https://crocs.fi.muni.cz @CRoCS_MUNI
PV204 Security technologies
Bitcoin mining, privacy, multisignatures and other topics
Petr Švenda, svenda@fi.muni.cz, @rngsec
Centre for Research on Cryptography and Security, Masaryk University
Please provide any corrections and comments here (thank you!): https://drive.google.com/file/d/1DH1rooFx6ZXNflaHRHqvfOAHXc_qikc3/view?usp=sharing

MINING
2 | PV204 Bitcoin II.

Mining in Proof of Work chains
• Crucial for the security of the blockchain (no rewriting of history)
• Initially on CPU (Satoshi: everyone can participate, 1 CPU = 1 vote)
• Initially solo mining
• CPU → GPU → FPGA → ASIC
• First mining pool: SlushPool in Prague
  – Miners join their hashrate; each miner's fraction of the reward is based on the number of partial solutions (shares) it submits
• Cambridge University Centre for Alternative Finance (CBECI)
  – Where are the miners? https://cbeci.org/mining_map/
  – More mining details: https://cbeci.org/cbeci/methodology

Bitcoin mining map in April 2020 (figure)

China mining dominance (09/2019 → 04/2020: 75.6% → 65%) (figure: 09/2019 vs. 04/2020)

Bitcoin mining map (August 2021)
• China evicted “all” miners
• Strong increase in:
  – US 35%
  – Kazakhstan 18.1%
  – Canada 9.5%

Miner reward – coinbase output: block subsidy + fees (figure)
https://transactionfee.info/charts/block-coinbase-amount/?start=2009-01-09&end=2021-02-02

Coin mining algorithm (figures from https://coin360.com/)

Heatmap distribution of UTXOs in time and value (figure)

Who can include the next block in the blockchain?
• Proof of Work (PoW: Bitcoin, Ethereum, Zcash…)
  – The solver of a computationally hard puzzle can include the new block
• Proof of Stake (PoS: Zcoin, Cardano, BNB, Ethereum 2.0…)
  – The more coins you own, the higher the probability that you will be selected to include the next block
  – Various variants, stake pools…
• Merged Mining (Namecoin…)
  – The hash of a block from the other chain is included in the coinbase data of a Bitcoin block
  – The other chain does not perform its own mining; Bitcoin miners get rewards from the other chains they include
• Proof of Proof (PoP)
  – The hash of a block from the other chain is included in a Bitcoin transaction (OP_RETURN)
  – The security of the other chain is improved by the security of the Bitcoin blockchain
• Proof of Authority (PoA)
  – A small number of trusted actors create new blocks

Interesting stats about mined transactions
• https://forkmonitor.info/nodes/btc
• https://transactionfee.info/
• https://cryptobriefing.com/unpacking-bitcoins-recent-double-spend-event

BITCOIN PRIVACY

Risks
• Risk of lost coins
  – Lost wallet keys, forgotten access credentials
• Risk of stolen coins
  – Malware on the computer (wallet keys), phishing/scam (recovery phrase)
  – Compromised trusted third party (exchange, web wallet…)
  – Random burglary (the burglar doesn't know you have BTC)
  – Targeted burglary (the burglar knows you have BTC), with or without you present
• Risk of traced coins
  – Blockchain analysis, correlation with additional metadata (KYC/AML, scans, tx propagation, wallet peeling…)
  – Crooks, governments, wife…

Attacker models
• Blockchain-only analysis
• Malware, phishing
• Active network analysis, metadata
• Cryptographic analysis of the used algorithms
• Side-channel analysis
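Returning to the Proof of Work and mining pool slides above, the following added Python example (not code from the lecture) shows the puzzle itself and how a pool credits partial solutions: the block header is double-SHA-256 hashed for successive nonces, a hash at or below the network target is a block, and a hash below the pool's easier share target is a partial solution. The header fields, the targets and the share/block ratio are constructed sample values.

```python
import hashlib
import struct

GENESIS_BITS = 0x1D00FFFF  # Bitcoin's difficulty-1 (maximum) target in compact form

def bits_to_target(bits):
    """Decode the compact 'bits' header field into a 256-bit integer target."""
    exponent, mantissa = bits >> 24, bits & 0x00FFFFFF
    return mantissa << (8 * (exponent - 3))

def difficulty(bits):
    """Difficulty = difficulty-1 target / current target (how much harder than genesis)."""
    return bits_to_target(GENESIS_BITS) / bits_to_target(bits)

def make_header76(bits, prev_hash=b'\x00' * 32, merkle_root=None, timestamp=1650000000):
    """Version, previous block hash, merkle root, time, bits: everything but the 4-byte nonce."""
    merkle_root = merkle_root or hashlib.sha256(b'constructed merkle root').digest()
    return struct.pack('<I', 1) + prev_hash + merkle_root + struct.pack('<II', timestamp, bits)

def block_hash(header76, nonce):
    """Double SHA-256 of the 80-byte header, read as a little-endian integer as Bitcoin does."""
    data = header76 + struct.pack('<I', nonce)
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), 'little')

def mine(header76, bits, share_bits=None, max_nonce=2**32):
    """Scan nonces. Returns (winning_nonce or None, shares_found).

    A hash <= share target is a partial solution the pool pays for; only a hash <= the
    (much smaller) block target is a valid block. The pool uses the share count as proof
    of how much hashrate each miner contributed.
    """
    target = bits_to_target(bits)
    share_target = bits_to_target(share_bits) if share_bits is not None else target
    shares = 0
    for nonce in range(max_nonce):
        h = block_hash(header76, nonce)
        if h <= share_target:
            shares += 1
            if h <= target:
                return nonce, shares
    return None, shares

def verify_block(header76, nonce, bits):
    """What every full node checks: the claimed nonce really yields a hash under target."""
    return block_hash(header76, nonce) <= bits_to_target(bits)

if __name__ == '__main__':
    # Constructed easy targets so the search finishes in seconds: block ~1 in 65k hashes,
    # share ~1 in 512 hashes, so expect roughly 128 shares per block.
    hdr = make_header76(0x1F00FFFF)
    nonce, shares = mine(hdr, 0x1F00FFFF, share_bits=0x1F7FFFFF)
    print('block nonce', nonce, 'after', shares, 'shares; difficulty', difficulty(0x1F00FFFF))
```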
Improving privacy
• Hold your own private keys (no custodial service such as an exchange…)
  – Nobody else can steal them, observe them, or “vote” on your behalf
• Store the private key in a hardware wallet (Trezor, ColdCard, Ledger…)
  – Keys in “hot” software wallets are prone to malware attacks
• Run your own full node over Tor and connect your wallet to it
• Make on-chain analysis harder: https://en.bitcoin.it/wiki/Privacy
• Use manual coin selection, label coins by their origin
• Use CoinJoin, PayJoin (multiple users mix their inputs in a single transaction)
• Have good opsec (no posting of your own BTC addresses, use Tor to broadcast transactions, delink via CoinJoin after KYC…)

CoinJoin
• Multiple users collaborate trustlessly in creating one large transaction
• Outputs all have the same value => an output cannot be attributed to one of the senders based on its value
• Supported by more advanced wallets
  – Wasabi wallet, Samourai wallet
• https://en.bitcoinwiki.org/wiki/CoinJoin
• https://cryptotesters.com/blog/what-are-coinjoins-and-how-do-they-improve-bitcoin-privacy

CoinJoin implementations
• Wasabi wallet https://github.com/zkSNACKs/WalletWasabi/
  – Centralized trustless coordinator, Tor, selected number of rounds executed within hours
  – https://docs.wasabiwallet.io/using-wasabi/CoinJoin.html
  – Wasabi 2.0 (beta) will offer non-equal-output CoinJoin https://blog.wasabiwallet.io/privacy-guarantees-of-wasabi-wallet-2-0/
  – The anonymity set decreases over time as people send their outputs to KYC exchanges
• Samourai Whirlpool https://docs.samourai.io/en/whirlpool
  – CoinJoin with a variable number of rounds, centralized trustless coordinator
  – CoinJoin keeps running until the output is sent away from Whirlpool (days/months)
  – If you do not run your own full node, the xpub must be provided => privacy risk, decreased anonymity set
    • e.g., Samourai RoninDojo https://ronindojo.io/
  – Clients: Samourai wallet / Whirlpool CLI, Sparrow Wallet (using Samourai code)
• JoinMarket
  – No central coordinator; market Maker(s) run their own full node and provide liquidity
  – CoinJoin transaction creation is coordinated by a Taker, who also pays the fees (on-chain and to the Maker)
  – JoininBox – JoinMarket command-line-focused distribution https://github.com/openoms/joininbox

PayJoin
• PayJoin is a special case of CoinJoin, but with fewer participants (typically only two: sender and receiver) and without equal UTXO sizes
• Faster than CoinJoin, done during a normal payment
• https://cryptotesters.com/blog/what-are-coinjoins-and-how-do-they-improve-bitcoin-privacy

LOCK AND UNLOCK SCRIPTS
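The equal-output idea from the CoinJoin slides above, together with the weakness an analyst exploits in practice (change outputs of unique value), as an added Python example that is not from the slides or from any of the wallets named; participant names and amounts are constructed, and the owner tags exist only so the example can check the analyst's guesses.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: each participant brings UTXOs (sats) and wants one output of the
# common denomination; whatever is left after the fee comes back as a change output.
DENOM = 100_000
FEE = 500                       # per participant, in sats
PARTICIPANTS = {
    'alice': [130_000],
    'bob':   [100_500],         # exact amount: no change output at all
    'carol': [80_000, 40_000],  # two inputs spent together: linkable by the subset sum
}

def build_coinjoin(participants=PARTICIPANTS, denom=DENOM, fee=FEE):
    """Joint transaction as (inputs, outputs), each a list of (value, owner). The owner
    tags only let the example check the analyst's guesses; they are NOT visible on-chain."""
    inputs, outputs = [], []
    for owner, utxos in participants.items():
        total = sum(utxos)
        assert total >= denom + fee, owner
        inputs += [(v, owner) for v in utxos]
        outputs.append((denom, owner))                    # the mixed, equal-value output
        if total - denom - fee > 0:
            outputs.append((total - denom - fee, owner))  # change, unique value
    assert sum(v for v, _ in inputs) - sum(v for v, _ in outputs) == fee * len(participants)
    return inputs, outputs

def anonymity_sets(outputs):
    """Blockchain-only analyst: an output is indistinguishable from every other output of
    the same value, so its anonymity set is the number of equal-valued outputs (1 = unique)."""
    counts = Counter(v for v, _ in outputs)
    return [(v, counts[v]) for v, _ in outputs]

def link_change(inputs, outputs, denom=DENOM, fee=FEE):
    """Subset-sum linking of change outputs: a unique-value output equals
    (sum of some inputs) - denom - fee, which reveals which inputs funded it. Returns
    {change_value: [matching input index tuples]}; ambiguity shows up as several tuples."""
    links = {}
    for value, _ in outputs:
        if value == denom:
            continue
        for r in range(1, len(inputs) + 1):
            for combo in combinations(range(len(inputs)), r):
                if sum(inputs[i][0] for i in combo) - denom - fee == value:
                    links.setdefault(value, []).append(combo)
    return links
```

The mixed outputs share an anonymity set of three, while both change outputs are linked back to exactly the inputs that funded them, which is why Whirlpool keeps remixing and Wasabi 2.0 moves to non-equal outputs.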
Types of receiving “addresses”
• There is no “address” defined in the Bitcoin network
• Standard patterns for constructing the lock script emerged over time
  – e.g., unlock if the signature verifies under the public key stored in the lock script (P2PK)
  – The “address” is the variable part of the lock script, differing between receivers and transactions
• Notation warning: scriptSig (script + signature), scriptPubKey (initial meaning: script + public key == P2PK)
• Well-known standard types of lock scripts
  – Pay-to-public-key (P2PK)
  – Pay-to-public-key-hash (P2PKH, address starts with 1)
  – Pay-to-script-hash (P2SH, BIP16, address starts with 3)
  – OP_RETURN (any data, 40 B)
  – P2WSH nested in P2SH
  – P2SH-P2WPKH, P2SH-P2WSH
  – Native P2WPKH, P2WSH (Bech32, address starts with bc1)
  – Pay-to-Taproot (P2TR, Schnorr signature, address starts with bc1p)
• https://transactionfee.info/charts/output-type-distribution-count/

Pay-to-public-key (P2PK)
• The lock script contains the public key value directly, plus the instructions to push the signature and verify it with that public key
• Used initially by Satoshi and others, now infrequent
• Disadvantage: the public key is visible on-chain, so if a practical discrete-logarithm attack against secp256k1 is found, the private key can be computed

P2PKH – script execution (https://nioctib.tech/) (figure)
• https://nioctib.tech/#/transaction/f2f398dace996dab12e0cfb02fb0b59de0ef0398be393d90ebc8ab397550370b
• https://nioctib.tech/#/transaction/feff813f13340060f641c11ab1307bb1b8cabcdcc3af1aed8a089e38c8407aef
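The P2PK / P2PKH execution described above, as an added Python example (not code from the lecture or from Bitcoin Core): a minimal stack interpreter for the scriptSig + scriptPubKey concatenation, with textbook ECDSA over secp256k1 behind OP_CHECKSIG. It also shows why an OP_RETURN output is unspendable. The key, nonce and transaction digest used in the test are constructed values; the only deviation from Bitcoin is a labelled sha256 stand-in for RIPEMD160 on builds where hashlib lacks it.

```python
import hashlib

# secp256k1 domain parameters (added example: textbook ECDSA, not production code)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    l = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (l * l - a[0] - b[0]) % P
    return (x, (l * (a[0] - x) - a[1]) % P)
def ec_mul(k, pt):  # double-and-add scalar multiplication (not constant-time)
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def encode_pub(pt):  # 33-byte compressed SEC encoding, as pushed on the script stack
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, 'big')
def decode_pub(b):  # recover y from x: sqrt via (P+1)/4 works because P % 4 == 3
    x = int.from_bytes(b[1:], 'big'); y = pow(x**3 + 7, (P + 1) // 4, P)
    return (x, y if (y & 1) == (b[0] & 1) else P - y)
def sign(priv, h, k):  # ECDSA over the tx digest h; k must be secret and unique per signature
    r = ec_mul(k, G)[0] % N
    return (r, pow(k, -1, N) * (h + r * priv) % N)
def verify(pub, h, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def hash160(data):  # RIPEMD160(SHA256(x)) as in Bitcoin
    sha = hashlib.sha256(data).digest()
    try: return hashlib.new('ripemd160', sha).digest()
    except ValueError:  # OpenSSL build without ripemd160: labelled stand-in of the same length
        return hashlib.sha256(sha).digest()[:20]
def run_script(unlock, lock, h):  # scriptSig then scriptPubKey on one stack; True iff spendable
    stack = []
    for op in unlock + lock:
        if not isinstance(op, str): stack.append(op)  # data push (signature, pubkey, hash)
        elif op == 'OP_RETURN': return False  # provably unspendable output
        elif op == 'OP_DUP': stack.append(stack[-1])
        elif op == 'OP_HASH160': stack.append(hash160(stack.pop()))
        elif op == 'OP_EQUALVERIFY':
            if stack.pop() != stack.pop(): return False
        elif op == 'OP_CHECKSIG':
            pub, sig = stack.pop(), stack.pop()
            stack.append(verify(decode_pub(pub), h, sig))
        else: raise ValueError('unsupported opcode ' + op)
    return bool(stack) and stack[-1] is True
def p2pkh_lock(pub_bytes):  # only hash160(pubkey), the variable "address" part, is on-chain
    return ['OP_DUP', 'OP_HASH160', hash160(pub_bytes), 'OP_EQUALVERIFY', 'OP_CHECKSIG']
```

A P2PK lock script is just `[pub_bytes, 'OP_CHECKSIG']`, which is exactly why the public key (and hence the dlog exposure) sits on-chain for every P2PK output.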
OP_RETURN
• If OP_RETURN is encountered during execution of the unlock+lock script, the result is FALSE
  – Such an output is provably unspendable
• Somewhat controversial instruction
  – Some feel that the blockchain should not be used for non-financial data (USDT was initially on Bitcoin via OP_RETURN)
  – But there were already ways to store arbitrary data in the blockchain anyway (e.g., bytes of the value, invalid address)
• Analysis of OP_RETURN data
  – https://www.blockchainresearchlab.org/2020/03/13/how-do-op-return-transactions-impact-bitcoin/
  – https://opreturn.org/
• OP_RETURN data shown on the slide: “charley loves heidi”, https://nioctib.tech/#/transaction/f2f398dace996dab12e0cfb02fb0b59de0ef0398be393d90ebc8ab397550370b

THRESHOLD SIGNATURES VS. MULTISIG VS. MULTI-PARTY COMPUTATION

Shamir secret sharing scheme
• The private key is recovered from multiple shares
  – Then used at a single place
  – An attacker can compromise the private key after its recovery from the shares
• The network is unaware of the key split; a single public key is used in the lock script
• Can be used to back up the wallet seed (e.g., Trezor wallet https://trezor.io/shamir/)
  – n-out-of-n or k-out-of-n

Multisignatures
• Lock script constructed to require multiple signatures (OP_CHECKMULTISIG)
  – Transaction valid only if multiple signers provide signatures in the unlock script
• n-out-of-n or k-out-of-n, https://en.bitcoin.it/wiki/Multisignature
• P2MS, P2MS wrapped in P2SH
  – https://learnmeabitcoin.com/technical/p2ms
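The k-out-of-n Shamir split from the slide above, as an added Python example (not from the lecture or from Trezor's implementation): shares are points on a random polynomial over the secp256k1 group order, so any private-key scalar can be the secret; k shares recover it by Lagrange interpolation, k-1 shares give an unrelated field element. The secret value and the deterministic `rng` used in the test are constructed.

```python
import secrets

# Field: the secp256k1 group order, so any Bitcoin private-key scalar (< N) can be shared.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def split_secret(secret, k, n, rng=secrets.randbelow):
    """k-of-n Shamir split: random polynomial f of degree k-1 with f(0) = secret,
    share i = (i, f(i)). `rng` is injectable only so the example can be tested."""
    assert 0 < k <= n < N and 0 <= secret < N
    coeffs = [secret] + [rng(N) for _ in range(k - 1)]
    def f(x):
        return sum(c * pow(x, j, N) for j, c in enumerate(coeffs)) % N
    return [(i, f(i)) for i in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0. With k correct shares this is the secret; with
    fewer shares it is just another field element, so k-1 shares reveal nothing. The
    network never sees the split, but the recovered key then lives in one place."""
    xs = [x for x, _ in shares]
    assert len(set(xs)) == len(xs), 'duplicate share index'
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        total = (total + yi * num * pow(den, -1, N)) % N
    return total

def backup_and_restore(secret, k, n):
    """Wallet-seed style use: create n shares, lose n-k of them, still restore the secret."""
    shares = split_secret(secret, k, n)
    return recover_secret(shares[:k]) == secret
```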
Secure multi-party computation (MPC)
• A single signature is computed using multiple separated signers
  – Each signer has its own private key
  – An attacker must compromise more than one entity
• Communication between signers
  – During initial key generation
  – Optionally during signing
• Legacy-compatible schemes (produce a valid ECDSA signature)
  – 2-party ECDSA, n-out-of-n or k-out-of-n ECDSA (only since 2016)
• Taproot-compatible schemes (activated since Nov 2021)
  – Schnorr signatures, MuSig2
• https://academy.binance.com/en/articles/threshold-signatures-explained

Frequency of different multisignature scripts
• Cannot tell for Shamir, MPC ECDSA and Schnorr (e.g., MuSig)!
  – The resulting signature is a standard signature, no change to lock/unlock scripts
• Can tell for P2MS
  – Threshold and allowed public keys are inside the lock script
• Can tell for P2SH (if spent)
  – Multisig script and used keys are inside the unlock script
• (analogously for Segwit variants)

Frequency of different multisignature scripts (figure)

ON-CHAIN BITCOIN ALTERNATIVES

Why search for other options (L2/sidechain/altcoins)
• Why something else than on-chain Bitcoin? List of typical “arguments”:
1. Cost of sending a transaction
  – Peak was tens of dollars (for every transfer), variable (now 1 sat/vB), but has to increase in the future
2. Time to confirm a transaction (+ limited block size)
  – 4 blocks inside the chain commonly required, ~10 minutes per block => ~40 min
3. Traceability of transactions
  – Source, destination and amount are on the public ledger
4. Limited scripting language (lock script)
  – For more complicated smart contracts
5. Mining requirements
  – Specialized mining equipment required (ASICs) => may cause centralization if there is not enough of it
  – Proof of Work is energy intensive
• …

ALTCOINS

Why other cryptocurrencies (altcoins)
• Why something else than Bitcoin?
1. Cost of sending a transaction
  – Peak was tens of dollars (for every transfer), variable (now 1 sat/vB), but has to increase in the future
2. Time to confirm a transaction (+ limited block size)
  – 4 blocks inside the chain commonly required, ~10 minutes per block => ~40 min
3. Traceability of transactions
  – Source, destination and amount are on the public ledger
4. Limited scripting language
  – For more complicated smart contracts
5. Specialized mining equipment required
  – Bitcoin mining only possible via ASICs => may cause centralization
  – Proof of Work is energy intensive
• …

(figure, April 2021)

Coin mining algorithm (figure from https://coin360.com/, March 2022)

Other cryptocurrencies (altcoins)
• Copycats (a huge number of them)
  – Take Bitcoin’s source code, change the name and basic parameters (mining algorithm, time and size of block…)
  – E.g., Litecoin
• Bitcoin-style, but adding some distinct features
  – Ethereum: Turing-complete scripting for smart contracts (Ethash mining algorithm), Eth 2.0 move to PoS
  – Zcash: zero-knowledge proofs for sender/receiver/amount (shielded transactions), aims at GPU-friendly mining (Equihash, large memory required)
  – Monero: private transactions via mixing (Ring Confidential Transactions, CryptoNote)
• More traditional styles (Ripple, Stellar…)
  – Somewhat decentralized network of verification nodes (=> faster and cheaper txs)
  – Typically less privacy and less overall resilience against central control
• Stablecoins (USDT, USDC…)
  – Idea: digital equivalent of real dollars stored in a “safe”
  – A new 1 USDT is created when someone deposits $1 with the company, destroyed when $1 is cashed back

Tokens, ICO, DeFi, CBDC…
• Initial Coin Offerings (ICO), boom in 2017
  – Kind of crowdfunding campaign, often via Ethereum smart contracts (ERC-20 contracts)
  – Frequently a scam, frequently large pre-allocation to founders and investors
• Decentralized Finance (DeFi)
  – Smart contract with defined (finance-related) behavior, e.g., lending…
• Non-fungible tokens (NFT)
  – Representation of a physical item on the blockchain
  – Allows passing ownership by “sending” the token to another person
  – Possible on almost any chain (colored coins on Bitcoin)
  – Some chains are built for it intentionally
• Central bank digital currency (CBDC)
  – Permissioned ledger run by central banks
Ethereum basics
• Basic idea: make the script Turing complete
  – Executed by the Ethereum Virtual Machine
  – 256-bit register stack
• Ether (ETH) is the native currency rewarded to miners (PoW, Ethash)
• Gas is the transaction fee paid to miners for a new tx
• Block time is 13 seconds on average
  – But a Difficulty bomb forces periodic protocol updates
• Two types of accounts: users and contracts
• See some example Ethereum scripts at https://remix.ethereum.org/
• Mastering Ethereum, A. Antonopoulos, https://github.com/ethereumbook/ethereumbook

ERC-20 tokens
• Defined in EIP-20 (Ethereum Improvement Proposals):
  – https://ethereum.org/en/developers/docs/standards/tokens/erc-20/
• API for tokens within smart contracts
  – Template contract implementations exist
  – https://academy.binance.com/en/articles/an-introduction-to-erc-20-tokens
  – You need to have ETH in your balance to send/exchange ERC-20 tokens (for gas)
  – To move ERC-20 tokens, the user creates and sends an (Ethereum) transaction to the contract asking it to allocate some of the balance elsewhere
• No sending of ether, but gas is required for inclusion of a transaction with a script, or an interaction with a script, into the blockchain

STARTING NEW COIN

Create own ERC-20 token
• Create your own ERC-20 token: https://vittominacori.github.io/erc20-generator/
• As a result, creating a token with no value is very easy
  – https://medium.com/blocktoken/how-to-launch-your-very-own-useless-erc-20-token-cfdb4100fc1d

Starting a new cryptocoin?
• Own chain or atop an existing one (e.g., ERC-20)?
• Consensus algorithm, cryptography used (e.g., ECDSA vs. Ed25519)
• Parameters of the blockchain (fixed size vs. larger vs. flexible)
• Monetary policy
  – Total coins cap (fixed cap, fixed inflation, variable, stablecoins)
  – Starting conditions: Bitcoin-like, premine, hidden premine, fixed mining fraction for a development foundation…
• Community (serious vs. friendly), promotions
• Level of centralization
  – Also influenced by other parameters: size of chain, type of consensus…
• Attitude towards hardforks vs. softforks (fixed policy vs. changing)
• Transactions on-chain only, or support for second-layer networks?

RUNNING OWN FULL NODE

https://mynodebtc.com (figure)

Mempool statistics https://jochen-hoenicke.de/queue (figure)

Operating own Bitcoin full node with Lightning
• Download the presync part of the blockchain from other myNode instances (2 days)
• Download the rest of the blocks from the Bitcoin P2P network (1-2 days)
• Enable Lightning, create a new wallet, send some sats to it (on-chain)
• Download a Lightning wallet (e.g., BlueWallet, Zap)
• Pair the Lightning wallet with your node
• Open a channel to some other node
  – E.g., Lightning Node Suggestions at https://store.blockstream.com/
  – Opening a channel performs one on-chain transaction
• Analyze all other options in the myNode web GUI!
• Enable Electrum Server, enable BTC RPC Explorer, browse transactions…

IF YOU LIKE TO DIG DEEPER (AND LIGHTER)

Lightning network https://explorer.acinq.co/ (figure)

Opening channel (figure)
• https://blog.usejournal.com/the-bitcoin-lightning-network-a-technical-primer-d8e073f2a82f

Some Lightning topics I.
• Custodial Lightning wallet (e.g., Wallet of Satoshi)
  – The service holds your private key; full trust in the service
• Semi-custodial Lightning wallet (e.g., default BlueWallet, Zap…)
  – Own key, but trust in a 3rd party providing blockchain info
• Non-custodial (e.g., BlueWallet connected to own full node)
  – Own key; blockchain info and monitoring by own full node
• Inbound and outbound capacity of the channel between A and B
  – Initial value is given by the initial on-chain 2-of-2 multisig transaction (x:0, x:y, 0:y)
  – Changes with every off-chain transaction executed (between A and B)

Some Lightning topics II.
• Sentinel service
  – Trustless blockchain observer, broadcasts a justice transaction in case an old state is detected
  – No need for your full node to be always online
• Privacy considerations
  – Most of the transactions are NOT recorded on the blockchain
    • Good for speed as well as privacy
  – Doesn’t mean that payments are not traceable
    • Same as with an internet connection => need to use Tor, ideally mixes…
  – Taproot introduced the ability to open a channel indistinguishable from a normal P2TR output

Lightning network – study more
• Description of Lightning Network basic principles
  – https://blog.usejournal.com/the-bitcoin-lightning-network-a-technical-primer-d8e073f2a82f
• Presentation by the original Lightning creators
  – https://lightning.network/lightning-network.pdf
• List of Lightning nodes ready for channel opening
  – Bottom of https://store.blockstream.com/

Further reading
• Mastering Bitcoin (Andreas M. Antonopoulos and others)
  – https://github.com/bitcoinbook/bitcoinbook
• List of interesting resources
  – https://blockonomi.com/bitcoin-educational-resources/
  – https://learnmeabitcoin.com/, https://learnmeabitcoin.com/technical/

• Place/upvote questions in Slido while listening to the lecture video: #pv204_2022
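The channel capacity and sentinel points from the Lightning slides above, as an added Python toy model (not Lightning's real state machine or any wallet's code): one funding amount fixes the capacity, each off-chain payment shifts inbound/outbound capacity and produces a new numbered state, and a sentinel settles an honest close normally but punishes a close with a revoked older state. Party names and amounts are constructed.

```python
class Channel:
    """Toy model (added example) of a payment channel between two parties funded by one
    on-chain 2-of-2 multisig transaction. Every off-chain payment creates a new numbered
    state and revokes the previous one. Amounts are in sats."""

    def __init__(self, a, b, funding_a, funding_b=0):
        self.capacity = funding_a + funding_b        # fixed by the funding tx until close
        self.balance = {a: funding_a, b: funding_b}  # x:0 (single funder), x:y or 0:y
        self.state = 0                               # commitment number of the latest state
        self.history = [dict(self.balance)]          # state number -> balances (for sentinel)

    def outbound(self, party):  # how much `party` can still send to the peer
        return self.balance[party]

    def inbound(self, party):   # how much `party` can still receive from the peer
        return self.capacity - self.balance[party]

    def can_pay(self, sender, amount):
        return sender in self.balance and 0 < amount <= self.outbound(sender)

    def pay(self, sender, amount):
        """Off-chain update: no on-chain transaction, only the two balances shift."""
        if not self.can_pay(sender, amount):
            raise ValueError('insufficient outbound capacity')
        receiver = next(p for p in self.balance if p != sender)
        self.balance[sender] -= amount
        self.balance[receiver] += amount
        self.state += 1
        self.history.append(dict(self.balance))
        return self.state

def sentinel_settle(channel, broadcaster, broadcast_state):
    """Sentinel/watchtower rule: closing with the latest state is honest; closing with any
    revoked (older) state is punished by a justice transaction that gives the whole channel
    capacity to the other party. Returns the final on-chain balances."""
    if broadcast_state == channel.state:
        return dict(channel.balance)
    if 0 <= broadcast_state < channel.state:
        return {p: (0 if p == broadcaster else channel.capacity) for p in channel.balance}
    raise ValueError('state never existed')
```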