Notes on Xiao Zhen's Peking University open course "Blockchain Technology and Application": BTC part

These notes record the main points of the course and the reasoning behind them. Following the course structure they are split into two parts, BTC and ETH; this is the BTC part.

Companion notes: Xiao Zhen's Peking University open course "Blockchain Technology and Application": ETH part

01-Course Introduction


  • References (where they disagree, the source code is authoritative)
    • Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction (published in 2016, partly outdated)
    • Ethereum white paper, yellow paper and source code
    • Solidity documentation

Course Outline: Bitcoin

  • bitcoin
    • Cryptography Basics
    • Bitcoin Data Structure
    • Consensus Protocol and System Implementation
    • Mining algorithm and difficulty adjustment
    • bitcoin script
    • Soft forks and hard forks
    • Anonymity and privacy protection

Course Outline: Ethereum

  • Ethereum
    • Overview: Account-Based Distributed Ledgers
    • Data structures: state tree, transaction tree, receipt tree
    • GHOST protocol
    • Mining: memory-hard mining puzzle
    • Mining Difficulty Adjustment
    • proof of stake
      • Casper the Friendly Finality Gadget(FFG)
    • smart contract
  • Summary and Outlook

02-BTC-Principles of Cryptography


Bitcoin relies on two cryptographic primitives: hash functions and digital signatures.

  • The hash functions used here are cryptographic hash functions, which need three properties:
  1. Collision resistance: given an input x, it is computationally inf
easible to find a different input y with H(y) = H(x). Collisions must exist (the input space is far larger than the 256-bit output space), but nobody can find one, so H(x) serves as a tamper-evident digest of x. This property cannot be proven mathematically; it rests on experience (MD5 was once believed collision resistant and is now broken).
  2. Hiding: the computation is one-way. From H(x) nothing about x can be recovered. This only holds if the input has enough entropy; if x comes from a small set, an attacker simply hashes every candidate. The usual fix is to hash x together with a random nonce, H(x || nonce), which is how hash-based commitments work.
  3. Puzzle friendliness: there is no shortcut to finding an input whose hash lands in a chosen range. The only way to find a nonce with H(block header) ≤ target is to keep trying, which is exactly what mining does. The puzzle is hard to solve but trivial to verify (one hash).

  • Opening an account in the Bitcoin system:
  1. Generate a (public key, private key) pair locally; that pair is the account. The keys come from a public-key (asymmetric) cryptosystem, and nobody needs to be told that the account exists.

  2. In public-key encryption a sender encrypts with the recipient's public key, and the recipient decrypts with their own private key. Bitcoin does not encrypt transactions (they are public); it only uses the keys for signatures.

  3. The private key signs a transaction; the public key verifies the signature (it does not "decrypt"). The payer includes the public key in the transaction so that every node can check the signature.

  4. Key generation therefore needs a good source of randomness: if two users' generators produced the same key pair, either could spend the other's coins, and a weak or predictable generator lets an attacker reproduce the private key. The same applies to the per-signature random value in ECDSA: reusing it across two signatures reveals the private key.

03-BTC-data structure


  • Hash pointer

    An ordinary pointer stores the memory address of a structure. A hash pointer also stores the hash H() of the structure (in Bitcoin only the hash is stored in the block; the referenced block is looked up by its hash). The hash lets a reader both find the structure and check that it has not been tampered with.


  • The most basic structure in Bitcoin is the blockchain

    • Difference between a blockchain and an ordinary linked list:

      1. Hash pointers replace ordinary pointers (a blockchain is a linked list built from hash pointers).

      2. In an ordinary linked list any element can be changed without affecting the others. In a blockchain, changing any block changes its hash, which changes the hash pointer stored in the next block, and so on up to the latest block. Keeping only the hash of the latest block is therefore enough to detect that the chain was changed and to locate where (a tamper-evident log).

    • A block is divided into a block header and a block body

      • The block header contains the root hash of the Merkle tree of the transactions in the body

  • Merkle tree (the data structure of the transactions inside a block)

    • The leaves are the data blocks, each of which is a transaction; every internal node holds the hash of its two children (a hash pointer); the hash of the root node is the root hash, which goes into the block header. Bitcoin hashes with double SHA-256 and pairs an unpaired node on an odd level with itself.

    • Purpose: Merkle proofs, i.e. proving that a transaction is included in a block

      • To prove that a given transaction is in the block:

        A light node (which stores only block headers, not the transactions) asks a full node for the transaction and the hashes of the sibling nodes along the path from that leaf to the root. It then recomputes the hashes upward and checks whether the result equals the Merkle root in the block header. The proof contains O(log n) hashes for n transactions, and the full node cannot forge it without finding a hash collision.

      • How to prove that a certain transaction is NOT in the Merkle tree?

        This needs an ordering on the leaves, for example sorting the leaves by transaction hash in ascending order. To check a transaction, compute its hash and find where it would have to be if it were present, say between the third and fourth leaves. The proof then consists of the Merkle proofs of the third and fourth leaves. If both proofs recompute to the root hash in the header, those two leaves really are adjacent in the original tree; the transaction would have to sit between them, and since it does not, it is not in the tree. The complexity is still logarithmic, at the cost of sorting. Such a tree is called a sorted Merkle tree. Bitcoin does not use one, because Bitcoin never needs to prove non-membership.
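The inclusion proof and the sorted-tree non-inclusion proof just described, as an added example (my code, not the course's): a light node holding only the header's Merkle root verifies what a full node sends. The transactions are constructed byte strings; `h` is Bitcoin's double SHA-256, and an odd level is padded by duplicating its last node as Bitcoin does. The non-inclusion proof deliberately refuses targets outside the leaf range, because the root does not commit to the number of leaves.

```python
import bisect
import hashlib

def h(data: bytes) -> bytes:
    """Node hash as in Bitcoin: double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def _pad(level):
    """An odd node on a level is paired with a copy of itself (Bitcoin's rule)."""
    return level + [level[-1]] if len(level) % 2 else level

def merkle_root(txids):
    """Hash sibling pairs upward until one node is left; that node is the root stored in the header."""
    level = list(txids)
    while len(level) > 1:
        level = _pad(level)
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def merkle_proof(txids, index):
    """What a full node hands to a light node: the sibling hash at each level, tagged with its side."""
    proof, level, i = [], list(txids), index
    while len(level) > 1:
        level = _pad(level)
        sib = i ^ 1
        proof.append((level[sib], sib < i))        # True: the sibling sits to the left of our node
        level = [h(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
        i //= 2
    return proof

def verify_proof(txid, proof, root):
    """What the light node does with only the header's Merkle root: recompute the path and compare."""
    node = txid
    for sib, sib_is_left in proof:
        node = h(sib + node) if sib_is_left else h(node + sib)
    return node == root

def leaf_index(proof):
    """The proof encodes the leaf position: a left sibling at depth d means bit d of the index is set."""
    return sum(1 << d for d, (_, sib_is_left) in enumerate(proof) if sib_is_left)

def non_inclusion_proof(sorted_txids, target):
    """Sorted Merkle tree only: inclusion proofs for the two adjacent leaves that bracket `target`."""
    pos = bisect.bisect_left(sorted_txids, target)
    if pos < len(sorted_txids) and sorted_txids[pos] == target:
        raise ValueError("target is in the tree")
    if pos == 0 or pos == len(sorted_txids):
        # The root does not commit to the leaf count, so "no leaf before/after" cannot be shown this way.
        raise ValueError("target lies outside the leaf range; two-neighbour proof not possible")
    return [(sorted_txids[pos - 1], merkle_proof(sorted_txids, pos - 1)),
            (sorted_txids[pos], merkle_proof(sorted_txids, pos))]

def verify_non_inclusion(target, neighbours, root):
    """Both neighbours must be in the tree, be adjacent leaves, and bracket the target in sorted order."""
    (lo, lo_proof), (hi, hi_proof) = neighbours
    return (verify_proof(lo, lo_proof, root) and verify_proof(hi, hi_proof, root)
            and leaf_index(hi_proof) == leaf_index(lo_proof) + 1
            and lo < target < hi)

if __name__ == "__main__":
    txs = [b"constructed tx %d" % i for i in range(5)]   # constructed stand-ins for real transactions
    txids = [h(tx) for tx in txs]
    root = merkle_root(txids)
    print(verify_proof(txids[3], merkle_proof(txids, 3), root))
```

The adjacency check in `verify_non_inclusion` is what stops a dishonest full node from presenting two non-adjacent leaves (with the missing transaction hidden between them) as neighbours: the leaf indices are recovered from the proofs themselves, so the prover cannot lie about them.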


04-BTC-Consensus Protocol


  • Unlike paper money, a digital coin is just data and can be copied; spending the same coin twice is the double-spending attack.
    A decentralized currency must solve two problems:

    • Problems

      1. How the digital currency is issued

      2. How the validity of a transaction is verified, in particular how double spending is prevented

    • Solutions:

      • Issuance is decided by mining

        The ultimate source of every bitcoin is the coinbase (coin-minting) transaction of a newly mined block

      • Validity relies on the blockchain data structure

        Every transaction names the source of its coins (outputs of earlier transactions), so the origin and the available balance can be checked; followed back far enough, every coin originates in the coinbase transaction of some block


  • Transfer transaction

    • Information needed

      • The payer obtains the payee's public key (address) through some other channel

      • The payee and everyone else need the payer's public key, which the payer includes in the transaction

        1. To verify the payer's signature on the transaction
        2. To check the source of the coins: the earlier output being spent carries the hash of the payer's public key, so hashing the supplied public key and comparing shows that the coins belong to the payer
      • How to prevent someone else from forging a transfer with their own key pair?

        • Checking is done by running the input script of the spending transaction together with the output script of the source transaction; if they execute without error and leave true on the stack, the transaction is valid

          In essence it checks that the hash of the public key recorded in the earlier output matches the public key (and signature) presented now; a forger holds a different key pair, so the hash does not match


  • Distributed consensus: all nodes must agree on the content of the ledger

    • A well-known result: the CAP theorem

      • Consistency (every node sees the same system state)

      • Availability (the system keeps answering requests)

      • Partition tolerance (it keeps working when the network splits)

        The theorem says that any distributed system, for example a distributed hash table, can satisfy at most two of the three properties: if you want the first two, you give up the third.

    • Bitcoin's consensus protocol:

      • Voting by computing power

        Each node assembles a candidate block locally, puts in it the transactions it considers valid, and then tries nonce values (a 4-byte field) until the inequality H(block header) ≤ target holds. A node that finds such a nonce wins the right to publish the block.

        This "bookkeeping right" is the right to append the next block to the Bitcoin ledger. Only the node that found the nonce can publish that block. Other nodes, on receiving it, verify the block before accepting it.

        • Verification:

          • the nBits field (the encoded target threshold) is the one the protocol currently prescribes
          • the header hash with the given nonce is ≤ target
          • every transaction is valid: correctly signed and not double spent

          If two nodes find a valid block at almost the same time the chain forks temporarily; nodes mine on the first block they heard, and the longest valid chain wins, so the other block is orphaned


05-BTC-implementation


  • Transaction-based ledger model

    The blockchain is a decentralized ledger. Bitcoin uses a transaction-based ledger: the system records transactions, not how much money each account holds. Balances have to be computed by scanning the chain.

    • Account-based ledger model: Ethereum

    • UTXO:

      Bitcoin full nodes maintain the UTXO set (unspent transaction outputs), the set of outputs that have not been spent, in order to detect double spending quickly: a transaction is valid only if every input refers to an output in this set.

    • Transaction fee

      • total inputs ≥ total outputs

        The inputs of a transaction are usually slightly larger than the outputs.
        If 1 bitcoin is spent and 0.99 bitcoin goes to the outputs, the remaining 0.01 bitcoin is the transaction fee, collected by the miner that publishes the block containing the transaction.

      • Miners' income is mainly the block reward

        The block reward (50 BTC at the start) is halved every 210,000 blocks, which takes about 4 years to mine. Bitcoin is designed for an average block time of 10 minutes, i.e. the whole system produces one new block every 10 minutes on average.


Block example

  • Notes on the example block (from the lecture figure):

    Left side
    Line 1: the block contains 686 transactions
    Line 2: the total output in bitcoins
    Line 4: the total transaction fee (the sum over the 686 transactions)
    Bottom line: the block reward (the main incentive for miners)
    Line 5: the block height (serial number of the block)
    Line 6: the block timestamp

    Right side
    Line 1: the hash of this block's header
    Line 2: the hash of the previous block's header
    (note: only the block header is hashed; the transactions are covered through the Merkle root in the header)
    Both hashes start with a long run of zeros. The target is a number that, written in hexadecimal, begins with many zeros, so the header hash of any block that meets the difficulty must begin with at least as many zeros.
    Line 4: merkleroot, the root hash of the Merkle tree built from the transactions in this block


  • Enlarging the search space

    Changing only the nonce is not enough: the nonce has just 2^32 possible values, and at current hash rates that space is exhausted in a fraction of a second, so the root hash has to be changed as well.

    The coinbase field of the coinbase transaction can hold arbitrary data, so it is used as an extra nonce: changing it changes the coinbase transaction's hash and therefore hashMerkleRoot in the block header. With the first 8 bytes of the coinbase field used as extra nonce, the search space grows to 2^(32+64) = 2^96.

    Why this works: the coinbase transaction has no input, so the field that would otherwise hold an input script is free for any data. Similarly, an output that burns bitcoins (see proof of burn below) has no meaningful recipient, so arbitrary data can be attached to it. This is how people write messages into the blockchain.

  • Bernoulli trials

    Each nonce tried during mining is a Bernoulli trial (success with a tiny probability, independent of every other trial), and the sequence of trials is a Bernoulli process. Its key property is memorylessness: past failures do not change the success probability of the next trial.

    Because the success probability is tiny and trials are frequent, the Bernoulli process is approximated by a Poisson process. What we actually care about is the time between blocks in the whole system, which then follows an exponential distribution.

    • Progress free

      The exponential distribution is memoryless: cut the probability density curve at any point and the remaining part has the same shape as the original. For example: ten minutes have passed and nobody has found a valid block, so how much longer must we wait? By the same distribution, the expected wait is still ten minutes. How long it takes to find the next block has nothing to do with how long we have already been mining.

      • This guarantees fairness of mining

        If mining were not progress free, a miner who had already tried many nonces would be closer to success than one who just started, so large miners would gain an extra advantage beyond their share of the hash power. Because each trial is independent, a miner's chance of finding the next block is exactly its share of the total hash rate and no more; progress freeness is what keeps mining fair.

/** Nodes collect new transactions into a block, hash them into a hash tree,
 * and scan through nonce values to make the block's hash satisfy proof-of-work
 * requirements.  When they solve the proof-of-work, they broadcast the block
 * to everyone and the block is added to the block chain.  The first transaction
 * in the block is a special one that creates a new coin owned by the creator
 * of the block.
 */
class CBlockHeader
{
public:
    // header (80 bytes serialized; this is what mining hashes twice with SHA-256)
    int32_t nVersion;        // 4 bytes: block version
    uint256 hashPrevBlock;   // 32 bytes: hash pointer to the previous block header
    uint256 hashMerkleRoot;  // 32 bytes: root hash of the transaction Merkle tree
    uint32_t nTime;          // 4 bytes: timestamp
    uint32_t nBits;          // 4 bytes: encoded target threshold
    uint32_t nNonce;         // 4 bytes: the nonce tried during mining

    CBlockHeader()
    {
        SetNull();
    }

    SERIALIZE_METHODS(CBlockHeader, obj) { READWRITE(obj.nVersion, obj.hashPrevBlock, obj.hashMerkleRoot, obj.nTime, obj.nBits, obj.nNonce); }

    void SetNull()
    {
        nVersion = 0;
        hashPrevBlock.SetNull();
        hashMerkleRoot.SetNull();
        nTime = 0;
        nBits = 0;
        nNonce = 0;
    }

    bool IsNull() const
    {
        return (nBits == 0);
    }

    uint256 GetHash() const;

    int64_t GetBlockTime() const
    {
        return (int64_t)nTime;
    }
};


06-BTC-Network


  • Network structure

    • Application layer: the Bitcoin blockchain
    • Network layer: a P2P overlay network
  • Propagation

    • Seed nodes

      To join the P2P network you must first know at least one seed node; you contact it and it tells you about the other nodes it knows. Nodes talk to each other over TCP, which makes it easier to get through firewalls. Leaving requires nothing: just exit the application without telling anyone. The other nodes stop hearing from you and drop you from their lists after a while.

    • Neighbour nodes

      The Bitcoin network is designed for simplicity and robustness, not efficiency. Each node keeps a set of neighbour nodes, and messages propagate by flooding: the first time a node hears a message it forwards it to all its neighbours and records that it has seen it; later copies of the same message are not forwarded again.

      Neighbours are chosen at random, ignoring the underlying topology: a node in California may pick a neighbour in Argentina. This improves robustness at the price of efficiency; sending money to someone next door is no faster than sending it across the world.

    • Transactions waiting to be put on the chain

      Each node keeps a set of transactions waiting to be written into the blockchain (the mempool). The first time a node hears a transaction it adds it to this set and forwards it to its neighbours; copies heard later are not forwarded again, which stops a transaction from circulating forever. Only valid transactions are forwarded, and a transaction that conflicts with one already in the set (a double spend) is dropped. When a block arrives, the transactions it contains are removed from the set.

    • Bandwidth

      The Bitcoin protocol limits the block size to 1 MB. Flooding is very bandwidth-intensive, and bandwidth is the bottleneck. At the 1 MB limit it can take tens of seconds for a newly published block to reach most of the network, which is already a long time, so the limit is not as small as it looks.


07-BTC-mining difficulty


  • Bitcoin's mining hash: SHA-256 (applied twice to the block header), so a hash value is one of 2^256 possibilities

$H(\text{block header}) \leq \text{target}$

The target is a 256-bit number; the smaller the target, the harder the puzzle. Difficulty is expressed relative to the easiest target the protocol allows (the "difficulty 1" target):

$\text{difficulty} = \frac{\text{difficulty\_1\_target}}{\text{target}}$

  • Why adjust the difficulty: is a shorter block time better?

    As hash rate grows, a fixed target would make blocks come faster and faster. A shorter block time sounds attractive, but it creates more forks, because a new block is found before the previous one has propagated. With many forks the honest computing power is split across branches, so a transaction in an earlier block is more exposed to a forking attack by a malicious node trying to roll it back. Such an attacker then no longer needs 51% of the hash power; 10% may be enough. That is why the block time must not become too short, and the target is adjusted to keep it stable.

  • What is adjusted

    The Bitcoin protocol adjusts the target every 2016 blocks, which at the intended 10-minute block time is about every two weeks. The new target is the old target scaled by the ratio of the actual time taken for the last 2016 blocks to the expected time (2016 × 10 minutes):

$\text{target} = \text{target} \times \frac{\text{actual time}}{\text{expected time}}$

    The ratio is clamped to the range [1/4, 4], so a single adjustment can change the difficulty by at most a factor of four. Because the target is recorded in the block header (nBits), every node recomputes it independently, and a block whose nBits does not match is rejected.
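An added example, not from the course: the mining loop of section 04, the header layout of section 05 and the difficulty arithmetic above in one place. The field order and the nBits encoding are Bitcoin's; the header values, the easy target (nBits 0x1f0fffff) and the pool target passed to `is_share` are constructed so the search finishes in a moment. `retarget` includes the factor-of-4 clamp that the bare formula above leaves out.

```python
import hashlib
import struct

DIFFICULTY_1_TARGET = 0xFFFF << 208      # the easiest target Bitcoin allows, nBits 0x1d00ffff
EXPECTED_SPAN = 2016 * 10 * 60           # seconds for 2016 blocks at the intended 10-minute block time
MAX_ADJUST = 4                           # each retarget is clamped to a factor of 4 either way

def nbits_to_target(nbits: int) -> int:
    """Decode the compact 4-byte nBits field: 1 byte exponent (base 256), 3 bytes mantissa."""
    exponent, mantissa = nbits >> 24, nbits & 0x7FFFFF   # bit 23 is a sign bit, never set in valid headers
    return mantissa << (8 * (exponent - 3)) if exponent >= 3 else mantissa >> (8 * (3 - exponent))

def difficulty(target: int) -> float:
    """difficulty = difficulty_1_target / target"""
    return DIFFICULTY_1_TARGET / target

def serialize_header(version: int, prev_hash: bytes, merkle_root: bytes,
                     ntime: int, nbits: int, nonce: int) -> bytes:
    """The 80-byte header exactly as it is hashed: little-endian integers, 32-byte hashes as stored."""
    return struct.pack("<i", version) + prev_hash + merkle_root + struct.pack("<III", ntime, nbits, nonce)

def header_hash(header80: bytes) -> int:
    """Double SHA-256 of the header, read as a little-endian integer; this is what is compared to target."""
    digest = hashlib.sha256(hashlib.sha256(header80).digest()).digest()
    return int.from_bytes(digest, "little")

def mine(version, prev_hash, merkle_root, ntime, nbits):
    """Brute-force the 32-bit nonce. Returns (nonce, hash), or None when the nonce space is exhausted,
    in which case a miner changes the coinbase extra nonce (new merkle_root) and starts over."""
    target = nbits_to_target(nbits)
    for nonce in range(2**32):
        hv = header_hash(serialize_header(version, prev_hash, merkle_root, ntime, nbits, nonce))
        if hv <= target:
            return nonce, hv
    return None

def retarget(old_target: int, actual_span_seconds: int) -> int:
    """target *= actual/expected, with the ratio clamped to [1/4, 4] and the result capped at difficulty 1."""
    span = min(max(actual_span_seconds, EXPECTED_SPAN // MAX_ADJUST), EXPECTED_SPAN * MAX_ADJUST)
    return min(old_target * span // EXPECTED_SPAN, DIFFICULTY_1_TARGET)

def is_share(hv: int, pool_nbits: int) -> bool:
    """Mining pools: a hash meeting the pool's easier target counts as a share even if it misses the network target."""
    return hv <= nbits_to_target(pool_nbits)

if __name__ == "__main__":
    # Constructed header fields with an easy target so the search finishes quickly.
    nonce, hv = mine(1, bytes(32), b"\x01" * 32, 1530846727, 0x1f0fffff)
    print(nonce, hex(hv), difficulty(nbits_to_target(0x1f0fffff)))
```

Every trial in `mine` is one of the Bernoulli trials from section 05: the chance that a fresh header hash falls at or below the target is target / 2^256, independent of all earlier trials.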


08-BTC-Mining


  • Full node

    • Always online
    • Keeps the complete blockchain on local disk
    • Keeps the UTXO set in memory so that transactions can be checked quickly
    • Listens for transactions on the Bitcoin network and verifies each one
    • Decides which transactions go into the block it is assembling
    • Listens for blocks mined by other miners and verifies them
    • Mines
      • decides which chain to extend
      • chooses a branch when there are forks of equal length
  • Light node (SPV node)

    • Not always online
    • Does not store the whole blockchain, only the header of every block
    • Does not store all transactions, only those related to itself
    • Cannot verify most transactions, only those related to itself (via Merkle proofs obtained from full nodes)
    • Cannot check the correctness of blocks published on the network
    • Can verify that a block header meets the mining difficulty
    • Can only tell which chain is the longest, not which is the longest valid chain
  • Evolution of mining equipment

    1. CPU
    2. GPU
    3. ASIC (Application Specific Integrated Circuit) chips
  • Mining puzzle

    A new blockchain that adopts the same puzzle as an existing one can be merge-mined with it: the same proof of work is submitted to both chains

  • Mining pools

    Many miners connect to a pool manager; the manager assembles the block and the miners only compute hashes. Pools solve the problem of unstable income: a solo miner may wait a very long time for a block, whereas the pool pays out steadily.

    • Computing a miner's payout:

      • Lower the difficulty for the miners

        The pool sets a larger target than the network's. A nonce that meets the pool target but not the network target is a share (an almost-valid block); the pool counts how many shares each miner submits and splits the block reward in proportion.

        The coinbase field (and with it the payout address) is set by the pool manager, so a miner who finds a real block cannot redirect the reward to itself: as with any block, changing the address changes the Merkle root and invalidates the nonce

    • Disadvantages:

      Concentration of computing power. An attacker does not need to own the hash power: a pool operator controls the hash power of all its miners, and hash power can also be rented.


09-BTC-Script



  • Introduction

    The figure (not reproduced here) shows a Bitcoin transaction with one input and two outputs. The box labelled "output" in the upper left is an output of an earlier transaction that serves as the input of this one. Of the two outputs on the right, the top one is marked unspent and the bottom one spent. The transaction has 23 confirmations, so the chance of it being rolled back is very small.

    Below that are the input and output scripts of the transaction. The input script performs two operations, each pushing a long number (the signature and the public key) onto the stack. Bitcoin's scripting language is very simple: the only memory it can access is a stack, unlike general-purpose languages such as C or C++ with global variables, local variables and dynamically allocated memory; hence it is called a stack-based language. The output script has two lines, one for each of the two outputs; every output carries its own script.


Transaction structure (as returned by Bitcoin Core's JSON-RPC, abbreviated)

"result":{
    "txid": "921a...dd24",          // transaction id
    "hash": "921a...dd24",
    "version": 1,
    "size": 226,
    "locktime": 0,                  // earliest time/block at which the transaction is valid; 0: immediately
    "vin": [...],                   // inputs, each with its input script
    "vout": [...],                  // outputs, each with its output script
    "blockhash": "0000000000000000000002c510d...4c0b",
    "confirmations": 23,
    "time": 1530846727,             // transaction time
    "blocktime": 1530846727
}
"vin": [{
    "txid": "c0cb...c57b",          // hash of the source transaction
    "vout": 0,                      // index of the output being spent in that transaction
    "scriptSig": {                  // input script, written as "input script" below
        "asm": "3045...0018",       // input script contents (here a signature push)
        "hex": "4830...0018"
    }
}],
"vout": [{
    "value": 0.22684000,            // unit: bitcoin
    "n": 0,                         // output index
    "scriptPubKey": {               // output script, written as "output script" below
        "asm": "DUP HASH160 628e...d743 EQUALVERIFY CHECKSIG",   // output script contents
        "hex": "76a9...88ac",
        "reqSigs": 1,               // number of signatures needed to spend it (single vs multi-signature)
        "type": "pubkeyhash",       // pay to public key hash
        "addresses": ["19z8LJkNXLrTv2QK5....."]   // destination address
    }
},{
    "value": 0.53756644,
    "n": 1,
    "scriptPubKey": {
        "asm": "DUP HASH160 628e...d743 EQUALVERIFY CHECKSIG",
        "hex": "76a9...88ac",
        "reqSigs": 1,
        "type": "pubkeyhash",
        "addresses": ["1LvGTpdye....."]
    }
}]
  • Note:

    vin and vout are arrays: a transaction can have several inputs and several outputs


The form of input and output scripts

  • How they are executed

    First the input script of the current (spending) transaction is run, then the output script of the source transaction, on the same stack. They used to be concatenated and run as one script; after a bug was found in that approach they are executed one after the other with the stack carried over. The spend is valid if no step fails and the top of the stack is true at the end.

P2PK (Pay to Public Key)

//	P2PK: the output script contains the payee's public key directly
//	input script
	PUSHDATA(Sig)          // push the signature
//	output script
	PUSHDATA(PubKey)       // push the public key
	CHECKSIG               // pop public key and signature, verify the signature, push true/false

P2PKH (Pay to Public Key Hash)

// P2PKH (Pay to Public Key Hash): the most common form; the output holds only the hash of the public key
// input script
	PUSHDATA(Sig)          // push the signature
	PUSHDATA(PubKey)       // push the public key
// output script
	DUP                    // duplicate the top of the stack (the public key)
	HASH160                // replace the copy with RIPEMD160(SHA256(PubKey))
	PUSHDATA(PubKeyHash)   // push the hash recorded in the output
	EQUALVERIFY            // pop both hashes; fail immediately if they differ
	CHECKSIG               // verify the signature against the remaining public key

P2SH (Pay to Script Hash)

  • The output gives neither the payee's public key nor its hash, but the hash of a redeem script

    • Forms of redeem script
      1. P2PK
      2. P2PKH
      3. multi-signature
  • The input script supplies the required signatures plus the serialized redeemScript, and verification has two steps

    • Check that the serialized redeemScript hashes to the hash given in the output script
    • Deserialize the redeemScript and execute it, to check that the signatures given in the input script are correct
  • Essence:

    Complexity moves from the output script (written by the payer) to the input script (written by the payee when it spends the coins)

// P2SH implementing P2PK
// input script
    PUSHDATA(Sig)
    PUSHDATA(serialized redeemScript)
// output script
    HASH160
    PUSHDATA(redeemScriptHash)
    EQUAL
// redeemScript
    PUSHDATA(PubKey)
    CHECKSIG
// P2SH implementing multi-signature (M of N)
// input script
    FALSE   // dummy element: CHECKMULTISIG pops one element too many (a bug kept for compatibility), so something must be pushed first
    PUSHDATA(Sig_1)
    PUSHDATA(Sig_2)
        ...
    PUSHDATA(Sig_M)
    PUSHDATA(serialized RedeemScript)
// output script
    HASH160
    PUSHDATA(RedeemScriptHash)
    EQUAL
// redeemScript
    M
    PUSHDATA(pubkey_1)
    PUSHDATA(pubkey_2)
        ...
    PUSHDATA(pubkey_N)
    N
    CHECKMULTISIG   // any M valid signatures from the N public keys, given in the same order as the keys
  • Note

    The input script above is supplied by the e-commerce company (the payee holding the multi-signature keys) when it spends the output. Customers paying the company only need the hash of the redeemScript for their output script; they need not know or care that it is a multi-signature script.

    All the listings omit the OP_ prefix of the opcode names
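An added example serving both the signature primitive of section 02 and the script execution of this section (my code, not the course's and not Bitcoin Core's): a minimal interpreter for the asm form shown above, with CHECKSIG and CHECKMULTISIG backed by a plain-Python secp256k1 ECDSA so that `keygen`/`sign`/`verify` are the real "open an account, sign, verify" operations. Simplifications, all of them assumptions: signatures are raw r||s rather than DER, the message hash is a constructed digest standing in for the transaction's sighash, stack truthiness is approximated, the "serialized redeemScript" is simply its asm text, and HASH160 falls back to truncated SHA-256 where the local OpenSSL lacks RIPEMD-160.

```python
import hashlib
import secrets
# secp256k1 ECDSA in plain Python (readable, not production): the check that CHECKSIG performs.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
OPS = {"DUP", "HASH160", "EQUAL", "EQUALVERIFY", "CHECKSIG", "CHECKMULTISIG", "RETURN"}

def ec_add(a, b):
    if a is None or b is None: return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None          # point at infinity
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt, acc=None):
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def keygen():
    """Opening an account: a random private key and the uncompressed public key derived from it."""
    priv = secrets.randbelow(N - 1) + 1                     # weak randomness here means a stealable key
    x, y = ec_mul(priv, G)
    return priv, b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def sign(priv, msg_hash):
    z = int.from_bytes(msg_hash, "big")
    while True:
        k = secrets.randbelow(N - 1) + 1                    # reusing k for two signatures leaks priv
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s: return r.to_bytes(32, "big") + s.to_bytes(32, "big")   # raw r||s; Bitcoin uses DER

def verify(pub, msg_hash, sig):
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if len(pub) != 65 or pub[0] != 4 or len(sig) != 64 or not (0 < r < N and 0 < s < N): return False
    q = (int.from_bytes(pub[1:33], "big"), int.from_bytes(pub[33:], "big"))
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(int.from_bytes(msg_hash, "big") * w % N, G), ec_mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

def hash160(data):
    """HASH160 = RIPEMD160(SHA256(x)); if this OpenSSL build lacks RIPEMD-160, truncated SHA-256 stands in."""
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        return hashlib.sha256(sha).digest()[:20]            # assumption for portability, not Bitcoin's hash

def parse(asm):
    """The 'asm' form shown above: opcode names (OP_ omitted), FALSE, small numbers (M, N), hex push data."""
    return [b"" if t == "FALSE" else t if t in OPS else int(t) if t.isdigit() and int(t) <= 16
            else bytes.fromhex(t) for t in asm.split()]

def run(script, stack, msg_hash):
    """Execute one script on `stack`. False = invalid spend (RETURN, failed VERIFY, stack underflow)."""
    try:
        for op in script:
            if op not in OPS:
                stack.append(op)                             # push data or a small number
            elif op == "DUP":
                stack.append(stack[-1])
            elif op == "HASH160":
                stack.append(hash160(stack.pop()))
            elif op == "EQUAL":
                stack.append(stack.pop() == stack.pop())
            elif op == "EQUALVERIFY":
                if stack.pop() != stack.pop(): return False
            elif op == "CHECKSIG":
                pub, sig = stack.pop(), stack.pop()
                stack.append(verify(pub, msg_hash, sig))
            elif op == "CHECKMULTISIG":
                pubs = [stack.pop() for _ in range(stack.pop())][::-1]   # back into push order
                sigs = [stack.pop() for _ in range(stack.pop())][::-1]
                stack.pop()                                  # one pop too many: the bug behind the FALSE dummy
                hit = 0
                for pub in pubs:                             # signatures must follow the public-key order
                    if hit < len(sigs) and verify(pub, msg_hash, sigs[hit]): hit += 1
                stack.append(hit == len(sigs))
            else:                                            # RETURN: unconditional failure
                return False
    except IndexError:
        return False
    return True

top_true = lambda stack: bool(stack) and stack[-1] not in (False, b"", 0)   # simplified truthiness

def spend_is_valid(input_asm, output_asm, msg_hash):
    """Run the spending tx's input script, then the source tx's output script, on one stack (P2SH adds step 2)."""
    stack, out_script = [], parse(output_asm)
    if not run(parse(input_asm), stack, msg_hash): return False
    saved = list(stack)                                      # P2SH step 2 starts from what the input script left
    if not (run(out_script, stack, msg_hash) and top_true(stack)): return False
    if len(out_script) == 3 and out_script[0] == "HASH160" and out_script[2] == "EQUAL":
        return run(parse(saved.pop().decode()), saved, msg_hash) and top_true(saved)
    return True
```

Two details worth noticing when trying it: an M-of-N spend that omits the FALSE dummy, or supplies too few signatures, underflows the stack and is rejected rather than crashing the node; and supplying valid signatures in an order different from the public keys in the redeemScript fails, because CHECKMULTISIG walks the keys in order and never backtracks.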


Proof of burn

// output script
	RETURN
    [zero or more ops or text]

RETURN fails the script unconditionally, so whatever follows it is never executed and such an output can never be spent. That is the proof that the bitcoins in it are destroyed; the bytes after RETURN can carry arbitrary data, which is how data is written into the chain.

In practice the output amount is 0, so only the transaction fee is paid, and because the output is provably unspendable full nodes do not need to keep it in the UTXO set


10-BTC-Fork


  • State fork: nodes disagree about the current state of the chain (for example two blocks mined at almost the same time)

    • Deliberate state fork: forking attack
  • Protocol fork: disagreement about the protocol rules

    • Hard fork

      • Example: raising the block size limit from 1 MB to 4 MB

        1 MB is about 1 million bytes. Taking a transaction to be roughly 250 bytes, 1,000,000 / 250 = 4000 transactions per block. With one block every 10 minutes on average, 4000 / (60 × 10) ≈ 7 transactions per second, i.e. about 7 tx/sec, which is a very low throughput.

        Upgraded nodes accept both 1 MB and 4 MB blocks, but old nodes reject 4 MB blocks and keep extending the chain of blocks they consider valid. Even if the upgraded nodes hold the majority of the hash power, the old nodes never switch to the longer chain, so the two chains persist permanently.

    • Soft fork

      • Example: lowering the block size limit, say from 1 MB to 0.5 MB

        Upgraded nodes reject the old-style larger blocks, but old nodes accept the new smaller ones. If most of the hash power has upgraded, blocks mined by non-upgraded nodes end up on shorter branches and are discarded; old nodes keep following the longest valid chain, which is the upgraded one. So there is no permanent fork, but the non-upgraded miners waste their work.

      • The coinbase field

        The first 8 bytes of the coinbase field are used as an extra nonce.

        It has been proposed to use the following bytes for the root hash of the UTXO set, so that light nodes could verify balances; old nodes ignore the contents of the coinbase field, so this would be a soft fork.

      • Pay to Script Hash

        P2SH was introduced as a soft fork: old nodes only perform the first step (checking the hash of the redeemScript) and treat the output as spendable, while upgraded nodes also run the redeemScript. Whatever an upgraded node accepts, an old node also accepts.

    • Summary: a change that old nodes would reject is a hard fork; a change that old nodes still accept is a soft fork.

      Soft fork: as long as the majority of the hash power upgrades, there is no permanent fork.

      Hard fork: as long as some nodes in the system do not upgrade, a permanent fork occurs.


11-BTC-Q&A


  1. What if the recipient is not online when the transfer is made?

    The recipient does not need to be online. A transfer is just a transaction recorded on the blockchain moving bitcoins from one person's address to another's; whether the other person is connected to the Bitcoin network at that moment makes no difference.

  2. When a full node receives a transfer, can the receiving address be one that the node has never seen before?

    Yes. Creating a Bitcoin account requires telling nobody: you just generate a key pair locally. Other nodes learn of the account only when it first receives money.

  3. What if I lose the private key of my account?

    Nothing can be done. The money in the account is dead and can never be moved again. In a decentralized system there is nobody who can reset your password.

  4. What if the private key is compromised?

    For example, you notice suspicious transactions from your account. What you can do is move the money to another, safe account as quickly as possible. This differs from everyday experience: with a bank account you would notify the bank, have the password reset and the account frozen so nobody can take the money. None of that is possible in the blockchain world.

  5. What if I wrote the wrong address when transferring?

    Nothing can be done. Once a transfer has been published to the blockchain it cannot be cancelled. If you know whose address you sent to, you can contact them and ask for the money back; if you do not know, or the address belongs to nobody, the money is lost.

  6. How do proof of burn and OP_RETURN actually work? When a full node receives a transaction it checks its validity, and only valid transactions are written into the blockchain. OP_RETURN returns an error unconditionally, so how can such a transaction pass the check and get into the chain?

    The output script is not executed when the transaction that contains it is validated. Validating a transaction runs its input scripts together with the output scripts of the transactions it spends from. The OP_RETURN output script would only be executed by a later transaction trying to spend that output, and that is exactly what always fails.

  7. Can a miner steal another miner's answer (nonce)?

    No. The published block contains a coinbase transaction whose output pays the miner's own address: if A mined the block, it is A's address. To steal the answer you would have to replace A's address with your own, which changes the coinbase transaction, which changes the root hash of the Merkle tree built from it and the other transactions in the block. The Merkle root sits in the block header next to the nonce, so once the header changes the nonce A found no longer satisfies the target. The nonce each miner finds is bound to its own payout address, so stealing it is impossible.

  8. How is it decided which miner gets the transaction fee? How can we know in advance which miner will mine the block?

    It does not need to be known in advance. The fee is implicit: total inputs > total outputs, and the difference is the fee. A transaction can have many inputs and many outputs; total inputs minus total outputs is its fee. Whichever miner mines the block collects the sum of the fees of all transactions in it, added to the block reward in its coinbase transaction.


12-BTC-Anonymity


  • Under what circumstances can anonymity in the Bitcoin system be broken?

    Consider online shopping. Bitcoin transactions allow multiple inputs and multiple outputs, and the multiple inputs are probably controlled by the same person, since whoever built the transaction had to hold the private keys for all of them. That links the input addresses together, and a change output going back to the payer links yet another address. Once any one of these addresses is tied to a real identity (for example by a merchant that ships goods or an exchange that checks identity), all of them are.

  • The Bitcoin system runs at the application layer on top of the network layer, so anonymity can be improved at two levels.

    • Improving anonymity at the network layer

      This is the easier part. Blockchains are new, but the research community has long had a good solution for network-layer anonymity: multi-hop forwarding, the principle behind onion routing (Tor). A message is not sent directly from sender to receiver but relayed through several nodes. Each relay only knows the node it received the message from, not who originated it. Some relays may be malicious, but as long as one honest node is on the path, the originator's identity is hidden. That is the basic idea of onion routing.

    • Improving anonymity at the application layer

      Coin mixing: mixing your coins with other people's so that observers cannot tell whose is whose; the same idea applies in other areas that need anonymity. There are websites offering mixing as a service for a fee: everyone who wants to mix sends coins to the site, the site reshuffles them internally, and you get coins back that are not the ones you sent but randomly chosen ones from the pool. The catch is that you have to trust the service: it may simply keep your coins, and it knows the mapping between what went in and what came out.

  • Why is privacy so hard to protect?

    The root cause is that the blockchain is public and immutable. Immutability is disastrous for privacy: a link exposed today applies to every past transaction, and it can never be erased.


zero-knowledge proof

  • concept:

    A zero-knowledge proof is when one party (the prover) proves to another party (the verifier) that a statement is true without revealing any information other than the fact that the statement is true.

  • example:

    To prove that an account is mine, the simplest thing would be to hand over the private key. But the private key cannot be disclosed, so instead I give a signature generated with it. Assuming the other party knows the public key of the account, the correctness of the signature can be verified. Whether this counts as a zero-knowledge proof is actually controversial, because the signature is information beyond the bare fact that the statement is true; whether it counts depends on the application.

homomorphic hiding

The mathematical basis of zero-knowledge proofs is homomorphic hiding. It is a function E with three properties:


  • The first property says that the encryption function E has no collisions: different inputs never give the same E value. This is different from a hash function, which may collide. Stated the other way round (the contrapositive of the property), if E(x) and E(y) are equal, then x and y are equal.

  • The second property shows that the encryption function is irreversible. Knowing the value after encryption, there is no way to deduce the value before encryption.

  • The third property is the most important, called homomorphic operation. What it says is to perform some algebraic operations on the encrypted function value, which is equivalent to directly performing algebraic operations on these inputs and then encrypting them.

    Homomorphic addition: the sum of the encrypted values equals the encryption of the sum, E(x) + E(y) = E(x + y).
    Homomorphic multiplication: the product of the encrypted values equals the encryption of the product, E(x) * E(y) = E(x * y).

  • example:

    As shown, Alice wants to prove to Bob that she knows a pair of numbers x and y such that x + y = 7,
    without Bob learning the specific values of x and y.

    • answer

      Alice sends the values E(x) and E(y) to Bob.

      From E(x) and E(y), Bob computes E(x + y) using the homomorphic addition property.

      Bob also computes E(7) himself. If E(x + y) = E(7), the verification passes; otherwise it fails.
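      The protocol above, as an added example that is not part of the lecture notes: the classic additively homomorphic hiding E(x) = g^x mod p. "Adding" two hidden values means multiplying them in the group, so E(x) * E(y) = E(x + y), which is exactly what Bob needs. The prime p = 2^31 - 1 and generator g = 7 are constructed demo parameters chosen so the arithmetic is easy to follow; they are far too small to hide anything in practice, and the last function shows why.

```python
# Added example (not from the lecture notes or any project): homomorphic hiding
# via modular exponentiation, E(x) = G^x mod P.
# P and G are CONSTRUCTED demo values: P = 2^31 - 1 is prime and 7 is a primitive
# root mod P, so E is collision-free for 0 <= x < P - 1. Real systems use groups
# of roughly 256-bit order; in this tiny group the discrete log is trivial.
P = 2**31 - 1
G = 7
ORDER = P - 1  # exponents live in Z_(P-1)


def E(x: int) -> int:
    """Hide x. Property 1 (no collisions) holds for x in [0, ORDER);
    property 2 (irreversibility) holds only when the group is large."""
    return pow(G, x % ORDER, P)


def hidden_add(ex: int, ey: int) -> int:
    """Property 3: E(x) * E(y) = G^x * G^y = G^(x+y) = E(x + y).
    The verifier runs this on hidden values without knowing x or y."""
    return (ex * ey) % P


def hidden_scale(ex: int, k: int) -> int:
    """Scalar multiple on a hidden value: E(x)^k = E(k * x)."""
    return pow(ex, k % ORDER, P)


def verify_sum(ex: int, ey: int, claimed_sum: int) -> bool:
    """Bob's check from the example: does E(x) * E(y) equal E(claimed_sum)?
    Bob never learns x or y, only whether their sum is claimed_sum."""
    return hidden_add(ex, ey) == E(claimed_sum)


def brute_force_dlog(ex: int, limit: int):
    """Why the demo parameters give no real hiding: with a small group anyone
    can recover x from E(x) by trying exponents. Returns x or None."""
    acc = 1
    for x in range(limit):
        if acc == ex:
            return x
        acc = (acc * G) % P
    return None


if __name__ == "__main__":
    # Alice's secret witness (constructed): x = 3, y = 4, so x + y = 7.
    ex, ey = E(3), E(4)
    print("verification passes:", verify_sum(ex, ey, 7))    # True
    print("wrong claim rejected:", verify_sum(ex, E(5), 7))  # False
    print("x recovered in toy group:", brute_force_dlog(ex, 1000))  # 3
```

      The check Bob performs is purely on hidden values; the soundness of the check rests on property 1 (E(x + y) = E(7) forces x + y = 7 modulo the group order), and the secrecy of x and y rests on property 2, which is only meaningful when the discrete logarithm in the chosen group is infeasible.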


Blind signature method

  1. User A provides a SerialNum; the bank returns a signature Token on it without learning the SerialNum, and reduces A's deposit.
  2. User A hands the SerialNum and Token to B to complete the transaction.
  3. User B takes the SerialNum and Token to the bank; the bank verifies them and, if the verification passes, increases B's deposit.
  4. The bank cannot link A to B.
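  The four steps above, as an added example that is not from the lecture notes: a textbook Chaum RSA blind signature with a toy bank that debits the payer when it signs, credits the payee when it verifies, and keeps a spent-serial set so the same Token cannot be deposited twice. The RSA modulus is built from two constructed Mersenne primes so the script runs offline; it is for illustration only and is not a production key.

```python
# Added example (not from the lecture notes or any project): Chaum-style RSA blind
# signatures for the SerialNum / Token protocol above.
import hashlib
import math
import secrets

# CONSTRUCTED demo RSA key: two Mersenne primes. A real bank key would be 2048+ bits.
P_RSA = 2**61 - 1
Q_RSA = 2**89 - 1
N = P_RSA * Q_RSA
E_PUB = 65537
D_PRIV = pow(E_PUB, -1, (P_RSA - 1) * (Q_RSA - 1))  # bank's signing exponent


def serial_to_int(serial: str) -> int:
    """Map the SerialNum to a message integer m < N (hash, then reduce)."""
    return int.from_bytes(hashlib.sha256(serial.encode()).digest(), "big") % N


def make_blinding_factor() -> int:
    """Random r coprime to N; only A ever knows it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def blind(m: int, r: int) -> int:
    """Step 1, A's side: m' = m * r^e mod N. The bank sees only m'."""
    return (m * pow(r, E_PUB, N)) % N


def unblind(s_blind: int, r: int) -> int:
    """Step 1, A's side after signing: (m * r^e)^d = m^d * r, so divide out r."""
    return (s_blind * pow(r, -1, N)) % N


def verify(m: int, s: int) -> bool:
    """Step 3: Token s is valid for serial m iff s^e = m mod N."""
    return pow(s, E_PUB, N) == m


class Bank:
    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.spent = set()      # serials already redeemed (double-spend check)
        self.issued_blinded = []  # everything the bank saw at issue time

    def issue_token(self, payer: str, blinded: int) -> int:
        """Sign the blinded value and debit the payer one coin (step 1)."""
        if self.balances.get(payer, 0) < 1:
            raise ValueError("insufficient deposit")
        self.balances[payer] -= 1
        self.issued_blinded.append(blinded)
        return pow(blinded, D_PRIV, N)

    def redeem(self, payee: str, serial: str, token: int) -> bool:
        """Verify the Token and credit the payee (step 3). Rejects bad
        signatures and serials that were already spent."""
        m = serial_to_int(serial)
        if not verify(m, token) or serial in self.spent:
            return False
        self.spent.add(serial)
        self.balances[payee] = self.balances.get(payee, 0) + 1
        return True


def run_payment(bank: Bank, payer: str, payee: str, serial: str) -> dict:
    """Full A -> bank -> A -> B -> bank round trip; returns what each party saw."""
    m = serial_to_int(serial)
    r = make_blinding_factor()
    blinded = blind(m, r)                       # A hides the serial
    token = unblind(bank.issue_token(payer, blinded), r)  # bank signs blind
    accepted = bank.redeem(payee, serial, token)  # B deposits (step 2 + 3)
    return {"m": m, "blinded": blinded, "token": token, "accepted": accepted}


if __name__ == "__main__":
    bank = Bank({"A": 2, "B": 0})
    res = run_payment(bank, "A", "B", "serial-0001")  # constructed serial
    print("accepted:", res["accepted"], "balances:", bank.balances)
    print("replay rejected:", bank.redeem("B", "serial-0001", res["token"]))
```

  Step 4 follows from the blinding: at issue time the bank records only m' = m * r^e, and at redeem time it sees m and the Token m^d; without r there is no way to pair the two records, so the payer and payee cannot be linked. The spent-serial set is what stops B (or A) from depositing the same Token twice, which is the part of the scheme the lecture's four steps leave implicit.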

Zerocoin and Zerocash (cryptocurrencies designed for anonymity)

Zerocoin and Zerocash integrate anonymization at the protocol layer, and their anonymity properties come from cryptographic guarantees.

  • The Zerocoin system has base coins and zerocoins. Converting back and forth between base coins and zerocoins removes the correlation between the old address and the new address. The principle is similar to a coin mixing service.

    In Zerocoin there are base coins (such as Bitcoin) and zerocoins. To use it, you first prove that you own a base coin, which makes that base coin unspendable, and in exchange you get a zerocoin. When you spend the zerocoin, you only need a zero-knowledge proof that the coin you are spending is a legitimate coin that exists in the system; you do not need to disclose which coin in the system it is.

  • The zerocash system uses the zk-SNARKs protocol and does not rely on a basic currency. The blockchain only records the existence of transactions and the proofs of key attributes required by miners to verify the normal operation of the system. Neither the transaction address nor the transaction amount is displayed on the blockchain, and all transactions are carried out through zero-knowledge verification.

    Zerocash has no base currency and is a complete cryptocurrency on its own. Zerocoin and Zerocash are not 100% anonymous and safe. Among the factors affecting anonymity there is one that still cannot be solved: interaction with real-world entities. For example, someone who wants to use these coins for bad purposes still has to reveal their identity when converting a large sum into the cryptocurrency or when converting the cryptocurrency back into cash. No matter how well these cryptocurrencies are designed mathematically, they only provide anonymity for transfers already inside the blockchain; anonymity when interacting with the outside world remains a weakness. So they still cannot provide 100% anonymity.


13-BTC-Thoughts


  • hash pointer

    The hash value itself is a pointer

    • So how can we find the content of the previous block?

      A full node generally stores blocks in a (key, value) database: the key is the hash of the block and the value is the block's content. A commonly used key-value database is LevelDB. The so-called linked-list structure of the blockchain is really computed from the hash values in LevelDB. As long as you have the hash of the latest block, you can look it up in LevelDB and retrieve the block's content. The header of that block contains the hash of the previous block; look that key up and you get the previous block's content, and so on, step by step, until you have traversed the entire chain.
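      The traversal described above, as an added example that is not from the lecture notes: a Python dict stands in for LevelDB, blocks are keyed by the hash of their header, and the walk from the tip back to genesis recomputes each header hash and the (simplified) transaction root at every step, so an in-place edit to any stored block breaks the chain of hash pointers and is detected. The block layout and the flat transaction root are constructed simplifications of Bitcoin's real format.

```python
# Added example (not from the lecture notes or any project): walking a chain of
# hash pointers stored in a key-value store and verifying every link.
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed sentinel for "no previous block"


def tx_root(txs: list) -> str:
    """Simplified stand-in for a Merkle root: hash of the canonical tx list."""
    return hashlib.sha256(json.dumps(txs).encode()).hexdigest()


def block_hash(header: dict) -> str:
    """The hash pointer: SHA-256 over the canonical header encoding."""
    return hashlib.sha256(json.dumps(header, sort_keys=True).encode()).hexdigest()


def make_chain(n: int) -> tuple:
    """Build n constructed blocks in a dict keyed by block hash (our 'LevelDB').
    Returns (db, tip_hash)."""
    db, prev = {}, GENESIS_PREV
    for i in range(n):
        txs = [f"tx-{i}-{j}" for j in range(2)]
        header = {"height": i, "prev_hash": prev, "tx_root": tx_root(txs), "nonce": i * 17}
        h = block_hash(header)
        db[h] = {"header": header, "txs": txs}
        prev = h
    return db, prev


def walk_back(db: dict, tip_hash: str) -> list:
    """Follow prev_hash pointers from the tip to genesis, verifying at each
    step that (a) the block exists, (b) its header hashes to its key, and
    (c) its transactions match the header. Returns heights oldest-first;
    raises ValueError on the first broken link."""
    heights, h = [], tip_hash
    while h != GENESIS_PREV:
        block = db.get(h)
        if block is None:
            raise ValueError(f"missing block {h[:12]}...")
        if block_hash(block["header"]) != h:
            raise ValueError(f"header of {h[:12]}... does not hash to its key")
        if tx_root(block["txs"]) != block["header"]["tx_root"]:
            raise ValueError(f"transactions of {h[:12]}... do not match header")
        heights.append(block["header"]["height"])
        h = block["header"]["prev_hash"]
    return list(reversed(heights))


def is_valid_chain(db: dict, tip_hash: str) -> bool:
    try:
        walk_back(db, tip_hash)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db, tip = make_chain(4)
    print("heights from genesis:", walk_back(db, tip))      # [0, 1, 2, 3]
    # Tamper with a stored transaction in place: the tx_root check catches it.
    db[tip]["txs"][0] = "tx-forged"
    print("valid after tamper:", is_valid_chain(db, tip))   # False
```

      Note what the walk does and does not check: it verifies that the stored content is the content the hash pointers commit to, which is the immutability property of the structure, but it says nothing about which tip is the right one. Choosing the tip is the consensus problem, not the data-structure problem.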

  • "Block love" (a couple sharing a private key)

    The idea is to cut a private key into several parts that several people keep separately; only when everyone brings out their part can the complete private key be reassembled.

    But if the key is simply cut in half and one of the couple wants to withdraw the money after breaking up, that person already knows half of the private key and only has to guess the remaining 128 bits. Halving the length of the private key does not halve the difficulty: the search space drops from 2 to the 256th power to 2 to the 128th power, and the former is far greater than the latter, so the cracking difficulty drops enormously. In the example of four partners, if three of them want to withdraw the money without telling the fourth, they only need to try 2 to the power of 64 keys.

    Therefore, for an account shared by several people, do not truncate the private key; use multi-signature instead, where each private key used in the multi-signature is generated independently. Multi-signature also offers other flexibility, for example requiring any M signatures out of N people.

  • distributed consensus

    Strictly speaking, Bitcoin has not achieved a real consensus, because the consensus achieved may be overturned at any time, such as a fork attack. You think that a consensus has been achieved. After the fork attack, the system will roll back to the previous state. In theory, it is even possible to roll back to the Genesis block.

  • Scarcity of Bitcoin

    The reason for miners to mine is to obtain income, and the income of mining must be greater than the cost to be profitable. To attract others to mine, one must either increase mining revenue or reduce mining costs. Any newly issued cryptocurrency has a problem of being able to start. In order to attract miners to mine in the early stage, miners can be given more income. Bitcoin's approach is: ①The early difficulty setting is relatively low. ② Early block rewards are relatively high.

    In fact, the constant total amount of Bitcoin is not suitable for use as currency. The Ethereum mentioned later does not have the practice of regularly halving block rewards. Some new currencies even have their own inflation function, and the circulation of the currency must be increased by a certain percentage every year. Because scarce things are not suitable for currency, inflation will make money less valuable, but a good currency must have the function of inflation.

  • quantum computing

    With the development of quantum computing and the computing power of quantum computers becoming more and more powerful, will cryptocurrencies become insecure?

    This worry is unnecessary:

    ①Quantum computing technology is still a long way from being practical, and it may never become a real threat within Bitcoin's lifetime. If quantum computing ever becomes powerful enough to break today's cryptographic systems, its first impact will be on the traditional financial industry: the online banking, online transfers, and online payments we use every day would all become unsafe. So rather than worrying about the impact of quantum computing on Bitcoin, it makes more sense to worry about its impact on the traditional financial industry, because most of the money is still there and the market value of cryptocurrencies is only a small part of the modern financial system.

    ②In Bitcoin, the public key of an account is not exposed directly; the address is obtained by hashing the public key. In the asymmetric cryptosystem Bitcoin uses, the public key can be derived from the private key, so as long as you keep the private key safe it does not matter if you lose the public key. Obviously the private key must not be derivable from the public key, otherwise there would be trouble.

    Assuming that quantum computing technology is developed in the future, and the private key can be deduced from the public key, what should we do? Bitcoin added another layer of protection when it was designed. Instead of using the public key itself, it uses the hash of the public key. So if someone wants to steal money from your account, the first thing to do is to use the address to deduce your public key, which is equivalent to reversing the hash value of the public key, which cannot be done even with a quantum computer.



Origin blog.csdn.net/qq_20493631/article/details/117912984