PV204 Security technologies
Bitcoin basics I.
Petr Švenda, svenda@fi.muni.cz, @rngsec
Centre for Research on Cryptography and Security, Masaryk University
https://crocs.fi.muni.cz @CRoCS_MUNI

Please comment on the slides with anything unclear or incorrect, or with suggestions for improvement:
https://drive.google.com/file/d/16zVbDqjxpEgUEAweWTCrijpjvTsONW8h/view?usp=sharing

WHY BITCOIN?
• Especially if you are not interested in Bitcoin.

“Bitcoin fixes everything” meme
[Figure: meme image]
https://twitter.com/DominicFrisby/status/1388448025970884609

Goals for the lecture
• Bitcoin does not fix everything, but it is on the front line
  – No safety net, no chargeback, anonymous attacker => a security technique must really work; great for battle-testing security ideas, a natural “bug bounty program”
• 6 main technical pieces we will cover (also usable outside the Bitcoin world)
  1. How to back up key(s) (single seed, BIP39, Shamir)
  2. How to always make fresh keys (derivation via BIP32, also address privacy)
  3. How to protect the signing key against malware
     • (multisig, hardware wallet, air-gapped PC + tx broadcast, MPC signatures)
  4. How to introduce a restricted signing policy (time, limit… lockscript/multisig)
  5. How to protect your financial privacy (CoinJoin, Tor)
  6. How to use a hardware wallet with a secure element

Motivation example – what are the limitations of this example?
• I have PayPal/Visa/Venmo… why something else, slower, energy intensive…
  – Scenario: bank ledger, user accounts after KYC (ID), transfers between users
  – Complicated
• Problems:
  – Central point of failure (maintenance, server compromise, transaction censorship, no ID, money freeze…)
  – Increasing number of “coins” in the system (inflation)
  – Difficult auditability of the complete current supply (Eurodollar system, dollar-denominated deposits at foreign banks, limited/no reserve requirements…)
Poll: What is your previous exposure to cryptocurrencies? Please check all items which apply to you.

BASICS

[Figure: Bitcoin transaction life cycle, https://livebitnews.com/wp-content/uploads/2017/09/bitcoin-transaction-life-cycle-high-resolution-1.png]
• Wallet
• Address
• Fee
• Transaction
• Signing
• Network nodes
• Block
• Mining
• Proof of Work
• Verification
• Block reward
• Tx confirmation
• And many more…

Main design goals of Bitcoin
1. Decentralization
   – No central authority or intermediary (=> no single point of failure), possibility of self-custody
   – No limitation on network participants (no permission to join is required)
   – Applies to executing a transaction, but also to development, infrastructure, mining…
2. Transparency
   – All transactions recorded on a public ledger; validity of every “bitcoin” easy to verify
   – Total number of bitcoins in circulation easy to assess (monetary policy, fixed supply)
3. Security based on cryptography (mainly signatures, hash functions)
   – Ownership of bitcoins proved only cryptographically (no “chargeback” based on human decision)
   – Protection of bitcoins reduced to protection of private key(s)
4. Pseudonymity of participants
   – bitcoins connected to public keys, not usernames (does not automatically mean anonymity!)

Problems to tackle
• How to prevent double spending?
• How to allow for permissionless participation?
• Who will store the authoritative copy of the public ledger?
• How to prevent modification of ledger history?
• Who will include the next block in the blockchain?
• How to maintain decentralization in the distant future?
• …

Double-spending problem and Bitcoin’s solution
• Digital data are inherently easy to copy perfectly
  – If used as monetary coins, how to prevent double/triple… spending of the same coin?
  – Previous proposals (eCash, B-money, Bit Gold…) required a central party for prevention
• Digital coin X is “spent” by a transaction between users A and B
  – A double spend is another transaction from A to C using the same coin X
• If all transactions are ordered strictly in time, a double spend is not possible
  – The later transaction with the same coin X is invalid
  – Decentralized ordering is costly, as all participants need to agree on the global state
    • If ordered after every transaction => costly and slow
• Bitcoin orders in batches of transactions every 10 minutes on average
  – The user needs to wait one (or more) blocks for ordering (longer => higher certainty)
Where are my bitcoins?
[Figure: block explorer screenshots]
• Public ledger of all transactions (blockchain)
  – Replicated between all Bitcoin fullnodes (P2P network)
• “Bitcoin holdings” = sum of the values of the not-yet-spent transaction outputs you control
  – Unspent Transaction Output (UTXO)
• “Bitcoin receive” operation – generate the variable part of a lockscript (public), share it with the sender and monitor the blockchain for my transaction
• “Bitcoin send” operation – take “your” UTXO and use it as input to a new one
  – Specify the recipient by a script saying what must be done in a future send (lockscript)
  – Typical lockscript is “prove that you can sign with the private key corresponding to THIS public key”
• Protection and handling of private keys is paramount
  – “Not your keys, not your bitcoin!”

UTXO set = all currently valid “bitcoins”
[Figure: UTXO set size chart, https://statoshi.info/d/000000009/unspent-transaction-output-set?orgId=1&refresh=10m&from=1483225200000&to=now]

Heatmap distribution of UTXOs in time and value
[Figure: UTXO heatmap]
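The UTXO model and the ordering argument above are easiest to see in a small ledger simulation. The following Python is an added example, not code from the lecture or from Bitcoin Core: the transaction format, the owner labels that stand in for lockscripts and signatures, the txid construction and the sample values are all constructed for illustration. It shows why a strictly ordered ledger makes the second spend of the same outpoint invalid: the first transaction removes the outpoint from the UTXO set, so the competing one no longer finds it.

```python
"""Toy UTXO ledger (constructed example): the first spend of an outpoint wins."""
from dataclasses import dataclass
import hashlib
import json


@dataclass(frozen=True)
class Outpoint:
    """Reference to one output of a previous transaction (txid + output index)."""
    txid: str
    index: int


@dataclass(frozen=True)
class TxOutput:
    """Value locked to an owner; the owner label stands in for a real lockscript."""
    owner: str
    value: int  # satoshis


@dataclass
class Tx:
    inputs: list   # Outpoints being spent
    outputs: list  # TxOutputs being created
    spender: str   # stands in for the signature in the unlock script (simplification)

    def txid(self) -> str:
        # Constructed: SHA256 of canonical JSON; Bitcoin uses double SHA256 of the raw serialization
        body = json.dumps({"in": [(o.txid, o.index) for o in self.inputs],
                           "out": [(o.owner, o.value) for o in self.outputs],
                           "by": self.spender}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()


class Ledger:
    def __init__(self):
        self.utxo = {}  # Outpoint -> TxOutput, i.e. all currently valid "bitcoins"
        self.log = []   # accepted txids, in the order they were applied

    def coinbase(self, owner: str, value: int) -> Tx:
        """Create new coins (block reward): no inputs, so nothing to double-spend."""
        tx = Tx([], [TxOutput(owner, value)], spender="coinbase")
        self._commit(tx)
        return tx

    def validate(self, tx: Tx):
        """Return None when tx is valid against the current UTXO set, else the rejection reason."""
        seen, total_in = set(), 0
        for op in tx.inputs:
            if op in seen:
                return f"{op} used twice in the same tx"
            seen.add(op)
            out = self.utxo.get(op)
            if out is None:
                return f"{op} is not in the UTXO set (never existed or already spent)"
            if out.owner != tx.spender:
                return f"{op} is locked to {out.owner}, not {tx.spender}"
            total_in += out.value
        total_out = sum(o.value for o in tx.outputs)
        if total_out > total_in:
            return f"outputs {total_out} exceed inputs {total_in}"
        return None  # difference total_in - total_out is the fee

    def apply(self, tx: Tx):
        """Validate and commit in order; a later spend of an already consumed outpoint is rejected."""
        reason = self.validate(tx)
        if reason is None:
            self._commit(tx)
        return reason

    def _commit(self, tx: Tx) -> None:
        for op in tx.inputs:
            del self.utxo[op]                  # spent outputs leave the UTXO set
        txid = tx.txid()
        for i, out in enumerate(tx.outputs):
            self.utxo[Outpoint(txid, i)] = out  # new outputs become spendable
        self.log.append(txid)

    def balance(self, owner: str) -> int:
        return sum(o.value for o in self.utxo.values() if o.owner == owner)


def double_spend_demo():
    """Alice mines one coin and tries to pay the same coin to Bob and then to Carol."""
    ledger = Ledger()
    cb = ledger.coinbase("alice", 50_000)
    coin = Outpoint(cb.txid(), 0)
    to_bob = Tx([coin], [TxOutput("bob", 30_000), TxOutput("alice", 19_000)], spender="alice")  # 1000 sat fee
    to_carol = Tx([coin], [TxOutput("carol", 49_000)], spender="alice")
    first = ledger.apply(to_bob)     # accepted (None)
    second = ledger.apply(to_carol)  # rejected: the coin is no longer in the UTXO set
    return ledger, first, second
```

Running `double_spend_demo()` with the two transactions in the opposite order would accept the payment to Carol and reject the one to Bob; which of the two survives is exactly what block ordering decides, which is why a recipient waits for confirmations.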
• https://utxo.live/
• https://github.com/martinus/BitcoinUtxoVisualizer

Heatmap distribution of UTXOs in time and value (continued)
[Figure: second UTXO heatmap screenshot, same sources as above]

BITCOIN NETWORK
• Problem: How to allow for permissionless participation?
[Figure: diagram of the Bitcoin P2P network: fullnodes holding the blockchain, a SW-only wallet, and a wallet paired with a hardware wallet, each connected to a fullnode]

P2P Bitcoin network map
[Figure: node map, https://bitnodes.io/]
[Figure: histogram of node distribution]

What is a Bitcoin “fullnode”
• Software capable of connecting to and interacting with the P2P network
• Downloads the whole blockchain, fully verifies all blocks (PoW) and transactions starting from the Genesis block (or a trusted checkpoint)
  – Dynamically builds its own UTXO set (unspent txs) and Mempool (unconfirmed txs)
• Propagates new incoming blocks and transactions
• No formal specification of Bitcoin consensus exists
  – Bitcoin Core software is the de facto specification (https://github.com/bitcoin/bitcoin)
  – Other implementations also exist (but the large majority of nodes are Bitcoin Core)
• Currently several days to fully synchronize (CPU/bandwidth), ~465GB
• Can be run over Tor to protect user privacy
• A Bitcoin wallet needs to connect to some fullnode (your own = better privacy)
Networks in Bitcoin (Mainnet, Testnet, Regtest, Signet)
• Mainnet – main, global production network (“real” bitcoins)
• Testnet – testing network (global, some mining happens…)
  – Restarted from time to time, contains many different types and versions of TXs
• Regtest – local instance of the Bitcoin network
  – Used for local testing (integration, regression, debugging)
  – Blockchain started from block 0, you are the only miner
  – (mined bitcoins unusable on Mainnet)
  – You can insert your own transactions, decide on mining new blocks, debug…
• Signet – testing network like Testnet, but with features not yet active on Mainnet
  – Initially for testing Taproot, now for possible future softforks
• (Lightning – second-layer network of payment channels atop mainnet)
  – Practically instant and very low fees, independently of mainnet

Mempool – unconfirmed transactions
• Every fullnode maintains its own list of unconfirmed transactions (mempool)
  – No single global mempool! But local mempools tend to synchronize quickly
• Miners construct the next block from transactions maximizing profit (mostly)
• What if a tx is in a mempool, but with too low a fee (not getting confirmed)?
  1. Child pays for parent – an additional transaction (with a high fee) spending an output of the previous one
  2. Replace By Fee (RBF) flag – a new tx with a higher fee, replaced by nodes
  3. (Wait for purge, pay the miner out of band…)
• If too many unconfirmed txs are present, some existing ones are purged (removed)
  – Default size of the mempool (for Bitcoin Core) is ~300MB
  – Selection depends on configuration (low-fee tx, large tx, old tx)
  – If discarded, it can be re-inserted later from other nodes or resubmitted (by the owner)

Popular mempool explorer – https://mempool.space
[Figure: mempool.space screenshots]
• Can be run on your own fullnode (privacy improvement)
• Testnet version: https://mempool.space/testnet

Mempool size in time
[Figure: mempool size chart]
• Blocksize wars in 2017, blockchain “spamming”, bullrun Dec 2017 (~$20k)
• Bullrun towards May 2021 (~$69k)
• Ordinals/Inscriptions Feb 2023

DEMO: LOOK AT AND COMMENT ON THE CURRENT MEMPOOL STATE

TRANSACTION
Transaction components
• Binary structure optimized for small size (further decreased over time)
  – Version
  – Inputs (bitcoins spent; points to some previous tx output + unlock script)
  – Outputs (bitcoins received; description of the lock script)
  – Locktime (when it starts to be valid; absolute or relative, time or block height)
• Can be created offline, broadcast immediately or later (Lightning)
[Figure: transaction structure screenshots: version, inputs, outputs, locktime]

Various transactions can be created
[Figure: transaction diagrams]
• One input, two outputs + fee (possibly a classic payment)
• Two inputs, one output + fee (possibly a consolidation)
• One input, many outputs, fee (CoinJoin premixing)
• Many inputs, many outputs, fee…
[Figure: four transaction screenshots from a mempool explorer]
• Standard payment (change likely bc1)
• Standard payment (0.04) with consolidation
• Multisig payment (3.87) from multiple inputs
• Consolidation (even annotated with OP_RETURN)

DEMO: LOOK AT CURRENT MEMPOOL TRANSACTIONS (CONFIRMED, UNCONFIRMED)

LOCK AND UNLOCK SCRIPTS
[Figure: transaction structure screenshots: version, locktime]

Types of receiving “addresses”
• There is no “address” defined in the Bitcoin network
• Standard patterns for constructing the lock script emerged over time
  – e.g., unlock if the signature is verifiable with the public key stored in the lock script (P2PK)
  – “Address” is the variable part of the lock script, differing between different receivers / transactions
• Notation warning: scriptSig (script + signature), scriptPubKey (initial meaning: script + public key == P2PK)
• Well-known standard types of lock scripts
  – Pay-to-public-key (P2PK)
  – Pay-to-public-key-hash (P2PKH, starts with 1)
  – Pay-to-script-hash (P2SH, BIP16)
  – OP_RETURN (any data, 40B)
  – Native Pay-to-witness-script-hash (P2WSH, starts with 3)
  – P2WSH-nested-in-P2SH
  – P2SH-P2WPKH, P2SH-P2WSH
  – Native P2WPKH, P2WSH (Bech32, starts with bc1)
  – Pay-to-Taproot (P2TR, Schnorr signature, starts with bc1p)
[Figure: output type distribution chart, https://transactionfee.info/charts/output-type-distribution-count/]

Pay-to-public-key (P2PK), Pay-to-public-key-hash (P2PKH)
• Pay-to-public-key (P2PK)
  – Lock script contains the public key itself and instructions to push the signature and verify it with that public key
  – Used initially by Satoshi and others, now infrequent
  – Disadvantage: if a practical dlog attack against secp256k1 is found, the private key can be computed
• Pay-to-public-key-hash (P2PKH), starts with ‘1’
  – Lock script contains the hash of the public key later used for signature verification
  – Advantage: smaller lockscript, attacker does not know the public key until the output is spent

P2PKH – script execution (https://nioctib.tech/)
[Figure: step-by-step script execution screenshots]
• https://nioctib.tech/#/transaction/f2f398dace996dab12e0cfb02fb0b59de0ef0398be393d90ebc8ab397550370b
• https://nioctib.tech/#/transaction/feff813f13340060f641c11ab1307bb1b8cabcdcc3af1aed8a089e38c8407aef
[Figure: script execution screenshots, continued]

Pay to script hash (P2SH), BIP16, starts with ‘3’
• Lock script separated into two parts
  – 1) commitment to the script (hash value, checked later)
  – 2) actual lock script (its hash value must match the commitment)
• Sending tx sets the output’s scriptPubKey to the commitment
  – Shorter, as only the hash is posted, not the whole lock script
  – Lock script is provided only later, when spending (privacy, fee to be paid)
  – Lock script can have multiple spending paths (Merkle tree) and only the one used is posted (better for privacy)
• Redeeming tx provides the actual lock script + unlock script
[Figure: P2SH script execution screenshots]
• Commitment to script
• Check script hash
• If the initial script structure was a commitment and the value on the stack is true, a special code branch is executed, using the original witness script
• Witness script is executed (here 2-of-3 multisig)
• OP_FALSE is used to push 0 on the stack (multisig bug)

Interesting, non-standard scripts
• SHA1 collision bounty
  – Bitcoins locked to a script requiring two different inputs hashing to the same SHA1 hash
  – Redeemed shortly after Google published the SHA1 collision blocks
    • https://blockstream.info/tx/8d31992805518fd62daa3bdd2a5c4fd2cd3054c9b3dca1d78055e9528cff6adc
    • https://nioctib.tech/#/transaction/f2f398dace996dab12e0cfb02fb0b59de0ef0398be393d90ebc8ab397550370b
  – More details: https://bitcoinjs-guide.bitcoin-studio.com/bitcoinjs-guide/v5/part-three-pay-to-script-hash/puzzles/computational_puzzle_sha1_collision_p2sh.html
  – Similar bounties for
OP_RETURN
[Figure: OP_RETURN output carrying the text “charley loves heidi”, https://nioctib.tech/#/transaction/f2f398dace996dab12e0cfb02fb0b59de0ef0398be393d90ebc8ab397550370b]
• If OP_RETURN is encountered during execution of the unlock+lock script, the result is FALSE
  – Such an output is provably unspendable
• Somewhat controversial instruction
  – Some feel that the blockchain shall not be used for non-financial data (USDT was initially on Bitcoin via OP_RETURN)
  – But there were already ways to store arbitrary data in the blockchain anyway (e.g., bytes of the value field, invalid address)
• Analysis of OP_RETURN data
  – https://www.blockchainresearchlab.org/2020/03/13/how-do-op-return-transactions-impact-bitcoin/
  – https://opreturn.org/
[Figure: OP_RETURN usage chart]

Miniscript (A. Poelstra, P. Wuille, S. Kanjalkar, 2019)
• Language for easier and less error-prone creation of Bitcoin scripts
  – Subset of the Bitcoin script language
  – Human-readable, easy to express complex locking conditions
  – https://bitcoin.sipa.be/miniscript/
• Simple building blocks (policies)
  – Single-key, Multi-key,
  – Time-locks, Check-sequence,
  – Hash-lock…
• Compiler creates the optimal script
  – And a cost analysis
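A minimal stack interpreter makes the script-evaluation slides concrete. The Python below is an added example, not the lecture's or Bitcoin Core's code: it implements only the opcodes needed for the SHA1 collision puzzle (the well-known `OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA1 OP_SWAP OP_SHA1 OP_EQUAL` redeem script), for a SHA256 hash-lock of the kind Miniscript's hash-lock policy compiles to, and for OP_RETURN. The P2SH wrapper (the OP_HASH160 commitment check) and OP_CHECKSIG are left out because they need RIPEMD-160 and ECDSA. All inputs are constructed samples; no real SHA1 collision is embedded, so the puzzle is only shown rejecting equal and non-colliding inputs.

```python
"""Toy Bitcoin Script interpreter (constructed example) for hash-based lock scripts."""
import hashlib


class ScriptFailure(Exception):
    """Raised when execution must stop with the script marked invalid."""


def cast_to_bool(item: bytes) -> bool:
    """Bitcoin's CastToBool: empty, zero, and 'negative zero' (0x80 as last byte) are false."""
    for i, b in enumerate(item):
        if b != 0:
            return not (i == len(item) - 1 and b == 0x80)
    return False


def execute(script, stack):
    """Run one script (list of opcode names and bytes pushes) over a stack, in place."""
    def pop(n=1):
        if len(stack) < n:
            raise ScriptFailure(f"{op}: stack underflow")
        return [stack.pop() for _ in range(n)]  # top of stack first

    for op in script:
        if isinstance(op, bytes):
            stack.append(op)                     # data push
        elif op == "OP_RETURN":
            raise ScriptFailure("OP_RETURN executed")  # output is provably unspendable
        elif op == "OP_DUP":
            (a,) = pop(); stack += [a, a]
        elif op == "OP_2DUP":
            b, a = pop(2); stack += [a, b, a, b]
        elif op == "OP_SWAP":
            b, a = pop(2); stack += [b, a]
        elif op == "OP_DROP":
            pop()
        elif op == "OP_SHA1":
            (a,) = pop(); stack.append(hashlib.sha1(a).digest())
        elif op == "OP_SHA256":
            (a,) = pop(); stack.append(hashlib.sha256(a).digest())
        elif op == "OP_HASH256":
            (a,) = pop(); stack.append(hashlib.sha256(hashlib.sha256(a).digest()).digest())
        elif op == "OP_EQUAL":
            b, a = pop(2); stack.append(b"\x01" if a == b else b"")
        elif op == "OP_EQUALVERIFY":
            b, a = pop(2)
            if a != b:
                raise ScriptFailure("OP_EQUALVERIFY failed")
        elif op == "OP_NOT":
            (a,) = pop(); stack.append(b"" if cast_to_bool(a) else b"\x01")
        elif op == "OP_VERIFY":
            (a,) = pop()
            if not cast_to_bool(a):
                raise ScriptFailure("OP_VERIFY failed")
        else:
            raise ScriptFailure(f"unsupported opcode {op}")
    return stack


def spend(unlock_script, lock_script):
    """Classic evaluation: unlock script first, then the lock script on the resulting stack.
    Returns (True, 'ok') when the output may be spent, else (False, reason)."""
    try:
        stack = execute(unlock_script, [])
        stack = execute(lock_script, stack)
    except ScriptFailure as e:
        return False, str(e)
    if not stack or not cast_to_bool(stack[-1]):
        return False, "top of stack is false"
    return True, "ok"


# Redeem script of the SHA1 collision bounty: two *different* inputs with the same SHA1.
SHA1_BOUNTY = ["OP_2DUP", "OP_EQUAL", "OP_NOT", "OP_VERIFY", "OP_SHA1", "OP_SWAP", "OP_SHA1", "OP_EQUAL"]


def hash_lock(digest: bytes):
    """Hash-lock policy: spendable by whoever reveals the SHA256 preimage of digest."""
    return ["OP_SHA256", digest, "OP_EQUAL"]


OP_RETURN_OUTPUT = ["OP_RETURN", b"charley loves heidi"]  # data output, never spendable


def demo():
    secret = b"constructed preimage"  # constructed sample, stands in for a real secret
    digest = hashlib.sha256(secret).digest()
    return {
        "same_input": spend([b"abc", b"abc"], SHA1_BOUNTY),       # rejected by OP_VERIFY
        "distinct_inputs": spend([b"abc", b"abd"], SHA1_BOUNTY),  # no collision -> false
        "hashlock_right": spend([secret], hash_lock(digest)),
        "hashlock_wrong": spend([b"guess"], hash_lock(digest)),
        "op_return": spend([b"anything"], OP_RETURN_OUTPUT),
    }
```

The puzzle's `OP_EQUAL OP_NOT OP_VERIFY` prefix is what makes it a collision bounty rather than a trivial one: without it, pushing the same value twice would satisfy the final `OP_EQUAL`.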
Miniscript examples
[Figure: Miniscript policy examples]
• A 3-of-3 that turns into a 2-of-3 after 90 days
• A single key

BLOCKS AND MINING

Problem: Who will include the next block in the blockchain?
• Transactions (state updates) have to be included somehow into a block to be “permanently” valid
• The entity including a new block has a special position and power
  – Can decide which transactions (state updates) will be included
    • May lead to censorship of certain transactions
    • May lead to transaction reordering impacting the financial value (e.g. MEV)
  – Can decide where the new block is appended
    • Shall be the last previous block, but can cause malicious forks abandoning part of the previously extended blockchain (e.g., 51% attack to rewrite history)
  – Typically receives some reward (motivation for participation)
    • May cause long-term centralized accumulation of the underlying token

Who can include the next block in the blockchain?
• Proof of Work (PoW; Bitcoin, Ethereum 1.0, Zcash…)
  – The solver of a computationally hard puzzle can include the new block
• Proof of Stake (PoS; Zcoin, Cardano, BNB, Ethereum 2.0…)
  – The more coins you own, the higher the probability you will be selected to include the next block
  – Various variants, stake pools…
• Merged Mining (Namecoin…)
  – Hash of a block from the chain is included in the coinbase tx of another chain (typically Bitcoin)
  – The chain does not perform its own mining; Bitcoin miners get a reward for the inclusion of other chains
• Proof of Proof (PoP)
  – Hash of a block from the other chain is included in a Bitcoin transaction (typically OP_RETURN)
  – Security of the other chain is improved by the security of the Bitcoin blockchain
• Proof of Authority (PoA)
  – A small number of trusted actors create new blocks
We will focus mainly on Proof of Work as used in Bitcoin

Bitcoin block
[Figure: block structure, https://blockgeeks.com/]
• Header (80 B) + data (up to ~4MB)
  – Version
  – Previous block hash (linking to the past blockchain)
  – Merkle root of all included transactions (Coinbase tx + others)
  – Timestamp (unix time)
  – Bits (specification of the required mining difficulty)
  – Nonce (variable part to mine, now insufficient)
• Coinbase transaction (reward for miners, emission of new bitcoins)
  – First transaction in every block (only one)
  – Only one input, previous TX ID = 0x0000..00, prev. TX index = 0xffffffff
  – (Typically) equal to block reward + all fees from included transactions

Coin mining algorithm
[Figure: https://coin360.com/]
[Figure: coin360 screenshot]

Mining in Proof of Work chains
• Crucial for the security of the blockchain (no rewrite of history)
• Initially on CPU (Satoshi: everyone can participate, 1 CPU 1 vote)
• CPU → GPU → FPGA → ASIC
• Initially solo mining, later collaborative mining (too little chance alone)
• First mining pool: SlushPool in Prague (now Braiins Pool)
  – Miners join their hashrate; fraction of the reward based on the number of partial solutions
• Cambridge University Centre for Alternative Finance (CBECI)
  – Where are the miners? https://cbeci.org/mining_map/
  – More mining details: https://cbeci.org/cbeci/methodology

Miner reward – coinbase output: block reward + fees
[Figure: coinbase amount chart, https://transactionfee.info/charts/block-coinbase-amount/?start=2009-01-09]
• Reward halving
  – Every ~4 years
  – Block reward drops to ½
  – Last halving in year 2140

Hashrate in time (~320 EH/s = 3.2·10^20 hash/sec = 2^66 /sec)
[Figure: hashrate and difficulty chart]
(chart: https://mempool.space/graphs/mining/hashrate-difficulty#all)

Blockchain forks (figure: table of recent stale blocks from https://forkmonitor.info/nodes/btc)
•Occasional natural forks happen when two miners find a valid block at nearly the same time
–(not to be confused with soft forks, which are backward-compatible changes of the consensus rules)
•Quickly resolved, usually by the next block: nodes follow the chain with the most accumulated work, and the losing block becomes stale
•A temporary double-spend can occur meanwhile
–The same input is spent by different transactions in the two competing blocks; only the one on the surviving branch remains valid, which is why recipients wait for several confirmations
•https://forkmonitor.info/nodes/btc

DEMO: SHOW DIFFICULTY ADJUSTMENT

Difficulty adjustment
•Bitcoin shall have one block every ten minutes (on average)
•Block hash must start with a specific number of leading zero bits (March 2023: ~75 binary zeros, i.e. the hash must be below a target of roughly 2^181)
–Miners change a part of the block header (nonce, coinbase extraNonce, timestamp) to try different hashes until one below the target is found
•How to specify the number of leading zeroes for decades into the future?
–The rate at which new blocks are found depends on the total network hashrate
–Total hashrate depends on technology advances (hashes per chip) and on the number of chips deployed
–Impossible to predict technology and interest into the distant future
–If the required number of zeros is too low, blocks are found too fast (and vice versa)
•Idea of difficulty adjustment (part of the consensus protocol), https://en.bitcoin.it/wiki/Difficulty
–Every 2016 blocks (which should take ~14 days at 10 min/block), compare the time the finished period actually took with the expected 14 days
  •New target = old target × (actual time / expected time); the ratio is clamped to at most ×4 or ÷4 per period, and the target is never allowed above the genesis (minimum-difficulty) target
  •Implementation quirk: Bitcoin Core measures the span between the first and the last block of the period, i.e. over 2015 intervals rather than 2016; this off-by-one is kept for consensus compatibility
–Every full node recomputes the expected difficulty deterministically from the chain; a block whose "bits" claims an easier target (fewer zeros) than required is rejected
•Block hash, read as a 256-bit integer, must be ≤ the "Target" (computed to keep ~1 block / 10 min on average)
–"Target" is encoded as "Bits": a compact 4-byte floating-point form with a 3-byte coefficient (mantissa) and a 1-byte exponent; target = coefficient × 256^(exponent − 3)
–Difficulty is relative: difficulty = (target of the genesis block) / (current target), so difficulty 1 is the genesis target and each halving of the target doubles the difficulty

China mining dominance (09/2019 → 04/2020: 75.6% → 65%)
(figure: CBECI mining-share tables for 09/2019 and 04/2020)

Bitcoin mining map (January 2022) (figure: CBECI mining map)
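The retarget rule from the difficulty-adjustment slide above, as an added worked example (not the lecture's demo and not Bitcoin Core's code, though it mirrors Core's integer arithmetic and the compact "bits" encoding). It converts between target and bits in both directions, applies the ×4/÷4 clamp and the proof-of-work limit, documents the 2015-interval off-by-one, and shows how the target translates into the expected number of hashes per block. The timestamps in the scenario at the bottom are constructed; the `bits_to_target` helper repeats the short one from the block-header example so that this block runs on its own.

```python
"""Bitcoin difficulty retarget: the rule every full node applies every 2016 blocks (added example)."""

RETARGET_INTERVAL = 2016                 # blocks per difficulty period
TARGET_TIMESPAN = 14 * 24 * 60 * 60      # 1,209,600 s: 2016 blocks at 10 minutes each
POW_LIMIT_BITS = 0x1d00ffff              # easiest allowed target on mainnet (= genesis target)
MAX_TARGET = 0xffff << 208               # the same value as a 256-bit integer


def bits_to_target(bits: int) -> int:
    """Compact 'bits' -> 256-bit target: 3-byte mantissa * 256^(exponent - 3)."""
    exponent, mantissa = bits >> 24, bits & 0x00FFFFFF
    return mantissa << (8 * (exponent - 3)) if exponent > 3 else mantissa >> (8 * (3 - exponent))


def target_to_bits(target: int) -> int:
    """Inverse of bits_to_target, mirroring arith_uint256::GetCompact in Bitcoin Core.

    The mantissa is truncated to 3 bytes; bit 0x00800000 is the sign bit of the compact
    format, so a mantissa with that bit set is shifted right and the exponent bumped.
    """
    size = (target.bit_length() + 7) // 8
    if size <= 3:
        compact = target << (8 * (3 - size))
    else:
        compact = target >> (8 * (size - 3))
    if compact & 0x00800000:
        compact >>= 8
        size += 1
    return compact | (size << 24)


def difficulty(bits: int) -> float:
    """Difficulty relative to the genesis target."""
    return MAX_TARGET / bits_to_target(bits)


def retarget(last_bits: int, first_block_time: int, last_block_time: int) -> int:
    """New 'bits' for the next period.

    first_block_time is the timestamp of block (last_height - 2015), the first block of the
    period that just ended, so the measured span covers 2015 intervals rather than 2016:
    Bitcoin Core's well-known off-by-one, kept because changing it would be a hard fork.
    """
    actual = last_block_time - first_block_time
    # Clamp: the target (and thus difficulty) moves at most 4x in either direction per period.
    actual = max(TARGET_TIMESPAN // 4, min(TARGET_TIMESPAN * 4, actual))
    new_target = bits_to_target(last_bits) * actual // TARGET_TIMESPAN   # integer math, as in Core
    new_target = min(new_target, bits_to_target(POW_LIMIT_BITS))         # never easier than the limit
    return target_to_bits(new_target)


def expected_hashes_per_block(bits: int) -> int:
    """Average number of hashes needed to find a block: 2^256 / target (about difficulty * 2^32)."""
    return 2**256 // bits_to_target(bits)


def is_retarget_height(height: int) -> bool:
    """True for the first block of a new period, the block that carries the newly computed 'bits'."""
    return height % RETARGET_INTERVAL == 0


if __name__ == "__main__":
    t0 = 1_600_000_000   # constructed timestamp of the first block of a period
    # Period took 7 days instead of 14: target halves, difficulty doubles.
    fast = retarget(0x1d00ffff, t0, t0 + TARGET_TIMESPAN // 2)
    print(hex(fast), difficulty(fast))                    # 0x1c7fff80 2.0
    # Period took only 1 day: the change is clamped to 4x, not 14x.
    very_fast = retarget(0x1d00ffff, t0, t0 + 86_400)
    print(hex(very_fast), difficulty(very_fast))          # 0x1c3fffc0 4.0
    # Hashrate vanished (period took 140 days): clamp says 4x easier, but the limit wins.
    slow = retarget(0x1d00ffff, t0, t0 + 10 * TARGET_TIMESPAN)
    print(hex(slow), difficulty(slow))                    # 0x1d00ffff 1.0
    print(expected_hashes_per_block(0x1d00ffff))          # 4295032833, about 2^32 at difficulty 1
```

The clamp is what limits how fast an attacker (or a sudden hashrate exodus, as after China's 2021 ban) can move the difficulty: even with complete control of block timestamps the difficulty changes at most fourfold per 2016 blocks, and the timestamp itself is further constrained by the median-time-past and future-drift rules that nodes enforce on each block.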
(figure: CBECI histogram of hashrate share by country)
•China used to be the largest
–>80% (until 2018, then a slow decrease)
–Mining ASICs are made in China
•China evicted "all" miners in May 2021
–Officially 0% (unofficially still active)
–Now coming back: 21.11%
•Resulted in a strong increase elsewhere:
–US 37.84%, Kazakhstan 13.22%
–Canada 6.48%, other 9% …
https://cbeci.org/mining_map/

Is Bitcoin mining wasteful?
•Heavily discussed topic ("Bitcoin will boil the oceans by 2020")
•Some questions to ask (do your own research!)
–What value do you get for the energy expended? (a neutral, decentralized monetary system)
–Miners want the cheapest energy available to maximize profit => they seek energy nobody else wants, i.e. otherwise wasted energy
–What is the source of the energy used? (industry estimates claim 60–70% "green" energy for BTC mining, driven by its low cost; independent estimates differ)
–Can mining help stabilize an electrical grid with intermittent (solar, wind) sources? (mining ASICs can be switched on and off instantly, consuming only cheap, i.e. not otherwise demanded, energy)
–How long is mining hardware profitable before it is dismantled? (depends on the energy price; 5+ years)
–Can miners finance the construction of energy sources (hydro…) in places otherwise not financially viable (stranded energy)?
–Can miners incentivize a higher share of intermittent (solar, wind) sources? (does a bigger plant pay off even when sun/wind is low?)

Interesting stats about mined transactions
•https://forkmonitor.info/nodes/btc
•https://transactionfee.info/
•https://cryptobriefing.com/unpacking-bitcoins-recent-double-spend-event
Warning: Why not put "blockchain" everywhere?
•"Blockchain not Bitcoin", "Blockchainize everything"… claims
•Permissionless distributed consensus on a global state is very expensive
–Confirmation time, storage space, energy expenditure (PoW)…
–Most applications do not need it!
–Especially when the other components of the application are centralized (development, governance decisions, data storage…): a single party that controls those can also control the state, so the blockchain adds cost without removing the trust assumption

Study materials
•Mandatory reading
–Bitcoin's Academic Pedigree (Arvind Narayanan, Jeremy Clark)
  •https://dl.acm.org/doi/10.1145/3132259 (copy in IS)
  •Explanation of the roots of Bitcoin's key components
•If you were not familiar with the basics of Bitcoin before
–Watch "But how does bitcoin actually work?" by 3Blue1Brown (26 min)
  •https://www.youtube.com/watch?v=bBC-nXj3Ng4
–Read the Hello Bitcoin slides (including the notes under every slide)
  •From https://www.hellobitco.in/, copy of the slides in IS

Further reading
•Mastering Bitcoin (Andreas M. Antonopoulos and others)
–https://github.com/bitcoinbook/bitcoinbook
•Programming Bitcoin (Jimmy Song)
–https://github.com/jimmysong/programmingbitcoin
•List of interesting resources
–https://blockonomi.com/bitcoin-educational-resources/
–https://learnmeabitcoin.com/, https://learnmeabitcoin.com/technical/
(figure: book covers of Mastering Bitcoin and Programming Bitcoin)

THANK YOU FOR COMING, SEE YOU NEXT WEEK