Cryptocurrency Cabalcs4501 Fall 2015David Evans and Samee ZahurUniversity of Virginia

Class 7:The

Blockchain

2

3

Plan for TodayTrustDistributed ConsensusProof-of-WorkBlockchain

Next Wednesday: Checkup 2Classes through next MondayCheckup 1, PS1Readings:

Satoshi paperAntonopoulos book: Ch 6 and 7Princeton book: Ch 2 and 5

4

Where does trust come from?

5http://www.jdsurvey.net/jds/jdsurveyMaps.jsp

6Image credit: https://howveryromanian.wordpress.com/2013/09/15/bag-wrapping/

Queuing for cooking oil (Bucharest, 1986) Scott Edelman

7Image: Queerbubbles CC BY-SA

8

9

Sources of TrustYourself (super trustworthy!)Mathematics and Science

Trustworthy because of logic, verified experimentsOrganizations and People

Trustworthy because of what they have to lose (reputation)Trustworthy because of trusted oversight (law, police)Trustworthy because incentives are alignedTrustworthy because of processes they follow

10

Bitcoin’s solution: a public ledgerTrust in resources

11

Public Ledger

Node A Node B Node C

M = transfer X to BobSignKRA[H(M)] Bob wants to verify:1. Alice hasn’t already transferred X2. The coin will be valuable for Bob

12

Public Ledger: Distributed Trust (?)

Node A Node B Node C

M = transfer X to Bob Bob wants to verify:1. Alice hasn’t already transferred X2. The coin will be valuable for Bobtb

tb tb tb

SignKRA[H(M)]

13

Node A Node B Node C

M = transfer X to Bob Bob wants to verify:1. Alice hasn’t already transferred X2. The coin will be valuable for Bobtb

tb tb tbok!

ok!

t

Transactions

1 tb (X->Bob)Transactions

1 tb (X->Bob)

SignKRA[H(M)]

14

Node A Node B Node C

Bob wants to verify:1. Alice hasn’t already transferred X2. The coin will be valuable for Bob

tb

tb tb tbok!

ok!

t

Transactions

1 tb (X->Bob)Transactions

1 tb (X->Bob)

15

Node A Node B Node C

M = transfer X to Cathytc

tc tc tcBAD!

t

Transactions

1 tb (X->Bob)Transactions

1 tb (X->Bob)Transactions

1 tc (X->Cathy)

SignKRA[H(M)]

16

Scaling the Network

Node A Node B Node C

ta

tb tb

Node D Node E Node F Node G

17

Blockchain

Public ledger without fixed set of nodes – decentralized, distributed trustRequires coalition with majority of computing power to collude to cheat

18

Blockchain

B0H(B0) Nonce

Transactions

H(B1) Nonce

Transactions

H(B2) Nonce

Transactions

19

Inconsistent Blockchains

Node A Node B Node C

Node D Node E Node F Node G

How do we know which blockchain is “correct”?

20

CRYPTO 1992

Cynthia Dwork(now at MSR)

Moni Naor(Weizmann Institute)

21

22

Idea: Proof-of-WorkPricing Function: (f)

- moderately easy to compute- cannot be amortized computing f(m1),…, f(ml) costs l times asmuch as computing f(mi). - easily verified: given x, y easy to check y = f(x)

23

Proposed Pricing Function

Extracting Square Rootsindex: pfind x, y such that y2 = x mod p

Dwork and Naor proposed two other pricing functions, designed to have “shortcuts” (backdoors) to allow administrators to compute them efficiently.

24

Hashcash

Adam Back 1997

25

Interactive Hashcash

mail sender mail recipient’s server

Hello

Challenge: rr random nonce

Everyone agrees on one-way function f

26

Interactive Hashcash

mail sender mail recipient’s server

Hello

Challenge: rr random nonce

search for x such thatf(x) = r

Everyone agrees on one-way function f

(x, Mail)

27

Interactive Hashcash

mail sender mail recipient’s server

Hello

Challenge: rr random nonce

search for x such thatf(x) = r

Everyone agrees on one-way function f

(x, Mail) Verify f(x) = r

28

Interactive Hashcash

mail sender mail recipient’s server

Hello

Challenge: rr random nonce

search for x such thatf(x) = r

Everyone agrees on one-way function f

(x, Mail) Verify f(x) = r

Can we make this non-interactive?

29

Non-Interactive Hashcash

mail sender mail recipient’s server

Everyone agrees on one-way function f

Verify

30

Non-Interactive Hashcash

mail sender mail recipient’s server, s

Everyone agrees on one-way function f

How well would this work if f is SHA-256?

msg || x

Verify f(msg || x) = s

31

Pre-image Attack on SHA-256search for x such thatf(msg || x) = s

32

Estimated hash rate of entire bitcoin network:441,695,290 GH/s

33

34

Variable-Difficulty fChallenge: r, Difficulty: d

Find an x such that: SHA-256(msg || x) < T/d T is some set “target”.

If the difficulty doubles, how much more work is expected?

35

Bitcoin’s Proof-of-Work

Find an x such that: SHA-256(SHA-256(r + x)) < T/d

Why use double SHA-256?

36http://crypto.stackexchange.com/questions/779/hashing-or-encrypting-twice-to-increase-security

37

https://bitcointalk.org/index.php?topic=45456.0;all

38https://bitcoinwisdom.com/bitcoin/difficulty

Difficulty adjusts (every 2016 blocks) to keep block-finding time around 10 minutes

39https://bitcoinwisdom.com/bitcoin/difficulty

40

Finding the Next Block

B0H(B0) Nonce

Transactions

H(B1) Nonce

Transactions

H(B2) Nonce

Transactions

Find a nonce x such that: SHA-256(SHA-256(r + x)) < T/d

41

Finding the Next Block

B0H(B0) Nonce

Transactions

H(B1) Nonce

Transactions

H(B2) Nonce

Transactions

Find a nonce x such that: SHA-256(SHA-256(r + x)) < T/dr = header + transactions (including mining fee)header = H(previous block)

42

Actual Bitcoin Block

https://en.bitcoin.it/wiki/Protocol_documentation#Block_Headers

43

Inconsistent Blockchains

Node A Node B Node C

Node D Node E Node F Node G

The longest blockchain is the “right” one.

44

45

46

What happened to proof-of-work for sending email?

47

Instead of making computers do inane, repetitive work to prevent mass automation, we make humans do inane, soul-killing work!

48

ChargeReadings:

Satoshi paperAntonopoulos book: Chapters 6 and 7Princeton book: Chapters 2 and 5

Wednesday: Checkup 2