Introduction to Cryptocurrencies∗Stefan Dziembowski†University of WarsawS.Dziembowski@.plABSTRACTWe provide a research-oriented introduction to the crypto-graphic currencies.We start with a description of Bitcoin and its main design principles.We then discuss some of its weaknesses,and show some ideas for dealing with them.We also talk about the mechanics of the mining pools and ideas for discouraging the mining pool creation.We provide an introduction to the smart contracts,and give some examples of them,including the multiparty lotteries.We then present alternative currencies that were designed to remedy some of the problems of Bitcoin.In particular, we talk about the Litecoin,the Primecoin,the Permacoin, the Zerocoin,the Proofs of Stake and the Proofs of Space. We also discuss the most important research challenges in this area.Categories and Subject DescriptorsK.4.4[Computing Milieux]:Computers and Society–Payment schemes;Distributed commercial transactions;Cy-bercash,digital cashKeywordscryptocurrencies;distributed cryptography1.INTRODUCTIONThe cryptographic currencies(also dubbed the cryptocur-rencies)are a fascinating recent concept whose popularity exploded in the past few years.Their main distinguishing feature is that they are not controlled by any single entity.∗A longer version of this document is available at .pl/Dziembowski/talks/bitcoin-tutorial.pdf.Slides from this tutorial are available at.pl/Dziembowski/talks.†Supported by the Foundation for Polish Science WELCOME/2010-4/2grant founded within the frame-work of the EU Innovative Economy(National Cohesion Strategy)Operational ProgrammePermission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full cita-tion on thefirst page.Copyrights for third-party components of this work must be honored.For all other uses,contact the Owner/Author(s).Copyright is held by the owner/author(s).CCS’15,October12–16,2015,Denver,Colorado,USA.ACM978-1-4503-3832-5/15/10.Instead,they are jointly maintained by their anonymous users connected via peer-to-peer networks.Their security is based purely on the security of the underlying crypto-graphic primitives,and on some global assumptions about the behavior of their users(like,e.g.,an assumption that a large fraction of the computing power is controlled by the honest participants).Historically thefirst,and the most prominent cryptocur-rency is the Bitcoin,introduced in2008by Satoshi Naka-moto[9].Probably the most intriguing technical innovations of Bitcoin are:the mechanism for reaching consensus in fully distributed peer-to-peer networks(the so-called blockchain technology),and the transaction syntax that allows to ex-ecute distributedfinancial operations that are much more complex than simple money transfers.Even the sheerfinancial importance of the cryptocurencies makes them an interesting research area.In our opinion, however,what makes this topic even more fascinating are the conceptual ideas behind it.These aspects will be the main focus of this tutorial.Goal of this tutorial.The goal of this tutorial is to provide a research-oriented introduction to the cryptocur-rencies.We will present the main principles of the Bitcoin design,discuss some of its weaknesses,show some ideas for its improvements and for other currencies,and discuss the most important research challenges in this area.Intended audience and prerequisite knowledge. This tutorial will be suitable for all the ACM CCS partic-ipants,both coming from the academia and from the in-dustry.We will assume familiarity with the basic crypto-graphic primitives,such as the hash functions,the signature schemes,and encryption.No prior knowledge of Bitcoin or other cryptographic currencies is required.2.OVERVIEW2.1IntroductionWe will start with a brief overview of the history of the cryptocurrencies.We will identify the mainfinancial and social aspects that contributed to the success of Bitcoin,and mention some opinions of prominent economists about the cryptocurrencies,both those supporting this idea,and those that are skeptical about it.We will show how the popularity of Bitcoin grew over time,and how its pricefluctuated.We will also mention some important events in the history of the Bitcoin community(like the MtGox collapase).DOI: /10.1145/2810103.2812704.We will introduce the transaction ledger(the blockchain), as a technique that can be used to prevent double-spending of electronic cash.We will point out that the Sybil attacks should be taken into account when designing a protocol that emulates such a ledger.We will explain what are the Proofs of Work(PoWs)and how to apply them to thwart the Sybil attacks.We will show how the Bitcoin ledger is maintained by the users called miners that solve the PoWs,in a process called mining.We will explain the concept of the hashrate and show how the total hashrate of Bitcoin users changed over the time.We will also describe how the hardness of Bitcoin’s PoW’s is adjusted to the changing hashrate.We will also talk about the Bitcoin transaction syntax.2.3Bitcoin mining poolsMining pools are coalitions of miners that share the re-ward from mining new blocks.We will discuss the economic reasons for joining the mining pools(reducing the variance of the mining reward).We will then talk about the mechan-ics of the mining pool reward systems and their weaknesses. We will also show how mining pools can be decentralized vie the so-called peer-to-peer mining technique.Discouraging the mining pool creation.We will ex-plain the risks behind the pooled miming.In particular,we will point out that it leads to the centralization of the control over mining.We will then discuss some ideas for the Bitcoin modifications that discourage the mining pool creation[8].2.4Security weaknesses of BitcoinWe will discuss the quality of the Bitcoin design.We will mention some incidents when programming errors lead to forks that needed to be resolved“manually”and we will explain the transaction malleability problem.We will then present more fundamental problems with the blockchain technology.In particular we will explain the self-ish mining attack introduced in the groundbreaking paper of Eyal and Sirer[6]and the difficulty raising attack of Lear Bahack[3]that exploits the way in which the miming dif-ficulty is adjusted in Bitcoin.We will also talk about the birbery attacks of[5].2.5Smart contractsOne of the most intriguing properties of Bitcoin is the pos-sibility of creating the so-called smart contracts(originally proposed in1990s by Nick Szabo).Such contracts can be viewed asfinancial agreements between a number of parties, whose implementations are enforced by the Bitcoin system. Simple examples of such agreements include the escrow and dispute mediation,and the assurance contracts.More ad-vanced types of contracts are the fair multiparty protocols, and in particular the decentralized lotteries[2,1,4].We will give an overview of this area.2.6Other cryptocurrenciesDiscouraging hardware mining.One of the problems of Bitcoin is that mining in hardware is much more efficient than mining in software,and hence it is completely infeasi-ble nowadays to be a miner without investing in specialized hardware.We will describe the Litecoin,which is a cur-rency that was supposed to have the property that it is not economical to mine in hardware.Less“wasteful”cryptocurrencies.Another problem with the Proofs of Work is that they require the miners to spend significant amounts of electricity on mining.There are essentially two approaches to create less“wasteful”cryp-tocurrencies.Thefirst one is to create a cryptocurrency where the work is spent on some“useful”task.We will give an overview of the currencies belonging to this class:the Permacoin,and the Primecoin.The second approach is to replace“work”by some other type of resource.This includes the Proofs of Stake,and the Proofs of Space,which is used in the recent Spacecoin proposal.We will give a short overview of these approaches.More anonymity.Since the Bitcoin’s transaction ledger is public,the only anonymity in this system comes from the fact that the users are using pseudonyms,instead if their real names.As recently shown in[7]this does not provide sufficient privacy protection.We will briefly talk about this result,and then we will explain(on a high level)the main design principles of Zerocash,which is a new proposal for a currency that provides true anonymity.2.7Research directionsWe will conclude with an overview of the open research problems in this area,like the need for better understand-ing of the Bitcoin security model,and improvement of the blockchain technology.We will also mention the open prob-lems concerning the distributed contracts,in particular we will discuss what obstacles need to be overcome to make them really practical.Finally,we will also describe the problems with securely storing the Bitcoin secret keys(in the so-called wallets).3.REFERENCES[1]M.Andrychowicz,S.Dziembowski,D.Malinowski,and L.Mazurek.Fair two-party computations viaBitcoin deposits.In BITCOIN workshop in association with the Financial Cryptography and Data Securityconference,2014.[2]M.Andrychowicz,S.Dziembowski,D.Malinowski,and L.Mazurek.Secure multiparty computations onBitcoin.In2014IEEE Symposium on Security andPrivacy[3]L.Bahack.Theoretical bitcoin attacks with less thanhalf of the computational power.arXiv,2013.[4]I.Bentov and R.Kumaresan.How to use bitcoin todesign fair protocols.In CRYPTO2014[5]J.Bonneau,E.W.Felten,S.Goldfeder,J.A.Kroll,and A.Narayanan.Why buy when you can rent?Bribery attacks on Bitcoin consensus,November2014.manuscript[6]I.Eyal and E.G¨u n Sirer.Majority is not enough:Bitcoin mining is vulnerable.In FinancialCryptography and Data Security,2014.[7]S.Meiklejohn,M.Pomarole,G.Jordan,K.Levchenko,D.McCoy,G.M.Voelker,and S.Savage.Afistful ofbitcoins:Characterizing payments among men withno names.In Proceedings of the2013Conference onInternet Measurement Conference.[8]ler,E.Shi,A.Kosba,and J.Katz.Preprint:Nonoutsourceable scratch-offpuzzles to discouragebitcoin mining coalitions.2015.[9]Satoshi Nakamoto.Bitcoin:A peer-to-peer electroniccash system,2008.2.2Bitcoin main design principles。
