Open ZhangCheng-zh opened 2 years ago
Step 1: Establish a secure communications channel using asymmetric encryption Step 2: Share a symmetric encryption key Step 3: Use symmetric encryption for further communication
y = f(x)
where, given y
, it is computationally infeasible to calculate x, but given x, it it possible to calculate y
y= f(x)
is (relatively) easy to calculate, its inverse x=f'(y)
, is much more difficult, perhaps impossible, to calculatey=f(27)
is relatively simple, even by hand: 27 * 27 = 729x = f'(729)
is much more difficultShould have the following properties:
com := commit(m, nonce)
verify(com, msg, nonce)
A nonce is random value that can be used only once. Nonces will come up very often in our exploration of Bitcoin.
Assumes the commit function is hiding and binding
Binding = collision - resistant Given two pairs
m / nonce
andm' / nonce'
, it is infeasible to findm != m'
andcommit(m, nonce) == commit(m', nonce')
com = commit(msg, nonce)
Publishcom
publicly
Publish
nonce
andmsg
publicly Anyone can useverify(com, msg, nonce)
function to verifymsg
com = commit(msg, nonce)
For every possible n-bit output value y
, if k
chosen from a distribution with high min-entropy, then it is infeasible to find x such that H(k || x) == y
in time significantly less than Math.pow(2, n)
In other words, if someone wants the hash value result H(x) to be a particular value y, if H(x) produces a result of size n bits, then finding some value x such that H(x) == y should require at least pow(2, n) attempts(O(pow(2,n))
In other other words, the best way to find the result of a hash function is to just do the hash with different inputs, and brute force it.
many fields
Collision-resistant Hiding Puzzle-friendly
Hash Pointers and Related Data Structures
A pointer to some object or data set A cryptographic hash of that data or representation of that object
Hash pointer of previous data includes both data in node and hash of preceding node.
Merkle Tree:
And thus incentivizes miners to add more transactions, so they get transaction fee
Cyclic structures = no starting point for hashes
More Hashing, Digital Signatures and Centralized Legers
Covert each character into a corresponding value, sum them up modulo size of output Variety of problems with this scheme
compression algorithm accepts two arguments: current block (size m) and previous result (size n) outputs result of size n (where n < m)
Example:
(sk, pk) = generateKeys(keysize)
Given a key size keysize, return a 'keypair' - a public key used for verification and a secret key for signing
sig = sig(sk, message)
Given a secret key sk and a message, return a signature for that message
isValid = verify(pk, message, sig)
Given a public key pk, a message, and a signature, return a Boolean value indicating whether or not the message was properly signed
But be careful! Could use other ways to link your real identity to a generated keypair
u
s
with his secret keyu || s
(u concatenated with s) is a coinverify(pk, u, s)
to determine if a coin is valid (i.e., has been signed by Goofy)this
to Alice
", where this
is a hash pointer to a coin and Alice
is Alice's public keyBlacklist users or coins Create new coins for himself Stop updating the blockchain (holding the entire system hostage)
For users to agree on a single, published, authoritative blockchain For users to agree on what transactions are valid and which occurred IDs to be assigned in a decentralized way Minting of coins to be done in a decentralized way
He generated all coin He could punish users by not adding transactions to his blockchain He could hold the entire system ransom by refusing to update
"Abstract. A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution, but the main benefits are lost if a trusted third party is still required to prevent double-spending"
Bitcoin network itself
= Very decentralized - easy to spin up a fully-validating nodeMining
= Somewhat centralized - Open to anyone, but hard to do profitably and large economies of scaleUpdating protocol/rules
= Very centralized in practice - Vast majority of nodes use Bitcoin Core. Anyone can write their own node software (or use an alternative such as BitcoinJ), but the VAST majority use CoreDistributed Consensus protocol:
There are n nodes that each have an input value. Some of these nodes are faulty or malicious. A distributed consensus protocol has the following properties:
Alice want to pay Bob one bitcoin:
Every Node(circle) has: 1 The blockchain up to that point in time 2 A list of outstanding transactions which have been broadcast but are not yet in the blockchain (the transaction pool or mempool)
Different nodes may have different transaction lists Every 10 minutes, nodes use some consensus mechanism (e.g. voting) to determine which transactions are put in blockchain. If a transaction is missed, no problem, wait for the next block!
unspent transaction outputs
, that is, transactions that have been input to an address but not yet output to anotherH(nonce || prev_hash || tx1 || tx2 || ... txn) < target
H(id || x) ( Y
better than trying possible values of id
H(nonce || rest_of_block) < target
hash rate
or hash power
of the Bitcoin networkH(nonce || rest_of_block) < target
Failure - H(nonce || rest_of_block) >= target
Poisson process
H(nonce || rest_of_block) < target
?H(nonce || rest_of_block) < target
?
all are ten minutesmean time to my next block = 10 m / fraction of hash power I control
H(nonce || rest_of_block) < target
, block is valid// Should I mine Bitcoin?
mining_reward = block_reward + tx_fees
mining_cost = hardware_cost + operating_costs
if (mining_reward > mining_cost)
return true
else
return false
H(block) < target
, or generate a different candidate blockexample:https://blockchair.com/bitcoin/block/741014
Once it does, broadcast it ASAP to the network
mining rigs
mining pool
is a collective of miners generally run by a pool manager (who takes a small cut).hash laundering
chainsplits
)?punitive forking
Feather forking
- You'll attempt to fork, but eventually give up if you can't do it. Probability of success is pow(a, 2) (where a = your percentage of hash power of entire network)Remember: Bitcoin transactions are immutable once they are completed and on the blockchain! third-party arbiter: Judy buyer: Alice legitimate businessman: Bob need to be signatured by 2 of 3
A(pk)
, where A()
is a rather convoluted multi-hashing process (will briefly cover this in a few slides)Base58Check
format-Just like mining, we can just keep trying with different inputs For each character we want, there is a 1 / 58 chance we will get the correct one, ergo chances are 1 / pow(58,k) for a k-character pattern -Luckily, programs can do this for us... do this locally! keys have been stolen from "online vanity generations!" Also note that there are some possible efficiency optimizations sheer random guesses, see book for details
-Sofeware on your computer or phone which keeps track of your keys, coins, makes transactions, etc.
you need have 3 or more points on the parabola
-Problem with previous schemes - they all generate the actual secret key, which is a point of weakness (key can be stolen after reconstruction and used on its own)
Is Bitcoin anonymous?
the anonymity set
- the set of transactions an adversary not distinguish from your own transaction
Properties of Money
Credit vs Cash
Credit: Debt-based system Cash: 'External' medium of exchange Benefits and drawbacks to each - no perfect solution
FirstVirtual
SET Architecture
Digital Credit to Digital Cash
Cash needs to be boostrapped, but
Chaumian Ecash
The Double-Spend Issue
How can we prevent a 'double-spend'.
Anonymity
Scarcity
Computational Backing
"Bitcoin is Hashcash extended with inflation control" - Adam Back
Ledgers
Use Linked Timestamps
Efficiency of Linked Timestamps
Bitcion-style Blockciain
Bitcoin
Resolving the double-spend issue