Introduction to blockchain technology, using Bitcoin as an example

Post on 09-Jan-2017


TRANSCRIPT

BLOCKCHAIN

CRYPTOGRAPHY

HASH

ENCRYPTION

DECENTRALIZATION

BITCOIN

1. Decentralized
2. Anonymous
3. Completely transparent
4. Low fees
5. Easy to use

• Block Structure
• Key, Address and Wallet
• Transaction
• Mining and Consensus
• Network

BLOCK

Chain of Blocks
Inside a block: HASH, Merkle Tree

Chain of Blocks: Genesis Block

prev #8FA

That is all you need!

Inside a block: Merkle Tree

What is a Merkle Tree? A binary hash tree

Data

How to locate a transaction: assume P transactions in the Merkle tree;
we need O(log N) hashes to construct a path that verifies whether a transaction exists here.

authentication path: H_L, H_IJ, H_MNOP, H_ABCDEFGH

Efficient and secure verification of the content
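As an added example (not code from the slides), here is a Merkle tree built the way Bitcoin does it (double SHA-256, and an odd node at any level is paired with a copy of itself), together with the authentication path a verifier needs. The 16 transactions "tx_A" .. "tx_P" are constructed; locating tx_K yields exactly the four siblings the slide lists (H_L, H_IJ, H_MNOP, H_ABCDEFGH), i.e. O(log N) hashes for N = 16 leaves.

```python
import hashlib


def dsha256(data: bytes) -> bytes:
    """Bitcoin hashes everything twice with SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_levels(leaves):
    """Build the tree bottom-up. levels[0] holds the leaf hashes and
    levels[-1] the single Merkle root. As in Bitcoin, an odd trailing node is
    paired with a copy of itself."""
    level = [dsha256(leaf) for leaf in leaves]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def auth_path(levels, index):
    """Sibling hashes from the leaf up to the root: the O(log N) values a
    verifier needs. Each entry records whether the sibling sits on the left."""
    path = []
    for lvl in levels[:-1]:
        if len(lvl) % 2:
            lvl = lvl + [lvl[-1]]
        sibling = index ^ 1
        path.append((lvl[sibling], sibling < index))
        index //= 2
    return path


def verify(leaf: bytes, path, root: bytes) -> bool:
    """Recompute the root from one leaf plus its path; no other leaves needed."""
    h = dsha256(leaf)
    for sibling, on_left in path:
        h = dsha256(sibling + h) if on_left else dsha256(h + sibling)
    return h == root


# Constructed sample block: 16 transactions named after the slide's leaves A..P.
TXS = [f"tx_{c}".encode() for c in "ABCDEFGHIJKLMNOP"]


def locate(index=10):
    """Return (root, path, ok) for the transaction at `index` (10 = tx_K)."""
    levels = merkle_levels(TXS)
    root = levels[-1][0]
    path = auth_path(levels, index)
    return root, path, verify(TXS[index], path, root)
```

A lightweight client only needs the leaf, the path and the trusted root from the block header; a tampered leaf, or a path taken from a different block, fails the final comparison.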

Block Header?


KEY, ADDRESS AND WALLET

Password

Account

e-Wallet

KEY

Private Key -> Public Key ≒ Address

PRIVATE KEY
• Single SHA256

BlockChainForTheWIN

5KjTnMMnFKd2rWZKejXXkWWkd1LJwhnHrKpBxXujRvr8nTjZwp6

PUBLIC KEY: ECDSA
• Curve: y^2 mod p = x^3 + 7 mod p
• G: base point
• p: prime number

ADDRESS
• HASH160
• Base58 encoding

04f29a7f486c90281f9396945e99ab35e2ed732c008ada71e8e745da38dc63ac97b723fe731555dfba9dd60c0cc8fbc8f26c35739f10c068125e6394839a47eb1e

7c4c8fc7afbf33660bef88460b8ef86bcc9d1134

1CLEWPDWRkTV2wEKZsDGPUWR1yXZwxsPQk

KEY
Private Key --(ECDSA)--> Public Key --(HASH160 + Base58Check)--> Address

KEY (PUBLIC)
• Compressed
• Uncompressed

Point (x, y)

Uncompressed: k = 04 x y
Compressed: k = 02 x if y is even; k = 03 x if y is odd

• Compressed: 66 hex digits
• Uncompressed: 130 hex digits

Uncompressed: 04f29a7f486c90281f9396945e99ab35e2ed732c008ada71e8e745da38dc63ac97b723fe731555dfba9dd60c0cc8fbc8f26c35739f10c068125e6394839a47eb1e

Compressed: 02f29a7f486c90281f9396945e99ab35e2ed732c008ada71e8e745da38dc63ac97
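The following is an added example, not code from the slides: the private key -> public key -> address pipeline in pure Python, with secp256k1 point arithmetic written out so that nothing is hidden in a library. It follows the slide's "single SHA256 of a passphrase" shortcut for the private key (a guessable phrase means a guessable key, which is the whole risk of that shortcut), derives the public key by scalar multiplication, shows the 02/03/04 compression rule, and encodes the key as WIF with Base58Check. The address step needs RIPEMD-160, which not every Python build provides, so it is kept in its own function; the slide's own uncompressed public key is reused below to check the compression rule.

```python
import hashlib

# secp256k1, the curve Bitcoin uses: y^2 = x^3 + 7 over the prime field p
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mul(k, pt=G):
    """Double-and-add: public key = private key * G."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def private_key_from_passphrase(passphrase):
    """The slide's 'single SHA256' step: a brain-wallet key that anyone who
    guesses the phrase can recompute. Teaching shortcut only."""
    k = int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")
    if not 1 <= k < N:
        raise ValueError("hash is outside the valid private-key range")
    return k


def uncompress(pub):
    return "04%064x%064x" % pub                      # 130 hex digits


def compress(pub):
    x, y = pub
    return ("02" if y % 2 == 0 else "03") + "%064x" % x   # 66 hex digits


def decompress(hex_key):
    """Recover y from x: y = (x^3 + 7)^((p+1)/4) mod p works because p = 3 mod 4;
    then pick the root whose parity matches the 02/03 prefix."""
    prefix, x = hex_key[:2], int(hex_key[2:], 16)
    y = pow((x * x * x + 7) % P, (P + 1) // 4, P)
    if (y % 2 == 0) != (prefix == "02"):
        y = P - y
    return x, y


def base58check_encode(payload: bytes) -> str:
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def base58check_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    data = b"\x00" * (len(text) - len(text.lstrip("1"))) + body
    payload, checksum = data[:-4], data[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("Base58Check checksum mismatch")
    return payload


def to_wif(priv: int) -> str:
    """Wallet Import Format: version byte 0x80 + 32-byte key + Base58Check ('5...')."""
    return base58check_encode(b"\x80" + priv.to_bytes(32, "big"))


def address(pub_hex: str) -> str:
    """HASH160 = RIPEMD160(SHA256(pubkey)); version 0x00 + Base58Check gives a
    '1...' address. Raises ValueError if hashlib lacks RIPEMD-160."""
    h160 = hashlib.new("ripemd160", hashlib.sha256(bytes.fromhex(pub_hex)).digest()).digest()
    return base58check_encode(b"\x00" + h160)
```

Calling `to_wif(private_key_from_passphrase("BlockChainForTheWIN"))` reproduces the slide's WIF derivation, and `address(uncompress(scalar_mul(priv)))` its address, on a build whose `hashlib` offers RIPEMD-160.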

WALLET


Non-deterministic wallet: randomly generated keys

Deterministic wallet (seeded wallet)

Mnemonic Code Words
1. Create a random sequence (entropy) of 128 to 256 bits
2. Create a checksum of the random sequence by taking the first few bits of its SHA256 hash
3. Add the checksum to the end of the random sequence
4. Divide the sequence into sections of 11 bits, using those to index a dictionary of 2048 pre-defined words
5. Produce 12-24 words representing the mnemonic code

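The five steps above, carried out in code as an added example (not the slides' own): entropy -> checksum -> 11-bit groups -> words, plus the reverse mapping that rechecks the checksum, which is what catches a mistyped or swapped word. The 2048-entry dictionary is replaced by a constructed stand-in list ("word0000" .. "word2047") so the example runs offline; the index arithmetic is unchanged, and with the real BIP39 English list an all-zero 128-bit entropy maps to eleven times index 0 followed by index 3.

```python
import hashlib
import secrets

# Constructed stand-in for the 2048-word dictionary; a wallet ships the real list.
WORDLIST = [f"word{i:04d}" for i in range(2048)]


def entropy_to_mnemonic(entropy: bytes) -> list:
    """Steps 1-5: checksum = first (bits/32) bits of SHA256(entropy), appended,
    then the whole bit string is cut into 11-bit indices."""
    n_bits = len(entropy) * 8
    if n_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    checksum_bits = n_bits // 32                      # 4 bits for 128-bit entropy
    digest = hashlib.sha256(entropy).digest()
    bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(n_bits)
    bits += bin(int.from_bytes(digest, "big"))[2:].zfill(256)[:checksum_bits]
    return [WORDLIST[int(bits[i:i + 11], 2)] for i in range(0, len(bits), 11)]


def mnemonic_to_entropy(words: list) -> bytes:
    """Reverse the mapping and verify the checksum; raises ValueError on an
    unknown word or a checksum mismatch."""
    if len(words) not in (12, 15, 18, 21, 24):
        raise ValueError("mnemonic must have 12-24 words")
    bits = "".join(bin(WORDLIST.index(w))[2:].zfill(11) for w in words)
    checksum_bits = len(bits) // 33                   # 33 bits per 3 words
    ent_bits, checksum = bits[:-checksum_bits], bits[-checksum_bits:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = bin(int.from_bytes(hashlib.sha256(entropy).digest(), "big"))[2:].zfill(256)[:checksum_bits]
    if checksum != expected:
        raise ValueError("checksum mismatch: the mnemonic was altered")
    return entropy


def new_mnemonic(strength_bits: int = 128) -> list:
    """Step 1 with a CSPRNG: 128 bits -> 12 words, 256 bits -> 24 words."""
    return entropy_to_mnemonic(secrets.token_bytes(strength_bits // 8))
```

Note that the checksum only detects accidental damage (4 bits for 12 words, so a random wrong word still passes one time in 16); it is not an integrity protection against a deliberately substituted phrase.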

Hierarchical Deterministic Wallets

Each parent key can have 4 billion children keys

Hierarchical Deterministic Wallets
• the tree structure can be used to express additional organizational meaning
• users can create a sequence of public keys without having access to the corresponding private keys
• useful on an insecure server or in a receive-only capacity


Hierarchical Deterministic Wallets
• parent private key and public key (256 bit)
• a seed called a chain code (256 bit)
• index number (32 bit)

Extended keys: key + chain code

Hierarchical Deterministic Wallets
• Potential problems

Hierarchical Deterministic Wallets
• Solution: hardened child key derivation
• use the parent private key to derive the child chain code
• best practice: the level-1 children of the master keys are always derived through hardened derivation, to prevent compromise of the master keys

Hierarchical Deterministic Wallets

• Index numbers for normal and hardened derivation
• Normal: 0 ~ 2^31 - 1, first one displayed as 0
• Hardened: 2^31 ~ 2^32 - 1, first one displayed as 0'
• HD wallet key identifier (path)
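The hardened derivation and the index convention described on the last few slides, as an added example (not the slides' code): master key and chain code from a seed, a hardened child whose HMAC input is the parent private key, and a path parser that maps 0' to 2^31. Normal (non-hardened) derivation needs the parent public key and curve arithmetic, so this example deliberately refuses non-hardened indices; the seed here is the public BIP32 test vector 1 seed 000102...0f, and the BIP39 seed function is included to connect the mnemonic to the HD tree.

```python
import hashlib
import hmac

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order
HARDENED = 1 << 31                                                        # 2^31


def seed_from_mnemonic(words: list, passphrase: str = "") -> bytes:
    """BIP39: 2048 rounds of PBKDF2-HMAC-SHA512, salt 'mnemonic' + passphrase."""
    return hashlib.pbkdf2_hmac("sha512", " ".join(words).encode(),
                               ("mnemonic" + passphrase).encode(), 2048, 64)


def master_from_seed(seed: bytes):
    """BIP32 master node: HMAC-SHA512 keyed with 'Bitcoin seed'. The left 256
    bits are the master private key, the right 256 bits the chain code."""
    I = hmac.new(b"Bitcoin seed", seed, "sha512").digest()
    return int.from_bytes(I[:32], "big"), I[32:]


def ckd_priv_hardened(parent_key: int, chain_code: bytes, index: int):
    """Hardened child (index >= 2^31): the HMAC data is 0x00 || parent private
    key || index, so the child cannot be linked to the parent from public data."""
    if index < HARDENED:
        raise ValueError("normal derivation needs the parent public key; not covered here")
    data = b"\x00" + parent_key.to_bytes(32, "big") + index.to_bytes(4, "big")
    I = hmac.new(chain_code, data, "sha512").digest()
    child_key = (int.from_bytes(I[:32], "big") + parent_key) % N
    return child_key, I[32:]                      # new key + new chain code


def parse_path(path: str) -> list:
    """\"m/44'/0'/0'\" -> [44 + 2^31, 2^31, 2^31]; an apostrophe (or h) marks hardened."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    out = []
    for p in parts[1:]:
        hardened = p.endswith("'") or p.endswith("h")
        i = int(p.rstrip("'h"))
        if not 0 <= i < HARDENED:
            raise ValueError("index out of range")
        out.append(i + HARDENED if hardened else i)
    return out


def display_index(index: int) -> str:
    """2^31 is shown as 0', 2^31 + 1 as 1', and so on."""
    return f"{index - HARDENED}'" if index >= HARDENED else str(index)


def derive_hardened_path(seed: bytes, path: str):
    """Walk an all-hardened path such as m/0' or m/44'/0'/0' from the seed."""
    key, cc = master_from_seed(seed)
    for idx in parse_path(path):
        key, cc = ckd_priv_hardened(key, cc, idx)
    return key, cc
```

The best-practice rule on the slide (level-1 children always hardened) is exactly what `derive_hardened_path(seed, "m/44'/0'/0'")` does: every hop below the master uses the parent private key, so no extended public key at those levels can be combined with a leaked child key to recover its parent.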

FORMAT

Key Format

• Private Key
• Wallet Import Format (WIF): a way of encoding a private key so as to make it easier to copy
• Public Key

Other Format

• Encrypted Private Key
• private key (usually in WIF) + passphrase
• => Base58Check-encoded encrypted private key with the prefix 6P
• the passphrase is needed to decrypt it

TRANSACTION

Life Cycle
• the most important thing in the Bitcoin network
• all designs in Bitcoin are created for a transaction's creation, broadcast and verification
• life cycle: CREATED -> SIGNED -> BROADCASTED -> VERIFIED AND COLLECTED

Every node will send a validated transaction to its 3~4 neighbors.

UTXO
• Unspent Transaction Output
• locked to a specific owner
• there is no balance for a bitcoin address account, only scattered UTXOs
• the balance is the sum of the UTXOs of that address

Account-based ledger:
Alice transfers $10 to me
Bob transfers $5 to me
transfer $13 to David
transfer $10 to Alice

Transaction-based ledger:
Input from a1, $10, to me
Input from b1, $5, to me
Input from c1, c2, $13, to David
Input from c3, $5, to Alice

only need to verify the output of the specific transaction referenced


• efficient verification
• consolidating funds: merge my own coins together into one address
• joint payments: combine payments from multiple people
• change address: the change is sent to another address


Structure
• Metadata
• Locktime: the earliest time that a transaction is valid and can be relayed on the network or added to the blockchain
• = 0: no locktime limit
• < 500 million: block height
• > 500 million: Unix Epoch timestamp

Structure
• Input: UTXO

Structure
• Output

Script
• Output
• How to unlock? Concatenate the input script with the output script
• Input


• 5 standard transaction types
• Pay-to-public-key-hash (P2PKH): the majority
• Public-key
• Multi-Signature
• Pay-to-Script-Hash (P2SH)
• Data Output (OP_RETURN)

Script


• Pay-to-public-key-hash (P2PKH): the majority
• Public-key: the public key is stored in the locking script rather than the public key hash; generated by older mining software that has not been updated to use P2PKH

Script
• Multi-Signature
• Locking script: M <Public Key 1> <Public Key 2> ... <Public Key N> N OP_CHECKMULTISIG
• Unlocking script: OP_0 <Signature B> <Signature C>
• Data Output (OP_RETURN)
• allows developers to add 40 bytes of non-payment data to a transaction output
• un-spendable output
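To make the "concatenate input with output" rule concrete, here is an added example (not the slides' code) of a minimal Script interpreter covering the P2PKH, multi-signature and OP_RETURN cases above. Two things are stand-ins and are labelled as such: signatures are HMACs over a constructed transaction digest keyed by constructed secrets (in place of ECDSA), and HASH160 is a 20-byte truncation of double SHA-256 because RIPEMD-160 is not in every Python build. The script semantics are the real ones, including the OP_CHECKMULTISIG quirk that consumes one extra stack item (the reason for the leading OP_0) and the requirement that signatures appear in the same order as their keys.

```python
import hashlib
import hmac


class ScriptError(Exception):
    pass


def hash160(data: bytes) -> bytes:
    """Stand-in for RIPEMD160(SHA256(x)); same role in the script, different function."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:20]


# Constructed toy keys: a 'public key' is a label, a 'signature' is an HMAC of the
# transaction digest keyed by the holder's secret. Stands in for ECDSA only.
SECRETS = {b"pkA": b"secret-A", b"pkB": b"secret-B", b"pkC": b"secret-C"}
TX_DIGEST = hashlib.sha256(b"constructed transaction bytes").digest()


def toy_sign(pub: bytes, digest: bytes) -> bytes:
    return hmac.new(SECRETS[pub], digest, "sha256").digest()


def toy_verify(pub: bytes, sig: bytes, digest: bytes) -> bool:
    return pub in SECRETS and hmac.compare_digest(sig, toy_sign(pub, digest))


def run(script, stack, digest):
    """Execute one script on a shared stack; data pushes are bytes, opcodes strings."""
    for tok in script:
        if isinstance(tok, bytes):
            stack.append(tok)
        elif tok == "OP_0":
            stack.append(b"")
        elif tok.isdigit():                               # OP_1 .. OP_16
            stack.append(bytes([int(tok)]))
        elif tok == "OP_DUP":
            stack.append(stack[-1])
        elif tok == "OP_HASH160":
            stack.append(hash160(stack.pop()))
        elif tok in ("OP_EQUAL", "OP_EQUALVERIFY"):
            equal = stack.pop() == stack.pop()
            if tok == "OP_EQUAL":
                stack.append(b"\x01" if equal else b"")
            elif not equal:
                raise ScriptError("OP_EQUALVERIFY failed")
        elif tok == "OP_CHECKSIG":
            pub, sig = stack.pop(), stack.pop()
            stack.append(b"\x01" if toy_verify(pub, sig, digest) else b"")
        elif tok == "OP_CHECKMULTISIG":
            n = int.from_bytes(stack.pop(), "big")
            pubs = [stack.pop() for _ in range(n)]        # last key pushed comes off first
            m = int.from_bytes(stack.pop(), "big")
            sigs = [stack.pop() for _ in range(m)]
            stack.pop()   # consensus quirk: one extra item is consumed, hence the OP_0
            k = 0         # each signature must match a later key than the previous one
            for sig in sigs:
                while k < n and not toy_verify(pubs[k], sig, digest):
                    k += 1
                if k == n:
                    stack.append(b"")
                    break
                k += 1
            else:
                stack.append(b"\x01")
        elif tok == "OP_RETURN":
            raise ScriptError("OP_RETURN: provably unspendable output")
        else:
            raise ScriptError("unsupported opcode " + tok)


def spend(unlocking, locking, digest=TX_DIGEST) -> bool:
    """Unlocking script (input) first, then locking script (output), one stack;
    the spend is valid when the final top item is true. Stack underflow fails."""
    stack = []
    try:
        run(unlocking, stack, digest)
        run(locking, stack, digest)
    except (ScriptError, IndexError):
        return False
    return bool(stack) and stack[-1] != b""


def p2pkh(signer=b"pkA", claimed_pub=b"pkA") -> bool:
    """Output locked to HASH160(pkA); the input supplies <sig> <pubkey>."""
    locking = ["OP_DUP", "OP_HASH160", hash160(b"pkA"), "OP_EQUALVERIFY", "OP_CHECKSIG"]
    return spend([toy_sign(signer, TX_DIGEST), claimed_pub], locking)


def multisig_2_of_3(signers=(b"pkB", b"pkC"), with_dummy=True) -> bool:
    """2 <pkA> <pkB> <pkC> 3 OP_CHECKMULTISIG unlocked by OP_0 <sigB> <sigC>."""
    locking = ["2", b"pkA", b"pkB", b"pkC", "3", "OP_CHECKMULTISIG"]
    unlocking = (["OP_0"] if with_dummy else []) + [toy_sign(s, TX_DIGEST) for s in signers]
    return spend(unlocking, locking)


def op_return_output() -> bool:
    """Any attempt to spend an OP_RETURN output fails: the data rides along, the coins are burned."""
    return spend([], ["OP_RETURN", b"up to 40 bytes of non-payment data"])
```

Dropping the OP_0, or supplying the two signatures in the wrong order, makes the 2-of-3 spend fail exactly as it would on a real node; those are the two most common mistakes when hand-building multisig inputs.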

Script
• Pay-to-Script-Hash (P2SH)
• pay to a script matching this hash, a script which will be presented later when this output is spent
• P2SH addresses are Base58Check encodings of the 20-byte hash of a script
• use version prefix 5, which results in Base58Check-encoded addresses starting with 3
• the redeem script can be invalid, which will result in un-spendable bitcoin

advantage: nodes keep fewer records

Transaction Fee
• = sum of inputs - sum of outputs
• independent of the transaction's bitcoin value, but generally determined by the size of the transaction
• miners are more willing to put a transaction into a block if its fee is high
• is used to stop spam transactions and DDoS
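The UTXO slides and the transaction-fee slide describe one mechanism, so they share one added example (not the slides' code): a small UTXO set in which a payment references specific earlier outputs, the remainder goes to a change address, the fee is whatever the inputs exceed the outputs by, and validation needs only the referenced outputs rather than any account balance. Amounts are in satoshi and the scenario (a1 and b1 pay me, I pay David) is constructed after the slide's ledger; a `locktime_kind` helper applies the locktime thresholds from the structure slide, using the consensus boundary of exactly 500,000,000 for the switch to timestamps.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outpoint:
    """Reference to one specific output of one earlier transaction."""
    txid: str
    index: int


@dataclass(frozen=True)
class Output:
    value: int            # satoshi
    owner: str            # stands in for the locking script / address


@dataclass
class Tx:
    txid: str
    inputs: list          # Outpoints being spent
    outputs: list         # new Outputs
    locktime: int = 0


class UTXOSet:
    def __init__(self):
        self.utxos = {}   # Outpoint -> Output; only unspent outputs live here

    def add_coinbase(self, txid, value, owner):
        """A coinbase creates coins without spending any input."""
        self.utxos[Outpoint(txid, 0)] = Output(value, owner)

    def balance(self, owner):
        """No account balance exists: sum the scattered outputs locked to this owner."""
        return sum(o.value for o in self.utxos.values() if o.owner == owner)

    def fee(self, tx):
        """Fee = sum of inputs - sum of outputs (implicit, never written in the tx)."""
        return sum(self.utxos[i].value for i in tx.inputs) - sum(o.value for o in tx.outputs)

    def validate(self, tx, spender):
        """Only the referenced outputs are consulted. Returns an error string or None."""
        if len(set(tx.inputs)) != len(tx.inputs):
            return "an input is referenced twice"
        for i in tx.inputs:
            if i not in self.utxos:
                return f"{i} is missing or already spent"
            if self.utxos[i].owner != spender:
                return f"{i} is not locked to {spender}"
        if not tx.outputs or any(o.value <= 0 for o in tx.outputs):
            return "outputs must be positive"
        if self.fee(tx) < 0:
            return "outputs exceed inputs"
        return None

    def apply(self, tx, spender):
        """Spend the inputs, create the outputs, return the fee collected by the miner."""
        err = self.validate(tx, spender)
        if err:
            raise ValueError(err)
        fee = self.fee(tx)
        for i in tx.inputs:
            del self.utxos[i]
        for n, o in enumerate(tx.outputs):
            self.utxos[Outpoint(tx.txid, n)] = o
        return fee


def build_payment(utxo_set, spender, payee, amount, fee, change_addr, txid):
    """Pick the spender's outputs until they cover amount + fee; send the rest
    to a change address (consolidation is the same loop with payee == change_addr)."""
    picked, total = [], 0
    for op, out in utxo_set.utxos.items():
        if out.owner == spender:
            picked.append(op)
            total += out.value
            if total >= amount + fee:
                break
    if total < amount + fee:
        raise ValueError("insufficient funds")
    outputs = [Output(amount, payee)]
    if total - amount - fee > 0:
        outputs.append(Output(total - amount - fee, change_addr))
    return Tx(txid, picked, outputs)


def locktime_kind(locktime: int) -> str:
    """0: no limit; below 500,000,000: block height; otherwise Unix timestamp."""
    if locktime == 0:
        return "none"
    return "block height" if locktime < 500_000_000 else "unix timestamp"
```

The second `validate` of an already-applied transaction fails at the "missing or already spent" check; that single lookup is all a node needs to reject a double spend, which is the efficiency the UTXO model buys.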

MINING AND CONSENSUS

MINER

Tasks of Bitcoin Miners
• maintain the block chain and listen for new blocks
• listen for transactions: listen and validate
• assemble a new block
• compute the answer (nonce) and broadcast the block

Proof of Work
• like a spam email check: difficult to produce but easy to verify
• a base string + nonce -> hash
• nonce: number used only once
• base string: Hello, world!
• target: hash begins with a certain number of zeros

Difficulty
• on average 10 minutes per block generation
• determines the difficulty
• adjusted every 2 weeks
• next_difficulty = previous_difficulty * (2 weeks) / (time to mine the last 2016 blocks)
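The proof-of-work and difficulty slides, as an added example (not the slides' code): search nonces for the base string "Hello, world!" until the SHA-256 hex digest starts with a chosen number of zeros, verify a claimed solution with a single hash, and apply the retarget formula over 2016 blocks. The retarget function also applies the clamp that Bitcoin's consensus rule adds, no more than a factor of 4 in either direction per period; the slide's formula omits that detail.

```python
import hashlib


def pow_hash(base: str, nonce: int) -> str:
    """Hash of base string + nonce, as on the slide."""
    return hashlib.sha256(f"{base}{nonce}".encode()).hexdigest()


def mine(base: str = "Hello, world!", zeros: int = 4, max_nonce: int = 10_000_000):
    """Try nonces 0, 1, 2, ... until the hash starts with `zeros` hex zeros.
    Expected work is 16**zeros attempts; verification is one hash."""
    target = "0" * zeros
    for nonce in range(max_nonce):
        digest = pow_hash(base, nonce)
        if digest.startswith(target):
            return nonce, digest
    raise RuntimeError("no solution within max_nonce")


def verify(base: str, nonce: int, zeros: int) -> bool:
    return pow_hash(base, nonce).startswith("0" * zeros)


EXPECTED_SECONDS = 2016 * 600          # 2016 blocks at 10 minutes = 2 weeks


def retarget(previous_difficulty: float, actual_seconds: float) -> float:
    """next = previous * (2 weeks) / (time for the last 2016 blocks),
    with the consensus clamp to at most 4x up or down per period."""
    ratio = EXPECTED_SECONDS / actual_seconds
    ratio = max(0.25, min(4.0, ratio))
    return previous_difficulty * ratio
```

Raising `zeros` by one multiplies the expected search by 16 while `verify` stays a single SHA-256 call; that asymmetry is the whole point of the scheme.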

Coinbase Transaction
• a null hash pointer
• a parameter containing arbitrary data, usually used to signal miners' support for different new features (a vote)
• BIP: Bitcoin Improvement Proposal
• its value contains the block reward and all the transaction fees of the block

Coinbase Transaction: eventually only transaction fees are left

Broadcast

• previous block hash value + nonce
• put the nonce into the block header
• broadcast to the network
• easily verified by other miners

THREAT

Problem & Attack
• steal bitcoin?
• protected by digital signatures
• stealing private keys
• fork
• P2P network latency
• miners will go with the main (longest) chain
• lose if not on the main chain
• double-spend attack?
• a block is generated about every 10 minutes
• should wait for at least 6 blocks (confirmations)

Problem & Attack
• Sybil attacks
• refuse to relay blocks and transactions, disconnecting you from the network
• open to double-spending attacks
• 51% attack
• could change the main chain

APPLICATION

Application of Bitcoin
• Escrow application
• MULTISIG and a third party
• green address
• bank-controlled address
• the bank guarantees it will not double-spend (a real-world guarantee), so the recipient need not wait for confirmations of the transaction, which would take an hour
• trackable

Application of Bitcoin
• micro-payment
• bond: broadcast by the recipient in the beginning
• refund: MULTISIG, requires both sender and receiver to sign; spends the money of the bond, transferring it to both sender and recipient
• lock time: set a time t; if the recipient fails to broadcast the payment by t, the sender can get the whole amount back instead of the money being held hostage by the recipient

Application of Bitcoin (figure: bond and refund flow between A and B, amount 100)

Ecosystem: a cyclic nature
• Value
• Security
• Mining
• Digital Signature
• Tamper-resistant
• Market Price
• Massive Users

Mining History
• CPU Mining
• a while loop
• too slow
• GPU Mining
• parallelism, overclocking
• floating point units, power consuming, cooling

Mining History

Source: LeonardH, cryptocurrenciestalk.com

Mining History
• FPGA Mining
• Field Programmable Gate Array, Verilog
• allows the owner of the card to customize it or reconfigure it
• better performance, cooling
• malfunctions and errors, difficult to optimize the 32-bit addition step, less accessible

Mining History
• ASIC Mining
• Application Specific Integrated Circuits
• chips designed, built, and optimized for the sole purpose of mining bitcoins
• rapidly increasing network hash rate, so shipping speed is crucial
• short lifetime

Mining History
• Today
• professional mining, not friendly to individuals

Mining History
• Where to set up?
• climate: cool
• cost of electricity: cheap
• network position
• ideal places: Republic of Georgia, Iceland

Mining Pool
• Miner
• only one mission: computing
• Pool Manager
• listens to transactions and verifies them
• builds blocks
• updates software

Mining Pool
• Rewards
• based on work done (shares)

Mining Pool
• pay-per-share
• flat fee on every share, even if no valid block is found
• the manager absorbs the risk
• can be exploited by competitors
• proportional

Mining Pool
• started around 2010
• 51% mining pools (figure: pool shares at 2014/6, 2014/8, 2015/4, 2016/3)

Mining Pool
• good for small miners, fast updates
• centralization, few fully-validating nodes


Bitcoin Network
• bitcoin P2P protocol
• extended bitcoin network
• bitcoin P2P protocol
• mining pool protocol
• Stratum protocol

Bitcoin Network
• Node Functions

Bitcoin Network
• Node Types

SPV client
• Simplified Payment Verification nodes
• retrieve only block headers, 1000 times smaller than the full blockchain
• request specific transactions from peers
• Sybil attack
• double spending attack
• privacy revealed
• Bloom Filter

Bloom Filter
• probabilistic search filter, a way to describe a desired pattern without specifying it exactly
• a variable-size array of N binary digits
• a variable number of M hash functions, output between 1 and N
• varying the level of accuracy, and therefore privacy, by picking different N and M

Bloom Filter

• To add a pattern to the Bloom filter, the pattern is hashed by each hash function in turn
• the corresponding bit of each hash output is set to 1

Bloom Filter

collision

probabilistic: more collisions, less accuracy

Bloom Filter: Maybe YES, Definitely NO
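An added example (not the slides' code) of the Bloom filter just described: an N-bit array with M hash functions, `add` sets one bit per function, and a membership query is "maybe yes" when all bits are set and "definitely no" otherwise. The hash functions are SHA-256 with a per-function prefix byte, a stand-in for the murmur3 variants the Bitcoin P2P filter uses; the addresses are constructed strings. The false-positive-rate helper shows the accuracy/privacy trade-off from the slide: a smaller N gives more collisions, so peers learn less about which addresses the SPV client actually owns.

```python
import hashlib


class BloomFilter:
    """N bits, M hash functions, as on the slide. Never a false negative;
    false positives grow with the number of bits already set."""

    def __init__(self, n_bits: int, m_hashes: int):
        self.n, self.m = n_bits, m_hashes
        self.bits = bytearray(n_bits)

    def _positions(self, item: bytes):
        # Stand-in hashes: SHA-256 over (function index || item), reduced mod N.
        for i in range(self.m):
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h, "big") % self.n

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos] = 1

    def maybe_contains(self, item: bytes) -> bool:
        """True = maybe yes (could be a collision); False = definitely no."""
        return all(self.bits[p] for p in self._positions(item))

    def fill_ratio(self) -> float:
        return sum(self.bits) / self.n


def false_positive_rate(n_bits: int, m_hashes: int, n_items: int = 200, n_probes: int = 2000) -> float:
    """Load n_items constructed addresses, then probe with addresses that were
    never added and count how often the filter says 'maybe yes'."""
    bf = BloomFilter(n_bits, m_hashes)
    for i in range(n_items):
        bf.add(f"addr-{i}".encode())
    hits = sum(bf.maybe_contains(f"other-{j}".encode()) for j in range(n_probes))
    return hits / n_probes
```

An SPV client that wants more privacy deliberately picks a small N (or few items per filter) so that the peer sees many candidate transactions, at the cost of downloading ones it does not need; a large N tells the peer almost exactly which addresses belong to the client.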
