Bitcoin and Cryptocurrency Technologies

More documents

Recommendations

Info

major one is the leap of faith that we asked you to take that somehow we can pick a random node. Second, we’ve created a new problem by giving nodes these incentives for participation. The system can become unstable as the incentives cause a free‐for‐all where everybody wants to run a Bitcoin node in the hope of capturing some of these rewards. And a third one is an even trickier version of this problem, which is that an adversary might create a large number of Sybil nodes to try and subvert the consensus process. Mining and proof‐of‐work. It turns out that all of these problems are related, and all of them have the same solution, which is called proof‐of‐work. The key idea behind proof‐of‐work is that we approximate the selection of a random node by instead selecting nodes in proportion to a resource that we hope that nobody can monopolize. If, for example, that resource is computing power, then it’s a proof‐of‐work system. Alternately, it could be in proportion to ownership of the currency, and that’s called proof‐of‐stake. Although it’s not used in Bitcoin, proof‐of‐stake is a legitimate alternate model and it’s used in other cryptocurrencies. We’ll see more about proof‐of‐stake and other proof‐of‐work variants in Chapter 8. But back to proof‐of‐work. Let’s try to get a better idea of what it means to select nodes in proportion to their computing power. Another way of understanding this is that we’re allowing nodes to compete with each other by using their computing power, and that will result in nodes automatically being picked in that proportion. Yet another view of proof‐of‐work is that we’re making it moderately hard to create new identities. It’s sort of a tax on identity creation and therefore on the Sybil attack. This might all appear a bit vague, so let’s go ahead and look at the details of the proof‐of‐work system that’s used in Bitcoin, which should make things a lot clearer. Bitcoin achieves proof‐of‐work using hash puzzles. In order to create a block, the node that proposes that block is required to find a number, or nonce, such that when you concatenate the nonce, the previous hash, and the list of transactions that comprise that block and take the hash of this whole string, then that hash output should be a number that falls into a target space that is quite small in relation to the much larger output space of that hash function. We can define such a target space as any value falling below a certain target value. In this case, the nonce will have to satisfy the following inequality: H (nonce || prev_hash || tx || tx || ... || tx) < t arget As we saw earlier, normally a block contains a series of transactions that a node is proposing. In 1 addition, a block also contains a hash pointer to the previous block . In addition, we’re now requiring that a block also contain a nonce. The idea is that we want to make it moderately difficult to find a nonce that satisfies this required property, which is that hashing the whole block together, including that nonce, is going to result in a particular type of output. If the hash function satisfies the 1 We are using the term hash pointer loosely. The pointer is just a string in this context as it need not tell us where to find this block. We will find the block by asking other peers on the network for it. The important part is the hash that both acts as an ID when requesting other peers for the block and lets us validate the block once we have obtained it. 64
puzzle‐friendliness property from Chapter 1, then the only way to succeed in solving this hash puzzle is to just try enough nonces one by one until you get lucky. So specifically, if this target space were just one percent of the overall output space, you would have to try about 100 nonces before you got lucky. In reality, the size of this target space is not nearly as high as one percent of the output space. It’s much, much smaller than that as we will see shortly. This notion of hash puzzles and proof of work completely does away with the requirement to magically pick a random node. Instead, nodes are simply independently competing to solve these hash puzzles all the time. Once in a while, one of them will get lucky and will find a random nonce that satisfies this property. That lucky node then gets to propose the next block. That’s how the system is completely decentralized. There is nobody deciding which node it is that gets to propose the next block. Difficult to compute. There are three important properties of hash puzzles. The first is that they need to be quite difficult to compute. We said moderately difficult, but you’ll see why this actually varies with time. As of the end of 2014, the difficulty level is about 10 20 hashes per block. In other words the size of the target space is only 1/10 20 of the size of the output space of the hash function. This is a lot of computation — it’s out of the realm of possibility for a commodity laptop, for example. Because of this, only some nodes even bother to compete in this block creation process. This process of repeatedly trying and solving these hash puzzles is known asBitcoin mining, and we call the participating nodes miners. Even though technically anybody can be a miner, there’s been a lot of concentration of power in the mining ecosystem due to the high cost of mining. Parameterizable cost. The second property is that we want the cost to be parameterizable, not a fixed cost for all time. The way that’s accomplished is that all the nodes in the Bitcoin peer‐to‐peer network will automatically recalculate the target, that is the size of the target space as a fraction of the output space, every 2016 blocks. They recalculate the target in such a way that the average time between successive blocks produced in the Bitcoin network is about 10 minutes. With a 10‐minute average time between blocks, 2016 blocks works out to two weeks. In other words, the recalculation of the target happens roughly every two weeks. Let’s think about what this means. If you’re a miner, and you’ve invested a certain fixed amount of hardware into Bitcoin mining, but the overall mining ecosystem is growing, more miners are coming in, or they’re deploying faster and faster hardware, that means that over a two week period, slightly more blocks are going to be found than expected. So nodes will automatically readjust the target, and the amount of work that you have to do to be able to find a block is going to increase. So if you put in a fixed amount of hardware investment, the rate at which you find blocks is actually dependent upon what other miners are doing. There’s a very nice formula to capture this, which is that the probability that any given miner, Alice, is going to win the next block is equivalent to the fraction of global hash power that she controls. This means that if Alice has mining hardware that’s about 0.1 percent of total hash power, she will find roughly one in every 1,000 blocks. What is the purpose of this readjustment? Why do we want to maintain this 10‐minute invariant? The 65
Page 1 and 2:
Bitcoin and Cryptocurrency Technolo
Page 3 and 4:
Preface — The Long Road to Bitcoi
Page 5 and 6:
work, there is also the issue of co
Page 7 and 8:
Finally, CyberCash has the dubious
Page 9 and 10:
This was the first serious digital
Page 11 and 12:
and so on — powers of two. That w
Page 13 and 14: Figure 3 shows the user side of the
Page 15 and 16: initial cost to acquire all the equ
Page 17 and 18: the system is to record the relativ
Page 19 and 20: original design. However, after Bit
Page 21 and 22: A final reason that’s often cited
Page 23 and 24: Chapter 1: Introduction to Cryptogr
Page 25 and 26: Figure 1.2 Because the number of
Page 27 and 28: Property 2: Hiding The second pr
Page 29 and 30: ecome: ● ● Hiding: Given H(
Page 31 and 32: SHA‐256 uses a compression functi
Page 33 and 34: Figure 1.5 Block chain.A block c
Page 35 and 36: Figure 1.7 Merkle tree. In a Mer
Page 37 and 38: throughout this book. 1.3 Digital S
Page 39 and 40: Figure 1.9 Unforgeability game.
Page 41 and 42: andomness just in making a signatur
Page 43 and 44: 1.5 A Simple Cryptocurrency Now let
Page 45 and 46: The first key idea is that a design
Page 47 and 48: Figure 1.13 A PayCoins Transa
Page 49 and 50: Perusing the NIST standard that def
Page 51 and 52: Chapter 2: How Bitcoin Achieves Dec
Page 53 and 54: state of the system. The implicatio
Page 55 and 56: consensus is somewhat pessimistic,
Page 57 and 58: Implicit Consensus. This assumpt
Page 59 and 60: Figure 2.2 A double spend attempt.
Page 61 and 62: In general, the more confirmations
Page 63: Figure 2.4 The block reward is c
Page 67 and 68: possible outcomes, and the probabil
Page 69 and 70: theory problem that’s not easily
Page 71 and 72: this interlocking interdependence b
Page 73 and 74: Further reading The Bitcoin whitepa
Page 75 and 76: Chapter 3: Mechanics of Bitcoin Thi
Page 77 and 78: In this example, Alice specifies tw
Page 79 and 80: 3.2 Bitcoin Scripts Each transactio
Page 81 and 82: the Bitcoin language and one has to
Page 83 and 84: exactly the same script, which is i
Page 85 and 86: in the normal case, this isn’t th
Page 87 and 88: Technically all of these transactio
Page 89 and 90: The header mostly contains informat
Page 91 and 92: in turn sends it to all of its peer
Page 93 and 94: Figure 3.10 Block propagation ti
Page 95 and 96: that actually affect them. So they
Page 97 and 98: that the old version would accept a
Page 99 and 100: Exercises 1. Transaction validation
Page 101 and 102: Chapter 4: How to Store and Use Bit
Page 103 and 104: software can automatically turn the
Page 105 and 106: The cryptographic magic that makes
Page 107 and 108: may never know (or care) who the co
Page 109 and 110: Given this stringent requirement, s
Page 111 and 112: There is a formula called Lagrange
Page 113 and 114: Ideally, the site will encrypt thos
Page 115 and 116:
seen exchanges that fail due to bre
Page 117 and 118:
Figure 4.5: Proof of liabilities.
Page 119 and 120:
crypto and we won’t cover it here
Page 121 and 122:
Figure 4.8: Payment process involvi
Page 123 and 124:
transaction can't create coins, but
Page 125 and 126:
of U.S. dollars per day pass throug
Page 127 and 128:
Now if you look at a particular sec
Page 129 and 130:
alance of 500,000 BTC. It then sign
Page 131 and 132:
Chapter 5: Bitcoin Mining This chap
Page 133 and 134:
In most cases you'll try every sing
Page 135 and 136:
You can see in Figure 5.3 that over
Page 137 and 138:
steady‐state, the period to find
Page 139 and 140:
TARGET=(65535
Page 141 and 142:
Disadvantages of GPU mining. GPU
Page 143 and 144:
may be the fastest turnaround time
Page 145 and 146:
Figure 5.10: Evolution of mining
Page 147 and 148:
Hopefully, over time the embodied e
Page 149 and 150:
Still, if we could replace Bitcoin
Page 151 and 152:
Figure 5.11: Illustration of uncert
Page 153 and 154:
Figure 5.13: Mining rewards. Thr
Page 155 and 156:
Some mining hardware even supports
Page 157 and 158:
By April 2015, the situation looks
Page 159 and 160:
Figure 5.15 Forking attack.A mal
Page 161 and 162:
Temporary block‐withholding attac
Page 163 and 164:
the transaction from address X
Page 165 and 166:
Chapter 6: Bitcoin and Anonymity
Page 167 and 168:
Unlinkability. To understand unl
Page 169 and 170:
eason is that use cases that we cla
Page 171 and 172:
But this reveals something. The tra
Page 173 and 174:
the other hand, are often not new a
Page 175 and 176:
Figure 6.5. Labeled clusters.
Page 177 and 178:
Luckily, this is a problem of commu
Page 179 and 180:
they are unhappy with anonymity pro
Page 181 and 182:
Fees should be all-or-nothing. M
Page 183 and 184:
Somebody looking at this transactio
Page 185 and 186:
a single transaction that combines
Page 187 and 188:
just minting one doesn’t automati
Page 189 and 190:
Efficiency. Recall the statement
Page 191 and 192:
We start with Bitcoin itself, which
Page 193 and 194:
An alternative design to Zerocoin i
Page 195 and 196:
elieve the same thing. So consensus
Page 197 and 198:
of developers who maintain Bitcoin
Page 199 and 200:
The interesting case is if the fork
Page 201 and 202:
eing effectively bankrupt. As of ea
Page 203 and 204:
In an important sense it doesn't ma
Page 205 and 206:
of illegal items becomes potentiall
Page 207 and 208:
arrest. So although Ulbricht was th
Page 209 and 210:
kind of business that will handle l
Page 211 and 212:
een enough time for sellers to buil
Page 213 and 214:
The text refers to “activities in
Page 215 and 216:
A book that looks at the history of
Page 217 and 218:
It’s easy to see how Bitcoin’s
Page 219 and 220:
Why might memory‐hard and memory
Page 221 and 222:
Until recently, it wasn’t known i
Page 223 and 224:
meaning the exponential growth peri
Page 225 and 226:
Next, consider the problem that SET
Page 227 and 228:
In Permacoin, each miner Msto
Page 229 and 230:
Interestingly, these concerns have
Page 231 and 232:
they can perform the signatures on
Page 233 and 234:
schemes also require a small amount
Page 235 and 236:
to provide an effective solution, t
Page 237 and 238:
Chapter 9: Bitcoin as a Platform In
Page 239 and 240:
means that if you actuallydo
Page 241 and 242:
CommitCoin exploits this property.
Page 243 and 244:
features without needing to change
Page 245 and 246:
would just look like a dollar bill.
Page 247 and 248:
you. In particular, you can’t use
Page 249 and 250:
To solve this problem we can once a
Page 251 and 252:
NBA draft lottery.One example th
Page 253 and 254:
that there’s no way for anyone to
Page 255 and 256:
to predict the low‐level fluctuat
Page 257 and 258:
design, because miners have to veri
Page 259 and 260:
Here's another example, this time f
Page 261 and 262:
You can also trade shares for futur
Page 263 and 264:
Order books.The final piece o
Page 265 and 266:
Chapter 10: Altcoins and the Crypto
Page 267 and 268:
Attracting miners has special impor
Page 269 and 270:
with the launch date of the altcoin
Page 271 and 272:
Namecoin is technically interesting
Page 273 and 274:
10.3 Relationship Between Bitcoin a
Page 275 and 276:
Switching costs are certainly not z
Page 277 and 278:
If our altcoin is merge‐mined, we
Page 279 and 280:
When we think about a rational mine
Page 281 and 282:
DepositA [Altcoin block chain] Refu
Page 283 and 284:
Sidechains. The sidechains vision i
Page 285 and 286:
lock themselves could tell us. This
Page 287 and 288:
written in bytecode and executed by
Page 289 and 290:
Bitcoin. In particular, there are c
Page 291 and 292:
The simple binary Merkle tree used
Page 293 and 294:
Chapter 11: Decentralized Instituti
Page 295 and 296:
Bitcoin, Alice can remotely transfe
Page 297 and 298:
only these signatures of limited fo
Page 299 and 300:
11.3 Template for Decentralization
Page 301 and 302:
Sidebar: trust.Some people in th
Page 303 and 304:
competition among intermediaries. P
Page 305 and 306:
To drive home the mismatch between
Page 307 and 308:
Conclusion to the book Some people
show all

Bitcoin and Cryptocurrency Technologies

Create successful ePaper yourself

Delete template?

Save as template?