KAUNAS UNIVERSITY OF TECHNOLOGY
Faculty of mathematics and natural sciences
Department of applied mathematics
Course work
Cryptographic currency: Bitcoin
P170M100 – Cryptographic systems
Author: I. Ignatauskas IF-3.3 gr.
Supervisor: Prof. dr. E. Sakalauskas
Kaunas, 2013
1. Introduction
2. Network
2.1. The block chain
2.2. Blocks
2.3. Mining (block hashing)
2.4. SHA-256
3. Transactions
3.1. Digital Signature Algorithm
3.2. Addresses and wallets
3.3. Transaction messages
3.4. Confirmation
3.5. In-store transactions
Conclusion
References
1. Introduction
The concept of a “crypto-currency” was first described in 1998 by Wei Dai. It was the idea of a new form of money that uses cryptography, instead of a central authority, to control its creation and its transactions. The first successful implementation of the idea is Bitcoin, which was introduced in 2009 by Satoshi Nakamoto [1]. Bitcoin is an open-source, completely digital currency and a peer-to-peer payment network that is powered by its users. The most commonly used unit in Bitcoin is also called the bitcoin (BTC), while the smallest unit is the satoshi (1 BTC = 100,000,000 satoshis).
The main problems with centralized currencies are that their controllers can increase the supply at will and impose arbitrary rules on their users. Furthermore, such systems can be destroyed or disrupted by attacking the central point of control. Being decentralized, Bitcoin removes that single point of control.
Currently most electronic payments rely on banks and payment systems such as PayPal. While these work well enough, they have several disadvantages. First of all, you have to provide your personal information to third parties; your accounts can be frozen or their balance partially or completely confiscated; payments to certain legal entities may be refused. They also have high costs: a credit card or payment system transaction fee may be several percent of the transaction, and an electronic funds transfer from one bank account to another is also expensive (local transfers usually cost about 1 euro, international ones 10-50 euros) and, for the cheaper transfer options, may take a few days. Another problem for merchants is that completely non-reversible payments are not possible, which leads merchants to ask for more information from their customers than they would otherwise need. Despite their best efforts, a certain percentage of fraud is still unavoidable. In comparison, Bitcoin is potentially anonymous (more precisely pseudonymous, since every transaction is public, see below), has very low or no transaction cost, transfers can be made worldwide with an average confirmation time of 10 minutes, no authority can freeze or deny payments to your accounts, and payments are non-reversible.
Payment systems based on a trusted third party use data encryption to protect user information. In Bitcoin's case nothing is actually encrypted and all transactions are made public. The advantage of this is that there is no central database of accounts that can be hacked. However, this puts a lot of responsibility into the hands of the user, who has to keep his wallet (private keys) secure: whoever holds a private key can spend the coins it controls, and there is no one to reverse a theft. Bitcoin transactions are only tied to cryptographic keys, so privacy is also the responsibility of the user.
Some people also view Bitcoin as a viable alternative to traditional government-controlled fiat currencies. At first Bitcoin was mostly known and used by IT enthusiasts and criminals. A large part of Bitcoin's growing popularity was caused by the global financial crisis, which reduced people's trust in banking systems and government-controlled currencies. People started to look for alternative ways to store their money, and cryptographic currencies started to get more attention. Investing in Bitcoin, however, seems to be risky because currently its exchange rate is very unstable and it is not backed by any government or institution.
Since the introduction of Bitcoin, many similar crypto-currencies have emerged which share most of their source code with Bitcoin. For example, Litecoin (LTC) uses a different hashing algorithm, has a higher maximum number of coins and a shorter block (confirmation) time. Nevertheless, Bitcoin remains the most popular crypto-currency.
The aim of this paper is to analyze and describe how the Bitcoin network and protocol operate.
2. Network
Bitcoin uses a peer-to-peer network to propagate transactions. All Bitcoin transactions are combined into blocks that form the block chain. Nodes exchange information about blocks, transactions and other node addresses that they know of. The network may be summarized by the following points [1]:
1) New transactions are broadcast to all nodes.
2) Each full node (in this paper, a node that performs the proof-of-work computation which keeps the network secure, i.e. a miner) collects new transactions into a block.
3) Each full node works on finding a proof-of-work for its block.
4) When a full node finds a proof-of-work, it broadcasts the block to all nodes.
5) Nodes accept the block only if all transactions in it are valid and the block follows the protocol rules.
6) Full nodes express their acceptance by working on creating the next block in the chain, using the hash of the accepted block as the previous-block hash.
2.1. The block chain
The block chain is a public transaction database which is shared by all nodes on the Bitcoin network. It is the main innovation of Bitcoin. The full block chain contains every transaction that ever occurred on the network, and it is stored on the computer of anyone who chooses to do so. Because of this, many users have complete records of every transaction in Bitcoin's history readily available to them at any point, and anyone who wants this information can obtain it with ease. This makes Bitcoin very hard to fool: a node does not have to trust anyone's claim about a balance, it can check the whole history itself.
Blocks in the chain are connected to each other by referring to the hash value of the previous block (fig. 1). This works as a timestamp that proves that the referenced block existed at the time of creation of the block which references it. Every new block added to the chain reinforces the chronological order and validity of the previous blocks.
Figure 1: Chronological connection of blocks
Honest network nodes only generate new blocks by referencing blocks in the longest valid chain (fig. 2, black blocks; strictly, the chain with the most accumulated proof-of-work, which is normally also the longest). A chain is considered valid if all blocks and transactions within it are valid, and only if it starts at the genesis block (the first block ever generated; fig. 2, green block). Blocks in invalid chains or in shorter chains are not used. When a client switches to another chain, all valid transactions that were only in the abandoned chain are returned to the pool of queued transactions and will be included in another block. Once a block has been in the chain for a while, it becomes computationally impractical to modify, because every block after it would have to be regenerated. These properties make double spending of bitcoins very difficult.
As a block can only reference a single previous block, there can only be one path from any block back to the genesis block. However, going forward from the genesis block there may be forks (fig. 2, purple blocks), which occur when two (or more) blocks reference the same previous block. One-block forks are created from time to time when two nodes generate a block only a few seconds apart. When that happens, full nodes build onto the block which they received first. The tie breaks when the next block is generated and one of the branches becomes longer. More serious forks have occurred after fixing bugs that required backward-incompatible changes.
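As an added example (not part of the original paper), the following Python models the chain-selection rule just described: each block commits to its parent through the double SHA-256 of a simplified header, a node collects every tip, discards tips whose ancestry does not reach the genesis block, picks the chain with the most accumulated work, and returns the transactions of an abandoned branch to the queue. The block contents and the one-unit-of-work-per-block accounting are constructed for illustration; a real header carries the fields of table 1.

```python
import hashlib
import json
from typing import Dict, List, Optional, Set

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

class Block:
    """Toy block: the hash covers prev_hash, so a block commits to its whole ancestry."""
    def __init__(self, prev_hash: str, txs: List[str], work: int = 1):
        self.prev_hash = prev_hash
        self.txs = list(txs)
        self.work = work      # proof-of-work contributed; simplified to 1 per block
        header = json.dumps({"prev": prev_hash, "txs": self.txs}).encode()
        self.hash = dsha256(header).hex()

GENESIS = Block("00" * 32, ["coinbase-0"])

def chain_to_genesis(tip: Block, blocks: Dict[str, Block]) -> Optional[List[Block]]:
    """Follow prev_hash links back from `tip`. Returns the chain genesis-first,
    or None if it does not end at the genesis block (orphan branch or cycle)."""
    path, seen, cur = [], set(), tip
    while cur is not None and cur.hash not in seen:
        seen.add(cur.hash)
        path.append(cur)
        if cur.hash == GENESIS.hash:
            return path[::-1]
        cur = blocks.get(cur.prev_hash)
    return None

def total_work(chain: List[Block]) -> int:
    return sum(b.work for b in chain)

def select_best_chain(blocks: Dict[str, Block]) -> Optional[List[Block]]:
    """The 'longest valid chain' rule: among all tips, take the valid chain with the
    most accumulated work. The tip seen first wins a tie, as described in the text."""
    referenced = {b.prev_hash for b in blocks.values()}
    best = None
    for tip in (b for b in blocks.values() if b.hash not in referenced):
        chain = chain_to_genesis(tip, blocks)
        if chain is not None and (best is None or total_work(chain) > total_work(best)):
            best = chain
    return best

def requeue_after_reorg(old_chain: List[Block], new_chain: List[Block]) -> Set[str]:
    """Transactions confirmed only in the abandoned branch go back to the pool."""
    in_new = {tx for b in new_chain for tx in b.txs}
    return {tx for b in old_chain for tx in b.txs if tx not in in_new}

def demo():
    blocks = {GENESIS.hash: GENESIS}
    def add(block: Block) -> Block:
        blocks[block.hash] = block
        return block
    a = add(Block(GENESIS.hash, ["tx1", "tx2"]))
    b1 = add(Block(a.hash, ["tx3", "tx6"]))      # one-block fork: two miners extend `a`
    b2 = add(Block(a.hash, ["tx3", "tx4"]))      # a few seconds apart
    seen_first = chain_to_genesis(b1, blocks)     # this node received b1 first
    add(Block(b2.hash, ["tx5"]))                  # the tie breaks when b2 is extended
    add(Block("ff" * 32, ["tx-orphan"]))          # does not connect to genesis: ignored
    best = select_best_chain(blocks)
    return best, requeue_after_reorg(seen_first, best)
```

In the demo the node first considers `b1` the tip; once `b2` is extended, the best chain becomes genesis, `a`, `b2`, `tx5`, and `tx6` (only ever confirmed in `b1`) returns to the queue, while `tx3` needs no re-queueing because both branches carried it.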
Figure 2: Block chain
2.2. Blocks
Bitcoin transactions are permanently recorded in the network through files called blocks. The maximum size of a block is currently limited to 1 MB, but it may be increased in the future. Each block contains a UNIX timestamp, which is used in block validity checks to make it more difficult for an adversary to manipulate the block chain. New blocks are added to the end of the record (block chain) by referencing the hash of the previous block, and once added they are never changed. A variable number of transactions is included into a block through a merkle tree (fig. 3). Transactions in the merkle tree are hashed using double SHA-256 (hash of the hash of the transaction message); each inner node is the double SHA-256 of its two concatenated children, and when a level has an odd number of nodes the last one is paired with itself.
Figure 3: Structure of a merkle tree
Transactions are included into the block's hash indirectly through the merkle root (the top hash of the merkle tree). This allows removing old transactions (fig. 4) without modifying the hash of the block. Once the latest transaction is buried under enough blocks, the previous transactions serve only as a history of ownership and can be discarded to save space.
Figure 4: Removing old transactions from the blocks
2.3. Mining (block hashing)
Mining is the process of including transactions into newly generated blocks. The primary purpose of mining is validation of transactions, but it also serves as the mechanism that creates new bitcoins. Mining is designed to be resource intensive, and its difficulty is adjusted by the network so that the rate at which blocks are generated remains steady. When mining, a node is constantly trying to produce a proof-of-work, which is required for the block to be accepted by the network as valid. The proof-of-work algorithm is relatively simple. The basic idea is that the hash (double SHA-256) of the block header (see table 1) must be smaller than a set target. Different hash values are produced mostly by changing the nonce (the timestamp and accepting a transaction into the block also change the hash, but those change relatively slowly). When a node finds a hash that meets the target requirement (solves a block), it broadcasts the new block to the network and is entitled to the block generation reward. Once a proof-of-work is found, other nodes can easily verify it, and the block cannot be changed without redoing the work. As blocks are chained, changing a block would also require redoing all the blocks after it. So as long as honest nodes control most of the computing power of the network, the honest chain will outpace any other chain.
Table 1: Structure of a block header
Field           | Purpose                                                    | Update conditions                              | Size, bytes
Version         | Block version number                                       | Software update which specifies a new version  | 4
hashPrevBlock   | 256-bit hash of the previous block header                  | A new block comes in                           | 32
hashMerkleRoot  | 256-bit hash based on all of the transactions in the block | A transaction is accepted into a block         | 32
Time            | Current timestamp as seconds since 1970-01-01T00:00 UTC    | Every few seconds                              | 4
Bits            | Current target in compact format                           | Difficulty is changed                          | 4
Nonce           | 32-bit number (starts at 0)                                | A hash is tried                                | 4
The difficulty is changed by adjusting the current target (the number which the hash value must be lower than). This is done every 2016 blocks (about two weeks). The network hash rate is estimated from how long it took to generate the last 2016 blocks, and a new target is set so that the average time to generate a block would be 10 minutes. The target is actually a 256-bit number which is stored in the header in a special compact floating-point format (the Bits field: one byte of base-256 exponent and three bytes of mantissa). Blocks whose target values do not follow the protocol's difficulty rules are considered invalid by honest network nodes.
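Added example (not the paper's code) of the proof-of-work mechanics of this section: decoding the compact Bits field into a 256-bit target, serializing the 80-byte header of table 1, searching the nonce, verifying a solved header, and the 2016-block retarget including the four-fold clamp the protocol applies to each adjustment. The previous-block hash, merkle root and the very low difficulty are constructed so the search finishes in pure Python; 0x1D00FFFF is the protocol's difficulty-1 target and 0x1B0404CB a commonly cited compact-format example.

```python
import hashlib
import struct

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

MAX_BITS = 0x1D00FFFF   # lowest difficulty the protocol allows (difficulty 1)

def bits_to_target(bits: int) -> int:
    """Decode the compact 'Bits' field: high byte is a base-256 exponent, low three
    bytes a mantissa; target = mantissa * 256 ** (exponent - 3)."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if bits & 0x00800000:
        raise ValueError("negative target is invalid")
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

def target_to_bits(target: int) -> int:
    """Inverse of bits_to_target (exact when the target fits in 3 significant bytes)."""
    size = (target.bit_length() + 7) // 8
    mantissa = target << (8 * (3 - size)) if size <= 3 else target >> (8 * (size - 3))
    if mantissa & 0x00800000:          # would read as negative: shift one more byte
        mantissa >>= 8
        size += 1
    return (size << 24) | mantissa

def serialize_header(version, prev_hash, merkle_root, timestamp, bits, nonce) -> bytes:
    """The 80-byte header of table 1: integers little-endian, hashes as raw bytes."""
    return (struct.pack("<I", version) + prev_hash + merkle_root
            + struct.pack("<III", timestamp, bits, nonce))

def header_hash_int(header: bytes) -> int:
    # The 32-byte hash is compared with the target as a little-endian integer.
    return int.from_bytes(dsha256(header), "little")

def verify_pow(header: bytes) -> bool:
    if len(header) != 80:
        return False
    bits = struct.unpack("<I", header[72:76])[0]
    return header_hash_int(header) < bits_to_target(bits)

def mine(version, prev_hash, merkle_root, timestamp, bits, max_nonce=2**32):
    """Try nonces until the header hash falls below the target. Returns (nonce, header),
    or (None, None) once the nonce space is exhausted (a miner then bumps the timestamp
    or changes the merkle root and starts over)."""
    target = bits_to_target(bits)
    for nonce in range(max_nonce):
        header = serialize_header(version, prev_hash, merkle_root, timestamp, bits, nonce)
        if header_hash_int(header) < target:
            return nonce, header
    return None, None

def retarget(old_bits: int, actual_seconds: int, expected_seconds: int = 2016 * 600) -> int:
    """Difficulty adjustment: scale the target by actual/expected time of the last 2016
    blocks, clamped to a factor of 4 per adjustment and never above the maximum target."""
    actual = min(max(actual_seconds, expected_seconds // 4), expected_seconds * 4)
    new_target = bits_to_target(old_bits) * actual // expected_seconds
    return target_to_bits(min(new_target, bits_to_target(MAX_BITS)))

SAMPLE_PREV = bytes(32)                          # constructed: all-zero previous hash
SAMPLE_ROOT = dsha256(b"sample merkle root")     # constructed merkle root
EASY_BITS = 0x1F00FFFF                            # about 1 in 65536 hashes succeeds

def demo():
    return mine(1, SAMPLE_PREV, SAMPLE_ROOT, 1_300_000_000, EASY_BITS)
```

Displayed block hashes are the byte-reversed hex of the 32-byte digest, which is why real block hashes are shown with leading zeros; the comparison above works on the little-endian integer directly.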
The block generation reward consists of two parts. The first part is the generation (coinbase) transaction, which creates a certain amount of bitcoins out of nothing. The number of bitcoins created starts at 50 BTC and is reduced by half every 210,000 blocks (fig. 5). The last block that generates coins should be generated near the year 2140, bringing the total number of bitcoins to slightly below 21 million. The second part of the reward is the transaction fees of all transactions included into the block. This fee is an incentive for miners to include transactions into the block (verify them) and to continue mining (and thus provide security to the network) when the number of newly generated bitcoins greatly decreases.
Figure 5: Total number of Bitcoins over time
2.4. SHA-256
Bitcoin uses the SHA-256 hash function for its proof-of-work algorithm. SHA-256 is a cryptographic hash function designed by the United States National Security Agency (NSA) [8]. It consists of the following steps:
1) Initialize the eight starting hash values and the 64 round constants Kt.
2) Pad the message and break it into 512-bit blocks.
3) Produce 64 32-bit words Wt from each 512-bit block (the message schedule).
4) Perform 64 iterations (fig. 6) on each block, using a different Kt and Wt in each.
5) Add the result of each block into the running hash values; the final values form the hash of the message.
SHA-256 is very easy to parallelize and to implement in hardware. In comparison, Litecoin uses the memory-intensive scrypt algorithm, which makes it more difficult to parallelize because a large amount of fast memory would be required to run many cores in parallel. Arguably this makes Litecoin less vulnerable to centralization of mining power arising from limited ownership of specialized hardware. But this is unclear, because SHA-256 is so simple that many individuals could implement it in hardware. Conversely, as scrypt is more difficult to implement, it could prove to be worse for centralization if a well-funded entity comes up with a fast but proprietary ASIC.
Figure 6: One iteration of SHA-256
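As an added example (not part of the original paper), here is a compact pure-Python SHA-256 following the five steps above. Instead of typing in the round constants Kt and the initial hash values, it derives them the way the standard defines them, as the first 32 fractional bits of the cube roots of the first 64 primes and of the square roots of the first 8 primes, using exact integer roots; the result is checked against Python's hashlib. The double hashing used by Bitcoin is included as `block_hash`.

```python
import math
import struct

MASK = 0xFFFFFFFF

def first_primes(count: int):
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes

def icbrt(n: int) -> int:
    """Exact integer cube root (floor) by Newton iteration from above."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

PRIMES = first_primes(64)
# Step 1: initial hash values = fractional bits of sqrt(p) for the first 8 primes,
# round constants Kt = fractional bits of cbrt(p) for the first 64 primes.
H0 = [math.isqrt(p << 64) & MASK for p in PRIMES[:8]]
K = [icbrt(p << 96) & MASK for p in PRIMES]

def rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK

def sha256(message: bytes) -> bytes:
    # Step 2: append 0x80, zeros, and the 64-bit big-endian bit length to reach a multiple of 64 bytes
    padded = (message + b"\x80" + b"\x00" * ((55 - len(message)) % 64)
              + struct.pack(">Q", len(message) * 8))
    h = list(H0)
    for off in range(0, len(padded), 64):
        # Step 3: message schedule, 16 words of the block expanded to 64
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for t in range(16, 64):
            s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
            s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
        # Step 4: 64 rounds of the compression function (fig. 6)
        a, b, c, d, e, f, g, hh = h
        for t in range(64):
            S1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
            ch = (e & f) ^ (~e & g)
            temp1 = (hh + S1 + ch + K[t] + w[t]) & MASK
            S0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
            maj = (a & b) ^ (a & c) ^ (b & c)
            temp2 = (S0 + maj) & MASK
            hh, g, f, e, d, c, b, a = g, f, e, (d + temp1) & MASK, c, b, a, (temp1 + temp2) & MASK
        # Step 5: add the compressed block into the running state
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return b"".join(struct.pack(">I", x) for x in h)

def block_hash(header: bytes) -> bytes:
    """Bitcoin's proof-of-work hash is SHA-256 applied twice."""
    return sha256(sha256(header))
```

The round loop is the part that mining hardware replicates thousands of times: it needs only 32-bit additions, rotations and boolean functions and a few hundred bytes of state, which is what the next paragraph contrasts with scrypt's memory demand.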
3. Transactions
In a simplified way, a Bitcoin transaction is performed by the following steps. Suppose Alice wants to send some bitcoins to Bob:
1) Bob sends his address to Alice.
2) Alice adds Bob's address and the amount of bitcoins to transfer to a transaction message.
3) Alice signs the transaction with her private key and announces her public key for signature verification.
4) Alice broadcasts the transaction on the Bitcoin network for all to see.
5) The network verifies the transaction and includes it into the block chain.
3.1. Digital Signature Algorithm
To sign transactions Bitcoin uses the elliptic curve digital signature algorithm (ECDSA) [3]. An elliptic curve over a prime finite field $\mathbb{F}_p$ is defined by the equation
$$y^2 \equiv x^3 + ax + b \pmod p, \qquad p > 3,\ a, b \in \mathbb{F}_p,$$
and consists of all pairs $(x, y) \in \mathbb{F}_p \times \mathbb{F}_p$ that satisfy it, together with an extra point at infinity $O$ which serves as the identity element.
The group operator for points on an elliptic curve is called addition, but its definition has nothing to do with conventional arithmetic addition (fig. 7). To add a point P to another point Q on the same curve, we first join P and Q with a straight line. The third point of intersection of this line with the curve is denoted R. The mirror image of this point with respect to the x axis is the point P + Q (so P + Q = -R). If the third point of intersection does not exist, we say it is at infinity.
Figure 7: Elliptic curve point addition
Multiplication of a curve point by a scalar is defined as repeated addition, $k \times P = P + P + \dots + P$ (k times, fig. 8). Adding a point to itself, P + P, means that we must draw the tangent at P (when another point approaches P, the joining line becomes the tangent at P in the limit). In practice $k \times P$ is computed by doubling and adding in about $\log_2 k$ steps, whereas recovering k from P and $k \times P$ (the elliptic curve discrete logarithm problem) is believed to be infeasible for a well-chosen curve; this asymmetry is what makes the private key safe to use.
Figure 8: Elliptic curve point multiplication by scalar
For a digital signature based on an elliptic curve, we need to select a curve and a base point G of high prime order n (meaning that $n \times G = O$). Cryptographic signatures in Bitcoin use the secp256k1 [6] curve defined over $\mathbb{F}_p$, where $p = 2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1$ (a 256-bit prime), a = 0 and b = 7.
ECDSA can be described by the following steps. Suppose Alice wants to send a signed message. First Alice creates a key pair, consisting of a private key integer $d_A$, randomly selected in the interval [1, n-1], and a public key curve point $Q_A = d_A \times G$ (elliptic curve point multiplication by a scalar).
For Alice to sign a transaction message m, she follows these steps:
1. Calculate the hash of the message and interpret it as an integer z. (In Bitcoin the signed data is hashed twice: $z = \mathrm{SHA256}(\mathrm{SHA256}(m))$.)
2. Select a random integer k from [1, n-1]. k must be unpredictable and must never be reused for two different messages: two signatures made with the same k reveal the private key.
3. Calculate the curve point $(x_1, y_1) = k \times G$.
4. Calculate $r = x_1 \bmod n$. If r = 0, go back to step 2.
5. Calculate $s = k^{-1}(z + r \cdot d_A) \bmod n$. If s = 0, go back to step 2.
6. The signature is the pair (r, s).
For Bob to authenticate Alice's signature, he must have a copy of her public key point $Q_A$. Bob can verify that $Q_A$ is a valid curve point as follows:
1. Check that $Q_A$ is not equal to the identity element O, and that its coordinates are integers in [0, p-1].
2. Check that $Q_A$ lies on the curve.
3. Check that $n \times Q_A = O$.
After that, Bob follows these steps:
1. Verify that r and s are integers in [1, n-1]. If not, the signature is invalid.
2. Calculate z from m in the same way as the signer did.
3. Calculate $w = s^{-1} \bmod n$.
4. Calculate $u_1 = z \cdot w \bmod n$ and $u_2 = r \cdot w \bmod n$.
5. Calculate the curve point $(x_1, y_1) = u_1 \times G + u_2 \times Q_A$. If it is O, the signature is invalid.
6. The signature is valid if $r \equiv x_1 \pmod n$, and invalid otherwise.
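As an added example (not the paper's code), here is secp256k1 ECDSA in plain Python following the steps above: curve arithmetic with the chord-and-tangent rule of figs. 7 and 8, public-key validation, signing, verification, and the recovery of the private key from two signatures that reused k, which is why step 2 insists on a fresh nonce. The key material is constructed for the test; the double-and-add loop is not constant-time and is for illustration, not for a wallet.

```python
import hashlib
import secrets

# secp256k1 domain parameters from SEC 2 [6]
P = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
O = None   # point at infinity, the group identity

def on_curve(pt) -> bool:
    if pt is O:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0

def point_add(p1, p2):
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                           # P + (-P): vertical line, third point at infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent at P (fig. 8)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord through P and Q (fig. 7)
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P                        # mirror the third intersection in the x axis
    return (x3, y3)

def scalar_mult(k: int, pt):
    """k x P by double-and-add (not constant-time: fine here, not in a wallet)."""
    result, addend = O, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def valid_public_key(Q) -> bool:
    """The three checks of the text: not O, on the curve, and n x Q = O."""
    return Q is not O and on_curve(Q) and scalar_mult(N, Q) is O

def message_hash(m: bytes) -> int:
    # Bitcoin signs the double SHA-256 of the transaction data, read as a big-endian integer
    return int.from_bytes(hashlib.sha256(hashlib.sha256(m).digest()).digest(), "big")

def sign(d: int, m: bytes, k: int = None):
    """ECDSA signature (r, s). `k` is a parameter only so the nonce-reuse demo can force a
    repeat; a real signer draws a fresh unpredictable k for every signature."""
    z = message_hash(m)
    while True:
        kk = k if k is not None else secrets.randbelow(N - 1) + 1
        r = scalar_mult(kk, G)[0] % N
        s = pow(kk, -1, N) * (z + r * d) % N
        if r and s:
            return r, s
        if k is not None:
            raise ValueError("forced k gives a degenerate signature")

def verify(Q, m: bytes, sig) -> bool:
    r, s = sig
    if not valid_public_key(Q) or not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(message_hash(m) * w % N, G), scalar_mult(r * w % N, Q))
    return pt is not O and pt[0] % N == r

def recover_private_key(m1: bytes, sig1, m2: bytes, sig2) -> int:
    """Two signatures with the same k share r; then k = (z1 - z2)/(s1 - s2) and
    d = (s1*k - z1)/r mod n. This is the failure step 2 of the signing procedure warns about."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2:
        raise ValueError("different r: the nonces differ, nothing to recover")
    z1, z2 = message_hash(m1), message_hash(m2)
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N
```

Because the signature covers z, altering a single byte of the message makes the verification point's x coordinate differ from r, and verification rejects the signature.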
3.2. Addresses and wallets
A Bitcoin address is a 160-bit hash of an ECDSA public key (fig. 9): the public key is hashed with SHA-256 and the result with RIPEMD-160. A new ECDSA key pair is generated for each receiving address. The hash value, a version byte and a 4-byte checksum are converted to an alphanumeric representation using a custom Base58Check encoding scheme. Bitcoin allows you to create as many addresses as you want (each address takes up about 500 bytes in the wallet), and each one is completely separate.
All these addresses (public keys) and their associated private keys are stored in a wallet data file. To spend coins sent to a Bitcoin address, the associated private key must exist in the recipient's wallet. Wallets can be encrypted to protect the keys from being stolen. It is also highly recommended to make backups of your wallet, because if you completely lose your wallet file, all of your coins are lost and cannot be recovered. To help manage backups, the wallet uses a pool of pre-generated keys. When you need a new address, it is not freshly generated but taken from the key pool. This pool is saved into the backup, so when you restore from a backup, a certain number of new addresses (and the bitcoins which were sent to them) will not be lost.
Since Bitcoin addresses are basically random numbers, it is possible, although extremely unlikely, for two people to independently generate the same address (collision). If this happens, then both the original owner of the address and the colliding owner could spend money sent to that address. However, intentionally generating a colliding address would currently take tens of orders of magnitude longer than generating a block, which earns you the generation reward and transaction fees. So it will likely always be more profitable to play by the rules and use your processing power for block hashing (helping to keep the network secure) than to try to create collisions.
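Added example of the Base58Check encoding of this section, not from the paper: version byte, payload and 4-byte checksum are turned into text and back, and a mistyped address is rejected by the checksum. The 20-byte payload used in the test is the hash160 that appears in the scriptPubKey listing of section 3.3; the `hash160` helper is included for completeness but is not exercised, because some Python builds ship hashlib without RIPEMD-160.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # no 0, O, I, l

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def hash160(pubkey: bytes) -> bytes:
    """RIPEMD-160(SHA-256(pubkey)), the 160-bit hash of fig. 9. Requires a hashlib
    with ripemd160 available (OpenSSL builds without the legacy provider lack it)."""
    return hashlib.new("ripemd160", hashlib.sha256(pubkey).digest()).digest()

def base58check_encode(version: int, payload: bytes) -> str:
    data = bytes([version]) + payload
    checked = data + dsha256(data)[:4]            # 4-byte checksum catches typos
    n = int.from_bytes(checked, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    # Leading zero bytes carry no weight in the number, so they are kept as leading '1's;
    # version byte 0x00 is why pay-to-pubkey-hash addresses start with '1'.
    leading = len(checked) - len(checked.lstrip(b"\x00"))
    return "1" * leading + digits

def base58check_decode(address: str):
    """Returns (version, payload); raises ValueError on bad characters or checksum."""
    n = 0
    for ch in address:
        if ch not in ALPHABET:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + ALPHABET.index(ch)
    leading = len(address) - len(address.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    checked = b"\x00" * leading + body
    if len(checked) < 5:
        raise ValueError("too short to hold a version byte and checksum")
    data, checksum = checked[:-4], checked[-4:]
    if dsha256(data)[:4] != checksum:
        raise ValueError("checksum mismatch: mistyped or corrupted address")
    return data[0], data[1:]

def is_valid_address(address: str) -> bool:
    try:
        base58check_decode(address)
        return True
    except ValueError:
        return False
```

A wallet should refuse to build a transaction to an address that fails `is_valid_address`, since coins sent to a mistyped but syntactically plausible address are unrecoverable; the checksum makes an accidental one-character error pass with probability about 2^-32.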
Figure 9: Elliptic-curve public key to Bitcoin address conversion
3.3. Transaction messages
The basic idea behind Bitcoin is that a digital coin is a chain of signatures (fig. 10). When transferring coins, the current owner must prove ownership of the coins and specify their new owner. The new owner is indicated by his public key (Bitcoin address), and ownership is proven by providing a signature made with the private key associated with the Bitcoin address (public key) named in the previous transaction. The signature also protects the transaction message from modification.
Figure 10: Transaction of coins
The actual Bitcoin transaction is a little more complex. First of all, it can have multiple inputs and outputs, which allows splitting and/or combining the value of coins. Secondly, it uses scripting to set the conditions for redeeming coins, which enables the design of more complex types of transactions and linking them together into cryptographically enforced agreements. Although non-standard transactions are extremely rare now, they could be used to integrate third-party services in the future (like solving disputes between buyer and seller).
A simplified example of a standard pay-to-pubkey-hash transaction message with one input and one output [3]:
Input:
Previous tx: f5d8ee39a430901c91a5917b9f2dc19d6d1a0e9cea205b009ca73dd04470b9a6
Index: 0
scriptSig: 304502206e21798a42fae0e854281abd38bacd1aeed3ee3738d9e1446618c4571d1090db022100e2ac980643b0b82c0e88ffdfec6b64e3e6ba35e7ba5fdd7d5d6cc8d25c6b241501
Output:
Value: 5000000000
scriptPubKey: OP_DUP OP_HASH160 404371705fa9bd789a2fcd52d2c580b65d35549d OP_EQUALVERIFY OP_CHECKSIG
The input is a reference to an output in a different transaction. Previous tx is the hash of the previous transaction, and Index is the specific output of the referenced transaction. scriptSig is the first half of the script, which is used to authorize collecting coins from an output. In a standard transaction the input script contains two components, a signature and a public key (the listing above shows the signature part only). Because scriptSig is not included when creating the signature, it can only contain data values and no actual script operations.
The output contains instructions for sending coins. Value is the amount of coins, expressed in satoshis (1 BTC = 100,000,000 satoshis), that this output will be worth when referenced. scriptPubKey is the second half of the script, which is used to authorize collecting coins from the output. The sum of all inputs always has to be greater than or equal to the sum of all outputs (otherwise the transaction will not be accepted by the network). If you only want to spend part of the value of an input, a second output which sends the “change” back to you is created. If the sum of the inputs is more than the sum of the outputs, the difference is taken as the transaction fee, so a forgotten change output hands the whole difference to the miner.
Authorization to collect coins from the referenced outputs is done by evaluating the scriptSig and then the referenced output's scriptPubKey (in this order, on a shared stack). The input is authorized if the script evaluates to true. In this example the standard conditions are used: OP_DUP duplicates the public key provided in scriptSig, OP_HASH160 hashes it, OP_EQUALVERIFY compares the hash to the value embedded in scriptPubKey and fails the script if they differ, and OP_CHECKSIG then verifies the signature against the public key. However, scripting allows the sender to create very complex conditions that people have to meet to claim the output's value. For example, an output may be redeemable by a password instead of a key, or it may require the input to be signed by several different keys. It is also possible to create an output which can be redeemed by anyone without any authorization.
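To make the value rules of this section and the double-spend detection of section 3.5 concrete, the following Python (an added example, not from the paper) keeps a set of unspent outputs, validates a transaction's inputs and outputs, computes the implied fee, and reports conflicting unconfirmed transactions. Script execution and signature checking are left out; the outpoint reuses the previous-transaction hash and scriptPubKey from the listing above, and the amounts are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Outpoint = Tuple[str, int]          # (txid of the previous transaction, output index)

@dataclass(frozen=True)
class TxOut:
    value: int                      # satoshis
    script_pubkey: str              # e.g. "OP_DUP OP_HASH160 <hash160> OP_EQUALVERIFY OP_CHECKSIG"

@dataclass
class Tx:
    txid: str
    inputs: List[Outpoint]
    outputs: List[TxOut]

MAX_MONEY = 21_000_000 * 100_000_000

def apply_tx(utxo: Dict[Outpoint, TxOut], tx: Tx) -> int:
    """Enforce the value rules against the set of unspent outputs, spend the inputs,
    create the outputs and return the implied fee. Raises ValueError where the network
    would reject the transaction. (Script and signature checks are a separate step.)"""
    if not tx.inputs or not tx.outputs:
        raise ValueError(f"{tx.txid}: needs at least one input and one output")
    if len(set(tx.inputs)) != len(tx.inputs):
        raise ValueError(f"{tx.txid}: the same output is referenced twice")
    total_in = 0
    for op in tx.inputs:
        if op not in utxo:
            raise ValueError(f"{tx.txid}: input {op} does not exist or is already spent")
        total_in += utxo[op].value
    total_out = 0
    for out in tx.outputs:
        if not 0 <= out.value <= MAX_MONEY:
            raise ValueError(f"{tx.txid}: output value out of range")
        total_out += out.value
    if total_out > total_in:
        raise ValueError(f"{tx.txid}: outputs ({total_out}) exceed inputs ({total_in})")
    for op in tx.inputs:                      # spend: an output can be referenced only once
        del utxo[op]
    for index, out in enumerate(tx.outputs):  # newly created outputs become spendable
        utxo[(tx.txid, index)] = out
    return total_in - total_out               # the difference is the miner's fee

def find_double_spends(pending: List[Tx]) -> Dict[Outpoint, List[str]]:
    """What a merchant 'listening' to the network looks for: outpoints claimed by
    more than one unconfirmed transaction."""
    claims: Dict[Outpoint, List[str]] = {}
    for tx in pending:
        for op in tx.inputs:
            claims.setdefault(op, []).append(tx.txid)
    return {op: ids for op, ids in claims.items() if len(ids) > 1}

PREV = "f5d8ee39a430901c91a5917b9f2dc19d6d1a0e9cea205b009ca73dd04470b9a6"   # from the listing above

def demo():
    # Constructed scenario: one 50 BTC output exists; a payment and a conflicting payment follow.
    utxo = {(PREV, 0): TxOut(5_000_000_000,
                             "OP_DUP OP_HASH160 404371705fa9bd789a2fcd52d2c580b65d35549d OP_EQUALVERIFY OP_CHECKSIG")}
    to_merchant = Tx("a1", [(PREV, 0)], [TxOut(4_990_000_000, "<merchant script>"),
                                          TxOut(9_990_000, "<change back to the payer>")])
    to_self = Tx("a2", [(PREV, 0)], [TxOut(5_000_000_000, "<attacker's own script>")])
    conflicts = find_double_spends([to_merchant, to_self])
    fee = apply_tx(utxo, to_merchant)
    try:
        apply_tx(utxo, to_self)               # the referenced output is already gone
        second_accepted = True
    except ValueError:
        second_accepted = False
    return fee, conflicts, second_accepted, utxo
```

Whichever of the two conflicting transactions a miner includes first wins; the other becomes invalid exactly as `apply_tx` rejects it, which is why the merchant's only defence before confirmation is to notice the conflict while both are still unconfirmed.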
3.4. Confirmation
The transaction message is broadcast to the network and is considered confirmed when it is included into a block. On average this takes about 10 minutes. However, one confirmation is not very safe, and it is recommended to wait for 2-6 confirmations. Each further block built on top of the block containing the transaction counts as an additional confirmation.
3.5. In-store transactions
Bitcoin is well suited for online stores. Merchants can accept bitcoins directly or use a third-party payment-processing service which accepts them. Some payment services can automatically convert bitcoins to other currencies like USD or EUR.
As Bitcoin transactions can take tens of minutes to become confirmed, it may seem that they are not suitable for in-person transactions, like in supermarkets. However, for small amounts retailers can accept unconfirmed transactions with relatively little risk by simply ‘listening’ on the Bitcoin network for a conflicting (double-spending) transaction, or by using a third party which offers such a service. The original transaction propagates through the Bitcoin network so fast that a fraudulent double-spending transaction sent afterwards has a low chance of being the one that gets mined.
Theoretically, an attacker could avoid sending a second fraudulent transaction to the network by attempting to solo-mine a block containing an attack transaction which sends the coins to himself, withholding the block from the rest of the network, quickly making a fraudulent purchase and then releasing the attack block. However, the cost of such an activity would greatly outweigh the value of anything that could be offered without confirmation, and it is extremely hard to execute.
Some brick-and-mortar businesses are already accepting bitcoins as a payment option. One of the common methods is using smartphones and wallet addresses through QR codes (fig. 11). The seller displays or prints a QR code and the customer pays by scanning it with his mobile phone. There are also proposals to use Bluetooth or NFC instead of QR codes.
Figure 11: Using mobile phones and QR codes for payment
Another method is to accept bitcoins only for the purchase of gift or pre-paid cards, which are later used for actual purchases of goods or services. This is probably the easiest way to accept bitcoins if your business already processes gift cards.
Some companies are already creating point-of-sale terminals designed to work exclusively with crypto-currencies such as Bitcoin and Litecoin (fig. 11).
Conclusion
Bitcoin introduced a new payment system which relies on cryptographic proof-of-work instead of trust. The network nodes reach consensus with little coordination by voting with their processing power. They express their acceptance of valid blocks and transactions by working on top of them, and reject invalid ones by refusing to work on them. This makes the network secure as long as honest nodes control the majority of the processing power.
Because of its decentralized nature, Bitcoin is neutral, highly predictable, gives users a lot of control over their money and can offer very low transaction fees.
Ownership of coins is established using public key cryptography and is tied only to cryptographic keys, which gives a possibility of anonymity (more precisely pseudonymity, as every transaction is public).
Bitcoin has been successfully operating for almost five years. The concept seems like a natural step in the evolution of digital payment systems. However, its future is still unclear because of the small degree of acceptance and mostly unknown legal status. Furthermore, Bitcoin is the first, experimental realization of the concept, so later crypto-currencies which try to improve on Bitcoin may take over in the future.
References
1. Satoshi Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System. Available at: http://bitcoin.org/bitcoin.pdf
2. Yogesh Malhotra. Bitcoin Protocol: Model of ‘Cryptographic Proof’ Based Global Crypto-Currency & Electronic Payments System. Available at: http://yogeshmalhotra.com/BitcoinProtocolPaper_MalhotraYogesh.pdf
3. Bitcoin Wiki: Technical. Available at: https://en.bitcoin.it/wiki/Category:Technical
4. Wikipedia. Elliptic Curve DSA. Available at: http://en.wikipedia.org/wiki/Elliptic_Curve_DSA
5. Avi Kak. Lecture 14: Elliptic Curve Cryptography and Digital Rights Management. Available at: https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture14.pdf
6. Standards for Efficient Cryptography. SEC 2: Recommended Elliptic Curve Domain Parameters. Available at: http://www.secg.org/collateral/sec2_final.pdf
7. Bitcoin.org. Frequently Asked Questions. Available at: http://bitcoin.org/en/faq
8. Wikipedia. SHA-2. Available at: http://en.wikipedia.org/wiki/SHA-2
9. Coinbase. Accept Bitcoin using mobile device. Available at: https://coinbase.com/docs/merchant_tools/point_of_sale
10. Coinkite. Bitcoin Merchant Terminal. Available at: https://coinkite.com/faq/terminal