BLOCKCHAINThe foundation behind Bitcoin

Sourav Sen GuptaIndian Statistical Institute, Kolkata

CRYPTOGRAPHYBackbone of Blockchain Technology

Component 1 : Cryptographic Hash Functions

Map variable-length input to constant-length output.

HASH FUNCTIONS

h yx101011101011001…0010110100101 101110101001000110111100010101

Finding the pre-image of a given output is not easy.

HASH FUNCTIONS

h y?101011101011001…0010110100101 101110101001000110111100010101

Finding a colliding twin of a given input is not easy.

HASH FUNCTIONS

h yx1101011101011001…0010110100101

101110101001000110111100010101

x21100101001011001…110010100110

Finding any colliding pair of inputs is not easy.

It is of course possible, but not easy.

HASH FUNCTIONS

h yx1101011101011001…0010110100101

x21100101001011001…110010100110

101110101001000110111100010101

Minor input-mismatch to major output-mismatch.

HASH FUNCTIONS

hy1x1101011101011001…0010110100101 101110101001000110111100010101

x2101010101011001…0010110100101 y2 110010100101100100110010100110

Merkle-Damgard Construction Example : SHA 256 — used in Bitcoin

CONSTRUCTIONS

f

m1

IV f

m2

f

mn

h

Sponge Construction Example : SHA 3 — used in Ethereum

CONSTRUCTIONS

f

m1

f

m2

f

mn

f

h1

c

r

Provably secure scheme for tamper-detection

APPLICATION

h yx

record(x) : c = h(x)

verify(c,x) : h(x) == c

Tamper-evident data pointer = Hash Pointer

Hash Pointer

DATA STRUCTURES

h hash(data)data

addr(data)

Tamper-evident linked data structure = Block

DATA STRUCTURES

h

Block

HP(block)

data

timestamp

Block

HP(block)

data

timestamp

Tamper-evident linked-list = Blockchain

DATA STRUCTURES

Block

HP(block)

data

timestamp

Block

HP(block)

data

timestamp

Block

HP(block)

data

timestamp

Block

HP(block)

data

timestamp

Block

HP(block)

data

timestamp

Tamper-evident linked-list = Blockchain

DATA STRUCTURES

Block

HP(block)

data

timestamp

Block

HP(block)

data

timestamp

Block

HP(block)

data

timestamp

Block

HP(block)

data

timestamp

Block

HP(block)

data

timestamp

Block

HP(block)

data

timestamp

Block

HP(block)

data

timestamp

Block

HP(block)

data

timestamp

Block

HP(block)

data

timestamp

Block

HP(block)

data

timestamp

DATA STRUCTURESProperties Blockchain Merkle Tree Merkle Trie

Size of Commitment O(1) O(1) O(1)

Append a Block/Node O(1) O(log n) O(k)

Update a Block/Node O(n) O(log n) O(k)

Proof of Membership O(n) O(log n) O(k)

Structural Abstraction List of Objects Set of Objects Set of (key, value)

Used for Construction Bitcoin Bitcoin Ethereum

Component 2 : Digital Signature Schemes

(sk, pk) = keygen(n) verify(pk,m,sign(sk,m)) = True

DIGITAL SIGNATURE

pksk

?

s = sign(sk,m) verify(pk,m,s)keygen(n)

Given pk and access to sign(mi) as an oracle, an adversary should not be able to create a valid fresh message-signature pair (m,s)

DIGITAL SIGNATURE

pksk

?

s = sign(sk,m) verify(pk,m,s)keygen(n)

Elliptic Curve Digital Signature Algorithm (ECDSA)

ECDSA on curve E(Fp) : { (x,y) in Fp x Fp | y2 = x3 + 7 } with base prime p = 2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1

CONSTRUCTIONFpQ

Elliptic Curve group of size |E(Fp)| = q ~ p ~ 2256

ECDSA on curve E(Fp) : { (x,y) in Fp x Fp | y2 = x3 + 7 } with base prime p = 2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1

CONSTRUCTION

Parameters Format Range Bit-sizesk random Zq 256pk sk x G E(Fp) 512m hash(M) Zq 256

Signature (r, s) Zq x Zq 512

Publish the public key pk as your Identity Use the secret key sk to prove your identity

APPLICATIONpk

sksk

verify(pk,m,sign(sk,m))

sk?

BITCOINBlockchain in Practice

ANONYMOUS E-CASH

35624

Zero-Knowledge Proof and Blind Signature

35624

35624

35624 35624

35624

BLIND SIGNATURE

First Concept of Untraceable e-Payments and e-Cash

David Chaum, 1984

CYPHERPUNKS

De-Centralize e-Cash

Anonymity is not Enough!

?!

CYPHERPUNKS

DavidChaum

PhilZimmermann

DigiCash PGP RPOW

HalFinney

HashCash

AdamBack

B-Money

WeiDai

BitGold

NickSzabo

1990 1991 20041997 1998 1998

BITCOINSatoshi Nakamoto31 October 2008

BITCOINLedger of Transactions

between Pseudonymous Identities

Semi-Decentralised Publicly-Verifiable Tamper-Resistant Eventually-Consistent

Economic Transaction that we are familiar with

NOT BITCOIN

Tx

NOT BITCOIN

Tx

Centralised Account-based Ledger

NOT BITCOIN

Tx

Decentralised Account-based Ledger

Tx

NOT BITCOIN YET

Tx

Decentralised Transaction-based Ledger

Tx Tx Tx Tx TxTx

TRANSACTION

Tx

Network verifies the Signature

TxSigned by

TRANSACTION

Tx

Network verifies the Signature

TxSigned by

pk

sk

pk

Input : Array of previous Transactions | Output : Array of recipient Addresses

R1

TRANSACTION

TxTxpk2

sk1

Txpk1

Txpk3

sk2 sk3

pk

R2pk

R3pk

Send

er(s)

Recipient(s)

Network verifies the Signature(s)

Input : Array of previous Transactions | Output : Array of recipient Addresses

R1

TRANSACTION

Txpk2

sk1

Txpk1

Txpk3

sk2 sk3

pk

R2

pk

R3

pk

Tx

Recipients

SignaturesInpu

t Tra

nsac

tions

Network verifies the Signature(s)

TRAN

SACT

ION

Metadata

Input(s)

Output(s)

Data obtained from blockchain.info

LEDGER

Tx

Decentralised Transaction-based Ledger

Tx Tx TxTx Tx Tx Tx

Tx Tx Tx TxTx Tx Tx Tx Tx Tx Tx Tx

BLOCK

Data obtained from blockchain.info

BITCOIN

Tx

Tx

Tx

Tx

MiningTransaction

MINING

Tx

Tx

Tx

Tx

Computational Lottery (Puzzle)

Transaction

Winner writes the next block

Existing blocks at a given time

Find r such thathash(r || m) < C

BITCOIN

Tx

Tx

Tx

Tx

MiningTransaction

BITCOINFramework — Decentralised peer-to-peer collaborative networkGoal : All peers should agree on a sequence of transactions

BITCOINPublicly-Verifiable

as the complete ledger and the hash function is public

BITCOINTamper-Evident / Tamper-Resistant

as the ledger is connected through a chain of hash pointers

X X X

X

X X X

BITCOINEventually-Consistent

as the longest chain eventually sustains as the main chain

BITCOINSemi-Decentralised

as the mining is dominated by computational power

BITCOINSemi-Decentralised Publicly-Verifiable Tamper-Resistant Eventually-Consistent

BEYOND BITCOINExploiting the power of Blockchain Ecosystem

Proof-of-Work Proof-of-Space Computation-hard challenge Memory-hard challenge

Proof-of-Stake Proof-of-Importance Depends on holdings Depends on involvement

MINING

PermaCoin, SpaceMint

OmiseGo, EOS

De-Centralized Semi-Centralized Without any Authority With Trusted Authority

Almost all active Currency RSCoin (Bank of England)

NETWORK

Pseudonymity Pure Anonymity Not easily Traceable Provably not Traceable

Mixing Services provide some guarantee of anonymity otherwise.

ANONYMITY

Abstraction of Bitcointo the backbone protocol of blockchain

APPLICATION