Some Thoughts On Bitcoin

1. Some Thoughts On Bitcoin
   Dan Kaminsky
2. If You’re Smart
   - Leave the room right now
   - “Bitcoin turns nerd forums into libertarian forums”
   - This is true
   - Bitcoin is a particularly effective DoS against security professionals
   - Why?
3. Security Inversion
   - Normal code
      - Looks like it might be OK up front
      - Scratch the surface, it’s actually really bad
   - BitCoin
      - Looks really bad up front
      - Scratch the surface, it’s actually surprisingly good
   - We aren’t used to systems with these characteristics
   - This code has the mark of having been audited by People Like Us
      - And quants
4. The basic summary
   - BitCoin is absolutely not anonymous
   - BitCoin clearly does not scale
      - In the long term
      - It does work for now though
   - This isn’t 0day stuff, this is basically declared almost entirely up front
5. What Is BitCoin
   - A really strange use of cryptography
      - “Strange” is not a sufficient, interesting, or even vaguely competent way to mark a system as insecure
      - It’s a decent way to say “this is not the normal way things are put together”
   - Two systems mated together
      - A peer-to-peer network that makes a best-case effort to synchronize data (loose “transactions” and solved “blocks”) across as many nodes as possible
      - A Chinese Lottery that canonicalizes subsets of synchronized data, using the difficulty of finding partial hash collisions
6. The Basic Idea (In A Nutshell)
   1) I’m hearing about all these transactions going on – Alice is paying Bob, Bob is paying Charlie, etc.
   2) I hash all the transactions I’ve heard about, with some random information, and the hash of the last time someone did that, until there’s a partial collision
      - First n bits equal 0
      - n is automatically determined based on how hard it has to be for one block to be found about every 10 minutes
      - This is a block
   3) I send everyone my “block” – transactions plus hash of previous block plus random data. This gives me 50 bitcoins (for now).
   4) I can now “sign over” those bitcoins, from my private key, to other people’s (or my) public key.
   5) Repeat until there’s lots of people with lots of BitCoins
      - Possibly purchased instead of “mined”
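The block-finding loop described in steps 2) and 3), written out as an added example (this is illustrative code, not anything from the talk or from the BitCoin client). It hashes the previous block hash, a hash of the transaction list and a nonce with double SHA-256 until the digest has at least n leading zero bits, verifies a block the same way, and shows how n can be moved so that blocks keep arriving about every 10 minutes. The transaction list, the flat hash standing in for the real Merkle root, and the 2016-block retarget window are assumptions for the example; only the 10-minute target and the "first n bits are zero" rule come from the slide.

```python
import hashlib
import json
import math
import struct

TARGET_BLOCK_TIME_S = 600          # "one block about every 10 minutes" (slide 6)
RETARGET_WINDOW_BLOCKS = 2016      # BitCoin recomputes difficulty every 2016 blocks
MAX_SHIFT_BITS = 2                 # real rule: adjust by at most a factor of 4 per window


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash BitCoin applies to block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def tx_root(transactions) -> bytes:
    """Hash of the ordered transaction list; a flat stand-in for the real Merkle root."""
    return sha256d(json.dumps(transactions, sort_keys=True).encode())


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 256-bit digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def header_bytes(prev_hash: bytes, root: bytes, nonce: int) -> bytes:
    """Previous block hash + transaction root + 32-bit nonce (the "random information")."""
    return prev_hash + root + struct.pack("<I", nonce)


def mine(prev_hash: bytes, transactions, n_bits: int, max_nonce: int = 2**32) -> dict:
    """Try nonces until the header hash has at least n_bits leading zeros."""
    root = tx_root(transactions)
    for nonce in range(max_nonce):
        digest = sha256d(header_bytes(prev_hash, root, nonce))
        if leading_zero_bits(digest) >= n_bits:
            return {"prev_hash": prev_hash, "transactions": transactions,
                    "nonce": nonce, "hash": digest}
    raise RuntimeError("nonce space exhausted without a partial collision")


def verify(block: dict, n_bits: int) -> bool:
    """Recompute the header hash; any edit to the transactions breaks the block."""
    digest = sha256d(header_bytes(block["prev_hash"],
                                  tx_root(block["transactions"]),
                                  block["nonce"]))
    return digest == block["hash"] and leading_zero_bits(digest) >= n_bits


def retarget(n_bits: int, observed_seconds: float,
             blocks: int = RETARGET_WINDOW_BLOCKS) -> int:
    """Raise n if the last window of blocks came too fast, lower it if too slow.

    Each extra required zero bit doubles the expected work, so the correction is
    log2(expected time / observed time), clamped like the real client clamps its ratio.
    """
    expected = blocks * TARGET_BLOCK_TIME_S
    shift = round(math.log2(expected / observed_seconds))
    shift = max(-MAX_SHIFT_BITS, min(MAX_SHIFT_BITS, shift))
    return max(1, n_bits + shift)


if __name__ == "__main__":
    # Constructed sample transactions, not real block chain data.
    genesis = b"\x00" * 32
    txs = [{"from": "Alice", "to": "Bob", "amount": 5},
           {"from": "Bob", "to": "Charlie", "amount": 2}]
    block = mine(genesis, txs, n_bits=16)
    print("nonce:", block["nonce"], "hash:", block["hash"].hex())
    print("valid:", verify(block, 16))
```

Only the hashing part of the system is modelled here; the signatures that "sign over" coins in step 4) are a separate mechanism (ECDSA, per slide 7) and are not shown.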
7. Interesting Traits
   - The basic concept is actually relatively solid
      - Assuming partial collisions are predictably hard to find
      - Assuming ECDSA works
   - Basic Idea 1: Money can’t be created from nothing – hashing is needed
   - Basic Idea 2: Transactions can’t be blocked or reversed by a central entity – “is none”
   - It makes security engineers talk like monetary scientists
      - That’s sort of OK, economists pretend to do that too…
      - Seriously, that’s silly – let’s just talk tech, OK?
8. Epic Scalability Quote 1 (https://en.bitcoin.it/wiki/Scalability)
   - “The core BitCoin network can scale to very high transaction rates assuming a distributed version of the node software is built. This would not be very complicated.”
   - Because there’s nothing easier to do than make a system distributed
      - This is totally not one of the Hard Problems Of Computer Science
   - By “Distributed” they mean “Centralized”
   - Why BitCoin is uniquely hard to audit
      - It claims the advantages of its present architecture, and its future architecture, while rebutting the disadvantages of one with the advantages of the other
      - Instead of saying, “We don’t do that”, they say “Something else could do that”
9. Scalability Costs: Network Bandwidth
   - “Let's assume an average rate of 2000tps, so just VISA…. Shifting 60 gigabytes of data in, say, 60 seconds means an average rate of 1 gigabyte per second, or 8 gigabits per second.”
   - :O
10. Up and Down
   - Going up
      - “Let's take 4,000 tps as starting goal. Obviously if we want BitCoin to scale to all economic transactions worldwide, including cash, it'd be a lot higher than that, perhaps more in the region of a few hundred thousand transactions/sec.”
      - And the need to be able to withstand DoS attacks (which VISA does not have to deal with) implies we would want to scale far beyond the standard peak rates.
      - TB/sec
   - Going down
      - Even at 1/100th of VISA, that’s still 10MB/sec
11. Are There Future Optimizations?
   - “Because nodes are very likely to have already seen a transaction when it was first broadcast, this means the size of a block to download would be trivial (80 bytes + 32 bytes per transaction). If a node didn't see a transaction broadcast, it can ask the connected node to provide it.”
   - Potential 50% savings!
      - Could go from 1GB to 500MB/sec
12. What About Storage?
   - In order to validate a transaction, you need all blocks up to the present one
   - Joining BitCoin today == downloading 200+MB history all the way to the start of time
      - That only increases
   - “A 3 terabyte hard disk costs less than $200 today and will be cheaper still in future, so you'd need one such disk for every 21 days of operation (at 1gb per block).”
   - So you get to participate directly in BitCoin, at the low low cost of $200 a month
      - Assuming zero costs of running a storage array
13. CPU?
   - “A network node capable of keeping up with VISA would need roughly 50 cores + whatever is used for mining (done by separate machines/GPUs).”
   - In the long run, that’s what it takes to participate (assuming no DoS, which would take 5000 cores)
   - (You actually need to validate all historical transactions too)
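A small capacity model for slides 9 through 13, added here as an example (it is not from the talk or the wiki). It takes a transaction rate and an average transaction size, derives block size, per-node inbound traffic with and without the "80 bytes + 32 bytes per transaction" block format quoted on slide 11, and how many days a disk lasts at a given block size. The transaction size of 500 bytes and the 2000 tps rate used in the demo are assumptions; the 10-minute block interval, the header and txid sizes, and the 3 TB / 1 GB-per-block case are the figures the slides quote. The wiki's own bandwidth figures rest on assumptions the slides do not reproduce, so the model only recovers the storage case exactly.

```python
BLOCK_INTERVAL_S = 600                         # one block about every 10 minutes (slide 6)
BLOCKS_PER_DAY = 86_400 // BLOCK_INTERVAL_S    # 144
HEADER_BYTES = 80                              # block header size quoted on slide 11
TXID_BYTES = 32                                # per-transaction hash quoted on slide 11


def block_bytes(tps: float, tx_bytes: float) -> float:
    """Bytes of transaction data in one block at a steady transaction rate."""
    return tps * BLOCK_INTERVAL_S * tx_bytes


def node_inbound_bytes_per_block(tps: float, tx_bytes: float, compact_blocks: bool) -> float:
    """Bytes a fully validating node receives per block interval.

    Every transaction is heard once when it is broadcast. Without compact blocks
    the node then downloads all of them again inside the block; with compact
    blocks it downloads only the header plus one 32-byte id per transaction.
    """
    relayed = block_bytes(tps, tx_bytes)
    if compact_blocks:
        block = HEADER_BYTES + tps * BLOCK_INTERVAL_S * TXID_BYTES
    else:
        block = relayed
    return relayed + block


def compact_block_savings(tps: float, tx_bytes: float) -> float:
    """Fraction of inbound traffic removed by compact blocks.

    The relayed copy of each transaction stays, so the saving approaches but
    never reaches 50%: only the duplicate copy inside the block is removed.
    """
    full = node_inbound_bytes_per_block(tps, tx_bytes, compact_blocks=False)
    compact = node_inbound_bytes_per_block(tps, tx_bytes, compact_blocks=True)
    return 1.0 - compact / full


def average_bandwidth_bytes_per_s(tps: float, tx_bytes: float, compact_blocks: bool) -> float:
    """Steady-state inbound bandwidth, ignoring bursts and initial sync."""
    return node_inbound_bytes_per_block(tps, tx_bytes, compact_blocks) / BLOCK_INTERVAL_S


def disk_lifetime_days(disk_bytes: float, block_size_bytes: float) -> float:
    """Days until a disk is full when every block is kept (slide 12: 3 TB at 1 GB/block)."""
    return disk_bytes / (block_size_bytes * BLOCKS_PER_DAY)


if __name__ == "__main__":
    # Assumed inputs: VISA-scale rate from slide 9 and a constructed 500-byte transaction.
    tps, tx_bytes = 2000, 500
    print(f"block size: {block_bytes(tps, tx_bytes) / 1e6:.0f} MB")
    for compact in (False, True):
        bps = average_bandwidth_bytes_per_s(tps, tx_bytes, compact)
        print(f"compact={compact}: {bps / 1e6:.2f} MB/s average inbound")
    print(f"compact-block savings: {compact_block_savings(tps, tx_bytes):.1%}")
    print(f"3 TB disk lasts {disk_lifetime_days(3e12, 1e9):.1f} days at 1 GB/block")
```

The model deliberately leaves out what slide 13 is about: validating a block costs CPU proportional to the transaction count whether or not the bytes were already relayed, so the compact-block saving applies to bandwidth only.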
14. OK, so you end up with supernodes and normal nodes
   - What are the characteristics of supernodes?
      - They’re banks
      - “Welcome to the new boss, who looks suspiciously like the old boss”
   - I’m not saying banks are bad or anything
   - The “peer to peer” model of BitCoin eventually goes away; as soon as the thing gets big, the entire thing switches to a banking model
15. Reality of Banking
   - As the network gets bigger, fewer and fewer nodes can be banks
      - Only so many parties can exchange a gigabyte a second.
      - The 50% threshold is inevitable
   - BitCoin banks still can’t gin up money
   - BitCoin banks can’t forcibly take money
      - Unless they hold the private keys for the user, which they might
   - BitCoin banks can refuse to accept blocks with “undesirable” transactions
      - Don’t need 50% -- just need enough to inconvenience 50% to accept your opinion
      - Can block undesirable transactions
      - Can recompute blocks w/o certain transactions (reversal)
      - This offers a host of ugly semantics
16. Already Suffering This
   - BitCoin’s security model is based on the idea that nobody can control more than 50% of the network
      - Exact PetaFlop count unclear, but >40 and <200
      - Weird metric, given that crypto uses integer operations when FLOPS are floating point
      - Several times more than the largest supercomputer
   - Pools are breaking this
      - #1 pool has 41%
      - #2 pool has 30%
   - “Security through ostracism” to Pitchfork Security
      - DDoS against #1 pool
17. Bad Choice Of Hash Standard
   - Existing model can be accelerated massively with GPUs
      - Just 2x SHA-256
   - Could have been bcrypt or the like, in which performance does not scale with pure processing speed
      - Basically adds memory and serialization dependencies
   - Wasn’t implemented, so now we have shortages of GPUs…
18. What About Anonymity?
   - The full worldwide transaction history is stored and shared, forever and ever
   - Everyone has names like:
      - 1MQbbWUi2scKdZ4KtMMSUSvVmxi6XtEeaC
   - How do you know who you’re paying? You don’t
   - Everyone is encouraged to make up new names for every transaction
      - Actually how you can tell why someone is paying you
      - Out of band, you tell someone “to pay me, pay this address”
      - When that address is paid, you can dereference to your own private transaction
   - Do lots of random names equal anonymity?
19. Names Are Linkable (see blockexplorer.com)
   - All FROM sources are effectively the same person (or linked IDs)
   - Almost all TO destinations are payee and payor
20. Reality of Anonymity
   - As BitCoin “fights fragmentation”, it merges identities
   - As it merges identities, it…well, merges identities
   - There are other models of using BitCoin in which money goes in, stays, and then presumably goes back out
      - Again, it’s amazing how much this looks like a bank.
      - Not saying banks are bad, just don’t tell me BitCoin doesn’t morph into the banking system
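The linking rule of slide 19 ("all FROM sources are effectively the same person") is what block chain analysis tools build on. Added here as an example, and not code from the talk or from blockexplorer.com, is the rule applied to a constructed set of transactions: every address that appears as an input to the same transaction is merged into one cluster with a union-find structure, and a second function follows the money forward from an address to show how a history that is public forever lets anyone trace where it went. The transactions, address labels and the flow between them are all made up for the demo.

```python
from collections import defaultdict

# Constructed sample transactions, not real block chain data. Each lists the
# FROM addresses (inputs) and TO addresses (outputs). A3 is a change output of
# tx 0 that is later spent in tx 1, which is how payor and payee stay linked.
SAMPLE_TXS = [
    {"inputs": ["A1", "A2"], "outputs": ["B1", "A3"]},
    {"inputs": ["A3"],       "outputs": ["C1", "A4"]},
    {"inputs": ["B1", "B2"], "outputs": ["D1"]},
    {"inputs": ["E1"],       "outputs": ["F1"]},
]


class UnionFind:
    """Disjoint-set forest used to merge addresses into identity clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def common_input_clusters(txs):
    """Slide 19 rule: inputs spent together belong to one owner.

    Returns a mapping address -> frozenset of every address linked to it.
    Output addresses are not merged into the payor's cluster here; they join a
    cluster only once they are spent together with other inputs.
    """
    uf = UnionFind()
    for tx in txs:
        inputs = tx["inputs"]
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
        for addr in inputs:
            uf.find(addr)                   # register single-input addresses too
    groups = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(members) for members in groups.values() for addr in members}


def trace_forward(txs, start):
    """Every address that coins paid from `start` can have flowed to.

    Follows outputs of any transaction spending a known address, then outputs
    of transactions spending those, until nothing new appears.
    """
    spent_by = defaultdict(list)
    for tx in txs:
        for addr in tx["inputs"]:
            spent_by[addr].append(tx)
    reached, frontier = set(), [start]
    while frontier:
        addr = frontier.pop()
        for tx in spent_by[addr]:
            for out in tx["outputs"]:
                if out not in reached:
                    reached.add(out)
                    frontier.append(out)
    return reached


if __name__ == "__main__":
    clusters = common_input_clusters(SAMPLE_TXS)
    for addr in sorted(clusters):
        print(addr, "->", sorted(clusters[addr]))
    print("downstream of A1:", sorted(trace_forward(SAMPLE_TXS, "A1")))
```

Making up a fresh address per payment, as slide 18 describes, does not defeat either function: the moment two of those addresses are spent in one transaction they are merged, and the forward trace never needed names in the first place.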
21. So, with this all being said
   - BitCoin is working, today
      - That counts for a lot
   - It will not work this way forever
   - It will not have today’s security properties forever
   - If you define the loss of today’s properties as a serious loss of value, then there are Ponzi-ish characteristics in plain view
      - I’m not going to make that claim, however
22. Conclusion
   - This was just a quick summary
   - BitCoin is actually well designed, if you accept that anonymity and scaling force the entire present model to be shifted into something that effectively looks like banking
   - I’ll talk more about this another time
