2. If You're Smart, Leave the Room Right Now
- "Bitcoin turns nerd forums into libertarian forums." This is true.
- Bitcoin is a particularly effective DoS against security professionals. Why?
3. Security Inversion
- Normal code: looks like it might be OK up front; scratch the surface, and it's actually really bad.
- BitCoin: looks really bad up front; scratch the surface, and it's actually surprisingly good.
- We aren't used to systems with these characteristics.
- This code has the mark of having been audited by People Like Us. And quants.
4. The Basic Summary
- BitCoin is absolutely not anonymous.
- BitCoin clearly does not scale in the long term. It does work for now, though.
- This isn't 0day stuff; this is basically declared almost entirely up front.
5. What Is BitCoin?
- A really strange use of cryptography.
  - "Strange" is not a sufficient, interesting, or even vaguely competent way to mark a system as insecure.
  - It's a decent way to say "this is not the normal way things are put together."
- Two systems mated together:
  - A peer-to-peer network that makes a best-effort attempt to synchronize data (loose "transactions" and solved "blocks") across as many nodes as possible.
  - A Chinese Lottery that canonicalizes subsets of synchronized data, using the difficulty of finding partial hash collisions.
6. The Basic Idea (In A Nutshell)
1) I'm hearing about all these transactions going on: Alice is paying Bob, Bob is paying Charlie, etc.
2) I hash all the transactions I've heard about, with some random information and the hash of the last time someone did that, until there's a partial collision: the first n bits equal 0.
   - n is automatically determined by how hard it has to be for one block to be found about every 10 minutes.
   - This is a block.
3) I send everyone my "block": transactions plus hash of previous block plus random data. This gives me 50 bitcoins (for now).
4) I can now "sign over" those bitcoins, from my private key, to other people's (or my own) public key.
5) Repeat until there are lots of people with lots of BitCoins, possibly purchased instead of "mined".
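The block-finding loop in steps 2 and 3, as an added toy model that is not code from the talk or from Bitcoin itself. It assumes a simplified block layout (previous hash, a hash over the transactions, a nonce), counts leading zero bits instead of comparing against Bitcoin's real 256-bit target, and uses an assumed one-bit-per-doubling retarget rule to keep blocks arriving about every 10 minutes; the sample transactions are constructed.

```python
"""Toy model of finding a block: hash until the first n bits are zero.

Added example, not code from the original talk. The block layout, the
leading-zero-bit difficulty measure and the retarget rule are simplified
assumptions; Bitcoin's real header format and target arithmetic differ,
but the shape of the loop is the same.
"""
import hashlib
import struct

TARGET_BLOCK_SECONDS = 600  # "about every 10 minutes"


def double_sha256(data: bytes) -> bytes:
    """Bitcoin hashes block headers with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """How many leading bits of the digest are zero: the size of the partial collision."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def block_preimage(prev_hash: bytes, txs: list, nonce: int) -> bytes:
    """Assumed layout: previous block hash + hash of the transactions + nonce."""
    tx_root = hashlib.sha256("\n".join(txs).encode()).digest()
    return prev_hash + tx_root + struct.pack("<Q", nonce)


def mine_block(prev_hash: bytes, txs: list, n_bits: int, max_tries: int = 10_000_000):
    """Try nonces until the double-SHA-256 starts with n_bits zero bits.
    Returns (nonce, block_hash); raises if the try budget is exhausted."""
    for nonce in range(max_tries):
        digest = double_sha256(block_preimage(prev_hash, txs, nonce))
        if leading_zero_bits(digest) >= n_bits:
            return nonce, digest
    raise RuntimeError("no partial collision found within budget")


def verify_block(prev_hash: bytes, txs: list, nonce: int, n_bits: int, claimed_hash: bytes) -> bool:
    """Checking a block costs one hash; finding one costs about 2**n_bits of them."""
    digest = double_sha256(block_preimage(prev_hash, txs, nonce))
    return digest == claimed_hash and leading_zero_bits(digest) >= n_bits


def retarget(n_bits: int, observed_seconds: float, expected_seconds: float = TARGET_BLOCK_SECONDS) -> int:
    """Assumed adjustment rule: each extra zero bit doubles the work, so move n by
    one bit when blocks arrive more than twice as fast or twice as slow as wanted."""
    if observed_seconds < expected_seconds / 2:
        return n_bits + 1
    if observed_seconds > expected_seconds * 2:
        return max(n_bits - 1, 0)
    return n_bits


if __name__ == "__main__":
    genesis = b"\x00" * 32
    txs = ["Alice pays Bob 5", "Bob pays Charlie 2"]  # constructed sample transactions
    nonce, block_hash = mine_block(genesis, txs, n_bits=16)
    print(f"nonce={nonce} hash={block_hash.hex()}")
    print("valid:", verify_block(genesis, txs, nonce, 16, block_hash))
```

Changing a single transaction in `txs` changes the preimage, so the recorded hash no longer verifies and the whole search has to be redone; that asymmetry (one hash to check, about 2^n to find) is what makes the history expensive to rewrite.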
7. Interesting Traits
- The basic concept is actually relatively solid:
  - Assuming partial collisions are predictably hard to find.
  - Assuming ECDSA works.
- Basic Idea 1: Money can't be created from nothing; hashing is needed.
- Basic Idea 2: Transactions can't be blocked or reversed by a central entity ("is none").
- It makes security engineers talk like monetary scientists. That's sort of OK; economists pretend to do that too... Seriously, that's silly. Let's just talk tech, OK?
8. Epic Scalability Quote 1 (https://en.bitcoin.it/wiki/Scalability)
- "The core BitCoin network can scale to very high transaction rates assuming a distributed version of the node software is built. This would not be very complicated."
- Because there's nothing easier to do than make a system distributed. This is totally not one of the Hard Problems Of Computer Science.
- By "Distributed" they mean "Centralized".
- Why BitCoin is uniquely hard to audit: it claims the advantages of its present architecture and its future architecture, while rebutting the disadvantages of one with the advantages of the other.
- Instead of saying "We don't do that", they say "Something else could do that".
9. Scalability Costs: Network Bandwidth
- "Let's assume an average rate of 2000tps, so just VISA... Shifting 60 gigabytes of data in, say, 60 seconds means an average rate of 1 gigabyte per second, or 8 gigabits per second."
- :O
10. Up and Down
- Going up: "Let's take 4,000 tps as starting goal. Obviously if we want BitCoin to scale to all economic transactions worldwide, including cash, it'd be a lot higher than that, perhaps more in the region of a few hundred thousand transactions/sec." And the need to be able to withstand DoS attacks (which VISA does not have to deal with) implies we would want to scale far beyond the standard peak rates. TB/sec.
- Going down: even at 1/100th of VISA, that's still 10MB/sec.
11. Are There Future Optimizations?
- "Because nodes are very likely to have already seen a transaction when it was first broadcast, this means the size of a block to download would be trivial (80 bytes + 32 bytes per transaction). If a node didn't see a transaction broadcast, it can ask the connected node to provide it."
- Potential 50% savings! Could go from 1GB to 500MB/sec.
12. What About Storage?
- In order to validate a transaction, you need all blocks up to the present one.
- Joining BitCoin today == downloading 200+MB of history, all the way to the start of time. That only increases.
- "A 3 terabyte hard disk costs less than $200 today and will be cheaper still in future, so you'd need one such disk for every 21 days of operation (at 1gb per block)."
- So you get to participate directly in BitCoin, at the low, low cost of $200 a month. Assuming zero costs of running a storage array.
13. CPU?
- "A network node capable of keeping up with VISA would need roughly 50 cores + whatever is used for mining (done by separate machines/GPUs)."
- In the long run, that's what it takes to participate (assuming no DoS, which would take 5000 cores).
- (You actually need to validate all historical transactions too.)
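The bandwidth and storage figures quoted on slides 9 to 12 tie together in one small cost model, added here as an example and not taken from the talk or from the wiki page it quotes. Values taken from the quoted text: an 80-byte header, 32 bytes per transaction hash, a 60-second propagation window, a 3 TB disk, 1 GB per block. Assumptions of this model, not stated on the page: 500 bytes per transaction, one block every ten minutes, and a fan-out of 100 peers, which is the factor this model needs to turn one 600 MB block into the quoted 60 GB per minute.

```python
"""Back-of-the-envelope node costs for the figures quoted in slides 9 to 12.

Added example, not from the talk or the wiki page it quotes. Constants
marked "quoted" come from the slides; those marked "assumption" do not.
"""
from dataclasses import dataclass

BLOCK_INTERVAL_S = 600            # assumption: one block every ten minutes
BLOCKS_PER_DAY = 86_400 // BLOCK_INTERVAL_S
HEADER_BYTES = 80                 # quoted: "80 bytes"
TX_HASH_BYTES = 32                # quoted: "+ 32 bytes per transaction"
QUOTED_PROPAGATION_S = 60         # quoted: "in, say, 60 seconds"
DISK_BYTES = 3_000_000_000_000    # quoted: "A 3 terabyte hard disk"
ASSUMED_TX_BYTES = 500            # assumption: average serialized transaction
ASSUMED_FANOUT = 100              # assumption: peers each block is forwarded to


@dataclass
class NodeCost:
    tps: float
    block_bytes: float              # one full block
    relay_bytes: float              # header plus transaction hashes only
    peak_bytes_per_s: float         # forwarding a full block to every peer in the window
    peak_relay_bytes_per_s: float   # same, with the header-plus-hashes optimization
    storage_bytes_per_day: float
    days_per_disk: float


def node_cost(tps: float, tx_bytes: float = ASSUMED_TX_BYTES,
              fanout: int = ASSUMED_FANOUT,
              propagation_s: float = QUOTED_PROPAGATION_S) -> NodeCost:
    """Cost of keeping up with a given transaction rate as a fully validating node."""
    txs_per_block = tps * BLOCK_INTERVAL_S
    block_bytes = txs_per_block * tx_bytes
    relay_bytes = HEADER_BYTES + TX_HASH_BYTES * txs_per_block
    per_day = block_bytes * BLOCKS_PER_DAY
    return NodeCost(
        tps=tps,
        block_bytes=block_bytes,
        relay_bytes=relay_bytes,
        peak_bytes_per_s=block_bytes * fanout / propagation_s,
        peak_relay_bytes_per_s=relay_bytes * fanout / propagation_s,
        storage_bytes_per_day=per_day,
        days_per_disk=DISK_BYTES / per_day,
    )


def relay_savings(cost: NodeCost) -> float:
    """Fraction of block bandwidth saved if every peer already holds every transaction."""
    return 1.0 - cost.relay_bytes / cost.block_bytes


def days_per_disk_at(block_bytes: float, disk_bytes: float = DISK_BYTES) -> float:
    """How long one disk lasts at a given block size (the quote's 1 GB per block case)."""
    return disk_bytes / (block_bytes * BLOCKS_PER_DAY)


if __name__ == "__main__":
    for tps in (20, 2000, 4000):  # "1/100th of VISA", VISA, the quoted starting goal
        c = node_cost(tps)
        print(f"{tps:>5} tps: block {c.block_bytes / 1e6:8.1f} MB, "
              f"peak {c.peak_bytes_per_s / 1e6:8.1f} MB/s, "
              f"relay saves {relay_savings(c):.0%}, "
              f"{c.storage_bytes_per_day / 1e9:6.1f} GB/day")
    print(f"1 GB blocks: one 3 TB disk every {days_per_disk_at(1e9):.1f} days")
```

Under these assumptions 2000 tps reproduces the quoted 1 GB/s peak and 20 tps the slide's 10 MB/s, and 1 GB blocks fill a 3 TB disk in about 21 days. The `relay_savings` figure is the best case for the header-plus-hashes optimization: it only holds when every peer already has every transaction, and the quote itself concedes that a node which missed a broadcast must go back and fetch it.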
14. OK, so you end up with supernodes and normal nodes
- What are the characteristics of supernodes? They're banks.
- "Welcome to the new boss, who looks suspiciously like the old boss."
- I'm not saying banks are bad or anything.
- The "peer to peer" model of BitCoin eventually goes away; as soon as the thing gets big, the entire thing switches to a banking model.
15. Reality of Banking
- As the network gets bigger, fewer and fewer nodes can be banks. Only so many parties can exchange a gigabyte a second. The 50% threshold is inevitable.
- BitCoin banks still can't gin up money.
- BitCoin banks can't forcibly take money, unless they hold the private keys for the user, which they might.
- BitCoin banks can refuse to accept blocks with "undesirable" transactions.
  - Don't need 50%; just need enough to inconvenience 50% to accept your opinion.
  - Can block undesirable transactions.
  - Can recompute blocks w/o certain transactions (reversal).
  - This offers a host of ugly semantics.
16. Already Suffering This
- BitCoin's security model is based on the idea that nobody can control more than 50% of the network.
- Exact PetaFlop count unclear, but >40 and <200. Weird metric, given that crypto uses integer operations when FLOPS are floating point. Several times more than the largest supercomputer.
- Pools are breaking this: #1 pool has 41%, #2 pool has 30%.
- "Security through ostracism" to Pitchfork Security: DDoS against #1 pool.
17. Bad Choice Of Hash Standard
- Existing model can be accelerated massively with GPUs. Just 2x SHA-256.
- Could have been bcrypt or the like, in which performance does not scale with pure processing speed. Basically adds memory and serialization dependencies.
- Wasn't implemented, so now we have shortages of GPUs...
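What "performance does not scale with pure processing speed" means in practice, as an added example that is not code from the talk. Bitcoin really does use SHA-256 twice; here scrypt (Python's `hashlib.scrypt`, present when the interpreter is built against OpenSSL 1.1 or newer) stands in for "bcrypt or the like" as a function whose cost per evaluation is dominated by a large scratch buffer rather than by arithmetic. The scrypt parameters and the header bytes are assumptions chosen for a quick demonstration.

```python
"""Compare a pure-arithmetic proof-of-work hash with a memory-hard one.

Added example, not code from the talk. scrypt is used as the stand-in for
"bcrypt or the like"; its N, r, p values below are assumptions.
"""
import hashlib
import time

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumption: about 16 MiB per evaluation


def double_sha256_pow(header: bytes, nonce: int) -> bytes:
    """Bitcoin-style candidate: two SHA-256 passes over a few hundred bytes of state."""
    data = header + nonce.to_bytes(8, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def scrypt_pow(header: bytes, nonce: int) -> bytes:
    """Memory-hard candidate: each evaluation fills and walks a 128 * r * N byte table."""
    return hashlib.scrypt(nonce.to_bytes(8, "little"), salt=header,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=64 * 1024 * 1024, dklen=32)


def scratch_memory_bytes(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """Working memory scrypt needs per evaluation (128 * r * N bytes)."""
    return 128 * r * n


def evaluations_per_second(pow_fn, header: bytes, budget_s: float = 0.25) -> float:
    """Try consecutive nonces until the time budget is spent and return the rate."""
    start = time.perf_counter()
    deadline = start + budget_s
    nonce = 0
    while time.perf_counter() < deadline:
        pow_fn(header, nonce)
        nonce += 1
    return nonce / (time.perf_counter() - start)


def cost_profile(header: bytes = b"constructed-header", budget_s: float = 0.25) -> dict:
    """Rate and memory per evaluation for both candidates on this machine."""
    sha_rate = evaluations_per_second(double_sha256_pow, header, budget_s)
    scrypt_rate = evaluations_per_second(scrypt_pow, header, budget_s)
    return {
        "sha256d_per_s": sha_rate,
        "scrypt_per_s": scrypt_rate,
        "slowdown": sha_rate / scrypt_rate,
        "scrypt_memory_bytes": scratch_memory_bytes(),
    }


if __name__ == "__main__":
    for key, value in cost_profile().items():
        print(f"{key}: {value:,.0f}")
```

The point is not the absolute rate but what each evaluation needs: the double-SHA-256 candidate runs in registers, so thousands of small GPU cores can each try a nonce at once, while the scrypt candidate needs megabytes of fast memory per in-flight attempt, which is exactly the resource a GPU has least of per core.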
18. What About Anonymity?
- The full worldwide transaction history is stored and shared, forever and ever.
- Everyone has names like: 1MQbbWUi2scKdZ4KtMMSUSvVmxi6XtEeaC
- How do you know who you're paying? You don't.
- Everyone is encouraged to make up new names for every transaction. That's actually how you can tell why someone is paying you:
  - Out of band, you tell someone "to pay me, pay this address".
  - When that address is paid, you can dereference to your own private transaction.
- Do lots of random names equal anonymity?
19. Names Are Linkable (see blockexplorer.com)
- All FROM sources are effectively the same person (or linked IDs).
- Almost all TO destinations are payee and payor.
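The "all FROM sources are effectively the same person" rule from slide 19, applied to a whole history, as an added example that is not code from the talk or from blockexplorer.com. The ledger and the address strings below are constructed. The rule implemented is the common-input-ownership heuristic: every input of a transaction is assumed to be spent by one party, so their addresses are merged into one cluster, and repeating the merge across all transactions links every name that was ever co-spent, even when the owner used a fresh address for each payment.

```python
"""Cluster addresses by common-input ownership.

Added example, not from the talk. The transactions are a constructed toy
ledger: each one lists the addresses it spends from and the addresses it
pays to, and the strings are made-up names, not real Bitcoin addresses.
"""
from collections import defaultdict


class DisjointSet:
    """Union-find over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, addr: str) -> str:
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(transactions) -> dict:
    """Map every spending address to the frozenset of addresses linked to it.

    transactions: iterable of {"inputs": [addr, ...], "outputs": [addr, ...]}.
    Only inputs are merged; output-side (change) linking is a separate heuristic.
    """
    ds = DisjointSet()
    for tx in transactions:
        ins = tx["inputs"]
        for addr in ins:
            ds.find(addr)            # register single-input spenders too
        for addr in ins[1:]:
            ds.union(ins[0], addr)   # all inputs of one tx: one spender
    groups = defaultdict(set)
    for addr in list(ds.parent):
        groups[ds.find(addr)].add(addr)
    return {addr: frozenset(groups[ds.find(addr)]) for addr in list(ds.parent)}


def same_owner(clusters: dict, a: str, b: str) -> bool:
    """True when the heuristic has linked both addresses to one spender."""
    return a in clusters and clusters[a] == clusters.get(b)


# Constructed sample history. Alice (A*) uses a fresh address for every
# payment she receives, but two purchases each need more than one coin.
SAMPLE_TXS = [
    {"inputs": ["A1"], "outputs": ["B1", "A2"]},        # Alice pays Bob, change to A2
    {"inputs": ["A2", "A3"], "outputs": ["C1", "A4"]},  # two Alice coins spent together
    {"inputs": ["B1"], "outputs": ["D1", "B2"]},        # Bob pays Dave
    {"inputs": ["A4", "A7"], "outputs": ["E1"]},        # A4 and A7 spent together
    {"inputs": ["A7", "A3"], "outputs": ["G1"]},        # A3 funded again, spent with A7
]

if __name__ == "__main__":
    clusters = cluster_addresses(SAMPLE_TXS)
    print(sorted(clusters["A2"]))   # A2, A3, A4, A7 collapse into one identity
    print(same_owner(clusters, "A1", "A2"))  # change output alone does not link A1
```

Note what the rule does and does not catch: A2, A3, A4 and A7 end up in one cluster by transitivity even though no single transaction spent all four, while A1 stays separate because linking a change output back to the payor ("almost all TO destinations are payee and payor") is a second heuristic that this block deliberately leaves out.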
20. Reality of Anonymity
- As BitCoin "fights fragmentation", it merges identities. As it merges identities, it... well, merges identities.
- There are other models of using BitCoin in which money goes in, stays, and then presumably goes back out.
- Again, it's amazing how much this looks like a bank. Not saying banks are bad; just don't tell me BitCoin doesn't morph into the banking system.
21. So, With All This Being Said
- BitCoin is working, today. That counts for a lot.
- It will not work this way forever. It will not have today's security properties forever.
- If you define the loss of today's properties as a serious loss of value, then there are Ponzi-ish characteristics in plain view. I'm not going to make that claim, however.
22. Conclusion
- This was just a quick summary.
- BitCoin is actually well designed, if you accept that anonymity and scaling force the entire present model to be shifted into something that effectively looks like banking.
- I'll talk more another time.