A Segwit Coin is not a Bitcoin
1 July 2017
Peter Rizun
“Cryptocurrency is more theology than science”
Skepticism: Alan Turing; null hypothesis
Fanaticism: Medieval theologist; divine scriptures
Passage from the Book of Blockstream/Core:
III. Thou shalt download code from only the bitcoin core repo, for only it is divine
IV. Thou shalt mine no block larger than the holy number of 1 MB
What rules do I consider unchallengeable?
I. Physical property rule: Bitcoin can move from place to place but cannot be created ex nihilo
II. Private property rule: In order for a bitcoin to move, the transfer must be authorized by the owner’s digital signature
With Bitcoin, both rules are on equal footing; with Segwit, the private property rule is subordinate to the physical property rule.
Manifestations of our ideologies
All rules could be seen as fanatical
Debate will not be settled by science
A Segwit Coin is not a Bitcoin
Claims:
1. Segwit coins have a different definition than bitcoins, which gives them different properties.
2. Unlike with bitcoins, miners can update their UTXO sets without witnessing the previous owners’ digital signatures.
3. The previous owners’ digital signatures have significantly less value to a miner for segwit coins than for bitcoins because miners do not require them in order to claim fees.
4. Although a stable Nash equilibrium exists where all miners witness the previous owners’ digital signatures for bitcoins, one does NOT exist for segwit coins.
5. Segwit coins have a weaker security model than bitcoins.
Simplifying Assumptions
• Miners are rational, short-term, profit-maximizing agents
• No miner will knowingly be complicit in fraud
• I.e., no miner will mine directly on top of a block that he knows to contain a fraudulent transfer
A Segwit Coin is not a Bitcoin: talk outline
1. Segwit coins have a different definition than bitcoins, which gives them different properties.
2. Unlike with bitcoins, miners can update their UTXO sets without witnessing the previous owners’ digital signatures.
3. The previous owners’ digital signatures have significantly less value to a miner for segwit coins than for bitcoins because miners do not require them in order to claim fees.
4. Although a stable Nash equilibrium exists where all miners witness the previous owners’ digital signatures for bitcoins, one does NOT exist for segwit coins.
5. Segwit coins have a weaker private-property model than bitcoins.
What is the definition of a bitcoin?
Good place to look
Find it on page 2
How is a Segwit coin different?
A bitcoin: Signatures are an integral part of the chain
A segwit coin: Signatures are outside of the chain
A bitcoin is a chain of digital signatures while a segwit coin is not
How does this change the coin’s properties?
Transferring Ownership Without Witnessing the Signatures
• Each node maintains a ledger of which coins belong to which entities (UTXO set)
• Upon receiving a new block, miner parses transactions, removing spent outputs from his UTXO set and adding newly-created outputs
• For bitcoins, since outputs are identified by hash, miner cannot update his UTXO set without witnessing the signatures that authorize the transfer
• For segwit coins, this does not hold
UTXO set
Hash Public key
A46E Alice’s
58F1 David’s
88CE Ethyl’s
B56A Bob’s (new output, bitcoin case: must witness signature for bitcoins)
F31A Bob’s (new output, segwit case: witnessing signature is not necessary for segwit coins; signature not part of hash)
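The hash dependence described on this slide, as an added example that is not part of the original deck: it serializes a legacy and a segwit spend in simplified Bitcoin wire format and shows which output ids (txid) can still be computed once signature data is removed, then contrasts a UTXO update that demands the witness with one that does not. The helper names (`without_signatures`, `apply_tx`, `demo`) and all byte values are assumptions made up for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass, field

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def varint(n: int) -> bytes:
    # CompactSize; lengths up to 0xFFFF are all this example needs
    return bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)

@dataclass
class TxIn:
    prev_txid: bytes   # 32-byte id of the transaction being spent
    vout: int
    script_sig: bytes = b""   # legacy inputs carry the signature here
    witness: list = field(default_factory=list)   # segwit inputs carry it here

@dataclass
class TxOut:
    value: int
    script_pubkey: bytes

@dataclass
class Tx:
    vin: list
    vout: list
    version: int = 1
    locktime: int = 0
    def serialize(self, with_witness: bool) -> bytes:
        wit = with_witness and any(i.witness for i in self.vin)
        out = struct.pack("<i", self.version) + (b"\x00\x01" if wit else b"")
        out += varint(len(self.vin))
        for i in self.vin:
            out += i.prev_txid + struct.pack("<I", i.vout)
            out += varint(len(i.script_sig)) + i.script_sig + struct.pack("<I", 0xFFFFFFFF)
        out += varint(len(self.vout))
        for o in self.vout:
            out += struct.pack("<q", o.value) + varint(len(o.script_pubkey)) + o.script_pubkey
        if wit:   # BIP141: witness stacks go after the outputs, before locktime
            for i in self.vin:
                out += varint(len(i.witness)) + b"".join(varint(len(w)) + w for w in i.witness)
        return out + struct.pack("<I", self.locktime)

    def txid(self) -> str:    # the hash that keys this transaction's outputs in the UTXO set
        return sha256d(self.serialize(False))[::-1].hex()

    def wtxid(self) -> str:   # BIP141 hash that also covers the witness
        return sha256d(self.serialize(True))[::-1].hex()

def without_signatures(tx: Tx) -> Tx:
    """The transaction as seen by a node that never received scriptSigs or witnesses."""
    return Tx([TxIn(i.prev_txid, i.vout) for i in tx.vin], tx.vout, tx.version, tx.locktime)

def utxo_keys_survive_stripping(tx: Tx) -> bool:
    """True if the UTXO keys of tx's outputs can be computed without any signature data."""
    return without_signatures(tx).txid() == tx.txid()

def is_witness_program(spk: bytes) -> bool:
    # version-0 P2WPKH (0x00 0x14 <20 bytes>) or P2WSH (0x00 0x20 <32 bytes>)
    return len(spk) in (22, 34) and spk[0] == 0 and spk[1] == len(spk) - 2

def apply_tx(utxo: dict, tx: Tx, require_witness: bool = True) -> bool:
    """Spend tx's inputs and add its outputs; False means rejected and utxo left untouched.
    Presence check only: full validation also runs the script and verifies the signature."""
    spent = [(i.prev_txid[::-1].hex(), i.vout) for i in tx.vin]
    if len(set(spent)) != len(spent) or any(k not in utxo for k in spent):
        return False
    for key, txin in zip(spent, tx.vin):
        if require_witness and is_witness_program(utxo[key].script_pubkey) and not txin.witness:
            return False   # segwit spend arrived without the data that authorizes it
    for key in spent:
        del utxo[key]
    utxo.update({(tx.txid(), n): o for n, o in enumerate(tx.vout)})
    return True

# Constructed sample data: placeholder bytes stand in for real signatures, keys and ids.
SIG, PUBKEY = b"\x30" + b"\x11" * 70, b"\x02" + b"\x22" * 32
FUNDING = b"\xaa" * 32
BOB = TxOut(50_000, b"\x00\x14" + b"\x44" * 20)
legacy_tx = Tx([TxIn(FUNDING, 0, bytes([71]) + SIG + bytes([33]) + PUBKEY)], [BOB])
segwit_tx = Tx([TxIn(FUNDING, 1, witness=[SIG, PUBKEY])], [BOB])

def demo() -> dict:
    utxo = {(FUNDING[::-1].hex(), 0): TxOut(60_000, b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac"),
            (FUNDING[::-1].hex(), 1): TxOut(60_000, b"\x00\x14" + b"\x33" * 20)}
    stripped = without_signatures(segwit_tx)
    return {
        "legacy_keys_survive": utxo_keys_survive_stripping(legacy_tx),
        "segwit_keys_survive": utxo_keys_survive_stripping(segwit_tx),
        "wtxid_covers_witness": segwit_tx.wtxid() != stripped.wtxid(),
        "lenient_accepts_stripped": apply_tx(dict(utxo), stripped, require_witness=False),
        "strict_accepts_stripped": apply_tx(dict(utxo), stripped),
        "strict_accepts_full": apply_tx(dict(utxo), segwit_tx),
    }

if __name__ == "__main__":
    print(demo())
```

The legacy txid changes when the scriptSig is removed, while the segwit txid does not; only the wtxid, and a node that insists on seeing the witness before updating its UTXO set, ties the update to the signature data.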
Segwit signatures are less valuable
Profit with sigs: Bitcoin = Reward + Fees – Cost; Segwit = Reward + Fees – Cost
Profit without: Bitcoin = Reward × (1-P) – Cost; Segwit = (Reward + Fees)(1-P) – Cost
Value of sigs: Bitcoin = P × Reward + Fees; Segwit = P × (Reward + Fees)
As P → 0: Bitcoin = Fees; Segwit = 0
Note: P is probability that previous block was invalid
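How the "Value of sigs" row follows from the two profit rows (an added derivation, not on the original slide; R, F and C abbreviate Reward, Fees and Cost, and V is profit with signatures minus profit without):

$$V_{\text{Bitcoin}} = (R + F - C) - \big(R(1-P) - C\big) = P R + F \;\xrightarrow{\;P \to 0\;}\; F$$

$$V_{\text{Segwit}} = (R + F - C) - \big((R + F)(1-P) - C\big) = P\,(R + F) \;\xrightarrow{\;P \to 0\;}\; 0$$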
To witness or not to witness?
A Nash equilibrium is stable if a small change for one player leads to a situation where two conditions hold:
1. the players who did not change have no better strategy in the new circumstance
2. the player who did change is now playing with a strictly worse strategy
Bitcoins: stable equilibrium
Witnessing becomes more profitable
Segwit coins: multiple equilibriums
Only stable equilibrium
Kill Segwit and Earn a Profit
• Tempt other miners into not witnessing the segwit signatures
• Strategically withhold and release witness extension block using variant of selfish-mining strategy
• γ is the fraction of hash power that mines on our block when we have a block race
Diagram labels: “Keep private”, then “Now release”
This block more likely to be orphaned. Punishes miners who wait for witness data.
γ = 1: Our strategy is always more profitable
γ = 0.5: Our strategy is more profitable if defectors control more than 25% of the hash power
γ = 0: Our strategy is more profitable if defectors control more than 33% of the hash power
• When we’re confident that the majority of the network is no longer waiting for witness data then:
  • Begin re-routing segwit transactions to our own personal addresses
  • Never release the witness data (no valid witness exists)
  • Blocks get built above confirming our fraudulent transfer
• No one has proof that a fraud occurred
  • “Everyone must have pruned the witness data”
This wouldn’t work for the P2SH soft fork
• Variation of this attack for P2SH:
  • Instead of withholding the segwit extension block, just withhold the signature for a P2SH transaction
  • Use same strategy to entice miners to mine on the block (missing only a single signature for a single transaction)
• Doesn’t work!
  • There is no way the other miners can be sure that the transactions that make up the block actually correspond to the Merkle root in the block header.
  • Any third party could have proposed that a different block corresponded to the known block header! There’s no way to tell who is lying.
  • Miners would have to mine empty blocks instead and the entire system breaks down.
Thought Experiment
Imagine that you have 100 BTC in a segwit address and a few days later you notice that they've been transferred to an address that you do NOT control. You try to find the signature that authorized the transfer to prove the theft (you're sure your private keys were secure so you think the signature must be bogus) but conveniently nobody seems to have it saved.
Can you prove that your funds were stolen?
Thank you!
Peter Rizun
peter.rizun@gmail.com

A Segwit Coin is not a Bitcoin

  • 1. A Segwit Coin is not a Bitcoin 1 July 2017 Peter Rizun
  • 2. “Cryptocurrency is more theology than science” Skepticism Fanaticism Alan Turing Medieval theologist Null hypothesis Divine scriptures
  • 3. “Cryptocurrency is more theology than science” III Thou shalt download code from only the bitcoin core repo, for only it is divine IV Thou shalt mine no block larger than the holy number of 1 MB Passage from the Book of Blockstream/Core
  • 4. I Bitcoin can move from place to place but cannot be created ex nihilo II In order for a bitcoin to move, the transfer must be authorized by the owner’s digital signature What rules do I consider unchallengeable?
  • 5. What rules do I consider unchallengeable? I Bitcoin can move from place to place but cannot be created ex nihilo II In order for a bitcoin to move, the transfer must be authorized by the owner’s digital signature With Bitcoin, both rules are on equal footings; with Segwit, the private property rule is subordinate to the physical property rule. Physical property rule Private property rule Manifestations of our ideologies All rules could be seen as fanatical Debate will not be settled by science
  • 6. A Segwit Coin is not a Bitcoin 1. Segwit coins have a different definition than bitcoins, which gives them different properties. 2. Unlike with bitcoins, miners can update their UTXO sets without witnessing the previous owners’ digital signatures. 3. The previous owners’ digital signatures have significantly less value to a miner for segwit coins than for bitcoins because miners do not require them in order to claim fees. 4. Although a stable Nash equilibrium exists where all miners witness the previous owners’ digital signatures for bitcoins, one does NOT exist for segwit coins. 5. Segwit coins have a weaker security model than bitcoins. Claims:
  • 7. Simplifying Assumptions • Miners are rational short-term profit-maximizing agents • No miner will knowingly be complicit in fraud • I.e., No miner will mine directly on top of a block that he knows to contain a fraudulent transfer
  • 8. A Segwit Coin is not a Bitcoin: talk outline 1. Segwit coins have a different definition than bitcoins, which gives them different properties. 2. Unlike with bitcoins, miners can update their UTXO sets without witnessing the previous owners’ digital signatures. 3. The previous owners’ digital signatures have significantly less value to a miner for segwit coins than for bitcoins because miners do not require them in order to claim fees. 4. Although a stable Nash equilibrium exists where all miners witness the previous owners’ digital signatures for bitcoins, one does NOT exist for segwit coins. 5. Segwit coins have a weaker private-property model than bitcoins.
  • 9. What is the definition of a bitcoin? Good place to look
  • 10. What is the definition of a bitcoin? Find it on page 2
  • 11. What is the definition of a bitcoin?
  • 12. What is the definition of a bitcoin?
  • 13. What is the definition of a bitcoin?
  • 14. What is the definition of a bitcoin?
  • 15. What is the definition of a bitcoin?
  • 16. What is the definition of a bitcoin?
  • 17. What is the definition of a bitcoin?
  • 18. How is a Segwit coin different? A bitcoin A segwit coin Signatures are an integral part of the chain Signatures are outside of the chain
  • 19. How is a Segwit coin different? A bitcoin A segwit coin A bitcoin is a chain of digital signatures while a segwit coin is not How does this change the coin’s properties?
  • 20. A Segwit Coin is not a Bitcoin: talk outline 1. Segwit coins have a different definition than bitcoins, which gives them different properties. 2. Unlike with bitcoins, miners can update their UTXO sets without witnessing the previous owners’ digital signatures. 3. The previous owners’ digital signatures have significantly less value to a miner for segwit coins than for bitcoins because miners do not require them in order to claim fees. 4. Although a stable Nash equilibrium exists where all miners witness the previous owners’ digital signatures for bitcoins, one does NOT exist for segwit coins. 5. Segwit coins have a weaker security model than bitcoins.
  • 21. Transferring Ownership Without Witnessing the Signatures • Each node maintains a ledger of which coins belong to which entities (UTXO set) • Upon receiving a new block, miner parses transactions, removing spent outputs from his UTXO set and adding newly-created outputs • For bitcoins, since outputs are identified by hash, miner cannot update his UTXO set without witnessing the signatures that authorize the transfer • For segwit coins, miners can update their UTXO set Hash Public key A46E Alice’s 58F1 David’s 88CE Ethyl's UTXO set
  • 22. Transferring Ownership Without Witnessing the Signatures Hash Public key A46E Alice’s 58F1 David’s 88CE Ethyl's UTXO set ✓ • Each node maintains a ledger of which coins belong to which entities (UTXO set) • Upon receiving a new block, miner parses transactions, removing spent outputs from his UTXO set and adding newly-created outputs • For bitcoins, since outputs are identified by hash, miner cannot update his UTXO set without witnessing the signatures that authorize the transfer • For segwit coins, miners can update their UTXO set
  • 23. Transferring Ownership Without Witnessing the Signatures Hash Public key A46E Alice’s 58F1 David’s 88CE Ethyl's B56A Bob’s UTXO set • Each node maintains a ledger of which coins belong to which entities (UTXO set) • Upon receiving a new block, miner parses transactions, removing spent outputs from his UTXO set and adding newly-created outputs • For bitcoins, since outputs are identified by hash, miner cannot update his UTXO set without witnessing the signatures that authorize the transfer • For segwit coins, miners can update their UTXO set B56A Must witness signature for bitcoins
  • 24. Transferring Ownership Without Witnessing the Signatures Hash Public key A46E Alice’s 58F1 David’s 88CE Ethyl's F31A Bob’s UTXO set F31AWitnessing signature is not necessary for segwit coins Not part of hash • Each node maintains a ledger of which coins belong to which entities (UTXO set) • Upon receiving a new block, miner parses transactions, removing spent outputs from his UTXO set and adding newly-created outputs • For bitcoins, since outputs are identified by hash, miner cannot update his UTXO set without witnessing the signatures that authorize the transfer • For segwit coins, this does not hold
  • 25. A Segwit Coin is not a Bitcoin: talk outline 1. Segwit coins have a different definition than bitcoins, which gives them different properties. 2. Unlike with bitcoins, miners can update their UTXO sets without witnessing the previous owners’ digital signatures. 3. The previous owners’ digital signatures have significantly less value to a miner for segwit coins than for bitcoins because miners do not require them in order to claim fees. 4. Although a stable Nash equilibrium exists where all miners witness the previous owners’ digital signatures for bitcoins, one does NOT exist for segwit coins. 5. Segwit coins have a weaker security model than bitcoins.
  • 26. Segwit signatures are less valuable Bitcoin Segwit Profit with sigs Reward + Fees – Cost Reward + Fees – Cost Profit without Reward x (1-P) – Cost (Reward + Fees)(1-P) – Cost Value of sigs P x Reward + Fees P x (Reward + Fees) As P → 0 Fees 0 - - Note: P is probability that previous block was invalid
  • 27. A Segwit Coin is not a Bitcoin: talk outline 1. Segwit coins have a different definition than bitcoins, which gives them different properties. 2. Unlike with bitcoins, miners can update their UTXO sets without witnessing the previous owners’ digital signatures. 3. The previous owners’ digital signatures have significantly less value to a miner for segwit coins than for bitcoins because miners do not require them in order to claim fees. 4. Although a stable Nash equilibrium exists where all miners witness the previous owners’ digital signatures for bitcoins, one does NOT exist for segwit coins. 5. Segwit coins have a weaker security model than bitcoins.
  • 28. To witness or not to witness? A Nash equilibrium is stable if a small change for one player leads to a situation where two conditions hold: 1. the players who did not change have no better strategy in the new circumstance 2. the player who did change is now playing with a strictly worse strategy [Figure label: Bitcoins]
  • 29. To witness or not to witness? A Nash equilibrium is stable if a small change for one player leads to a situation where two conditions hold: 1. the players who did not change have no better strategy in the new circumstance 2. the player who did change is now playing with a strictly worse strategy [Figure labels: Witnessing becomes more profitable; Bitcoins: stable equilibrium]
  • 30. To witness or not to witness? A Nash equilibrium is stable if a small change for one player leads to a situation where two conditions hold: 1. the players who did not change have no better strategy in the new circumstance 2. the player who did change is now playing with a strictly worse strategy [Figure label: Segwit coins: multiple equilibriums]
  • 31. To witness or not to witness? A Nash equilibrium is stable if a small change for one player leads to a situation where two conditions hold: 1. the players who did not change have no better strategy in the new circumstance 2. the player who did change is now playing with a strictly worse strategy [Figure label: Segwit coins: multiple equilibriums]
  • 32. To witness or not to witness? A Nash equilibrium is stable if a small change for one player leads to a situation where two conditions hold: 1. the players who did not change have no better strategy in the new circumstance 2. the player who did change is now playing with a strictly worse strategy [Figure label: Segwit coins: multiple equilibriums]
  • 33. To witness or not to witness? [Figure labels: Segwit coins: multiple equilibriums; Only stable equilibrium]
  • 34. A Segwit Coin is not a Bitcoin: talk outline 1. Segwit coins have a different definition than bitcoins, which gives them different properties. 2. Unlike with bitcoins, miners can update their UTXO sets without witnessing the previous owners’ digital signatures. 3. The previous owners’ digital signatures have significantly less value to a miner for segwit coins than for bitcoins because miners do not require them in order to claim fees. 4. Although a stable Nash equilibrium exists where all miners witness the previous owners’ digital signatures for bitcoins, one does NOT exist for segwit coins. 5. Segwit coins have a weaker security model than bitcoins.
  • 35. Kill Segwit and Earn a Profit • Tempt other miners into not witnessing the segwit signatures • Strategically withhold and release witness extension block using variant of selfish-mining strategy • γ is the fraction of miners that mines on our block when we have a block race
  • 36. Kill Segwit and Earn a Profit • Tempt other miners into not witnessing the segwit signatures • Strategically withhold and release witness extension block using variant of selfish-mining strategy • γ is the fraction of miners that mines on our block when we have a block race [Figure label: Keep private]
  • 37. Kill Segwit and Earn a Profit • Tempt other miners into not witnessing the segwit signatures • Strategically withhold and release witness extension block using variant of selfish-mining strategy • γ is the fraction of miners that mines on our block when we have a block race [Figure label: Now release]
  • 38. Kill Segwit and Earn a Profit • Tempt other miners into not witnessing the segwit signatures • Strategically withhold and release witness extension block using variant of selfish-mining strategy • γ is the fraction of hash power that mines on our block when we have a block race [Figure label: This block more likely to be orphaned. Punishes miners who wait for witness data.]
  • 39. Kill Segwit and Earn a Profit • Tempt other miners into not witnessing the segwit signatures • Strategically withhold and release witness extension block using variant of selfish-mining strategy • γ is the fraction of hash power that mines on our block when we have a block race [Figure label: γ = 1: Our strategy is always more profitable]
  • 40. Kill Segwit and Earn a Profit • Tempt other miners into not witnessing the segwit signatures • Strategically withhold and release witness extension block using variant of selfish-mining strategy • γ is the fraction of hash power that mines on our block when we have a block race [Figure label: γ = 0.5: Our strategy is more profitable if defectors control more than 25% of the hash power]
  • 41. Kill Segwit and Earn a Profit • Tempt other miners into not witnessing the segwit signatures • Strategically withhold and release witness extension block using variant of selfish-mining strategy • γ is the fraction of hash power that mines on our block when we have a block race [Figure label: γ = 0: Our strategy is more profitable if defectors control more than 33% of the hash power]
  • 42. Kill Segwit and Earn a Profit • When we’re confident that the majority of the network is no longer waiting for witness data then: • Begin re-routing segwit transactions to our own personal addresses • Never release the witness data (no valid witness exists) • Blocks get built above confirming our fraudulent transfer • No one has proof that a fraud occurred • “Everyone must have pruned the witness data”
  • 43. This wouldn’t work for the P2SH soft fork • Variation of this attack for P2SH: • Instead of withholding the segwit extension block, just withhold the signature for a P2SH transaction • Use same strategy to entice miners to mine on the block (missing only a single signature for a single transaction) • Doesn’t work! • There is no way the other miners can be sure that the transactions that make up the block actually correspond to the Merkle root in the block header. • Any third party could have proposed that a different block corresponded to the known block header! There’s no way to tell who is lying. • Miners would have to mine empty blocks instead and the entire system breaks down.
  • 44. Thought Experiment Imagine that you have 100 BTC in a segwit address and a few days later you notice that they've been transferred to an address that you do NOT control. You try to find the signature that authorized the transfer to prove the theft (you're sure your private keys were secure so you think the signature must be bogus) but conveniently nobody seems to have it saved. Can you prove that your funds were stolen?
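The hashing difference behind slide 24, as an added example that is not part of the original slides: a simplified BIP141/BIP144-style serialization showing that the txid used as the UTXO key covers the scriptSig but not the witness. The dict layout, helper names and placeholder signature bytes are assumptions made for the example; no script or signature is validated.

```python
import copy, hashlib, struct

def dsha(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def var_bytes(b):
    assert len(b) < 0xfd  # one-byte CompactSize is enough for this sample
    return bytes([len(b)]) + b

def serialize(tx, with_witness):
    wit = with_witness and any(i["witness"] for i in tx["vin"])
    out = struct.pack("<i", tx["version"]) + (b"\x00\x01" if wit else b"")  # marker+flag
    out += bytes([len(tx["vin"])])
    for i in tx["vin"]:
        out += i["prev_txid"] + struct.pack("<I", i["prev_index"])
        out += var_bytes(i["script_sig"]) + struct.pack("<I", i["sequence"])
    out += bytes([len(tx["vout"])])
    for o in tx["vout"]:
        out += struct.pack("<q", o["value"]) + var_bytes(o["script_pubkey"])
    for i in tx["vin"] if wit else []:
        out += bytes([len(i["witness"])]) + b"".join(map(var_bytes, i["witness"]))
    return out + struct.pack("<I", tx["locktime"])

def txid(tx):   # hash that outpoints (UTXO keys) refer to; witness excluded
    return dsha(serialize(tx, False))
def wtxid(tx):  # BIP141 hash that also covers the witness
    return dsha(serialize(tx, True))

def strip_signatures(tx):  # what a node holds if it never received the signatures
    t = copy.deepcopy(tx)
    for i in t["vin"]:
        i["script_sig"], i["witness"] = b"", []
    return t

def utxo_after(utxo, tx):  # remove spent outputs, add newly created ones
    spent = {(i["prev_txid"], i["prev_index"]) for i in tx["vin"]}
    new = {k: v for k, v in utxo.items() if k not in spent}
    new.update({(txid(tx), n): o["value"] for n, o in enumerate(tx["vout"])})
    return new

# Constructed sample data: placeholder bytes stand in for real scripts and signatures.
PREV = dsha(b"constructed funding transaction")
UTXO = {(PREV, 0): 5000}
def spend(script_sig, witness):
    vin = [{"prev_txid": PREV, "prev_index": 0, "script_sig": script_sig,
            "witness": witness, "sequence": 0xFFFFFFFF}]
    return {"version": 2, "vin": vin, "locktime": 0,
            "vout": [{"value": 4000, "script_pubkey": b"\xbb" * 22}]}
LEGACY = spend(b"\x30" * 72, [])                   # signature in scriptSig
SEGWIT = spend(b"", [b"\x30" * 72, b"\x02" * 33])   # signature in witness
```

BIP141 separately commits to every wtxid through the witness commitment in the coinbase, which is what a node that does download the witness data checks.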

Editor's notes

  1. Good afternoon everyone. I’ll start my talk with an anecdote: