Bitcoin Miner Optimization

Transcription

1 Bitcoin Miner Optimization Nicolas T. Courtois - University College London, UK

2 Bitcoin Mining Bottom Line Bitcoin Mining = a high tech race to determine who will own the currency of the 21 century 2 Nicolas T. Courtois 2013

3 Bitcoin Mining Roadmap What is Bitcoin Mining Improvements 3 Nicolas T. Courtois 2013

4 Crypto Research at UCL 1. cryptologist and codebreaker Dr. Nicolas T. Courtois 4

5 Crypto Currencies Mining Bitcoin In A Nutshell bitocoins are cryptographic tokens, strings of bits stored by people on their PCs or mobile phones ownership is achieved through digital signatures: you have a certain cryptographic key, you have the money. publicly verifiable, only one entity can sign consensus-driven, a distributed system which has no central authority but I will not claim it is decentralized, this is simply not true! a major innovation is that financial transactions CAN be executed and policed without trusted authorities. Bitcoin is a sort of financial cooperative or a distributed business. based on self-interest: a group of some 100 K people called bitcoin miners own the bitcoin infrastructure they make money from newly created bitcoins and fees at the same time they approve and check the transactions. a distributed electronic notary system 5 Nicolas T. Courtois

6 Crypto Currencies Mining In Practice 6 Nicolas T. Courtois

7 Crypto Currencies Mining Money Transfer 7 Nicolas T. Courtois

8 Crypto Currencies Mining Is Bitcoin Money? We will NOT claim it has all the characteristics of money. it definitely has some! they are traded against traditional currencies at a number of exchanges. bitcoins are legal by default, there were some attempts to regulate them and even ban them by governments. 8 Nicolas T. Courtois

9 Who Accepts Bitcoin? 9 Nicolas T. Courtois

10 Bitcoin Mining Bitcoin Bitcoin = the most popular peer-to-peer payment and virtual currency system as of today belongs to no one, anarchy => 10 Nicolas T. Courtois 2013

11 Crypto Currencies Mining Crypto Currencies Mining 11 Nicolas T. Courtois

12 Crypto Currencies Mining Bitcoin Based on cryptography and network effects. 12 Nicolas T. Courtois

13 Crypto Currencies Mining Jan 2013-Jan => 1000 USD April 2013 MtGox 24h shutdown 13 April 2013 Digital Gold The Economist 13 Nicolas T. Courtois

14 Crypto Currencies Mining Flash Crash 10 Feb 2014 before 6AM 600 => 102 USD in a blink of an eye 14 Nicolas T. Courtois

15 Crypto Currencies Mining P2P Payment 15 Nicolas T. Courtois

16 Crypto Currencies Mining Bitcoin Network Satoshi original idea: homogenous nodes: they do the same job everybody participates equally everybody is mining a random graph 16 Nicolas T. Courtois

17 Crypto Currencies Mining The Reality is VERY Different! In violation of the original idea of Satoshi Bitcoin network has now 4 sorts of VERY DIFFERENT ENTITIES only rich people are mining upfront investment of >3000 USD. 100K active miners as of today? some full nodes : they trust no one Satoshi client a.k.a. bitcoind, version for PC, 14 Gbytes of disk space, takes 1 day to synchronize many nodes do minimal work and minimal storage, they need to trust some other network nodes many network nodes are community services and/or businesses which we need to trust, e.g. analytic tools, exchanges, lotteries, mining pools, etc. 17 Nicolas T. Courtois

18 Crypto Currencies Mining Digital Currency 18 Nicolas T. Courtois

19 Crypto Currencies Mining Digital Currency in bitcoin bank account = a certain private ECDSA key =>PK-based Currency, an important modern application of Digital Signatures! 19 Nicolas T. Courtois

20 Crypto Currencies Mining Main Problem: Avoiding this Double Spending 20 Nicolas T. Courtois

21 Crypto Currencies Mining In the Press THIS IS WRONG: SHA-256 is a cipher and provides confidentiality. Not it is a hash function and provides integrity of everything [hard to modify./cheat] "Bitcoins are encrypted": WRONG ONLY if you encrypt your wallet, not everybody does. Also can use SSL in P2P connections communications are encrypted if you use TOR 21 Nicolas T. Courtois

22 Crypto Currencies Mining Block Chain and Mining 22 Nicolas T. Courtois

23 Crypto Currencies Mining Bitcoin Mining Minting: creation of new currency. Creation+re-confirmation of older transactions data from previous transactions miner s public key RNG Ownership: policed by majority of miners : only the owner can transfer [a part of] 25 BTC produced. HASH must start with 64 zeros 23 Nicolas T. Courtois

24 Crypto Currencies Mining Block Chain Def: A transaction database shared by everyone. Also a ledger. Every transaction since ever is public. Each bitcoin piece is a union of things uniquely traced to their origin in time (cf. same as for several banknotes due to SN) 24 Nicolas T. Courtois

25 Crypto Currencies Mining Can Sb. Cancel His Transaction? Yes if he produces a longer chain with another version of the history. Very expensive, race against the whole network (the whole planet). In practice transactions cannot be reversed. 25 Nicolas T. Courtois

26 Crypto Currencies Mining Bitcoin Address 26 Nicolas T. Courtois

27 Crypto Currencies Mining A Bitcoin Address = a sort of equivalent of a bank account. 27 Nicolas T. Courtois

28 Crypto Currencies Mining H(PublicKey) +checksum 28 Nicolas T. Courtois

29 Crypto Currencies Mining Bitcoin Ownership Amounts of money are attributed to public keys. Owner of a certain Attribution to PK can at any moment transfer it to some other PK addresses. Destructive, cannot spend twice: not spent

30 Crypto Currencies Mining Fees => Miner

31 What If / Answer My private key or password is lost. I have an older backup for my wallet Password is easy guess RNG is faulty. 31 Nicolas T. Courtois

32 What If / Answer My private key or password is lost. I have an older backup for my wallet Password is easy guess RNG is faulty All money is lost, NOBODY can recover it Some money will be recovered, not all. 32 Nicolas T. Courtois

33 What If / Answer My private key or password is lost. I have an older backup for my wallet All money is lost, NOBODY can recover it Some money will be recovered, not all. Password is easy guess RNG is faulty My money will be stolen by an anonymous thief 33 Nicolas T. Courtois

34 Bitcoin Mining 34 Nicolas T. Courtois

35 Bitcoin Mining Minting: creation of new currency. Creation+re-confirmation of older transactions data from previous transactions miner s public key RNG HASH must start with 60 zeros 35 Nicolas T. Courtois

36 Bitcoin Randomization Nonce = def? Which arrow? data from previous transactions miner s public key RNG HASH must start with 60 zeros 36 Nicolas T. Courtois

37 Bitcoin Mining Minting: creation of new currency. Creation+re-confirmation of older transactions data from previous transactions miner s public key RNG Random Oracle like mechanism. What???????????????? HASH must start with 60 zeros 37 Nicolas T. Courtois

38 Bitcoin Mining Minting: creation of new currency. Creation+re-confirmation of older transactions data from previous transactions miner s public key RNG Random Oracle like mechanism Means: treat as a DETERMINISTIC black box which answers at random. HASH YES it is must start with 60 zeros 38 Nicolas T. Courtois

39 Bitcoin Mining Minting: creation of new currency. Creation+re-confirmation of older transactions data from previous transactions miner s public key RNG Random Oracle like mechanism Means: treat as a DETERMINISTIC black box which answers at random. HASH YES it is, However now I m going to show it isn t. Marginal improvement (a constant factor). 39 Nicolas T. Courtois must start with 60 zeros

40 1. CPU Mining Five Generations of Miners Example: Core i5 2600K, 17.3 Mh/s, 8threads, 75W CPU = about 4000 W / Gh/s 40 Nicolas T. Courtois

41 2. GPU Mining Five Generations of Miners Example: NVIDIA Quadro NVS 3100M, 16 cores, 3.6 Mh/s, 14W CPU = about 4000 W / Gh/s, in this case GPU = about 4000 W / Gh/s, in this case Who said GPU was better than CPU? Not always. 41 Nicolas T. Courtois

42 3. FPGA Mining Five Generations of Miners Example: ModMiner Quad, 4 FPGA chips, 800 Mh/s, 40W CPU,GPU = about 4000 W / Gh/s FPGA = about 50 W / Gh/s, in this case 42 Nicolas T. Courtois

43 3. FPGA Mining Five Generations of Miners Example: ModMiner Quad, 4 FPGA chips, 800 Mh/s, 40W CPU,GPU = about 4000 W / Gh/s FPGA = about 50 W / Gh/s 100x less energy. 43 Nicolas T. Courtois

44 FPGA: 100x less energy. Five Generations of Miners Still much less with ASIC: Good points: asynchronous logic, arbitrary gates, etc.. Drawback: hard to update! Another times improvement. (100x is cheating: I was comparing one 28 nm ASIC to one 45 nm FPGA) 44 Nicolas T. Courtois

45 4. ASIC Miners Five Generations of Miners CPU,GPU = about 4000 W / Gh/s FPGA = about 50 W / Gh/s ASIC = now down to 0.35 W / Gh/s Overall we have improved the efficiency 10,000 times since Satoshi started mining in early Nicolas T. Courtois

46 5. Quantum Miners???? Five Generations of Miners? 46 Nicolas T. Courtois

47 ASICs Comparison 3.2 W By power / Gh/s 0.35 W low power mode 1 W cf. 47 Nicolas T. Courtois W

48 Criminal Scams See bitcoinscammers.com

49 Bitcoin And Hash Functions 49 Nicolas T. Courtois

50 Crypto Currencies Mining arxiv.org/abs/ Our Paper: 50

51 hashed data from previous transactions Mining Overview 3x SHA-256 compression Goal: find a valid pair (merkle_root, nonce) which gives 60 bits at 0 in H2 CISO Problem: Constrained Input Small Output 51 Nicolas T. Courtois

52 hashed data from previous transactions Mining Internals

53 Bitcoin Hash Functions And Block Ciphers (!) 53 Nicolas T. Courtois

54 SHA-256 Compression Function block cipher Davies-Meyer cf. Pieprzyk, Matusiewicz et al.

55 Fact: The process of BitCoin Mining is no different than a brute force attack on a block cipher: Apply the same box many times, with different keys Here the block cipher is a part of a hash function but it does NOT matter. 98% of computational effort is evaluating this block cipher box with various keys and various inputs Like a random oracle. PLAIN BLOCK KEY 55 Nicolas T. Courtois CIPHER

56 Davies-Meyer Transforms a block cipher into a hash function. In SHA-256 we have: block size=256, 64 rounds, key size=256 expanded 4x. IV or last hash message block M_i PLAIN CIPHER KEY 56 Nicolas T. Courtois HASH

57 ***One Round of SHA-256 cf. Pieprzyk, Matusiewicz et al.

58 Optimising Mining (38% gain) 58 Nicolas T. Courtois

59 Hashing Block of 300+ Bits padding added cf. Pieprzyk, Matusiewicz et al.

60 Hashing Block of 300+ Bits padding added cf. Pieprzyk, Matusiewicz et al.

61 Padding

62 + Second Hash

63 Inputs

64 Davies-Meyer

65 hashed data from previous transactions Mining Internals

66 Improvement 1 Amortized Cost(H0)=0

67 Improvement 2 Gains 3 Rounds At the End

68 Improvement 3 Gains 3 Rounds At the Beginning they do NOT depend on the nonce

69 Improvement 4 Incremental Computation

70 Improvement 4 - contd Incremental Computation 1 increment instead of 400 gates.

71 Improvement 5 Gains 18 Additions 3600 gates

72 Improvement 6 Saving 2 More Additions 400 gates with Hard Coding AND SAVE LIKE HALF of the next addition! (addition with a constant = cheaper, depends on the constant, needs a sort of compiler, slowly changing)

73 Crypto Currencies Mining Message Schedule => just copy for 16 R non-trivial part

74 Message Schedule

75 Improvement 7 - Fact: Some early values do NOT yet depend on the nonce. In H1 computation only (left column).

76 Improvement 7 3 more 2 more 32-bit additions are saved by hard coding, and more for the next addition (again, adding a constant, depends on the constant, average cost maybe saving another 1? addition). Some 600 extra gates saved.

77 Improvement 8 1 More Incremental nonce We have:

78 Optimising The Mining

79 Future Dan Kaminsky 79 Nicolas T. Courtois

80 San Diego Bitcoin Conference May 2013 Earlier he said that he has no stakes in this game. Then at minute 40 he claims that the current Bitcoin Proof of Work function based on SHA-256 will not survive the year (to be replaced before end of 2013). He says that assigns zero percent probability that we will continue with the present POW function. Back to CPU mining.

81 SHA-256 to be phased out? HOWEVER: NOBODY OWNS BITCOIN We claim the contrary: any attempt to change the POW is close to impossible to enforce AND if mandated by some group of people, it will lead to a SPLIT IN THE BITCOIN COMMUNITY. An organised divorce of people and software developers who will be running two separate block chain versions.

82 Crypto Currencies Mining Mining In Pools 82 Nicolas T. Courtois

83 Crypto Currencies Mining Why Pools? Reason 1. To smooth the gains: Instead of waiting 1 year to get 25 BTC, why not get a little money every day? Reason 2. Huge Incertitudes: Law Of Bitcoin Minining: It follows the Poisson Distribution. VERY STRESSFUL. Cannot sleep at night.

84 Crypto Currencies Mining Major Pools In Existence Miners tend to flock to the largest pools.

85 Crypto Currencies Mining Pools Operation Question: but is there a fair and secure implementation? Answer: Probably There Isn t. Typically miners with a private key not known to individual miners!. In theory the pool manager could steal the money. Must be trusted. risk is mitigated by frequent pay-outs

86 Crypto Currencies Mining Bitcoin Share A proof of effort: allows one to be paid. =def= A hash starting with 32 zeros (one in 2 32 hashes). B0 64 zeros 32 zeros reward paid

87 Crypto Currencies Mining Bitcoin Share A proof of effort: allows one to be paid. =def= A hash starting with 32 zeros (one in 2 32 hashes). B0 64 zeros 32 zeros reward paid much later, after 2 41 shares have been found B0 64 zeros B1 64 zeros new block

88 Crypto Currencies Mining Attacks: Pool Hopping Attack 88 Nicolas T. Courtois

89 Crypto Currencies Mining Pool Hopping Main Idea If a miner mines in a pool in which a lot of shares have already been submitted and no block has yet been found, he will gain less in expectation because the reward will be shared with the miners who have contributed to this pool. Therefore at a certain moment it may be profitable to stop Therefore at a certain moment it may be profitable to stop mining in this pool and contribute elsewhere (reward will be shared with less people).

90 Crypto Currencies Mining Selfish Mining and Block Discarding Attacks [2013] 90 Nicolas T. Courtois

91 Crypto Currencies Mining Selfish Mining Attacks Proposed independently by Eyal-Sirer [Cornell] and also by Bahack [Open Univ. of Israel] in Very famous, bitcoin is broken etc In fact this is a very theoretical attack, most probably without a lot of practical importance It relies entirely on rare events, most of the time there is no advantage to the attacker.

92 Crypto Currencies Mining Selfish Mining Attacks Assumption 1: If there is the longest chain in the bitcoin blockchain, everybody mines on it. Called consensus Doing otherwise would be really stupid.

93 Crypto Currencies Mining Assumption 2: Selfish Mining Attacks At any moment during the attack there are up to two competitive public branches one of which can have a secret extension. we have either just one branch (with possibly a secret extension by the attacker s) or a public fork with two branches of equal depth k in the case of a fork one branch is composed solely of honest miner's blocks and the other is composed solely of attacker's blocks (which at moments can have a secret extension).

94 Crypto Currencies Mining Selective Disclosure Attackers keep their blocks secret for some time, in order to make the honest majority lose energy mining on obsolete blocks. However when other find a block, subversive miners disclose their ASAP. Known to them A BIT earlier. Small advantage.

95 Crypto Currencies Mining Overall Result Subversive miners can earn a bit more. Not a big deal. later wasted e.g. Remark[Courtois] this attack is all about events which almost never happen in the current bitcoin network. Unlikely to get very significant

96 Crypto Currencies Mining Our New Paper [2014] 96 Nicolas T. Courtois

97 Crypto Currencies Mining Block Withholding Attacks Cf. Nicolas Courtois, Lear Bahack: On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency

98 Crypto Currencies Mining Main Result We revisit a known idea: block withholding. The miners mine in pools, they report shares but in (very rare) case when they find the winning tickets. We show that this attack cannot be detected, not even in theory. We show that for very large pools, it will be visible, but nobody can say who is responsible. This attack was known [Rosenfeld] and in the initial version the subversive miners gained nothing: everybody lost.

99 Crypto Currencies Mining Our Block Withholding Attack We propose a better version, in which subversive miners DO get more than their fair share. It is very simple: 50 % of subversive miners withhold blocks they fin 50 % mine solo normally (or in other pools). We show that: split maximizes the gain. We claim that this simple attack is by far more practical and more realistic than the Cornell attack [1000s of press reports].