is bitcoin stable, secure and scalable? - tik...incident timeline feb 01 2014 feb 04 2014 feb 07...
Post on 08-Nov-2020
11 Views
Preview:
TRANSCRIPT
Is Bitcoin Stable,Secure and Scalable?
Roger Wattenhofer
ETH Zurich – Distributed Computing Group – www.disco.ethz.ch
20102011
20122013
20142015
0
200
400
600
800
1000
1200
Pri
ce [
USD
/BTC
]
Exchange Rate USD/BTC
What is Bitcoin?
+ + =
Bitcoin Basics
The Bank of Bitcoin
User BalanceA 2B 5C 8
TXB −→ A
User BalanceA 2 4B 5 3C 8
The Bank of Bitcoin
User BalanceA 2B 5C 8
TXB −→ A
User BalanceA 2 4B 5 3C 8
The Bank of Bitcoin
User BalanceA 2B 5C 8
TXB −→ A
User BalanceA 2 4B 5 3C 8
The Bank of Bitcoin
User BalanceA 2B 5C 8
TXB −→ A
User BalanceA 2 4B 5 3C 8
Opening an Account in Bitcoin
Private Key Public Key Address
Transferring Bitcoins
TX: 41b221
B0.1
A4.798
A4.899
Inputs OutputsFee
0.001
Prev. TX:a1a53743
4.899
0
C...
1
|Outputs
Transferring Bitcoins
TX: 41b221
B0.1
A4.798
A4.899
Inputs OutputsFee
0.001
Prev. TX:a1a53743
4.899
0
C...
1
|Outputs
Transferring Bitcoins
TX: 41b221
B0.1
A4.798
A4.899
Inputs OutputsFee
0.001
Prev. TX:a1a53743
4.899
0
C...
1
|Outputs
Transferring Bitcoins
TX: 41b221
B0.1
A4.798
A4.899
Inputs OutputsFee
0.001
Prev. TX:a1a53743
4.899
0
C...
1
|Outputs
Transferring Bitcoins
TX: 41b221
B0.1
A4.798
A4.899
Inputs Outputs
Fee
0.001
Prev. TX:a1a53743
4.899
0
C...
1
|Outputs
Transferring Bitcoins
TX: 41b221
B0.1
A4.798
A4.899
Inputs OutputsFee
0.001
Prev. TX:a1a53743
4.899
0
C...
1
|Outputs
Transferring Bitcoins
TX: 41b221
B0.1
A4.798
A4.899
Inputs OutputsFee
0.001
Prev. TX:a1a53743
4.899
0
C...
1
|Outputs
Distributing the Bank
User BalanceA 2B 5C 8
TX
TX
Distributing the Bank
TX
Distributing the Bank
TX
Distributing the Bank
TX
Distributing the Bank
TX
Distributing the Bank
TX
Let’s Buy a Snack
[Bamert, Decker, Elsen, W, Welten, 2013]
Doublespending
TX B1
A
1
1
Inputs
Outputs
TX’ A1
1
�
Doublespending
TX B1
A
1
1
Inputs
Outputs
TX’ A1
1
�
Doublespending
TX B1
A
1
1
Inputs
Outputs
TX’ A1
1
�
Transaction Conflicts
TX
TX
Transaction Conflicts
TX
TX
Transaction Conflicts
TX
TX
Transaction Conflicts
TX
TX
Resolving Conflicts
Green!
Resolving Conflicts
Green!
Resolving Conflicts
Green!
How to Choose a Leader?
Proof-of-Work
Block
H(Previous Block)
TX TX TX TX
I H(Block|0) → 094d66aa7c844a9dbb516a41259b5877. . .
I H(Block|1) → f2496854af8bf989171587a9259f634f. . .
I H(Block|2) → aec87c0ca2e5eb3f23111092f1089ada. . .
I H(Block|3) → 777f75b2a8ecfdc8026c236fc1d2ffa0. . ....
I H(Block|961127) → 0000014823419622d4c133672a7d657e. . .
Proof-of-Work
Block
H(Previous Block)
TX TX TX TX
I H(Block|0) → 094d66aa7c844a9dbb516a41259b5877. . .
I H(Block|1) → f2496854af8bf989171587a9259f634f. . .
I H(Block|2) → aec87c0ca2e5eb3f23111092f1089ada. . .
I H(Block|3) → 777f75b2a8ecfdc8026c236fc1d2ffa0. . ....
I H(Block|961127) → 0000014823419622d4c133672a7d657e. . .
Proof-of-Work
Block
H(Previous Block) TX TX TX TX
I H(Block|0) → 094d66aa7c844a9dbb516a41259b5877. . .
I H(Block|1) → f2496854af8bf989171587a9259f634f. . .
I H(Block|2) → aec87c0ca2e5eb3f23111092f1089ada. . .
I H(Block|3) → 777f75b2a8ecfdc8026c236fc1d2ffa0. . ....
I H(Block|961127) → 0000014823419622d4c133672a7d657e. . .
Proof-of-Work
Block
H(Previous Block) TX TX TX TX
I H(Block) → fd2e2055f117bfa261b5a6c7e11df367. . .
I H(Block|0) → 094d66aa7c844a9dbb516a41259b5877. . .
I H(Block|1) → f2496854af8bf989171587a9259f634f. . .
I H(Block|2) → aec87c0ca2e5eb3f23111092f1089ada. . .
I H(Block|3) → 777f75b2a8ecfdc8026c236fc1d2ffa0. . ....
I H(Block|961127) → 0000014823419622d4c133672a7d657e. . .
Proof-of-Work
Block
H(Previous Block) TX TX TX TX Nonce
I H(Block|0) → 094d66aa7c844a9dbb516a41259b5877. . .
I H(Block|1) → f2496854af8bf989171587a9259f634f. . .
I H(Block|2) → aec87c0ca2e5eb3f23111092f1089ada. . .
I H(Block|3) → 777f75b2a8ecfdc8026c236fc1d2ffa0. . ....
I H(Block|961127) → 0000014823419622d4c133672a7d657e. . .
Proof-of-Work
Block
H(Previous Block) TX TX TX TX Nonce
I H(Block|0) → 094d66aa7c844a9dbb516a41259b5877. . .
I H(Block|1) → f2496854af8bf989171587a9259f634f. . .
I H(Block|2) → aec87c0ca2e5eb3f23111092f1089ada. . .
I H(Block|3) → 777f75b2a8ecfdc8026c236fc1d2ffa0. . ....
I H(Block|961127) → 0000014823419622d4c133672a7d657e. . .
Proof-of-Work
Block
H(Previous Block) TX TX TX TX Nonce
I H(Block|0) → 094d66aa7c844a9dbb516a41259b5877. . .
I H(Block|1) → f2496854af8bf989171587a9259f634f. . .
I H(Block|2) → aec87c0ca2e5eb3f23111092f1089ada. . .
I H(Block|3) → 777f75b2a8ecfdc8026c236fc1d2ffa0. . ....
I H(Block|961127) → 0000014823419622d4c133672a7d657e. . .
Proof-of-Work
Block
H(Previous Block) TX TX TX TX Nonce
I H(Block|0) → 094d66aa7c844a9dbb516a41259b5877. . .
I H(Block|1) → f2496854af8bf989171587a9259f634f. . .
I H(Block|2) → aec87c0ca2e5eb3f23111092f1089ada. . .
I H(Block|3) → 777f75b2a8ecfdc8026c236fc1d2ffa0. . ....
I H(Block|961127) → 0000014823419622d4c133672a7d657e. . .
The Blockchain
Time
The Blockchain
Time
Is Bitcoin stable?
The Blockchain
Time
The Blockchain
Time
Propagation Speed
0 10 20 30 40 50 60Time since first observation [s]
0.00
0.02
0.04
0.06
0.08
0.10
0.12PD
FBlock propagation
[Decker, W, 2013]http://bitcoinstats.com
Propagation Speed
0 10 20 30 40 50 60Time since first observation [s]
0.00
0.02
0.04
0.06
0.08
0.10
0.12PD
FBlock propagation
50thp
erc.[Decker, W, 2013]http://bitcoinstats.com
Propagation Speed
0 10 20 30 40 50 60Time since first observation [s]
0.00
0.02
0.04
0.06
0.08
0.10
0.12PD
FBlock propagation
50thp
erc.
95thp
erc.
[Decker, W, 2013]http://bitcoinstats.com
Propagation Speed
0 10 20 30 40 50 60Time since first observation [s]
0.00
0.02
0.04
0.06
0.08
0.10
0.12PD
FBlock propagation
[Decker, W, 2013]http://bitcoinstats.com
Blockchain Forks
180000 182000 184000 186000 188000 190000Blockchain Height
0
2
4
6
8
10
12
Fork
sBlockchain forks
1.69%
[Decker, W, 2013]
Aside: Mining Evolution
20102011
20122013
20142015
10-10
10-9
10-8
10-7
10-6
10-5
10-4
10-3
10-2
10-1
100
101
102
103
Hash
rate
PH
/s
Hashrate evolution
Aside: Mining Evolution
20102011
20122013
20142015
10-10
10-9
10-8
10-7
10-6
10-5
10-4
10-3
10-2
10-1
100
101
102
103
Hash
rate
PH
/s
Hashrate evolution
Aside: Mining Evolution
20102011
20122013
20142015
10-10
10-9
10-8
10-7
10-6
10-5
10-4
10-3
10-2
10-1
100
101
102
103
Hash
rate
PH
/s
Hashrate evolution
Summary
TX
Green!
Block
H(Previous Block) TX TX TX TX Nonce
Time
How to Lose $500M
Addressing Transaction Malleability: MtGox has detectedunusual activity on its Bitcoin wallets and performedinvestigations during the past weeks.
The MtGox Incident
I July 2010: First trade on MtGox
I May 2011: Transaction malleability identified as low priority issue
I February 7, 2014: MtGox halts withdrawals
I February 10, 2014: MtGox announces loss of 850,000 bitcoins (620millio USD) and cites transaction malleability as root cause
I February 28, 2014: MtGox files for bankruptcy
I March 7 2014: MtGox finds 200,000 bitcoins
I August 2015: MtGox CEO is arrested
Signatures
00 00
61 af bb 4d e9 f8 b8 74 86 1e
There are multiple ways to serialize a signature:
I Multiple push operations (1 byte, 2 byte, 4 byte)
I Non-canonical DER encodings
I Padding
I . . .
Signatures
00 00 61 af bb 4d e9 f8 b8 74 86 1e
There are multiple ways to serialize a signature:
I Multiple push operations (1 byte, 2 byte, 4 byte)
I Non-canonical DER encodings
I Padding
I . . .
Transaction Malleability Attack
TX
TX
TX
TX
TX
Red!
TX?Refund
Transaction Malleability Attack
TX
TX
TX
TX
TX
Red!
TX?Refund
Transaction Malleability Attack
TX
TX
TX
TX
TX
Red!
TX?Refund
Transaction Malleability Attack
TX
TX
TX
TX
TX
Red!
TX?Refund
Transaction Malleability Attack
TX
TX
TX
TX
TX
Red!
TX?
Refund
Transaction Malleability Attack
TX
TX
TX
TX
TX
Red!
TX?
Refund
Incident Timeline
Feb 01 2014
Feb 04 2014
Feb 07 2014
Feb 10 2014
Feb 13 2014
Feb 16 2014
Feb 19 2014
Feb 22 2014
Feb 25 2014
Feb 28 20140
50000
100000
150000
200000
250000
300000
350000
bit
coin
s
0
5000
10000
15000
20000
25000
30000
transa
ctio
ns
1st
Pre
ss R
ele
ase
2nd P
ress
Rele
ase
Cumulative malleable doublespends
value
number
386 BTC
[Decker, W, 2014]
Incident Timeline
Feb 01 2014
Feb 04 2014
Feb 07 2014
Feb 10 2014
Feb 13 2014
Feb 16 2014
Feb 19 2014
Feb 22 2014
Feb 25 2014
Feb 28 20140
50000
100000
150000
200000
250000
300000
350000
bit
coin
s
0
5000
10000
15000
20000
25000
30000
transa
ctio
ns
1st
Pre
ss R
ele
ase
2nd P
ress
Rele
ase
Cumulative malleable doublespends
value
number
386 BTC
[Decker, W, 2014]
Is Bitcoin Secure?
Securing Your Bitcoins
[Bamert, Decker, W, 2013]
Does Bitcoin Scale?
The Bitcoin Ecosystem is Growing
20102011
20122013
20142015
0
20000
40000
60000
80000
100000
120000
140000
Tra
nsa
ctio
ns
Daily Transaction Volume
Scalability Limits
I Disk space: < 500 transactions per second
I Processing power: < 200 transactions per second
I Network bandwidth: < 100 transactions per second
I Artificial 1MB limit: < 3 transactions per second
Today:
I Bitcoin: 1 transaction per second
I Credit Cards: > 10, 000 transactions per second
Scalability Limits
I Disk space: < 500 transactions per second
I Processing power: < 200 transactions per second
I Network bandwidth: < 100 transactions per second
I Artificial 1MB limit: < 3 transactions per second
Today:
I Bitcoin: 1 transaction per second
I Credit Cards: > 10, 000 transactions per second
Scalability Limits
I Disk space: < 500 transactions per second
I Processing power: < 200 transactions per second
I Network bandwidth: < 100 transactions per second
I Artificial 1MB limit: < 3 transactions per second
Today:
I Bitcoin: 1 transaction per second
I Credit Cards: > 10, 000 transactions per second
Scalability Limits
I Disk space: < 500 transactions per second
I Processing power: < 200 transactions per second
I Network bandwidth: < 100 transactions per second
I Artificial 1MB limit: < 3 transactions per second
Today:
I Bitcoin: 1 transaction per second
I Credit Cards: > 10, 000 transactions per second
Scalability Limits
I Disk space: < 500 transactions per second
I Processing power: < 200 transactions per second
I Network bandwidth: < 100 transactions per second
I Artificial 1MB limit: < 3 transactions per second
Today:
I Bitcoin: 1 transaction per second
I Credit Cards: > 10, 000 transactions per second
Payment Network
Payment Network
Payment Network
Micropayment Channels
5
5
T=100 5
5
0
4
1
3
2
Micropayment Channels
5 5
T=100 5
5
0
4
1
3
2
Micropayment Channels
5 5
T=100 5
5
0
4
1
3
2
Micropayment Channels
5 5
T=100 5
5
0
4
1
3
2
Micropayment Channels
5 5
T=100 5
5
0
4
1
3
2
Micropayment Channels
5 5
T=100 5
5
0
4
1
3
2
Micropayment Channels
5 5
T=100 5
5
0
4
1
3
2
Micropayment Channels
5 5
T=100 5
5
0
4
1
3
2
Micropayment Channels
5 5
T=100 5
5
0
4
1
3
2
Atomic Multiparty Opt-In
Atomic Multiparty Opt-In
Atomic Multiparty Opt-In
Invalidating Transactions
T=100
T=99
Invalidating Transactions
T=100
T=99
Bidirectional Transfers
5 5
5
0
4 4
4
0
0
5
1
3
Bidirectional Transfers
5 5
5
0
4 4
4
0
0
5
1
3
Bidirectional Transfers
5 5
5
0
4 4
4
0
0
5
1
3
Duplex Micropayment Channels
Setup Invalidation Tree Micropayment Channels
T = 100 T = 100 T = 100
T = 99 T = 100 T = 100
T = 99 T = 100
T = 99
Duplex Micropayment Channels
Setup Invalidation Tree Micropayment Channels
T = 100 T = 100 T = 100
T = 99 T = 100 T = 100
T = 99 T = 100
T = 99
Duplex Micropayment Channels
Setup Invalidation Tree Micropayment Channels
T = 100 T = 100 T = 100
T = 99 T = 100 T = 100
T = 99 T = 100
T = 99
Duplex Micropayment Channels
Setup Invalidation Tree Micropayment Channels
T = 100 T = 100 T = 100
T = 99 T = 100 T = 100
T = 99 T = 100
T = 99
Duplex Micropayment Channels
Setup Invalidation Tree Micropayment Channels
T = 100 T = 100 T = 100
T = 99 T = 100 T = 100
T = 99 T = 100
T = 99
Summary
Red!
TX?Refund
T = 100 T = 100 T = 100
T = 99 T = 100 T = 100
T = 99 T = 100
T = 99
Thank you, questions?
Thanks to Christian Decker
ETH Zurich – Distributed Computing Group – www.disco.ethz.ch
Securing Fast Payments
Let’s Buy a Snack
[Bamert, Decker, Elsen, W, Welten, 2013]
Transaction Confidence
TX
confidence(TX ) =
Transaction Confidence
TX
confidence(TX ) =
Transaction Confidence
TX
confidence(TX ) =
Transaction Confidence
TX
confidence(TX ) =
Transaction Confidence
TX
confidence(TX ) =
Doublespend Detection
0 20 40 60 80 100Node sample size
0.0
0.2
0.4
0.6
0.8
1.0D
ete
ctio
n p
robabili
tyDoublespend detection
[Bamert, Decker, Elsen, W, Welten, 2013]
Time to Detection
20 40 60 80 100Node sample size
0
2
4
6
8
10
12
14
Tim
e [
s]Time until detection
Average time
Median time
95 percentile
99 percentile
[Bamert, Decker, Elsen, W, Welten, 2013]
Successful Doublespend
0 20 40 60 80 100Node sample size
0.00
0.05
0.10
0.15
0.20
0.25
0.30
0.35
0.40
0.45
Pro
babili
tyProbability of successful double spend
[Bamert, Decker, Elsen, W, Welten, 2013]
Successful Doublespend
0 20 40 60 80 100Node sample size
0.00
0.05
0.10
0.15
0.20
0.25
0.30
0.35
0.40
0.45
Pro
babili
tyProbability of successful double spend
0.088%
[Bamert, Decker, Elsen, W, Welten, 2013]
top related