mas.s62 lecture 2 - mit opencourseware · 2020-01-04 · work. pset01 (how's that going) needs...
TRANSCRIPT
![Page 1: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/1.jpg)
mas.s62 lecture 2
2018-02-12 Tadge Dryja
1
![Page 2: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/2.jpg)
cost How to prevent sybil attacks?
Hard problem! Arms race; Twitter / FB / etc have tons of bots
Also, don't want anyone in charge
rules out SSN, phone num, captchas
2
![Page 3: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/3.jpg)
work pset01 (how's that going) needs many attempts to forge a signature
if hash functions have random output, then there's no shortcut. We know what we want, but only way to get it is to keep trying.
3
![Page 4: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/4.jpg)
what do you want out of work? time consuming - like homework, but hw has problems. Trusted setup
deterministic verification
scalable - O(1) to verify
memoryless - everyone gets a chance
4
![Page 5: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/5.jpg)
homework work in this case, 5 bits of 8 are constrained need to try 25 messages to find a forgery must match:
x x 1 0 1 x 1 0
5
![Page 6: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/6.jpg)
homework work in this case, 5 bits of 8 are constrained need to try 25 messages to find a forgery must match:
1 1 0 0 1 1 0 0
6
![Page 7: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/7.jpg)
homework work in this case, 5 bits of 8 are constrained need to try 25 messages to find a forgery must match:
0 1 1 0 1 0 1 0
7
![Page 8: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/8.jpg)
collisions are work "Tadge forge 1 154262107" is a message that can be forged given the 4 signatures in the pset
Did I do 154M attempts (work)?
Maybe I did more
Maybe I got lucky and started at 150M 8
![Page 9: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/9.jpg)
"proof" of work Maybe not quite a proof; for one proof, lots of chance
For many proofs, averages out
Must estimate collision difficulty;
in this case 231 = 2GH
in this case, the "1" is thread number; 8 threads, so 1.2G, which is pretty good luck but within 2X
9
![Page 10: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/10.jpg)
simpler proof of work Signature collision is complex
Has specific target
Some kind of "universal" work
Collide with a fixed string
Collide with… zero?
10
![Page 11: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/11.jpg)
hashcash 1997, idea was to stop e-mail spam
put a nonce (that's the 154262107 number) in the mail header, try to get a *low* hash output
partial collision with 0
11
![Page 12: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/12.jpg)
simpler proof of work
$ echo "Tadge 4233964024" | sha256sum
000000007e9f5bb5a25b6a0d1512095bd415840a94e2f2fe93386898947dcb07
That's 8 zeros! 4 bytes. 232
I'm a hard worker. Will put this on my resume.
12
![Page 13: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/13.jpg)
partial collision work increased costs of equivocation / sybil resistance
scalable:
O(n) work takes O(1) space to prove and O(1) time to verify
13
![Page 14: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/14.jpg)
why work? to keep time Big new idea in Bitcoin 9+ years ago:
Use chained proof of work as distributed time-stamping
Achieves consensus on message sequence
Solves double spend problem
14
![Page 15: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/15.jpg)
block chain message m, nonce r, target t
hash(m, r) = h; h < t
15
![Page 16: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/16.jpg)
block chain message m, nonce r, target t
hash(m, r) = h; h < t
m n = (data, hn-1)
e.g m2 = (data2, hash(data1, r))
16
![Page 17: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/17.jpg)
block chain flip any bit in any block . . .
prev: 00ce msg: hi nonce: 5ffc
hash: 00db
hash: 002c
hash: 0094
hash: 008a
prev: 00db msg: oh hi nonce: 8c90
prev: 002c msg: how ru nonce: 10ba
prev: 0094 msg: good nonce: 562e
17
![Page 18: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/18.jpg)
hash: 97b2
block chain flip any bit in any block
and the chain is broken
prev: 00ce msg: hi nonce: 5ffc
hash: 00db
hash: 0094
hash: 008a
prev: 00db msg: oh hey nonce: 8c90
prev: 002c msg: how ru nonce: 10ba
prev: 0094 msg: good nonce: 562e
18
![Page 19: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/19.jpg)
chain forks can have two branches at a given height (number of blocks from origin)
hash: 0061
hash: 00f2
hash: 00db
hash: 002c
hash: 0094
hash: 008a
19
![Page 20: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/20.jpg)
chain forks Highest (most work) wins
Everyone uses chain with most work
hash: 00db
hash: 002c
hash: 0094
hash: 008a
hash: 0061
hash: 00f2
hash: 00a3
20
![Page 21: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/21.jpg)
chain forks Less work chains can be discarded after the fact. "Reorg"
hash: 00db
hash: 002c
hash: 0094
hash: 008a
hash: 0061
hash: 00f2
hash: 00a3
21
![Page 22: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/22.jpg)
pro: anonymous memoryless scalable non-interactive tied to real world
con: ~all nonces fail uses watts uses chips 51% attacks people hate it
pros & cons of PoW
22
![Page 23: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/23.jpg)
pros: anonymous no pre-known key / signature
anyone can go for it
all attempts equally likely
not limited to humans
23
![Page 24: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/24.jpg)
pros: memoryless no progress. 10T failed nonces, next nonce just as likely to fail
Poisson process: always expect next block in 10 min
2X attempts / sec means 2X chance of finding next block (linear)
24
![Page 25: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/25.jpg)
pros: scalable 0000000000000000003bd84b989235a304590bc9a127c97a2c2226ee51302258
Look at those 0s! 18 of em! 9 bytes!
(Seriously, that is 1022 attempts. Almost a mole.)
Takes just as long to check as with the 4 bytes of my name & nonce
But it's 240 times more work!
(that's 1 trillion times more) 25
![Page 26: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/26.jpg)
pros: non-interactive 1000 chips all trying once
or 1 chip trying 1000 times
equal chances; only communication is when a block is found
26
![Page 27: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/27.jpg)
pros: real world resources Like a captcha (turing test)
Prove usage of real world resource
Can't get that time / energy back
27
![Page 28: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/28.jpg)
272
cons: ~all nonces fail "inefficient" - almost all attempts fail. That's no fun.
attempts needed? You will ~never find a valid proof.
Granularity is high; small players pushed out of the game
28
![Page 29: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/29.jpg)
cons: uses watts & chips Lots of electricity
Could use that to charge your car
Uses fabs, which could make more CPUs
Affects markets: GPU prices
Someday could affect electric prices
29
![Page 30: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/30.jpg)
cons: irregular Poisson process means sometimes a solution is found in a few seconds
Sometimes it takes an hour
Can deal with it but annoying; Precludes some use cases
30
![Page 31: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/31.jpg)
cons: 51% attacks Anonymous: don't know who's got hash power. Maybe an attacker!
Attacker with 51% of total network power can write a chain faster than everyone else
Attacker can potentially rewrite history! 31
![Page 32: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/32.jpg)
cons: people hate it Not a quantitative / objective reason, but lots of people really don't like proof of work.
"The whole point of sha256 is you can't find collisions!" "Wastes so much electricity" "Totally pointless computation!"
32
![Page 33: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/33.jpg)
Proof of Work: it Works It's been working for 9 years Blocks keep coming In practice, infeasible to re-write old messages; tons of work on top Bitcoin: very few block reorgs (rewrites), most 1 or 2 blocks deep Next: build on it!
33
![Page 34: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/34.jpg)
Fun facts How to estimate total work done in the network? Just look at lowest hash Can prove total work ever with 1 hash
Can prove close calls as well to other people and show you're working
34
![Page 35: mas.s62 lecture 2 - MIT OpenCourseWare · 2020-01-04 · work. pset01 (how's that going) needs many attempts to forge a signature. if hash functions have random output, then there's](https://reader033.vdocument.in/reader033/viewer/2022042805/5f5dbf69075e8a2d35041e0c/html5/thumbnails/35.jpg)
MIT OpenCourseWare https://ocw.mit.edu/
MAS.S62 Cryptocurrency Engineering and Design Spring 2018
For information about citing these materials or our Terms of Use, visit: https://ocw.mit.edu/terms.