4. The problem
• Internet is great, but it is too easy to lie.
• The old solution : identify the authority, allow the authority to impose the ‘truth’, and blindly
trust the authority.
• Single point of control/failure/bottleneck.
• The authority may be (or become) incompetent/compromised/biased or corrupt/unavailable,
or fail in some other unknown way.
• No transparency. Cannot verify much. Trust in institutions is waning.
• How can we do better? Avoid relying on an authority. Use consensus of peers. Liars can lie,
but ultimately they will be ignored by all.
• Solution : chronicling : a time series of archivable data that anyone can verify.
• Decentralized (storage, authority), transparent and permission-less, immutable.
5. What is a blockchain?
[Diagram: Old block ... Block N -> Block N+1 -> Block N+2 (latest new block); each block holds Prev Hash, Data and timestamp]
• Digital messages bundled into blocks linked using cryptography
• Immutable, decentralized ledger
• Each block contains the cryptographic hash of the previous block, a timestamp
and transaction data (arranged as a Merkle tree) => chronicling !
• Invented by Satoshi Nakamoto in 2008 as a public ledger of bitcoin
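The diagram above is the whole idea in miniature: each block commits to its predecessor's hash, so editing an old block breaks every link after it. The following is an added example (not code from the deck) that builds such a chain in Python with SHA-256 and shows how validation catches a rewritten block; the block layout (prev_hash, timestamp, data) and the sample entries are constructed for illustration.

```python
import hashlib
import json

ZERO_HASH = "0" * 64   # the first block has no predecessor


def block_hash(block: dict) -> str:
    """Hash the header fields from the diagram: prev_hash, timestamp, data."""
    header = json.dumps(
        {"prev_hash": block["prev_hash"], "timestamp": block["timestamp"], "data": block["data"]},
        sort_keys=True,
    ).encode()
    return hashlib.sha256(header).hexdigest()


def make_block(prev_hash: str, data: str, timestamp: int) -> dict:
    block = {"prev_hash": prev_hash, "timestamp": timestamp, "data": data}
    block["hash"] = block_hash(block)
    return block


def build_chain(entries, start_time: int = 1_700_000_000) -> list:
    """Chain each entry to the one before it; timestamps are constructed 10 minutes apart."""
    chain, prev = [], ZERO_HASH
    for i, data in enumerate(entries):
        block = make_block(prev, data, start_time + 600 * i)
        chain.append(block)
        prev = block["hash"]
    return chain


def validate_chain(chain) -> bool:
    """Recompute every hash and check every prev_hash link.
    Changing old data changes that block's hash, so the next block's prev_hash no longer matches."""
    prev = ZERO_HASH
    for block in chain:
        if block["prev_hash"] != prev or block_hash(block) != block["hash"]:
            return False
        prev = block["hash"]
    return True


def tamper_demo():
    """Constructed history: three payments; then block 1 is rewritten after the fact."""
    chain = build_chain(["alice pays bob 1", "bob pays carol 1", "carol pays dave 1"])
    ok_before = validate_chain(chain)
    chain[1]["data"] = "bob pays carol 100"       # rewrite history
    ok_after_edit = validate_chain(chain)         # stored hash of block 1 is now wrong
    chain[1]["hash"] = block_hash(chain[1])       # attacker "fixes" block 1's own hash ...
    ok_after_rehash = validate_chain(chain)       # ... but block 2 still points at the old hash
    return ok_before, ok_after_edit, ok_after_rehash
```

The third return value is the important one: re-hashing the edited block is not enough, because every later block would also have to be rebuilt, which is exactly what proof of work makes expensive on the real network.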
6. The Times 03/Jan/2009 Chancellor on brink of second bailout for banks
• Bitcoin’s first block.
• This was probably intended as proof that the block was created on or after
January 3, 2009, as well as a comment on the instability caused by fractional-reserve banking.
• This detail, "second bailout for banks", could also suggest that the fact that a
supposedly liberal and capitalist system was rescuing banks like that was a
problem for Satoshi . . . the chosen topic could have a meaning about
bitcoin’s purpose . . .
• First draft published on the Cypherpunk mailing list.
• Could be a social, economic and political movement (similar to the “occupy
movement”, Metoo, LGBTQ, black lives matter etc).
• https://activism.net/cypherpunk/manifesto.html
7. What is a Distributed Ledger Technology (DLT)?
• A database of records that isn’t stored or confirmed by any central body. A
distributed ledger is merely a type of database spread across multiple
sites, regions, or participants.
• In DLT, the implementer has greater control over how it is in fact
implemented. They could, in principle, dictate the structure, purpose, and
functioning of the network that underpins its service.
• Cryptographically signing and linking groups of records in the ledger to form
a chain is what sets blockchain apart from other DLTs.
• Blockchain is a type of DLT. The DAG (Directed Acyclic Graph) based Tangle
(used by IOTA) and Hashgraph are examples of DLT without any
blocks/chain.
8. The Benefits Of Blockchain And Distributed Ledger Technology
DLT gives control of all its information and transactions to
the users and promotes transparency. Decentralization.
They can minimize transaction time to minutes, and transactions are
processed 24/7 (saving businesses a lot of money).
The technology also facilitates increased back-office
efficiency and automation (saving businesses a lot of money).
DLTs cut down on operational inefficiencies.
Cuts out the middle party.
Greater security is also provided due to their decentralized
nature, as well as the fact that the ledgers are immutable.
9. Blockchain Applications
Crypto currencies & Smart contracts
Defi (traditional financial instruments in a decentralized way, lending/credit etc)
Banking the unbanked (Humaniq, bloom, moneyamigo) Unbanking the banked (OmiseGo)
Payments, Cross border money transfer (Stellar, ripple)
Asset management
Wallets, crypto exchanges, DEX
DAO (Decentralized autonomous organization)
Games : lottery based games (eg Fomo3D), non-fungible tokens (eg cryptokitties)
Prediction market : Augur
Notary : blocknotary.com, stampd.io: immutable copyrights, timestamp, interview
Infra – resource tokens – compute/storage etc
Distributed cloud storage : ipfs, storj.io : encrypt, split, distribute
Supply chain and proof of provenance
Digital identity, Authentication and authorization
IOT
10. Types of blockchains
Public blockchain (e.g. bitcoin, Ethereum, Litecoin etc)
• Public - permissionless, trustless, immutable.
• Fully decentralized
Private blockchain aka permissioned blockchain (e.g. JP Morgan Quorum, BankChain)
• Fully private with write permissions kept within a single organization
• Businesses have sensitive information that cannot be shared publicly.
• Privacy of participants (ring signatures, stealth addresses etc)
• Privacy of data/transactions/balances (zero knowledge proofs, Pedersen
commitments)
• Transactions are private, known only to participants with permissions.
• Controlled by a single organization. Centralized.
• Participants are known and trusted and need consent to join
Consortium blockchain aka shared permissioned blockchain (e.g.
Hyperledger, Ripple, R3)
• Partly private, permissioned, multi-org, semi-decentralized - hybrid between public
and private
11. Big names in “Enterprise Blockchain”:
Hyperledger (https://www.hyperledger.org/)
Led by Linux Foundation, IBM (Hyperledger Fabric)
Focus: finance, healthcare, supply chain
Consortium of 20+ corporate members, 120+ start-up & ecosystem participants, 20+
institutions to advance blockchain technologies through open-source, collaborative
development
Produces enterprise-focused software solutions & tools for implementing blockchain
applications, PoCs, solutions, etc.
Hyperledger Fabric - Private permissioned blockchain, modular plug-and-play solutions
12. Hyperledger
(https://www.hyperledger.org/)
Burrow : modular blockchain client
with a permissioned smart contract
interpreter built in part to the
specification of the Ethereum Virtual
Machine (EVM).
Fabric : An enterprise-grade
permissioned DLT framework that
offers modularity, privacy options to
satisfy a broad set of industry use
cases ranging from finance, to
healthcare, to supply-chain and
more.
Grid : Hyperledger Grid is a
WebAssembly-based project for
building supply chain solutions. It
includes a set of libraries, data
models, and SDK to accelerate
development for supply chain smart
contracts and client interfaces.
Indy : It provides tools, libraries, and
reusable components for creating
and using independent digital
identities rooted on blockchains or
other distributed ledgers for
interoperability.
Iroha : This is a modular distributed
blockchain platform with its own
unique consensus and ordering
service algorithms, rich role-based
permission model and multi-
signature support.
Sawtooth : It includes a novel
consensus algorithm, Proof of
Elapsed Time (PoET), which targets
large distributed validator
populations with minimal resource
consumption.
And many more ...
13. ConsenSys (https://consensys.net/)
Incubator for Ethereum-
focused applications,
startups, and developer
tools. Founded in 2015
by Joe Lubin (co-founder
of Ethereum).
“Hub-and-spoke” model
with shared, central
resources and “spoke”
ventures. Enterprise
Ethereum.
Supports adoption,
ecosystem expansion,
network effects for
Ethereum.
Multiple divisions &
efforts : e.g. Gitcoin,
MetaMask, truffle,
Infura,
https://kaleido.io/
Blockchain as a Service.
14. R3 (https://www.r3.com/)
Enterprise blockchain company.
It leads an ecosystem of more
than 300 firms working together
to build dApps on top of Corda
for usage across industries such
as financial services, insurance,
healthcare, trade finance, and
digital assets.
Corda is R3’s distributed ledger
technology platform, open
sourced in November 2016,
specifically designed for financial
sector.
Data privacy, regulator focused,
smart contracts, enterprise
grade.
Point to point, no mining, no
broadcast, data sharing on need-
to-know basis.
https://www.corda.net/
16. Intersection of many different fields
• Cryptography & mathematics
• Distributed computing, consensus algorithms
• Computer security
• Fintech/DeFi, banking
• Art, music, gaming, sports
• Politics & government
• Law and regulation
• Game theory & crypto economics
Experts from all these fields trying to sort this out. Wild wild west right now.
18. Fun facts about Bitcoin
• Total #bitcoins fixed (deflationary) = 21 million, 85% mined so far.
• Inventor is unknown. Pseudonym - Satoshi Nakamoto.
• Published paper on 10/31/2008 : Bitcoin: A Peer-to-Peer Electronic Cash System.
• May 22 is bitcoin pizza day. First real world transaction in 2010, paid 10,000
BTC for 2 Papa John’s pizzas.
• Genesis block “The Times 03/Jan/2009 Chancellor on brink of second
bailout for banks” https://en.bitcoin.it/wiki/Genesis_block
• HODL - originated in 2013 with a post to the bitcointalk forum. HODL as
strategy and philosophy. Move over HODL, it's time to BUIDL.
• Room 77 – accepting Bitcoin since 2011.
• https://www.blockchain.com/explorer
• Not account based. Based on the UTXO model (unspent transaction output).
• Implementations : Bitcoind (C++), btcd (Go), bcoin (node.js).
• Bitcoin Improvement Proposals (BIPs) ~ RFCs
19. Fiat (traditional) versus Crypto currency

                               FIAT (TRADITIONAL) CURRENCY     CRYPTO CURRENCY
Decentralized                  No (central bank)               Yes (mathematical)
Type                           Real                            Virtual
Intermediates                  Yes                             No (peer to peer)
Portability & speed            Moderate (slow)                 Yes
Durable                        Moderate                        Highly durable
Acceptance                     National                        Global
Secure                         Moderate                        High (but comes with risks of hacks/exploits etc)
Sovereign (government issued)  Yes                             No
Smart                          No                              Yes
21. Criticism
Poor Scalability
Hacks, attacks, vulnerability exploits
PoW – wastage of energy, scale, privacy, confirmation time etc
Regulatory issues
Frauds & Scams
Volatility
UX and usability – work in progress
Market manipulation
Dark web, silk road, extortion etc
Tax evasion
No killer app?
22. Fundamentals: Cryptographic Hash Function Properties
• Pre-image resistance : assume x is the message. Given H(x), it’s computationally
difficult to find x. aka trapdoor or one-way
Fingerprint analogy – whose fingerprint is this?
• Collision resistance : hard to find any two x and y s.t. H(x) == H(y)
Fingerprint analogy – can you find two random people with the same fingerprint?
• Second pre-image resistance : given x, it’s computationally difficult to find
some other value x’ s.t. H(x) == H(x’).
Fingerprint analogy – can you find someone else with the same fingerprint as you?
• Non-correlation or avalanche effect : a tiny change (even 1 bit) in the input produces
an extensive change in the output (significantly different) s.t. it cannot be correlated to the
hash of the original message.
• Verifiability : computing the hash of a message is efficient (linear complexity).
• Deterministic : a given input message always produces the same hash output.
• Bitcoin uses a double hash, SHA-256(SHA-256(x)).
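The properties above can be checked empirically with the standard library. This is an added example (not from the deck) using Python's hashlib: it measures the avalanche effect by flipping single input bits, confirms determinism, shows the double SHA-256 Bitcoin uses, and illustrates why pre-image resistance only protects inputs that actually have entropy (a hash of a short number is guessable, exactly like the fingerprint analogy). All inputs are constructed.

```python
import hashlib


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double hash: SHA-256(SHA-256(x))."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    out = bytearray(data)
    byte_index, bit = divmod(bit_index, 8)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_bits(data: bytes, bit_index: int = 0) -> int:
    """Number of the 256 output bits that change when one input bit flips (about half for a good hash)."""
    return hamming_distance(
        hashlib.sha256(data).digest(),
        hashlib.sha256(flip_bit(data, bit_index)).digest(),
    )


def avalanche_profile(data: bytes):
    """Flip every input bit in turn; return the min and max number of changed output bits."""
    distances = [avalanche_bits(data, i) for i in range(len(data) * 8)]
    return min(distances), max(distances)


def is_deterministic(data: bytes, rounds: int = 3) -> bool:
    return len({hashlib.sha256(data).hexdigest() for _ in range(rounds)}) == 1


def brute_force_preimage(digest: bytes, budget: int):
    """Pre-image 'resistance' is only as strong as the input's entropy: a hash of a small decimal
    number falls to a few guesses, while a 256-bit random input is out of reach for any budget."""
    for candidate in range(budget):
        guess = str(candidate).encode()
        if hashlib.sha256(guess).digest() == digest:
            return guess
    return None
```

Run avalanche_profile on any short input: every single-bit flip changes roughly 128 of the 256 output bits, never a handful, which is what makes the hash non-correlated with its input.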
23. Crypto Basics – 1
Collision resistant hash functions (CRHF)
• Collision resistant hash functions (CRHF)
Hash(Message) ---> T
| input message space | >> | target space | (256b)
• Hard to find a collision although, by the pigeonhole principle, many
collisions exist.
• Use Merkle trees for shorter proofs.
• A Merkle tree is a tree in which every leaf node is labelled with the
hash of a data block, and every non-leaf node is labelled with
the hash of its child nodes.
24. Crypto Basics – 2
Proof of Work
• Proof of Work
- Goal : build a puzzle such that solving it takes at least a time controlled by the
difficulty level, O(D), while verifying a solution takes O(1) time.
• Puzzle : input x, solution y : H(x, y) < 2^n / D … n = 256, D varies.
- Verify(x, y) : accept if H(x, y) has at least D leading zeroes.
• CRHF does not mean it’s PoW secure
25. Crypto Basics - 3
Digital signatures
• Digital signatures
- Authentication, non-repudiation,
immutability (message integrity).
• Set of 3 algorithms. (G, S, V)
- Generator() : no input, outputs (pk, sk)
- Sign(sk, m) : outputs sig
- Verify(pk, m, sig) : outputs yes/no
• Bitcoin and Ethereum use ECDSA (suffers from a
malleability attack)
• Future : Schnorr signatures, BLS signatures,
ring signatures etc
26. Security perspective
• Do not roll your own crypto, must be peer reviewed and
battle tested. Even great mathematicians and cryptographers
make mistakes.
• Algorithms will be broken (advances in maths, computers,
tech etc).
• The time from acceptance to deprecation is shrinking.
• Keep up to date with deprecated functions (RC2/RC4, (X)DES,
SHA-1, MD2/MD4/MD5, RSA < 1024b, ECDSA 160b, SSL). Be
ready to swap in different encryption methods.
• Humans are the weakest link, how one uses cryptography can
undo security.
27. Merkle tree
A Merkle tree is a tamper-resistant data structure that
allows a large amount of data to be compressed into a
single number and can be queried for the presence of
specific elements in the data with a proof constructed in
logarithmic space.
28. Bloom filter
• A bloom filter is a probabilistic data structure that can answer the question of
whether a value is absent from a set while maintaining a constant space requirement
and a constant lookup time
• If the bloom filter responds that an item does exist in a set, it may be a false positive.
• A bloom filter consists of an array of bits and a set of hashing functions that each
return a number that corresponds to the index of a bit in the bit field.
• To encode a value, we pass the value as an input to each hashing function. We set the
bit at each returned index to 1. If the bit at a given index is already 1, no change
occurs.
• To ask whether a value already exists in the bloom filter, we run the value
through each hashing function. If any function returns an index in the bit field that is
still 0, we can say for certain that the value has not yet been encoded.
• In Bitcoin, bloom filters allow lightweight wallets to request the transactions they care
about without revealing the user's identity. For example, the wallet may encode its
addresses into a bloom filter and send the bit field in a request to the network. The
answering node returns a list of transactions that involve addresses for which the
bloom filter returns a positive result. The list of transactions returned may contain
many false positives.
• The false positives help hide which addresses actually belong to the requester.
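The following is an added example (not code from the deck) of the bloom filter just described: a bit array, k hash functions derived from SHA-256 with a per-function seed, the add and might-contain operations, and a constructed SPV scenario in which a light wallet's two addresses are encoded in a deliberately small filter so that the answering node's reply contains false positives alongside the real matches. Filter sizes, address strings and transaction ids are all constructed.

```python
import hashlib
import math


class BloomFilter:
    """m-bit array plus k hash functions. A 'no' answer is certain; a 'yes' may be a false positive."""

    def __init__(self, n_bits: int, n_hashes: int):
        self.n_bits, self.n_hashes = n_bits, n_hashes
        self.bits = bytearray((n_bits + 7) // 8)
        self.n_items = 0

    def _indexes(self, value: bytes):
        # k hash functions from one SHA-256 with a per-function seed; each yields a bit index
        for seed in range(self.n_hashes):
            digest = hashlib.sha256(seed.to_bytes(4, "big") + value).digest()
            yield int.from_bytes(digest[:8], "big") % self.n_bits

    def add(self, value: bytes) -> None:
        for i in self._indexes(value):
            self.bits[i // 8] |= 1 << (i % 8)       # a bit that is already 1 stays 1
        self.n_items += 1

    def might_contain(self, value: bytes) -> bool:
        # any 0 bit proves the value was never added; all 1s only means "maybe"
        return all((self.bits[i // 8] >> (i % 8)) & 1 for i in self._indexes(value))

    def expected_false_positive_rate(self) -> float:
        """Standard estimate (1 - e^(-kn/m))^k for n items in m bits with k hashes."""
        return (1 - math.exp(-self.n_hashes * self.n_items / self.n_bits)) ** self.n_hashes


def spv_filter_demo(n_bits: int = 32, n_hashes: int = 2):
    """Constructed scenario: a light wallet with two addresses sends a small (hence noisy) filter;
    the node returns every transaction whose address matches, true hits and false positives alike."""
    wallet_addresses = [b"addr-wallet-1", b"addr-wallet-2"]
    bf = BloomFilter(n_bits, n_hashes)
    for addr in wallet_addresses:
        bf.add(addr)
    # constructed mempool: 200 unrelated transactions plus the two the wallet cares about
    mempool = [(f"tx-{i}", f"addr-other-{i}".encode()) for i in range(200)]
    mempool += [("tx-wallet-1", b"addr-wallet-1"), ("tx-wallet-2", b"addr-wallet-2")]
    matched = [txid for txid, addr in mempool if bf.might_contain(addr)]
    false_positives = [txid for txid in matched if not txid.startswith("tx-wallet")]
    return matched, false_positives, bf.expected_false_positive_rate()
```

The wallet's real transactions are always in the reply (no false negatives); the false positives are the privacy margin, and a wallet tunes n_bits and n_hashes to trade bandwidth against how much it reveals.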
29. Simple Payment Verification (SPV)
• SPV nodes don’t have all transactions and do not download full blocks,
just block headers. In order to verify that a transaction is included in a
block, without having to download all the transactions in the block, they
use an authentication path, or merkle path.
• The SPV node will establish a bloom filter on its connections to peers to
limit the transactions received to only those containing addresses of
interest.
• When a peer sees a transaction that matches the bloom filter, it will send
that block using a merkleblock message. The merkleblock message
contains the block header as well as a merkle path that links the
transaction of interest to the merkle root in the block.
• The SPV node can use this merkle path to connect the transaction to the
block and verify that the transaction is included in the block. The SPV
node also uses the block header to link the block to the rest of the
blockchain.
• The combination of these two links, between the transaction and block,
and between the block and blockchain, proves that the transaction is
recorded in the blockchain.
• All in all, the SPV node will have received less than a kilobyte of data for
the block header and merkle path, an amount of data that is more than a
thousand times less than a full block (about 1 megabyte currently).
• Application -> Thin wallets, say, on a Mobile.
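The Merkle tree of slides 23 and 27 and the merkle path of slide 29 fit in one piece of code. This is an added example (not the deck's or Bitcoin Core's code) in Python: leaves are hashed with Bitcoin's double SHA-256, an odd last node is paired with itself as Bitcoin does, merkle_path produces the sibling hashes an SPV node needs, and verify_merkle_path recomputes the root from a leaf and that path. The transaction payloads are constructed.

```python
import hashlib


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _padded(level):
    """Bitcoin pairs an odd trailing node with a copy of itself."""
    return level + [level[-1]] if len(level) % 2 == 1 else level


def merkle_levels(leaves):
    """All tree levels, leaves first, root last."""
    if not leaves:
        raise ValueError("a block has at least the coinbase transaction")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        level = _padded(levels[-1])
        levels.append([sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)])
    return levels


def merkle_root(leaves) -> bytes:
    return merkle_levels(leaves)[-1][0]


def merkle_path(leaves, index: int):
    """Sibling hashes from the leaf up to the root: the authentication path of slide 29.
    Each entry is (sibling_hash, sibling_is_left); the path has ~log2(n) entries."""
    path = []
    for level in merkle_levels(leaves)[:-1]:
        level = _padded(level)
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index //= 2
    return path


def verify_merkle_path(leaf: bytes, path, root: bytes) -> bool:
    """What an SPV node does with a merkleblock: hash upward and compare with the header's root."""
    h = leaf
    for sibling, sibling_is_left in path:
        h = sha256d(sibling + h) if sibling_is_left else sha256d(h + sibling)
    return h == root


def proof_size_bytes(path) -> int:
    return 32 * len(path)
```

For a block of a few thousand transactions the path is a dozen or so 32-byte hashes, which is the "less than a kilobyte" figure on the slide; the node cannot forge a path for a transaction that is not in the block without finding a SHA-256 collision.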
30. Private Key & Public Key & Bitcoin address
• Bitcoin uses ECDSA to create sk and pk.
• secp256k1 : y^2 = x^3 + 7 over F_p
• Private key (k) – simply a 256 bit number picked randomly. Toss a coin 256 times. Must be
kept secret.
• Public key (K) – scalar point multiplication of G by k on the secp256k1 curve. Public. (x, y)
• Bitcoin address = Base58CheckEncode ( RIPEMD160(SHA256(K)) ), i.e. a 160 bit hash of the public
key.
• Base-58 alphabet:
- 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz 58 characters
(omits 0, O, I, l) => Note : Case sensitive !!!
• Practically impossible for any two addresses to overlap. For reference
- Grains of sand on earth: 2^63
- With 2^63 earths, each with 2^63 grains of sand : 2^126 total grains of sand.
- 2^126 is only 0.000 000 00 58 % of 2^160.
- Population of earth : 7.5 billion (2017). Every person could have 2^127 addresses all to
themselves.
[Diagram: Private Key (k), 256 bit --ECM--> Public Key (K) = (x, y) --RIPEMD160(SHA256(K))--> Bitcoin Address (160 bit)]
31. Public Key
• Public Key (K) is derived from the private key (k) using
elliptic curve multiplication.
- K = k * G where G is a fixed generator point.
- ECC is a trapdoor function: easy to compute in one
direction, yet difficult to compute in the opposite
direction without knowing the trapdoor.
• The reverse operation, calculating k for a public
K, is as difficult as trying all possible values of k,
i.e. brute force search. This is aka the “discrete
logarithm problem”.
• Bitcoin uses a specific elliptic curve as defined in
an NIST standard, called secp256k1 curve.
32. Base58 Bitcoin Address

Type                           Version prefix   Base58 result prefix
Bitcoin Address                0x00             1
Pay-to-Script-Hash Address     0x05             3
Bitcoin Testnet Address        0x6F             m or n
Private Key WIF                0x80             5, K or L
BIP-38 Encrypted Private Key   0x0142           6P
BIP-32 Extended Public Key     0x0488B21E       xpub

Note that a Base-58 encoded Bitcoin address is case sensitive.
The new style addresses aka bech32 addresses are not case sensitive.
34. Layer 1 Consensus Basics : Distributed systems properties, BFT
• Concurrency
• Message passing – synchronous (message delivered in fixed time) or asynchronous (network may delay/duplicate/deliver out of order)
• Lack of global clock – time and order of events
• Independent failures, failure modes :
- Crash fail (stops without warning)
- Omission (messages dropped, delayed/duplicated/out of order)
- Byzantine (may choose to be malicious, lie / collude), hardest
• Byzantine fault tolerance – nodes can be either honest or dishonest depending on incentives. Nodes may be B (Byzantine), A (altruistic) or
R (rational), meaning they follow the protocol only when it suits them.
35. FLP impossibility, CAP theorem and Blockchain Trilemma
• FLP impossibility (Fischer, Lynch, Paterson 1982) : in the asynchronous case, pick any 2 out
of the following 3 to get a consensus: Safety/Liveness/Fault tolerance.
• CAP theorem (1998, Brewer’s theorem @ UCB) : it is impossible for a distributed
data store to simultaneously provide more than two out of the following three
guarantees:
- Consistency: every read receives the most recent write or an error
- Availability: every request receives a (non-error) response – without the
guarantee that it contains the most recent write
- Partition tolerance: the system continues to operate despite an arbitrary
number of messages being dropped (or delayed) by the network between
nodes
• Distributed systems must have partition tolerance. That leaves A or C. A is
a must. So C goes out. It becomes eventual consistency.
• Blockchain Trilemma (Vitalik Buterin) : cannot have all three properties –
decentralization, security and scalability.
36. Consensus (timeline)
• Byzantine generals problem : if f >= N/3 => consensus impossible. (f:
faulty/traitors, N: total nodes). 2/3 of nodes must be loyal.
• Fischer, Lynch, Paterson, FLP impossibility result (1982) : in the
asynchronous case, pick any 2 out of the following 3 to get a consensus:
Safety/Liveness/Fault tolerance.
• Ben Or (1983), Rabin (1983), Partial Synchrony (1984), Viewstamped
replication (1988), Paxos (1990)
• Sybil attack – voting based systems, based on identity. An attacker can
make up identities. Solution : make identities cost something.
• Practical Byzantine Fault Tolerance, PBFT (1999) : based on state
machine replication. f must be < N/3. Uses voting (leader, backup).
Exponential communication. Issues - does not scale, Sybil attacks
possible. Used in Hyperledger.
• RAFT (2014, Stanford) is not BFT. Quorum uses a Raft implementation
in `etcd`
• Nakamoto (2008) – lottery. Used in Bitcoin.
• Federated Byzantine Agreement – each node can decide whom to trust
and be part of their decision-making group, called a quorum slice.
Used in Stellar and Ripple. Every Byzantine general, responsible for
their own chain, sorts messages as they come in to establish truth.
In Ripple the generals (validators) are pre-selected by the Ripple
foundation. In Stellar, anyone can be a validator, so you choose
which validators to trust.
37. Layer 1 : Consensus
• Agreement – no two correct processes decide differently
• Validity – If a process decides value v, then v was proposed by some valid process
• Safety = agreement + validity
• Termination – every correct process eventually decides correct value = liveness
38. Nakamoto Consensus in Bitcoin
No voting, no particular timing to hold a consensus.
No need for precise membership. Permissionless.
No identity required!
Solve a cryptographic puzzle instead of voting.
Not aiming for fully correct consensus. Eventual consistency.
Proof of work
• makes it harder for dishonest miners to propose a block
• miners solve computationally hard problems when a block is created
Incentives for miners to be honest and to be on the longest chain.
39. Nakamoto Consensus
What do we agree on? – We agree on a block which has a set of valid transactions.
Who can propose/author a block? – Anyone who has solved the puzzle. PoW in Bitcoin.
How do we agree? – A set of rules for consensus. Longest chain wins (most PoW) => finality in 6 confirmations.
In Nakamoto :
• Agreement – NO, a successful PoW does not guarantee finality.
• Validity – yes, the output is one of the inputs.
• Termination – statistically yes, with a mathematical proof.
• Fault tolerance – yes, works even if one or more nodes fail.
• Finality – a block can get reversed. Practically, finality after 6 confirmations.
Cons – high latency, low throughput, does not scale, wastes energy.
[Diagram: Anyone can author a block – PoW; Finality : longest chain wins]
40. In Bitcoin
• Agreement – NO. Different miners may work on different sets of transactions and thus may output different blocks if
they are able to solve the puzzle, and this may cause a split or orphan blocks. This can happen due to network latency,
some mining policy, or a double spend attack. So a successful PoW never guarantees finality.
• Validity – YES. Due to incentives, everyone wants to be on the longest valid chain.
• Termination – YES. Solving the puzzle is probabilistic. Each attempt is a Bernoulli trial since it has only 2 outcomes. Nodes try so many
nonces (or reorder the transactions of the Merkle tree) that this can be approximated by a Poisson process, so the time between
blocks follows an exponential distribution. Some blocks may be found sooner than 10 minutes and some later. There is no guarantee
that a solution is always found, but mathematically the probability of not finding a solution is very small. Also, every
2016 blocks the difficulty is auto-adjusted (increased or decreased). So the output will be found almost always.
41. Mining
• A “full node” must do the following :
- Download entire blockchain and verify the transaction history
- Nodes broadcast transactions, verify incoming transactions
- Miners create a block of valid transactions
- Find a nonce, timestamp, merkle root to solve the puzzle
- Reorder transactions in a block to change merkle hash if it runs out of
nonce/timestamp
- Broadcast your block
- Hope that your block is accepted by other nodes => Profit !
- Unsuccessful miners abandon their current candidate blocks and start work on new
ones, remove done tx from mempool
• Transaction fees depend on size of transaction
• Miner may also get an MEV (Miner extractable Value) - more on this later.
• Profit = Mining revenue (Block reward + transaction fees) - Mining cost (fixed costs +
variable costs)
• Fixed costs = hardware
• Variable costs = electricity , cooling, (pools : warehouse, personnel etc)
• Rewards/Incentive for honesty => more secure network.
• PoW ensures that miners willing to spend/invest for hw to earn BTC.
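The puzzle of slide 24 and the miner's loop of slide 41 are shown together in this added example (not the deck's or Bitcoin Core's code): the 80-byte Bitcoin block header, the compact "bits" field expanded into the target, the O(D) nonce search that bumps the timestamp when the nonce space is exhausted, and the O(1) verification that recomputes one double SHA-256. The header layout, field order and bits encoding are Bitcoin's; the genesis block fields are public chain data used as a known-answer check, and the header mined in the test uses a constructed merkle root with an easy target.

```python
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    """Bitcoin's PoW hash: SHA256(SHA256(block_header))."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def bits_to_target(bits: int) -> int:
    """Expand the compact 4-byte 'bits' field into the 256-bit target the hash must stay below."""
    exponent, coefficient = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return coefficient >> (8 * (3 - exponent))
    return coefficient << (8 * (exponent - 3))


def serialize_header(version, prev_hash, merkle_root, timestamp, bits, nonce) -> bytes:
    """The 80-byte header: little-endian integers, hashes in internal (byte-reversed) order."""
    return (struct.pack("<I", version) + prev_hash + merkle_root
            + struct.pack("<III", timestamp, bits, nonce))


def header_hash_hex(header: bytes) -> str:
    """The block hash as explorers display it (byte-reversed)."""
    return sha256d(header)[::-1].hex()


def meets_target(header: bytes) -> bool:
    """O(1) verification: one double hash compared with the target decoded from the header's own bits."""
    bits = struct.unpack("<I", header[72:76])[0]
    return int.from_bytes(sha256d(header), "little") < bits_to_target(bits)


def mine(version, prev_hash, merkle_root, timestamp, bits, max_nonce=2**32):
    """O(D) search: try nonces; when the nonce space runs out, bump the timestamp and start again
    (real miners also change the coinbase extra-nonce, which changes the merkle root, as slide 41 says)."""
    target = bits_to_target(bits)
    attempts = 0
    while True:
        for nonce in range(max_nonce):
            header = serialize_header(version, prev_hash, merkle_root, timestamp, bits, nonce)
            attempts += 1
            if int.from_bytes(sha256d(header), "little") < target:
                return header, attempts
        timestamp += 1


# Bitcoin genesis block header fields (public chain data) as a known-answer check
GENESIS_HEADER = serialize_header(
    1,
    bytes(32),
    bytes.fromhex("4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b")[::-1],
    1231006505,
    0x1D00FFFF,
    2083236893,
)
GENESIS_HASH = "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f"
```

A node never needs to repeat the search: meets_target on a received header costs one double hash, which is the asymmetry slide 24 asks for. The bits value used in the test (0x1f00ffff) makes the search take tens of thousands of hashes, against roughly 2^32 times the genesis difficulty on the real network today.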
42. Mining
• Different miners may work on different set of transaction in a block.
• Mempool in RAM holds validated unconfirmed transactions until they are
picked.
• Miners see transactions before they are confirmed and could maliciously
change them before transactions are validated (e.g. Malleability of ECDSA
attack).
• Every block contains mining reward aka Coinbase transaction which is
the first transaction of a block, wherein, miner sends a reward to its own
address, for generating a new block through mining by solving the puzzle.
• The reward for mining the first block was 50 BTC. The reward is halved
every 210,000 blocks. Current block reward 6.25 BTC, mined
approximately every 10 minutes. It will take about 132 years to mine all
6,929,999 blocks, and the last block will be mined in 2140.
• Miners also collect transaction fees = Σ inputs – Σ outputs. The higher the fee,
the higher the chance of the transaction making it into a block.
43. Mining
• CPU -> GPU -> FPGA -> ASIC
• ASIC mining
- Pros: low power, higher hash rate, smaller, high profit
- Cons: costly, coin specific, low resale value, short life span,
non-upgradable, monopolies using dubious methods (ASIC boost,
selfish mining, eclipse attacks etc.)
• ASIC-resistant mining algorithms
- Reduce the barrier to entry, increase decentralization, improve
security via increased community participation
• PoW for Bitcoin is SHA256(SHA256(block_header))
• Ethereum uses a PoW algorithm called 'ethash', designed to require
more memory to make it harder to mine using expensive ASICs.
• In 2018, Bitmain released an Ethereum ASIC miner called Antminer E3. Eth
has proposed ProgPoW.
44. Mining Puzzles
• Memory-hard : requires lot of memory to solve puzzle. Asic resistant.
• Memory-bound : time to access memory dominates time to compute.
Note : A puzzle can be just memory‐hard without being memory‐bound, or
memory‐bound without being memory‐hard, or both.
• SHA-256 – Secure Hash, Bitcoin PoW (and used by many others)
• ETHASH - Ethereum’s PoW. Asic resistant via memory hardness.
• Scrypt – memory hard. Simpler and quicker than SHA-256. PoW in
Dogecoin, Litecoin etc
• Equihash – PoW for standard CPUs. Used in Bitcoin Cash, Zcash.
• Cryptonight – PoW for CPU mining. Used in Monero.
• Cuckoo cycle - ASIC-resistant PoW algorithm which is memory bound. Goal
is to find a fixed length L ring in the Cuckoo Cycle bipartite graph randomly
generated. CuckARoo (anti-ASIC) and CuckAToo (ASIC-friendly). Grin uses
90% CuckARoo + 10% CuckAToo.
45. What if two miners solve the puzzle at the same time?
• Both miners will broadcast their solution on the network
• Nodes will accept the first solution they hear and reject others
• Nodes always switch to the longest chain they hear
• Eventually the network will converge and achieve consensus
• Block height = Current block number starting from genesis block
• Block depth = #blocks after the given block
• To avoid double spend attack, 6 confirmations are recommended
by Satoshi.
• Finality time => one hour! Similar to credit card transactions
which can get reversed!
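The fork-resolution rules above can be simulated directly. This is an added example (not the deck's code) of a node's chain selection in Python: it keeps the first of two competing blocks at the same height, switches when a rival branch becomes strictly longer, and computes confirmations so that a merchant's "wait for 6" policy can be expressed as a function. Block ids and the fork scenario are constructed, and blocks carry no proof of work here because only the selection logic is being shown.

```python
class Node:
    """Tracks every block heard; the best chain is the longest, ties go to the block heard first."""

    def __init__(self):
        self.blocks = {"genesis": {"prev": None, "height": 0}}
        self.tip = "genesis"

    def on_block(self, block_id: str, prev_id: str) -> bool:
        """Accept a block whose parent is known; switch tips only for a strictly longer chain."""
        if prev_id not in self.blocks or block_id in self.blocks:
            return False
        self.blocks[block_id] = {"prev": prev_id, "height": self.blocks[prev_id]["height"] + 1}
        if self.blocks[block_id]["height"] > self.blocks[self.tip]["height"]:
            self.tip = block_id                 # the longest chain wins
        return True

    def best_chain(self) -> list:
        chain, cur = [], self.tip
        while cur is not None:
            chain.append(cur)
            cur = self.blocks[cur]["prev"]
        return chain[::-1]

    def depth(self, block_id: str) -> int:
        """Number of blocks after the given block on the best chain (slide 45's 'block depth')."""
        chain = self.best_chain()
        return len(chain) - 1 - chain.index(block_id)

    def confirmations(self, block_id: str) -> int:
        """1 for the block itself plus its depth; 0 if it is not on the best chain (orphaned)."""
        return 0 if block_id not in self.best_chain() else self.depth(block_id) + 1


def safe_to_release_goods(node: Node, block_id: str, required: int = 6) -> bool:
    """The merchant policy the slide recommends: act only once the paying block is buried deep enough."""
    return node.confirmations(block_id) >= required


def fork_demo():
    """Constructed fork: A1 heard first, B1 competes at the same height, then B2 extends B1."""
    node = Node()
    node.on_block("A1", "genesis")
    node.on_block("B1", "genesis")              # same height: rejected for now, A1 stays the tip
    tip_after_tie = node.tip
    node.on_block("B2", "B1")                   # B branch is now longer: the node switches
    return tip_after_tie, node.tip, node.confirmations("A1"), node.confirmations("B1")
```

A payment that was "confirmed" in A1 drops to zero confirmations the moment the B branch wins, which is why one confirmation is not finality and the slide's one-hour wait is the usual compromise.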
46. Bitcoin Block time and total supply
How often are new blocks created? Approximately once every 10 minutes.
Every 2016 blocks, the target T is recalculated.
Let tsum = number of seconds taken to mine the last 2016 blocks
Tnew = (tsum / (14 × 24 × 60 × 60)) × T
The block reward was initially 50 BTC per block. Halves every 210,000 blocks ≈ 4 years.
Became 25 BTC in Nov 2012 and 12.5 BTC in July 2016.
Total Bitcoin supply is fixed - 21 million bitcoins. The last bitcoin will be mined in 2140.
Fun fact : In Sep 2019, Block #597,273 was mined 119 minutes after its parent.
This happened only 10 times in Bitcoin's history, last time in May of 2014.
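The retarget formula on this slide, the halving schedule of slide 42 and the exponential block-interval model of slide 40 are worked through in this added example (not the deck's code). It implements Tnew = (tsum / two_weeks) × T with the factor-of-4 clamp Bitcoin applies on top of that formula (a known consensus rule the slide does not mention), sums the subsidy schedule to the exact supply cap, and estimates how often a 119-minute gap like the one in the fun fact should occur under the idealized 10-minute Poisson model.

```python
import math

TWO_WEEKS_SECONDS = 14 * 24 * 60 * 60     # the slide's 14 × 24 × 60 × 60
HALVING_INTERVAL = 210_000
COIN = 100_000_000                        # satoshis per BTC


def retarget(target: int, tsum: int, clamp: bool = True) -> int:
    """Tnew = (tsum / two_weeks) × T. Bitcoin also limits each adjustment to a factor of 4 either way
    (known rule, not on the slide); blocks that came too fast shrink the target, making mining harder."""
    if clamp:
        tsum = max(TWO_WEEKS_SECONDS // 4, min(TWO_WEEKS_SECONDS * 4, tsum))
    return target * tsum // TWO_WEEKS_SECONDS


def block_subsidy(height: int) -> int:
    """50 BTC halved every 210,000 blocks, in integer satoshis, so it reaches zero after 33 halvings."""
    halvings = height // HALVING_INTERVAL
    return (50 * COIN) >> halvings if halvings < 64 else 0


def total_supply() -> int:
    """Sum every block's subsidy until it is zero: the 'fixed 21 million' cap, in satoshis."""
    total, height = 0, 0
    while block_subsidy(height) > 0:
        total += block_subsidy(height) * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total


def last_rewarded_block() -> int:
    height = 0
    while block_subsidy(height) > 0:
        height += HALVING_INTERVAL
    return height - 1


def prob_interval_exceeds(minutes: float, mean_minutes: float = 10.0) -> float:
    """Block discovery is memoryless, so inter-block times are exponential: P(T > t) = e^(-t/mean)."""
    return math.exp(-minutes / mean_minutes)


def expected_long_intervals(n_blocks: int, minutes: float, mean_minutes: float = 10.0) -> float:
    """How many gaps longer than `minutes` the idealized model predicts over n_blocks blocks."""
    return n_blocks * prob_interval_exceeds(minutes, mean_minutes)
```

Two things fall out that the slide states but does not derive: the supply cap is 20,999,999.9769 BTC rather than a round 21 million because of integer satoshi rounding, and the last subsidised block is number 6,929,999. The 119-minute gap is rarer than the fun fact suggests under the ideal model (about 4 expected occurrences in the first 597,273 blocks versus the 10 observed), a reminder that hash rate and difficulty are not constant within a retarget period.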
47. Mining calculators.
When is Bitcoin mining profitable exactly?
• Ant-miner hydra : hash rate 18 TH/sec (tera = 10^12), power
consumption 1.7 kW
• #hashes per ant-miner in 1 hour = 18 × 10^12 × 3600 = 64,800 × 10^12
• Assume Difficulty = 2^75 (hashes needed per block in this simplified model)
• #ant miners to mine 6 blocks in 1 hr = (2^75 × 6) / (64,800 × 10^12)
= 3,498,050
• Total power consumed = 3,498,050 × 1.7 kW = 5.9 million kWh
• Cost of electricity = $0.05 per kWh × 5.9 million kWh = $295K
• 6 rewards = 6 × 12.5 BTC × $10,000 = $750K USD
• Not included above : pool fee, cooling, data center opex costs, transaction fees, attacks etc.
• Rigs 'Sold By Kilo' https://news.bitcoin.com/miner-goes-bankrupt-manufacturers-stuck-with-inventory-old-rigs-sold-for-scraps/
48. Mining pools
• A user has to wait on average few years to mine a block
alone.
• Pooling of resources by miners, who share their processing
over a network, to share the reward. Expected revenue from
pool slightly lower than solo but it significantly reduces
variance of income.
• Monopoly 84% of mining by mining pools – centralization?
• A single pool with hash rate > 50% is a real threat.
• 74% of the hash power coming from China! “The Looming
Threat of China: An Analysis of Chinese Influence on Bitcoin”
– a Princeton research paper.
https://blockchain.princeton.edu/papers/2018-10-ben-
kaiser.pdf
• Geographical Centralization of Mining Risks 51% Attack.
• https://miningpoolstats.stream/bitcoin
• Multi pool mining – switch between altcoins. Pool hopping
attack.
• Stratum – pool mining protocol between miners and pool.
https://github.com/ctubio/php-proxy-stratum/wiki/Stratum-
Mining-Protocol
49. Why are the miners not in control?
Bitcoin : no foundation, unknown founder(s).
Ethereum : foundation ✔, founders known.
ICO : money raised by a single company.
Exchanges also play a role – what to list, whether to support a fork or not, how to
label forks (BTC vs BCH) etc.
50. Game theory
• Game theory is the study of mathematical models of strategic interaction between rational decision-makers. It has applications in all fields of social science, as well as in logic and computer science. Originally, it addressed zero-sum games, in which one person’s gains result in losses for the other participants. — Wikipedia

Prisoner’s dilemma
                  B betrays                              B stays quiet
A betrays         Both jailed for 2 years.               A is free. B is jailed for 3 years.
A stays quiet     B is free. A is jailed for 3 years.    Both jailed for 1 year.

The only possible outcome for two purely rational prisoners is to betray each other!
51. Mining pool strategy and attacks
Pay per share: flat fee for each header < pool_target, beneficial for miners,
pool takes risk from reward variance. no incentive to submit valid block.
Proportional: get proportion of work done/block reward only when a block
is found. Lower risk for pool operators, one issue : pool hopping.
Finney attack (double spend), 51% attack, feather forking attack, asic boost,
Selfish mining, eclipse attack, goldfinger attack, fee sniping etc
Selfish mining – block withholding. Dishonest minority can attack! Solution -
Uncle blocks, choose randomly if more than one block appear
approximately at the same time (instead of choosing first) and Publish or
perish
Verifier’s dilemma – verification of blocks takes time. May be cheaper not
to verify?
52. Miner’s dilemma
A pool member can sabotage an open pool by
seemingly joining it but never sharing its proofs of
work. The pool shares its revenue with the attacker,
and so each of its participants earns less.
Any open pool can increase its own profits by attacking
another open pool. However, if both attack each other,
both earn less than if none attacks.
With any number of pools, no-pool-attacks is not a Nash
equilibrium.
With two pools, or any number of identical pools, there
exists an equilibrium that constitutes a tragedy of the
commons where the pools attack one another and all
earn less than they would have if none had attacked.
For two pools, the decision whether or not to attack is the
miner's dilemma, an instance of the iterative prisoner's
dilemma. The game is played daily by the active Bitcoin
pools, which apparently choose not to attack. If this
balance breaks, the revenue of open pools might
diminish, making them unattractive to participants.
53. Cryptoeconomics
• The creation of Bitcoin as a Byzantine Fault Tolerance (BFT) system is the result of a harmonious blend of
cryptography and game theory.
• The use of game theory within the cryptocurrency context is what gave birth to the concept of
Cryptoeconomics, which is basically the study of the economics of blockchain protocols and the potential
consequences that the design of these protocols may present as a result of participants' behaviors. It also
considers the behavior of "external agents" that are not really part of the ecosystem, but could eventually join
the network only to try and disrupt it from within.
• One of the most important features of the Bitcoin network that protects it from malicious activity is the Proof
of Work consensus algorithm.
• It applies cryptographic techniques that cause the mining process to be very costly and demanding, creating a
highly competitive mining environment.
• Therefore, the architecture of PoW-based cryptocurrencies incentivizes the mining nodes to act honestly (so
they do not risk losing the resources invested).
• In contrast, any malicious activity is discouraged and quickly punished. The mining nodes that present
dishonest behavior will probably lose a lot of money and will get kicked out from the network.
• Consequently, the most probable and rational decision to be made by a miner is to act honestly and keep the
blockchain secure.
54. Double spending attack
Alice sends btc to Bob for goods, and Bob does not wait for confirmation. Alice can spend the same btc to pay an address controlled by herself before Bob's transaction is confirmed. This is known as a double spending attack. Sometimes done using 'Replace by Fee' (paying a higher transaction fee).
Even if it's confirmed, Alice can mine herself and create a longer chain => 51% attack!
What if Alice controls > 50% of the total network hash power?
If not, Alice can always collude with miners or bribe a mining pool operator.
55. Double spending attack
Cryptocurrencies prevent double spending by reaching consensus on an ordered log of transactions. Reaching consensus is difficult because of the open setting. Since anyone can participate, an adversary can create an arbitrary number of pseudonyms (Sybils), making it infeasible to rely on traditional consensus protocols that require a fraction of honest users.
Bitcoin solves this problem by using Proof of Work, where users must repeatedly compute hashes to solve puzzles and the longest chain wins. PoW ensures that an adversary does not gain any advantage by creating Sybils.
However, PoW allows the possibility of forks when two blocks are mined at the same time. Mitigating forks unfortunately requires a high block time and a longer confirmation time. This is where PoS comes into the picture.
56. Bitcoin PoW issues
• Wastage of energy
- https://digiconomist.net/bitcoin-energy-consumption
• Centralization in the hands of a handful of mining pools
• Scalability: bitcoin 7 tps, eth 15 tps, ripple 1500 tps, visa 24000 tps!
• Forks: ambiguity not good in finance
• Long latency for confirmation (6 confirmations = 1 hour)!
• Not economical for micro-payments (use payment channels, e.g. Lightning)
57. Proof of stake and other consensus algorithms
PoW issues – wastage of energy, concentration (mining pools), scalability, forks (ambiguity not good in finance), long latency. Incentivizes being good, but does not punish cheaters.
PoS: reward good + punish bad. A node's stake = the amount of currency a user holds in the system. The more stake a user controls, the more authority they have over validation. Slashing – coins are locked up to avoid the nothing-at-stake attack: validators lock up coins as stake, and the stake is slashed if they are found malicious.
Delegated PoS: active delegates are voted into their roles by token holders. Used in EOS, Steemit, ARK etc.
BFT
• Practical (PBFT) - good for enterprise consortiums. Used in Hyperledger, Zilliqa.
• Delegated (dBFT) – use stake to elect validators / a council to run PBFT. Used in NEO.
• Federated BFT – verified by a group. Used in Stellar (permissionless validators) and Ripple (permissioned validators).
PAXOS and RAFT – RAFT is from Stanford and much easier to understand than Paxos. RAFT is crash fault tolerant (CFT): followers blindly replicate the leader; it does not deal with Byzantine failures, so it is of not much use in the Bitcoin world.
Algorand – uses PoS, voting to agree on a block.
Sharding - instead of delegates, work is split among all participating nodes. Example: Ethereum shard chains and Near protocol.
58. Consensus Algorithms : PBFT
(Practical Byzantine Fault Tolerance)
• Used in enterprise consortiums where members are partially trusted.
• The number of multicast messages needed in each phase of the three-phase protocol is multiplied by
each replica in the set. For a replica set |R| in which at most f replicas can be faulty, |R| = 3f + 1.
• Issue 1: exponentially increasing message count as nodes (rather, replicas) are added to the set.
Does not scale with the number of nodes.
• Solution: rather than node == server, each organization represents a node on the network
(node == organization).
• Used in Hyperledger.
• Issue 2 : Closed (permissioned) membership list, otherwise susceptible to Sybil attack.
59. Delegated BFT (dBFT)
• To solve scaling issues of PBFT, here the stake holders (who own
the native crypto currency) vote to select delegates.
• A delegate is a validator responsible for voting on block proposals.
• "Speakers" are randomly chosen from the delegates.
• The speaker creates and broadcasts (proposes) the new block. Two thirds of the delegates must
validate and approve the block, otherwise it's discarded. Based on PBFT.
• Delegates or the speaker could be dishonest.
• Used in NEO. Delegate seats in the NEO network are currently held by the NEO council, so a 51%
attack is impossible, but this is centralized.
60. Federated BFT
Open to nodes joining in a permission-less way => decentralized.
Used in Stellar and Ripple. In Ripple, validators are preselected by the Ripple foundation, whereas in Stellar anyone can be a validator and you choose which validators to trust.
A quorum is defined as a set of nodes needed to reach an agreement in a distributed system. Quorum slices are the subsets of a quorum that are capable of convincing particular nodes of an agreement.
The FBA (Federated Byzantine Agreement) model relies on individual nodes to choose their own sets of quorum slices. A node can depend on numerous slices for information, and this trust can be based on information from outside of the system and can be dynamic. Traditional BA (Byzantine Agreement) requires that all nodes accept the same slices.
Quorums intersect if they share a node (good). When quorums do not intersect, they are known as disjoint quorums (bad).
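Whether a federated configuration has disjoint quorums is something an operator can check mechanically. The following is an added example, not code from the deck or from Stellar: it takes each node's list of quorum slices (constructed configurations, not any real network), enumerates the quorums by brute force (a set is a quorum when every member has at least one slice inside it), keeps the minimal ones, and reports whether every pair shares a node. Brute force is fine for the handful of nodes in a consortium but is exponential in the node count.

```python
from itertools import combinations


def is_quorum(candidate: frozenset, slices: dict) -> bool:
    """A non-empty set is a quorum if every member has at least one slice inside it."""
    return bool(candidate) and all(
        any(s <= candidate for s in slices[node]) for node in candidate
    )


def minimal_quorums(slices: dict) -> list:
    """All quorums of a configuration that contain no smaller quorum (brute force)."""
    nodes = sorted(slices)
    quorums = [
        frozenset(combo)
        for size in range(1, len(nodes) + 1)
        for combo in combinations(nodes, size)
        if is_quorum(frozenset(combo), slices)
    ]
    return [q for q in quorums if not any(other < q for other in quorums)]


def quorum_intersection(slices: dict) -> bool:
    """True when every pair of minimal quorums shares a node (no disjoint quorums)."""
    return all(a & b for a, b in combinations(minimal_quorums(slices), 2))


def split_config() -> dict:
    """Constructed: two pairs that only trust themselves -> disjoint quorums (bad)."""
    return {
        "A": [{"A", "B"}], "B": [{"A", "B"}],
        "C": [{"C", "D"}], "D": [{"C", "D"}],
    }


def threshold_config() -> dict:
    """Constructed: each node trusts any 3 of the 4 nodes (itself included),
    so any two quorums overlap in at least two nodes (good)."""
    names = ["A", "B", "C", "D"]
    return {n: [set(c) for c in combinations(names, 3) if n in c] for n in names}


if __name__ == "__main__":
    for label, cfg in (("split", split_config()), ("threshold", threshold_config())):
        print(label, [sorted(q) for q in minimal_quorums(cfg)],
              "intersects" if quorum_intersection(cfg) else "DISJOINT")
```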
61. Ethereum proposed move to PoS using Casper
• Casper FFG (Friendly Finality Gadget), a hybrid version of
PoS and PoW, where validators create checkpoints after
every 50 blocks, which creates a new genesis block. Now
discarded.
• Casper TFG (The Friendly Ghost), which requires
validators to put a certain amount of ETH as a deposit to
be able to create blocks. Any malicious attempt by the
validator may invoke a smart contract to destroy the
deposited amount. Uses slashing. This proposal is based
on the assumption that fear of penalty will keep the
validators in check to stay honest, thereby resolving the
nothing-at-stake problem.
• Casper v2 – PoS pure + sharding. Latest.
62. Verifiable Random Function (VRF) - Micali, Rabin, Vadhan @ MIT
• A VRF is a pseudo-random function that provides publicly verifiable proofs of its output's correctness.
• Given an input value x, the owner of the secret key SK computes the value y = F_SK(x) and the proof p_SK(x).
• Using the proof and the public key PK = g^{SK}, anyone can check that the value y = F_SK(x) was indeed computed correctly, yet this information cannot be used to find the secret key.
• VRFs provide deterministic pre-commitments which can be revealed at a later time using proofs which can only be generated by a private key.
• Unlike traditional digital signature algorithms, VRF outputs can be published publicly without being subject to a preimage attack, even if the verifier knows the public key (but not the proof).
• Example: non-interactive lottery. The organizer has a secret function F_SK. Each user chooses some x. The organizer computes y = F_SK(x), and y somehow decides who is the winner. The issue is that users should not be able to bias the lottery, i.e. F_SK(x) should look random, and the organizer should not be able to lie about the true y = F_SK(x). => VRFs.
63. Algorand (Silvio Micali@ MIT)
• Based on VRF & Byzantine Agreement (BA), called BA⋆. Communication using Gossip protocol. “Pure Proof of Stake”.
• To prevent Sybil attack, Algorand assigns weight to each user based on money in the account. As long as money owned by honest
users is > 2/3, it can avoid double spend. Phase 1 A single token is randomly selected, its owner can propose the next block.
• Scalability is achieved using consensus by committee. A small set of representatives randomly selected based on weights.
Committee changes every round. Phase 2 committee may approve the block proposed.
• Cryptographic sortition - to avoid targeted attacks on committee members, BA⋆ selects committee members in a private and
non-interactive way. This means that every user in the system can independently determine if they are chosen to be on the
committee, by computing a function (a VRF) of their private key and public information from the blockchain: a secret self-selection
lottery. If the function indicates that the user is chosen, it returns a short string that proves this user's committee membership to
other users, which the user can include in his network messages. Since membership selection is non-interactive, an adversary
does not know which user to target until that user starts participating in BA⋆.
• Participant replacement. An adversary may target a committee member once that member sends a message in BA⋆. BA⋆
mitigates this attack by requiring committee members to speak just once. Thus, once a committee member sends his message
(exposing his identity to an adversary), the committee member becomes irrelevant to BA⋆
• Fast agreement, on-the-fly, mostly in first round itself. No forks ever (extremely rare). Trivial computation. Finality (no need for
”eventual consistency”, true decentralization (no miners, no incentives).
• Able to scale to millions of users and sustain a high transaction rate, without incurring significant cost to participating users.
Consensus on a block is reached in parallel while the block is being propagated to the network, which typically happens in a few
seconds.
• Algorand Claims : True decentralization, Security and Scale. Decentralized : anyone can participate, no miners. Secure : random
committee not known until after the fact. Messages are signed. Scalability : minimal messages, fast lottery, small committee.
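The lottery on slide 62 and the sortition on slide 63 are both applications of one primitive, so a single worked example serves both. This is an added example, not code from the deck, from Algorand or from any library: a scaled-down RSA full-domain-hash VRF (the construction standardized in RFC 9381, here with a constructed, deliberately tiny modulus and SHA-256 as the hash, so it is not secure and must not be reused) with the organizer's lottery and a simplified weighted self-selection on top. The proof is H(x)^d mod N; anyone holding the public exponent checks proof^e == H(x) mod N and recomputes y = H(proof), while the secret exponent never leaves the prover.

```python
import hashlib
from math import gcd

# Constructed toy RSA key (about 37 bits): insecure by design, for illustration only.
P, Q = 104729, 1299709
N = P * Q
E = 65537                                   # public exponent (the "PK")
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)                         # secret exponent (the "SK")


def _hash_to_int(x: bytes) -> int:
    """Full-domain-hash stand-in: SHA-256 of the input reduced mod N (toy)."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % N


def vrf_prove(sk: int, x: bytes):
    """Owner of SK computes proof p_SK(x) = H(x)^sk mod N and y = F_SK(x) = H(proof)."""
    proof = pow(_hash_to_int(x), sk, N)
    y = hashlib.sha256(proof.to_bytes(8, "big")).digest()
    return y, proof


def vrf_verify(pk: int, x: bytes, y: bytes, proof: int) -> bool:
    """Anyone with PK checks proof^pk == H(x) mod N and that y was derived from proof."""
    if pow(proof, pk, N) != _hash_to_int(x):
        return False
    return hashlib.sha256(proof.to_bytes(8, "big")).digest() == y


def lottery_winner(sk: int, entries: list):
    """Slide 62: organizer evaluates F_SK on every user's x; the smallest y wins.
    Returns the winner and every (y, proof) so each user can verify the draw."""
    draws = {x: vrf_prove(sk, x) for x in entries}
    winner = min(draws, key=lambda x: draws[x][0])
    return winner, draws


def is_selected(y: bytes, weight: int, total_weight: int, expected_seats: int) -> bool:
    """Slide 63, simplified: treat y as a uniform number in [0, 1) and select the
    user when it falls below expected_seats * weight / total_weight. Algorand's
    real sortition uses a binomial split; this linear threshold is an assumption."""
    threshold = expected_seats * weight / total_weight
    return int.from_bytes(y, "big") / 2 ** 256 < threshold


if __name__ == "__main__":
    winner, draws = lottery_winner(D, [b"alice", b"bob", b"carol"])
    print("winner:", winner)
    for x, (y, proof) in draws.items():
        print(x, y.hex()[:16], "verifies:", vrf_verify(E, x, y, proof))
```

Two properties are worth noticing: the same x always yields the same (y, proof), so the organizer cannot re-roll a draw, and a user who tampers with y or presents the proof for a different x fails verification, which is exactly what lets a committee member prove membership to peers without any interaction.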
64. Privacy & Anonymity & Ambiguity
• Privacy is the ability to keep some things to yourself, regardless of their impact to
society. ... So privacy is a concept describing activities that you keep entirely to
yourself, or to a limited group of people. Failed in an exam?
• In contrast, anonymity is when you are okay for people to see what you do, just
not that it's you doing it. Eg wikileaks donations
• Weak anonymity: pseudonym (eg reddit/Slashdot) pro: reputation, con: side
channel leakage
• Strong anonymity: un-linkable posts (eg 4chan) con: no reputation
• Ambiguity – Ring signatures. “How to leak a secret” from MIT. Used in Monero.
• Bitcoin is pseudonymous. Not anonymous. Sender and receiver addresses are
known but their identity is not known.
• In Bitcoin, sender, receiver address and value is in clear (not encrypted).
65. Bitcoin de-anonymization
• At the network layer: if enough nodes collude, use the user's IP address.
• Linking by "idioms of use":
- Heuristic 1: two or more addresses used as inputs to the same transaction => they are controlled by the same entity.
- Heuristic 2: the change address is controlled by the same entity as the input address.
• Once one address in a cluster is de-anonymized, the entire cluster can be de-anonymized.
• Use a mixer to be more anonymous, but it has limitations.
• A little better to use CoinJoin. Also has issues.
• https://www.chainalysis.com/ and https://www.elliptic.co/
67. A bitcoin transaction
• Forth-like stack-based language. Example: Alice wants to pay Bob.
• Funding transaction
• Spending transaction
• UTXO model
[Diagram: Transaction ID 1 spends a 5฿ output locked with Script PK (Alice) and unlocked with Script Sig Alice. It creates Output0 (2฿, Script PK1, to Bob) and Output1 (to Alice, change, o/p index 1); each output carries a locktime. Alice proves with SigAlice that this is Alice's money to spend.]
68. Bitcoin Units of Measurement
Unit | BTC
Cent-bitcoin (cBTC or bitCent) | 0.01
Milli-bitcoin (mBTC or millibit) | 0.001
Micro-bitcoin (μBTC or bit) | 0.000001
finney | 0.0000001
satoshi | 0.00000001
• Smallest unit is satoshi.
• There are 100,000,000 Satoshis in every Bitcoin (10^8).
69. Layer 2 : Bitcoin script (programmable currency)
• Bitcoin Script is simple, stack-based, and processed from left to right (reverse polish). It is intentionally not Turing-complete, with no loops.
• scriptPubKey is the locking script in the output of the funding transaction.
- [OP_DUP, OP_HASH160, PUSHDATA(20)[…20B..], EQUALVERIFY, CHECKSIG] where the 20-byte DATA is H(PK), the hash from which the bitcoin address is derived.
• scriptSig is the unlocking script in the input of the spending transaction.
- [<sig>, <PK>]: a signature to prove that this money was yours to spend.
• {scriptSig | scriptPK} runs as one program. A transaction is valid if nothing in the combined script triggers failure & the top stack item is non-zero when the script exits.
• {Txid | o/p index} identifies a UTXO. UTXO = unspent transaction output.
• Must be present in the miners' in-memory 'UTXO set' before it's allowed to be spent.
• After spending, the UTXO is removed from the miner's UTXO set and the spend now lives in the blockchain.
• https://en.bitcoin.it/wiki/Script
• Recommended to have 6 blocks for confirmation.
70. P2PK (Pay to Public Key)
scriptPubKey <PK> OP_CHECKSIG
scriptSig <Signature>
• Simplest.
• Remember, for any transaction to be valid, { scriptSig | scriptPK } must leave a non-zero value on top of the stack.
• When the script runs, the CHECKSIG opcode checks the signature against the public key and pushes a 1 onto the stack if it is valid.
• No longer used.
71. P2PKH (Pay to Public Key Hash)
scriptPubKey OP_DUP OP_HASH160 <Hashed PK> OP_EQUALVERIFY OP_CHECKSIG
scriptSig <Signature> <PK>
• Shortest, safer, default.
• The original public key is DUPlicated and then HASH160'ed. This hashed value is compared (EQUALVERIFY) with the hashed public key in the scriptPubKey. If it matches, the script continues and CHECKSIG checks the signature against the public key (just like a P2PK script).
• Why hash the public key? Elliptic Curve Discrete Logarithm Problem (ECDLP): currently hard but no future guarantees. Hashing the public key gives extra protection.
72. P2SH (Pay to Script Hash)
scriptPubKey OP_HASH160 <scriptHash> OP_EQUAL
scriptSig OP_0 <Signature> <Script>
• It makes it easier to share complex locking scripts with other people. It allows you to lock bitcoins to the hash of a script, and you then provide that original script when you come to unlock those bitcoins. With P2SH, instead of giving someone an entire locking script, you can essentially just give them a hash of your script instead. As a result, the sender is no longer burdened with the size (or the details) of your locking script.
• Scripts are smaller now => cheaper transaction cost for the sender.
• P2SH scripts give more privacy.
• A smaller UTXO set. UTXOs are in memory and contain the scriptPubKey, so by using smaller P2SH scripts instead of larger P2MS scripts you save on the amount of RAM needed to hold the UTXO set.
73. P2MS (Pay to Multi Sig)
scriptPubKey OP_HASH160 <redeemScriptHash> OP_EQUAL
scriptSig OP_0 <Sig1> … <SigM> <redeemScript>
redeemScript OP_M <PK1> … <PK_N> OP_N OP_CHECKMULTISIG (M-of-N: N public keys, M signatures required)
• Co-signatory: 2-of-2 address. Both signatures required. Dangerous.
- 2 on-chain transactions: open and close. Unlimited off-chain.
• Escrow: 2-of-3.
• Many more applications of multi-sig.
• Caution – do not get fancy with scripting; most miners accept well-known (standard) scripts only.
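The {scriptSig | scriptPubKey} evaluation rule from slides 69-73 is easiest to understand by running it. The following is an added example, not code from the deck or from Bitcoin Core: a toy stack interpreter covering P2PKH and P2SH-wrapped multisig. Two stand-ins keep it dependency-free and are assumptions, not Bitcoin's primitives: HASH160 is a 20-byte SHA-256 prefix (RIPEMD-160 is missing from some OpenSSL builds), and CHECKSIG is a hash-preimage check (sha256(sig) == pk) rather than ECDSA, so the "keys" and "signatures" here prove nothing about real ownership; the point is the stack semantics, including BIP16's second pass that runs the redeem script on the scriptSig's stack.

```python
import hashlib

TRUE, FALSE = b"\x01", b""


def hash160(data: bytes) -> bytes:
    """Stand-in for HASH160 = RIPEMD160(SHA256(x)): a 20-byte SHA-256 prefix."""
    return hashlib.sha256(data).digest()[:20]


def serialize(script: tuple) -> bytes:
    """Toy byte form of a script; only used to hash a redeem script."""
    return repr(script).encode()


def sig_ok(sig: bytes, pk: bytes) -> bool:
    """Stand-in for ECDSA: the 'signature' is the preimage of the 'public key'."""
    return hashlib.sha256(sig).digest() == pk


def cast_true(item) -> bool:
    return isinstance(item, bytes) and any(item)


def run(script: tuple, stack: list) -> bool:
    """Execute one script on a shared stack. False = the script triggered failure."""
    try:
        for item in script:
            if isinstance(item, (bytes, tuple)):          # data push; tuple = redeem script
                stack.append(item)
            elif item == "OP_DUP":
                stack.append(stack[-1])
            elif item == "OP_HASH160":
                top = stack.pop()
                stack.append(hash160(serialize(top) if isinstance(top, tuple) else top))
            elif item in ("OP_EQUAL", "OP_EQUALVERIFY"):
                equal = stack.pop() == stack.pop()
                if item == "OP_EQUAL":
                    stack.append(TRUE if equal else FALSE)
                elif not equal:
                    return False
            elif item == "OP_CHECKSIG":
                pk, sig = stack.pop(), stack.pop()
                stack.append(TRUE if sig_ok(sig, pk) else FALSE)
            elif item == "OP_CHECKMULTISIG":
                n = stack.pop()[0]                           # small numbers pushed as one byte
                pks = [stack.pop() for _ in range(n)][::-1]  # back to push order PK1..PKn
                m = stack.pop()[0]
                sigs = [stack.pop() for _ in range(m)][::-1]
                stack.pop()                                  # dummy OP_0 (historical off-by-one)
                k, matched = 0, 0
                for sig in sigs:                             # signatures must follow key order
                    while k < n and not sig_ok(sig, pks[k]):
                        k += 1
                    if k == n:
                        break
                    matched, k = matched + 1, k + 1
                stack.append(TRUE if matched == m else FALSE)
            else:
                return False                                 # unknown opcode
    except IndexError:                                       # stack underflow
        return False
    return True


def is_p2sh(script_pubkey: tuple) -> bool:
    return (len(script_pubkey) == 3 and script_pubkey[0] == "OP_HASH160"
            and isinstance(script_pubkey[1], bytes) and script_pubkey[2] == "OP_EQUAL")


def evaluate(script_sig: tuple, script_pubkey: tuple) -> bool:
    """Run {scriptSig | scriptPubKey}: valid iff nothing fails and the top item is
    non-zero; for P2SH (BIP16) the redeem script must then also succeed."""
    stack: list = []
    if not run(script_sig, stack):
        return False
    sig_stack = list(stack)                                  # saved for the P2SH second pass
    if not run(script_pubkey, stack) or not stack or not cast_true(stack[-1]):
        return False
    if not is_p2sh(script_pubkey):
        return True
    redeem = sig_stack.pop()
    if not isinstance(redeem, tuple) or not run(redeem, sig_stack):
        return False
    return bool(sig_stack) and cast_true(sig_stack[-1])


def p2pkh_demo(secret: bytes, claimed: bytes) -> bool:
    """Slide 71: lock to HASH160(PK); the spender presents <sig> <PK>."""
    pk = hashlib.sha256(secret).digest()
    script_pubkey = ("OP_DUP", "OP_HASH160", hash160(pk), "OP_EQUALVERIFY", "OP_CHECKSIG")
    return evaluate((claimed, pk), script_pubkey)


def p2sh_multisig_demo(secrets: list, signers: list) -> bool:
    """Slides 72-73: a 2-of-3 escrow locked behind the hash of its redeem script."""
    pks = [hashlib.sha256(s).digest() for s in secrets]
    redeem = (b"\x02", *pks, b"\x03", "OP_CHECKMULTISIG")        # OP_2 <PK1..PK3> OP_3 CMS
    script_pubkey = ("OP_HASH160", hash160(serialize(redeem)), "OP_EQUAL")
    script_sig = (b"", *[secrets[i] for i in signers], redeem)   # OP_0 <Sigs> <redeemScript>
    return evaluate(script_sig, script_pubkey)
```

Running the P2SH case with the two signatures out of key order fails, as it does on the real network: CHECKMULTISIG walks the keys once, so a wallet must sort signatures to match the redeem script's key order.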
74. The Bitcoin Network Node types
Reference Client (Bitcoin Core): contains a wallet, a full blockchain database, a miner and the network routing capabilities.
Full Blockchain Node: contains a full blockchain database and network routing capabilities.
Solo Miner: contains the mining function, the full copy of the blockchain database and the network routing capabilities.
Lightweight (SPV) Wallet: contains a wallet and the network routing capabilities.
Pool Protocol Servers: gateway routers connecting the P2P network to nodes running other protocols such as pool mining nodes or Stratum.
Mining Nodes: contain the mining function without the full copy of the blockchain; instead they speak the Stratum protocol or other pool mining protocols.
Lightweight (SPV) Stratum Wallet: contains the wallet and the network capabilities on the Stratum protocol, without the blockchain.
The Bitcoin Relay Network is a high-speed block-relay system primarily for miners. It relays blocks around the globe with low global latency. New: "FIBRE"-based relay.
76. The bitcoin P2P network
• P2P architecture. Randomly wired gossip protocol network. All nodes equal.
• Peer discovery
- Option 1: query DNS using some DNS seeds hard-coded in Bitcoin Core (option -dnsseed). These seeds are maintained by the bitcoin community. Some of the DNS seeds are custom implementations of BIND that return a random subset from a list of bitcoin node addresses collected by a crawler or a long-running bitcoin node.
- Option 2: the CLI argument -seednode can be used to connect to one node just for introductions, using it as a seed. After the initial seed node is used to form introductions, the client disconnects from it and uses the newly discovered peers (bitcoin-cli getpeerinfo).
• To connect to a peer, nodes establish a TCP connection, usually to port 8333 or an alternative port if one is provided. Typical nodes create 8 outgoing connections and, if publicly reachable, accept up to a few hundred incoming connections. Connections are used to exchange transactions or blocks (referenced by hash).
• Paths are not reliable; nodes come and go, so a node must continue to discover new nodes as it loses old connections, as well as assist other nodes when they bootstrap.
• SPV nodes have weaker privacy than full nodes since they receive only a subset of transactions. Bloom filters are a way to reduce the loss of privacy.
• The original implementation of bitcoin communicates entirely in the clear. While this is not a major privacy concern for full nodes, it is a big problem for SPV nodes.
• Two solutions: Tor transport, and P2P authentication and encryption with BIP-150/151.
77. Tor
• Tor is a distributed 'onion' network, that makes it more difficult for an
adversary to track any one peer on the network.
• Tor sends TCP packets over 3 (normal) or 7 (hidden services) Tor relays. This is why it is so slow: your packet might have to go through hundreds of computers (counting Internet routers) before it reaches its destination. Tor uses multiple layers of encryption that are peeled away at each node, hence the name The Onion Router.
• Tor is also very useful for accessing the 'uncensored' internet in countries that censor it.
• Bitcoin's security model assumes that your node is well connected to the rest of the network, so even in less-censored countries, using bitcoin over both Tor and clearnet can avoid being partitioned from the network by the internet service provider.
• Preserving privacy means not only hiding the content of messages, but
also hiding who is talking to whom (traffic analysis).
• Tor provides anonymous connections that are strongly resistant to
both eavesdropping and traffic analysis.
• Bitcoin can run easily on the Tor network.
• https://en.bitcoin.it/wiki/Tor
78. Censorship
• 3 ways governments censor technology:
- Regulations (claim it is illegal using out-of-date regulations)
- Internet shutdown (& it's common!)
- Fake news!
• Great Firewall of China defeating Tor
• Deep packet inspection: look inside the payload, blocking based on static signatures or dynamically using ML.
• You can only be anonymous in a crowd:
- Add multiple hops (Tor has only 3)
- Dummy traffic (create a crowd)
- Timing obfuscation (random delay added)
- Packet size obfuscation (random padding added)
• Nym Mixnets and the Loopix anonymous system
80. Bitcoind Protocol Messages src/protocol.h
• version - Information about program version and block count. Exchanged when first connecting.
• verack - Sent in response to a version message to acknowledge that we are willing to connect.
• addr - List of one or more IP addresses and ports.
• inv - "I have these blocks/transactions: ..." Normally sent only when a new block or transaction is being relayed.
This is only a list, not the actual data.
• getdata - Request a single block or transaction by hash.
• getblocks - Request an inv of all blocks in a range (block header hashes)
• getheaders - Request a headers message containing all block headers in a range.
• tx - Sends a single transaction. This is sent only in response to a getdata request.
• block - Send a block. This is sent only in response to a getdata request.
• headers - Send up to 2,000 block headers. Non-generators can download the headers of blocks instead of entire
blocks.
• getaddr - Request an addr message containing a bunch of known-active peers (for bootstrapping).
• submitorder, checkorder, and reply - Used when performing an IP transaction.
• alert - Send a network alert.
• ping - Does nothing. Used to check that the connection is still online. A TCP error will occur if the connection has
died.
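Every message on slide 80 travels in the same 24-byte envelope: 4-byte network magic, 12-byte zero-padded command, 4-byte little-endian payload length and a 4-byte checksum (the first four bytes of the double SHA-256 of the payload), followed by the payload. The following is an added example, not code from the deck or from Bitcoin Core: it builds and parses that envelope, using "ping"/"pong" (whose payload is an 8-byte nonce) as the sample message, and applies the checks a node performs before it trusts bytes from an unauthenticated peer on the P2P network described on slide 76: magic, length bound, truncation and checksum.

```python
import hashlib
import struct

MAGIC_MAINNET = bytes.fromhex("f9beb4d9")   # network magic of Bitcoin mainnet
HEADER_LEN = 24
MAX_PAYLOAD = 32 * 1024 * 1024              # Bitcoin Core's MAX_SIZE for one message


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def build_message(command: str, payload: bytes, magic: bytes = MAGIC_MAINNET) -> bytes:
    """magic | command (12 bytes, NUL padded) | length (LE u32) | checksum | payload"""
    cmd = command.encode("ascii")
    if not cmd or len(cmd) > 12:
        raise ValueError("command must be 1..12 ASCII bytes")
    header = magic + cmd.ljust(12, b"\x00") + struct.pack("<I", len(payload)) + dsha256(payload)[:4]
    return header + payload


def parse_message(raw: bytes, magic: bytes = MAGIC_MAINNET):
    """Return (command, payload) or raise ValueError for anything a node should drop."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short header")
    if raw[:4] != magic:
        raise ValueError("wrong network magic")
    cmd = raw[4:16].rstrip(b"\x00")
    if not cmd or b"\x00" in cmd or not cmd.isalpha():
        raise ValueError("malformed command field")
    length = struct.unpack("<I", raw[16:20])[0]
    if length > MAX_PAYLOAD:                 # bound the allocation before trusting the length
        raise ValueError("payload too large")
    payload = raw[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if dsha256(payload)[:4] != raw[20:24]:
        raise ValueError("checksum mismatch")
    return cmd.decode("ascii"), payload


def is_valid_message(raw: bytes) -> bool:
    try:
        parse_message(raw)
        return True
    except ValueError:
        return False


def answer_ping(raw: bytes) -> bytes:
    """A ping carries an 8-byte nonce; the pong echoes the same nonce back."""
    cmd, payload = parse_message(raw)
    if cmd != "ping" or len(payload) != 8:
        raise ValueError("not a ping")
    return build_message("pong", payload)


if __name__ == "__main__":
    nonce = bytes.fromhex("0123456789abcdef")          # constructed sample nonce
    ping = build_message("ping", nonce)
    print(ping.hex())
    print(parse_message(answer_ping(ping)))
```

The checksum is an integrity check only, not authentication: any peer on the path can rewrite a message and recompute it, which is the gap BIP-150/151 on slide 76 set out to close.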
81. Layer 3 : Wallets
• Track/store private keys. Store, receive, transmit and list transactions.
• HD wallets – Hierarchical Deterministic, seed based. Back up only the seed.
• Hot wallets
- Smartphone apps: Trust Wallet, Mycelium
- Online web wallets: Coinbase, Binance
- Desktop wallets: exodio.io, Electrum
• Cold storage
- Brain wallet: uses a mnemonic phrase. brainwallet.io; bad idea.
- Hardware wallet: Ledger Nano S, Trezor Model T; watch out for manufacturing (supply-chain) attacks.
- Paper wallet: safest. Can you trust https://www.bitaddress.org ?
• Multi-sig wallets – BitGo (mostly cold, small percentage hot)
82. Custodial wallets
• Private keys are stored by a third party. Thus, you do not have full control over
your funds, which makes these wallets a dubious choice.
• Advantages
- Manage funds quickly, at any time with internet access.
- No chance to lose the private key and lose access to money
• Disadvantages
- Custodian has control of your private keys and money
- Your crypto-coins can be seized by a court decision
- If your wallet gets hacked, your coins may go missing
• Similar in principle to bank.
• Custodial exchanges providing you wallets
- Bitfinex, Kraken, Bithumb, Coinbase, Mt Gox, BTC-e, Poloniex
• Custodial wallets
- Freewallet, blockchain.info, BTC.com
83. Wallets Comparison
Wallet | Security | Ease of use | Frequency of use
Web wallet | Low | High | High
Hardware wallet | High | Low | Low
Desktop wallet | Medium | Medium | Medium
84. Layer 3 - dApps : High level flow
• dApps have backend code running on a decentralized peer-to-peer
network and decentralized storage.
• Front-end : Build and deploy a normal HTML/CSS/JS front end. Front end
checks for a wallet and sends it the transaction.
• Wallet : Add the code to connect the front end with the wallet, which holds
private keys and can sign a transaction. MetaMask is an Ethereum wallet running in
the browser as an extension. It injects web3.js code into the browser to talk
with the Ethereum network. The front end can now talk with Web3.
• Library : Web3.js is the Ethereum-compatible JavaScript API library which
implements the generic JSON-RPC spec. Web3.js communicates via RPC
with the local node or a test node. To interact with a deployed smart
contract, the contract's address and the Application Binary Interface (ABI)
are required. The ABI is a description of the contract's public interface in
the form of a JSON object.
• Smart contract : Write the smart contract to implement app’s core
functions. This smart contract runs on each node.
• Example : Etherisc dApp allows users to either buy or sell insurance for
flight delays and cancellations. Using the Ethereum blockchain, each and
every insurance agreement is available to view on a public database.
85. dApps of Web 3.0
• The front end is still the same (HTML/CSS/Js
etc), served from static hosting or cloud or
P2P (IPFS).
• Front end talks to Smart Contracts using
APIs.
• Smart contracts run code and store data on
blockchain network.
Layer | Web 2.0 | Web 3.0 (dApps)
Scalable computation | AWS EC2 | Ethereum, Truebit
File storage | Amazon S3 | IPFS, Storj
External data | 3rd party APIs | Oracles
Monetization | Selling ads, goods | Token model
Payments | Credit cards, PayPal | Ethereum, bitcoin, state channels, 0x etc
86. Issues with dApps
• Scale – decentralization and speed are always a trade-off for a public blockchain. Solutions are off-chain payment channels or sidechains.
• Cost – computation runs on every node, so by definition the cost grows at least with the number of nodes.
• Time – since multiple nodes have to first run the computation (fast) and then come to a consensus about its result (slow), it's much slower than central servers.
• Governance model – it's getting better, but it is harder to make fast decisions that reach consensus. Sometimes results in forks.
• Independence – a CryptoKitties dApp should not stop the fundamental transaction of A paying B.
• Privacy – right to be forgotten. Use ZKP and similar technologies.
87. Tokens and coins
Coins – have their own native blockchain.
Tokens – don't need their own blockchain. Created on top of other blockchains. Give certain rights to holders such as voting or the ability to use a platform/service/product etc.
88. Legal aspects & regulation – country specific
Black letter law – basic principles free from doubt or dispute. Plain language, Supreme Court.
Areas of law
Securities (SEC): The Securities and Exchange Commission (SEC), as its name implies, oversees securities issuance and exchange. According to the SEC, Bitcoin is not a security.
Taxes (IRS): According to the Internal Revenue Service (IRS), Bitcoin is property, taxed as property, like stocks or bonds; any gain or loss from the sale or exchange is taxed as a capital gain or loss.
Commodities (CFTC): The Commodity Futures Trading Commission (CFTC) ensures the integrity of futures and swaps markets. According to the CFTC, Bitcoin is a commodity. Any swaps and futures involving bitcoin are part of the CFTC mandate.
AML/KYC (FinCEN/states): The Financial Crimes Enforcement Network (FinCEN) oversees financial crime as part of the Bank Secrecy Act (BSA).
Not black letter law: cryptocurrency law, analogies, guidance, speeches, settlements.
Hinman's speech: "When Howey Met Gary (Plastic)".
89. Howey test, 1946
SEC v/s W.J.Howey Co.
• The said transaction will be called an investment contract if
it fulfills the following criteria:
1. It is an investment of money
2. The investment is in a common enterprise
3. There is an expectation of profit from the work of the
promoters or the third party.
• If the token/coin meets all the three aforementioned
criteria, then it is regarded as security.
• SEC chair said Bitcoin is NOT a security.
• There is simply no promoter or third-party upon which the
value of the “investment” in cryptocurrency depends.
There is no “effort” or “work” in the background which
affects the value of Bitcoin. Instead, its value depends on
government regulation, political and economic upheaval,
and media and trader enthusiasm.
90. Jurisdiction, Regulation &
Enforcement
• Jurisdiction is challenging to define in a fully digital world. Historically, jurisdictions
have been defined by physical boundaries. However, these are difficult to draw
in a world that is already fully digital and concerned with privacy.
• Regulation is dependent on jurisdiction. If you don’t have a jurisdiction, how do
you identify relevant regulation? Without harmonized global regulation, people
will use jurisdiction as a tool to change the rules.
• Lastly, enforcement is what scares people into following regulation. Enforcement
requires penalties, which is what makes people fear the consequences of not
following the rules. Hence, enforcement will continue to be aggressive.
• Regulation is clear (mostly). It’s a Public ledger.
• Silk road case. DoJ seized bitcoins.
• Please pay your crypto taxes.
91. 3 types of tokens
Cryptocurrencies (SEC)/Payment tokens(FINMA)
• means of payment/exchange. Not issued by a central
authority.
Utility token (SEC) / Utility token (FINMA)
• holding a utility token gives right to access to a
function/service provided directly by the businesses who
issued it or right to vote.
• Eg. filecoin – provides access to unused hard drive space.
• Does not pass Howey test. Relatively unregulated.
• The most popular example of utility token is the ERC20
Ethereum standard.
Security token (SEC) / Asset token (FINMA)
• passes Howey test. Tokens that equate to an ownership
stake in a company or DAO
92. ICO (Initial Coin Offering)
• Cryptocurrency is sold in the form of tokens or coins to raise funding
for the startup. Allows startups to avoid regulatory compliance and
intermediaries such as venture capitalists, banks and stock
exchanges.
• First one: Mastercoin (July 2013). Also Ethereum in 2014.
• Crowdfunding or Private ICO. Most give access to native platform or
to the dApps. Purpose is usage and not investment.
• Pros : Open to general public, total decentralization as compared to
IPO. Equal opportunity and ease of access without “knowing the
guy” to invest at an early stage. Low entry threshold. No country
barriers. No commission, no taxes.
• Cons : No regulation, scams, hacker attacks, high volatility. Not
backed by any collateral.
• “SEC versus Kik”
• 43 ICOs in 2016 raising an aggregate $256 million; 343 ICOs in 2017
raising in excess of $6B; in 2018 $7.8B. Drop in 2019.
93. IEO (Initial Exchange Offering)
• The main difference between ICO and IEO is the
appearance of a third party. The exchange. The funds
aren’t sent to the smart contracts as they are during an
ICO. Everything is done through an exchange.
• Projects can outsource marketing and KYC/AML
compliance to exchanges with significant staff and
resources while benefiting from their exchange partner’s
professional reputation among traders.
• For the exchanges themselves, IEOs can be lucrative
because the exchanges charge partners sign-on fees and
a cut of each sale.
• Exchange and their IEO platforms: Binance Launchpad,
Bittrex International IEO, BitMax Launchpad, Huobi
Prime, OKEx IEO etc
94. ICO versus IEO
Aspect | ICO | IEO
Fundraising | At issuer's site | At exchange
Smart contract managed by | Startup conducting the token sale | Exchange
Cost of listing | Low | High
Screening | None - anyone can launch | Vetting by exchange before listing
Marketing budget needed | Significant | Low (exchange markets the tokens)
AML/KYC needed by token issuer | Yes, but may vary | No, the exchange conducts it
Fraud risk | High | Less
Crowdsale security | Low - token issuer's headache, reinvent the wheel | Exchange manages
95. STO (Security Token Offerings)
• Security tokens are actual financial securities that are
backed by something tangible like assets, equity, profits, or
revenue of the company.
• So if a startup is giving a Security token, you are either
getting actual equity in the company based on your
investment dollars, or you are getting a portion of the
company’s revenue or profit (dividend) plus certain rights
in the company.
• Like ICO, Security Token Offerings (STO) is the process to
issue security tokens but on a compliant basis after going
through KYC, AML, accredited investors checks etc.
• Pros : Compliant with laws. Lower risk than an ICO.
• Cons : bigger administrative burden, most difficult and
complex.
97. ICO vs IEO vs STO: Which One Is The Best?
ICO is for cheap investments with fast cash out options.
IEO is good for investors looking for better security and
more serious investment opportunities.
STO is for investors with large budgets, who prefer
familiar real-life structure in the crypto investment
industry. Since tokens are protected by KYC/AML
processes and other regulatory security, STO keeps
small and amateur investors away. Such tokens can only
be purchased by accredited investors.
98. Hard fork
[Diagram: a chain of blocks that follow the old rules, after which blocks following the new rules continue on a diverging branch]
Hard fork : Non-upgraded nodes reject the new rules, thus diverging the chain.
- Planned : Usually an upgrade to the protocol with consensus from developers and community. E.g. Monero introducing
RingCT.
- Contentious : Disagreement between various stakeholders in the project (developers, users, miners etc.). E.g.
increasing Bitcoin's block size from 1MB to 8MB - the Bitcoin Cash hard fork.
• A hard fork can be implemented to correct important security risks found in older versions of the software, to add
new functionality, or to reverse transactions (as in the case of the hard fork to reverse the exploit of the DAO
(decentralized autonomous organization) on the Ethereum blockchain).
99. Soft fork
[Diagram: blocks that follow the old rules; one block that follows the old rules but violates the new rules (made stale); then blocks that follow both old and new rules]
Soft fork : Blocks violating the new rules are made stale by the new mining majority.
• A soft fork is a backward-compatible method of upgrading a blockchain. E.g. block size 1MB -> 500kB.
- Does not need every node to upgrade to maintain consensus, since all blocks following the new soft-forked rules also
follow the old rules; therefore old clients accept them.
- Miner-activated soft fork (MASF) : a majority of miners upgrade to enforce the new rule.
- User-activated soft fork (UASF) : full nodes coordinate to enforce the new rules, without support from miners.
• New transaction types can often be added as a soft fork; for example, P2SH was added to Bitcoin this way.
100. Forks in Practice
• Hard forks
- New Bitcoins (Bitcoin Cash, Bitcoin Gold, Bitcoin
Diamond)
- Ethereum DAO hard fork
- Some cryptocurrencies hard fork frequently
(Monero, every 6 months)
• Soft forks
- Lots!
- Examples : P2SH, SegWit, OP_CHECKSEQUENCEVERIFY …
101. Payments
• Payment systems inaccessible to 65% of the world.
• Study by World Bank - Of the 1.7B unbanked, 1.1B have access to a
mobile device (this is about 65%).
• When they are accessible
- Up to 15-20% fees to send money cross border
- Credit card companies engage in rent seeking behavior –
collecting high fees, costs which are passed first to the
merchant and then eventually back to the consumers as well.
• Limitations
- Scale of tps (transactions per second) Bitcoin 7, Eth 15, visa
few thousand
- Token volatility
102. Scaling Bitcoin
• 1MB/block ÷ 250B/transaction ÷ 10 min/block = 5-7 tx/sec
(Block size / average transaction size) * block rate = TPS
• A larger block size needs a hard fork. It also means more propagation delay and makes it harder to run a full node
(only data centres could), which increases centralization.
• Layer 1 solutions (on-chain) : SegWit, hard fork (new currency) Dash/Litecoin/Bitcoin Cash, sharding
(Eth)
• Layer 2 solutions (off-chain)
- Payment channels: Lightning for Bitcoin, Raiden for Ethereum. Sets up payment channels: unlimited off-chain
transactions, instant, micropayments. Cross-blockchain atomic swaps. Layer 2 solution using multisig and HTLC.
- Sidechains : are separate Blockchains (child) that are linked to the main (parent) Blockchain using a two-way peg.
A sidechain enables bitcoins and other ledger assets to be transferred between multiple blockchains.
103. Layer 1 scaling : Segregated Witness (SegWit)
• Original Blocksize 1MB. How to increase size without impacting legacy nodes ? => Soft fork
• The scriptSig part of Segwit transactions is called the “witness data”. When Segwit transactions are
sent to Legacy nodes the witness data is stripped. The key is that these “stripped” transactions are
still valid transactions on Legacy nodes, which gives us a savings over non-Segwit transactions. Thus,
more transactions can fit into the block sent to Legacy nodes without going over the 1,000,000 byte
limit.
• p2wpkh and p2wsh are very similar to p2pkh and p2sh respectively but move scriptSig data to the
end of the transaction.
• Pros
- More transactions in a block, making them cheaper, faster.
- Transaction malleability fixed, which also adds to scale and enables the Lightning network.
• Cons
- Miners don't like it: covert AsicBoost is incompatible with SegWit, and lower fees affect their
profits. They don't appreciate having to support the witness-data sidechain, which doesn't
provide any fee revenue at all. Wallets have been slow to adopt it: still only about 36% of transactions use
SegWit (Jan '19).
- Not a long-term solution for scalability problem.
- Caused divide in Bitcoin community. Disagreement caused hard forks, bitcoin cash for
example (BCH).
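As an added illustration of the throughput formula above and of why stripped SegWit blocks stay valid for legacy nodes (this is example code, not part of the slides): the 4,000,000 weight-unit limit and the "non-witness bytes count four times" rule are BIP141's, while the per-transaction sizes passed in are constructed sample values.

```python
def tps(block_size_bytes: int, avg_tx_bytes: int, block_interval_s: int) -> float:
    """Throughput of a size-capped chain:
    (block size / average transaction size) / seconds per block."""
    return (block_size_bytes / avg_tx_bytes) / block_interval_s


def tx_weight(stripped_bytes: int, witness_bytes: int) -> int:
    """BIP141 transaction weight: non-witness ("stripped") bytes count four
    times, witness bytes count once."""
    return 4 * stripped_bytes + witness_bytes


def block_capacity(stripped_bytes: int, witness_bytes: int,
                   max_weight: int = 4_000_000, legacy_limit: int = 1_000_000) -> dict:
    """How many identical transactions fit in one SegWit block, how large the
    block is once a legacy node strips the witness data, and whether that
    stripped block still respects the old 1,000,000-byte rule."""
    n = max_weight // tx_weight(stripped_bytes, witness_bytes)
    stripped_block = n * stripped_bytes
    return {
        "txs_per_block": n,
        "stripped_block_bytes": stripped_block,
        "legacy_valid": stripped_block <= legacy_limit,
        "tps_at_10min": n / 600,
    }


if __name__ == "__main__":
    print(round(tps(1_000_000, 250, 600), 2))      # the slide's 1MB / 250B / 10min figure
    print(block_capacity(250, 0))                   # legacy-style tx: no witness discount
    print(block_capacity(150, 100))                 # constructed SegWit tx: 150B stripped + 100B witness
```

Because witness bytes weigh a quarter of non-witness bytes, the stripped block a legacy node sees never exceeds 1,000,000 bytes even though the full block carries more transactions than a 1MB legacy block could.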
104. Layer 2 scaling using payment channels - Lightning network (BTC)
BTC transaction fees are high and confirmation times are long; paying for coffee on the
blockchain is no longer practical, and it cannot be used for micropayments.
Enter Lightning => Layer-2 protocol. Instant payments, micropayments,
scalable, low cost, cross-chain atomic swaps!
https://lightning.network/
How does it work? The building blocks:
- Bidirectional payment channels
- Unconfirmed transactions : constructed and signed but not broadcast
- Multi-sig : both keys required to unlock
- Revocable HTLC (hashed timelocks)
105. Some fundamental constructs
Construct 1 : Locktime
• How can A irreversibly give B coins that B can only spend *after* time
T?
• A pays coins to a 2-of-2 multisig address owned by A and B,
creating a UTXO.
• A creates + signs a transaction sending this UTXO to B, with
lock_time T.
• A gives the new transaction to B. B can sign, but can't submit it until
time T.
• Example : B can spend only after, say, their 18th birthday.
106. Construct 2 : OP_CLTV
• How can A give B coins but reclaim them if not spent *before*
time T? B must spend *before* time T; if not spent, A should get them
back.
• A creates + signs but doesn't submit tx1 paying coins to B
• A sends H(tx1) to B, B creates + signs transaction tx2 paying
tx1 back to A with lock_time T, B sends tx2 to A, and NOW A
submits tx1.
• Issue is A requires B's interactive participation.
• Solution: New Bitcoin opcode OP_CheckLockTimeVerify (OP_CLTV)
• ScriptPK: IF <PK_B> ELSE <T> OP_CLTV DROP <PK_A> ENDIF
OP_CHECKSIG
• ScriptSig_B: <Sig_B> OP_1
• ScriptSig_A: <Sig_A> OP_0 [with lock_time >= T]
• Thus B can spend before time T, A can reclaim after time T.
107. Construct 3 : Hashlock
• A pays B coins, but B must reveal x where
y=SHA256(x) to claim
• ScriptPK: OP_HASH256 <y> OP_EQUALVERIFY <B's Key>
OP_CHECKSIG
• ScriptSig: <Sig> <x>
• This is known as a *hashlock* transaction
• Note these examples could use P2PKH as well
108. Construct 4 : Hashed Time Lock
Contract HTLC
• A pays B, B must reveal x by time T or else A can
reclaim coins.
• ScriptPK: IF OP_HASH256 <y> OP_EQUALVERIFY
<PK_B> ELSE <T> OP_CLTV DROP <PK_A> ENDIF
OP_CHECKSIG
• ScriptSig_B: <Sig_B> <x> OP_1
• ScriptSig_A: <Sig_A> OP_0 [with lock_time >= T]
• This is a *Hashed Time Lock Contract* (HTLC)
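To make the hashlock and HTLC scripts of the last three slides concrete, here is an added example (not from the slides and not Bitcoin Core code): a tiny stack interpreter that evaluates ScriptSig followed by ScriptPK and reports whether the spend is valid. Two simplifications are assumptions of this example: OP_CHECKSIG is a stand-in that accepts a "signature" equal to H(pubkey || txid) instead of verifying ECDSA, and OP_CLTV only compares the spending transaction's lock_time against the stack value (BIP65's lock-time-type and nSequence checks are omitted). OP_HASH256 is implemented as double SHA-256, which is what the real opcode computes even though the slides abbreviate it as SHA256(x). Keys, preimage and txid are constructed placeholders.

```python
import hashlib


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def hash256(b: bytes) -> bytes:
    # Bitcoin's OP_HASH256 is double SHA-256 (the slides write y = SHA256(x) for short)
    return sha256(sha256(b))


def fake_sign(pubkey: bytes, txid: bytes) -> bytes:
    # Stand-in for ECDSA so the example runs with the standard library only:
    # a "signature" is H("sig" || pubkey || txid). A real node verifies an ECDSA signature.
    return sha256(b"sig" + pubkey + txid)


FALSE_VALUES = (0, b"")


def run_script(script_sig, script_pk, txid: bytes, lock_time: int) -> bool:
    """Evaluate scriptSig then scriptPubKey on one stack (the legacy model the slides
    use). Data items are bytes or ints; opcodes are strings such as "OP_IF"."""
    stack, flags = [], []               # flags: one bool per open OP_IF, True = branch executes
    executing = lambda: all(flags)
    for op in list(script_sig) + list(script_pk):
        if op == "OP_IF":               # pops the condition only when the enclosing branch runs
            flags.append(executing() and stack.pop() not in FALSE_VALUES)
            continue
        if op == "OP_ELSE":             # the ELSE branch runs iff the IF branch did not
            flags[-1] = (not flags[-1]) and all(flags[:-1])
            continue
        if op == "OP_ENDIF":
            flags.pop()
            continue
        if not executing():
            continue
        if op == "OP_0":
            stack.append(0)
        elif op == "OP_1":
            stack.append(1)
        elif op == "OP_HASH256":
            stack.append(hash256(stack.pop()))
        elif op in ("OP_EQUAL", "OP_EQUALVERIFY"):
            equal = stack.pop() == stack.pop()
            if op == "OP_EQUAL":
                stack.append(1 if equal else 0)
            elif not equal:
                return False            # EQUALVERIFY fails the whole script
        elif op == "OP_DROP":
            stack.pop()
        elif op == "OP_CLTV":
            # BIP65: fail unless the spending tx's lock_time >= the value on top of the stack.
            # CLTV leaves that value on the stack, hence the OP_DROP that follows it.
            if lock_time < stack[-1]:
                return False
        elif op == "OP_CHECKSIG":
            pubkey, sig = stack.pop(), stack.pop()
            stack.append(1 if sig == fake_sign(pubkey, txid) else 0)
        else:
            stack.append(op)            # plain data push
    return bool(stack) and stack[-1] not in FALSE_VALUES


# Constructed sample values (placeholders, not real keys or transactions)
PK_A, PK_B = b"pubkey-of-A", b"pubkey-of-B"
TXID = b"id-of-the-spending-transaction"
X = b"secret-preimage-known-to-B"
Y = hash256(X)
T = 600_000                             # lock time expressed as a block height

HASHLOCK_SCRIPT_PK = ["OP_HASH256", Y, "OP_EQUALVERIFY", PK_B, "OP_CHECKSIG"]
HTLC_SCRIPT_PK = ["OP_IF", "OP_HASH256", Y, "OP_EQUALVERIFY", PK_B,
                  "OP_ELSE", T, "OP_CLTV", "OP_DROP", PK_A, "OP_ENDIF", "OP_CHECKSIG"]


def htlc_cases() -> dict:
    """Which spends of the hashlock and HTLC outputs are accepted."""
    sig_a, sig_b = fake_sign(PK_A, TXID), fake_sign(PK_B, TXID)
    return {
        "hashlock_B_with_x":  run_script([sig_b, X], HASHLOCK_SCRIPT_PK, TXID, 0),
        "B_claims_with_x":    run_script([sig_b, X, "OP_1"], HTLC_SCRIPT_PK, TXID, 0),
        "B_wrong_preimage":   run_script([sig_b, b"guess", "OP_1"], HTLC_SCRIPT_PK, TXID, 0),
        "A_reclaims_after_T": run_script([sig_a, "OP_0"], HTLC_SCRIPT_PK, TXID, T),
        "A_too_early":        run_script([sig_a, "OP_0"], HTLC_SCRIPT_PK, TXID, T - 1),
        "A_forges_B_branch":  run_script([sig_a, X, "OP_1"], HTLC_SCRIPT_PK, TXID, T),
    }


if __name__ == "__main__":
    for name, ok in htlc_cases().items():
        print(f"{name:22s} {'valid' if ok else 'rejected'}")
```

The last case shows why the HTLC needs both the hash check and the key check: knowing x alone lets A enter B's branch, but the OP_CHECKSIG against PK_B still rejects A's signature.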
109. Atomic cross-chain swaps
• Based on HTLC
• B picks random x, computes y = SHA256(x).
• B Submits HTLC sending BTC to A with hash y,
timeLock=now+2days
• A submits HTLC to say Litecoin, sending LTC to B,
hash y, timelock=now+1 day.
• Note - For cross chain atomic swaps (without
third party), both blockchains should support
same hash function.
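The swap protocol on this slide, as an added simulation (example code, not from the slides): each HTLC is modelled as an output with a hashlock branch for the recipient and a timelock branch for the owner, and the two chains are just two such objects. The point it demonstrates is the ordering of the two timelocks: the responder's lock must expire before the initiator's, otherwise a party can first reclaim its own coins and then still claim the counterparty's. The secret x, the day-based expiries and the party names are constructed sample values.

```python
import hashlib

DAY = 86_400  # seconds; timelocks below are offsets from the moment the swap starts


class HTLC:
    """One hashed-timelock output. The recipient can claim it with the hash preimage
    before `expiry`; from `expiry` on the owner can take it back. Claiming publishes
    the preimage, because it is part of the spending script."""

    def __init__(self, owner: str, recipient: str, digest: bytes, expiry: int):
        self.owner, self.recipient, self.digest, self.expiry = owner, recipient, digest, expiry
        self.spent_by = None      # who finally received the coins
        self.revealed = None      # preimage, once it appears on-chain in a claim

    def claim(self, who: str, preimage: bytes, now: int) -> bool:
        if self.spent_by or who != self.recipient or now >= self.expiry:
            return False
        if hashlib.sha256(preimage).digest() != self.digest:
            return False
        self.spent_by, self.revealed = who, preimage
        return True

    def refund(self, who: str, now: int) -> bool:
        if self.spent_by or who != self.owner or now < self.expiry:
            return False
        self.spent_by = who
        return True


def run_swap(b_lock_days: int, a_lock_days: int, b_strategy: str) -> dict:
    """B (holding BTC) initiates with secret x; A (holding LTC) responds with the same
    hash. b_strategy is "honest" (B claims the LTC, revealing x), "stall" (B does
    nothing) or "greedy" (B waits for its own refund, then tries to claim the LTC too).
    Returns who ended up with the coins on each chain."""
    x = b"constructed-secret-chosen-by-B"            # constructed sample value
    y = hashlib.sha256(x).digest()
    btc = HTLC(owner="B", recipient="A", digest=y, expiry=b_lock_days * DAY)
    ltc = HTLC(owner="A", recipient="B", digest=y, expiry=a_lock_days * DAY)

    reveal_time = None
    if b_strategy == "honest":
        if ltc.claim("B", x, now=DAY // 2):
            reveal_time = DAY // 2
    elif b_strategy == "greedy":
        btc.refund("B", now=btc.expiry)               # B takes its own BTC back first ...
        if ltc.claim("B", x, now=btc.expiry + 3600):  # ... then tries to collect the LTC as well
            reveal_time = btc.expiry + 3600

    # A's policy: watch the LTC chain; the moment x appears there, claim the BTC with it.
    if reveal_time is not None:
        btc.claim("A", ltc.revealed, now=reveal_time + 3600)
    # Whatever is still unclaimed at expiry goes back to its owner.
    ltc.refund("A", now=ltc.expiry)
    btc.refund("B", now=btc.expiry)
    return {"BTC": btc.spent_by, "LTC": ltc.spent_by}


if __name__ == "__main__":
    print("honest, 2d/1d :", run_swap(2, 1, "honest"))   # A gets BTC, B gets LTC
    print("stall,  2d/1d :", run_swap(2, 1, "stall"))    # both refunded
    print("greedy, 2d/1d :", run_swap(2, 1, "greedy"))   # both refunded, A is safe
    print("greedy, 2d/3d :", run_swap(2, 3, "greedy"))   # A's lock too long: B keeps both
```

With the slide's parameters (B locks for 2 days, A for 1 day) every strategy leaves A no worse off than before; swapping the two expiries is the misconfiguration the last line exposes.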
110. OP_CheckSequenceVerify
(OP_CSV)
• New feature: recycle sequence field of input for relative
timelock (BIP68). Low 16 bits specify time or block height since
corresponding output mined.
• Now we can use OP_CSV to let A *revoke* her transaction.
• Use this script for the funding transaction's output (E): HASH160 <CR-HASH> EQUAL IF <PK_B> ELSE "24h"
OP_CSV DROP <PK_A> ENDIF CHECKSIG
• B can immediately spend this UTXO if he knows the hash preimage CR of CR-HASH; A can spend this UTXO 24
hours after it hits the blockchain.
111. Revocable HTLC
• Now each commitment transaction has 3 outputs:
• Pay to A, pay to B, and pay to A or B depending if R known by time T
• Construct a *revocable* HTLC for the third output
• In commitment transaction A gives to C, third output has: HASH160 DUP
<R-HASH> EQUAL IF "24h" CHECKSEQUENCEVERIFY 2DROP <PKC> ELSE
<CRC-Hash> EQUAL NOTIF <T> CHECKLOCKTIMEVERIFY DROP ENDIF <PKA>
ENDIF CHECKSIG
• So A can spend if C revoked by revealing CRC, or if time T is passed C can
spend by revealing R and waiting 24h in case revoked
• In commitment transaction from C to A HASH160 DUP <R-HASH> EQUAL
SWAP <CRA-Hash> EQUAL ADD IF <PKC> ELSE <T> CHECKLOCKTIMEVERIFY
"24h" CHECKSEQUENCEVERIFY 2DROP <PKA> ENDIF CHECKSIG
• So C can spend immediately if it knows either R or CRA
• A must wait until time T and until 24 hours after submitted
112. Lightning (on Bitcoin network) / Raiden (on Ethereum)
• On chain : only two transactions, open and close payment channel.
• Off chain : use revocable HTLC to do as many micropayments as needed.
• These channels can be closed unilaterally or bilaterally. This doesn’t mean that you need to
create a channel every time you want to transact with someone. You can use existing channels
of the people you are connected with (intermediaries).
• Low cost, instant payments, scalable, secure, private, cross blockchain atomic swaps.
• Types
- Poon-Dryja Payment Channels
- Decker-Wattenhofer duplex payment channels
- Decker-Russell-Osuntokun eltoo Channels
• Use case
- Frequent transactions between any two parties.
- Metering (streaming content, consult lawyer, doctor, or using parking lot) etc
- Tipping (https://tippin.me/)
• Limitations
- Interactive – all parties involved in transaction need to communicate. IOW, no offline
capability (unlike bitcoin). Sender, receiver and if you are using someone else’s payment
channel, then that party as well, needs to be online.
- Limit of max payment size 4,294,967 satoshis (339$ @ 1BTC=8K USD). Of course, this
may change in future software.
- The channel you are making the transaction through, should have enough funds to
support your transaction, that is, twice the amount of the transaction value.
113. Layer 2 scaling - Sidechains
• Sidechains are separate blockchains (child) that are linked to the main (parent)
blockchain using a two-way peg. A sidechain enables bitcoins and other ledger
assets to be transferred between multiple blockchains.
• Gives users access to new and innovative cryptocurrency systems using the
assets they already own.
• Avoids the liquidity shortages and market fluctuations associated with new
currencies.
• Developers get the opportunity to test software upgrades as well as beta
coin releases before they are released on the main chain.
• Sidechains are isolated, in the case of a break in a sidechain, the damage is
entirely confined to the sidechain itself.
• Goal is to move as much transaction bloat off of the main chain as possible.
• Ethereum solution -> Plasma https://www.learnplasma.org/en/learn billions of
updates per sec
• Matic network (area finance) uses PoS + Plasma MVP
• Loom network (area gaming) uses DPoS + Plasma Cash
114. Sidechains : An example – Matic Network
• Ethereum transactions take an average of 14 to 20 seconds, and costs $0.20 or so, in peak time it costs $0.50.
Traditional centralized apps do this in less than a second. Users have come to expect that when they stream a
video from YouTube, post an article to Twitter, or loot a monster’s corpse in World of Warcraft, this action will
occur instantly and at no cost. Yet in blockchain applications, users have been expected to pay for these same
types of actions before waiting several seconds or even minutes for them to process. Issue is PoW. Solution use
PoS/dPoS + Sidechains.
• The Matic Network consists of a root contract on the Ethereum mainnet (validated using PoW) and a Matic
sidechain that uses PoS to validate transactions. If a user wants to create a Matic account, he must transfer ETH to
the Matic Contract. This transaction is validated the same way that any Ethereum transaction is. Once the
account is created, the user receives Matic tokens in his account on the Matic sidechain.
• From there on, the user can transfer his Matic tokens to anyone in less than a second. He should also be able to
make transfers with no fees or fees that are negligible. If a user decides that he wants to remove his ETH from
the contract, he can burn his Matic tokens and get his ETH back in return. To validate Matic token transactions,
the Matic Network uses a Proof of Stake system.
• All owners of Matic tokens have the right to stake their tokens. Essentially, this means that they hold onto the
tokens and don’t spend them. In return, they earn the right to choose who the Proposer will be. After a certain
number of blocks have been produced, stakers will choose a Proposer who will propose that these blocks be
added to the Ethereum blockchain as a header block. The Proposer must first validate the blocks. The stakers
must then validate the blocks themselves to make sure that the Proposers’ blocks are correct. Once ⅔ of the
stakers have approved the checkpoint, there is a trial period in which any Ethereum node can challenge the
transaction. If no one challenges it, the transaction becomes part of the Ethereum blockchain. The Matic
Network does not publish its blocks to the Ethereum blockchain each time a block is produced. Instead, it
publishes numerous blocks to the Matic sidechain. Then, at the next checkpoint, it publishes all of these blocks to
the mainnet at once. This is how the Matic Network speeds up transactions and lowers costs. Blocks are created
by a smaller number of nodes called block producers. Block producers are chosen by stakers during checkpoints.
115. The Alts
• An altcoin is any digital cryptocurrency similar to Bitcoin; the term is used to
describe any cryptocurrency that is not Bitcoin.
• Attributes altered such as
- Proof of something
- Supply : increase, reduce, fixed, random etc
- Speed : lower block time
- Privacy etc
116. Ethereum introduction
• Some of Bitcoin's limitations
- Not Turing complete (no jumps, no loops, long scripts)
- ScriptPK does not control where the output goes: anybody who solves the script can spend it.
- Does not support state for multi-stage contracts.
• Meet Ethereum. Open source Smart contract Blockchain platform.
• Creator Vitalik Buterin (Proposed in 2013, Launched in July 2015). License GPLv3.
• Currency 1 ether = 10¹⁸ weis. Also pays for Smart contracts.
• Note that ether supply is unlimited, unlike Bitcoin.
• New tools ->
• Solidity : Smart Contract programming language. Turing complete.
• Whisper : communication protocol for dApps
• Swarm : Ethereum decentralized storage protocol
• Mist: dApp browser
• Implementations : Parity (written in Rust) and Geth (written in Go)
• Some acronyms
- EIP Ethereum Improvement Proposal
- ERC Ethereum Request for Comments
- EVM Ethereum Virtual Machine
- ENS Ethereum Naming service
118. Transaction Parameters
nonce: number of transactions sent by the sender's address. The nonce is incremented for every new transaction; this
lets the network know the order in which the transactions need to be executed. Used for replay protection.
gas: the unit used to measure the fees for a particular transaction.
init: only exists for contract-creating transactions. EVM code fragment used to initialize the new contract account.
data (optional): first 4 bytes of H(function signature from the ABI) + arguments. The input data (args) of a message call.
gasPrice: the amount of ether you are willing to spend on every unit of gas. Gas prices are currently measured in
Gwei and range from 0.1 to 100+ Gwei. This is the transaction fee.
gasLimit: maximum gas you are willing to pay for this transaction. This value ensures that, in case of an issue executing
your transaction (like an infinite loop), your account is not drained of all its funds. Once the transaction is executed, any
remaining gas is sent back to your account. With every transaction, the sender sets gasPrice and gasLimit. gasPrice *
gasLimit = max amount of wei the sender is willing to pay for a transaction.
When 2 numbers are added a million times in Ethereum it costs ~$26.55 in fees. Danny Ryan compared that to an
AWS system, where the same work takes 0.04 seconds and, going by the $0.0059 hourly Amazon EC2 rate, costs $0.000000066. This means
that computation in Ethereum is 400 million times more expensive!
119. Gas table
• Smart contracts are compiled into low-level
machine instructions which are executed by EVM
(Ethereum Virtual Machine).
• Every single instruction costs gas.
• Storage is expensive and should be used sparingly.
• Writing to storage is the most expensive (20000)
and reading is cheaper (200).
• Some gas is refunded when storage is deleted or
set to 0.
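The gasLimit/gasPrice mechanics of slide 118 and the storage costs of this slide, as an added toy gas meter (example code, not the EVM): it charges each operation, halts an endless loop at gasLimit, reverts the storage copy on out-of-gas, refunds unused gas on success and applies the refund for clearing a storage slot. The 20000 write and 200 read costs are the slide's; the 5000 update cost, the 15000 clear refund and its cap at half the gas used are assumed from the Byzantium-era Yellow Paper, and the operation list is a constructed input.

```python
import itertools

WEI_PER_GWEI = 10**9
# Byzantium-era Yellow Paper costs (assumption; the slide quotes the 20000 write and 200 read)
GAS = {"ADD": 3, "SLOAD": 200, "SSTORE_SET": 20000, "SSTORE_RESET": 5000}
REFUND_SCLEAR = 15000          # refund for setting a non-zero slot back to zero


def max_fee_wei(gas_limit: int, gas_price_gwei: int) -> int:
    """gasPrice * gasLimit: the most a sender can lose to this transaction."""
    return gas_limit * gas_price_gwei * WEI_PER_GWEI


def adds(n=None):
    """A stream of ADD operations; with n=None it never ends (an infinite loop)."""
    return itertools.repeat(("ADD",)) if n is None else itertools.repeat(("ADD",), n)


def execute(ops, gas_limit: int, gas_price_gwei: int, storage: dict) -> dict:
    """Run (opcode, ...) tuples against a copy of `storage`.
    Stops the moment the next op would exceed gas_limit: then every state change is
    discarded and the whole gas_limit is paid for. On success unused gas is returned
    and the clear-refund (capped at half the gas used) is applied."""
    state, used, refund = dict(storage), 0, 0
    for op in ops:                             # `ops` may be endless: the limit stops it
        name = op[0]
        if name == "SSTORE":
            _, key, value = op
            old = state.get(key, 0)
            cost = GAS["SSTORE_SET"] if (old == 0 and value != 0) else GAS["SSTORE_RESET"]
        else:
            cost = GAS[name]
        if used + cost > gas_limit:
            return {"status": "out_of_gas", "gas_used": gas_limit,
                    "fee_wei": max_fee_wei(gas_limit, gas_price_gwei),
                    "storage": dict(storage)}   # reverted: caller's storage untouched
        used += cost
        if name == "SSTORE":
            if old != 0 and value == 0:
                refund += REFUND_SCLEAR
            state[key] = value
    used -= min(refund, used // 2)
    return {"status": "ok", "gas_used": used,
            "fee_wei": used * gas_price_gwei * WEI_PER_GWEI,
            "refunded_gas": gas_limit - used, "storage": state}


if __name__ == "__main__":
    # constructed transaction: allocate a slot, read it, clear it again
    print(execute([("SSTORE", "x", 1), ("SLOAD", "x"), ("SSTORE", "x", 0)], 100_000, 10, {}))
    print(execute(adds(), 21_000, 10, {"x": 5}))            # endless loop, stopped by gasLimit
    print(execute(adds(1_000_000), 3_000_000, 10, {}))      # a million additions
```

The endless-loop call is the slide's "infinite loop" case: the sender loses exactly gasLimit * gasPrice and nothing more, and the storage it started with is unchanged. The million-addition run counts only the ADD opcodes, so it is a lower bound on the cost the slide quotes, which includes loop bookkeeping.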
122. Ethereum’s P2P network
• A Peer-to-Peer (P2P) network is an overlay network. It can be viewed as a directed graph
G = (V,E), where V is the set of peers in the network and E is the set of links between peers.
Each peer p has a unique identification number pid. A link (p,q) in E means that p has a
direct path to send a message to q; that is, p can send a message to q over the network
using q’s pid as the destination. At each peer’s level, the connectivity of the graph is
reflected in terms of its adjacencies to other peers. Overlay maintenance mechanisms are
used to keep the adjacency information updated, thus maintaining connectedness across
all nodes.
• Participants in the P2P network make a portion of their resources available to other
network participants. Each peer contributes compute cycles (CPU), disk storage, and
network bandwidth, without the need for a central coordination instance. Peers are both
suppliers and consumers of network resources, in contrast to the traditional client-server
model.
• The official Ethereum client node software, Geth, implements its peer discovery protocol
(the RLPx Node Discovery Protocol) based on an overlay maintenance mechanism called
Kademlia DHT (Distributed Hash Tables). While Kademlia is designed for efficiently locating
and storing content in a P2P network, Ethereum’s P2P network is only used to discover
new peers.
• https://github.com/ethereum/devp2p/blob/master/rlpx.md
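To show what the Kademlia overlay mentioned above actually computes, here is an added example (not from the slides, not Geth code): XOR distance, k-bucket indexing and an iterative FINDNODE-style lookup over a small constructed network. Node ids here are hashes of labels; real discv4 ids are derived from each node's public key, and the routing tables are built ideally (a few peers per bucket) rather than learned over time.

```python
import hashlib


def node_id(seed: bytes) -> int:
    """Constructed 256-bit node id (a stand-in for the key-derived id discv4 uses)."""
    return int.from_bytes(hashlib.sha256(seed).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    return a ^ b


def log_distance(a: int, b: int) -> int:
    """Position of the highest differing bit (0 when identical): the k-bucket
    index of b as seen from a."""
    return (a ^ b).bit_length()


def bucketize(self_id: int, peers, per_bucket: int = 16) -> dict:
    """Group peers into k-buckets by log distance; a full bucket keeps the peers
    it already has (Kademlia prefers long-lived peers over newcomers)."""
    buckets = {}
    for p in peers:
        if p == self_id:
            continue
        bucket = buckets.setdefault(log_distance(self_id, p), [])
        if len(bucket) < per_bucket:
            bucket.append(p)
    return buckets


def closest(target: int, peers, k: int = 16) -> list:
    """The k ids nearest to target in XOR metric, nearest first."""
    return sorted(set(peers), key=lambda p: xor_distance(target, p))[:k]


def lookup(target: int, self_id: int, routing: dict, k: int = 16, alpha: int = 3):
    """Iterative lookup: ask the alpha closest not-yet-queried peers for their tables,
    merge the answers, stop when the k closest candidates have all been asked.
    routing maps each id to the ids its table contains (a constructed network)."""
    candidates = set(routing.get(self_id, []))
    queried, queries = set(), 0
    while True:
        best = closest(target, candidates, k)
        to_ask = [p for p in best if p not in queried][:alpha]
        if not to_ask:
            return best, queries
        for p in to_ask:
            queried.add(p)
            queries += 1
            candidates.update(routing.get(p, []))


def build_network(n: int, per_bucket: int = 3):
    """n nodes, each with an ideal routing table of up to per_bucket peers per bucket."""
    ids = [node_id(b"node-%d" % i) for i in range(n)]
    routing = {me: [p for bucket in bucketize(me, ids, per_bucket).values() for p in bucket]
               for me in ids}
    return ids, routing


if __name__ == "__main__":
    ids, routing = build_network(40)
    target = ids[23]
    found, n_queries = lookup(target, ids[0], routing, k=4)
    print("found target:", found[0] == target, "after", n_queries, "queries")
```

Each hop lands in a bucket whose members share one more leading bit with the target, which is why the lookup converges in far fewer queries than there are nodes.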
123. Orphan blocks & Uncle/Ommer blocks
Orphan blocks : Bitcoin concept. Two blocks created at the
same time, but due to propagation delay, one becomes
part of longest chain. Other one (aka Stale block) is
discarded and no block reward is given to the miner.
Uncle blocks : Ethereum concept, lower block time causes
more Orphan blocks, here also it is a valid block mined at
the same time and is rejected, however, it’s linked to the
blockchain (with parent that is ancestor, max 6 blocks
back) and miner is rewarded smaller block reward (2.625
eth instead of 3 eth). Note : transactions in uncle blocks
are not considered valid.
This adds to the security of the chain since more computing has gone
into the blockchain with uncle blocks and thus is considered
‘heaviest’ and better than ‘longest’. This is EIP100, which changes the
difficulty calculation algorithm to include Uncles.
*Ommer is sometimes used but is not an English word, so uncle is
more commonly used but is not gender-neutral.
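Where the 2.625 ETH figure above comes from, as an added example (not from the slides): Ethereum pays an uncle's miner (uncle_height + 8 - including_block_height) * base_reward / 8, so a one-generation-old uncle gets 7/8 of the 3 ETH Byzantium-era base reward quoted on the slide, and the including block's miner gets base/32 per uncle. The heights used below are constructed.

```python
BASE_REWARD_ETH = 3.0     # block reward in force when the slide's 2.625 figure applied (EIP-649)
MAX_UNCLE_DISTANCE = 6    # the slide's "max 6 blocks back"
MAX_UNCLES_PER_BLOCK = 2


def is_valid_uncle(uncle_height: int, nephew_height: int) -> bool:
    """An uncle must be 1 to 6 generations older than the block that includes it."""
    return 1 <= nephew_height - uncle_height <= MAX_UNCLE_DISTANCE


def uncle_reward(uncle_height: int, nephew_height: int, base: float = BASE_REWARD_ETH) -> float:
    """Reward paid to the uncle's miner: 7/8 of base for a one-block-old uncle,
    shrinking by 1/8 of base per extra generation."""
    if not is_valid_uncle(uncle_height, nephew_height):
        raise ValueError("not includable as an uncle")
    return (uncle_height + 8 - nephew_height) * base / 8


def nephew_bonus(n_uncles: int, base: float = BASE_REWARD_ETH) -> float:
    """The including block's miner earns base/32 for each uncle it references."""
    if not 0 <= n_uncles <= MAX_UNCLES_PER_BLOCK:
        raise ValueError("a block may include at most two uncles")
    return n_uncles * base / 32


def block_reward_breakdown(nephew_height: int, uncle_heights, base: float = BASE_REWARD_ETH) -> dict:
    """Everything paid out for one block: the miner's base reward plus uncle bonus,
    and each uncle miner's reduced reward."""
    uncle_heights = list(uncle_heights)
    return {
        "miner": base + nephew_bonus(len(uncle_heights), base),
        "uncles": [uncle_reward(h, nephew_height, base) for h in uncle_heights],
    }


if __name__ == "__main__":
    print(uncle_reward(99, 100))                       # 2.625: the slide's figure
    print(block_reward_breakdown(100, [99, 94]))       # constructed: uncles 1 and 6 blocks back
```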
124. Tokens
• Tokens live in smart contracts, which themselves live in the Ethereum
blockchain.
• Tokens can be looked at as a “coin in a coin”
• The Ethereum blockchain itself has no salient distinction of ERC20, ERC721 as
tokens.
• To Ethereum, tokens are just variables defined in smart contracts. It’s just
humans writing the contracts who decide to assign some particular meaning
to some variables in smart contracts.
• Tokens can be fungible or non-fungible.
• Fungible : Alice's $20 bill is the same as Bob's $20 bill.
• Non-fungible : Alice's dog is not the same as Bob's dog, although they may be of
the same breed/color/age etc. Another example: the Mona Lisa is "non-fungible".
• NFT properties : Unique, provably scarce, sometimes indivisible.
125. ERC20 tokens (Fungible)
• A standard API for fungible tokens that provides
basic functionality to transfer tokens or allow the
tokens to be spent by a third party.
• An ERC20 token is itself a smart contract that
contains its own ledger of balances.
• A standard interface allows other smart contracts
to interact with all ERC20 tokens, rather than using
special logic for each different token.
• https://github.com/ethereum/EIPs/blob/master/EIPS/eip-20.md
• E.g. USDT, Dai, LEND, UNI, SNX etc
126. ERC20 token
Interface
• function transfer(address _to, uint256 _value) external returns (bool);
• function transferFrom(address _from, address _to, uint256 _value) external returns (bool);
• function approve(address _spender, uint256 _value) external returns (bool);
• function totalSupply() external view returns (uint256);
• function balanceOf(address _owner) external view returns (uint256);
• function allowance(address _owner, address _spender) external view returns (uint256);
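The semantics behind that interface, as an added model in Python (example code, not a Solidity contract and not any token's implementation): the contract's own ledger of balances, the allowance map that approve/transferFrom operate on, and the checks a transfer must make before touching state. Solidity's implicit msg.sender is passed explicitly as the first `caller` argument, and the account names and amounts are constructed.

```python
class ERC20Ledger:
    """Minimal model of an ERC20 token's state and the six interface functions.
    Failed calls return False, mirroring the bool in the interface; a Solidity
    contract would usually revert instead."""

    def __init__(self, initial_holder: str, supply: int):
        self._balances = {initial_holder: supply}
        self._allowances = {}                 # (owner, spender) -> remaining allowance
        self._total_supply = supply

    def total_supply(self) -> int:
        return self._total_supply

    def balance_of(self, owner: str) -> int:
        return self._balances.get(owner, 0)

    def allowance(self, owner: str, spender: str) -> int:
        return self._allowances.get((owner, spender), 0)

    def _move(self, frm: str, to: str, value: int) -> bool:
        # checks before effects: a balance may never go negative
        if value < 0 or self.balance_of(frm) < value:
            return False
        self._balances[frm] = self.balance_of(frm) - value
        self._balances[to] = self.balance_of(to) + value
        return True

    def transfer(self, caller: str, to: str, value: int) -> bool:
        return self._move(caller, to, value)

    def approve(self, caller: str, spender: str, value: int) -> bool:
        # Overwrites any earlier allowance for this spender.
        self._allowances[(caller, spender)] = value
        return True

    def transfer_from(self, caller: str, frm: str, to: str, value: int) -> bool:
        """Spend on someone else's behalf: needs both their balance and an
        allowance granted to the caller, which is reduced by the amount moved."""
        remaining = self.allowance(frm, caller)
        if remaining < value or not self._move(frm, to, value):
            return False
        self._allowances[(frm, caller)] = remaining - value
        return True

    def holders_sum(self) -> int:
        """Invariant check: balances always add up to totalSupply."""
        return sum(self._balances.values())


if __name__ == "__main__":
    token = ERC20Ledger("alice", 1_000)                  # constructed sample accounts
    token.transfer("alice", "bob", 300)
    token.approve("alice", "dex", 50)
    print(token.transfer_from("dex", "alice", "carol", 30), token.allowance("alice", "dex"))
    print(token.transfer_from("dex", "alice", "carol", 30))   # only 20 left: rejected
```

Because approve simply overwrites the allowance, EIP-20 itself notes that changing a non-zero allowance directly to another non-zero value lets a spender race the change; the recommended pattern is to set it to 0 first and then to the new value.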
127. ERC721 tokens (Nonfungible)
• Introduced as non-fungible token in 2017 by
Cryptokitties.
• While an ERC20 token represents a single type
of asset, an ERC721 token represents a class of
assets. In the case of CryptoKitties, its ERC721
token contract represents ALL the unique
kitties in the game, as well as who owns which.
• A player fully owns an asset, or not. It’s not
possible to own “half a kitty” in Cryptokitties,
for example.
128. NFT
• ERC-998 Allows bundles of separate ERC-721 tokens to be bought and sold in
one transaction. For example, an avatar having a hat, shirt, sword, etc say 10
separate erc-721 tokens, they all can be sold in one transaction instead of 10
transactions.
• ERC-1155 (pioneered by Enjin coin, blockchain based gaming) single contract
that supports fungibility agnostic tokens (fungible, non-fungible, semi-fungible)
and gas efficient contract. E.g. ERC-20 laser guns, but ERC-721 laser sword.
• Currently, digital tickets on ticketmaster, Fortnite skin on Fortnite’s platform. All
separate sites. With NFT market, they all can be interoperable on Ethereum due
to standardization.
• Marketplaces : create, buy/sell/exchange/ trades bid, bundle, decentralized,
open economy. Instant tradability. Fast liquidity. E.g. opensea.io, rarible.com
• Domain names, digital art, virtual world, collectibles, sports, gaming, music,
utility etc.
• Can also prove authenticity and scarcity of the digital asset.
129. Wrapped Tokens (WBTC)
• Wrapped tokens give the owners of digital assets freedom to explore other blockchains.
• WBTC is an ERC-20 token that’s backed on 1:1 basis with Bitcoin.
• When Bitcoin is wrapped, it is held in a reserve by the BitGo Trust (Custodian).
• In an aim to be fully transparent, #WBTC in circulation has been made public.
• A large chunk of DeFi and DApps run on Ethereum network.
• The market cap of bitcoin is much larger than any other coin.
• Majority of trading volume is on centralized exchanges. WBTC changes that.
• WBTC brings in more liquidity to DeFi and DEX etc.
• WBTC brings Bitcoin to the ERC20 format, creating smart contracts for Bitcoin. This makes it easier to write
smart contracts that integrate Bitcoin transfers.
• Maintaining various nodes and managing transaction types in order to support multiple currencies can be
onerous. Now exchanges, wallets, and payment apps only need to handle an Ethereum node.
• Send (W)BTC faster between Eth wallets, exchanges etc
• Launched 31 Jan 2019. 2300 BTC locked in WBTC tokens currently.
• Requesting or returning WBTC involves KYC => NOT private.
130. DeFi
• Conventional financial tools built on a blockchain, mostly Ethereum
• Stablecoins (DAI, Tether, USDC by Circle, PAX, Gemini $)
• Open Lending and borrowing Protocols (MakerDAO, BlockFi, Dharma, dYdX,
Compound Finance, Nuo)
• Lending and Margin trading (dYdX, Fulcrum)
• Derivatives - futures, options, swaps (Synthetics, Binance, Kraken etc)
• DEX (Deversify, Bancor, Kyber, Airswap, Uniswap)
• Open Marketplaces (District0x, GitCoin, OpenSea, OpenBazaar)
• Decentralized Prediction Markets (Augur, Gnosis)
• Issuance Platforms and Investing (Polymath, Harbor)
• Payments (Celer network, OmiseGo, Matic)
• And more …
• Instant transaction settlement and novel secured lending methods
• Collateralization of digital assets
• Integration with digital asset lending/borrowing
• No credit checks, meaning broader access to people that cannot tap into traditional
services.
• Caution : The old crypto saying “don’t put in more than you can afford to lose” goes
double for DeFi.
• CeFi – crypto products managed by Centralized orgs that holds custody of assets.
e.g. Getting a DeFi loan :
• No credit rating check
• No ID needed
• No paper work
• No banker
• No income/job necessary
• Instant approval
• Just need eth as collateral!
131. Stablecoins
Currency
- Store of value
- Medium of exchange
- Unit of account
• Synthetic USD trade pair for blockchain settlement needed say for Crypto
exchange to Crypto exchange.
• Speed of settlement matters. On chain more important.
• Liquidity between exchanges in USD equivalent is important
• Store of value without off ramp in times of downturn or volatility. Long
cash.
• Cryptocurrency designed to minimize volatility of the price of stablecoin.
• MS, Spotify, Quickbooks use BitPay to accept payment in BTC but
quickly convert to USD. Why? Low margin business cannot afford
high volatility. Because they are not in the business of speculating
on Bitcoin.
• Merchants faced with constantly adjusting BTC price for a
potential purchase => terrible UX
• Developing markets
- Inflation : Egypt (32%), Argentina(23%), Nigeria(16%), Venezuela
(741%).
- Dollarization : Seychelles 20% to 60%, Argentina (‘dolar blue’)
- Devaluation – Zimbabwe switched officially to USD in 2009.
• Prediction markets (Augur) : reduce risk using stablecoin.
• Financial markets: Hedging, Derivatives, Leverage – CDP allows
permission-less leveraged trading using stablecoin as a reliable collateral.
132. Stablecoins types
• Backed by (fiat/precious metals/crypto)
• Backed by fiat : either fully collateralized or partially.
May be pegged. e.g USDT (counterparty & regulatory
risk, may have solvency issues, TrueUSD etc).
• Backed by commodity : backed by precious metals (gold,
silver) e.g Digix Gold Tokens (DGX)
• Decentralized and Backed by cryptocurrency : issued with
cryptocurrencies as collateral (BTC/ETH etc). May be pegged
using interest rate. eg. DAI. Risks : Liquidation cascade, oracle
dependency
• Seigniorage-style (not backed) : Algorithmic. Value is
controlled by supply and demand through algorithms,
stabilizing price. Eg. Basis, Carbon
https://github.com/jordanlyall/dai-universe
133. Tether (USD₮,
EUR₮)
• Three types : Omni Bitcoin Based, Erc20 based & proposed
Tron based
• Tether Volume (24hrs) $17B, Circulating supply $4B =>
Velocity = 4
• Biggest 24 hr volume cryptocurrency is Tether and not bitcoin!
• Velocity = “the number of times money changes hands”
• Note Tether daily volume ($17B) > Bitcoin daily volume
($15B).
• Claims 100% backed by ‘reserves’ (may not be cash).
• Market cap history – $1M (2015), $7M (2016), $1.3B (2017) -
>100x, $2B (2018), $4B(2019)
• Market caps of other notable stable-coins : Tether $4B, USDC
$400M, Paxos standard $250M, TrueUSD $200M, DAI $80M,
Gemini Dollar $50M
134. MakerDAO
Maker is a Decentralized Autonomous Organization (DAO) on the Ethereum blockchain with the objective of
minimizing the price volatility of its own stablecoin DAI, pegged at $1 (USD), and a lending platform. It
did $200M+ in loans in its first year; that took Lending Club 5 years.
Maker stabilizes the value of Dai through a dynamic system of Collateralized Debt Positions (CDPs),
autonomous feedback mechanisms called Target Rate Feedback Mechanism (TRFM breaks peg to stabilize
around target price), and appropriately incentivized external actors.
Price of Maker (MKR) is not pegged. Maker is a utility token for governance and the price increases with the
usage of the Dai. Must lock up 150% Eth in collateral + 0.5% stability fee.
Deposit 150% collateral (say Eth) to create a CDP. Borrow DAI with a Collateralized Debt Position.
At the end of contract - Repay DAI + stability fee to withdraw collateral and close CDP.
Once generated, Dai can be used in the same manner as any other cryptocurrency
When the collateral-to-debt ratio (debt ceiling) falls too low, it automatically liquidates enough of the collateral to buy back
as many Dai as were issued. The issued Dai is thus taken out of circulation. It also collects principal + interest + a 13%
penalty.
Global settlement : automatic last resort to cryptographic guarantee target price of DAI. Serious emergency
e.g market irrationality, crash, hack, security breach, upgrades.
External factors : Keepers (independent automated actor incentivized by profit opportunities in Debt Auctions
and CDP liquidation), Oracles (real time information about market price of collaterals), Global settlers voted
by MKR holders via governance.
135. MakerDAO example
• Investment leverage.
• Imagine you own $1,500 in ETH, and believe that ETH will
double in value. You do not have liquidity to buy more right now
but want to profit from your knowledge.
• First you lock up your $1,500 in ETH as collateral in a CDP. Then
you issue 1,000 Dai against the collateral and acquire a 1,000
Dai debt.
• Next you sell the 1,000 Dai on an exchange for $1,000 in ETH.
Through the CDP you now own $2,500 worth of ETH, including
the $1,500 that’s locked up as collateral.
• Your initial investment is leveraged 1.66X. When ETH doubles,
you sell it for Dai that you then use to repay your debt (with
interest) and you can walk home with a handsome profit.
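The leverage walk-through above, as an added CDP model (example code, not MakerDAO's contracts): it enforces the slide's 150% collateral ratio when Dai is drawn, computes the ETH price at which the position becomes undercollateralized, charges the 0.5% stability fee on repayment and the 13% penalty on liquidation. The entry price of $150/ETH and the Dai price of $1 are constructed assumptions needed to turn "$1,500 in ETH" into an ETH amount; the fee is modelled as a flat charge on the debt rather than accruing over time.

```python
LIQUIDATION_RATIO = 1.5       # slide: lock up 150% collateral
STABILITY_FEE = 0.005         # slide: 0.5% stability fee (flat on the debt in this model)
LIQUIDATION_PENALTY = 0.13    # slide: 13% penalty


class CDP:
    """A Collateralized Debt Position: ETH locked, Dai drawn against it."""

    def __init__(self, eth_locked: float):
        self.eth_locked = eth_locked
        self.dai_debt = 0.0

    def collateral_ratio(self, eth_price: float) -> float:
        if self.dai_debt == 0:
            return float("inf")
        return self.eth_locked * eth_price / self.dai_debt

    def draw(self, dai: float, eth_price: float) -> bool:
        """Issue Dai only while the position stays at or above the liquidation ratio."""
        if dai <= 0 or self.eth_locked * eth_price / (self.dai_debt + dai) < LIQUIDATION_RATIO:
            return False
        self.dai_debt += dai
        return True

    def liquidation_price(self) -> float:
        """ETH price below which the position is undercollateralized."""
        return self.dai_debt * LIQUIDATION_RATIO / self.eth_locked

    def is_undercollateralized(self, eth_price: float) -> bool:
        return self.collateral_ratio(eth_price) < LIQUIDATION_RATIO

    def amount_due(self) -> float:
        """Dai needed to close the position: principal plus stability fee."""
        return self.dai_debt * (1 + STABILITY_FEE)

    def liquidate(self, eth_price: float) -> float:
        """ETH sold by the system to cover debt + fee + penalty, capped by what is locked."""
        return min(self.eth_locked, self.amount_due() * (1 + LIQUIDATION_PENALTY) / eth_price)


def leverage_scenario(usd_in_eth=1500.0, entry_price=150.0, dai_drawn=1000.0, exit_price=300.0) -> dict:
    """The slide's walk-through: lock all ETH, draw Dai, buy more ETH with it,
    later sell just enough ETH to repay and compare with simply holding."""
    eth = usd_in_eth / entry_price
    cdp = CDP(eth)
    if not cdp.draw(dai_drawn, entry_price):
        raise ValueError("drawing that much Dai would breach the 150% ratio")
    bought = dai_drawn / entry_price                 # Dai sold at $1 for ETH
    exposure_usd = (eth + bought) * entry_price
    eth_sold_to_repay = cdp.amount_due() / exit_price
    return {
        "leverage": exposure_usd / usd_in_eth,
        "exposure_usd": exposure_usd,
        "liquidation_price": cdp.liquidation_price(),
        "final_usd": (eth + bought - eth_sold_to_repay) * exit_price,
        "hold_only_usd": eth * exit_price,
    }


if __name__ == "__main__":
    print(leverage_scenario())                      # leverage 1.67x, but liquidation at $150
    underwater = CDP(10.0)
    underwater.draw(1000.0, 150.0)
    print(underwater.is_undercollateralized(149.0), underwater.liquidate(100.0))
```

The number worth noticing is the liquidation price: drawing the full 1,000 Dai against $1,500 puts the position exactly on the 150% line, so any dip in ETH before the hoped-for doubling triggers liquidation and the 13% penalty.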
Editor's Notes
Credit : Based on Gavin Wood’s slides
Smart contracts are automatic execution of business logic when certain criteria or triggers are met.
Credit Slideshare Jean-Christophe Busnel, Bitcoin
How do you get a Bitcoin Public Key from a Private Key : https://bitcoin.stackexchange.com/questions/25024/how-do-you-get-a-bitcoin-public-key-from-a-private-key
Private keys are secure from brute force attacks because of the sheer number of possible keys.
There are approximately 10^77 possible private keys, and for perspective, there are estimated to be 10^80 atoms in the observable universe.
Replace by fee : allows sender to bump the fee of a stuck transaction. Beware, if receiver does not wait for confirmation and sends goods, then sender can double spend and replace the tx with her own address with rbf.
Credit Neha Narula, MIT professor
https://people.cs.uchicago.edu/~davidcash/23280-winter-19/miners.pdf - Ittay Eyal, Cornell University
51% attack to undo an attacker ! https://www.coindesk.com/bitcoin-cash-miners-undo-attackers-transactions-with-51-attack
The Securities Act of 1933 and the Securities Exchange Act of 1934 dictate much of the U.S. government's approach to financial regulation, even nearly 100 years after they were established. Under these acts, transactions which qualify as "investment contracts" are considered securities, meaning that they are also subject to specific requirements related to disclosure and registration.
https://www.investopedia.com/terms/h/howey-test.asp
Yellow paper : https://ethereum.github.io/yellowpaper/paper.pdf
https://etherscan.io
The history of the block reward are as follows:
Block 0 to Block 4,369,999: 5 Ether
Block 4,370,000 to 7,280,000: 3 Ether (changed via EIP-649)
Block 7,280,000 to now: 2 Ether (changed via EIP-1234)
Auto liquidation https://medium.com/reserve-currency/our-analysis-of-the-makerdao-protocol-4a9872c1a824
Tokenomics
- UNI
max supply 1B
inflation rate of 2% per year after 4 yr vesting period.
While 60% of UNI tokens are technically held by the community, a quick glance at Etherscan suggests that a substantial chunk of UNI’s supply is held by whales
- CAKE
Bep20 token on BSC
No Supply cap
Inflationary : effective emission/day 750,000 (1.2M/day - burning 450K)
Distribution : 60% to yield farmers, 40% to CAKE stakers in syrup pools