Introduction to blockchain technology, using Bitcoin as an example
TRANSCRIPT
BLOCKCHAIN
CRYPTOGRAPHY: HASH
ENCRYPTION
DECENTRALIZATION
BITCOIN
1. Decentralized
2. Anonymous
3. Completely transparent
4. Lower fees
5. Easy to use
Agenda
• Block Structure
• Key, Address and Wallet
• Transaction
• Mining and Consensus
• Network
BLOCK
Chain of Blocks; inside a block: HASH, Merkle Tree
Chain of Blocks: starting from the Genesis Block, each block carries the hash of the previous block (e.g. prev #8FA)
That is all you need!
Inside a block: Merkle Tree
What's a Merkle Tree? A binary hash tree built over the data (the transactions)
How to locate a transaction: assume N transactions in the Merkle tree (A to P in the figure); we need O(log N) hashes to construct a path that verifies whether a transaction exists here
authentication path: HL, HIJ, HMNOP, HABCDEFGH
Efficient and secure verification of the content
Block Header?
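An added example (not from the slides) of the Merkle tree and the O(log N) authentication path described above: building the tree, extracting the sibling hashes for one leaf, and recomputing the root from them. Double SHA-256 and duplicating the last node of an odd level follow Bitcoin; the 16 transactions A..P are constructed sample data.

```python
import hashlib

def sha256d(data: bytes) -> bytes:
    """Bitcoin hashes Merkle nodes with double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_levels(txs):
    """All tree levels, leaf hashes first, root last. An odd level gets its last
    node duplicated, as Bitcoin does."""
    level = [sha256d(tx) for tx in txs]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_root(txs) -> bytes:
    return merkle_levels(txs)[-1][0]

def auth_path(txs, index):
    """Sibling hashes from the leaf up to the root: O(log N) hashes. For leaf K
    (index 10 of A..P) this is H_L, H_IJ, H_MNOP, H_ABCDEFGH, as on the slide."""
    path = []
    for level in merkle_levels(txs)[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling_is_right = index % 2 == 0
        path.append((level[index ^ 1], sibling_is_right))
        index //= 2
    return path

def verify_inclusion(tx: bytes, path, root: bytes) -> bool:
    """Recompute the root from the leaf and its authentication path only; an SPV client
    needs nothing else from the block body."""
    h = sha256d(tx)
    for sibling, sibling_is_right in path:
        h = sha256d(h + sibling) if sibling_is_right else sha256d(sibling + h)
    return h == root

# constructed sample: 16 transactions A..P
TXS = [f"tx{c}".encode() for c in "ABCDEFGHIJKLMNOP"]
```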
KEY
Private Key -> Public Key ≒ Address
PRIVATE KEY
• SINGLE SHA256 (slide example: the passphrase BlockChainForTheWIN hashed once gives the private key below, shown in WIF)
  5KjTnMMnFKd2rWZKejXXkWWkd1LJwhnHrKpBxXujRvr8nTjZwp6
PUBLIC KEY: ECDSA
• Curve: y^2 mod p = x^3 + 7 mod p
• G: base point
• p: prime number
ADDRESS
• HASH160
• BASE58 ENCODING
  public key: 04f29a7f486c90281f9396945e99ab35e2ed732c008ada71e8e745da38dc63ac97b723fe731555dfba9dd60c0cc8fbc8f26c35739f10c068125e6394839a47eb1e
  HASH160: 7c4c8fc7afbf33660bef88460b8ef86bcc9d1134
  address: 1CLEWPDWRkTV2wEKZsDGPUWR1yXZwxsPQk
KEY (PUBLIC): COMPRESSED vs UNCOMPRESSED
• a public key is a point (x, y) on the curve
• uncompressed: k = 04 x y (130 hex digits)
• compressed: k = 02 x if y is even, k = 03 x if y is odd (66 hex digits)
  uncompressed: 04f29a7f486c90281f9396945e99ab35e2ed732c008ada71e8e745da38dc63ac97b723fe731555dfba9dd60c0cc8fbc8f26c35739f10c068125e6394839a47eb1e
  compressed: 02f29a7f486c90281f9396945e99ab35e2ed732c008ada71e8e745da38dc63ac97
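An added example (not from the slides) of the public-key compression rule above and of the HASH160 + Base58Check address construction from the ADDRESS slide; the public key and HASH160 value are the ones printed on the slides, and the decode function shows why the 4-byte checksum catches a mistyped address.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# values from the slide
SLIDE_PUBKEY = ("04f29a7f486c90281f9396945e99ab35e2ed732c008ada71e8e745da38dc63ac97"
                "b723fe731555dfba9dd60c0cc8fbc8f26c35739f10c068125e6394839a47eb1e")
SLIDE_HASH160 = "7c4c8fc7afbf33660bef88460b8ef86bcc9d1134"

def compress_pubkey(uncompressed_hex: str) -> str:
    """04 || x || y (130 hex digits) -> 02 || x if y is even, 03 || x if y is odd (66 hex digits)."""
    if len(uncompressed_hex) != 130 or not uncompressed_hex.startswith("04"):
        raise ValueError("expected an uncompressed SEC public key")
    x, y = uncompressed_hex[2:66], uncompressed_hex[66:]
    return ("02" if int(y, 16) % 2 == 0 else "03") + x

def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(data)); needs an OpenSSL build that still provides ripemd160."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()

def base58check_encode(payload: bytes) -> str:
    """payload || first 4 bytes of SHA256(SHA256(payload)), written in base 58."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))   # each leading zero byte becomes a '1'
    return "1" * pad + out

def base58check_decode(s: str) -> bytes:
    """Inverse of the above; raises if the checksum does not match (typo protection)."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    pad = len(s) - len(s.lstrip("1"))
    data = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    payload, checksum = data[:-4], data[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("bad Base58Check checksum")
    return payload

def p2pkh_address(pubkey_hex: str) -> str:
    """Version byte 0x00 || HASH160(public key), Base58Check: the slide's '1...' address."""
    return base58check_encode(b"\x00" + hash160(bytes.fromhex(pubkey_hex)))
```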
WALLET
• Non-deterministic wallet: randomly generated keys
• Deterministic wallet (seeded wallet)
Mnemonic Code Words
1. Create a random sequence (entropy) of 128 to 256 bits
2. Create a checksum of the random sequence by taking the first few bits of its SHA256 hash
3. Add the checksum to the end of the random sequence
4. Divide the sequence into sections of 11 bits, using those to index a dictionary of 2048 pre-defined words
5. Produce 12-24 words representing the mnemonic code
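An added example (not from the slides) of steps 2 to 5 above, with the reverse check a wallet performs when the words are typed back in. The checksum length is ENT/32 bits, as in BIP39, so 128 bits of entropy give 12 words and 256 bits give 24; the 2048-word dictionary is not embedded, so the functions work on word indexes.

```python
import hashlib

def entropy_to_indices(entropy: bytes) -> list:
    """Steps 2-4: checksum = first ENT/32 bits of SHA256(entropy), appended to the entropy;
    the result is cut into 11-bit groups, each an index into the 2048-word list."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32                               # 4 bits for 128, 8 bits for 256
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits                             # always a multiple of 11
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]

def indices_to_entropy(indices: list):
    """Reverse step: reassemble the bits, split off the checksum and recompute it.
    Returns the entropy, or None if the checksum does not match (a wrong or misordered word)."""
    total = len(indices) * 11
    ent_bits = total * 32 // 33
    cs_bits = total - ent_bits
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return entropy if (bits & ((1 << cs_bits) - 1)) == expected else None

def indices_to_words(indices: list, wordlist: list) -> list:
    """Step 5: look each index up in the 2048-word dictionary (the BIP39 list, supplied by the caller)."""
    if len(wordlist) != 2048:
        raise ValueError("need the 2048-word dictionary")
    return [wordlist[i] for i in indices]
```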
Hierarchical Deterministic Wallets
• each parent key can have 4 billion child keys
• the tree structure can be used to express additional organizational meaning
• users can create a sequence of public keys without having access to the corresponding private keys
• useful on an insecure server or in a receive-only capacity
• derivation inputs: parent private key and public key (256 bit), a seed called the chain code (256 bit), an index number (32 bit)
• Extended keys: key + chain code
• Potential problems
• Solution: hardened child key derivation
  • use the parent private key to derive the child chain code
  • best practice: the level-1 children of the master keys are always derived through hardened derivation, to prevent compromise of the master keys
• Index numbers for normal and hardened derivation
  • Normal: 0 ~ 2^31 - 1, first one displayed as 0
  • Hardened: 2^31 ~ 2^32 - 1, first one displayed as 0'
• HD wallet key identifier (path)
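An added example (not from the slides) of the hardened derivation and index numbering just described, following BIP32: the master key comes from an HMAC-SHA512 of the seed, a hardened child is derived from the parent private key, chain code and index, and a path like m/44'/0'/0' is parsed into its 32-bit indexes. Normal derivation is deliberately left out because it needs secp256k1 point arithmetic; the seed is constructed sample data.

```python
import hmac, hashlib

# secp256k1 group order n (a public curve constant); child private keys are reduced mod n
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 1 << 31

def master_key(seed: bytes):
    """BIP32 master: HMAC-SHA512 keyed with 'Bitcoin seed'; left half = key, right half = chain code."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]

def ckd_priv_hardened(k_par: int, c_par: bytes, index: int):
    """Hardened child: data = 0x00 || parent private key || index. The parent public key is never
    used, so holding only the parent public key and chain code cannot yield these children."""
    if index < HARDENED:
        raise ValueError("normal (non-hardened) index; that derivation uses the parent public key")
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    k_child = (il + k_par) % N
    if il >= N or k_child == 0:              # BIP32: invalid child, move on to the next index
        raise ValueError("invalid child, use the next index")
    return k_child, i[32:]

def index_to_str(index: int) -> str:
    """Display rule from the slide: 2^31 shows as 0', 2^31 + 44 as 44'."""
    return f"{index - HARDENED}'" if index >= HARDENED else str(index)

def parse_path(path: str):
    """'m/44'/0'/0'' -> [2^31 + 44, 2^31, 2^31]; 'h' or 'H' also mark a hardened index."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    out = []
    for p in parts[1:]:
        hardened = p[-1] in "'hH"
        out.append(int(p[:-1] if hardened else p) + (HARDENED if hardened else 0))
    return out

def derive_hardened_path(seed: bytes, path: str):
    """Walk an all-hardened path such as m/44'/0'/0' from the seed; returns (private key, chain code)."""
    k, c = master_key(seed)
    for index in parse_path(path):
        k, c = ckd_priv_hardened(k, c, index)
    return k, c
```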
FORMAT
Key Format
• Private key
  • Wallet Import Format (WIF): a way of encoding a private key so as to make it easier to copy
• Public key
Other Format
• Encrypted private key
  • private key (usually in WIF) + passphrase
  • => Base58Check-encoded encrypted private key with the prefix 6P
  • the passphrase is needed to decrypt
TRANSACTION
Life Cycle
• the most important thing in the Bitcoin network
• all designs in Bitcoin are created for a transaction's creation, broadcast and verification
• life cycle: CREATED -> SIGNED -> BROADCASTED -> VERIFIED AND COLLECTED
• every node will send a validated transaction to its 3~4 neighbors
UTXO: Unspent Transaction Output
• locked to a specific owner
• there is no balance of a Bitcoin address account; only scattered UTXOs
• the balance is the sum of the UTXOs of that address
Account-based ledger:
  Alice transfers $10 to me
  Bob transfers $5 to me
  I transfer $13 to David
  I transfer $10 to Alice
Transaction-based ledger:
  Input from a1, $10, to me
  Input from b1, $5, to me
  Input from c1, c2, $13, to David
  Input from c3, $5, to Alice
• only need to verify the output of a specific transaction
• efficient verification
• consolidating funds: merge my own coins together into one address
• joint payments: combine payments from multiple persons
• change address: the change is sent to another address
Structure
• Metadata
  • Locktime: the earliest time that a transaction is valid and can be relayed on the network or added to the blockchain
    • = 0: no locktime limit
    • < 500 million: block height
    • > 500 million: Unix epoch timestamp
• Input: UTXO
• Output
Script
• Output (locking script)
• Input (unlocking script)
• How to unlock? concatenate the input script with the output script
• 5 standard transaction types
  • Pay-to-public-key-hash (P2PKH): the majority
  • Public-key
  • Multi-Signature
  • Pay-to-Script-Hash (P2SH)
  • Data Output (OP_RETURN)
Script
• Pay-to-public-key-hash (P2PKH): the majority
• Public-key
  • the public key is stored in the locking script rather than the public key hash
  • generated by older mining software that has not been updated to use P2PKH
• Multi-Signature
  • locking script: M <Public Key 1> <Public Key 2> ... <Public Key N> N OP_CHECKMULTISIG
  • unlocking script: OP_0 <Signature B> <Signature C>
• Data Output (OP_RETURN)
  • allows developers to add 40 bytes of non-payment data to a transaction output
  • un-spendable output
• Pay-to-Script-Hash (P2SH)
  • pay to a script matching this hash, a script which will be presented later when this output is spent
  • P2SH addresses are Base58Check encodings of the 20-byte hash of a script
  • use version prefix 5, which results in Base58Check-encoded addresses starting with 3
  • the redeem script can be invalid, which will result in un-spendable bitcoin
  • advantage: nodes keep fewer records
Transaction Fee
• = sum of inputs - sum of outputs
• independent of the transaction's bitcoin value, but generally determined by the size of the transaction
• others are more willing to put a transaction into a block if its fee is high
• is used to stop spam transactions and DDoS
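An added example (not from the slides) tying together the UTXO slides, the locktime rule from the Structure slide and the fee rule above: a UTXO set keyed by (txid, output index), a validator that rejects unknown or already-spent inputs and outputs exceeding inputs, and the slide's ledger scenario, where the implicit difference between inputs and outputs is the fee. The "spender" argument is an assumption standing in for the signature check; amounts are the slide's figures.

```python
from dataclasses import dataclass

LOCKTIME_THRESHOLD = 500_000_000    # below: block height; at or above: Unix timestamp

@dataclass(frozen=True)
class Outpoint:                     # output number vout of transaction txid
    txid: str
    vout: int

@dataclass(frozen=True)
class Output:                       # value, locked to one owner (an address)
    value: int
    owner: str

def is_final(locktime: int, height: int, now: int) -> bool:
    """Locktime 0 means no limit; otherwise Bitcoin requires locktime < current height/time."""
    return locktime == 0 or locktime < (height if locktime < LOCKTIME_THRESHOLD else now)

def apply_tx(utxos, txid, inputs, outputs, spender, height, now, locktime=0) -> int:
    """Validate a transaction against the UTXO set, apply it, and return the fee it pays.
    'spender' stands in for the signature that proves ownership of each input."""
    if not is_final(locktime, height, now):
        raise ValueError("locktime not yet reached")
    remaining, total_in = dict(utxos), 0
    for op in inputs:
        out = remaining.pop(op, None)   # None: never existed, already spent, or repeated here
        if out is None or out.owner != spender:
            raise ValueError(f"{op} is not an unspent output owned by {spender}")
        total_in += out.value
    total_out = sum(o.value for o in outputs)
    if any(o.value < 0 for o in outputs) or total_out > total_in:
        raise ValueError("outputs exceed inputs")
    utxos.clear()
    utxos.update(remaining)
    for i, o in enumerate(outputs):
        utxos[Outpoint(txid, i)] = o
    return total_in - total_out         # fee = inputs - outputs, collected by the miner

def balance(utxos, owner) -> int:
    """No account balance exists; it is the sum of the owner's scattered UTXOs."""
    return sum(o.value for o in utxos.values() if o.owner == owner)

def slide_ledger():
    """a1 and b1 pay me; I pay David 13 with change 1 back to me (fee 1); a second
    attempt to spend a1 is rejected as a double spend."""
    utxos = {Outpoint("a1", 0): Output(10, "me"), Outpoint("b1", 0): Output(5, "me")}
    fee = apply_tx(utxos, "c", list(utxos), [Output(13, "David"), Output(1, "me")], "me", 100, 0)
    try:
        apply_tx(utxos, "d", [Outpoint("a1", 0)], [Output(10, "Alice")], "me", 100, 0)
        rejected = False
    except ValueError:
        rejected = True
    return utxos, fee, rejected
```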
MINING AND CONSENSUS
MINER
Task of Bitcoin Miners
• maintain the block chain and listen for new blocks
• listen for transactions: listen and validate
• assemble a new block
• compute the answer (nonce) and broadcast the block
Proof of Work
• like the spam email check
• difficult to produce but easy to verify
• a base string + nonce -> hash
• nonce: number used only once
• base string: Hello, world!
• target: the hash begins with a certain number of zeros
Difficulty
• on average 10 minutes per block generation
• that target determines the difficulty
• adjusted every 2 weeks
• next_difficulty = previous_difficulty * (2 weeks) / (time to mine the last 2016 blocks)
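An added example (not from the slides) of the Proof of Work search on the slide's base string "Hello, world!" and of the difficulty formula above. The target is expressed as leading hex zeros; the factor-of-4 clamp in next_difficulty is Bitcoin's rule and is not on the slide.

```python
import hashlib

def pow_hash(base: str, nonce: int) -> str:
    """Hash of base string + nonce, as on the slide (SHA-256, hex)."""
    return hashlib.sha256(f"{base}{nonce}".encode()).hexdigest()

def meets_target(digest_hex: str, zeros: int) -> bool:
    """Target: the hash begins with a given number of hex zeros (4 bits each)."""
    return digest_hex.startswith("0" * zeros)

def mine(base: str, zeros: int, max_tries: int = 1_000_000):
    """Producer side: try nonces 0, 1, 2, ... until one meets the target (about 16**zeros
    tries on average). Returns the nonce, or None if max_tries is exhausted."""
    for nonce in range(max_tries):
        if meets_target(pow_hash(base, nonce), zeros):
            return nonce
    return None

def verify(base: str, nonce: int, zeros: int) -> bool:
    """Verifier side: a single hash, no search."""
    return meets_target(pow_hash(base, nonce), zeros)

TWO_WEEKS = 14 * 24 * 60 * 60   # seconds; 2016 blocks at one per 10 minutes

def next_difficulty(previous_difficulty: float, actual_seconds: float) -> float:
    """The slide's rule: previous * (2 weeks) / (time the last 2016 blocks took).
    Bitcoin also limits the change to a factor of 4 per period (not on the slide)."""
    actual = min(max(actual_seconds, TWO_WEEKS / 4), TWO_WEEKS * 4)
    return previous_difficulty * TWO_WEEKS / actual
```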
Coinbase Transaction
• a null hash pointer
• a parameter containing arbitrary data, usually used to signal support by miners for different new features (a vote); BIP: Bitcoin Improvement Proposal
• value contains the block reward and all the transaction fees of the block
• eventually only the transaction fees are left
Broadcast
• previous block hash value + nonce
• put the nonce into the block header
• broadcast to the network
• easy to verify by other miners
THREAT
Problem & Attack
• steal bitcoin?
  • protected by digital signatures
  • steal private keys
• fork
  • P2P network latency
  • miners will go with the main (longest) chain
  • a block loses if it is not on the main chain
• double-spend attack?
  • a block is generated about every 10 minutes
  • should wait at least 6 blocks (confirmations)
• Sybil attacks
  • refuse to relay blocks and transactions, disconnecting you from the network
  • open to double-spending attacks
• 51% attack
  • could change the main chain
APPLICATION
Application of Bitcoin
• Escrow application
  • MULTISIG and a third party
• green address
  • bank-controlled address
  • the bank guarantees it will not double-spend (a real-world guarantee), so the recipient does not have to worry about confirmations of the transaction, which would take an hour
  • trackable
• micro-payment
  • bond: broadcast by the recipient in the beginning
  • refund: MULTISIG, requires both sender and receiver to sign; spends the money of the bond, transferring it to both sender and recipient
  • lock time: set the time t; if the recipient fails to broadcast the payment by t, the sender can get the whole amount back instead of the money being held hostage by the recipient
(Figure: micro-payment bond and refund flow between A and B, amount 100)
Ecosystem, a cyclic nature (figure): Value, Security, Mining, Digital Signature, Tamper-resistant, Market Price, Massive Users
Mining History
• CPU mining
  • while loop
  • too slow
• GPU mining
  • parallelism, overclocking
  • floating point units, power consuming, cooling
• FPGA mining
  • Field Programmable Gate Array, Verilog
  • allows the owner of the card to customize it or reconfigure it
  • better performance, cooling
  • malfunctions and errors, difficult to optimize the 32-bit addition step, less accessible
• ASIC mining
  • Application Specific Integrated Circuits
  • chips designed, built, and optimized for the sole purpose of mining Bitcoins
  • rapidly increasing network hash rate, shipping speed is crucial
  • short lifetime
• Today
  • professional mining, not friendly to individuals
• Where to set up?
  • climate: cool
  • cost of electricity: cheap
  • network position
  • ideal places: Republic of Georgia, Iceland
Mining Pool
• Miner: only one mission, computing
• Pool manager: listens to transactions and verifies them, builds blocks, updates software
• Rewards: based on work done (shares)
• pay-per-share
  • flat fee on every share, even if no valid block is found
  • the manager absorbs the risk
  • can be taken advantage of by competitors
• proportional
• started around 2010
• 51% mining pools (chart dates: 2014/6, 2014/8, 2015/4, 2016/3)
• good for small miners, fast updates
• centralization, few fully-validating nodes
Bitcoin Network
• bitcoin P2P protocol
• extended bitcoin network: bitcoin P2P protocol, mining pool protocol, Stratum protocol
• Node Functions
• Node Types
SPV client
• Simplified Payment Verification nodes
• retrieve only block headers, 1000 times smaller than the full blockchain
• request specific transactions from peers
• risks: Sybil attack, double-spending attack, privacy revealed
• Bloom Filter
Bloom Filter
• probabilistic search filter, a way to describe a desired pattern without specifying it exactly
• a variable-size array of N binary digits
• a variable number M of hash functions, each with output between 1 and N
• vary the level of accuracy, and therefore privacy, by picking different N and M
• to add a pattern to the bloom filter, the pattern is hashed by each hash function in turn
• the corresponding bit of each hash output is set to 1
• collision: probabilistic, more collisions means less accuracy
• answer: Maybe YES, Definitely NO
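An added example (not from the slides) of the N-bit, M-hash Bloom filter described above, with the "maybe yes, definitely no" lookup, the expected false-positive rate that shrinks with N and grows with load, and the matching step a full node runs for an SPV client. The M hash functions are simulated by salting SHA-256 with the function number (an assumption); the addresses are constructed byte strings.

```python
import hashlib
import math

class BloomFilter:
    """N-bit array with M hash functions; membership answers are 'maybe yes' or 'definitely no'."""

    def __init__(self, n_bits: int, n_hashes: int):
        self.n, self.m = n_bits, n_hashes
        self.bits = [0] * n_bits
        self.inserted = 0

    def _positions(self, item: bytes):
        # M hash functions, simulated by salting SHA-256 with the function number 0..M-1
        for k in range(self.m):
            digest = hashlib.sha256(k.to_bytes(4, "big") + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.n

    def add(self, item: bytes) -> None:
        """Hash the pattern with each function in turn and set the corresponding bits."""
        for pos in self._positions(item):
            self.bits[pos] = 1
        self.inserted += 1

    def maybe_contains(self, item: bytes) -> bool:
        """All M bits set: maybe yes (could be collisions). Any bit clear: definitely no."""
        return all(self.bits[pos] for pos in self._positions(item))

    def false_positive_rate(self) -> float:
        """Expected rate at the current load: (1 - e^(-M*inserted/N))^M. A smaller N or more
        load raises it, which is what hides the SPV client's real addresses among decoys."""
        return (1 - math.exp(-self.m * self.inserted / self.n)) ** self.m

def spv_matches(bf: BloomFilter, tx_outputs) -> list:
    """What a full node does with a client's filter: return the (value, address) outputs that
    may match; the client drops the false positives itself."""
    return [out for out in tx_outputs if bf.maybe_contains(out[1])]
```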