build your own block chain
TRANSCRIPT
Build your own BlockChain
http://www.finextra.com/news/fullstory.aspx?newsitemid=28395
http://www.pymnts.com/news/2015/ripple-effect-for-blockchain-and-banks/
http://www.finextra.com/news/fullstory.aspx?newsitemid=28400
https://ripple.com/
http://www.wired.com/insights/2015/01/block-chain-2-0/
https://www.ethereum.org/
http://www.coindesk.com/microsoft-hints-future-ripple-blockchain-toolkit/
http://www.finextra.com/news/fullstory.aspx?newsitemid=28405
http://www.cnbc.com/2016/01/28/
2016 looks to be the year of the Block Chain
OK, ok. So how does it work?
Lots of documentation and presentations…
https://bitcoin.org/bitcoin.pdf
…but here’s my attempt…
Triple entry booking (or enter the middleman)
• Alice is hungry• Alice could eat a pig
• Bob gives Alice a pig and creates an IOU transaction receipt• Alice owes Bob one pig
• To provide trust, Alice and Bob use Fred to notarise the transaction• 3 copies of a transaction receipt, one for each party
From: AliceTo: Bob Time: 12 Mar 2013For: One pigSignatories: Alice Fred Flintstone Bob
Never trust the middlemanBob loses his receipt
Fred colludes with Alice and claims Bob is mistaken - no pig was provided...
Bob is smad.
Is there a way to get rid of a middleman and provide trust?
Maybe... let's take advantage of public key cryptography
Public key: 28wOoK6Nq9bDExK…Private key:9xl/K0veBBMtZ…
Public key: kL5SwAT6A3U7LAjd…Private key:yaqmH9Z+nKD…
Story time! Private public key cryptography
Once upon a time there was encryption and decryption with a shared key. As long as anyone knew the key, and how to use the key, then they could encrypt or they could decrypt. This is called symmetric encryption.
Some text Move by n number of characters in alphabet Key (n) = 2 Uqog vgzv
Then some smart people had an idea. They realised they could create an approach that involved two different keys. One key is purposely kept private, the other is provided to the other party (or often the public). If you use the private key to encrypt then the public key can decrypt. If you use the public key to encrypt then you can use the private key to decrypt. This is called asymmetric encryption.
Some text Asymmetric algorithmPrivate key
6ab3d9f...
Public key
There are many asymmetric encryption algorithms. RSA is one of the most common.
This is how…1. Alice and Bob generate public-private key pairs eg RSA2. Alice encrypts the plain text version of the transaction receipt with
her private key3. Alice prepends her name to the signed receipt (so we know which
public key to use when many people involved)4. Alice and Bob (and any other members of the network) store the
result
Which means…We’ve created a record of the transaction that we know can only have been generated by Alice. The contents can be decrypted by anyone so the transaction record is visible to all.
The balance of what is owed at a point in time is the sum of all signed transaction receipts.
From: AliceTo: Bob Time: 12 Mar 2013What: One pig
AT6A3U7LAjd…
From: AliceTo: Bob Time: 15 Apr 2014What: Two pig
B7F8U7LA92C…
From: BobTo: AliceTime: 2 Dec 2015What: One pig
87AB2D9A1d…
Alice owes Bob one pig
Bartering is painful, let’s introduce money• Bob is hot and dry so Alice provides two melons, how many melons to a pig?
• We introduce a currency reflecting value• Add it to the transaction records to enable summation
From: AliceTo: Bob Time: 12 Mar 2013What: One pigValue: $100
BT6A3U7LAjd…
From: AliceTo: Bob Time: 15 Apr 2014What: Two pigValue: $200
C7F8U7LA92C…
From: BobTo: AliceTime: 2 Dec 2015What: One pigValue: $100
27AB2D9A1d…
From: BobTo: AliceTime: 2 Dec 2015What: Two melonsValue: $50
BDA32E9ACd…
Alice owes Bob $150
Sorted!?
Not quite, how do we transfer value?
• Bob likes John’s hat• John say’s it’s $200• Bob reckons why not transfer his $200 IOU from Alice to John
From: AliceTo: Bob Time: 12 Mar 2013What: One pigValue: $100
From: AliceTo: Bob Time: 15 Apr 2014What: Two pigValue: $200
From: BobTo: AliceTime: 2 Dec 2015What: One pigValue: $100
From: BobTo: AliceTime: 2 Dec 2015What: Two melonsValue: $50
From: BobTo: JohnTime: 2 Dec 2015What: V1jZUy…Value: $200
SHA256 signature calculated for the
transaction "V1jZUyLvPOxzZvKpuUwTCNzGmovoxHRzJ76FGXMN3JY="
Story time! SHA256 - what's that?
Once upon a time someone figured out that it was possible to calculate a short identifier for any given input. It’s like a unique signature for the input (although in reality it’s not guaranteed to be unique at all – but for all intents and purposes it is). It's called a hash because in the process the algorithm is effectively doing a lot of chopping and mixing.
There are lots of algorithms to do this task but some are better than others. SHA-2, often referred to as SHA256, was designed by the NSA. The letters stand for Secure Hash Algorithm 2.
If you have a hash value, it's not at all easy to obtain the input, even small changes to the input have large consequences on the output.
Don't confuse it with encryption - there's no key, for any given input you always get the same output.
Some text
SHA256
JDdigoW2OuYy8CkQV10XmyLnNnvD42tAta25RmOiIqI=
Some text1
SHA256
12E+SmrYMSTj6vlh51UdVDWgJQNGz35AOvesa2z3yAo=
Recap• No middle man• The summation of signed transaction receipts gives the outstanding
balance position across all parties• Including value transfer between parties
Sorted!?
Not quite, we need to stop double spending…
Problem - double spendingIf members fail to update their personal transaction registers quickly enough, then a malicious member can replicate and use transaction records by spending more than once.
From: AliceTo: Bob Time: 12 Mar 2013What: One pigValue: $100
From: AliceTo: Bob Time: 15 Apr 2014What: Two pigValue: $200
From: BobTo: AliceTime: 2 Dec 2015What: One pigValue: $100
From: BobTo: AliceTime: 2 Dec 2015What: Two melonsValue: $50
From: BobTo: JohnTime: 2 Dec 2015What: V1jZUy…Value: $200
SHA256 signature calculated for the
transaction "V1jZUyLvPOxzZvKpuUwTCNzGmovoxHRzJ76FGXMN3JY="
From: Bad GuyTo: JohnTime: 2 Dec 2015What: V1jZUy…Value: $200
From: Bad GuyTo: JohnTime: 2 Dec 2015What: V1jZUy…Value: $200
This will become obvious in time but by then the damage is done
Question is: how do we ensure an action such as the creation of a transaction record is valid?
We need some way to get transaction integrity
How about 2-phase commit? A 3rd-party in the path?
Nope – grinds to a halt when scaling
Nope – then we’ve failed!
How about distributed consensus with member voting eg “Paxos”?
Story time! Paxos was created by Leslie Lamport and named after a fictional parliament on the Greek island of Paxos.
Paxos is a 3-Phase Commit protocol with several versions – but idea is that majority quorum results in eventual consistency.
Good start, but more required…
Consensus voting has a weakness: fake identities• Distributed networks with voting systems are susceptible to the
creation of fake identities• Fake identities can subvert the vote.• Sometimes called a Sybil attack after the name of the novel of a
woman with identity disorder.• When people are involved we can refer to sockpuppets
Somehow we need to make the creation of identities hard enough to be not worth it
Proof of work: a cost to create identity & voteAt the moment our block chain suffers because
1. it’s easy to create public-private key pairs, and2. It’s easy to sign a value transaction.
What’s something hard???? We’re talking computers here so it has to be computationally hard…
How about the reverse of a signing operation?SHA256(“Some simple text”) "AX+dClQgll/3QNCXacNn3q0O4lv2SKrjQ5C8vLMUcC0=“
Going in reverse you have to brute force which is hard but not impossible.
We can make this much harder though…Look for a hash outcome that has some arbitrary substring eg 00 at the beginning.
SHA256(“I vote for Bob”) "wn8iR1xcp4JLpHC1WLkXSDS+wtNeF5TYCthCycGw1+c=“
Fail, so let’s modify the input in some way..
SHA256(“I vote for Bob - 2”) -> "O1ODEfjRTAgsbMuRSUnMPD84nAExphQ0zqQTpD3Omr8=“
Fail again, keep going…
open System.Security.Cryptographyopen System.Textlet hasher = new SHA256Managed()let bytesHash' (s:string) = hasher.ComputeHash((new UnicodeEncoding()).GetBytes(s))
let r = System.Random()let rs = [0..10000] |> List.map (fun i -> i* r.Next(0,1000))let hashes = rs |> List.map (fun i -> System.Convert.ToBase64String(bytesHash' (i.ToString()) ))hashes |> List.filter (fun h -> h.StartsWith("00"))
… I typically get 2 to 4 hashes that work in 10,001 random choices
The more 0’s at the beginning, the harder work it is.
The idea is to make this expensive for the member generating the vote.
Important point: the time taken to do a proof of work varies widely
Likelihood of solving
Time taken to solve
Some times a node will calculate the proof of work quickly, other times very slowly. When many nodes try and calculate the result simultaneously the time to uncover the result tends towards smaller values. (In BitCoin’s case it’s about 10mins for all nodes but an individual node might typically take hours or days.)
Because of the broad distribution we don’t normally get two solutions found at the same time.
Just what does harder work mean here?
Recap1. To stop malicious members double spending we needed better
transaction integrity but without the downsides of a 3rd party or full 2 phase commit – majority consensus seems a reasonable idea.
2. But consensus voting is susceptible to the creation of fake identities3. It looks like we might have a way to make the vote signing process
sufficiently expensive to perform that we can stop members trying to manipulate the consensus mechanism.
Let’s explore that proof of work cost aspect a bit more• Let’s say we have a network of 1000 participants• Alice transfers some value to Bob, let’s say $1• We can set the computing cost (energy, hardware etc) to create a
transaction by making the proof of work harder or easier
$10
Bob now has a choice:
1. Trust that Alice won’t double spend, or2. Ask some number of the network
participants to verify the transaction
If Bob asks for verification, then what’s a good number of the total network to ask? 10, 100, 500, everyone????
Story time! Proof of work has an interesting history. The idea didn't start specifically with block chains or BitCoin. It came up in the 1990s in the context of finding ways to hinder unwanted behaviour in electronic systems; a classic example being Denial of Service.
Denial of Service is an a way to disrupt service by intentionally flooding a system with requests. But what if we made the attacker's effort sufficiently large that it was no longer financially worth it? What about if the task to make a request was computationally tough. The system offering the service might could ignore those requests not able to satisfy the proof of work task.
Proof of work in the case of BitCoin is large which has lead to the creation of dedicated low energy BitCoin mining hardware. Estimates for the electricity required to generate 1 BitCoin vary greatly depending upon the type of hardware used (home PC versus laptop versus Raspberry PI versus dedicated ASIC).
BitCoin also makes the proof of work progressively harder over time. Currently it's calibrated so that on average the proof of work completes in about 10mins across the whole of the network. With so many nodes on the bitcoin network that means any individual node would usually take many hours or days to finish the proof of work.
1 BitCoin @ 5 Feb 2016 = $NZD 577
Let’s calculate a cost to be a criminal
Number of fake verifications (aka “I vote for Alice”) from fake identities
Cost to verify
$0.001 $0.01 $0.1
10 $0.01 $0.1 $1
100 $0.1 $1 $10
500 $0.5 $5 $50
For a $1 trade there’s two options that look attract, particularly one of them.
Whoa! Hold it there. Cost to be a crim? Isn’t it also the cost to do business?
If every transaction is going to involve proof of work to verify and it equals or exceeds the value of the transaction, then what’s the point?
And just thinking about this – surely, Bob has to pay something for the effort to request verifications?
Let’s add an incentive, and make it more efficient
Transaction Fees• Let’s give network members some recompense for transaction verification• And, let’s make it efficient by pooling transactions into blocks
Blocks of transactions linked together ... doh,I get it: Block Chain!
Block ID: 3a4cb… Previous Block ID: 178dfe… Verified by: Fred Date: 21 Feb 2016
From: Alice To: Bob What: 1 Pig, $100 Fee: $0.1
From: Mickey To: Alice What: 2 Pigs, $220 Fee: $0.15
From: Bob To: Mickey What: 3 Cheeses, $50 Fee: $0.05
To: Fred What: transaction fees, value $0.3
Block verification1. Participants generate transactions and announce them to the
network for verification2. Members like Fred aggregate unconfirmed transactions and once
the total transaction fees are large enough… a. Adds a transaction fee for verification to the blockb. Make the effort to verify transactions are valid and not doubledc. Do the proof of work challenge to generate a block hash
3. Sends the block into the network to distribute to everyone else
What happens when Barney and Fred both choose to verify a block?
Block ID: 3a4cb… Previous Block ID: 178dfe…
Verified by: Fred Date: 21 Feb 2016 09:56
From: Alice To: Bob What: 1 Pig, $100 Fee: $0.1
From: Mickey To: Alice What: 2 Pigs, $220 Fee: $0.15
From: Bob To: Mickey What: 3 Cheeses, $50 Fee: $0.05
To: Fred What: transaction fees, value $0.3
Block ID: 581b2… Previous Block ID: 178dfe…
Verified by: Barney Date: 21 Feb 2016 16:21
From: Alice To: Bob What: 1 Pig, $100 Fee: $0.1
From: Mickey To: Alice What: 2 Pigs, $220 Fee: $0.15
From: Bob To: Mickey What: 3 Cheeses, $50 Fee: $0.05
To: Barney What: transaction fees, value $0.3
We’ve created an incentive to compete. The first to complete
get’s the benefit.
Someone will always be ahead - Fred gets in first
this time
What if two blocks get submitted to the network at nearly the same time?Unlikely, but it could happen.
Can’t use timestamps because they can be maliciously altered.
BlockBlock A
Block BTime
1. Barney’s node sees Block A first so it starts to build a new block on top of Block A from unprocessed transactions.
2. Fred’s node sees Block B first so it starts to build a new block from unprocessed transactions on top of Block B.
3. Block chains have a rule that you immediately switch to the longest chain available.
4. If Barney get’s to publish his new block first, then Fred’s node will discard Block B, use Block A and race to build a new block on top of it.
Barney sees block A first
Fred sees block B first
It’s increasingly rare for blocks to be solved and sent into the network near simultaneously. So
the network rapidly stabilizes.
Consequences are funky.
Solution: only follow the longest chain of blocks
Blocks fundamentally can’t ever be considered final – you might not yet have received all the generated blocks. That means transactions are also never strictly final!
But it turns out that the odds the transaction isn’t correct decrease dramatically as blocks get created.
BitCoin as an example
BlockChain clients need to validate transactions and blocks right back to the beginning of BitCoin. It takes awhile:
On a laptop about two days worth of work…
What if I’m trying to subvert the network?
To create fraudulent transactions then I need to create fraudulent blocks. To modify a past block I would have to redo the proof of work on that block, and then all following blocks.
But this is a really tall order – the probability of an attacker catching up diminishes exponentially as blocks are added.
BlockBlock
Block BlockTime
Block
The computing cost is just too hard for one attacker versus many honest participants.
Block
Putting it all together1. Transactional integrity is achieved with PKI• Non-repudiation and transaction integrity (no modification after creation)• But not really identity
2. Transactions exist in a peer 2 peer network3. Transactions are aggregated into blocks• Gives an efficient way to implement batched proof of work for transaction
fees• Simplifies management of transactions over time (probability of correctness)
4. No middleman!
So is this BitCoin?Mostly. We've created a chain of transactional blocks which we can use for a crypto-currency. BitCoin is a specific implementation tuned to have some interesting properties.
BitCoin has 1Mb blocks and the proof of work is much harder - roughly 13 0s on the front of the hash which means an individual miner might days on average to complete the proof of work, but with a big network BitCoin have tuned difficulty to achieve 10min average block generation.
BitCoin currently limited to about 7 txns/sec by the 1Mb block size - that's not very much for a retail payment system - moves afoot to increase block size and numbers of transactions processed per mining operation.
Fees are effectively near 0 for a user. Compare/contrast to credit card or international transaction fees which can be >3%. Costs of conventional payment brokers are high due to operational overhead, especially fraud. BitCoin avoids all fraud in the actual payment system itself.
BitCoin smallest unit 8 decimal places - micropayments become especially attractive.
All you need is the software and a QR code.
http://www.digitalistmag.com/finance/2016/01/15/blockchain-poised-hot-tech-for-moving-money-2016-03941451
So, what does it all mean?
http://www.wired.com/insights/2015/01/block-chain-2-0/
This is what I think: learn this stuff…
Block chains+
Smart contracts+
Internet of Things
Peer to peer transactional networks free from reconciliation or 3rd-party costs with smart contracts and very large numbers of interacting devices are going to become very important to our future lives.
References• https://www.igvita.com/2014/05/05/minimum-viable-block-chain/• https://www.youtube.com/watch?v=Lx9zgZCMqXE• https://www.khanacademy.org/economics-finance-domain/core-fina
nce/money-and-banking/bitcoin/v/bitcoin-what-is-it • http://www.coindesk.com/math-behind-bitcoin/• http://scet.berkeley.edu/wp-content/uploads/BlockchainPaper.pdf• https://bitcoin.org/bitcoin.pdf