Cryptocurrency Cabal
cs4501 Fall 2015
David Evans and Samee Zahur
University of Virginia

Class 7: The Blockchain

Plan for Today
- Trust
- Distributed Consensus
- Proof-of-Work
- Blockchain

Next Wednesday: Checkup 2
- Classes through next Monday
- Checkup 1, PS1
- Readings:
  - Satoshi paper
  - Antonopoulos book: Ch 6 and 7
  - Princeton book: Ch 2 and 5

Where does trust come from?

http://www.jdsurvey.net/jds/jdsurveyMaps.jsp

Image credit: https://howveryromanian.wordpress.com/2013/09/15/bag-wrapping/
Queuing for cooking oil (Bucharest, 1986) Scott Edelman

Image: Queerbubbles CC BY-SA

Sources of Trust
- Yourself (super trustworthy!)
- Mathematics and Science
  - Trustworthy because of logic, verified experiments
- Organizations and People
  - Trustworthy because of what they have to lose (reputation)
  - Trustworthy because of trusted oversight (law, police)
  - Trustworthy because incentives are aligned
  - Trustworthy because of processes they follow

Bitcoin’s solution: a public ledger
Trust in resources

Public Ledger
[Diagram: Node A, Node B, Node C]
M = transfer X to Bob
Sign_KRA[H(M)]
Bob wants to verify:
1. Alice hasn’t already transferred X
2. The coin will be valuable for Bob

Public Ledger: Distributed Trust (?)
[Diagram: Node A, Node B, Node C; labels tb, Sign_KRA[H(M)]]
M = transfer X to Bob
Bob wants to verify:
1. Alice hasn’t already transferred X
2. The coin will be valuable for Bob

[Diagram, next step: Node A, Node B, Node C; labels tb, ok!]
Transactions
1 tb (X->Bob)
Transactions
1 tb (X->Bob)

[Diagram, next step: Node A, Node B, Node C; labels tc, BAD!]
M = transfer X to Cathy
Sign_KRA[H(M)]
Transactions
1 tb (X->Bob)
Transactions
1 tb (X->Bob)
Transactions
1 tc (X->Cathy)

Scaling the Network
[Diagram: Node A, Node B, Node C, Node D, Node E, Node F, Node G; labels ta, tb]

Blockchain
- Public ledger without fixed set of nodes – decentralized, distributed trust
- Requires coalition with majority of computing power to collude to cheat

Blockchain
[Diagram: chain of blocks]
B0
H(B0), Nonce, Transactions
H(B1), Nonce, Transactions
H(B2), Nonce, Transactions

Inconsistent Blockchains
[Diagram: Node A, Node B, Node C, Node D, Node E, Node F, Node G]
How do we know which blockchain is “correct”?

CRYPTO 1992
Cynthia Dwork (now at MSR)
Moni Naor (Weizmann Institute)

Idea: Proof-of-Work
Pricing Function: (f)
- moderately easy to compute
- cannot be amortized: computing f(m1), …, f(ml) costs l times as much as computing f(mi).
- easily verified: given x, y easy to check y = f(x)

Proposed Pricing Function
Extracting Square Roots
index: p
find x, y such that y^2 = x mod p

Dwork and Naor proposed two other pricing functions, designed to have “shortcuts” (backdoors) to allow administrators to compute them efficiently.

Hashcash
Adam Back 1997

Interactive Hashcash
Everyone agrees on one-way function f
1. mail sender -> mail recipient’s server: Hello
2. mail recipient’s server -> mail sender: Challenge: r (r: random nonce)
3. mail sender: search for x such that f(x) = r
4. mail sender -> mail recipient’s server: (x, Mail)
5. mail recipient’s server: Verify f(x) = r

Can we make this non-interactive?

Non-Interactive Hashcash
Everyone agrees on one-way function f
1. mail sender -> mail recipient’s server, s: msg || x
2. mail recipient’s server: Verify f(msg || x) = s

How well would this work if f is SHA-256?

Pre-image Attack on SHA-256
search for x such that f(msg || x) = s

Estimated hash rate of entire bitcoin network: 441,695,290 GH/s

Variable-Difficulty f
Challenge: r, Difficulty: d
Find an x such that: SHA-256(msg || x) < T/d
T is some set “target”.
If the difficulty doubles, how much more work is expected?

Bitcoin’s Proof-of-Work
Find an x such that: SHA-256(SHA-256(r + x)) < T/d
Why use double SHA-256?
http://crypto.stackexchange.com/questions/779/hashing-or-encrypting-twice-to-increase-security
https://bitcointalk.org/index.php?topic=45456.0;all

https://bitcoinwisdom.com/bitcoin/difficulty
Difficulty adjusts (every 2016 blocks) to keep block-finding time around 10 minutes

Finding the Next Block
[Diagram: chain of blocks]
B0
H(B0), Nonce, Transactions
H(B1), Nonce, Transactions
H(B2), Nonce, Transactions
Find a nonce x such that: SHA-256(SHA-256(r + x)) < T/d
r = header + transactions (including mining fee)
header = H(previous block)

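
The nonce search from the Variable-Difficulty and Finding the Next Block slides, as an added Python example (not code from the lecture or from Bitcoin): it mines two chained blocks and shows that editing an earlier block makes verification fail. The toy target T, the 8-byte nonce encoding, the newline-joined transaction list and all function names are assumptions made for the sketch.

```python
import hashlib

T = 1 << 252          # assumed toy target so the search finishes quickly (not Bitcoin's)

def h2(data: bytes) -> bytes:
    """Double SHA-256, as in the slide's SHA-256(SHA-256(r + x))."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def meets_target(r: bytes, x: int, d: int) -> bool:
    """Check SHA-256(SHA-256(r + x)) < T/d, reading the digest as an integer."""
    digest = h2(r + x.to_bytes(8, "big"))     # "+" is byte concatenation here
    return int.from_bytes(digest, "big") < T // d

def expected_tries(d: int) -> float:
    """Each try succeeds with probability (T/d) / 2^256, so this is its inverse."""
    return 2**256 / (T // d)

def mine(prev_hash: bytes, txs: list[str], d: int) -> dict:
    """Search for a nonce x, with r = H(previous block) + transactions."""
    r = prev_hash + "\n".join(txs).encode()
    x = 0
    while not meets_target(r, x, d):
        x += 1
    return {"prev": prev_hash, "txs": txs, "nonce": x,
            "hash": h2(r + x.to_bytes(8, "big"))}

def verify_chain(chain: list[dict], genesis: bytes, d: int) -> bool:
    """One hash per block: check the link to the previous block and the work."""
    prev = genesis
    for b in chain:
        r = b["prev"] + "\n".join(b["txs"]).encode()
        if b["prev"] != prev or not meets_target(r, b["nonce"], d):
            return False
        prev = h2(r + b["nonce"].to_bytes(8, "big"))
    return True

def demo(d: int = 16) -> tuple[bool, bool]:
    genesis = h2(b"B0")                       # constructed stand-in for H(B0)
    chain, prev = [], genesis
    for txs in (["X->Bob"], ["Y->Cathy"]):    # constructed sample transactions
        block = mine(prev, txs, d)
        chain.append(block)
        prev = block["hash"]
    ok = verify_chain(chain, genesis, d)
    chain[0]["txs"] = ["X->Cathy"]            # rewrite history without redoing the work
    return ok, verify_chain(chain, genesis, d)

if __name__ == "__main__":
    print(demo(), expected_tries(16), expected_tries(32))
```

Verification costs one double hash per block, while mining costs `expected_tries(d)` double hashes on average; compare the values for d and 2d against the question on the Variable-Difficulty slide.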
Actual Bitcoin Block
https://en.bitcoin.it/wiki/Protocol_documentation#Block_Headers

Inconsistent Blockchains
[Diagram: Node A, Node B, Node C, Node D, Node E, Node F, Node G]
The longest blockchain is the “right” one.

What happened to proof-of-work for sending email?

Instead of making computers do inane, repetitive work to prevent mass automation, we make humans do inane, soul-killing work!

Charge
Readings:
- Satoshi paper
- Antonopoulos book: Chapters 6 and 7
- Princeton book: Chapters 2 and 5
Wednesday: Checkup 2