BLOCKCHAIN: The foundation behind Bitcoin. Sourav Sen Gupta, Indian Statistical Institute, Kolkata. PowerPoint PPT Presentation


slide-1
SLIDE 1

BLOCKCHAIN

The foundation behind Bitcoin

Sourav Sen Gupta

Indian Statistical Institute, Kolkata

slide-2
SLIDE 2

CRYPTOGRAPHY

Backbone of Blockchain Technology

slide-3
SLIDE 3

Component 1 : Cryptographic Hash Functions

slide-4
SLIDE 4

HASH FUNCTIONS

Map variable-length input to constant-length output: y = h(x).

[Diagram: a long bit-string x goes into h and a fixed-length bit-string y comes out.]

slide-5
SLIDE 5

HASH FUNCTIONS

Finding the pre-image of a given output is not easy (pre-image resistance): given y, it should be infeasible to find any x with h(x) = y.

[Diagram: y is known; the input x = ? is what the attacker must find.]

slide-6
SLIDE 6

HASH FUNCTIONS

Finding a colliding twin of a given input is not easy (second pre-image resistance): given x1, it should be infeasible to find an x2 != x1 with h(x2) = h(x1).

[Diagram: a fixed x1 and a different x2 both map to the same y.]

slide-7
SLIDE 7

HASH FUNCTIONS

Finding any colliding pair of inputs is not easy (collision resistance): it should be infeasible to find any x1 != x2 with h(x1) = h(x2).

It is of course possible, but not easy: the input space is larger than the output space, so collisions must exist. For an n-bit output a generic birthday search needs about 2^(n/2) hash evaluations, against about 2^n for a pre-image, so collision resistance is always the weaker of the three properties.

[Diagram: the attacker chooses both x1 and x2 so that they map to the same y.]

slide-8
SLIDE 8

HASH FUNCTIONS

Minor input-mismatch to major output-mismatch (avalanche effect): flipping a single input bit should change about half of the output bits, so y1 and y2 look unrelated even though x1 and x2 differ in one bit.

[Diagram: x1 and x2 differ in a single bit; their outputs y1 and y2 differ throughout.]
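As an added example (not part of the deck), the three resistance properties and the avalanche effect above exercised on SHA-256 in Python. Truncating the digest to a few bits creates a deliberately weak hash so the searches finish in seconds and the square-root gap between collision and pre-image cost becomes visible; the input formats `preimage-%d` / `collision-%d` and the "constructed secret" target are constructed for the demo.

```python
import hashlib


def h(data: bytes) -> bytes:
    """SHA-256, the hash function used in Bitcoin."""
    return hashlib.sha256(data).digest()


def bit_diff(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(x: bytes, bit: int = 0) -> int:
    """Flip one input bit and report how many of the 256 output bits change.
    For a good hash this is close to 128 whichever bit is flipped."""
    flipped = bytearray(x)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return bit_diff(h(x), h(bytes(flipped)))


def truncated(data: bytes, nbits: int) -> int:
    """First nbits of SHA-256 as an integer: a toy hash with a tiny output space."""
    return int.from_bytes(h(data), "big") >> (256 - nbits)


def find_preimage(target: int, nbits: int, limit: int):
    """Brute-force search for any input whose truncated hash equals target.
    Expected cost about 2**nbits trials. Returns (input, trials) or (None, limit)."""
    for i in range(limit):
        cand = b"preimage-%d" % i
        if truncated(cand, nbits) == target:
            return cand, i + 1
    return None, limit


def find_collision(nbits: int):
    """Birthday search: remember every truncated hash until one repeats.
    Expected cost about 2**(nbits/2) trials, the square root of the pre-image cost,
    which is why 32-bit collisions below cost about as much as 16-bit pre-images."""
    seen = {}
    i = 0
    while True:
        cand = b"collision-%d" % i
        t = truncated(cand, nbits)
        if t in seen:
            return seen[t], cand, i + 1
        seen[t] = cand
        i += 1


if __name__ == "__main__":
    print("output bits changed by a 1-bit input flip:", avalanche(b"hello world"))
    target = truncated(b"constructed secret", 16)
    pre, tries = find_preimage(target, 16, 1 << 20)
    print("16-bit pre-image", pre, "found after", tries, "trials")
    a, b, tries = find_collision(32)
    print("32-bit collision", a, b, "found after", tries, "trials")
```

Raising `nbits` by one doubles the pre-image search but multiplies the collision search by only about 1.4, which is the arithmetic behind the 2^(n/2) bound; at the full 256 bits neither search is feasible.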

slide-9
SLIDE 9

CONSTRUCTIONS

Merkle-Damgård Construction

Example : SHA-256, used in Bitcoin.

[Diagram: h = f(... f(f(IV, m1), m2) ..., mn); a compression function f is chained over the padded message blocks m1 ... mn starting from a fixed IV, and the final chaining value is the hash.]

slide-10
SLIDE 10

CONSTRUCTIONS

Sponge Construction

Example : SHA-3, used in Ethereum. (Ethereum actually uses Keccak-256, the pre-standardisation Keccak whose padding differs from the final SHA-3 standard; the sponge structure is the same.)

[Diagram: the state is split into a rate part r and a capacity part c. Each block m1 ... mn is XORed into the rate part and the permutation f is applied (absorb); output blocks h1 ... are then read from the rate part between further applications of f (squeeze). The capacity part is never exposed in the output.]
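The practical caveat a practitioner wants next to the two diagrams above is length extension: in a Merkle-Damgård hash the output is the entire internal state, so anyone who knows h(m) and len(m) can continue the chain and compute h(m || pad || ext) without knowing m. The sponge was designed to avoid this, since only the rate part of the state ever leaves it. This is an added example, not code from the deck: a toy Merkle-Damgård hash whose compression function `f`, 32-byte block size and all-zero IV are arbitrary choices made here, used to forge a naive `h(key || message)` MAC (key and message constructed). Real SHA-256 has the same property, which is why keyed hashing uses HMAC rather than `h(key || message)`.

```python
import hashlib
import struct

BLOCK = 32                 # toy block size in bytes
IV = b"\x00" * 32          # fixed initial chaining value


def f(state: bytes, block: bytes) -> bytes:
    """Toy compression function: (32-byte state, 32-byte block) -> 32-byte state.
    SHA-256 is borrowed only to get something one-way; what the example shows is
    the chaining around it, which is the Merkle-Damgard structure itself."""
    return hashlib.sha256(state + block).digest()


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero bytes, then the 64-bit bit-length,
    so the padded message is a whole number of blocks. The padding depends only on
    len(msg), never on its content."""
    padded = msg + b"\x80"
    while (len(padded) + 8) % BLOCK:
        padded += b"\x00"
    return padded + struct.pack(">Q", 8 * len(msg))


def md_hash(msg: bytes, state: bytes = IV) -> bytes:
    """h = f(... f(f(IV, m1), m2) ..., mn): the final chaining value IS the output."""
    padded = md_pad(msg)
    for i in range(0, len(padded), BLOCK):
        state = f(state, padded[i:i + BLOCK])
    return state


def length_extend(digest: bytes, msg_len: int, ext: bytes):
    """Given only h(m) and len(m), return (suffix, h(m || suffix)) where
    suffix = pad(m) || ext. Works because digest is the full state after
    absorbing m || pad(m), so the chain can be resumed from it."""
    glue = md_pad(b"\x00" * msg_len)[msg_len:]      # pad(m), recoverable from len(m) alone
    total = msg_len + len(glue) + len(ext)          # length of the forged message
    tail = md_pad(b"\x00" * total)[total:]          # padding the forged message will carry
    state = digest
    data = ext + tail                               # m || glue ends on a block boundary
    for i in range(0, len(data), BLOCK):
        state = f(state, data[i:i + BLOCK])
    return glue + ext, state


if __name__ == "__main__":
    # Constructed scenario: a naive MAC = h(key || message) with a secret key.
    key, msg = b"constructed-secret-key", b"amount=10&to=alice"
    mac = md_hash(key + msg)
    suffix, forged_mac = length_extend(mac, len(key) + len(msg), b"&to=mallory")
    print("forged message:", msg + suffix)
    print("forged MAC verifies:", md_hash(key + msg + suffix) == forged_mac)
```

The attacker needs only the key length, which is usually guessable, and the forged message carries the glue padding bytes in the middle; whether that matters depends on how the receiver parses the message, which is exactly why the fix is HMAC rather than hoping the parser rejects the glue.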

slide-11
SLIDE 11

APPLICATIONS

Provably secure scheme for Commitment

commit(x) : c = h(r || x)
verify(c, r, x) : h(r || x) == c

Random nonce r must have high min-entropy for this scheme to be secure: hiding (c reveals nothing about x) rests on the adversary being unable to enumerate r, while binding (c cannot later be opened to a different x) rests on the collision resistance of h.

slide-12
SLIDE 12

APPLICATIONS

Provably secure scheme for tamper-detection

record(x) : c = h(x)
verify(c, x) : h(x) == c

There is no nonce here: c binds x but does not hide it, since anyone who can guess x can confirm the guess against c.
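Both schemes from the two slides above in Python, as an added example that is not from the deck. The 32-byte nonce length, the 2-byte "weak" nonce and the candidate list are assumptions made for the demo; `open_weak_commitment` shows concretely what "high min-entropy" buys: with a short r and a small message space the commitment hides nothing, even though it is still binding.

```python
import hashlib
import secrets

NONCE_LEN = 32   # bytes of r: 256 bits of min-entropy when drawn from a CSPRNG


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def commit(x: bytes, nonce_len: int = NONCE_LEN):
    """commit(x): c = h(r || x) with a fresh random r. Returns (c, r): publish c,
    keep r and x. r has a fixed length so that r || x parses unambiguously; with a
    variable-length r, (r, x) and some (r', x') could share one concatenation and
    the same c could be opened two ways."""
    r = secrets.token_bytes(nonce_len)
    return h(r + x), r


def verify(c: bytes, r: bytes, x: bytes) -> bool:
    """verify(c, r, x): h(r || x) == c, compared in constant time."""
    return secrets.compare_digest(h(r + x), c)


def record(x: bytes) -> bytes:
    """Tamper-detection scheme: c = h(x), no nonce, so c does not hide x."""
    return h(x)


def check(c: bytes, x: bytes) -> bool:
    return secrets.compare_digest(h(x), c)


def open_weak_commitment(c: bytes, candidates, nonce_len: int):
    """Hiding fails when r has low min-entropy: enumerate every (r, x) pair and
    recover the opening. Cost is len(candidates) * 256**nonce_len hashes,
    which is trivial for a 2-byte r and hopeless for a 32-byte one."""
    for x in candidates:
        for i in range(256 ** nonce_len):
            r = i.to_bytes(nonce_len, "big")
            if h(r + x) == c:
                return x, r
    return None


if __name__ == "__main__":
    c, r = commit(b"yes")                      # a sealed vote, constructed
    print("opens to yes:", verify(c, r, b"yes"), "opens to no:", verify(c, r, b"no"))
    weak_c, weak_r = commit(b"yes", nonce_len=2)
    print("weak commitment recovered:", open_weak_commitment(weak_c, [b"no", b"yes"], 2))
    t = record(b"ledger entry 42")
    print("record intact:", check(t, b"ledger entry 42"), "tampered:", check(t, b"ledger entry 43"))
```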

slide-13
SLIDE 13

DATA STRUCTURES

Tamper-evident data pointer = Hash Pointer

Hash Pointer = ( addr(data), hash(data) ): a pointer to where the data lives together with a hash of that data, so the holder of the pointer can detect any later modification of what it points to.

slide-14
SLIDE 14

DATA STRUCTURES

Tamper-evident linked data structure = Block

Block = ( HP(previous block), data, timestamp ): each block carries a hash pointer to its predecessor instead of a plain address, so the block commits to the previous block's content as well as its own.

slide-15
SLIDE 15

DATA STRUCTURES

Tamper-evident linked-list = Blockchain

[Diagram: Block -> Block -> Block -> Block -> Block, each holding ( HP(previous block), data, timestamp ).]

slide-16
SLIDE 16

DATA STRUCTURES

Tamper-evident linked-list = Blockchain

[Diagram: a longer chain of ten blocks, each holding ( HP(previous block), data, timestamp ).]

Changing the data of any block changes its hash, which no longer matches the HP stored in the next block; the hash pointer to the head of the list therefore commits to the entire history, and a verifier holding only that one hash can detect tampering anywhere in the chain.

slide-17
SLIDE 17

DATA STRUCTURES

Tamper-evident binary-tree = Merkle Tree

[Diagram: each Node holds ( HP(left), data, timestamp, HP(right) ); HP(root) at the top commits to the whole tree.]

slide-18
SLIDE 18

DATA STRUCTURES

Tamper-evident binary-tree = Merkle Tree

[Diagram: the same tree with one path from a leaf to HP(root) highlighted.]

A proof that a node belongs to the tree consists of the hash pointers along the path from that node to the root, O(log n) of them, which a verifier holding only HP(root) can check without seeing the rest of the tree.

slide-19
SLIDE 19

DATA STRUCTURES

Properties               Blockchain         Merkle Tree        Merkle Trie
Size of Commitment       O(1)               O(1)               O(1)
Append a Block/Node      O(1)               O(log n)           O(k)
Update a Block/Node      O(n)               O(log n)           O(k)
Proof of Membership      O(n)               O(log n)           O(k)
Structural Abstraction   List of Objects    Set of Objects     Set of (key, value)
Used for Construction    Bitcoin            Bitcoin            Ethereum

(n = number of blocks or nodes, k = length of the key in the trie.)
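An added implementation (not the deck's code) of the hash pointer, block chain and Merkle tree from the preceding slides, with the O(n) chain check and the O(log n) membership proof from the table. The serialisation, the domain-separation prefixes 0x00 / 0x01 for leaves and inner nodes, and the sample records are choices made here; Bitcoin's own tree hashes transaction ids with double SHA-256 and no such prefix.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Hash pointer and block chain (slides 13-16) ---

@dataclass
class Block:
    prev_hash: bytes        # HP(previous block); all zeros for the genesis block
    data: bytes
    timestamp: int

    def serialize(self) -> bytes:
        # length-prefix every field so two different blocks never serialise identically
        parts = [self.prev_hash, self.data, self.timestamp.to_bytes(8, "big")]
        return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

    def hash(self) -> bytes:
        return H(self.serialize())


def build_chain(records: List[Tuple[bytes, int]]) -> List[Block]:
    chain, prev = [], b"\x00" * 32
    for data, ts in records:
        blk = Block(prev, data, ts)
        chain.append(blk)
        prev = blk.hash()
    return chain


def verify_chain(chain: List[Block], head: bytes) -> bool:
    """Walk back from the last block checking every hash pointer: O(n).
    `head` is the O(1) commitment, the hash of the last block, held separately."""
    expected = head
    for blk in reversed(chain):
        if blk.hash() != expected:
            return False
        expected = blk.prev_hash
    return expected == b"\x00" * 32


# --- Merkle tree with O(log n) membership proofs (slides 17-19) ---

def _level_up(level: List[bytes]) -> List[bytes]:
    if len(level) % 2:
        level = level + [level[-1]]          # duplicate the last node on odd levels, as Bitcoin does
    return [H(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: List[bytes]) -> bytes:
    level = [H(b"\x00" + leaf) for leaf in leaves]   # 0x00 separates leaves from inner nodes
    while len(level) > 1:
        level = _level_up(level)
    return level[0]


def merkle_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from the leaf up to the root; the flag says whether the sibling
    sits to the right. Length is ceil(log2 n)."""
    level = [H(b"\x00" + leaf) for leaf in leaves]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = index ^ 1
        proof.append((level[sib], sib > index))
        level = _level_up(level)
        index //= 2
    return proof


def verify_proof(leaf: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the path with only the leaf, its O(log n) siblings and the committed root."""
    node = H(b"\x00" + leaf)
    for sib, sib_is_right in proof:
        node = H(b"\x01" + node + sib) if sib_is_right else H(b"\x01" + sib + node)
    return node == root


if __name__ == "__main__":
    chain = build_chain([(b"genesis", 1), (b"tx-a", 2), (b"tx-b", 3)])   # constructed records
    head = chain[-1].hash()
    print("chain ok:", verify_chain(chain, head))
    chain[1].data = b"tx-a tampered"
    print("after tamper:", verify_chain(chain, head))
    leaves = [b"tx%d" % i for i in range(5)]
    root = merkle_root(leaves)
    print("tx3 in tree:", verify_proof(b"tx3", merkle_proof(leaves, 3), root))
```

One caveat of the duplicate-last-node rule: a leaf list whose last leaf is repeated yields the same root as the list without the repeat, so a consumer that accepts roots from untrusted peers must also check the leaf count or reject duplicate leaves.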

slide-20
SLIDE 20

QUESTIONS

Can any pointer-based data structure be efficiently converted into a Hash-Pointer based data structure?
Will such an exercise be at all useful in any use case?
Do these structures provide any additional advantage?

slide-21
SLIDE 21

Component 2 : Digital Signature Schemes

slide-22
SLIDE 22

DIGITAL SIGNATURE

Digital signature as a set of three algorithms:

1. (sk, pk) = keygen(n)
2. s = sign(sk, m)
3. verify(pk, m, s) -> True / False

slide-23
SLIDE 23

DIGITAL SIGNATURE

Correctness: for (sk, pk) = keygen(n), verify(pk, m, sign(sk, m)) = True for every message m.

slide-24
SLIDE 24

DIGITAL SIGNATURE

Unforgeability: given pk and access to sign(sk, ·) as an oracle on messages m_i of the adversary's choice, the adversary should not be able to create a valid fresh message-signature pair (m, s) with m not among the queried m_i (existential unforgeability under chosen-message attack, EUF-CMA).

slide-25
SLIDE 25

CONSTRUCTION

Elliptic Curve Digital Signature Algorithm (ECDSA)

ECDSA on the curve E(F_p) = { (x, y) in F_p x F_p | y^2 = x^3 + 7 } (the curve secp256k1)
with base prime p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1

slide-26
SLIDE 26

CONSTRUCTION

Elliptic Curve group of size |E(F_p)| = q ~ p ~ 2^256 (q is prime, so every point other than the identity generates the whole group)

ECDSA on the curve E(F_p) = { (x, y) in F_p x F_p | y^2 = x^3 + 7 }
with base prime p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1

Parameters    Format      Range       Bit-size
sk            random      Z_q         256
pk            sk x G      E(F_p)      512 (x and y uncompressed; 257 bits in compressed form)
m             hash(M)     Z_q         256
Signature     (r, s)      Z_q x Z_q   512
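An added, self-contained ECDSA over secp256k1 (the curve of the two slides) in pure Python. It is demonstration code, not the deck's or Bitcoin's implementation, and its scalar multiplication is not constant-time, so it must not be used with real keys. The domain parameters are the published secp256k1 constants. Beyond keygen / sign / verify it includes the failure mode a practitioner should know: if the per-signature nonce k is ever reused, two signatures reveal sk.

```python
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_p, group order q
p = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(P) -> bool:
    """Reject points off the curve before using them as a public key."""
    if P is None:
        return False
    x, y = P
    return 0 <= x < p and 0 <= y < p and (y * y - x * x * x - 7) % p == 0


def ec_add(P, Q):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % p == 0:                          # P == -Q
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p      # tangent slope; a = 0 so no '+ a' term
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k: int, P):
    """Double-and-add scalar multiplication (variable-time; demo only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def keygen():
    """sk uniformly random in Z_q, pk = sk x G, as in the parameter table above."""
    sk = secrets.randbelow(q - 1) + 1
    return sk, ec_mul(sk, G)


def msg_hash(M: bytes) -> int:
    """m = hash(M) as an element of Z_q; Bitcoin applies SHA-256 twice here."""
    return int.from_bytes(hashlib.sha256(hashlib.sha256(M).digest()).digest(), "big") % q


def sign(sk: int, M: bytes, k: int = None):
    """(r, s) with r = (k x G).x mod q and s = k^-1 (m + r sk) mod q.
    k must be fresh and unpredictable for every signature; the optional k argument
    exists only so the nonce-reuse demonstration below can force a repeat."""
    m = msg_hash(M)
    while True:
        k_used = k if k is not None else secrets.randbelow(q - 1) + 1
        r = ec_mul(k_used, G)[0] % q
        s = pow(k_used, -1, q) * (m + r * sk) % q
        if r and s:
            return r, s
        k = None                                         # astronomically rare: retry with a fresh nonce


def verify(pk, M: bytes, sig) -> bool:
    """(m/s) x G + (r/s) x pk must have x-coordinate r (mod q)."""
    r, s = sig
    if not on_curve(pk) or not (0 < r < q and 0 < s < q):
        return False
    m, w = msg_hash(M), pow(s, -1, q)
    X = ec_add(ec_mul(m * w % q, G), ec_mul(r * w % q, pk))
    return X is not None and X[0] % q == r


def recover_sk_from_nonce_reuse(M1: bytes, sig1, M2: bytes, sig2) -> int:
    """Two signatures under the same k share r; then k = (m1 - m2) / (s1 - s2)
    and sk = (s1 k - m1) / r, all mod q. Nothing secret is needed."""
    (r, s1), (_, s2) = sig1, sig2
    m1, m2 = msg_hash(M1), msg_hash(M2)
    k = (m1 - m2) * pow((s1 - s2) % q, -1, q) % q
    return (s1 * k - m1) * pow(r, -1, q) % q


if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"pay 1 BTC to alice")
    print("valid:", verify(pk, b"pay 1 BTC to alice", sig))
    s1 = sign(sk, b"first message", k=0xC0FFEE)          # deliberately reused nonce
    s2 = sign(sk, b"second message", k=0xC0FFEE)
    print("sk recovered:", recover_sk_from_nonce_reuse(b"first message", s1, b"second message", s2) == sk)
```

Two further points the test below exercises: `ec_mul(q, G)` returns the identity, which is the quick sanity check that the arithmetic and the group order agree, and ECDSA is malleable, since (r, q - s) verifies whenever (r, s) does, which is why Bitcoin imposes its low-s rule on signatures. Production code derives k deterministically from sk and m (RFC 6979) precisely to rule out the reuse shown here.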

slide-27
SLIDE 27

APPLICATION

Publish the public key pk as your Identity.
Use the secret key sk to prove your identity: anyone can check verify(pk, m, sign(sk, m)), and only the holder of sk can produce such an s.

[Diagram: pk is public, sk stays with its owner; the verifier never learns sk.]

slide-28
SLIDE 28

BITCOIN

Blockchain in Practice

slide-29
SLIDE 29

BITCOIN

Ledger of Transactions between Pseudonymous Identities

Semi-Decentralised, Publicly-Verifiable, Tamper-Resistant, Eventually-Consistent

slide-30
SLIDE 30

NOT BITCOIN

Economic Transaction that we are familiar with

[Diagram: a single transaction Tx between two parties.]

slide-31
SLIDE 31

NOT BITCOIN

Centralised Account-based Ledger: one trusted party keeps the account balances and records each Tx.

slide-32
SLIDE 32

NOT BITCOIN

Decentralised Account-based Ledger: every peer keeps a copy of the account balances and of each Tx.

slide-33
SLIDE 33

NOT BITCOIN YET

Decentralised Transaction-based Ledger: every peer keeps the list of transactions Tx Tx Tx ... ; there are no stored balances, the funds an identity controls are whatever earlier transactions paid to it and it has not yet spent.

slide-34
SLIDE 34

TRANSACTION

[Diagram: a Tx signed by its sender; the network verifies the signature.]

slide-35
SLIDE 35

TRANSACTION

[Diagram: the sender signs the Tx with sk; every node verifies it against the matching pk.]

Signed by the holder of sk; the network verifies the signature with pk.

slide-36
SLIDE 36

TRANSACTION

Input : Array of previous Transactions | Output : Array of recipient Addresses

[Diagram: three earlier transactions paid to pk1, pk2 and pk3; their owners sign the new Tx with sk1, sk2 and sk3; the new Tx pays recipients R1, R2 and R3, each identified by a pk.]

Sender(s): the holders of sk1, sk2, sk3. Recipient(s): R1, R2, R3. The network verifies the signature(s).

slide-37
SLIDE 37

TRANSACTION

Input : Array of previous Transactions | Output : Array of recipient Addresses

[Diagram: the same Tx drawn as a record with three parts: Input Transactions, Recipients, Signatures.]

Tx = (Input Transactions, Recipients, Signatures): each input points at an unspent output of an earlier transaction and is signed with the key that output was paid to; each output assigns value to a recipient address. The network verifies every signature and that the outputs do not exceed the inputs, the difference being the miner's fee.

slide-38
SLIDE 38

TRANSACTION

Metadata Input(s) Output(s)

Data obtained from blockchain.info

slide-39
SLIDE 39

LEDGER

Decentralised Transaction-based Ledger

[Diagram: the ledger as a growing sequence of transactions Tx Tx Tx ...]

slide-40
SLIDE 40

BLOCK

Data obtained from blockchain.info

slide-41
SLIDE 41

BLOCK

Data obtained from blockchain.info

slide-42
SLIDE 42

BLOCK

Data obtained from blockchain.info

slide-43
SLIDE 43

BLOCK

Data obtained from blockchain.info

slide-44
SLIDE 44

BLOCK

Data obtained from blockchain.info

slide-45
SLIDE 45

BITCOIN

[Diagram: transactions Tx are gathered into the next block by mining.]

Two activities: Transaction (users move value) and Mining (peers package transactions into blocks).

slide-46
SLIDE 46

MINING

Computational Lottery (Puzzle): given the existing blocks at a given time and the pending transactions m, find r such that hash(r || m) < C.

The winner writes the next block. C is the target: the smaller C, the harder the puzzle, and the only known strategy is to keep trying values of r, so the chance of winning is proportional to hashing power.
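The puzzle above as runnable Python, added here and not taken from the deck. The header layout (previous block hash, Merkle root, 32-bit timestamp, 32-bit nonce) and the expression of C as a count of leading zero bits are simplifications made for the demo; Bitcoin's real header has more fields and encodes the target compactly.

```python
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    """Bitcoin hashes block headers with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target(zero_bits: int) -> int:
    """The constant C of the puzzle, given as 'the hash must start with this many zero
    bits'. Bitcoin stores C in a compact 'bits' field and retunes it every 2016 blocks;
    this toy takes the bit count directly."""
    return 1 << (256 - zero_bits)


def header(prev_hash: bytes, merkle_root: bytes, timestamp: int, nonce: int) -> bytes:
    """r || m of the slide: m is everything the miner commits to (previous block,
    the transactions via their Merkle root, the time), r is the nonce being searched."""
    return prev_hash + merkle_root + struct.pack("<II", timestamp, nonce)


def check_pow(prev_hash, merkle_root, timestamp, nonce, zero_bits) -> bool:
    """Verification costs one hash, so every peer can check a claimed block cheaply."""
    digest = sha256d(header(prev_hash, merkle_root, timestamp, nonce))
    return int.from_bytes(digest, "big") < target(zero_bits)


def mine(prev_hash, merkle_root, timestamp, zero_bits, max_nonce=1 << 32):
    """The lottery: try nonces until hash(r || m) < C. Each try succeeds independently
    with probability 2**-zero_bits, so the expected cost is 2**zero_bits hashes and the
    only way to win more often is to hash faster."""
    C = target(zero_bits)
    for nonce in range(max_nonce):
        digest = sha256d(header(prev_hash, merkle_root, timestamp, nonce))
        if int.from_bytes(digest, "big") < C:
            return nonce, digest
    return None, None


if __name__ == "__main__":
    prev = b"\x00" * 32                                          # constructed genesis pointer
    root = hashlib.sha256(b"constructed merkle root").digest()   # stands in for the tx set
    nonce, digest = mine(prev, root, 1_700_000_000, 18)
    print("nonce", nonce, "hash", digest.hex())
    print("valid:", check_pow(prev, root, 1_700_000_000, nonce, 18))
    # Replacing a single transaction changes the Merkle root and voids the solution.
    print("after tamper:", check_pow(prev, hashlib.sha256(b"x").digest(), 1_700_000_000, nonce, 18))
```

Because the previous block's hash is inside the header, rewriting an old block also invalidates every solution found after it, which is what turns the hash-pointer chain of the earlier slides from tamper-evident into tamper-resistant.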

slide-47
SLIDE 47

MINING

Data obtained from blockchain.info

slide-48
SLIDE 48

MINING

Data obtained from blockchain.info

slide-49
SLIDE 49

MINING

Data obtained from blockchain.info

slide-50
SLIDE 50

MINING

Data obtained from blockchain.info

slide-51
SLIDE 51

MINING

Data obtained from blockchain.info

slide-52
SLIDE 52

BITCOIN

[Diagram: transactions Tx are gathered into the next block by mining.]

Two activities: Transaction and Mining.

slide-53
SLIDE 53

BITCOIN

Framework — Decentralised peer-to-peer collaborative network
 Goal : All peers should agree on a sequence of transactions

slide-54
SLIDE 54

BITCOIN

Publicly-Verifiable: as the complete ledger and the hash function are public, anyone can recompute every hash pointer and every signature check.

slide-55
SLIDE 55

BITCOIN

Tamper-Evident / Tamper-Resistant: as the ledger is connected through a chain of hash pointers, altering any block breaks every hash pointer after it.

[Diagram: a chain of blocks in which every block after the altered one is marked X.]

Tamper-evident because the broken pointers are detected by anyone who verifies; tamper-resistant because repairing them means redoing the proof-of-work of every later block.

slide-56
SLIDE 56

BITCOIN

Eventually-Consistent: as the longest chain eventually sustains as the main chain. Peers may briefly disagree when two blocks are found at nearly the same time, but everyone extends the chain with the most accumulated proof-of-work (in practice the longest one), so the competing branch is abandoned and all peers converge.

slide-57
SLIDE 57

BITCOIN

Data obtained from blockchain.info

slide-58
SLIDE 58

BITCOIN

Data obtained from blockchain.info

slide-59
SLIDE 59

BITCOIN

Data obtained from blockchain.info

slide-60
SLIDE 60

BITCOIN

Semi-Decentralised: as the mining is dominated by computational power, which concentrates in a small number of large mining pools.

slide-61
SLIDE 61

BITCOIN

Data obtained from blockchain.info

slide-62
SLIDE 62

BITCOIN

Data obtained from blockchain.info

slide-63
SLIDE 63

Robin Yao (BW), Wang Chun (F2Pool), Marshall Long (FinalHash), Pan Zhibiao (Bitmain) Liu Xiang Fu (Avalon), Sam Cole (KnCMiner) and Alex Petrov (BitFury)

slide-64
SLIDE 64

BITCOIN

Semi-Decentralised Publicly-Verifiable
 Tamper-Resistant Eventually-Consistent

slide-65
SLIDE 65

ECONOMICS

The success story of Bitcoin

slide-66
SLIDE 66

BITCOIN

Data obtained from blockchain.info

slide-67
SLIDE 67

BITCOIN

Data obtained from blockchain.info

slide-68
SLIDE 68

BITCOIN

Data obtained from blockchain.info

slide-69
SLIDE 69

BITCOIN

Data obtained from blockchain.info

slide-70
SLIDE 70

BITCOIN

Data obtained from blockchain.info

slide-71
SLIDE 71

BITCOIN

Data obtained from blockchain.info

slide-72
SLIDE 72

SECURITY

The threat from Bitcoin

slide-73
SLIDE 73

BITCOIN

Transactions : Completely transparent and public
Identities : Opaque and pseudonymous addresses
~ 170 Million bitcoin addresses
~ 150 Million bitcoin transactions
~ 80 GB of compressed raw data
~ 80% of transactions have < 2 inputs (i.e. a single input)
~ 90% of transactions have < 3 outputs

slide-74
SLIDE 74

BITCOIN

slide-75
SLIDE 75

BITCOIN

Identities : Opaque and pseudonymous addresses
Anyone can create arbitrarily many identities
All identities "look" the same on the network
~ 170 Million bitcoin addresses
~ 150 Million bitcoin transactions

Provides "anonymity" of Bitcoin transactions (the quotes are deliberate: addresses are pseudonyms, and the transaction graph that links them is public).

slide-76
SLIDE 76

BITCOIN

Data obtained from blockchain.info

slide-77
SLIDE 77

BITCOIN

Data obtained from blockchain.info

slide-78
SLIDE 78

BITCOIN

Data obtained from blockchain.info

slide-79
SLIDE 79

Dark Marketplaces to buy-and-sell Drugs

slide-80
SLIDE 80

Dark Marketplaces to buy-and-sell Guns and Fake ID

slide-81
SLIDE 81

BITCOIN

Identities : Opaque and pseudonymous addresses
Anyone can create arbitrarily many identities
All identities "look" the same on the network
~ 170 Million bitcoin addresses
~ 150 Million bitcoin transactions

Is it still possible to trace transactions and identities?

slide-82
SLIDE 82

DE-ANONYMIZATION

Potential solution to the threat from Anonymity

slide-83
SLIDE 83

TRANSACTION

[Diagram: a general Tx with senders S1, S2, ..., Sn on the input side and recipients R1, R2, ..., Rm on the output side.]

slide-84
SLIDE 84

EXAMPLE #1

Tx with one sender S1 and one recipient R1. Addresses involved:
1FLa9NcXJPA2XvF34LRuB4zbXX4Ws32dpL
18rdKmjrg1EawxgiVT3ikLExj6GWS2MNCk

Note : Single recipient with an exact match of input to output, highly unlikely for a payment to a third party; the two addresses are plausibly controlled by the same owner.

slide-85
SLIDE 85

EXAMPLE #2

Tx with one sender S1 and two recipients R1, R2. Addresses involved:
1Ao6mKMEXxCVNVAuGjfLXZ3Zf43hd3yAEq
16pDB5bvoqRGvoH32GaJLfsEcaMc2T9xDr
1H3bY2Cv1pmn8ffTdyeRvZAUjNJC1giQHm

Note : Nice complete denomination along with a random change; the round amount is the payment, the odd amount goes back to the sender as change.

slide-86
SLIDE 86

EXAMPLE #3

Tx with one sender S1 and two recipients R1, R2. Addresses involved:
1PXzMrz8KBNEkTt3Wnuqy4axiWszbyQKyE
1AASWBCGveXH6H5yTCZW2x7uZrawDiqp4U
19onWuLmjXGVfc7oUAEVuy9Yd3jxqhsUbK

Note : 0.01121504 BTC = 6.50 USD at the time of transaction: an amount that looks random in BTC is round in fiat, so it is the payment and the other output is the change.

slide-87
SLIDE 87

EXAMPLE #4

Tx with two senders S1, S2 and one recipient R1. Addresses involved:
19SZcQ2CzJacQZE9rYwQjsfcBKMWDNwBWD
1PLjv1VzGEKxtM2FnRzg2FmDjen9trUBrh
13Zjnzx8VxtLUEiYcrVXKp5sLucLMvBqaG

Note : Two arbitrary inputs exactly match up to a desired output, highly unlikely unless one party chose both inputs; the two sender addresses are plausibly owned by the same entity.

slide-88
SLIDE 88

EXAMPLE #5

Tx with two senders S1, S2 and two recipients R1, R2. Addresses involved:
1Djvb34FNpNXtrbbjaQeERZf68cyUdWyzd
1Nq612zwhEZDBNz2AeWKZxD6LvwiLm6cQU
1AffmSG4tcNRjcgTWTnS6TM3cWPeeA9EVd
17atn5sagYRBUvzgFLd9bUjWF4yStkdokW

Amounts shown in USD: 6.13, 6.03, 4.10, 7.95 (presumably 6.13 + 6.03 in and 4.10 + 7.95 out, the difference being the fee).

Note : Two input transactions coupled for a payment plus some random change.

slide-89
SLIDE 89

CLUSTERING

The fifteen addresses from Examples #1 to #5, grouped into clusters by the heuristics above:
1FLa9NcXJPA2XvF34LRuB4zbXX4Ws32dpL
18rdKmjrg1EawxgiVT3ikLExj6GWS2MNCk
1Ao6mKMEXxCVNVAuGjfLXZ3Zf43hd3yAEq
16pDB5bvoqRGvoH32GaJLfsEcaMc2T9xDr
1H3bY2Cv1pmn8ffTdyeRvZAUjNJC1giQHm
1PXzMrz8KBNEkTt3Wnuqy4axiWszbyQKyE
1AASWBCGveXH6H5yTCZW2x7uZrawDiqp4U
19onWuLmjXGVfc7oUAEVuy9Yd3jxqhsUbK
19SZcQ2CzJacQZE9rYwQjsfcBKMWDNwBWD
1PLjv1VzGEKxtM2FnRzg2FmDjen9trUBrh
13Zjnzx8VxtLUEiYcrVXKp5sLucLMvBqaG
1Djvb34FNpNXtrbbjaQeERZf68cyUdWyzd
1Nq612zwhEZDBNz2AeWKZxD6LvwiLm6cQU
1AffmSG4tcNRjcgTWTnS6TM3cWPeeA9EVd
17atn5sagYRBUvzgFLd9bUjWF4yStkdokW

slide-90
SLIDE 90

IDENTIFICATION

The same fifteen addresses, now with the clusters attached to real-world identities wherever one address in a cluster is known:
1FLa9NcXJPA2XvF34LRuB4zbXX4Ws32dpL
18rdKmjrg1EawxgiVT3ikLExj6GWS2MNCk
1Ao6mKMEXxCVNVAuGjfLXZ3Zf43hd3yAEq
16pDB5bvoqRGvoH32GaJLfsEcaMc2T9xDr
1H3bY2Cv1pmn8ffTdyeRvZAUjNJC1giQHm
1PXzMrz8KBNEkTt3Wnuqy4axiWszbyQKyE
1AASWBCGveXH6H5yTCZW2x7uZrawDiqp4U
19onWuLmjXGVfc7oUAEVuy9Yd3jxqhsUbK
19SZcQ2CzJacQZE9rYwQjsfcBKMWDNwBWD
1PLjv1VzGEKxtM2FnRzg2FmDjen9trUBrh
13Zjnzx8VxtLUEiYcrVXKp5sLucLMvBqaG
1Djvb34FNpNXtrbbjaQeERZf68cyUdWyzd
1Nq612zwhEZDBNz2AeWKZxD6LvwiLm6cQU
1AffmSG4tcNRjcgTWTnS6TM3cWPeeA9EVd
17atn5sagYRBUvzgFLd9bUjWF4yStkdokW

slide-91
SLIDE 91

CLUSTERING

The Unreasonable Effectiveness of Address Clustering — Harrigan and Fretter, May 2016

slide-92
SLIDE 92

DE-ANONYMIZATION

Passive : Analytics on 80 GB of Bitcoin blockchain data
  - Clustering of Bitcoin Addresses with suitable definition of Metrics
  - Identification of the Clusters using known and/or leaked Addresses

Active : Injecting and tracking marked Bitcoin transactions
  - Registering on Dark Marketplaces, Exchanges, and Mining Pools
  - Using Addresses leaked from all these sources for Identification

Elliptic (https://www.elliptic.co/) does something similar in the UK.
We should try to build our own tool for de-anonymization.
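An added example, not the deck's or anyone's tool: the two address-clustering heuristics that Examples #1 to #5 above rely on, implemented with union-find over a constructed ledger. The address labels S1..S5 and R1..R6 and all amounts are placeholders made up for the demo, not real Bitcoin addresses or transactions. `identify` is the second step of the passive approach: one known or leaked address labels its whole cluster.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Tx(NamedTuple):
    txid: str
    inputs: Dict[str, float]    # address that signed -> value of the output it spends (BTC)
    outputs: Dict[str, float]   # recipient address -> value (BTC)


class UnionFind:
    """Disjoint sets over addresses; clusters grow as heuristics link addresses."""
    def __init__(self):
        self.parent: Dict[str, str] = {}

    def find(self, a: str) -> str:
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]   # path halving
            a = self.parent[a]
        return a

    def union(self, a: str, b: str) -> None:
        self.parent[self.find(a)] = self.find(b)


def is_round(btc: float) -> bool:
    """'Nice complete denomination': a multiple of 0.01 BTC. A real tool would also
    test for round amounts in fiat at the day's exchange rate (Example #3)."""
    return abs(btc - round(btc, 2)) < 1e-9


def cluster(txs: List[Tx]) -> Dict[str, frozenset]:
    """Map every address to the cluster it ends up in."""
    uf, seen = UnionFind(), set()
    for tx in txs:
        ins = list(tx.inputs)
        for addr in ins[1:]:                 # H1 (Examples #4, #5): all inputs of one
            uf.union(ins[0], addr)           # transaction are signed by the same owner
        seen.update(ins)
        outs = list(tx.outputs.items())
        if len(outs) == 2:                   # H2 (Examples #2, #3, #5): payment + change
            (a1, v1), (a2, v2) = outs
            if is_round(v1) and not is_round(v2) and a2 not in seen:
                uf.union(ins[0], a2)         # the fresh, odd-valued output is the change
            elif is_round(v2) and not is_round(v1) and a1 not in seen:
                uf.union(ins[0], a1)
        seen.update(tx.outputs)
    groups = defaultdict(set)
    for addr in seen:
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(g) for g in groups.values() for addr in g}


def identify(clusters: Dict[str, frozenset], known: Dict[str, str]) -> Dict[str, str]:
    """Propagate a label attached to one address (leaked, or obtained by registering
    somewhere) to every address in its cluster."""
    labels = {}
    for addr, label in known.items():
        for member in clusters.get(addr, frozenset({addr})):
            labels[member] = label
    return labels


# Constructed sample ledger mirroring the slide examples (placeholder labels, not real addresses).
TXS = [
    Tx("t1", {"S1": 0.5}, {"R1": 0.5}),                                  # Example #1
    Tx("t2", {"S2": 1.3}, {"R2": 1.0, "R3": 0.29987}),                   # Example #2: 1.0 paid, 0.29987 change
    Tx("t3", {"S3": 0.4, "S4": 0.7}, {"R4": 1.0998}),                    # Example #4: two inputs coupled
    Tx("t4", {"R3": 0.29987, "S5": 0.05}, {"R5": 0.25, "R6": 0.0998}),   # Example #5: change R3 spent again
]

if __name__ == "__main__":
    clusters = cluster(TXS)
    for group in sorted({tuple(sorted(g)) for g in clusters.values()}):
        print(group)
    print(identify(clusters, {"S5": "deposit address registered at an exchange"}))
```

Example #1 deliberately produces no link: one input and one output is consistent with a self-transfer but also with an ordinary payment, so a tool should record it as weak evidence rather than merge the clusters. Both heuristics have known false positives: H1 is defeated by transactions that several unrelated parties sign jointly (CoinJoin-style mixing), and H2 misfires for wallets that reuse addresses or happen to produce round change, so clusters should carry a confidence rather than be treated as proof.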

slide-93
SLIDE 93

BLOCKCHAIN

Versatile Toolkit for Protocols

slide-94
SLIDE 94

TRANSACTION

Input : Array of previous Transactions | Output : Array of recipient Addresses

[Diagram: three earlier transactions paid to pk1, pk2 and pk3; their owners sign the new Tx with sk1, sk2 and sk3; the new Tx pays recipients R1, R2 and R3, each identified by a pk.]

Tx = (Input Transactions, Recipients, Signatures). The network verifies the signature(s).

slide-95
SLIDE 95

TRANSACTION

Metadata Input(s) Output(s)

Data obtained from blockchain.info

slide-96
SLIDE 96

BITCOIN SCRIPT

Data obtained from blockchain.info

slide-97
SLIDE 97

POTENTIAL

With a powerful Scripting Language

slide-98
SLIDE 98

Developing “Smart Contracts” on Blockchain

slide-99
SLIDE 99

Ethereum Smart Contracts, Proof of Space, Retricoin, Namecoin, Proof of Retrievability, Proof of Stake, Proof of Commitment, Bitcoin-NG, Perma-Coin, RSCoin, SpaceMint, GHOST, ZeroCoin, Zcash, Smart Properties, Proof of Existence, ADePT, Ripple, BitShares, Factom, BigchainDB, OneName, OpenBazaar, BitGold, BitNation, BitHealth

slide-100
SLIDE 100

Thank you for listening!

“Bitcoin is an idea with disruptive ramifications.”