PV204 Security technologies
Bitcoin basics I.
Petr Švenda, svenda@fi.muni.cz, @rngsec
Centre for Research on Cryptography and Security, Masaryk University
https://crocs.fi.muni.cz @CRoCS_MUNI

Please comment on the slides with anything unclear, incorrect or suggestions for improvement: https://drive.google.com/file/d/16zVbDqjxpEgUEAweWTCrijpjvTsONW8h/view?usp=sharing

WHY BITCOIN?
Especially if you are not interested in Bitcoin.

“Bitcoin fixes everything” meme
https://twitter.com/DominicFrisby/status/1388448025970884609

Goals for the lecture
• Bitcoin does not fix everything, but it is on the front line
  – No safety net, no chargeback, anonymous attacker => a security technique must really work; great for battle-testing security ideas, a natural “bug bounty program”
• 6 main tech pieces we will cover (also usable outside the Bitcoin world)
  1. How to back up key(s) (single seed, BIP39, Shamir)
  2. How to always make fresh keys (derivation via BIP32, also address privacy)
  3. How to protect the signing key against malware
     • (multisig, hardware wallet, air-gapped PC + tx broadcast, MPC signatures)
  4. How to introduce a restricted signing policy (time, limit… lockscript/multisig)
  5. How to protect your financial privacy (CoinJoin, Tor)
  6. How to use a hardware wallet with a secure element

Poll: What is your previous exposure to cryptocurrencies? Please check all items which apply to you.

BASICS
(Figure: Bitcoin transaction life cycle, https://livebitnews.com/wp-content/uploads/2017/09/bitcoin-transaction-life-cycle-high-resolution-1.png)
• Wallet
• Address
• Fee
• Transaction
• Signing
• Network nodes
• Block
• Mining
• Proof of Work
• Verification
• Block reward
• Tx confirmation
• And many more…

Main design goals of Bitcoin
1. Decentralization
   – No central authority or intermediary (=> no single point of failure), possibility of self-custody
   – No limitation on network participants (no permission to join is required)
   – Applies to executing a transaction, but also to development, infrastructure, mining…
2. Transparency
   – All transactions are recorded on a public ledger; validity of every “bitcoin” is easy to verify
   – Total number of bitcoins in circulation is easy to assess (monetary policy, fixed supply)
3. Security based on cryptography (mainly signatures, hash functions)
   – Ownership of bitcoins is proved only cryptographically (no “chargeback” based on human decision)
   – Protection of bitcoins is reduced to protection of private key(s)
4. Pseudonymity of participants
   – bitcoins are connected to public keys, not usernames (does not automatically mean anonymity!)

Problems to tackle
• How to prevent double spending?
• How to allow for permissionless participation?
• Who will store the authoritative copy of the public ledger?
• How to prevent modification of ledger history?
• Who will include the next block in the blockchain?
• How to maintain decentralization in the distant future?
• …

Double-spending problem and Bitcoin’s solution
• Digital data are inherently easy to copy perfectly
  – If used as monetary coins, how to prevent double/triple… spending of the same coin?
  – Previous proposals (eCash, B-money, Bit Gold…)
    required a central party for prevention
• Digital coin X is “spent” by a transaction between users A and B
  – A double spend is another transaction from A to C using the same coin X
• If all transactions are strictly ordered in time, a double spend is not possible
  – The later transaction with the same coin X is invalid
  – Decentralized ordering is costly, as all participants need to agree on the global state
    • If ordered after every transaction => costly and slow
  – Bitcoin orders transactions in batches, every 10 minutes on average
    • User needs to wait one (or more) blocks for ordering (longer => higher certainty)

Where are my bitcoins?
• Public ledger of all transactions (blockchain)
  – Replicated between all Bitcoin fullnodes (P2P network)
• “Bitcoin holdings” = sum of the values of not-yet-spent transaction outputs you control
  – Unspent Transaction Output (UTXO)
• “Bitcoin receive” operation – generate the variable part of the lockscript (public) and share it with the sender + monitor the blockchain for my transaction
• “Bitcoin send” operation – take “your” UTXO and use it as input to a new one
  – Specify the recipient by a script stating what must be done in a future send (lockscript)
  – Typical lockscript is “prove that you can sign with the private key corresponding to THIS public key”
• Protection and handling of private keys is paramount
  – “Not your keys, not your bitcoin!”

UTXO set = all currently valid “bitcoins”
https://statoshi.info/d/000000009/unspent-transaction-output-set?orgId=1&refresh=10m&from=1483225200000&to=now

Heatmap distribution of UTXOs in time and value
https://utxo.live/
https://github.com/martinus/BitcoinUtxoVisualizer

BITCOIN NETWORK
Problem: How to allow for permissionless participation?
(Figure: fullnodes forming the Bitcoin P2P network, each with its copy of the blockchain; a SW-only wallet and a wallet with a hardware wallet)

P2P Bitcoin network map: https://bitnodes.io/

What is a Bitcoin “fullnode”
• Software capable of connecting to and interacting with the P2P network
• Downloads the whole blockchain, fully verifies all blocks (PoW) and transactions starting from the Genesis block (or a trusted checkpoint)
  – Dynamically builds its own UTXO set (unspent txs) and Mempool (unconfirmed txs)
• Propagates new incoming blocks and transactions
• No formal specification of Bitcoin consensus exists
  – Bitcoin Core software is the de facto specification (https://github.com/bitcoin/bitcoin)
  – Other implementations also exist (but the large majority of nodes are Bitcoin Core)
• Currently several days to fully synchronize (CPU/bandwidth), ~465GB
• Can be run over Tor to protect user privacy
• A Bitcoin wallet needs to connect to some fullnode (your own = better privacy)

Networks in Bitcoin (Mainnet, Testnet, Regtest, Signet)
• Mainnet – main, global production network (“real” bitcoins)
• Testnet – testing network (global, some mining happens…)
  – Restarted from time to time, contains many different types and versions of TXs
• Regtest – local instance of the Bitcoin network
  – Used for local testing (integration, regression, debugging)
  – Blockchain started from block 0, you are the only miner (mined bitcoins unusable on Mainnet)
  – You can insert your own transactions, decide on mining new blocks, debug…
• Signet – testing network like Testnet, but with features not yet active on Mainnet
  – Initially for testing Taproot, now for possible future softforks
• (Lightning – second-layer network of payment channels atop mainnet)
  – Practically instant and very low fees, independent of mainnet

Mempool – unconfirmed transactions
• Every fullnode maintains its own list of
  unconfirmed transactions (mempool)
  – No single global mempool! But local mempools tend to synchronize quickly
• Miners construct the next block from transactions maximizing profit (mostly)
• What if a tx is in a mempool, but with too low a fee (not getting confirmed)?
  1. Child pays for parent – an additional transaction spending an output of the previous one (high fee)
  2. Replace By Fee (RBF) flag – a new tx, but with a higher fee, replaces the old one in nodes’ mempools
  3. (Wait for purge, pay the miner out of band…)
• If too many unconfirmed txs are present, some existing ones are purged (removed)
  – Default size of the mempool (for Bitcoin Core) is ~300MB
  – Selection depends on configuration (low-fee tx, large tx, old tx)
  – If discarded, it can be re-inserted later from other nodes or resubmitted (by the owner)

Popular mempool explorer – https://mempool.space
• Can be run on your own fullnode (privacy improvement)
• Testnet version: https://mempool.space/testnet

Mempool size in time (figure)
• Blocksize wars in 2017, blockchain “spamming”, bull run Dec 2017 (~$20k)
• Bull run towards May 2021 (~$69k)
• Ordinals/Inscriptions Feb 2023

DEMO: LOOK AT AND COMMENT ON THE CURRENT MEMPOOL STATE

TRANSACTION

Transaction components
• Binary structure optimized for small size (further decreased over time)
  – Version
  – Inputs (bitcoins spent, points to some previous tx output + unlock script)
  – Outputs (bitcoins received, description of lock script)
  – Locktime (when the tx starts to be valid; absolute or relative, time or block height)
• Can be created offline, broadcast immediately or later (Lightning)
(Figure: transaction structure – Version, Inputs, Outputs, Locktime)

Various transactions can be created
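The mempool rules from the slides above (a second spend of the same outpoint is a double spend, replace-by-fee, child-pays-for-parent block selection) in one runnable toy, added here as an example; it is neither the deck's nor Bitcoin Core's code. It assumes string outpoints "txid:n", fees in satoshi, sizes in vbytes and a package of a tx plus its direct unconfirmed parents; the transactions and the UTXO set are constructed.

```python
from dataclasses import dataclass

# Added toy mempool, not Bitcoin Core's code. Assumptions: outpoints are "txid:n" strings,
# fees in satoshi, sizes in vbytes, a package is a tx plus its direct unconfirmed parents,
# and a replaced transaction's own children are not evicted (simplification).
@dataclass
class Tx:
    txid: str
    inputs: list        # outpoints this transaction spends
    fee: int
    vsize: int
    rbf: bool = False   # BIP125 opt-in replace-by-fee signalled
class Mempool:
    def __init__(self, confirmed_utxo):
        self.utxo = set(confirmed_utxo)   # confirmed unspent outpoints (constructed)
        self.txs = {}                     # txid -> Tx
        self.spent_by = {}                # outpoint -> txid of the mempool tx spending it

    def accept(self, tx):
        """Return 'accepted' or the reason for rejection."""
        for o in tx.inputs:   # input must be confirmed or created by a mempool parent
            if o not in self.utxo and o.split(":")[0] not in self.txs:
                return "missing input"
        conflicts = {self.spent_by[o] for o in tx.inputs if o in self.spent_by}
        for old in (self.txs[c] for c in conflicts):   # second spend of the same outpoint
            if not old.rbf:
                return "double spend rejected"
            if tx.fee <= old.fee or tx.fee * old.vsize <= old.fee * tx.vsize:
                return "replacement pays too little"   # needs higher fee AND feerate
        for c in conflicts:   # RBF: the replaced transaction leaves the mempool
            for o in self.txs.pop(c).inputs:
                del self.spent_by[o]
        self.txs[tx.txid] = tx
        for o in tx.inputs:
            self.spent_by[o] = tx.txid
        return "accepted"
    def block_template(self, max_vsize):
        """Greedy by package feerate: a high-fee child pulls in its low-fee parent (CPFP)."""
        chosen, used, remaining = [], 0, dict(self.txs)
        def package(tx):   # tx plus its direct unconfirmed parents not yet selected
            return [self.txs[p] for p in {i.split(":")[0] for i in tx.inputs} if p in self.txs and p not in chosen] + [tx]
        def feerate(tx):
            pkg = package(tx)
            return sum(x.fee for x in pkg) / sum(x.vsize for x in pkg)
        while remaining:
            pkg = package(max(remaining.values(), key=feerate))
            if used + sum(x.vsize for x in pkg) > max_vsize:
                break   # greedy: stop at the first package that does not fit
            for x in pkg:
                chosen.append(x.txid); used += x.vsize; remaining.pop(x.txid, None)
        return chosen
```

With a 1 sat/vB parent and a 14 sat/vB child, the parent alone would be selected last, but the package feerate of 7.5 sat/vB pulls it into the template ahead of cheaper transactions.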
(Figure: transaction shapes)
• One input, two outputs + fee (possibly a classic payment)
• Two inputs, one output + fee (possibly consolidation)
• One input, many outputs, fee (CoinJoin premixing)
• Many inputs, many outputs, fee…

(Figure: example transactions)
• Standard payment (change likely bc1)
• Standard payment (0.04) with consolidation
• Multisig payment (3.87) from multiple inputs
• Consolidation (even annotated with OP_RETURN)

DEMO: LOOK AT CURRENT MEMPOOL TRANSACTIONS (CONFIRMED, UNCONFIRMED)

LOCK AND UNLOCK SCRIPTS
(Figure: transaction structure – Version, Inputs, Outputs, Locktime)

Types of receiving “addresses”
• There is no “address” defined in the Bitcoin network
• Standard patterns for how to construct the lock script emerged over time
  – e.g., unlock if the signature is verifiable with the public key stored in the lock script (P2PK)
  – “Address” is the variable part of the lock script, differing between receivers / transactions
• Notation warning: scriptSig (script + signature), scriptPubKey (initial meaning: script + public key == P2PK)
• Well-known standard types of lock scripts
  – Pay-to-public-key (P2PK)
  – Pay-to-public-key-hash (P2PKH, starts with 1)
  – Pay-to-script-hash (P2SH, BIP16)
  – OP_RETURN (any data, 40B)
  – Native Pay-to-witness-script-hash (P2WSH, starts with 3)
  – P2WSH-nested-in-P2SH – P2SH-P2WPKH, P2SH-P2WSH
  – Native P2WPKH, P2WSH (Bech32, starts with bc1)
  – Pay-to-Taproot (P2TR, Schnorr signature, starts with bc1p)
Output type distribution: https://transactionfee.info/charts/output-type-distribution-count/
(Figure: outputs and inputs)

Pay-to-public-key (P2PK), Pay-to-public-key-hash (P2PKH)
• Pay-to-public-key (P2PK)
  – Lock script contains the direct value of the public key and instructions to push the signature and verify it with the public key
  – Used initially by Satoshi and others, now infrequent
  – Disadvantage: if a practical dlog attack against secp256k1 is found, the private key can be computed
• Pay-to-public-key-hash (P2PKH), starts with ‘1’
  – Lock script contains the hash of the public key later used for signature verification
  – Advantage: smaller lockscript; the attacker does not know the public key until the output is spent

P2PKH – script execution (https://nioctib.tech/)
https://nioctib.tech/#/transaction/f2f398dace996dab12e0cfb02fb0b59de0ef0398be393d90ebc8ab397550370b
https://nioctib.tech/#/transaction/feff813f13340060f641c11ab1307bb1b8cabcdcc3af1aed8a089e38c8407aef

Pay to script hash (P2SH), BIP16, starts with ‘3’
• Lock script separated into two parts
  – 1) commitment to the script (hash value, checked later)
  – 2) actual lock script (its hash value must match the commitment)
• Sending tx sets the output’s scriptPubKey to the commitment
  – Shorter, as only the hash is posted, not the whole lock script
  – Lock script is provided only later, when spending (privacy, fee to be paid)
  – Lock script can have multiple spending paths (Merkle tree) and only the one used is posted (better for privacy)
• Redeeming tx provides the actual lock script + unlock script
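A toy stack interpreter for the P2PKH and P2SH execution described above, which also covers the OP_0 dummy consumed by OP_CHECKMULTISIG and the OP_RETURN case discussed on the following slides; it is an added example, not the deck's or Bitcoin Core's code. It assumes SHA-256 in place of HASH160, constructed (sig, pubkey) pairs in place of ECDSA verification, and a tuple passed through repr() as the "serialized" redeem script.

```python
import hashlib

# Added toy script interpreter, not Bitcoin Core's code. Assumptions: SHA-256 stands in
# for HASH160, scripts are Python lists (str = opcode, anything else = data push), a
# redeem script is a tuple "serialized" via repr(), and "signatures" are constructed
# (sig, pubkey) pairs looked up in VALID_SIGS instead of real ECDSA verification.
VALID_SIGS = {(b"sigA", b"pubA"), (b"sigB", b"pubB"), (b"sigC", b"pubC")}
class ScriptFail(Exception): pass   # OP_RETURN, failed *VERIFY or stack underflow
def fail(*_): raise ScriptFail
def hash160(item) -> bytes:   # simplification: SHA-256 instead of SHA-256 + RIPEMD-160
    data = item if isinstance(item, bytes) else repr(tuple(item)).encode()
    return hashlib.sha256(data).digest()
def checkmultisig(s):
    pubs = [s.pop() for _ in range(s.pop())]
    sigs = [s.pop() for _ in range(s.pop())]
    s.pop()   # historical off-by-one: one extra item is consumed, hence the OP_0 dummy
    s.append(int(all(any((sig, p) in VALID_SIGS for p in pubs) for sig in sigs)))

OPS = {
    "OP_DUP": lambda s: s.append(s[-1]),
    "OP_HASH160": lambda s: s.append(hash160(s.pop())),
    "OP_EQUAL": lambda s: s.append(int(s.pop() == s.pop())),
    "OP_EQUALVERIFY": lambda s: None if s.pop() == s.pop() else fail(),
    "OP_CHECKSIG": lambda s: s.append(int((s.pop(), s.pop())[::-1] in VALID_SIGS)),
    "OP_CHECKMULTISIG": checkmultisig,
    "OP_RETURN": fail,   # an output whose script hits OP_RETURN is provably unspendable
}

def run(script, stack) -> bool:
    """Execute script on stack; True only if it completes and leaves a true top item."""
    try:
        for op in script:
            OPS[op](stack) if isinstance(op, str) else stack.append(op)
    except (ScriptFail, IndexError, KeyError):   # failed op, underflow, unknown opcode
        return False
    return bool(stack) and bool(stack[-1])

def spend(unlock, lock) -> bool:
    """Validate one input: unlock script, lock script, then (for P2SH) the redeem script."""
    stack = []
    if not run(unlock, stack):
        return False
    saved = list(stack)   # P2SH keeps a copy of the stack left by the unlock script
    if not run(lock, stack):
        return False
    if not (len(lock) == 3 and lock[0] == "OP_HASH160" and lock[2] == "OP_EQUAL"):
        return True       # not the P2SH pattern: the lock script result decides
    return run(list(saved.pop()), saved)   # the committed script is the real lock script
# Constructed lock scripts: P2PKH for pubA, and P2SH committing to a 2-of-3 multisig.
P2PKH = ["OP_DUP", "OP_HASH160", hash160(b"pubA"), "OP_EQUALVERIFY", "OP_CHECKSIG"]
MULTISIG_2_OF_3 = (2, b"pubA", b"pubB", b"pubC", 3, "OP_CHECKMULTISIG")
P2SH = ["OP_HASH160", hash160(MULTISIG_2_OF_3), "OP_EQUAL"]
```

Leaving out the leading 0 in the multisig unlock script makes the redeem script underflow the stack, which is exactly why real P2SH multisig inputs start with OP_0.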
(Figure: P2SH script execution, annotated)
• Commitment to script
• Check script hash
• If the initial script structure was a commitment and the value on the stack is true, a special branch of code is executed, using the original witness script
• Witness script is executed (here 2-of-3 multisig)
• OP_FALSE is used to push 0 on the stack (multisig bug)
• … Script

Interesting, non-standard scripts
• SHA1 collision bounty
  – Bitcoins locked to a script requiring two different inputs hashing to the same SHA1 hash
  – Redeemed shortly after Google published the SHA1 collision blocks
    • https://blockstream.info/tx/8d31992805518fd62daa3bdd2a5c4fd2cd3054c9b3dca1d78055e9528cff6adc
    • https://nioctib.tech/#/transaction/f2f398dace996dab12e0cfb02fb0b59de0ef0398be393d90ebc8ab397550370b
  – More details: https://bitcoinjs-guide.bitcoin-studio.com/bitcoinjs-guide/v5/part-three-pay-to-script-hash/puzzles/computational_puzzle_sha1_collision_p2sh.html
  – Similar bounties for

OP_RETURN
• If OP_RETURN is encountered during execution of the unlock+lock script, the result is FALSE
  – Such an output is provably unspendable
• Somewhat controversial instruction
  – Some feel that the blockchain shall not be used for non-financial data (USDT was initially on Bitcoin via OP_RETURN)
  – But there were already ways to store arbitrary data in the blockchain anyway (e.g., bytes of value, invalid address)
• Analysis of OP_RETURN data
  – https://www.blockchainresearchlab.org/2020/03/13/how-do-op-return-transactions-impact-bitcoin/
  – https://opreturn.org/
(Figure: OP_RETURN output carrying the text “charley loves heidi”, https://nioctib.tech/#/transaction/f2f398dace996dab12e0cfb02fb0b59de0ef0398be393d90ebc8ab397550370b)

Miniscript (A. Poelstra, P. Wuille, S.
Kanjalkar, 2019)
• Language for easier and less error-prone creation of Bitcoin scripts
  – Subset of the Bitcoin script language
  – Human-readable, easy to express complex locking conditions
  – https://bitcoin.sipa.be/miniscript/
• Simple building blocks (policies)
  – Single-key, multi-key,
  – time-locks, check-sequence,
  – hash-lock…
• Compiler creates the optimal script
  – And cost analysis

Miniscript examples (figure)
• A single key
• A 3-of-3 that turns into a 2-of-3 after 90 days

Warning: Why not put “blockchain” everywhere?
• “Blockchain not Bitcoin”, “Blockchainize everything”… claims
• Permissionless distributed consensus on global state is very expensive
  – Confirmation time, storage space, energy expenditure (PoW)…
  – Most applications do not need it!
  – Especially when other components of the application are centralized (development, governance decisions, data storage…)

Study materials
• Mandatory reading
  – Bitcoin's academic pedigree (Arvind Narayanan, Jeremy Clark)
    • https://dl.acm.org/doi/10.1145/3132259 (copy in IS)
    • Explanation of the roots of Bitcoin’s key components
• If you were not familiar with the basics of Bitcoin before
  – Watch ‘But how does bitcoin actually work?’ by 3Blue1Brown (26 min)
    • https://www.youtube.com/watch?v=bBC-nXj3Ng4
  – Read the slides Hello Bitcoin (including the notes under every slide)
    • From https://www.hellobitco.in/, copy of slides in IS

Further reading
• Mastering Bitcoin (Andreas M. Antonopoulos and others)
  – https://github.com/bitcoinbook/bitcoinbook
• Programming Bitcoin (Jimmy Song)
  – https://github.com/jimmysong/programmingbitcoin
• List of interesting resources
  – https://blockonomi.com/bitcoin-educational-resources/
  – https://learnmeabitcoin.com/, https://learnmeabitcoin.com/technical/
THANK YOU FOR COMING, SEE YOU NEXT WEEK