TRANSCRIPT
Centrally Banked Cryptocurrencies
George Danezis (University College London)
Sarah Meiklejohn (University College London)
2
who’s interested in ‘blockchain’?
3
fully decentralized cryptocurrencies
tx (addrA→addrB)
“mining”
(generate transaction ledger)
(generate monetary supply)
append-only
transparent
pseudonyms
4
issues with Bitcoin
hashing rates are out of control
incentive structure is messed up
attacks on mining
no control over monetary policy
not suitable for most applications!
RSCoin
5
monetary supply   decentral   central      central
ledger            decentral   distribute   central
transparent?      y           y (or n)     n
pseudonyms?       y           y (or n)     n
computation       high!       low          low
6
bank (generate monetary supply)
mintette ×4 (generate transaction ledger)
user
7
[diagram labels: bank; mintette ×4; user]
what gets sent?
consensus?
how do mintettes collect txs?
consensus?
8
[diagram labels: user; tx: 1 2]
each address is owned by a set of mintettes
[figure: addresses mapped to mintettes]
consensus
9
[diagram labels: user; tx: 1 2; mintette1 ×3; 1]
mintettes check for double spending…
…using lists of unspent transaction outputs (utxo)
consensus
10
[diagram labels: user; tx: 1 2; mintette1 ×3; ✓ ✓; 1]
signed ‘yes’ vote (and head h)
consensus
11
[diagram labels: user; tx: 1 2; mintette1 ×3; ✓ ✓; mintette2 ×3; 1 tx ✓✓]
“bundle of evidence” contains ‘yes’ votes from majority of mintettes in shard
mintettes check validity of bundle by checking for signatures from authorized mintettes…
consensus
12
[diagram labels: user; tx: 1 2; mintette1 ×3; ✓ ✓; mintette2 ×3; 1 tx ✓✓; tx; tx]
…and if satisfied they add transaction to be committed and send back receipt
consensus
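The vote-then-commit exchange on slides 8 to 12, as an added sketch that is not code from the talk or from RSCoin. HMAC with shared demo keys stands in for the mintettes' signatures, and the hash-based `owners` mapping, the key and shard tables and all function names are assumptions.

```python
import hashlib, hmac

# Constructed demo data; HMAC with per-mintette keys stands in for signatures (assumption).
KEYS = {f"m{i}": f"key-{i}".encode() for i in range(6)}
SHARDS = [["m0", "m1", "m2"], ["m3", "m4", "m5"]]  # authorized mintettes per shard

def owners(addr):  # shard owning an address; the hash-based mapping is an assumption
    return SHARDS[hashlib.sha256(addr.encode()).digest()[0] % len(SHARDS)]

def sign(mid, msg):
    return hmac.new(KEYS[mid], msg.encode(), hashlib.sha256).hexdigest()

class Mintette:
    def __init__(self, mid):
        self.mid, self.utxo, self.spent = mid, set(), {}

    def query(self, tx_id, addr_in):
        """Phase 1: signed 'yes' vote only if addr_in is unspent or already bound to tx_id."""
        if self.mid not in owners(addr_in):
            return None
        if addr_in in self.utxo:
            self.utxo.remove(addr_in)
            self.spent[addr_in] = tx_id
        if self.spent.get(addr_in) != tx_id:
            return None  # double spend or unknown input: no vote
        return self.mid, sign(self.mid, f"yes|{tx_id}|{addr_in}")

    def commit(self, tx_id, addr_in, addr_out, bundle):
        """Phase 2: accept only a bundle with valid votes from a majority of addr_in's shard."""
        shard = owners(addr_in)
        valid = {m for m, sig in bundle if m in shard
                 and hmac.compare_digest(sig, sign(m, f"yes|{tx_id}|{addr_in}"))}
        if self.mid not in owners(addr_out) or len(valid) <= len(shard) // 2:
            return None
        self.utxo.add(addr_out)
        return sign(self.mid, f"receipt|{tx_id}")  # receipt sent back to the user

def run_tx(mintettes, tx_id, addr_in, addr_out):
    """User side: gather votes into a bundle of evidence, then send it to addr_out's owners."""
    bundle = [v for m in mintettes if (v := m.query(tx_id, addr_in))]
    return [r for m in mintettes if (r := m.commit(tx_id, addr_in, addr_out, bundle))]

def demo():
    ms = [Mintette(mid) for mid in KEYS]
    for m in (m for m in ms if m.mid in owners("addr1")):
        m.utxo.add("addr1")  # addr1 starts out unspent at its owners
    first = run_tx(ms, "txA", "addr1", "addr2")
    second = run_tx(ms, "txB", "addr1", "addr3")  # tries to spend addr1 again
    return len(first), len(second)
```

The second transaction collects no votes, so no mintette in the output shard issues a receipt for it.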
13
consensus features
simple (adaption of Two-Phase Commit)
scalable!
T = set of txs generated per second
Q = # mintettes per shard
M = # mintettes
comm. per mintette per sec = $\frac{\sum_{tx \in T} 2(m_{tx}+1)Q}{M}$
scales infinitely as more mintettes are added!
14
each new mintette adds ≈ 75 tx/sec
compared to Bitcoin’s 7
15
[diagram labels: bank; mintette ×4; user]
consensus? (2PC)
how do mintettes collect txs? (contacted based on shard)
what gets sent?
16
security properties
no double spending (only “good” transactions get included)
(if honest majority)
17
security properties
no double spending (only “good” transactions get included)
non-repudiation (mintettes are held to their promises)
(because mintettes provide receipt upon committing transaction)
18
security properties
no double spending (only “good” transactions get included)
non-repudiation (mintettes are held to their promises)
auditability (mintettes can’t cheat without detection)
19
mintette logs
borrow ideas from Certificate Transparency to log actions
mintettes create log entry every time they:
- act as mintette in first phase (Query)
- act as mintette in second phase (Commit)
- publish head of hash chain (CloseEpoch)
rolling hash chain of log acts as commitment to actions
mintettes cross-hash chains to provide evidence of activity
send logs to bank at end of every period
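How a rolling hash chain commits a mintette to its logged actions, and how a cross-hashed head lets the bank catch a rewritten log, as an added example that is not code from the talk or from RSCoin. The entry encoding, the `peer_head` field and all class and function names are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting head

def next_head(prev_head, entry):
    """h_i = SHA-256(h_{i-1} || canonical entry); the exact encoding is an assumption."""
    data = prev_head + json.dumps(entry, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()

class MintetteLog:
    def __init__(self):
        self.entries, self.head = [], GENESIS

    def append(self, action, payload, peer_head=None):
        """Log a Query, Commit or CloseEpoch; peer_head cross-hashes another mintette's chain."""
        entry = {"action": action, "payload": payload, "peer_head": peer_head}
        self.entries.append(entry)
        self.head = next_head(self.head, entry)
        return self.head  # head h, returned alongside a vote or receipt

def replay(entries):
    """Bank side: recompute every intermediate head from a submitted log."""
    heads, h = [], GENESIS
    for e in entries:
        h = next_head(h, e)
        heads.append(h)
    return heads

def audit(entries, published_head, peer_entries=()):
    """True if the log matches the published head and every cross-hashed
    peer head really occurs in the peer's own replayed chain."""
    heads = replay(entries)
    if not heads or heads[-1] != published_head:
        return False
    peer_heads = set(replay(peer_entries))
    return all(e["peer_head"] is None or e["peer_head"] in peer_heads for e in entries)

def demo():
    a, b = MintetteLog(), MintetteLog()
    h_a = a.append("Query", "txA")
    b.append("Commit", "txA", peer_head=h_a)  # b's chain now commits to a's head
    a_head, b_head = a.append("CloseEpoch", 1), b.append("CloseEpoch", 1)
    honest = audit(b.entries, b_head, a.entries)
    forged = [dict(a.entries[0], payload="txB")] + a.entries[1:]  # a rewrites history
    return honest, audit(forged, a_head), audit(b.entries, b_head, forged)
```

The rewritten log fails against the head that mintette a already published, and it also fails to account for the head that mintette b recorded from it.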
20
security properties
no double spending (only “good” transactions get included)
non-repudiation (mintettes are held to their promises)
auditability (mintettes can’t cheat without detection)
21
[diagram labels: bank; mintette ×4; user]
consensus? (2PC)
how do mintettes collect txs? (contacted based on shard)
what gets sent? (cross-hashed chains)
- collate transactions
- allocate fees
- audit mintettes
(- add coin generation)
- authorize mintettes
RSCoin
22
monetary supply   decentral   central      central
ledger            decentral   distribute   central
transparent?      y           y (or n)     n
pseudonyms?       y           y (or n)     n
computation       high!       low          low
Thanks! Any questions?