Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Programming Distributed Systems13 Blockchains
Christian Weilbach & Annette Bieniusa
AG SoftechFB Informatik
TU Kaiserslautern
Summer Term 2018Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 1/ 65
Introduction
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 2/ 65
About me
functional programmer in Clojure/ScriptP2P enthusiastreplikativ.ioworking on “datopia”, datalog based blockchainmachine learning PhD
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 3/ 65
Blockchain?
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 4/ 65
What is a blockchain?
It is a chain of blocks :PActually just the transaction logWhat is the point actually???
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 5/ 65
The Bitcoin blockchain: the world’s worst database1
Would you use a database with these features?
Uses approximately the same amount of electricity as could poweran average American household for a day per transactionSupports 3 transactions / second across a global network withmillions of CPUs/purpose-built ASICsTakes over 10 minutes to “commit” a transactionDoesn’t acknowledge accepted writes [..]Can only be used as a transaction ledger denominated in a singlecurrency, or to store/timestamp a maximum of 80 bytes pertransaction
But it’s decentralized! (is it?)
1Kalra et al. ZEUS: Analyzing Safety of Smart ContractsChristian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 6/ 65
Political motivation
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 7/ 65
Satoshi Nakamotomysterious inventor of Bitcointhis is not Satoshi Nakamoto:
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 8/ 65
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 9/ 65
Anarchocapitalism
Strong form of free market ideologyIt is directed against (central) banks and statesMarket and money are holy (following Friedrich Hayek, Ayn Rand)affiliated to libertarian ideology prominent in Silicon Valleybut: can also be read as reaction to monopolisation andprivatisation
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 10/ 65
Platform economy
Examples: Facebook, Uber, Google, Amazon, AirBnB, . . .
Strategy:
1) get users on your platform and grow as fast as possible withvencture capital (VC) money
2) encourage network effects through open strategy and free products3) privatize platform and own data ⇒ profit
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 11/ 65
post-68 Internet vision
Platform economy focuses on individualism of consumerturned into vague, “Orwellian” Startup terminology: disruption,democratization, participation, openness, progress, communitybut: today it is threatening surveillance capitalism
Amazon Teams Up With Law Enforcement to Deploy DangerousNew Face Recognition TechnologyGoogle Is Quietly Providing AI Technology for Drone StrikeTargeting ProjectWe work for Google. Our employer shouldn’t be in the business ofwar
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 12/ 65
What now?
P2P systems & free/open source movementcypherpunks: cryptography, e.g. PGPpolitical ideologies against centralization:
left anti-state, right anti-stateexamples: BitTorrent, Bitcoin, Wikis, gitIdea: software emancipates from hardwareProblem: no economic systemAnswer: ICO-mania as response to VC funding??
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 13/ 65
Bitcoin
political argument as codegame theory as programmable economicstechnical design not from angle of DB architectdistributed system as answer to centralization of powerculture clash: think big megalomania vs. conservative DBarchitects
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 14/ 65
What is a blockchain technically?
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 15/ 65
Blockchain as DB
≈ strongly-consistent database:
⇒ total order of events (like atomic broadcast)
⇒ scalability ≤ any strongly consistent DB
Problem is permissionless environment: adversarial
needs to be decentral/neutral w.r.t. to peers running the network
cannot be privatized
historical outline
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 16/ 65
Byzantine generals
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 17/ 65
Byzantine Fault Tolerance
Paxos, Raft, etc. are supposed to run in trusted environmentadversarial environment: fake messages, drop messages, delaymessagesthreshold of honest peers (generals), e.g. > 2/3
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 18/ 65
Bitcoin
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 19/ 65
Design objectives
economics: game theoretic equilibriumstate: no censorship or seizing of moneymoney: no inflation through central bankspolitics: decentralized network
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 20/ 65
Nakamoto consensus[2]
Byzantine fault-tolerance (fake message, dropped messages,delayed messages)Technology existed 10-15 years before BitcoinRecombination is novelInteresting usage of cryptography
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 21/ 65
HashCash (1997)
Problem: spam flooding protectionIdea: To post on message board you have to do tiny amount ofcrypto work, but spammers have to pay proportional priceuse property of cryptographic hash functions like SHA-256
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 22/ 65
On cryptographic hash functions
Hash function H takes arbitrary string as input and produces fixed-sizeoutput (here: 256 bit)
Properties:
1) Efficient to compute2) Practically collision-free3) Given H(x), it is infeasible to find x4) Puzzle-friendly: For every possible output value y, it is infeasible to
find x such that H(k · x) = y if k is chosen from a distributionwhere every value is chosen with negligible probability (→ Nostrategy is much better than trying random values of x)
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 23/ 65
How can cryptographic hashing be useful
If we know H(x) == H(y), then it is safe to assume that x == yUse hash as a message digest (much smaller than message)Can commit to a message, but only reveal it laterSet up “search puzzle”: Given k and a target set Y , find asolution x such that H(k · x) ∈ Y
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 24/ 65
On hash pointers
A hash pointer is a pointer to some information plus the cryptographichash of the information.
Purpose:
Access to the informationVerification that information hasn’t changedBuild temper-evident data structures!
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 25/ 65
Blockchain: A temper-evident log
What happens if somebody tries to modify the data in one block?
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 26/ 65
Blockchain as DB
strongly-consistent database:
⇒ total order of events (like atomic broadcast)
⇒ scalability ≤ any strongly consistent DB
problem is permissionless environment: adversarial
needs to be decentral/neutral w.r.t. to peers running the network
cannot be privatised
historical outline
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 27/ 65
Bitcoin
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 28/ 65
Design objectives
economics: game theoretic equilibriumstate: no censorship or seizing of moneymoney: no inflation through central bankspolitics: decentralized network
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 29/ 65
Nakamoto consensus[2]
Byzantine fault-tolerance (fake message, dropped messages,delayed messages)technology existed 10-15 years before Bitcoinrecombination is novelsmart usage of cryptography
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 30/ 65
HashCash (1997)
spam protectionpost on message board + tiny amount of crypto work
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 31/ 65
Mining a block: Proof of Work
Difficulty target: hash must be smaller than this value (leadingzero bits, definesY )H(b · x) ∈ Y , b block bits, x chosen noncequadrillions of hash operations per secondtoday: mining pools with ASIC hardware
Source: https://www.buybitcoinworldwide.com/mining/hardware/
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 32/ 65
Bitcoin’s block chain
started with “genesis” block by Satoshi Nakamoto on Jan 3, 2009
blocks can join and leave at will
⇒ replay operations to obtain actual state
most difficult (≈ longest) chain wins
race between miners
gossiping P2P network
milliseconds matter
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 33/ 65
Block structure
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 34/ 65
Consensus specification
Rules: implementation is specification (including bugs)C++ codebase + dependencies (Ughh)“immutability” or “code as law”
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 35/ 65
Trust model
checked before a block is accepted30-40 rules for transactionImportantly: 0 sum changes, positive balance30-40 rules for each blockrules are specified in C++
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 36/ 65
Pseudo-algorithm
1) Take chain with most work behind it2) Take received transactions and build a block3) Try to brute-force a H(b · x) ∈ Y with current difficulty level4) Either find a block first and propagate it as quickly as possible or
receive a new block: Repeat with 1.
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 37/ 65
Transaction-based ledger
authorize txn by signing with owner’s keysimplification here: only one txn/blockvalidation check with hash pointers
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 38/ 65
Miners against users?
Idea: incur cost vs. expected rewardfixed amount of block reward: currently 12.5 BitcoinAssumption at least 50% of nodes are honest.corresponds to voting/betting on winning chainCheating: create invalid blocks or delay networkbut: does not pay to cheat
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 39/ 65
How high is the probability of a fork of length N?
pN , where p is the probability that both partitions mine a new block ineach step at approximately the same time.
⇒ astronomically small for larger N .
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 40/ 65
(Imaginary) Example of fork
Example: Germany blue ↔ Japan redpartition in network happensnext block either is created in blue or red or in blueorphan the blockred wins: Take transactions from orphaned block, replay blue txsother chain never happened
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 41/ 65
Convergence
Probabilistic convergenceA fork of size 1 happens dailyA fork of size 2 weekly. . .A fork of size 6 practically never happens. . .
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 42/ 65
Problems
currently consumes electricity like 2 Denmarks (!!!)high latency: 10− 60 minutes (6 blocks confirmation)low throughput (< 10 tx/sec)eventually consistent (always reversible)
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 43/ 65
Bitcoin bugs
April 2013: 7 blocks forkcause: switch to LevelDBblock with 1200 transactions⇒ crashed BerkelyDB (max. 1024 txs) (bug)
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 44/ 65
Ethereum
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 45/ 65
Ethereum
generalization of ledgercurrency: Etherattempt to make blockchain programmable: “world computer”driving force behind ICO boom through “ERC20 tokens”
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 46/ 65
I want you to write a program that has to run in a concurrent environmentunder Byzantine circumstances where any adversary can invoke your programwith any arguments of their choosing. The environment in which yourprogram executes (and hence any direct or indirect environmentaldependencies) is also under adversary control. If you make a single exploitablemistake or oversight in the implementation, or even in the logical design ofthe program, then either you personally or perhaps the users of your programcould lose a substantial amount of money. Where your program will run, thereis no legal recourse if things go wrong. Oh, and once you release the firstversion of your program, you can never change it. It has be right first time.
I don’t think there are many experienced programmers that would fancytaking on this challenge. But call it ‘writing a smart contract’ andprogrammers are lining up around the block to have a go! Most of them itseems, get it wrong.2
Source: The morning paper, Zeus: Analyzing safety of smart contracts MARCH 8,2018
2Kalra et al. ZEUS: Analyzing Safety of Smart ContractsChristian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 47/ 65
Ledger → Runtime
transactions are interpreter state transitionsTuring-complete, general purpose imperative environmentreplicate a deterministic state machinePrograms: so called Smart Contractsdeployed as immutable code
Low-Level Lisp (LLL)Solidity
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 48/ 65
Example solidity
pragma solidity ˆ0.4.0;contract C {
function isSix(uint8 num)returns (bool) {
return num == 6;}
}
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 49/ 65
Ethereum Virtual Machine (EVM)
stack machineno IO!ephemeral on-chain memory256 bit words65 logically distinct instructions [3]3
3Implementation in ClojureChristian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 50/ 65
Gas model
important innovationevery instruction has a gas price (in Ether)proportional to memory access costinvoker of smart contract has to provide ethersmart contracts can call each other
What happens if gas runs out?
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 51/ 65
Problems
still PoW (high energy cost)still high latency: 15 secs block time4
still low throughput: (˜ 100 txs/sec)
4https://ethstats.net/Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 52/ 65
Tendermint
Adapted from a traditional BFT style approach5
immediate finalitylow latency (˜ 2 secs)Fork Accountabilityno mining“verified” through Jepsen
5https://media.ccc.de/v/FWTYS3Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 53/ 65
Tendermint state machine
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 54/ 65
Proof of Stake (PoS)
Desire: get rid of wasteful miningIdea: Replace PoW leader election by stake based voting.Votes are weighted by their stake or the money you have inyour account.Hard Problem: What are economic incentives for convergence?
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 55/ 65
Delegated Proof of Stake
Idea: elect validator nodes who run traditional BFT consensus⇒ small and known subnetworkAdvantage: higher quality of service (QoS) is possible withknown network topologyProblem: easier to attack or less decentralizedBitshares, Steem.it, Lisk, EOS
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 56/ 65
Democracy
Accounts vote for delegatesProblem: cartels are formingUnfortunately voter’s are often bribedTypically the system has a democratic constitution
Is this (liquid) democracy?
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 57/ 65
Changes to the constitution
Consensus protocol itself can be changed non-monotonicallySystem Governance is institutionalized (EOS)but requires finality (atomic, synchronous swap)
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 58/ 65
Other properties
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 59/ 65
Anonymity
is Bitcoin anonymous? Nope, rather the opposite6
zero-knowledge proofs (zksnarks): ZCash
6https://media.ccc.de/v/FWTYS3Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 60/ 65
Composition
linearizable systems composesidechainscloud databasesstate channels
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 61/ 65
Integration with CRDTs
transactional context for CRDT-based P2P systemsConflict-Aware Replicated Data Types (CARD) [1]
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 62/ 65
Summary: Comparison
System Consensus Finality Network Fork-Acc. Program.
Bitcoin Nakamoto eventual open no no*Ethereum Nakamoto* eventual* open no yesTendermint PoS-based immediate closed yes optionalAvalanche PoS-based immediate open no optional
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 63/ 65
Outlook
similar to Dotcom bubblemajority of systems today will not survivebut: “Blockchains” will not go away!possibility for decentralized funding (ICO, . . . )possibility to build new forms of society with distributed databasetechnology!
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 64/ 65
Further reading I
[1] Nicholas V. Lewchenko, Arjun Radhakrishna und Pavol Cerny.“Conflict-Aware Replicated Data Types”. In: CoRRabs/1802.08733 (2018). arXiv: 1802.08733. url:http://arxiv.org/abs/1802.08733.
[2] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cashsystem”. 2009. url: http://bitcoin.org/bitcoin.pdf.
[3] Dr. Gavin Wood. “Ethereum Yellow Paper: a formal specificationof Ethereum, a programmable blockchain”. In: (2014). url:https://github.com/ethereum/yellowpaper.
Christian Weilbach & Annette Bieniusa Programming Distributed Systems Summer Term 2018 65/ 65