixed: currently 25 BTC, halves every 4 years.
Block creator gets to "collect" the reward only if the block ends up on long-term consensus branch!

There is a finite supply of bitcoins

Bitcoin supply

Incentive 1: transaction fees

Creator of transaction can choose to make output value less than input value
Remainder is a transaction fee and goes to block creator
Purely voluntary, like a tip

Remaining problems

How to pick a random node?
How to avoid a free-for-all due to rewards?
- Everyone will start running nodes and will claim free bitcoins
How to prevent Sybil attacks?

Proof of work

To approximate selecting a random node:

select nodes in proportion to a resource that no one can monopolize (we hope)
In proportion to computing power: proof-of-work
In proportion to ownership: proof-of-stake

Equivalent views of proof of work

Select nodes in proportion to computing power
Let nodes compete for right to create block
Make it moderately hard to create new identities

Hash puzzles

Bitcoin supply

PoW property 1: difficult to compute

As of Aug 2014: about $10^{20}$ hashes/block
Only some nodes bother to compete - miners

PoW property 2: parameterizable cost

Nodes automatically re-calculate the target every two weeks
Goal: average time between blocks = 10 minutes
Probability (miner wins next block) = fraction of global hash power controlled by the miner

Key security assumption

Attacks infeasible if majority of miners weighted by hash power follow the protocol.

Solving hash puzzles is probabilistic

Mean time to find block for individual miner

PoW property 3: trivial to verify

Nonce must be published as part of the block

Other miners simply verify that

  H(nonce | prev_hash | tx | ... | tx) < target

Lecture 2.5: Putting it all together

Mining economics

Complications

Fixed vs variable costs
Reward depends on global hash rate
Cost incurred in terms of dollars, but rewards are in bitcoins

Bitcoin has three types of consensus

Value
State
Rules

Bitcoin is bootstrapped

What can a "51% attacker" do?

Steal coins from existing address?
- No, because you need to subvert the cryptography by forging digital signatures.
- A 51% attacker could probably create the longest chain, but other honest actors can easily see that the signatures do not match.
Supress some transactions?
- From the blockchain => possible
- From the P2P network => not possible; transactions still find a way to reach the other (honest) nodes
Change the block reward?
- No, because attacker doesn't control the copies of Bitcoin software run by honest nodes.
Destroy confidence in Bitcoin?
- It can very well materialize. Even an unsuccessful 51% attack can damage bitcoin.