7. Triple entry bookkeeping (or enter the middleman)
• Alice is hungry
• Alice could eat a pig
• Bob gives Alice a pig and creates an IOU transaction receipt
• Alice owes Bob one pig
• To provide trust, Alice and Bob use Fred to notarise the transaction
• 3 copies of a transaction receipt, one for each party
From: Alice
To: Bob
Time: 12 Mar 2013
For: One pig
Signatories:
Alice
Fred Flintstone
Bob
16. Never trust the middleman
Bob loses his receipt.
Fred colludes with Alice and claims Bob is mistaken: no pig was provided...
Bob is mad.
Is there a way to get rid of the middleman and still provide trust?
9. Maybe... let's take advantage of public key cryptography
Public key: 28wOoK6Nq9bDExK…
Private key: 9xl/K0veBBMtZ…
Public key: kL5SwAT6A3U7LAjd…
Private key: yaqmH9Z+nKD…
10. Story time! Public-key cryptography
Once upon a time there was encryption and decryption with a shared key. Anyone who knew the key, and how to use it, could both encrypt and decrypt. This is called symmetric encryption.
[Figure: a Caesar shift as the simplest symmetric cipher. Move each character n places along the alphabet; the key is n, here n = 2. Knowing n lets you shift forwards (encrypt) or backwards (decrypt).]
Then some smart people had an idea. They realised they could create an approach that involved two different keys. One key is purposely kept private, the other is given to the other party (or often to the public). What one key of the pair does, only the other can undo: encrypt with the public key and only the private key can decrypt, which gives confidentiality; apply the private key and anyone holding the public key can check the result, which gives a signature. This is called asymmetric encryption. (Strictly, "encrypt with the private key" is the textbook-RSA picture; real signature schemes hash the message and add padding first, but the intuition is the same.)
[Figure: some text goes into the asymmetric algorithm under one key of the pair and comes back out under the other; private key on one side, public key on the other.]
There are many asymmetric algorithms. RSA is one of the most common.
11. This is how…
1. Alice and Bob each generate a public-private key pair, eg RSA
2. Alice signs the plain text of the transaction receipt with her private key (in the textbook-RSA picture, she encrypts it with her private key)
3. Alice prepends her name to the signed receipt (so we know which public key to use when many people are involved)
4. Alice and Bob (and any other members of the network) store the result
12. Which means…
We've created a record of the transaction that we know can only have been generated by whoever holds Alice's private key.
Anyone with Alice's public key can check it, so the transaction record is visible to, and verifiable by, all.
13. The balance of what is owed at a point in time is the sum of all signed transaction receipts.
From: Alice  To: Bob  Time: 12 Mar 2013  What: One pig  Signature: AT6A3U7LAjd…
From: Alice  To: Bob  Time: 15 Apr 2014  What: Two pigs  Signature: B7F8U7LA92C…
From: Bob  To: Alice  Time: 2 Dec 2015  What: One pig  Signature: 87AB2D9A1d…
Alice owes Bob one pig
14. Bartering is painful, let’s introduce money
• Bob is hot and dry so Alice provides two melons, how many melons to a pig?
• We introduce a currency reflecting value
• Add it to the transaction records to enable summation
15. From: Alice  To: Bob  Time: 12 Mar 2013  What: One pig  Value: $100  Signature: BT6A3U7LAjd…
From: Alice  To: Bob  Time: 15 Apr 2014  What: Two pigs  Value: $200  Signature: C7F8U7LA92C…
From: Bob  To: Alice  Time: 2 Dec 2015  What: One pig  Value: $100  Signature: 27AB2D9A1d…
From: Bob  To: Alice  Time: 2 Dec 2015  What: Two melons  Value: $50  Signature: BDA32E9ACd…
Alice owes Bob $150 (100 + 200 - 100 - 50)
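As an added example (not code from the deck), here are slides 11 to 15 in Go: each receipt is signed by the debtor named in its From field, anyone can verify it against that party's public key, and the balance is the sum of the receipts that verify. Real signature schemes sign a hash of the message with padding rather than "encrypting with the private key", so this uses RSA-PSS over SHA-256. The canonical field order, the 2048-bit key size and the tampered copy of the first receipt are assumptions made for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Receipt is one IOU in the form the slides use; Value is whole dollars.
// Signature is an RSA-PSS signature by the debtor named in From over the
// SHA-256 digest of the canonical text (assumed layout for this example).
type Receipt struct {
	From, To, Time, What string
	Value                int
	Signature            []byte
}

// canonical fixes the byte string that is signed, so a reordered or
// edited field changes the digest and invalidates the signature.
func (r Receipt) canonical() []byte {
	return []byte(fmt.Sprintf("From:%s|To:%s|Time:%s|What:%s|Value:%d",
		r.From, r.To, r.Time, r.What, r.Value))
}

func sign(priv *rsa.PrivateKey, r *Receipt) error {
	digest := sha256.Sum256(r.canonical())
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return err
	}
	r.Signature = sig
	return nil
}

// verify looks up the public key of the party named in From (the slides'
// "prepend her name" step) and checks the signature with it.
func verify(keys map[string]*rsa.PublicKey, r Receipt) bool {
	pub, ok := keys[r.From]
	if !ok {
		return false
	}
	digest := sha256.Sum256(r.canonical())
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], r.Signature, nil) == nil
}

// netOwed sums verified receipts between a and b: positive means a owes b.
// Receipts whose signature does not verify are counted and ignored.
func netOwed(keys map[string]*rsa.PublicKey, ledger []Receipt, a, b string) (owed, rejected int) {
	for _, r := range ledger {
		if !verify(keys, r) {
			rejected++
			continue
		}
		switch {
		case r.From == a && r.To == b:
			owed += r.Value
		case r.From == b && r.To == a:
			owed -= r.Value
		}
	}
	return owed, rejected
}

// demoLedger rebuilds the slide-15 ledger with fresh keys, appends one
// tampered copy, and returns Alice's net debt to Bob plus the reject count.
func demoLedger() (owed, rejected int, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, 0, err
	}
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, 0, err
	}
	keys := map[string]*rsa.PublicKey{"Alice": &alice.PublicKey, "Bob": &bob.PublicKey}
	privs := map[string]*rsa.PrivateKey{"Alice": alice, "Bob": bob}

	ledger := []Receipt{ // the four receipts from slide 15
		{From: "Alice", To: "Bob", Time: "12 Mar 2013", What: "One pig", Value: 100},
		{From: "Alice", To: "Bob", Time: "15 Apr 2014", What: "Two pigs", Value: 200},
		{From: "Bob", To: "Alice", Time: "2 Dec 2015", What: "One pig", Value: 100},
		{From: "Bob", To: "Alice", Time: "2 Dec 2015", What: "Two melons", Value: 50},
	}
	for i := range ledger {
		if err := sign(privs[ledger[i].From], &ledger[i]); err != nil {
			return 0, 0, err
		}
	}
	// Constructed attack: Bob copies receipt 0 and bumps the value.
	// The old signature no longer matches the new digest, so it is rejected.
	forged := ledger[0]
	forged.Value = 1000
	ledger = append(ledger, forged)

	owed, rejected = netOwed(keys, ledger, "Alice", "Bob")
	return owed, rejected, nil
}

func main() {
	owed, rejected, err := demoLedger()
	if err != nil {
		panic(err)
	}
	fmt.Printf("Alice owes Bob $%d (%d receipt(s) rejected)\n", owed, rejected)
}
```

Note that the signature only proves "someone holding Alice's private key signed this"; nothing here ties that key to a person, which is the "not really identity" point the deck returns to at the end.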
17. • Bob likes John's hat
• John says it's $200
• Bob reckons: why not transfer his $200 IOU from Alice to John?
From: Alice  To: Bob  Time: 12 Mar 2013  What: One pig  Value: $100
From: Alice  To: Bob  Time: 15 Apr 2014  What: Two pigs  Value: $200
From: Bob  To: Alice  Time: 2 Dec 2015  What: One pig  Value: $100
From: Bob  To: Alice  Time: 2 Dec 2015  What: Two melons  Value: $50
From: Bob  To: John  Time: 2 Dec 2015  What: V1jZUy…  Value: $200
The What field of the last record is the SHA256 hash calculated over the $200 IOU transaction being passed on, "V1jZUyLvPOxzZvKpuUwTCNzGmovoxHRzJ76FGXMN3JY=". It identifies that receipt; it is a hash rather than a signature, so anyone can recompute it from the referenced record.
18. Story time! SHA256 - what's that?
Once upon a time someone figured out that it was possible to calculate a short identifier for any given input. It's like a unique fingerprint for the input (in reality it's not guaranteed to be unique, since infinitely many inputs map onto 256 bits, but finding two inputs with the same output is designed to be infeasible, so for all intents and purposes it is). It's called a hash because in the process the algorithm is effectively doing a lot of chopping and mixing.
There are lots of algorithms to do this task but some are better than others. SHA-256 is the 256-bit member of the SHA-2 family, designed by the NSA. The letters stand for Secure Hash Algorithm 2.
If you have a hash value it's not at all easy to obtain the input, and even small changes to the input have large consequences on the output (the avalanche effect).
Don't confuse it with encryption: there's no key, and for any given input you always get the same output.
SHA256("Some text") = JDdigoW2OuYy8CkQV10XmyLnNnvD42tAta25RmOiIqI=
SHA256("Some text1") = 12E+SmrYMSTj6vlh51UdVDWgJQNGz35AOvesa2z3yAo=
19. Recap
• No middleman
• The summation of signed transaction receipts gives the outstanding balance position across all parties
• Including value transfer between parties
21. Problem - double spending
If members fail to update their personal transaction registers quickly enough, then a malicious member can replicate transaction records and spend the same value more than once.
From: Alice  To: Bob  Time: 12 Mar 2013  What: One pig  Value: $100
From: Alice  To: Bob  Time: 15 Apr 2014  What: Two pigs  Value: $200
From: Bob  To: Alice  Time: 2 Dec 2015  What: One pig  Value: $100
From: Bob  To: Alice  Time: 2 Dec 2015  What: Two melons  Value: $50
From: Bob  To: John  Time: 2 Dec 2015  What: V1jZUy…  Value: $200
(What is the SHA256 hash of the referenced $200 IOU transaction, "V1jZUyLvPOxzZvKpuUwTCNzGmovoxHRzJ76FGXMN3JY=")
From: Bad Guy  To: John  Time: 2 Dec 2015  What: V1jZUy…  Value: $200
From: Bad Guy  To: John  Time: 2 Dec 2015  What: V1jZUy…  Value: $200
Both Bad Guy records reference the same IOU that Bob has already passed on. This will become obvious in time, but by then the damage is done.
Question is: how do we ensure an action such as the creation of a transaction record is valid?
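The hash reference from slide 17 and the double spend from slide 21, as an added example in Go (not part of the deck). A transfer names the IOU it passes on by that IOU's SHA-256 ID, and a register only accepts the transfer if it knows the IOU, the sender currently holds it, and it has not already been seen spent. The register rules and the field layout are assumptions; the point is that two members with stale registers each accept a conflicting spend, while a single ordered view rejects the second one. That gap is what consensus has to close.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Tx is one transaction record. Ref is empty for a fresh IOU; for a transfer
// it carries the ID of the IOU being passed on, which is what the
// "What: V1jZUy..." field on slides 17 and 21 holds.
type Tx struct {
	From, To, Time, Ref string
	Value               int
}

// ID is the SHA-256 of the canonical record, base64 encoded as on the slides.
func (t Tx) ID() string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("From:%s|To:%s|Time:%s|Ref:%s|Value:%d",
		t.From, t.To, t.Time, t.Ref, t.Value)))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Register is one member's personal copy of the transaction records.
type Register struct {
	byID  map[string]Tx
	spent map[string]string // IOU ID -> ID of the transfer that spent it
}

func NewRegister() *Register {
	return &Register{byID: map[string]Tx{}, spent: map[string]string{}}
}

// Apply accepts a fresh IOU, or a transfer of an IOU that this register knows,
// that is currently held by the sender, and that it has not yet seen spent.
func (r *Register) Apply(t Tx) error {
	id := t.ID()
	if _, dup := r.byID[id]; dup {
		return fmt.Errorf("%.6s: duplicate record", id)
	}
	if t.Ref != "" {
		prev, ok := r.byID[t.Ref]
		switch {
		case !ok:
			return fmt.Errorf("%.6s: references unknown IOU %.6s", id, t.Ref)
		case prev.To != t.From:
			return fmt.Errorf("%.6s: %s does not hold IOU %.6s", id, t.From, t.Ref)
		case prev.Value != t.Value:
			return fmt.Errorf("%.6s: value %d does not match IOU value %d", id, t.Value, prev.Value)
		}
		if by, done := r.spent[t.Ref]; done {
			return fmt.Errorf("%.6s: IOU %.6s already spent by %.6s", id, t.Ref, by)
		}
		r.spent[t.Ref] = id
	}
	r.byID[id] = t
	return nil
}

// demoDoubleSpend plays out slide 21 with constructed records. Bob holds a
// $200 IOU from Alice and tries to pass it to both John and Mickey; Bad Guy
// tries to pass it on too. John's and Mickey's registers each see only
// "their" transfer; the shared register sees the records in order. Each
// result is whether that register accepted the transfer it was shown.
func demoDoubleSpend() (john, mickey, sharedSecond, impostor bool) {
	iou := Tx{From: "Alice", To: "Bob", Time: "15 Apr 2014", Value: 200}
	toJohn := Tx{From: "Bob", To: "John", Time: "2 Dec 2015", Ref: iou.ID(), Value: 200}
	toMickey := Tx{From: "Bob", To: "Mickey", Time: "2 Dec 2015", Ref: iou.ID(), Value: 200}
	badGuy := Tx{From: "Bad Guy", To: "John", Time: "2 Dec 2015", Ref: iou.ID(), Value: 200}

	johnsReg, mickeysReg, shared := NewRegister(), NewRegister(), NewRegister()
	for _, reg := range []*Register{johnsReg, mickeysReg, shared} {
		_ = reg.Apply(iou) // everyone has the original IOU on record
	}
	john = johnsReg.Apply(toJohn) == nil       // stale view: accepted
	mickey = mickeysReg.Apply(toMickey) == nil // stale view: also accepted
	_ = shared.Apply(toJohn)
	sharedSecond = shared.Apply(toMickey) == nil // ordered view: rejected
	impostor = shared.Apply(badGuy) == nil       // Bad Guy never held the IOU: rejected
	return
}

func main() {
	john, mickey, second, impostor := demoDoubleSpend()
	fmt.Printf("John accepts: %v, Mickey accepts: %v, shared register accepts second spend: %v, impostor: %v\n",
		john, mickey, second, impostor)
}
```

Checking the holder and the spent set is exactly what a single authority could do cheaply; without one, every member has to agree on the order the transfers arrived in, which is the problem the next slides take up.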
22. We need some way to get transaction integrity
How about 2-phase commit? Nope – grinds to a halt when scaling.
A 3rd-party in the path? Nope – then we've failed!
How about distributed consensus with member voting, eg "Paxos"?
Story time! Paxos was created by Leslie Lamport and named after a fictional parliament on the Greek island of Paxos.
Paxos comes in several versions, but the idea is that a proposal goes through two phases (prepare, then accept), and once a majority quorum has accepted a value every correct member eventually learns that same value, so the members agree even though some may lag or fail.
Good start, but more required…
23. Consensus voting has a weakness: fake identities
• Distributed networks with voting systems are susceptible to the creation of fake identities
• Fake identities can subvert the vote.
• This is called a Sybil attack, after the title of a book about a woman with dissociative identity disorder.
• When the fake identities are human-operated accounts we talk about sockpuppets
Somehow we need to make the creation of identities hard enough that it's not worth it
24. Proof of work: a cost to create identity & vote
At the moment our network suffers because
1. it's easy to create public-private key pairs, and
2. it's easy to sign a value transaction.
What's something hard? We're talking computers here so it has to be computationally hard…
How about the reverse of a hashing operation?
SHA256("Some simple text") -> "AX+dClQgll/3QNCXacNn3q0O4lv2SKrjQ5C8vLMUcC0="
Going in reverse there is no shortcut: you have to brute force candidate inputs until one hashes to the target. For an arbitrary 256-bit output that is infeasible, but we can loosen the target until it is merely expensive.
25. We can make this much harder though…
Look for a hash outcome that has some arbitrary substring, eg "00", at the beginning.
SHA256("I vote for Bob") -> "wn8iR1xcp4JLpHC1WLkXSDS+wtNeF5TYCthCycGw1+c="
Fail, so let's modify the input in some way (append a counter, the "nonce")...
SHA256("I vote for Bob - 2") -> "O1ODEfjRTAgsbMuRSUnMPD84nAExphQ0zqQTpD3Omr8="
Fail again, keep going…
open System
open System.Security.Cryptography
open System.Text

// F# script: hash 10,001 pseudo-random integers with SHA-256 and keep the ones
// whose base64 output starts with "00". Each base64 character is one of 64
// values, so a two-character prefix matches about 1 input in 4,096.
let hasher = SHA256.Create()
let bytesHash' (s: string) = hasher.ComputeHash(UnicodeEncoding().GetBytes(s))
let r = Random()
// 10,001 candidate inputs (the "nonces"), spread out by a random multiplier
let rs = [0..10000] |> List.map (fun i -> i * r.Next(0, 1000))
let hashes = rs |> List.map (fun i -> Convert.ToBase64String(bytesHash' (string i)))
// the survivors are the inputs that satisfy the "00" proof of work
hashes |> List.filter (fun h -> h.StartsWith("00"))
… I typically get 2 to 4 hashes that work in 10,001 random choices (1 in 4,096 would be about 2.4).
The more 0's you demand at the beginning, the harder the work: each extra character multiplies the expected number of attempts by 64. (Bitcoin compares the hash as a number against a target rather than matching a character prefix, but the idea is the same.)
The idea is to make this expensive for the member generating the vote.
26. Important point: the time taken to do a proof of work varies widely
[Figure: likelihood of solving plotted against time taken to solve, with a long tail to the right.]
Sometimes a node will calculate the proof of work quickly, other times very slowly: every attempt is an independent try with the same small chance of success, so the number of attempts has no memory and a wide spread. When many nodes try to calculate the result simultaneously, the time until the first of them succeeds tends towards smaller values. (In BitCoin's case it's about 10 mins for the network as a whole; an individual node's expected time is that 10 mins divided by its share of the total hash rate, so a small miner waits far longer.)
Because the expected interval is so much longer than the time it takes a solution to propagate, we don't normally get two solutions found at the same time.
28. Recap
1. To stop malicious members double spending we needed better
transaction integrity but without the downsides of a 3rd party or full
2 phase commit – majority consensus seems a reasonable idea.
2. But consensus voting is susceptible to the creation of fake identities
3. It looks like we might have a way to make the vote signing process
sufficiently expensive to perform that we can stop members trying
to manipulate the consensus mechanism.
29. Let's explore that proof of work cost aspect a bit more
• Let's say we have a network of 1000 participants
• Alice transfers some value to Bob, let's say $1
• We can set the computing cost (energy, hardware etc) to create a transaction by making the proof of work harder or easier
Bob now has a choice:
1. Trust that Alice won't double spend, or
2. Ask some number of the network participants to verify the transaction
If Bob asks for verification, then what's a good number of the total network to ask? 10, 100, 500, everyone?
30. Story time! Proof of work has an interesting history. The idea didn't start with block chains or BitCoin. It came up in the 1990s (Dwork and Naor's "pricing via processing" in 1992, and Adam Back's Hashcash in 1997) as a way to hinder unwanted behaviour in electronic systems, the classic examples being email spam and denial of service.
Denial of service disrupts a service by intentionally flooding it with requests. But what if we made the attacker's effort sufficiently large that it was no longer worth it? What if the task of making a request was computationally tough? The system offering the service could then ignore any request that doesn't come with a valid proof of work.
Proof of work in the case of BitCoin is large, which has led to the creation of dedicated, energy-efficient BitCoin mining hardware (ASICs). Estimates for the electricity required to generate 1 BitCoin vary greatly depending upon the type of hardware used (home PC versus laptop versus Raspberry Pi versus dedicated ASIC).
BitCoin also adjusts the proof of work difficulty over time. It's calibrated so that on average the proof of work completes in about 10 mins across the whole of the network. With so much hashing power on the BitCoin network, an individual node on its own would usually take a very long time to finish a proof of work.
1 BitCoin @ 5 Feb 2016 = $NZD 577
31. Let's calculate a cost to be a criminal
Number of fake verifications (aka "I vote for Alice") from fake identities, against the proof of work cost of a single verification:

Fake verifications | Cost $0.001 each | Cost $0.01 each | Cost $0.1 each
10                 | $0.01            | $0.1            | $1
100                | $0.1             | $1              | $10
500                | $0.5             | $5              | $50

For a $1 trade there are two options that look attractive, particularly one of them.
32. Whoa! Hold it there. Cost to be a crim? Isn’t it
also the cost to do business?
If every transaction is going to involve proof of work to verify and it
equals or exceeds the value of the transaction, then what’s the point?
And just thinking about this – surely, Bob has to pay something for the effort to request verifications?
33. Let's add an incentive, and make it more efficient
Transaction Fees
• Let's give network members some recompense for transaction verification
• And, let's make it efficient by pooling transactions into blocks
Blocks of transactions linked together ... doh, I get it: Block Chain!
Block ID: 3a4cb…  Previous Block ID: 178dfe…  Verified by: Fred  Date: 21 Feb 2016
From: Alice  To: Bob  What: 1 Pig, $100  Fee: $0.1
From: Mickey  To: Alice  What: 2 Pigs, $220  Fee: $0.15
From: Bob  To: Mickey  What: 3 Cheeses, $50  Fee: $0.05
To: Fred  What: transaction fees, value $0.3 (the sum of the three fees)
34. Block verification
1. Participants generate transactions and announce them to the network for verification
2. Members like Fred aggregate unconfirmed transactions and, once the total transaction fees are large enough:
a. Add a transaction paying the fees to themselves to the block
b. Make the effort to verify that the transactions are valid and not double spends
c. Do the proof of work challenge to generate a block hash
3. Send the block into the network to distribute to everyone else
35. What happens when Barney and Fred both choose to verify a block?
Block ID: 3a4cb…  Previous Block ID: 178dfe…  Verified by: Fred  Date: 21 Feb 2016 09:56
From: Alice  To: Bob  What: 1 Pig, $100  Fee: $0.1
From: Mickey  To: Alice  What: 2 Pigs, $220  Fee: $0.15
From: Bob  To: Mickey  What: 3 Cheeses, $50  Fee: $0.05
To: Fred  What: transaction fees, value $0.3
Block ID: 581b2…  Previous Block ID: 178dfe…  Verified by: Barney  Date: 21 Feb 2016 16:21
From: Alice  To: Bob  What: 1 Pig, $100  Fee: $0.1
From: Mickey  To: Alice  What: 2 Pigs, $220  Fee: $0.15
From: Bob  To: Mickey  What: 3 Cheeses, $50  Fee: $0.05
To: Barney  What: transaction fees, value $0.3
Both blocks extend the same previous block with the same transactions; only the fee recipient differs. We've created an incentive to compete: the first to complete gets the benefit. Someone will always be ahead, and Fred gets in first this time.
36. What if two blocks get submitted to the network at nearly the same time?
Unlikely, but it could happen.
We can't use timestamps to break the tie because they can be maliciously altered.
[Figure: Block A and Block B both extend the same block at about the same time. Barney sees Block A first, Fred sees Block B first.]
1. Barney's node sees Block A first so it starts to build a new block on top of Block A from unprocessed transactions.
2. Fred's node sees Block B first so it starts to build a new block on top of Block B from unprocessed transactions.
3. Block chains have a rule that you immediately switch to the longest chain available (BitCoin picks the chain with the most accumulated proof of work, which at a constant difficulty is the longest one).
4. If Barney gets to publish his new block first, then Fred's node will discard Block B, adopt Block A and race to build a new block on top of it. Transactions that were only in Block B go back into the unprocessed pool.
It's rare for blocks to be solved and sent into the network near simultaneously, so the network rapidly stabilizes.
37. Consequences are funky.
Solution: only follow the longest chain of blocks.
Blocks fundamentally can't ever be considered final: you might not yet have received all the generated blocks, and a longer chain could still arrive. That means transactions are also never strictly final!
But it turns out that the odds of a confirmed transaction being reversed decrease dramatically as further blocks are built on top of it.
38. BitCoin as an example
Full BitCoin clients need to validate transactions and blocks right back to the beginning of BitCoin. It takes a while: on a laptop, about two days' worth of work…
39. What if I'm trying to subvert the network?
To create fraudulent transactions I need to create fraudulent blocks. To modify a past block I would have to redo the proof of work on that block, and then on all following blocks, because each block's ID is computed over the previous block's ID.
But this is a really tall order: the probability of an attacker catching up diminishes exponentially as blocks are added, as long as the honest participants hold the majority of the hashing power.
[Figure: the honest chain keeps growing block by block over time while the attacker's replacement chain starts from the modified block and has to overtake it.]
The computing cost is just too hard for one attacker versus many honest participants.
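An added Go example (not the deck's code) covering slides 33 to 36 and 39: every block carries the previous block's ID and a proof-of-work nonce, ValidChain checks both, and Choose follows the longest valid chain. The four-hex-zero difficulty, the block fields and the transaction strings are assumptions for the demonstration. It mines the Fred/Barney fork, lets Barney's chain pull ahead, then edits a transaction in one of Barney's past blocks without redoing the proof of work and shows that the chain from that block onward is rejected, so the honest but shorter chain wins.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Block is a batch of transaction lines plus the ID of the block it extends,
// the member who verified it (and collects the fees) and the proof-of-work nonce.
type Block struct {
	PrevID, VerifiedBy string
	Txs                []string
	Nonce              uint64
}

// ID hashes everything in the block, PrevID included, so editing any earlier
// block changes the ID of every block after it.
func (b Block) ID() string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%d",
		b.PrevID, b.VerifiedBy, strings.Join(b.Txs, ";"), b.Nonce)))
	return hex.EncodeToString(sum[:])
}

// Difficulty is how many leading hex zeros a block ID must have (assumed
// value for this demo). Each extra zero multiplies the expected attempts by 16.
const Difficulty = 4

// Valid checks the proof of work.
func (b Block) Valid() bool {
	return strings.HasPrefix(b.ID(), strings.Repeat("0", Difficulty))
}

// Mine tries nonces from zero until the block's ID meets the target.
func Mine(b Block) Block {
	for b.Nonce = 0; !b.Valid(); b.Nonce++ {
	}
	return b
}

// ValidChain checks every block's proof of work and that each block's PrevID
// really is the ID of the block before it. chain[0] is the genesis block.
func ValidChain(chain []Block) bool {
	for i, b := range chain {
		if !b.Valid() {
			return false
		}
		if i > 0 && b.PrevID != chain[i-1].ID() {
			return false
		}
	}
	return true
}

// Choose applies the slide-36 rule: follow the longest valid chain. (BitCoin
// uses the chain with the most accumulated work; at fixed difficulty that is the same.)
func Choose(chains ...[]Block) []Block {
	var best []Block
	for _, c := range chains {
		if ValidChain(c) && len(c) > len(best) {
			best = c
		}
	}
	return best
}

// demoFork mines the slide-35 fork, lets Barney's chain pull ahead, then edits
// a transaction in Barney's first block without redoing its proof of work.
// Returns the chosen chain length before the edit, whether Barney's chain still
// validates after it, and the chosen chain length after.
func demoFork() (before int, tamperedValid bool, after int) {
	genesis := Mine(Block{VerifiedBy: "genesis", Txs: []string{"coinbase"}})

	// Fred and Barney both verify the same transactions on top of genesis.
	fred := Mine(Block{PrevID: genesis.ID(), VerifiedBy: "Fred",
		Txs: []string{"Alice->Bob 1 Pig $100 fee $0.1", "Mickey->Alice 2 Pigs $220 fee $0.15"}})
	barney := Mine(Block{PrevID: genesis.ID(), VerifiedBy: "Barney",
		Txs: []string{"Alice->Bob 1 Pig $100 fee $0.1", "Mickey->Alice 2 Pigs $220 fee $0.15"}})
	chainA := []Block{genesis, fred}
	chainB := []Block{genesis, barney}

	// Barney publishes the next block first, so everyone switches to chain B.
	chainB = append(chainB, Mine(Block{PrevID: barney.ID(), VerifiedBy: "Barney",
		Txs: []string{"Bob->Mickey 3 Cheeses $50 fee $0.05"}}))
	before = len(Choose(chainA, chainB))

	// Someone rewrites history in Barney's first block: its ID no longer meets
	// the target, and the block after it no longer points at it.
	chainB[1].Txs = []string{"Alice->Bob 1 Pig $1 fee $0.1", "Mickey->Alice 2 Pigs $220 fee $0.15"}
	tamperedValid = ValidChain(chainB)
	after = len(Choose(chainA, chainB)) // the shorter but honest chain A wins
	return
}

func main() {
	before, valid, after := demoFork()
	fmt.Printf("chosen length before tamper: %d, tampered chain valid: %v, chosen length after: %d\n",
		before, valid, after)
}
```

To make the edited chain win again, the attacker would have to re-mine block 1 and then block 2 on top of the new ID, and keep mining faster than everyone else extending chain A; the cost of a single Mine call here is a few tens of thousands of hashes, and in BitCoin it is the whole network's 10 minutes of work per block.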
40. Putting it all together
1. Transactional integrity is achieved with public-key signatures
• Non-repudiation and transaction integrity (no modification after creation)
• But not really identity: there's no certificate authority tying a key to a person, so a signer is only ever "whoever holds this private key"
2. Transactions exist in a peer-to-peer network
3. Transactions are aggregated into blocks
• Gives an efficient way to implement batched proof of work, paid for by transaction fees
• Simplifies management of transactions over time (the probability of correctness grows with each block built on top)
4. No middleman!
41. So is this BitCoin?
Mostly. We've created a chain of transactional blocks which we can use for a crypto-currency. BitCoin is a specific implementation tuned to have some interesting properties.
BitCoin has 1 MB blocks and the proof of work is much harder, roughly 13 0s on the front of the hash, which means an individual miner working alone could take a very long time to complete a proof of work; with a big network, BitCoin tunes the difficulty to achieve a 10 min average block generation time.
BitCoin is currently limited to about 7 txns/sec by the 1 MB block size. That's not very much for a retail payment system, and there are moves afoot to increase the block size and the number of transactions processed per mining operation.
Fees are effectively near 0 for a user. Compare/contrast with credit card or international transaction fees, which can be >3%. Costs of conventional payment brokers are high due to operational overhead, especially fraud. BitCoin has no chargebacks, so the payment system itself can't be defrauded by reversing a confirmed payment (fraud at exchanges and wallets is still possible).
BitCoin's smallest unit is 8 decimal places (0.00000001 BTC), so micropayments become especially attractive.
All you need is the software and a QR code.
43. So, what does it all mean?
http://www.wired.com/insights/2015/01/block-chain-2-0/
This is what I think:
learn this stuff…
Block chains
+
Smart contracts
+
Internet of Things
Peer to peer transactional networks free from
reconciliation or 3rd-party costs with smart contracts and
very large numbers of interacting devices are going to
become very important to our future lives.