EmmanuelleAnceaume …people.irisa.fr/Emmanuelle.Anceaume/Bitcoin-keynote.pdf · 5 Publicledgers...
Transcript of EmmanuelleAnceaume …people.irisa.fr/Emmanuelle.Anceaume/Bitcoin-keynote.pdf · 5 Publicledgers...
1
MADS
Emmanuelle Anceaume
Blockchain Technology and the Bitcoin Cryptocurrency
http://people.irisa.fr/Emmanuelle.Anceaume/
2
Content of this lesson
I Crypto backgroundI hash functionsI digital signaturesI hash pointersI Merkle trees
I Bitcoin principlesI Peer-to-peer networksI TransactionsI Blocks
I Agreement protocolsI Leader electionI « Nakamoto Consensus »
3
2008 : The Bitcoin white paper
4
An overview of Bitcoin
I Bitcoin is a cryptocurrencyand payment system
I It allows users toanonymously exchangegoods against digitalcurrency
I All the valid transactions arerecorded in a public ledger,the blockchain
I Allows anyone to auditand check the integrity ofall the transactions
Bob -> Alice ฿0.001 Chunk -> Sara ฿0.05Eva -> Alice ฿0.009Alice -> John ฿0.02Bob -> Chunk ฿0.7
Peter -> Bob ฿0.008Bob -> Alice ฿0.05
Bob -> Alice ฿0.046Bob -> Alice ฿0.008
Ledger
5
Public ledgers
No trustworthy centralized control.Everyone
I maintains its own copy of the ledgerI disseminates all the transactionsI can read all the transactions
Bob -> Alice ฿0.001 Chunk -> Sara ฿0.05Eva -> Alice ฿0.009Alice -> John ฿0.02Bob -> Chunk ฿0.7Peter -> Bob ฿0.008Bob -> Alice ฿0.05
Bob -> Alice ฿0.046Bob -> Alice ฿0.008
Ledger
Bob -> Alice ฿0.001 Chunk -> Sara ฿0.05Eva -> Alice ฿0.009Alice -> John ฿0.02Bob -> Chunk ฿0.7Peter -> Bob ฿0.008Bob -> Alice ฿0.05
Bob -> Alice ฿0.046Bob -> Alice ฿0.008
Ledger
Bob -> Alice ฿0.001 Chunk -> Sara ฿0.05Eva -> Alice ฿0.009Alice -> John ฿0.02Bob -> Chunk ฿0.7Peter -> Bob ฿0.008Bob -> Alice ฿0.05
Bob -> Alice ฿0.046Bob -> Alice ฿0.008
Ledger Bob -> Alice ฿0.001 Chunk -> Sara ฿0.05Eva -> Alice ฿0.009Alice -> John ฿0.02Bob -> Chunk ฿0.7Peter -> Bob ฿0.008Bob -> Alice ฿0.05
Bob -> Alice ฿0.046Bob -> Alice ฿0.008
Ledger
Bob -> Alice ฿0.001 Chunk -> Sara ฿0.05Eva -> Alice ฿0.009Alice -> John ฿0.02Bob -> Chunk ฿0.7Peter -> Bob ฿0.008Bob -> Alice ฿0.05
Bob -> Alice ฿0.046Bob -> Alice ฿0.008
Ledger
Bob -> Alice ฿0.001 Chunk -> Sara ฿0.05Eva -> Alice ฿0.009Alice -> John ฿0.02Bob -> Chunk ฿0.7Peter -> Bob ฿0.008Bob -> Alice ฿0.05
Bob -> Alice ฿0.046Bob -> Alice ฿0.008
Ledger
AchievingI consistency, efficiency and availability of the ledgerI auditability, immutability of the transactions
While preventingI transaction censorchip and double-spending attacks
6
Basic principlesI Crypto currency
I relies on cryptographic toolsI Decentralized system
I peer-to-peer architectureI Trustless model
I does not require a central server to validate/abort financialtransactions but requires participants to be online
I Anonymous usersI neither sellers nor buyers use their real identities to use
Bitcoins but if you are not careful your transactions can be tiedtogether
Satoshi Nakamoto. Bitcoin : APeer-to-Peer Electroni Cash System.October 2008,http ://nakamotoinstitute.org/bitcoin/
7
Bitcoin relies on a set of distributed algorithms
Bitcoin:
Peer-to-Peer Network
• Dissemination of transactions and blocks in the open and large scale Bitcoin system
Cryptographic primitives
• Bitcoins are immutable• Hash functions• Digital signature
• Merkle tree
Mining & Incentive
• Approximate the selection of a leader randomly chosen• Proportional to a resource we hope nobody can monopolize
(denial of service)• proof of work using hash puzzle (moderately difficult to
compute, parametrizable cost, trivial to verify)• Regulate the creation of new bitcoins
Blockchain & Agreement
• No trusted entity in charge of validating transactions nor creating money
• Total and secure ordering of all the valid transactions ever created
• Append only data structure
8
Preliminaries on crypto
I cryptographic hash functionsI digital signaturesI Merkle tree
9
hash functions
All currencies need some way to control supply and preventcounterfeiting money
I Fiat currencies (Dollar, Euro, Yen, Yuan)I central banks mint physical currencyI integrity of bank notes is guaranteed by anti-counterfeiting
features to physical currencyI Digital currencies
I a string of « 0 » and « 1 »I no central bank to prevent double-spending attacksI heavy use of cryptography
10
Hash functions
A hash function is an algorithm that allows to compute afingerprint of fixed size from data of arbitrary size
H : 0, 1∗ → 0, 1n
M 7→ H(M)
I rather than manipulating data of arbitrary size, a fingerprint isassociated to each data which makes operation easier
11
Hash functionsA hash function satisfies the following properties
I The input space is the set of strings of arbitrarily lengthI « hello world » and « hellohellohello world » are perfectly fine
inputsI The output space is the set of strings of fixed length
I H(« hello world ») = 000223I H(« hellohellohello world ») = 130554
I H is deterministicI H is efficiently computable
I Given a string s of length n the complexity to compute H(s) isO(n)
In addition to these properties, crypto-hash functions haveadditional requirements
12
Properties of cryptographic hash functions
I Collision resistanceIt must be difficult to find two inputs x and x ′ such that
H(x) = H(x ′)
I Second pre-image resistanceGiven an input x , it must be difficult to find an input value
x ′ 6= x such that H(x ′) = H(x)
I Pre-image resistanceGiven z , it must be difficult to find an input value x such that
H(x) = z
13
Collision resistance
Find two inputs x and x ′ such that H(x) = H(x ′)
x
y
H(x)=H(y)
14
Collision resistance
collisions do exist
possible inputspossible outputs
Image source: Bitcoin and Cryptocurrency Technologies.
15
Collision resistance
collisions do exist
possible inputspossible outputs
but can anyone find them ?
Image source: Bitcoin and Cryptocurrency Technologies.
16
Collision resistance property
Find two inputs x and x ′ such that H(x) = H(x ′)
Generic attack (i.e., a technique capable of attacking any n-bithash function )
I Choose 2n/2 random messages (birthday paradox)I Compute the hashed values and store themI Find one pair (x,x’) such that H(x) = H(x ′)
17
Birthday paradoxBirthday paradox is about the probability that, in a set of mrandomly chosen people, some pair of them will have the samebirthday.
I if m = 23 the probability to have collision is 50%I if m = 70 then p is equal to 99.9%
18
Birthday paradoxLet us first compute the probability that no two persons have thesame birthday. Let p′(m) be this probability
p′(m) =365365
364365
. . .365− (m − 1)
365
=365!
(365−m)!
1365m
Thus the probability p(m) that there exists two persons having thesame birthday is
p(m) = 1− p′(m) = 1− 365!(365−m)!
1365m
' 1− e−m(m−1)2×365
Thus
m(p) '
√2× 365 ln(
11− p
)
19
Birthday paradox
m(p) '
√2× 365 ln(
11− p
)
we get
m(1/2) = 23
In our case, the set of possible values is equal to 2n with n thelength of the binary string of the fingerprintThus
m(1/2) '√2 ln 2 2n/2
' 2n/2
20
Collision resistance property
Find two inputs x and x ′ such that H(x) = H(x ′)
Generic attack (i.e., a technique capable of attacking any hashfunction)
I Choose 2n/2 random messagesI Compute the hashed values and store themI Find one pair (x , x ′) such that H(x) = H(x ′)
If a computer calculates 10, 000 hashes/sI it would take 1027 years to output 2128 hashes, andI thus 1027 years to produce a collision with probability 1/2
Astronomical number of computations ! !So far no hash functions have been proven to be collision resistant
21
Collision resistance propertyTo summarize :
Collision resistant hash functions allows usI to identify data by its hashed value (i.e digest, fingerprint)
I if H(x) = H(y) then it is safe to assume that x = y
I Bitcoin :I to identify blocks in the blockchainI to make blocks resistant to tampering (modifying a single bit
changes the fingerprint)
22
Second-preimage resistance
Given an input x , it is difficult to find an input value x ′ 6= x suchthat H(x ′) = H(x)
Generic Attack : probabilistic search
I Given x and its hashed value H(x) (n bits value)I Randomly choose xi and compute zi = H(xi )
I Proba(zi = H(x)) = 1/2n
I Thus after having chosen 2n inputs it is likely that one canfind a pre-image xi 6= x such that H(xi ) = H(x)
23
File integrity
file1 H( file1) = 3214 5670 ab67 0123 8760 2123 34BF 0A23
(256 bits)
file2
Assume you have file 1
Is it possible to build another file, file 2, such that both files have the same fingerprint?
24
Preimage resistance
Given z , find an input value x such that H(x) = z
Generic Attack : probabilistic search
I Given a hashed value z
I Randomly choose xi and compute zi = H(xi )
I Proba(zi = z) = 1/2n
I Thus after having chosen 2n inputs it is likely that one canfind a pre-image xi such that H(xi ) = z
25
Passwords storage
I In your machine, passwords are not stored. Only their hashedvalue is stored
I When you want to authenticate, the login pg computes thehashed value, which is compared with the one stored in/etc/passwd
Property : Given the hashed value y it must be difficult to find xsuch that H(x) = H(password) = y
26
Merkle-Damgard construction
27
Hash pointers
A hash pointer is the cryptographic hash value of the pointedinformation
45etb
H(bloc)=6736a
6736a
info n
1b781
H(bloc)=1b781 H(bloc)=56ac3
56ac3
28
Hash pointers
Hash pointers allows the construction of a log data structure thatallows the detection of any manipulation
45etb
H(bloc)=6736a
6736a
info n
1b781
H(bloc)=1b781 H(bloc)=56ac3
56ac3
29
Hash pointers
Hash pointers allows the construction of a log data structure thatallows the detection of any manipulations
45etb
H(bloc)=6736a
6736a
info n
1b781
H(bloc)=1b781 H(bloc)=56ac3
56ac3
n'
30
Hash pointers
Hash pointers allows the construction of a log data structure thatallows the detection of any manipulations
45etb
H(bloc)=6736a
6736a
info n
1b781
H(bloc)=1b781 H(bloc)=56ac3
56ac3
n'
31
Hash pointers
Hash pointers allows the construction of a log data structure thatallows the detection of any manipulations
45etb
H(bloc)=6736a
6736a
info n
1b781
H(bloc)=1b781 H(bloc)=56ac3
56ac3
n'
3 By only keeping the hash pointer of the head of the datastructure, we have a tamper-evident hash of a possibly verylong list
32
Hash tree : Merkle Tree
A Merkle tree 1 is a tree of hashes
I Leaves of the tree are data blocksI Nodes are the hashes of their childrenI Root of tree is the fingerprint of the tree
1. Merkle, R. C. (1988). "A Digital Signature Based on a ConventionalEncryption Function". Advances in Cryptology - CRYPTO ’87.
33
Hash tree : Merkle Tree
h000 = h(b0) h001 = h(b1)
h00 = h( h000 || h001 )
h0 = h( h00 || h01 )
b0 b1
h010 = h(b2) h011 = h(b3)
h01 = h( h010 || h011 )
b2 b3
h100 = h(b4) h101 = h(b5)
h10 = h( h100 || h101 )
h1 = h( h10 || h11 )
b4 b5
h110 = h(b6)
h11 = h( h110 || h110 )
b6
h = h( h0 || h1 )
34
Hash tree : Merkle Tree
3 Checking the integrity of the n data blocks of the treeI easy due to collision resistance property of crypto. hash
functionsI Data blocks membership
I checked with log n pieces of information and in log n operations
35
Hash tree : Merkle Tree
h000 = h(b0) h001 = h(b1)
h00 = h( h000 || h001 )
h0 = h( h00 || h01 )
b0 b1
h010 = h(b2) h011 = h(b3)
h01 = h( h010 || h011 )
b2 b3
h100 = h(b4) h101 = h(b5)
h10 = h( h100 || h101 )
h1 = h( h10 || h11 )
b4 b5
h110 = h(b6)
h11 = h( h110 || h110 )
b6
h = h( h0 || h1 )
36
Hash tree : Merkle Tree
I know the root of the Merkle tree, and I would like to knowwhether data block b3 belongs to the tree ?
Question : How can I do that without looking for the full tree ?
37
Hash tree : Merkle Tree
b3
h = h( h0 || h1 )
38
Hash tree : Merkle Tree
h011 = h(b3)
b3
h = h( h0 || h1 )
39
Hash tree : Merkle Tree
h010 = h(b2) h011 = h(b3)
b3
h = h( h0 || h1 )
h01 = h( h010 || h011 )
40
Hash tree : Merkle Tree
h00 = h( h000 || h001 )
h010 = h(b2) h011 = h(b3)
h01 = h( h010 || h011 )
b3
41
Hash tree : Merkle Tree
h00 = h( h000 || h001 )
h0 = h( h00 || h01 )
h010 = h(b2) h011 = h(b3)
h01 = h( h010 || h011 )
b3
h = h( h0 || h1 )
42
Hash tree : Merkle Tree
h00 = h( h000 || h001 )
h0 = h( h00 || h01 )
h010 = h(b2) h011 = h(b3)
h01 = h( h010 || h011 )
b3
h = h( h0 || h1 )
h1 = h( h10 || h11 )
43
Hash tree : Merkle Tree
h00 = h( h000 || h001 )
h0 = h( h00 || h01 )
h010 = h(b2) h011 = h(b3)
h01 = h( h010 || h011 )
b3
h = h( h0 || h1 )
h1 = h( h10 || h11 )
44
Hash tree : Merkle Tree
I know the root of the Merkle tree, and I would like to knowwhether data block b3 belongs to the tree ?
Question : How can I do that without looking for the full tree ?
I need log n pieces of information and log n hash operations
45
Digital signature primitive
A digital signature is just like a signature on a document
I Only the creator of the document can sign, but anyone canverify it
I Signature is tied to a particular document
How can we build such a digital signature ?
46
Digital signatureThree functions :
I (sk ,pk) := generateKeys(keysize)I sk : private signing keyI pk : public verification key
I sig := sign(sk , H(message))I ver := verify(pk , sig)
47
Digital signatureRequirements :
I The verify operation must return true when fed with validsignatures
verify(pk , sign(sk , H(message)))=H(message)I The signature scheme is unforgeable
An adversary that knows pk and can choose any messages tobe signed cannot produce a verifiable signature for another
message
48
Digital signature
M
H(M)
H(M) = 01011011
SIG(H(M),s_k)(M, sig)
= sig
Alice Bob
H(M)
VER(p_k,sig) = ver
if (ver = H(M)) then sig is valid
Indeed: ver = VER(p_k, sig) = VER(p_k, SIG(H(M),s_k)) = H(M)
49
Digital signature
I The algorithms to generate keys and sign must have access toa good source of randomness
I Signing the hash of a message is as safe as signing themessage itself
In Bitcoin, the signature scheme is ECDSA (Elliptic Curve DigitalSignature Algorithm) 2
I private key = 256 bitsI Public key = 512 bitsI Message = 256 bitsI signature = 512 bits
2. Johnson, Don, Alfred Menezes, and Scott Vanstone. The elliptic curvedigital signature algorithm (ECDSA) . International Journal of InformationSecurity 1.1 (2001) : 36-63
50
Using verification public key as an identityIdea : use the verification key of a signature as an identity
I If you see a msg such that the signature verifies under pk (i.e.verify(pk , sig)= msg) then on can see pk as a party sayingstatements by signing them
I To speak on behalf of pk one must know skI So there is an identity in the system such that only a single
one can speak for it which is what we want for a signature
3 By looking at public keys as identities you can generate asmany identities as you want !
51
Using verification public key as an identity
I Create new identities :I Eric creates a new pair (sk ,pk)I pk is the public name Eric usesI Eric is the only person that can speak on behalf of pk because
he knows skI pk is sufficient ! nobody needs to know that Eric created it
I Creation of identities as often as you want !I no central authority in charge of registering new identities !I this is the way Bitcoin creates identities (called addresses)
I address = Hash(public key)
52
Using verification public key as an identitySome words on privacy
I no relationships between pk based identities and real identitiesI by using the same pk (identity) an adversary can infer some
relationships based on the activity of pk
53
Transaction
The state of the Bitcoin world is represented by transactions
I data structure that allows Alice to transfer bitcoins to Bob andCharly
I does not contain any confidential informationI verifiable by anyone → no trusted third-party !
I Alice’s account(input address)
I Bob’s and Charly’saccounts (outputaddress)
I possibly somechange
I transactions fees
Input #1
Output ref. + script
Input #2
Output ref. + script
Transaction
Output #1account + ฿
Output #2account + ฿
54
Transaction
An account is a « one shot object »
I an account is a <(private key,public key), amount of bitcoins>I debited once !I each time you are the recipient of a transaction, it’s safer if
you create a new account (privacy reasons)
Checking the ownership of an account
I how can anyone check that I am the legitimate owner of anaccount since there are no identities in a transaction ?
I using « public keys » as identities
55
Transaction
I Bitcoin relies on a (limited) script languageI to lock an output, the script provides a challenge
I i.e., fingerprint of the recipient public key, H(pk)I to unlock an input, the script provides the solution of the
challengeI i.e., public key pk together with sk ’s signature
Input #1
Output ref. + script
Input #2
Output ref. + script
Transaction
Output #1account + ฿
Output #2account + ฿
56
Script language
57
Script language
58
Script language
Input ----
Output OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
Transaction T
Input <sig> <pubKey>
Output ----
Transaction T'
<sig>
OP_DUP OP_HASH<pubKey>
<sig><pubKey>
<pubKey>
<sig><pubKey>
<pubKey>
pubHashA>
OP_EQUALVERIFY
<sig><pubKey>
OP_CHECKSIGif true empty
59
Relying on past transactions to create new ones
Transaction 20ab3701i
Transaction 74201ab3c
UTXO
UTXO = Unspent Transaction Output
Output #2account + ฿ + script
Output #1account + ฿ + script
Output #1account + ฿ + script
Output #1account + ฿ + script
Input #1
Output ref. + script
Transaction 1206ac34e
Output #2account + ฿ + script
Output #3account + ฿ + script
Output #1account + ฿ + script
Input #1
Output ref. + script
Input #2
Output ref. + script
Input #1
Output ref. + script
Input #2
Output ref. + script
Do not forget Tx fees, i.e., ฿ input > ฿ output
UTXO
60
Peer-to-Peer Network
I Topology formed through a randomized processI No coordinating entityI Broadcast is based on flooding/gossiping neighbors’ link
Tx d->e
Tx a->B
Tx a->B Tx a->B
Tx a->B
Tx a->B
Tx a->B
Tx a->B
Tx a->B
Tx a->B
Tx a->B
Tx d->e
Tx d->e
Tx d->e
Tx d->e
Tx d->e
Tx a->B
Tx d->e
Tx d->e
Tx a->B
Tx a->BTx d->e
61
Peer-to-Peer Network
transactiontransactiontransactiontransactiontransaction
transactiontransactiontransactiontransaction
transactiontransactiontransactiontransactiontransaction
transactiontransactiontransactiontransactiontransactiontransaction
transactiontransactiontransactiontransactiontransaction
transactiontransactiontransactiontransaction
transactiontransactiontransactiontransactiontransaction
transactiontransactiontransactiontransactiontransactiontransaction
transactiontransactiontransactiontransactiontransaction
bag of transactions
node of the network
Internet
62
Resistance to « double-spending attacks »
transactiontransactiontransactiontransactiontransaction
transactiontransactiontransactiontransaction
transactiontransactiontransactiontransactiontransaction
transactiontransactiontransactiontransactiontransactiontransaction
transactiontransactiontransactiontransactiontransaction
bag of transactions
node of the network
Internet
63
Required properties
1. ConnectivityI Each node should receive any broadcast information
2. Low latency 3
msg. transmission timeblock time interval
� 1
3 Allows to keep the probability of fork small (i.e. 10−3)3 PoW mechanism allows this ratio to continuously hold7 No more than 7 trans/s can be permanently confirmed in
average ! !
3. J. Garay and A. Kiayias, The Bitcoin Backbone Protocol : Analysis andApplication, Eurocrypt 2015
64
A chain of blocks : the blockchain
A publicly, immutable, and totally ordered log of transactions
65
Block of transactions
Transaction 945846Transaction 58801aTransaction 665389Transaction 7654ab
.
.
.Transaction 321456
66
Blocks of transactions
Transaction 945846Transaction 58801aTransaction 665389Transaction 7654ab
.
.
.Transaction 321456
Transaction 437621Transaction 8593abTransaction 12367bTransaction 793154
.
.
.Transaction 653278
Transaction 336789Transaction 7245abTransaction 635566Transaction 12f4a22
.
.
.Transaction 232356
67
Resistant to attacks
Transaction 945846Transaction 58801aTransaction 665389Transaction 7654ab
.
.
.Transaction 321456
Transaction 437621Transaction 8593abTransaction 12367bTransaction 793154
.
.
.Transaction 653278
Transaction 336789Transaction 7245abTransaction 635566Transaction 12f4a22
.
.
.Transaction 232356
68
Resistant to attacks
Transaction 945846Transaction 58801aTransaction 665389Transaction 7654ab
.
.
.Transaction 321456
Transaction 437621Transaction 8593abTransaction 12367bTransaction 793154
.
.
.Transaction 653278
Transaction 336789Transaction 7245abTransaction 635566Transaction 12f4a22
.
.
.Transaction 232356
Transaction 945846Transaction 58801aTransaction 665389
Transaction 7654ab...
Transaction 321456
69
A chain of blocks : the blockchain
A publicly, immutable, and totally ordered log of transactions
I Why digital signatures are not sufficient ?
7 do not prevent double-spending attacks
I How can we securely link blocks ?
3 by linking them with cryptographic fingerprints
I How can we prevent transactions in a block from beingmanipulated ?
3 efficient cryptographic fingerprint of the transactions
I Who is allowed to create blocks ?
3 any node in the network capable of solving a given challenge
I Who is in charge of checking that blocks are correctlycreated ?
3 everyone ! !
70
A chain of blocks : the blockchain
A publicly, immutable, and totally ordered log of transactions
I Why digital signatures are not sufficient ?7 do not prevent double-spending attacks
I How can we securely link blocks ?
3 by linking them with cryptographic fingerprints
I How can we prevent transactions in a block from beingmanipulated ?
3 efficient cryptographic fingerprint of the transactions
I Who is allowed to create blocks ?
3 any node in the network capable of solving a given challenge
I Who is in charge of checking that blocks are correctlycreated ?
3 everyone ! !
71
A chain of blocks : the blockchain
A publicly, immutable, and totally ordered log of transactions
I Why digital signatures are not sufficient ?7 do not prevent double-spending attacks
I How can we securely link blocks ?3 by linking them with cryptographic fingerprints
I How can we prevent transactions in a block from beingmanipulated ?
3 efficient cryptographic fingerprint of the transactions
I Who is allowed to create blocks ?
3 any node in the network capable of solving a given challenge
I Who is in charge of checking that blocks are correctlycreated ?
3 everyone ! !
72
A chain of blocks : the blockchain
A publicly, immutable, and totally ordered log of transactions
I Why digital signatures are not sufficient ?3 do not prevent double-spending attacks
I How can we securely link blocks ?3 by linking them with cryptographic fingerprints
I How can we prevent transactions in a block from beingmanipulated ?
3 efficient cryptographic fingerprint of the transactionsI Who is allowed to create blocks ?
3 any node in the network capable of solving a given challenge
I Who is in charge of checking that blocks are correctlycreated ?
3 everyone ! !
73
A chain of blocks : the blockchain
A publicly, immutable, and totally ordered log of transactions
I Why digital signatures are not sufficient ?7 do not prevent double-spending attacks
I How can we securely link blocks ?3 by linking them with cryptographic fingerprints
I How can we prevent transactions in a block from beingmanipulated ?
3 efficient cryptographic fingerprint of the transactionsI Who is allowed to create blocks ?
3 any node in the network capable of solving a given challengeI Who is in charge of checking that blocks are correctly
created ?
3 everyone ! !
74
A chain of blocks : the blockchain
A publicly, immutable, and totally ordered log of transactions
I Why digital signatures are not sufficient ?7 do not prevent double-spending attacks
I How can we securely link blocks ?3 by linking them with cryptographic fingerprints
I How can we prevent transactions in a block from beingmanipulated ?
3 efficient cryptographic fingerprint of the transactionsI Who is allowed to create blocks ?
3 any node in the network capable of solving a given challengeI Who is in charge of checking that blocks are correctly
created ?3 everyone ! !
75
How can we securely link blocks ?
Cryptographic Hash functions
I allows you to compute a fixed-size fingerprint from any type ofdata
I deterministic functionI efficiently computableI practically impossible to invert (« one-way function »)
More on hash functions
H(block n-6) H(block n-5) H(block n-4) H(block n-3) H(block n-2) H(block n-1)
block n-6 block n-5 block n-4 block n-3 block n-2 block n-1 block n
H(block n-7)
Transaction 945846Transaction 58801aTransaction 665389Transaction 7654ab
.
.
.Transaction 321456
Transaction 437621Transaction 8593abTransaction 12367bTransaction 793154
.
.
.Transaction 653278
Transaction 336789Transaction 7245abTransaction 635566Transaction 12f4a22
.
.
.Transaction 232356
Transaction 652a11Transaction 432312Transaction 733566Transaction 22f432
.
.
.Transaction 672356
Transaction 336789Transaction 7245abTransaction 635566Transaction 12f4a22
.
.
.Transaction 232356
Transaction 437621Transaction 8593abTransaction 12367bTransaction 793154
.
.
.Transaction 653278
Transaction 945846Transaction 58801aTransaction 665389Transaction 7654ab
.
.
.Transaction 321456
76
How can we prevent transactions of a block from beingmanipulated ?
Merkle tree
A Merkle tree 4 is a treeI Leaves of the tree are data blocksI Nodes are the cryptographic hashes of their childrenI Root of tree is the fingerprint of the tree
More on Merkle tree
H(block n-6)Merkle root
H(block n-5)Merkle root
H(block n-4Merkle root
H(block n-3Merkle root
H(block n-2Merkle root
H(block n-1)Merkle root
block n-6 block n-5 block n-4 block n-3 block n-2 block n-1 block n
H(block n-7)Merkle root
Transaction 945846Transaction 58801aTransaction 665389Transaction 7654ab
.
.
.Transaction 321456
Transaction 437621Transaction 8593abTransaction 12367bTransaction 793154
.
.
.Transaction 653278
Transaction 336789Transaction 7245abTransaction 635566Transaction 12f4a22
.
.
.Transaction 232356
Transaction 652a11Transaction 432312Transaction 733566Transaction 22f432
.
.
.Transaction 672356
Transaction 336789Transaction 7245abTransaction 635566Transaction 12f4a22
.
.
.Transaction 232356
Transaction 437621Transaction 8593abTransaction 12367bTransaction 793154
.
.
.Transaction 653278
Transaction 945846Transaction 58801aTransaction 665389Transaction 7654ab
.
.
.Transaction 321456
4. Merkle, R. C. (1988). "A Digital Signature Based on a ConventionalEncryption Function". Advances in Cryptology - CRYPTO ’87.
77
Who is allowed to create blocks ?
Miners, i.e., any node capable of solving a highly complexcomputational puzzle
I A leader election algorithm is run among all the minersI Probabilistic oracleI Synchronize the creation of blocksI Prevent Sybil attacksI Incentivize correct behavior through currency creation
78
Minting money to incentivize correct behavior
BLOCK n
Previous block n-1
Merkle tree (root)
Proof of work
TransactionsT0T1...
BLOCK n-1BLOCK n-2
Coinbase transaction�12.5 + transactions
fees
I Nodes are working (racing) to solve the computational puzzleI This is in exchange for monetary rewards
I Coinbase transaction = 12.5 bitcoins + transaction feesI Started at 50 bitcoins and is halved every 210, 000 blocks
I This incentivizes miners to only work on valid blocksI « valid block » : for miners, this means blocks for which the
majority will accept to build upon
79
Blockchain Proof-of-Work
80
Blockchain Proof-of-Work
I Comes down to compute a hash partial inversionI find pre-image for a partially specified hash function output
81
Proof-of-Workstring=HelloWorld !, nonce=0, difficulty=000
82
Proof-of-Work
string=HelloWorld !, nonce=0, difficulty=000 1
HelloWorld!0:3f6fc92516327a1cc4d3dca5ab2b27aeedf2d459a77fa06fd3c6b19fb609106a
83
Proof-of-Work
string=HelloWorld !, nonce=1, difficulty=000 4
HelloWorld!0:3f6fc92516327a1cc4d3dca5ab2b27aeedf2d459a77fa06fd3c6b19fb609106aHelloWorld!1:b5690c48c2d0a09481186aaa99e4e090901ff2ac4d572e6706dfd30eefc22a27
84
Proof-of-Work
string=HelloWorld !, nonce=2, difficulty=000 2
HelloWorld!0:3f6fc92516327a1cc4d3dca5ab2b27aeedf2d459a77fa06fd3c6b19fb609106aHelloWorld!1:b5690c48c2d0a09481186aaa99e4e090901ff2ac4d572e6706dfd30eefc22a27HelloWorld!2:5b6fd9c27fcb54ca23404d9428f081b7c9280ba6370e33a6a20b16f40ce76320
85
Proof-of-Work
string=HelloWorld !, nonce=3, difficulty=000 3
HelloWorld!0:3f6fc92516327a1cc4d3dca5ab2b27aeedf2d459a77fa06fd3c6b19fb609106aHelloWorld!1:b5690c48c2d0a09481186aaa99e4e090901ff2ac4d572e6706dfd30eefc22a27HelloWorld!2:5b6fd9c27fcb54ca23404d9428f081b7c9280ba6370e33a6a20b16f40ce76320HelloWorld!3:9c5d769416aa0ca894abf22bd17bd30fbb6959291423ae1903a9f86a1fe7ce78....
86
Proof-of-Work
string=HelloWorld !, nonce=94, difficulty=000 5
HelloWorld!0:3f6fc92516327a1cc4d3dca5ab2b27aeedf2d459a77fa06fd3c6b19fb609106aHelloWorld!1:b5690c48c2d0a09481186aaa99e4e090901ff2ac4d572e6706dfd30eefc22a27HelloWorld!2:5b6fd9c27fcb54ca23404d9428f081b7c9280ba6370e33a6a20b16f40ce76320HelloWorld!3:9c5d769416aa0ca894abf22bd17bd30fbb6959291423ae1903a9f86a1fe7ce78....HelloWorld!94:7090a0e5d88cff635e42ea33fcd6091a058e9cdd58ab8cd5c21c1c70421e35c6
87
Proof-of-Work
string=HelloWorld !, nonce=95, difficulty=000 2
HelloWorld!0:3f6fc92516327a1cc4d3dca5ab2b27aeedf2d459a77fa06fd3c6b19fb609106aHelloWorld!1:b5690c48c2d0a09481186aaa99e4e090901ff2ac4d572e6706dfd30eefc22a27HelloWorld!2:5b6fd9c27fcb54ca23404d9428f081b7c9280ba6370e33a6a20b16f40ce76320HelloWorld!3:9c5d769416aa0ca894abf22bd17bd30fbb6959291423ae1903a9f86a1fe7ce78....HelloWorld!94:7090a0e5d88cff635e42ea33fcd6091a058e9cdd58ab8cd5c21c1c70421e35c6HelloWorld!95:b74f3b2cf1061895f880a99d1d0249a8cedf223d3ed061150548aa6212c88d43HelloWorld!96:447ca2fa886965af084808d22116edde4383cbaa16fd1fbcf3db61421b9990b9
88
Proof-of-Work
string=HelloWorld !, nonce=97, difficulty=000, 6
HelloWorld!0:3f6fc92516327a1cc4d3dca5ab2b27aeedf2d459a77fa06fd3c6b19fb609106a
HelloWorld!1:b5690c48c2d0a09481186aaa99e4e090901ff2ac4d572e6706dfd30eefc22a27
HelloWorld!2:5b6fd9c27fcb54ca23404d9428f081b7c9280ba6370e33a6a20b16f40ce76320
HelloWorld!3:9c5d769416aa0ca894abf22bd17bd30fbb6959291423ae1903a9f86a1fe7ce78
....
HelloWorld!94:7090a0e5d88cff635e42ea33fcd6091a058e9cdd58ab8cd5c21c1c70421e35c6
HelloWorld!95:b74f3b2cf1061895f880a99d1d0249a8cedf223d3ed061150548aa6212c88d43
HelloWorld!96:447ca2fa886965af084808d22116edde4383cbaa16fd1fbcf3db61421b9990b9
HelloWorld!97:000ba61ca46d1d317684925a0ef070e30193ff5fa6124aff76f513d96f49349d
89
Blockchain Proof-of-Work
Properties
I Algorithmically computableI Difficult to solve but quickly verifiedI Difficulty proportional to computation power
I average generation time : 10 minutesI proba p that one try is successful is p = D/2κ with {0, 1}κ the
range of H(.) and D the difficultyI around 23, 000, 000× 1012 hash/s
I Memoryless process
H(block n-6)Merkle root
Nounce
H(block n-5)Merkle root
Nounce
H(block n-4)Merkle root
Nounce
H(block n-3)Merkle root
Nounce
H(block n-2)Merkle root
Nounce
H(block n-1)Merkle root
Nounce
block n-6 block n-5 block n-4 block n-3 block n-2 block n-1 block n
H(block n-7)Merkle root
Nounce
Coinbase transac.Transaction 945846Transaction 58801aTransaction 665389Transaction 7654ab
.
.
.
Coinbase transac.Transaction 437621Transaction 8593abTransaction 12367bTransaction 793154
.
.
.
Coinbase transac.Transaction 336789Transaction 7245abTransaction 635566Transaction 12f4a22
.
.
.
Coinbase transac.Transaction 652a11Transaction 432312Transaction 733566Transaction 22f432
.
.
.
Coinbase transac.Transaction 336789Transaction 7245abTransaction 635566Transaction 12f4a22
.
.
.
Coinbase transac.Transaction 437621Transaction 8593abTransaction 12367bTransaction 793154
.
.
.
Coinbase transac.Transaction 945846Transaction 58801aTransaction 665389Transaction 7654ab
.
.
.
90
Blockchain construction
1
Block !
1
Block !
1
Block !
1
Block !
1
Block !
1
Block !
1
Block !
A B C D E F G
(B0,⊥)
B1
B2
B3
B4
B5
B6
B7
B8
(B0,⊥)
B1
B2
B3
B4
B5
B6
(B0,⊥) (B0,⊥) (B0,⊥) (B0,⊥) (B0,⊥)
90
Blockchain construction
2 5 3 3 4 1 2
Block ! Block ! Block ! Block ! Block ! Block ! Block !
A B C D E F G
(B0,⊥)
B1
B2
B3
B4
B5
B6
B7
B8
(B0,⊥)
B1
B2
B3
B4
B5
B6
(B0,⊥) (B0,⊥) (B0,⊥) (B0,⊥) (B0,⊥)
90
Blockchain construction
1
Block !
6
Block !
3
Block !
4
Block !
5
Block !
1
Block !
3
Block !
A B C D E F G
(B0,⊥)
B1
B2
B3
B4
B5
B6
B7
B8
(B0,⊥)(B1,B)
B2
B3
B4
B5
B6
(B0,⊥) (B0,⊥) (B0,⊥) (B0,⊥) (B0,⊥)
90
Blockchain construction
5 1 3 5 1 4 3
Block ! Block ! Block ! Block ! Block ! Block ! Block !
A B C D E F G
(B0,⊥)(B1,B)
B2
B3
B4
B5
B6
B7
B8
(B0,⊥)(B1,B)
B2
B3
B4
B5
B6
(B0,⊥)(B1,B)
(B0,⊥)(B1,B)
(B0,⊥)(B1,B)
(B0,⊥)(B1,B)
(B0,⊥)(B1,B)
90
Blockchain construction
5 4 2 3 2 1 1
Block ! Block ! Block ! Block ! Block ! Block ! Block !
A B C D E F G
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
B6
B7
B8
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
B6
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
90
Conflict : Transient inconsistencies
6 3 5 5 4 6 5
Block !
Block ! Block ! Block ! Block !
Block !
Block !
A B C D E F G
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
(B6,A)
B7
B8
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
B6
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
(B ′6,F )
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
91
Blockchain fork
BLOCK n-2BLOCK n-3 BLOCK n-1 BLOCK n BLOCK n+1 BLOCK n+2
BLOCK n+1
Nakamoto conflict chain ruleMine on the longest branch !
I Proba. that a block is removed from the blockchain decreasesexponentially with the number k of blocks appended to it.
I k = confirmation levelI When k ≥ 6, this proba is very small
91
Conflict : Transient inconsistencies
1 3 6 5 4 2 6
Block ! Block !
Block !
Block ! Block ! Block !
Block !A B C D E F G
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
(B6,A)
(B7,G )
B8
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
(B ′6,F )
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
(B ′6,F )
(B ′7,C )
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
(B ′6,F )
(B ′7,C )
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
(B6,A)
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
(B ′6,F )
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,E )
(B6,A)
(B7,G )
91
Conflict : Transient inconsistencies
6 3 2 5 4 2 4
Block !
Block ! Block ! Block ! Block ! Block ! Block !
A B C D E F G
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,B)
(B6,A)
(B7,G )
(B8,A)
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,B)
(B6,A)
(B7,G )
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,B)
(B6,A)
(B7,G )
(B8,A)
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,B)
(B6,A)
(B7,G )
(B8,A)
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,B)
(B6,A)
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,B)
(B6,A)
(B7,G )
(B8,A)
(B0,⊥)(B1,B)
(B2,E )
(B3,C )
(B4,A)
(B5,B)
(B6,A)
(B7,G )
92
Nakamoto consensus protocol
1. Leader election among all the minersI Probabilistic oracleI Synchronize the creation of blocksI Prevent Sybil attacksI Incentivize correct behavior through currency creation
2. A simple and local arbitration ruleI Select the chain which required the greatest among of work
B0 Bi
Bi+1
Bi+1
93
Nakamoto consensus protocol
1. Leader election among all the minersI Probabilistic oracleI Synchronize the creation of blocksI Prevent Sybil attacksI Incentivize correct behavior through currency creation
2. A simple and local arbitration ruleI Select the chain which required the greatest among of workI Random nature of the PoW = one chain will be extended more
than the others
B0 Bi
Bi+1
Bi+1
94
The 50% attack
I Once a transaction has been inserted in a block B of theblockchain, the sender of coins will typically expect someproduct or service in return
I This is undermined if the sender would be able, after receivingthe product, to broadcast a conflicting transaction sending thesame coin back to itself, and such that by chance this nonlegitimate transaction would appear in some concurrent blockB ′
I By applying the Bitcoin rule, this concurrent block B ′ mightinvalidate the legitimate one B if B ′ belongs to a longest chainthan the one of B
B0
Ti T
T’
95
The 50% attack (con’t)
I Thus as long as a legitimate recipient of a transaction is notsure that the coins it received will not be redirected to anotherparty, it is safer for him to wait before delivering the product(otherwise the recipient would lose its product withoutreceiving any coins)
The question is how long the recipient of transaction T ′ mustwait before delivering its product/service ?
I If an attacker controls a substantial computational power hemay succeed in computing sufficiently many concurrent blocksso that eventually « his » branch becomes longer than the onemined by honest miners, and win its attack
96
The 50% attack
I A transaction is said to have n confirmations if it included in ablock B which is part of the longest chain, and there are nblocks in the path from that block B to the leaf of the chain
I It is generally assumed that a transaction with enoughconfirmations is safe from double spending attacks
I We now study what it means « enough confirmations »
97
A game between two teamsWe consider two teams :
I A bad team Q which tries to make a successfuldouble-spending attack
I A honest team P which behave correctlySuppose that the legitimate transaction T belong to block B , andthe conflicting one T ′ belongs to block B ′
98
A game between two teams
1. Secretly team Q mines a chain of blocks B ′ . . . which builds onthe latest block that precedes block B
2. Team Q waits until block B receives enough confirmations andthe recipient, confident in its payment, sends the product
3. Team Q continues to mine blocks in the secret chain (whichcontradicts block B) until this secret chain is longer than thepublic chain (the one that contains B)
4. Then team B broadcasts its secret chain. This chain beinglonger that the public one, it is considered as the new validone, and thus the payment to the recipient will be replaced bythe payment to the attacker
99
A game between two teams
I Let n be the number of blocks after the fork in the publicchain (mined by team P)
I Let m be the number of blocks that team Q succeded to mineafter the fork
I Both teams are trying to win the competitionI The question is « Is team Q will be able to catch-up with a
longer chain ? » or will the gap just keep increasing, leavingteam Q behind with a chain which will never be valid ?
B0
Ti T
T’
nblocks
m blocks z blockslatetocatchup
TeamQTeamP
100
A game between two teams
I We suppose that the total hashrate of team P and team Q isconstant and equal to H
I Team P has a hashrate of p.HI Team Q has a hashrate of q.H, where p + q = 1
I Let z = n −m
I z is the number of blocks by which the honest team (P) hasan advantage on the attacker (team Q)
I when team P finds a block, z increases by 1 and when team Qfinds a block, z decreases by 1
I z = −1 then the attack of team Q succeeds. If it neverhappens, the attack fails
101
A game between two teams
I This process is equivalent to a discrete time Markov chainI A step is defined as finding a block by team P or team QI We have at step i + 1
zi+1 = zi + 1 with probability p andzi+1 = zi − 1 with probability q
102
A game between two teams
I Let az be the probability that the attacker will be able tocatch up when it is z block behind the honest team (initialdisadvantage = z)
I if z < 0 then az = 1 (the attacker has a longer branch)I now, if z ≥ 1, what is the value of az ?I if the next block which is found is found by the honest team,
which happens with probability p, then the attacker will bez + 1 blocks behind, and its probability of success will be az+1
I if the next block which is found is found by the attacker,which happens with probability q, then the attacker will bez − 1 blocks behind, and its probability of success will be az−1.
I This leads to the following relation
az = paz+1 + qaz−1
103
A game between two teams
I We haveaz = paz+1 + qaz−1
I remember that p + q = 1, which leads to
az = 1 if z < 0 or if q > p
az = (q/p)z+1 if z ≥ 0 and q ≤ p
Remarks :I if the attacker owns more than 50% of the computational
power, then he always succeeds catching up, from any gap z
I when q < p the probability of success decreases exponentiallywith gap z . The lower q is, the faster the decay.
104
A game between two teams
I We have just seen that the probability that the attackersucceeds depends on z
I So what is a reasonable value for the number of confirmationsn for a merchant to be sure that his transaction will stayforever in the blockchain ?
I We model m as the number of successes (blocks found by theattacker) before n failures (blocks found by the honest team).Thus m is a negative binomial variable.
I The probability P(q,m, n) of having m success before nfailures is
P(q,m, n) =
(m + n − 1
m
)pnqm
I Once n blocks have been mined by the honest team in aperiod of time during which m + 1 blocks have been found bythe attacker, the race starts with z = n −m − 1
105
A game between two teams
I Thus the probability for a double-spending attack to succeedwhen the merchant waits for n confirmations blocks is theprobability of the attacker progressing from 1 pre-computedblock to m blocks and then catching up from a difference ofm −m blocks :
d =∞∑
m=0
an−m−1P(q,m, n)
d =n∑
m=0
an−m−1P(m) +∞∑
m=n+1
an−m−1P(m)
d =n∑
m=0
an−m−1
(m + n − 1
m
)pnqm+
∞∑m=n+1
an−m−1
(m + n − 1
m
)pnqm
d = 1−∑n
m=0(m+n−1
m
)(pnqm − qnpm) if q < p
d = 1 if q ≥ p
106
Probability of a successful double spend attack as a functionof the attacker’s hashrate q and the number ofconfirmations n
107
Looking at the blockchain as a shared object
107
Looking at the blockchain as a shared object
1
Block !
1
Block !
1
Block !
1
Block !
1
Block !
1
Block !
1
Block !
A B C D E F G
(B0,⊥)
B1
B2
B3
B4
B5
B6
B7
107
Looking at the blockchain as a shared object
2
Block !
5
Block !
3
Block !
3
Block !
4
Block !
1
Block !
2
Block !
A B C D E F G
(B0,⊥)
B1
B2
B3
B4
B5
B6
B7
107
Looking at the blockchain as a shared object
1
Block !
6
Block !
3
Block !
4
Block !
5
Block !
1
Block !
3
Block !
A B C D E F G
(B1,B)(B0,⊥)
B1
B2
B3
B4
B5
B6
B7
write(B
1,B)
107
Looking at the blockchain as a shared object
1
Block !
6
Block !
3
Block !
4
Block !
5
Block !
1
Block !
3
Block !
A B C D E F G
(B1,B)(B0,⊥)
B1
B2
B3
B4
B5
B6
B7
read()=(B
0 ,⊥)(B
1 ,B)
107
Looking at the blockchain as a shared object
5
Block !
4
Block !
2
Block !
3
Block !
2
Block !
1
Block !
1
Block !
A B C D E F G
(B5,E )(B4,A)(B3,C )(B2,E )(B1,B)(B0,⊥)
B1
B2
B3
B4
B5
B6
B7
107
Looking at the blockchain as a shared object
5
Block !
4
Block !
2
Block !
3
Block !
2
Block !
1
Block !
1
Block !
A B C D E F G
(B5,E )(B4,A)(B3,C )(B2,E )(B1,B)(B0,⊥)
B1
B2
B3
B4
B5
B6
B7
write(B
6,A)
read()=?
107
Looking at the blockchain as a shared object
5
Block !
4
Block !
2
Block !
3
Block !
2
Block !
1
Block !
1
Block !
A B C D E F G
(B5,E )(B4,A)(B3,C )(B2,E )(B1,B)(B0,⊥)
B1
B2
B3
B4
B5
B6
B7
write(B
6,A)
read()=?
write(B
6 ,F)
108
The main steps to write and read the blockchain
I As you have seen, each miner needs to locally manage a datastructure from which it extracts the blockchain, i.e., thelongest chain (more exactly the one which required the mostamount of work)
I Actually this data structure is a treeI the root of the tree is the common block called the genesis
blockI Let T B be this tree, and B be the longest chain in T BI What about the read and write operations :
I a read operation on T B should return BI a write operation on T B should try to change the value of T B
with a new block B, that is B to which is appended B
109
The main steps to write and read the blockchainI When a miner wishes to augment the blockchain with a new
blockI it first invokes a read on T B to get the current blockchain BI then the miner creates its block B1, appends it to B :B ← B ⊕ B1
I then it invokes a write on T B with B as parameterI finally it broadcasts B in the system (actually from a practical
point of view, only B is broadcast)
Blockchain -as-a-shared -object Algorithm //run by a miner
{repeat forever{B = DLR.read()create the well -formed block b from Bappend b to BDLR.write(T B,B)
}}
110
Classical Shared RegistersLiveness : Any read / write operation terminates1. Safe register Safety :
read() =
{last written value,any value of the register domain if concurrent write
2. Regular register Safety :
read() = v
{last written value,value written by a concurrent write
3. Atomic register Safety :(Regular register safety) +
(no old / new inversions
)
111
Blockchain
BLOCK n-2BLOCK n-3 BLOCK n-1 BLOCK n BLOCK n+1 BLOCK n+2
BLOCK n+1
112
Classical Shared Registers
I If we look at the blockchain as a shared object, we observethat it is quite different from a read/write register
I In a classic R/W register, we do not impose that writeoperations depend on each other
I We need to introduce a new object that better captures thesemantics of blockchains
113
Algorithm run by a miner in terms of read and writeoperations
Blockchain -as-a-shared -object Algorithm // runby a miner
{repeat forever{B = DLR.read()create the well -formed block b from Bappend b to Bwrite(T B,B)
}}
114
Algorithm run by a miner in terms of read and writeoperations
Operation read(){
return best_chain(B)}
115
Algorithm run by a miner in terms of read and writeoperations
Operation write(T B,B){
update_tree(T B,B)broadcast(B)
return}
116
Algorithm run by a miner in terms of read and writeoperations
I Recall that an important property of Bitcoin is the number ofconfirmations n
I Once a block has n (e.g. n = 6) confirmations then one mayhave confidence that this block will stay forever in theblockchain
! !'
write(!)$ read()%>$!'
n
117
Algorithm run by a miner in terms of read and writeoperations
Operation write(T B,B){
update_tree(T B,B)broadcast(B)repeatB′ = read()
until length(B′) ≥ length(B)+nif B = prefix(B′)
return trueelse
return abort
upon deliver(B)update_tree(T B,B)
}
118
Distributed Ledger Register (DLR)
I A DLR should mimic the behavior of a blockchain andI A DLR should allow any number of writers (miners) to write it
andI A DLR should allow any number of readers (anyone) to read it
119
Distributed Ledger Register (DLR)
I DLR = tree structure T BI Root = genesis blockI Branch = sequence of blocks
I Value of DLRI longest sequence of blocks starting from the genesis block
(initial value of the register)I called the blockchain, and denoted B
I Two operations :I DLR.read() : returns the blockchainI DLR.write(B) : update the value of DLR with B
120
write() operation
Definition (n-valid)
Operation write(B) invoked at time tw > 0 is n-valid if and onlyif for any read operation r invoked at time tr , tr > tw , r returns B′such that
I B is a prefix of B′ and length(B′) ≥ length(B) + n.write(B) :update T B with Breturns true if it is n-valid, abort otherwise
!0
!
!''
!'
write(!)$%>$true
read()%>$!'
n
write(!'')$%>$abort
121
Specification of the Distributed Ledger RegistersA Multi-Reader/Multi-Writer Distributed Ledger is defined by thefollowing properties :
I Liveness Any invocation of a read or a write(B) operationterminates
I n-consistency Any read() operation returns B whose prefixB′ is the value of the register written by the last n-validwrite(B′) operation that precedes read().
In other words the n-consistency property says that the returnedblockchain except for the last n appended blocks isexactly the value written by the last n-valid write()operation
122
Blockchain-as-a-shared-object Algorithm proof : liveness
LemmaBlockchain-as-a-shared-object Algorithm (A) satisfies the livenessproperty of the DLR
ProofI The read() operation (see code) always returns since the read
is executed locallyI For the write() operation (see code), the only blocking part of
the code is the repeat loopI By assumption of A, miners continuously try to create blocks
which gives rise to the invocation of write() operationperiodically
I Thus the loop stops, which allows the write() operation toeither return true or abort
I This ends the proof
123
Blockchain-as-a-shared-object Algorithm proof : n-validity
LemmaEach non aborted write() operation invoked by A satisfies then-validity property of the DLR
ProofI Let w be any non aborted write(B) operation that completes
at time t
I Note that this operation returns only when the best chain inthe tree, say B′, has B as a prefix and has at least k additionalblocks (see code)
I Let r be a read() operation that happens after op w .I If r is invoked by the miner that invoked w then necessarily the
n-validity holdsI Otherwise, by the property of the broadcast, there is a time τ ,
such that by time t + τ , B′ has reached all the nodes. Henceany read() invoked after t + τ returns at least B′
I This completes the proof
124
Blockchain-as-a-shared-object Algorithm proof :n-consistency
LemmaEach read() operation invoked by A after that τ time units haveelapsed since the last n-valid operation satisfies the n-consistency