Bitcoin.pdf

BLOCKCHAIN
The foundation behind Bitcoin
Sourav Sen Gupta
Indian Statistical Institute, Kolkata

CRYPTOGRAPHY
Backbone of Blockchain Technology

Component 1 : Cryptographic Hash Functions

Map variable-length input to constant-length output.
HASH FUNCTIONS
h y
x
101011101011001…0010110100101 101110101001000110111100010101

Finding the pre-image of a given output is not easy.
HASH FUNCTIONS
h y
?
101011101011001…0010110100101 101110101001000110111100010101

Finding a colliding twin of a given input is not easy.
HASH FUNCTIONS
h y
x1
101011101011001…0010110100101
101110101001000110111100010101
x2
1100101001011001…110010100110

Finding any colliding pair of inputs is not easy.
It is of course possible, but not easy.
HASH FUNCTIONS
h y
x1
101011101011001…0010110100101
x2
1100101001011001…110010100110
101110101001000110111100010101

Minor input-mismatch to major output-mismatch.
HASH FUNCTIONS
h
y1
x1
101011101011001…0010110100101 101110101001000110111100010101
x2
101010101011001…0010110100101 y2 110010100101100100110010100110

Merkle-Damgard Construction
Example : SHA 256 — used in Bitcoin
CONSTRUCTIONS
f
m1
IV f
m2
f
mn
h

Sponge Construction
Example : SHA 3 — used in Ethereum
CONSTRUCTIONS
f
m1
f
m2
f
mn
f
h1
c
r

Provably secure scheme for Commitment
Random nonce r must have a high min-entropy for this scheme to be secure.
APPLICATIONS
h y
x
r
commit(x) :
c = h(r || x)
verify(c,r,x) :
h(r || x) == c

Provably secure scheme for tamper-detection
APPLICATIONS
h y
x
record(x) :
c = h(x)
verify(c,x) :
h(x) == c

Tamper-evident data pointer = Hash Pointer
Hash Pointer
DATA STRUCTURES
h hash(data)
data
addr(data)

Tamper-evident linked data structure = Block
DATA STRUCTURES
h
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp

Tamper-evident linked-list = Blockchain
DATA STRUCTURES
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp

Tamper-evident linked-list = Blockchain
DATA STRUCTURES
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp

Tamper-evident binary-tree = MerkleTree
DATA STRUCTURES
Node
HP(left)
data
timestamp
HP(right)
Node
HP(left)
data
timestamp
HP(right)
Node
HP(left)
data
timestamp
HP(right)
Node
HP(left)
data
timestamp
HP(right)
Node
HP(left)
data
timestamp
HP(right)
HP(root)

DATA STRUCTURES
Properties Blockchain Merkle Tree Merkle Trie
Size of Commitment O(1) O(1) O(1)
Append a Block/Node O(1) O(log n) O(k)
Update a Block/Node O(n) O(log n) O(k)
Proof of Membership O(n) O(log n) O(k)
Structural Abstraction List of Objects Set of Objects Set of (key, value)
Used for Construction Bitcoin Bitcoin Ethereum

QUESTIONS
Can any pointer-based data structure
be efficiently converted into a
Hash-Pointer based data structure?
Will such an exercise be at all useful in any use case?
Do these structures provide any additional advantage?

Component 2 : Digital Signature Schemes

Digital signature as a set of three algorithms
DIGITAL SIGNATURE
s = sign(sk,m) verify(pk,m,s)
pk
sk
?
keygen(n)
1
2 3

(sk, pk) = keygen(n) verify(pk,m,sign(sk,m)) = True
DIGITAL SIGNATURE
pk
sk
?
keygen(n)

Given pk and access to sign(mi) as an oracle, an adversary should
not be able to create a valid fresh message-signature pair (m,s)
DIGITAL SIGNATURE
pk
sk
?
keygen(n)

Elliptic Curve Digital Signature Algorithm (ECDSA)
ECDSA on curve E(Fp) : { (x,y) in Fp x Fp | y2 = x3 + 7 }
with base prime p = 2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1
CONSTRUCTION
Fp
Q

Elliptic Curve group of size |E(Fp)| = q ~ p ~ 2256
ECDSA on curve E(Fp) : { (x,y) in Fp x Fp | y2 = x3 + 7 }
with base prime p = 2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1
CONSTRUCTION
Parameters Format Range Bit-size
sk random Zq 256
pk sk x G E(Fp) 512
m hash(M) Zq 256
Signature (r, s) Zq x Zq 512

Publish the public key pk as your Identity
Use the secret key sk to prove your identity
APPLICATION
pk
sk
sk
verify(pk,m,sign(sk,m))
sk
?

BITCOIN
Blockchain in Practice

BITCOIN
Ledger of Transactions
between
Pseudonymous Identities
Semi-Decentralised Publicly-Verifiable
Tamper-Resistant Eventually-Consistent

Economic Transaction
that we are familiar with
NOT BITCOIN
Tx

NOT BITCOIN
Tx
Centralised Account-based Ledger

NOT BITCOIN
Tx
Decentralised Account-based Ledger

Tx
NOT BITCOIN YET
Tx
Decentralised Transaction-based Ledger
Tx Tx Tx Tx Tx
Tx

TRANSACTION
Tx
Network verifies the Signature
Tx
Signed by

TRANSACTION
Tx
Network verifies the Signature
Tx
Signed by
pk
sk
pk

Input :Array of previousTransactions | Output :Array of recipient Addresses
R1
TRANSACTION
Tx
Tx
pk2
sk1
Tx
pk1
Tx
pk3
sk2 sk3
pk
R2
pk
R3
pk
Sender(s)
Recipient(s)
Network verifies the Signature(s)

Input :Array of previousTransactions | Output :Array of recipient Addresses
R1
TRANSACTION
Tx
pk2
sk1
Tx
pk1
Tx
pk3
sk2 sk3
pk
R2
pk
R3
pk
Tx
Recipients
Signatures
Input
Transactions
Network verifies the Signature(s)

TRANSACTION Metadata
Input(s)
Output(s)
Data obtained from blockchain.info

LEDGER
Tx
Decentralised Transaction-based Ledger
Tx Tx Tx
Tx Tx Tx Tx
Tx Tx Tx Tx
Tx Tx Tx Tx Tx Tx Tx Tx

BLOCK

BITCOIN
Tx
Tx
Tx
Tx
Mining
Transaction

MINING
Tx
Tx
Tx
Tx
Computational
Lottery (Puzzle)
Transaction
Winner writes
the next block
Existing blocks
at a given time
Find r such that
hash(r || m) < C

MINING

BITCOIN
Framework — Decentralised peer-to-peer collaborative network
Goal : All peers should agree on a sequence of transactions

BITCOIN
Publicly-Verifiable
as the complete ledger and the hash function is public

BITCOIN
Tamper-Evident / Tamper-Resistant
as the ledger is connected through a chain of hash pointers
X X X
X
X X X

BITCOIN
Eventually-Consistent
as the longest chain eventually sustains as the main chain

BITCOIN

BITCOIN
Semi-Decentralised
as the mining is dominated by computational power

Robin Yao (BW), Wang Chun (F2Pool), Marshall Long (FinalHash), Pan Zhibiao (Bitmain)
Liu Xiang Fu (Avalon), Sam Cole (KnCMiner) and Alex Petrov (BitFury)

BITCOIN
Semi-Decentralised Publicly-Verifiable
Tamper-Resistant Eventually-Consistent

ECONOMICS
The success story of Bitcoin

SECURITY
The threat from Bitcoin

BITCOIN
Transactions : Completely transparent and public
Identities : Opaque and pseudonymous addresses
~ 170 Million bitcoin addresses
~ 150 Million bitcoin transactions
~ 80 GB of compressed raw data
~ 80% of transactions have < 2 inputs
~ 90% of transactions have < 3 outputs

BITCOIN
Anyone can create arbitrarily many identities
All identities “look” the same on the network
Provides “anonymity” of Bitcoin transactions.

Dark Marketplaces to buy-and-sell Drugs

Dark Marketplaces to buy-and-sell Guns and Fake ID

BITCOIN
Anyone can create arbitrarily many identities
All identities “look” the same on the network
Is it still possible to trace transactions and identities?

DE-ANONYMIZATION
Potential solution to the threat from Anonymity

R1
TRANSACTION
Tx
R2
Rm
S1
S2
Sn

EXAMPLE #1
Tx R1
S1
1FLa9NcXJPA2XvF34LRuB4zbXX4Ws32dpL 18rdKmjrg1EawxgiVT3ikLExj6GWS2MNCk
Note : Single recipient with an exact match of input to output — highly unlikely.

R1
EXAMPLE #2
Tx
R2
S1
1Ao6mKMEXxCVNVAuGjfLXZ3Zf43hd3yAEq
16pDB5bvoqRGvoH32GaJLfsEcaMc2T9xDr
1H3bY2Cv1pmn8ffTdyeRvZAUjNJC1giQHm
Note : Nice complete denomination along with a random change.

R1
EXAMPLE #3
Tx
R2
S1
1PXzMrz8KBNEkTt3Wnuqy4axiWszbyQKyE
1AASWBCGveXH6H5yTCZW2x7uZrawDiqp4U
19onWuLmjXGVfc7oUAEVuy9Yd3jxqhsUbK
Note : 0.01121504 BTC = 6.50 USD at the time of transaction.

EXAMPLE #4
Tx R1
S1
19SZcQ2CzJacQZE9rYwQjsfcBKMWDNwBWD
1PLjv1VzGEKxtM2FnRzg2FmDjen9trUBrh
Note :Two arbitrary inputs exactly match up to a desired output — highly unlikely.
S2
13Zjnzx8VxtLUEiYcrVXKp5sLucLMvBqaG

R1
EXAMPLE #5
Tx
R2
S1
1Djvb34FNpNXtrbbjaQeERZf68cyUdWyzd
1Nq612zwhEZDBNz2AeWKZxD6LvwiLm6cQU
1AffmSG4tcNRjcgTWTnS6TM3cWPeeA9EVd
Note :Two input transactions coupled for a payment plus some random change.
S2
17atn5sagYRBUvzgFLd9bUjWF4yStkdokW
6.13 USD
6.03 USD
4.10 USD
7.95 USD

CLUSTERING
1FLa9NcXJPA2XvF34LRuB4zbXX4Ws32dpL
18rdKmjrg1EawxgiVT3ikLExj6GWS2MNCk
1Ao6mKMEXxCVNVAuGjfLXZ3Zf43hd3yAEq 16pDB5bvoqRGvoH32GaJLfsEcaMc2T9xDr

IDENTIFICATION
1FLa9NcXJPA2XvF34LRuB4zbXX4Ws32dpL
18rdKmjrg1EawxgiVT3ikLExj6GWS2MNCk
1Ao6mKMEXxCVNVAuGjfLXZ3Zf43hd3yAEq 16pDB5bvoqRGvoH32GaJLfsEcaMc2T9xDr

CLUSTERING
The Unreasonable Effectiveness of Address Clustering — Harrigan and Fretter, May 2016

DE-ANONYMIZATION
Passive :Analytics on 80 GB of Bitcoin blockchain data
— Clustering of Bitcoin Addresses with suitable definition of Metrics
— Identification of the Clusters using known and/or leaked Addresses
Active : Injecting and tracking marked Bitcoin transactions
— Registering on Dark Marketplaces, Exchanges, and Mining Pools
— Using Addresses leaked from all these sources for Identification
Elliptic (https://www.elliptic.co/) does something similar in the UK.
We should try to build our own tool for de-anonymization.

BLOCKCHAIN
Versatile Toolkit for Protocols

BITCOIN SCRIPT

POTENTIAL
With a powerful Scripting Language

Developing “Smart Contracts” on Blockchain

Ethereum
Smart Contracts
Proof of Space
Retricoin Namecoin
Proof of Retrievability
Proof of Stake
Proof of Commitment
Bitcoin-NG
Perma-Coin
RSCoin
SpaceMint
GHOST
ZeroCoin
Zcash
Smart Properties
Proof of Existence
ADePT
Ripple
BitShares
Factom
BigchainDB
OneName
OpenBazaar
BitGold
BitNation
BitHealth

Thank you for listening!
“Bitcoin is an idea with disruptive ramifications.”

Bitcoin.pdf

More Related Content

Similar to Bitcoin.pdf (20)

Recently uploaded (20)

Bitcoin.pdf