BLOCKCHAIN : The foundation behind Bitcoin
Sourav Sen Gupta, Indian Statistical Institute, Kolkata

CRYPTOGRAPHY : Backbone of Blockchain Technology
Component 1 : Cryptographic Hash Functions

HASH FUNCTIONS
[Figure: the hash function h maps an input x (a long bit-string) to a fixed-length output y; later panels show a second input x2 and output y2]
Map variable-length input to constant-length output.
Finding the pre-image of a given output is not easy.
Finding a colliding twin of a given input is not easy.
Finding any colliding pair of inputs is not easy. It is of course possible, but not easy.
Minor input-mismatch to major output-mismatch.
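The three hardness properties and the avalanche effect can be checked directly against SHA-256. The following is an added example, not part of the lecture slides: it counts how many output bits flip for a one-bit input change, and it runs a birthday search on a deliberately truncated 20-bit hash to show that collisions are "possible, but not easy": the search needs roughly 2^(bits/2) tries, which at 20 bits is about a thousand and at 256 bits is about 2^128.

```python
import hashlib
import itertools


def sha256_bits(data: bytes) -> str:
    """Return the 256-bit SHA-256 digest of `data` as a string of '0'/'1'."""
    return format(int.from_bytes(hashlib.sha256(data).digest(), "big"), "0256b")


def hamming_distance(a: str, b: str) -> int:
    """Number of positions in which two equal-length bit-strings differ."""
    return sum(x != y for x, y in zip(a, b))


def avalanche(x1: bytes, x2: bytes) -> int:
    """Minor input-mismatch to major output-mismatch: count the output bits that
    differ between h(x1) and h(x2). For inputs differing in one bit, about half
    of the 256 output bits change."""
    return hamming_distance(sha256_bits(x1), sha256_bits(x2))


def truncated_hash(data: bytes, bits: int) -> int:
    """A deliberately weakened hash: only the first `bits` bits of SHA-256.
    Constructed for the demonstration; never use a truncated digest like this."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_collision(bits: int):
    """Birthday search for *any* colliding pair on the truncated hash.
    Returns (x1, x2, tries). Expected tries ~ 2^(bits/2); the pigeonhole
    principle guarantees success within 2^bits + 1 tries."""
    seen = {}
    for i in itertools.count():
        x = i.to_bytes(8, "big")
        digest = truncated_hash(x, bits)
        if digest in seen and seen[digest] != x:
            return seen[digest], x, i + 1
        seen[digest] = x


if __name__ == "__main__":
    print("bits flipped for a 1-bit input change:", avalanche(b"\x00", b"\x01"))
    x1, x2, tries = find_collision(20)
    print(f"20-bit collision after {tries} tries: {x1.hex()} vs {x2.hex()}")
```

Raising `bits` by two roughly doubles the number of tries, which is the practical meaning of "not easy" for the full 256-bit function.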
CONSTRUCTIONS
Merkle-Damgard Construction. Example : SHA 256 — used in Bitcoin
[Figure: starting from IV, the message blocks m1, m2, ..., mn are fed one at a time through the compression function f in a chain; the final state is the hash h]
Sponge Construction. Example : SHA 3 — used in Ethereum
[Figure: the state is split into a rate part r and a capacity part c; message blocks m1, ..., mn are absorbed into r with the permutation f applied between blocks, c is never touched by the input, and the output h1 is squeezed out of r]
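To make the two diagrams concrete, here is an added toy implementation of both constructions (not code from the slides). Real SHA-256 and SHA-3 use dedicated compression and permutation functions; this example stands in SHA-256 for both the compression function f and the sponge permutation f, so the block sizes (8-byte blocks, rate 8 bytes, capacity 24 bytes) and the initial values are constructed for illustration only and the result is not a standard hash.

```python
import hashlib

BLOCK = 8  # bytes per message block (constructed toy size; SHA-256 uses 64)


def pad(msg: bytes) -> list:
    """Merkle-Damgard strengthening: append 0x80, zero-fill so that the
    8-byte bit-length field completes a block, then append the length."""
    padded = msg + b"\x80"
    while (len(padded) + 8) % BLOCK:
        padded += b"\x00"
    padded += (len(msg) * 8).to_bytes(8, "big")
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


# ---- Merkle-Damgard: chain a compression function over the blocks ----
IV = bytes(32)  # constructed initial value (a real design fixes a specific IV)


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function f: fixed-size state and block in, new state out."""
    return hashlib.sha256(state + block).digest()


def md_hash(msg: bytes) -> bytes:
    """h = f(... f(f(IV, m1), m2) ..., mn): the final chaining state is the digest."""
    state = IV
    for block in pad(msg):
        state = compress(state, block)
    return state


# ---- Sponge: absorb into the rate part only, then squeeze ----
R, C = 8, 24  # rate and capacity in bytes (constructed; R + C = 32 = SHA-256 output size)


def permute(state: bytes) -> bytes:
    """Stand-in for the permutation f on the full r+c state. A real sponge
    uses a bijection such as Keccak-f; SHA-256 is used here only for shape."""
    return hashlib.sha256(state).digest()


def sponge_hash(msg: bytes, out_len: int = 32) -> bytes:
    """XOR each message block into the rate part and permute (absorb phase);
    then read the rate part, permuting between reads, until out_len bytes
    are produced (squeeze phase). The capacity part never receives input."""
    state = bytes(R + C)
    for block in pad(msg):  # BLOCK == R, so each block fits the rate part
        xored = bytes(s ^ b for s, b in zip(state[:R], block))
        state = permute(xored + state[R:])
    out = b""
    while len(out) < out_len:
        out += state[:R]
        state = permute(state)
    return out[:out_len]


if __name__ == "__main__":
    print("MD    :", md_hash(b"abc").hex())
    print("sponge:", sponge_hash(b"abc", 40).hex())
```

The structural difference visible in the code is the one the slides point at: Merkle-Damgard outputs its entire final state, whereas a sponge only ever exposes the rate part and can keep squeezing to any output length.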
APPLICATION
Provably secure scheme for tamper-detection
[Figure: h maps the data x to the commitment y]
record(x) : c = h(x)
verify(c, x) : h(x) == c
DATA STRUCTURES
Tamper-evident data pointer = Hash Pointer
[Figure: a hash pointer stores addr(data) together with h = hash(data)]
Tamper-evident linked data structure = Block
[Figure: each Block holds HP(block), the hash pointer to the previous block, together with its data and a timestamp]
Tamper-evident linked-list = Blockchain
[Figure: a sequence of Blocks, each holding HP(block) to its predecessor plus data and timestamp; the list is reached through a single hash pointer h to its most recent block]
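The record/verify scheme, the hash pointer and the blockchain as a linked list of hash pointers fit in a few dozen lines. The code below is an added example, not from the slides: block layout, the genesis pointer value, the JSON serialisation and the sample timestamps are all constructed for the demonstration. Verification walks the chain from the head pointer backwards, so altering any block's data, timestamp or pointer breaks the pointer that refers to it.

```python
import hashlib
import json


def h(data: bytes) -> str:
    """The public hash function (SHA-256, as in Bitcoin)."""
    return hashlib.sha256(data).hexdigest()


# APPLICATION slide: commit to x, later check that x is unchanged.
def record(x: bytes) -> str:
    return h(x)


def verify(c: str, x: bytes) -> bool:
    return h(x) == c


# DATA STRUCTURES: a block and its hash pointer.
GENESIS_HP = "0" * 64  # constructed: pointer value used by the first block


def make_block(prev_hp: str, data: str, timestamp: int) -> dict:
    """Block = HP(previous block) + data + timestamp."""
    return {"HP": prev_hp, "data": data, "timestamp": timestamp}


def hash_pointer(block: dict) -> str:
    """HP(block): hash of the block's canonical serialisation. Because the
    previous HP is inside the block, this commits to the whole history."""
    return h(json.dumps(block, sort_keys=True).encode())


def build_chain(records, start_time: int = 1_500_000_000):
    """Append records as blocks; return (chain, head hash pointer).
    Appending costs O(1): one new block and one hash."""
    chain, prev = [], GENESIS_HP
    for i, data in enumerate(records):
        block = make_block(prev, data, start_time + i)  # constructed timestamps
        chain.append(block)
        prev = hash_pointer(block)
    return chain, prev


def verify_chain(chain, head_hp: str) -> int:
    """Walk from the head pointer backwards. Return the index of the first
    block whose contents no longer match the pointer that refers to it,
    or -1 if the whole chain is intact. Costs O(n), as in the slide table."""
    expected = head_hp
    for i in range(len(chain) - 1, -1, -1):
        if hash_pointer(chain[i]) != expected:
            return i
        expected = chain[i]["HP"]
    return -1


if __name__ == "__main__":
    chain, head = build_chain(["alice->bob 5", "bob->carol 2", "carol->dave 1"])
    print("intact, tampered index =", verify_chain(chain, head))
    chain[1]["data"] = "bob->mallory 2"
    print("after edit, tampered index =", verify_chain(chain, head))
```

Only the head pointer needs to be remembered out of band (the O(1) commitment in the table); everything else can be handed to an untrusted party and checked on return.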
DATA STRUCTURES
Properties              Blockchain        Merkle Tree       Merkle Trie
Size of Commitment      O(1)              O(1)              O(1)
Append a Block/Node     O(1)              O(log n)          O(k)
Update a Block/Node     O(n)              O(log n)          O(k)
Proof of Membership     O(n)              O(log n)          O(k)
Structural Abstraction  List of Objects   Set of Objects    Set of (key, value)
Used for Construction   Bitcoin           Bitcoin           Ethereum
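The O(log n) proof-of-membership column is what makes the Merkle tree useful inside a Bitcoin block: a verifier holding only the root (the O(1) commitment) can check that a transaction is in the block from a path of sibling hashes. This added example (not from the slides) builds the tree, produces the sibling path and verifies it; the leaf/node domain-separation prefixes and the duplication of an odd last node are constructed choices, the latter following Bitcoin's convention.

```python
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(item: bytes) -> bytes:
    """Leaves and internal nodes get different prefixes so a leaf can never
    be mistaken for a node hash (constructed domain separation)."""
    return H(b"\x00" + item)


def node_hash(left: bytes, right: bytes) -> bytes:
    return H(b"\x01" + left + right)


def build_levels(items):
    """All levels of the tree, leaves first, root last. An odd-length level
    has its last node duplicated before pairing (Bitcoin style)."""
    level = [leaf_hash(x) for x in items]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(items) -> bytes:
    """The O(1) commitment to the whole set."""
    return build_levels(items)[-1][0]


def membership_proof(items, index: int):
    """Sibling hash at every level from the leaf up: O(log n) hashes.
    Each entry is (sibling_hash, sibling_is_on_the_right)."""
    levels = build_levels(items)
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return proof


def verify_membership(root: bytes, item: bytes, proof) -> bool:
    """Recompute the path from the leaf to the root using only the proof."""
    node = leaf_hash(item)
    for sibling, sibling_is_right in proof:
        node = node_hash(node, sibling) if sibling_is_right else node_hash(sibling, node)
    return node == root


if __name__ == "__main__":
    txs = [b"tx1", b"tx2", b"tx3", b"tx4", b"tx5"]  # constructed sample transactions
    root = merkle_root(txs)
    proof = membership_proof(txs, 4)
    print("proof length:", len(proof), "valid:", verify_membership(root, txs[4], proof))
```

Updating one leaf re-hashes only its root path, which is the O(log n) update entry in the table, against O(n) for the plain hash-pointer list.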
Component 2 : Digital Signature Schemes

DIGITAL SIGNATURE
(sk, pk) = keygen(n)
s = sign(sk, m)
verify(pk, m, s)
verify(pk, m, sign(sk, m)) = True
[Figure: the signer holds sk and publishes pk; anyone holding pk can check a signature s on m]
Given pk and access to sign(mi) as an oracle, an adversary should not be able to create a valid fresh message-signature pair (m, s).
CONSTRUCTION
Elliptic Curve Digital Signature Algorithm (ECDSA)
ECDSA on curve E(Fp) : { (x, y) in Fp x Fp | y^2 = x^3 + 7 } with base prime p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1
Elliptic Curve group of size |E(Fp)| = q ~ p ~ 2^256
[Figure: the curve over Fp with a point Q marked]

Parameters   Format     Range      Bit-size
sk           random     Zq         256
pk           sk x G     E(Fp)      512
m            hash(M)    Zq         256
Signature    (r, s)     Zq x Zq    512
APPLICATION
Publish the public key pk as your Identity. Use the secret key sk to prove your identity.
[Figure: pk is public; only the holder of sk can produce a signature for which verify(pk, m, sign(sk, m)) succeeds]
BITCOIN : Blockchain in Practice

ANONYMOUS E-CASH
[Figure: an e-cash note with serial number 35624 is issued by a bank and passes between parties; the bank cannot link the note it signed to the one later deposited]
Zero-Knowledge Proof and Blind Signature
BLIND SIGNATURE
First Concept of Untraceable e-Payments and e-Cash
David Chaum, 1984
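The blind signature is what makes the note untraceable: the bank signs a blinded serial number, the customer removes the blinding, and the resulting signature verifies on the real serial even though the bank never saw it. This is an added example of the RSA blind-signature idea (not code from the slides or from DigiCash): the RSA key uses tiny constructed primes so that it runs instantly, which makes it illustration-only, and the serial is mapped to an integer with a constructed hash-then-reduce step.

```python
import hashlib
import math
import secrets

# Toy RSA key for the bank: constructed small primes, illustration only.
# A real deployment uses primes of 1024+ bits and a proper padding scheme.
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the bank


def serial_to_int(serial: str) -> int:
    """Map a note's serial number to an integer mod N (constructed encoding)."""
    return int.from_bytes(hashlib.sha256(serial.encode()).digest(), "big") % N


def blind(m: int):
    """Customer: pick a random blinding factor r coprime to N and hide m as
    m * r^E mod N. Returns (blinded message, r); r stays with the customer."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return m * pow(r, E, N) % N, r


def bank_sign(blinded: int) -> int:
    """Bank: sign whatever it is handed (and debit the account); it learns
    nothing about m because r^E is a uniformly random mask."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Customer: (m * r^E)^D = m^D * r, so multiplying by r^-1 leaves m^D."""
    return blinded_sig * pow(r, -1, N) % N


def verify_coin(serial: str, sig: int) -> bool:
    """Merchant or bank: an ordinary RSA check with the public exponent."""
    return pow(sig, E, N) == serial_to_int(serial)


def issue_note(serial: str) -> int:
    """Full protocol run from the customer's side; returns the unblinded signature."""
    m = serial_to_int(serial)
    blinded, r = blind(m)
    return unblind(bank_sign(blinded), r)


if __name__ == "__main__":
    sig = issue_note("35624")  # serial number shown on the slide
    print("note 35624 verifies:", verify_coin("35624", sig))
    print("note 35625 verifies with same signature:", verify_coin("35625", sig))
```

At deposit time the bank checks the signature and records the serial to stop a double spend, but since it only ever saw the blinded value, it cannot tell which withdrawal the note came from.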
CYPHERPUNKS
De-Centralize e-Cash. Anonymity is not Enough!
[Timeline figure]
David Chaum : DigiCash (1990)
Phil Zimmermann : PGP (1991)
Hal Finney : RPOW (2004)
Adam Back : HashCash (1997)
Wei Dai : B-Money (1998)
Nick Szabo : BitGold (1998)
BITCOIN : Satoshi Nakamoto, 31 October 2008
BITCOIN : Ledger of Transactions between Pseudonymous Identities
Semi-Decentralised, Publicly-Verifiable, Tamper-Resistant, Eventually-Consistent
NOT BITCOIN
Economic Transaction that we are familiar with
[Figure: a single transaction Tx between two parties]
NOT BITCOIN
Centralised Account-based Ledger
NOT BITCOIN
Decentralised Account-based Ledger
NOT BITCOIN YET
Decentralised Transaction-based Ledger
[Figure: a sequence of transactions Tx, each referring to earlier ones]
TRANSACTION
[Figure: a transaction Tx is signed by the sender with sk; the network verifies the signature against the sender's pk]
Network verifies the Signature
Input : Array of previous Transactions | Output : Array of recipient Addresses
[Figure: previous transactions Tx controlled by pk1, pk2, pk3 are spent by signing with sk1, sk2, sk3; the new Tx pays to recipient addresses R1, R2, R3, each a public key]
Sender(s) sign the input transactions; Recipient(s) are named by their addresses in the outputs.
Network verifies the Signature(s)
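The CONSTRUCTION slides give the ECDSA parameters (curve y^2 = x^3 + 7 over Fp, group order q, sk in Zq, pk = sk x G, m = hash(M), signature (r, s)), and the TRANSACTION slides describe inputs signed by their owners' keys and verified by the network. This added example (not code from the slides or from Bitcoin) implements both on the real secp256k1 parameters: a minimal textbook ECDSA in affine coordinates, and a toy transaction whose body (input references and output addresses) is hashed and signed once per input. The transaction layout, the JSON serialisation and the `prev-tx` identifiers are constructed for the demonstration; a real Bitcoin transaction has a different encoding and script-based ownership checks.

```python
import hashlib
import json
import secrets

# secp256k1 domain parameters, as used by Bitcoin
p = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # |E(Fp)|
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(P) -> bool:
    x, y = P
    return (y * y - (x ** 3 + 7)) % p == 0


def point_add(P, Q):
    """Group law on E(Fp) in affine coordinates; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P == -Q
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def scalar_mult(k: int, P):
    """k x P by double-and-add (not constant-time; textbook illustration only)."""
    R = None
    while k:
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R


def keygen():
    """sk uniformly random in Zq (256 bits); pk = sk x G, a point of E(Fp) (512 bits)."""
    sk = secrets.randbelow(q - 1) + 1
    return sk, scalar_mult(sk, G)


def msg_hash(M: bytes) -> int:
    """m = hash(M) reduced into Zq."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % q


def sign(sk: int, M: bytes):
    """(r, s) in Zq x Zq. The nonce k must be fresh and secret for every signature."""
    m = msg_hash(M)
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = scalar_mult(k, G)[0] % q
        s = pow(k, -1, q) * (m + r * sk) % q
        if r and s:
            return (r, s)


def verify(pk, M: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < q and 0 < s < q) or pk is None or not on_curve(pk):
        return False
    w = pow(s, -1, q)
    X = point_add(scalar_mult(msg_hash(M) * w % q, G), scalar_mult(r * w % q, pk))
    return X is not None and X[0] % q == r


# ---- Toy transaction: inputs reference previous transactions, outputs name addresses ----
def tx_id(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_tx(inputs, outputs, signing_keys):
    """inputs: [(prev_tx_id, owner_pk)], outputs: [(recipient_pk, amount)].
    The sender signs the transaction id once with the key behind each input."""
    body = {"inputs": [list(i) for i in inputs], "outputs": [list(o) for o in outputs]}
    digest = tx_id(body).encode()
    return {"body": body, "signatures": [sign(sk, digest) for sk in signing_keys]}


def network_verify(tx) -> bool:
    """What every peer checks: one valid signature per input, under the pk that owned it."""
    digest = tx_id(tx["body"]).encode()
    inputs, sigs = tx["body"]["inputs"], tx["signatures"]
    return len(inputs) == len(sigs) and all(
        verify(tuple(pk), digest, sig) for (_, pk), sig in zip(inputs, sigs))


if __name__ == "__main__":
    sk1, pk1 = keygen()
    sk2, pk2 = keygen()
    tx = make_tx([("prev-tx-constructed", pk1)], [(pk2, 5)], [sk1])
    print("network accepts:", network_verify(tx))
```

The `on_curve` check in `verify` is the kind of input validation a verifier must not skip: a public key that is not a point of E(Fp) should be rejected before any arithmetic is done with it.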
LEDGER
Decentralised Transaction-based Ledger
[Figure: the ledger as a large collection of transactions Tx]
BITCOIN
[Figure: transactions Tx are collected into a block together with a Mining Transaction]
MINING
Computational Lottery (Puzzle) : Winner writes the next block
[Figure: the existing blocks at a given time; a miner assembles pending transactions and its mining transaction into a candidate block]
Find r such that hash(r || m) < C
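The puzzle "find r such that hash(r || m) < C" is simple to write down, and the asymmetry that makes it a lottery is that finding r takes about 2^256 / C hash evaluations while checking a claimed r takes one. This added example (not the slides' or Bitcoin's code) runs the search with SHA-256 at a constructed low difficulty; the 8-byte encoding of r, the block message layout and the difficulty-to-target mapping are choices made for the demonstration, not Bitcoin's actual header format or target encoding.

```python
import hashlib


def pow_hash(r: int, m: bytes) -> int:
    """hash(r || m) as a 256-bit integer; r is serialised as 8 big-endian bytes (constructed)."""
    return int.from_bytes(hashlib.sha256(r.to_bytes(8, "big") + m).digest(), "big")


def target(difficulty_bits: int) -> int:
    """C = 2^(256 - d): a hash below C starts with d zero bits.
    Halving C doubles the expected work, so the network tunes C to the block rate."""
    return 1 << (256 - difficulty_bits)


def mine(m: bytes, C: int, max_tries: int = 1 << 32):
    """The computational lottery: try r = 0, 1, 2, ... until hash(r || m) < C.
    Expected number of tries is 2^256 / C. Returns (r, tries) or None."""
    for r in range(max_tries):
        if pow_hash(r, m) < C:
            return r, r + 1
    return None


def check_pow(r: int, m: bytes, C: int) -> bool:
    """Verification costs a single hash, however long the search took."""
    return pow_hash(r, m) < C


def block_message(prev_hp: str, txs) -> bytes:
    """m: hash pointer to the previous block plus the transactions (constructed layout)."""
    return (prev_hp + "|" + "|".join(txs)).encode()


if __name__ == "__main__":
    m = block_message("00" * 32, ["mining-tx", "alice->bob 5", "bob->carol 2"])
    C = target(16)  # constructed: ~65k expected tries, instant on a laptop
    r, tries = mine(m, C)
    print(f"r = {r} after {tries} tries; hash = {pow_hash(r, m):064x}")
    print("verifies:", check_pow(r, m, C))
```

Because m contains the hash pointer to the previous block, a solved puzzle is bound to one position in the chain; rewriting an earlier block invalidates its pointer and forces the puzzle to be solved again for it and for every block after it.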
BITCOIN : Framework — Decentralised peer-to-peer collaborative network
Goal : All peers should agree on a sequence of transactions
BITCOIN : Publicly-Verifiable, as the complete ledger and the hash function is public
BITCOIN : Tamper-Evident / Tamper-Resistant, as the ledger is connected through a chain of hash pointers
[Figure: tampering with one block (marked X) invalidates every hash pointer that follows it]
BITCOIN : Eventually-Consistent, as the longest chain eventually sustains as the main chain
BITCOIN : Semi-Decentralised, as the mining is dominated by computational power
BITCOIN : Semi-Decentralised, Publicly-Verifiable, Tamper-Resistant, Eventually-Consistent
BEYOND BITCOIN : Exploiting the power of Blockchain Ecosystem

MINING
Proof-of-Work : Computation-hard challenge
Proof-of-Space : Memory-hard challenge
Proof-of-Stake : Depends on holdings
Proof-of-Importance : Depends on involvement
Examples : PermaCoin, SpaceMint; OmiseGo, EOS

NETWORK
De-Centralized : Without any Authority (almost all active Currency)
Semi-Centralized : With Trusted Authority (RSCoin, Bank of England)

ANONYMITY
Pseudonymity : Not easily Traceable
Pure Anonymity : Provably not Traceable
Mixing Services provide some guarantee of anonymity otherwise.

APPLICATION
Abstraction of Bitcoin to the backbone protocol of blockchain