Whirlwind tour of decentralized finance and blockchain

Whirlwind tour of decentralized ﬁnance and blockchain
Gus Gutoski
International Conference on Information & Communication Technologies
’Next Generation Technologies’
Institute of Business Administration (IBA)
Karachi, Pakistan
November 16, 2019
Gus Gutoski Whirlwind tour of decentralized ﬁnance and blockchain November 16, 2019 1 / 36

Bitcoin Basic design
Bitcoin’s UTXO model (Unspent TransaXion Output)
Each stash of bitcoin (UTXO) is
associated with a public key for
a signature scheme (ECDSA)
To spend a UTXO, need to
produce a signature valid for
that UTXO’s public key
A transaction consumes UTXOs
and creates new UTXOs

Bitcoin Basic design
The Bitcoin blockchain
Transactions are aggregated by miners into blocks
Peers on the network gossip new transactions, blocks
Each block contains the hash (SHA-256) of the previous block
Blocks form a blockchain
Can’t modify the contents of a block without breaking the hash chain

Bitcoin Proof-of-work consensus
Proof-of-work (PoW) consensus in Bitcoin
Q. How do peers decide which is the “correct” blockchain?
A. It’s the one with the most work embedded in it
Peers calculate the difficulty parameter based on past
observations of the blockchain
New blocks are not valid unless they solve a PoW puzzle of
sufficient difficulty
Nonce is a free parameter in the block header
Miners find a nonce such that the block’s hash meets the
difficulty condition
High difficulty −→ miners must do lots of work
Miners are compensated with new bitcoins, transaction fees

A recent Bitcoin block
[link]

Security of PoW consensus
Intuition:
An attacker who wishes to convince the network to switch to a different blockchain must
produce a blockchain with more embedded work than any other
Such an attacker must do more computational work than every other miner in the world
combined
Bitcoin’s original proposal did not include a formal proof of security
How does one even define security??
Security has been proven under optimistic assumptions: e.g. An altruistically-honest
majority of the computational power
Theoretical vulnerabilities are known: an attacker who controls x% of the computational
power can claim more than x% of the block rewards for certain values of x
This becomes a concern only when x > 25%
It seems that such an attack on Bitcoin has never occurred
“Seflish mining” [link]

Electricity consumption of proof-of-work
Diﬃculty is calibrated so that a new Bitcoin block is found every ∼10 minutes, regardless
of how much work was done to produce the block.
A computational arms race among miners
Computation consumes electricity
Current estimates: 6–8 GW
Comparable to the electricity usage of Austria (40th largest consumer country)
[digiconomist.net]
The Bitcoin network computes 91 quintillion (253) SHA-256 hashes per second
Computational cost of SHA-256 is ∼ 216
operations =⇒ the Bitcoin network performs 269
operations per second. Compare with 80-bit security...

Bitcoin Miscellaneous
Miscellaneous
10-minute blocks + 1MB block size = 7 transactions/second
Centralization forces: ASICs, mining pools, custodial exchanges
Social problem: users are in charge of their own security. Phishing, SIM hacks, custodial
(exchange) hacks
Underyling cryptography is ancient: hash functions, digital signatures

Intro to Ethereum
What is Ethereum?
Ethereum is a decentralized computer; anyone can write a “dapp.”
Compare: Bitcoin is a decentralized computer with exactly one dapp.
Proposed in 2013, crowd sale in 2014, mainnet launch on 2015-jul-30.
Crowd sale: users purchased ether using bitcoin at 1 BTC = 2000 ETH. Total dollar
value raised: $18M. (At the time bitcoin was $600.)

Intro to Ethereum
How does Ethereum work?
Cryptography is similar to Bitcoin:
Digital signatures: Users sign transactions
Hash functions: Miners compete via PoW to add transactions to the blockchain
Account model. (Compare Bitcoin’s UTXO model.)
Each account has an ether balance
Externally owned (EO): controlled by a person
Contract: controlled by code, storage
Contracts run their code each time they receive a message.
A user executes code by pushing a transaction containing a message from an EO account
she owns to a contract account. Contracts can send messages to other contracts.
Users pay for their computations with ether
Intended to protect against spam/DoS
These payments are called “gas”

Intro to Ethereum
How does gas work?
Code is compiled to Ethereum Virtual Machine (EVM) bytecode
Each EVM instruction has a price in gas units
The gas–ether price ﬂoats freely
15-second block time + per-block gas limit = maximum 15 transactions/second

What can be done with Ethereum-like platforms? Custom tokens
Even more cryptocurrencies! The ERC20 token standard
It is easy to write an Ethereum contract that implements a new cryptocurrency
There is an Ethereum dapp standard called ERC20
Analogy: Abstract class, interface in object-oriented programming
Contracts that conform to ERC20 can plug into a whole ecosystem of apps, dapps.
“A total of 223,123 Token Contracts found” as of 2019-nov-05. [etherscan.io]
16 of the top 20 all-time highest-funded crowdfunding projects were executed on
Ethereum. Many of these are ERC20 tokens. [Wikipedia]
Several of the 20 biggest cryptocurrencies are ERC20 tokens [coinmarketcap.com]
[etherscan.io]
Maker DAI BAT Augur 0x

What can be done with Ethereum-like platforms? Digital collectibles
Digital collectibles! The ERC721 non-fungible token standard
Non-fungible: unique, non-divisible tokens

ERC721 Example: Cryptokitties
Breed collectible kitty images on Ethereum [cryptokitties.co]
Buy, sell unique cryptokitties [Kitty Sales]
Several kitties have sold for $100k+
Total kitty sales to date is $27M+
Cryptokitties transactions bogged down the entire Ethereum network in December 2017
[BBC News]
Ethereum-wide gas price increased by 10x or more
10-20% of all Ethereum transactions were for Cryptokitties
Pending transaction pool grew by 6x

ERC721 Example: Gods Unchained
Collectible digital card game. Buy, sell cards on Ethereum. [godsunchained.com]
No one can alter, conﬁscate your cards.
Compare: Blizzard nerfs Hearthstone cards

ERC721 Example: Ethereum Name Service (ENS)
Map human-readable names (‘alice.eth’) to machine-readable identiﬁers
IP address ‘192.168.0.1’,
Ethereum public key ‘0xC48E11afA115DB88A8fb3EF5F4ed7c8219020871...’
Tor .onion address 3g2upl4pq6kufc4m.onion
anything you want!
Names can be bought, sold like any other ERC721 token

Holy grail: Decentralized DNS, PKI
Domain Name System (DNS), Public-key Infrastructure (PKI) are critical worldwide systems
In principle: decentralization promises greatness
Can’t be censored
Permissionless worldwide access
Reduced risk of monopoly rents
Arguably more secure than traditional DNS, PKI solutions
In practice: decentralized governance is tricky
Example: Who authorizes new top-level domains (.eth, .com, ...)?
How to protect against name-squatting, trademark violations?
Browser support for ENS:
Natively in Opera, Brave
Via browser extension (Metamask!) in major browsers Chrome, Firefox
Metamask in a Tor browser automatically resolves .onion addresses
(e.g. duckduckgotor.eth −→ 3g2upl4pq6kufc4m.onion)

What can be done with Ethereum-like platforms? Stable assets
The need for stable assets
Bitcon, ether, etc are highly volatile assets; their supplies are highly inelastic
More like crypto-gold than crypto-currency!
Normal people do not wish to hold volatile assets
There is demand for a cryptocurrency with stable value (e.g. relative to USD)

Stable asset: Tether
Controversial, centralized token backed by privately-held reserves of USD
Live in 2014 as a Bitcoin overlay, now avaiable as an ERC20 token on Ethereum
Controlled and promoted by Bitﬁnex—a large cryptocurrency exchange company
A full GAAP audit of reserves was promised but never delivered. Tether has a strained
relationship with accounting ﬁrms.
Accusations that Binance used Tether to manipulate the price of bitcoin.
Current price: ∼$1, current supply: >$4 billion

Stable asset: DAI
Mostly-decentralized ERC20 token on Ethereum pegged to USD
Backed by (volatile) ERC20 tokens held in reserve in an Ethereum
contract
Over-collateralized to protect against a decline in reserve value
Relies on an “oracle” for the current USD value of its collateral
Supply of DAI, reserves is automatically adjusted to maintain the USD
peg
Complicated governance
Launched in 2017; current price: ∼$1; current supply: >$100 million
A fascinating experiment, interesting economics questions:
What is the true value of an “over-collateralized” asset?
Peg could be (temporarily?) broken by a sudden, large drop in the USD
value of ether

What can be done with Ethereum-like platforms? Oracles
Contract for diﬀerence: a simple but powerful example
Suppose: Alice is a farmer who wishes to hedge against the lack of rainfall during the
growing season, Bob is a speculator
1 Alice, Bob each contribute some cyrptocurrency into a contract
2 At the end of the growing season, the contract pays to Alice inverseley based on rainfall, the
rest to Bob.
Replace “rainfall” with “USD price of ether” or anything you want!
Far-reaching applications: insurance against disaster, stablecoins, ﬁnancial derivatives,
prediction markets, gambling, ...
The big question: How to get accurate rainfall data into Ethereum?
A major open problem: the oracle problem

What can be done with Ethereum-like platforms? Smart property
Tokenization of real-world assets (“smart property”)
Let’s fantasize for a moment...
Create tokens that represent ownership of: equities, works of art, vehicles, real estate, . . .
Ownership can be transferred instantly, permissionlessly around the world
Imagine: Anyone in Karachi can own shares of Apple, receive dividends
Imagine: Buy, sell a house without lawyers or archaic government records
Reality check: governments won’t allow it in the foreseeable future
Reality check: what if my private keys are lost, stolen?
Smart property + smart contracts
Imagine: Car loan on Ethereum. If I miss a payment on my car loan then ownership of the
car automatically transfers to my creditor.
Ethereum-aware real assets?
Only the owner of a car’s token can open the door, start the car.
Science ﬁction: “self-owning” driverless cars have their own currency balance, pay for
their own maintenance from transit revenue

Privacy Most blockchains are not private
The ultimate surveillance dystopia
In Bitcoin, Ethereum, etc all transactions are publicly visible
If blockchain takes over the world then:
Every cup of coﬀee, rideshare trip, hand of poker, drug
prescription, pay cheque, WikiLeaks donation, ... is available
for all the world to see
For business: supply chain, payroll, ... all viewable by
competitors
“Bitcoin is Twitter for your bank account”, “Bitcoin is a
tracking cookie in real life” –Ian Miers
Bold claim: Blockchain cannot take over the world without
better privacy
Everyone is watching you

Privacy Most blockchains are not private
Currency, fungibility depend on privacy
Society might not accept tokens that have
passed through unpopular hands
eg. Silk Road, Pirate Bay, political dissidents,
sanctions violators, ...
Not all tokens are equal −→ fungibility is lost
−→ not a currency

Privacy Zero-knowledge proofs
Zero-knowledge proofs of knowledge
Given.
1 A function f (·) described, say, by a boolean circuit. (e.g. SHA-256.)
2 An output y. (e.g. A 32-byte output of SHA-256.)
Goal. Prove that I know an input x with y = f (x) without revealing anything about x.
x
(complicated proof)
−−−−−−−−−−−−−−−−→
y
Yes, I believe you know a
preimage of y!

Privacy Zero-knowledge proofs
Anonymous currency: Zcash
Designed in 2014 by academic cryptographers [eprint 2014/349]
Fork of Bitcoin with zero-knowledge proofs; independent blockchain
Deployed in 2016, current value of tokens: >$287 million
Implements the Groth16 proposal for a cryptographic primitive called zk-snark

Privacy Groth16
The Groth16 zk-snark
SNARK: Succinct Non-interactive ARgument of Knowledge
Scary maths! Quadratic arithmetic programs, elliptic curve pairings
Proof size is independent of the circuit. Wow!
288 bytes for any circuit
Veriﬁcation is fast: <10ms for the Zcash circuit
Proof creation time is (nearly) acceptable: 7 seconds, 40MB RAM for the Zcash circuit
Groth16 is by far the most practical zk-snark

Privacy Other zero-knowledge protocols
A bewildering array of zero-knowledge protocols
zk-snark is a very active area of academic research
Snark properties:
Universal setup—run setup once for a given circuit size s, use it for all circuits with size < s.
trustless setup—no need to trust a ceremony
Small proofs: logarithmic or even constant size
Fast veriﬁcation: logarithmic vs. sub-linear vs. linear time
Fast prover: linear vs. n log n vs. worse time
Quantum-safe vs. based on discrete log
Recent proposed schemes: GGPR13/Groth16, Pinocchio, Groth-Sahai, Sonic, Plonk,
BulletProofs, Hyrax, Ligero, Spartan, Aurora, SuperSonic, Stark, . . .
Curated list of zero-knowledge resources: https://zkp.science/

Privacy Private smart contracts
Private smart contracts?
Recall: Bitcoin = decentralized gold; Ethereum = decentralized computer
If Bitcoin is Twitter for your bank account then Ethereum is Twitter for everything you
do on a computer
Recall: Zcash = decentralized private gold
Q. What is the decentralized private computer?
A. We don’t have one yet. On the drawing board:
Zexe. “Enabling Decentralized Private Computation.” [eprint 2018/962]
Aztec. “The privacy engine on Ethereum.” [link]
Others...

Privacy Speculation
Fantasizing about our private future
Crazy ideas:
Supply chain
Don’t give away your data, sell it
Dark pool ﬁnancial markets
Smart metering
Income tax
Public accountability of secret law (?!) [eprint 2018/664]
Snark the whole blockchain
Credit score
Private health records (Mis-diagnosis resiliency!)

The future
Ethereum 2.0
Goals. Reduce/eliminate PoW, higher transaction throughput, reduce load on individual
nodes, . . .
Plan: [link to articles]
Phase 0: Beacon chain. New cryptography! Multi-signatures
Phase 1: Shard chains. 1024 blockchains!
Phase 2: Execution layer. Still under design. Different execution environments (WASM?
zero-knowledge?)
Multi-signatures: [Forum post], [eprint 2018/483]
Given. Many signatures σ1, . . . , σn under many public keys pk1, . . . , pkn for a message m
Aggregate. Compute aggregated signature, public key σ, pk.
Verify. Verifier is convinced that all signatures σ1, . . . , σn are correct by checking only
Verify(pk, σ, m).
Benefit. A much lighter computational load on Ethereum nodes

The future
Ethereum 2.0
[link]

The future
New platforms: alternatives to Ethereum
There are several well-funded, well-staﬀed initiatives for independent platforms
Algorand, Celo, Dﬁnity, Polkadot, Tendermint/Cosmos, Tezos, . . .

Challenges
Open problems in decentralized ﬁnance and blockchain
1 Reduce / eliminate proof-of-work
New platforms aim to replace PoW with more sophisticated consensus algorithms
2 Scalability
Currently, every node must process every transaction in the world!
3 Data availability
Any node that does not process every transaction in the world must be able to ﬁnd data if
needed
Hard problem! It is impossible to attribute fault in a data withholding attack
4 Decentralized, trustworthy oracles
A hard problem with no good answer
Proposals: [Astrea], [Augur], [DAI], [UMA]

Challenges
Open problems in decentralized ﬁnance and blockchain
5 Stablecoins
Each existing solution has its own problems
Crazy idea: the anti-bitcoin: perfectly elastic supply via PoW. [Meter.io] [Celerium]
6 Bug-resistant smart contracts
The DAO is a high-proﬁle example of pitfalls of bug-prone smart contract platforms. Solidity
is JavaScript inspired—boo! Tezos uses OCaml, a functional language with provable
guarantees
7 Identity, personhood
we could do so much more if we could protect against sock-puppet attacks
[ethereum wiki: problems]

Developing countries
Potential beneﬁts of DeFi for developing countries
Sound money. (Or, at least, sounder money.)
In places with high inﬂation, cryptocurrency is less volatile than the local currency
Access to USD-stable assets with no need for a US banking license
Send money across borders: inexpensive remittances, avoid capital controls
Financial services for the unbanked
Can’t get a loan to start your business? Get a DeFi loan collateralized with smart property!
Can’t get insurance against poor rainfall? Participate in a prediction market!
Documentation of property rights
If someone steals your home, at least you can now provide irrefutable cryptographic proof of
theft!
DeFi is not a panacea; it may never solve these problems. But I see no reason not to try.

Whirlwind tour of decentralized finance and blockchain

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Whirlwind tour of decentralized finance and blockchain

Ähnlich wie Whirlwind tour of decentralized finance and blockchain (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Whirlwind tour of decentralized finance and blockchain