http://bitcoin-class.org Introduction to Cryptocurrency University of Virginia cs4501 Fall 2015

1. Cryptocurrency Cabal
cs4501 Fall 2015
David Evans and Samee Zahur
University of Virginia
Class 7:
The
Blockchain

2. 1

3. Plan for Today
Trust
Distributed
Consensus
Proof-of-Work
Blockchain
2
Next Wednesday: Checkup 2
Classes through next Monday
Checkup 1, PS1
Readings:
Satoshi paper
Antonopoulos book: Ch 6 and
7
Princeton book: Ch 2 and 5

4. Where does trust come from?
3

5. 4
http://www.jdsurvey.net/jds/jdsurveyMaps.jsp

6. 5
Image credit:
https://howveryromanian.wordpress.com/2013/09/15/ba
Queuing for cooking oil (Bucharest, 1986)
Scott Edelman

7. 6Image: Queerbubbles CC BY-SA

8. 7

9. Sources of Trust
Yourself (super trustworthy!)
Mathematics and Science
Trustworthy because of logic, verified experiments
Organizations and People
Trustworthy because of what they have to lose (reputation)
Trustworthy because of trusted oversight (law, police)
Trustworthy because incentives are aligned
Trustworthy because of processes they follow
8

10. 9
Bitcoin’s solution: a public ledger
Trust in resources

11. Public Ledger
10
Node A Node B Node C
M = transfer X to Bob SignKRA
[H(M)]
Bob wants to verify:
1. Alice hasn’t already transferred X
2. The coin will be valuable for Bob

12. Public Ledger: Distributed Trust (?)
11
Node A Node B Node C
M = transfer X to Bob
Bob wants to verify:
1. Alice hasn’t already transferred X
2. The coin will be valuable for Bob
tb
tb
tb tb
SignKRA
[H(M)]

13. 12
Node A Node B Node C
M = transfer X to Bob
Bob wants to verify:
1. Alice hasn’t already transferred X
2. The coin will be valuable for Bob
tb
tb
tb tb
ok!
ok!
t
Transactions
1 tb (X->Bob)
Transactions
1 tb (X->Bob)
SignKRA
[H(M)]

14. 13
Node A Node B Node C
Bob wants to verify:
1. Alice hasn’t already transferred X
2. The coin will be valuable for Bob
tb
tb
tb tb
ok!
ok!
t
Transactions
1 tb (X->Bob)
Transactions
1 tb (X->Bob)

15. 14
Node A Node B Node C
M = transfer X to Cathy
tc
tc
tc tc
BAD!
t
Transactions
1 tb (X->Bob)
Transactions
1 tb (X->Bob)
Transactions
1 tc (X->Cathy)
SignKRA
[H(M)]

16. Scaling the Network
15
Node A Node B Node C
ta
tb
tb
Node D Node E Node F Node G

17. Blockchain
16
Public ledger without fixed set of nodes – decentralized, distributed trust
Requires coalition with majority of computing power to collude to cheat

18. Blockchain
17
B0
H(B0) Nonce
Transactions
H(B1) Nonce
Transactions
H(B2) Nonce
Transactions

19. Inconsistent Blockchains
18
Node A Node B Node C
Node D Node E Node F Node G
How do we know
which blockchain is
“correct”?

20. 19
CRYPTO 1992
Cynthia Dwork
(now at MSR)
Moni Naor
(Weizmann Institute)

21. 20

22. Idea: Proof-of-Work
Pricing Function: (f)
- moderately easy to compute
- cannot be amortized
computing f(m1),…, f(ml) costs l times as
much as computing f(mi).
- easily verified: given x, y easy to check y = f(x)
21

23. Proposed Pricing Function
22
Extracting Square Roots
index: p
find x, y such that y2 = x mod p
Dwork and Naor proposed two other pricing
functions, designed to have “shortcuts” (backdoors)
to allow administrators to compute them efficiently.

24. Hashcash
Adam Back
1997
23

25. Interactive Hashcash
24
mail sender
mail recipient’s
server
Hello
Challenge: r
r  random nonce
Everyone agrees on one-way function f

26. Interactive Hashcash
25
mail sender
mail recipient’s
server
Hello
Challenge: r
r  random nonce
search for x such that
f(x) = r
Everyone agrees on one-way function f
(x, Mail)

27. Interactive Hashcash
26
mail sender
mail recipient’s
server
Hello
Challenge: r
r  random nonce
search for x such that
f(x) = r
Everyone agrees on one-way function f
(x, Mail) Verify f(x) = r

28. Interactive Hashcash
27
mail sender
mail recipient’s
server
Hello
Challenge: r
r  random nonce
search for x such that
f(x) = r
Everyone agrees on one-way function f
(x, Mail) Verify f(x) = r
Can we make this non-interactive?

29. Non-Interactive Hashcash
28
mail sender
mail recipient’s
server
Everyone agrees on one-way function f
Verify

30. Non-Interactive Hashcash
29
mail sender
mail recipient’s
server, s
Everyone agrees on one-way function f
How well would this work if f is SHA-256?
msg || x
Verify f(msg || x) = s

31. Pre-image Attack on SHA-256
30
search for x such that
f(msg || x) = s

32. 31
Estimated hash rate of entire bitcoin network:
441,695,290 GH/s

33. 32

34. Variable-Difficulty f
33
Challenge: r, Difficulty: d
Find an x such that:
SHA-256(msg || x) < T/d T is some set “target”.
If the difficulty doubles, how much more work is expected?

35. Bitcoin’s Proof-of-Work
34
Find an x such that:
SHA-256(SHA-256(r + x)) < T/d
Why use double SHA-256?

36. 35
http://crypto.stackexchange.com/questions/779/hashing-or-encrypting-twice-to-increase-security

37. 36
https://bitcointalk.org/index.php?topic=45456.0;all

38. 37https://bitcoinwisdom.com/bitcoin/difficulty
Difficulty adjusts (every 2016
blocks) to keep block-finding
time around 10 minutes

39. 38https://bitcoinwisdom.com/bitcoin/difficulty

40. Finding the Next Block
39
B0
H(B0) Nonce
Transactions
H(B1) Nonce
Transactions
H(B2) Nonce
Transactions
Find a nonce x such that:
SHA-256(SHA-256(r + x)) < T/d

41. Finding the Next Block
40
B0
H(B0) Nonce
Transactions
H(B1) Nonce
Transactions
H(B2) Nonce
Transactions
Find a nonce x such that:
SHA-256(SHA-256(r + x)) < T/d
r = header + transactions (including mining fee)
header = H(previous block)

42. Actual Bitcoin Block
41
https://en.bitcoin.it/wiki/Protocol_documentation#Block_Headers

43. Inconsistent Blockchains
42
Node A Node B Node C
Node D Node E Node F Node G
The longest blockchain
is the “right” one.

44. 43

45. 44

46. What happened to proof-of-work
for sending email?
45

47. 46
Instead of making computers
do inane, repetitive work to
prevent mass automation, we
make humans do inane, soul-
killing work!

48. Charge
Readings:
Satoshi paper
Antonopoulos book: Chapters 6 and 7
Princeton book: Chapters 2 and 5
Wednesday: Checkup 2
47