2018 SAI workshop blockchain Kristof Verslype

Blockchain & Toepassingen
E e n v e r k e n n i n g ‘o n d e r d e m o t o r k a p ’
Kristof Verslype
Smals Onderzoek (smalsresearch.be)
www.cryptov.net
SAI Workshop – 22 januari 2018 - Brussel

2
Kristof Verslype
@KristofVerslype
kristof@cryptov.net
be.linkedin.com/in/verslype
www.cryptov.net
Doctor of Engineering (KU Leuven)
Researcher, advisor & speaker
in crypto, privacy & blockchain tech
www.smals.be
@Smals_ICT
www.smalsresearch.be
@SmalsResearch
W h o a m I ?

3
Heeft u een vraag? Stel ze!
AGENDA
Doelstelling: inzicht krijgen in de technologie achter de hype
4
Permissioned
5
Cases
1
Introduction
2
Unpermissioned
6
Conclusions
3
Smart contracts

Blockchain gaat over Vertrouwen
Reductie afhankelijkheid centrale partijen (Disintermediatie)
4
Blockchain Netwerk
Bescherming data Afdwingen regels

Perspectief
5https://hbr.org/2017/01/the-truth-about-blockchain
“Hoewel de impact enorm zal zijn, zal het decennia
duren voor blockchain om in onze economische en
maatschappelijke structuren te sijpelen.”
Tijd nodig om economie te transformeren:
- TCP/IP: 30 jaar
- Elektriciteit: 20 jaar
Grondleggende technologie
Het heeft het potentieel om nieuwe fundamenten voor
ons economisch en sociaal systeem te creëren.
Toestand vandaag:
- 3-5 jaar eer volwassen
- 3% POCs in productie

Idee
6
Transactions
5,1 BTC →
0,7 BTC →
Transactions
5,1 BTC →
0,7 BTC →
Transactions
5,1 BTC →
0,7 BTC →
Transactions
5,1 BTC →
0,7 BTC →
Ik transfereer 0,4
BTC naar
Ok!
Ok!
Ok!
0,4 BTC →
Bob
Alice
Charlie
Dave
0,4 BTC →
0,4 BTC →
0,4 BTC →

Idea
7
Transactions
5,1 BTC →
0,7 BTC →
Transactions
5,1 BTC →
0,7 BTC →
Transactions
5,1 BTC →
0,7 BTC →
Transactions
5,1 BTC →
0,7 BTC →
I transfer
0,4 BTC to .
Ok!
Ok!
Ok!
0,4 BTC →
Bob
Alice
Charlie
Dave
0,4 BTC →
0,4 BTC →
0,4 BTC →
Blockchain
Atomisch
Iedereen schrijft de transactie in zijn/haar append-only spreadsheet
of niemand → Consensus mechanisme
Geldig
Enkel geldige transacties worden aanvaard door het netwerk
Vb. Bob is eigenaar / heeft het geld niet reeds eerder gespendeerd
Veilig en robuust
Systeem blijft correct werken, zelfs indien deel participanten offline of
kwaadaardig is
Relatief snel
Gedistribueerd

Consensus: Byzantine General Problem
8
- N generals
- Some might be traitors
- Messages can get lost
- Honest generals need
consensus: attack or not

Blockchain
9
Aan vaste frequentie nieuwe blokken gecreëerd
met daarin de meest recente transacties
De blockchain bevat
alle transacties
Transacties in de blockchain
zijn onverwijderbaar
Blockchain = aaneenschakeling van
blokken, die transacties bevatten
Vele entiteiten bezitten dezelfde
kopie van de blockchain
Block 51
Header
Block 52
Header
Block 53
Header Header
Block 54
5,10 BTC →
0,70 BTC →
Blockchain specifiek: 10 minutes in
Bitcoin, 10 seconden in Ethereum,…
0,40 BTC →

Idee
10
Transactions
5,1 BTC →
0,7 BTC →
Transactions
5,1 BTC →
0,7 BTC →
Transactions
5,1 BTC →
0,7 BTC →
Transactions
5,1 BTC →
0,7 BTC →
0,4 BTC →
Bob
Alice
Charlie
Dave
0,4 BTC →
0,4 BTC →
0,4 BTC →

Bescherming Data
11
Transaction
0,01 BTC →
Vertrouwde
entiteit
Transaction
Data
Untamperable
(integrity)
Unremovable
(non-repudiability)
Timestamp
Eigenschappen van data in een blockchain
Transparent
(verifiable)
Authentic
Robust
(availability)
→ Applications other then cryptocurrencies
On existing or own blockchain

Application Domains
12
Diploma
Alice
Master in
Lego Design
KU Leuven
Registration
facts
Transfer
of assets
Streamlining
processes
Enforcement
of agreements
Protection data
Enforcement of rules

13
Registration Facts
Vaccination
IdentityDiplomaMarriage
Medical
records
TaxesSupply chain
Tracking
Driving license
Political
mandates
Official
documents
History /
overview
Will
Hash of records on blockchain
- Integrity
- Non-repudiability (completeness)
- Timestamp
Confidence in correctness
- Authenticity
- Integrity
- Timestamp
- Long term-validity
- Transparency
- Non-
repudiability (no
denial)
- Integrity
Logically centralising
dispersed data about
provenance in single
data structure (without
central authority)

14
Registration Facts
Alice
9AF
Employer
Alice does not need copy of blockchain
In reality usually more crypto
hashing, encryption, pseudonyms
Transaction 9AF
Diploma
Alice
Master in
Lego Design
KU Leuven
Alice

15
Registration Facts
Alice
9AF
Employer
Transaction 9AF
Diploma
Alice
Master in
Lego Design
KU Leuven
Diploma
Alice
Master in
Lego Design
KU Leuven
Best match with GDPR
Data potentially again spread over multiple servers…
Reduces potential of smart contracts

Verificatie Certificaten
16https://www.dnvgl.be/certificering/certificaten-in-de-blockchain.html?utm_source=be&utm_medium=persbericht&utm_campaign=be-persbericht-270917

17
Applications: Transfer Assets
Ticket
.bitDomain name
Copyrights
Bitcoin Monero Ethereum
Crypto
currencies
Untangible
assets
DiamondCar
Land register
Tangible
assets
Electricity

18
Transfer Assets
Transaction 23F
→
Transaction XP0
→ 9BG
Transaction 9BG
→ 23F
Authority
(Mortgage office)
The lawful
owner
is .
The lawful
owner
is .
Owner 1 (Bob) Owner 2 (Charlie)
The lawful
owner
is .
Only required for
initial registration
Full history on the
blockchain
Owner can prove (s)he
is the lawful owner

19
Transfer Assets
Transaction 23F
→
Authority
(Mortgage office)
Owner 1 (Bob) Owner 2 (Charlie)
Transaction 9BG
→ 23F
→
Transaction XP0
→ 9BG
→
Owner 3 (Alice)
Only if both & sign
transaction, it is valid No trusted intermediary
required to temporarily
hold funds
Extra rules possible
(Eg. valid soil certificate
or approval by notary)
Hide exact amount
Register renovation &
verification history

Streamlining Processes
Banks share blockchain
instead of all own DB
Citizen moves and
declares it once. All
stakeholders informed
(electricity provider,
post, municipalities, …)
Citizen declares birth once.
All stakeholders informed
(local administration,
childcare system , bank,
mutualities, insurance, …)
Processes between governmental
institutions (e.g. automatic
subsidies)
Advantages
- Reduced trust in central authority
- Robust (HA system with LA nodes)
- Unmodifiable audit trail
- Every step validated / according to the rules
- One data structure (consistency)
- Uniform data representation
(standardisation)
20

Enforcements of Agreements
21
Processing
medical prescriptions Elections
Flight Delay
Insurance
Blocking
rent guaranteeCrowdfundingApplication & Payment
of subsidies / benefits
Smart locks
Permissions
access PII
Transport
conditions
Auction

Central DB Vs. Blockchain
22
Central DB Blockchain
Disintermediation The essence of blockchain tech is
reducing reliance upon intermediaries /
authorities
Integrity / transparency /
verifiability
Blockchain is a tamper-proof history,
verified by multiple nodes.
Confidentiality Multiple nodes in network need access
to data to validate transactions and
update smart contract. Harder to have
flexible access control
Robustness High availability with low available
nodes. Geen SPOF / extreme fault
tolerance thanks to redundancy
Performance & speed Blockchain inherently less efficient: sig
creation & verification, data transfer,
consensus, storage, …
“If trust and robustness aren’t an issue, there’s nothing
a blockchain can do that a regular database cannot.”
Gideon Greenspan
https://www.multichain.com/blog/2016/03/blockchains-vs-centralized-databases/

Yes
Yes
Yes
4.2 Does a traditional
decentralized approach result in
data consistency issues or
complex/slow information flows?
Yes
4.3. Do we have
relatively simple & static
business rules between
multiple parties?
Yes
4.1. Is transparency,
verifiability or
auditability
important?
Let’s talk!At least one incoming green arrow
Answer the following three questions separately
Probably not a good
idea to use
blockchain
No
No
3 x No
2. Are only low performance write operations required?
(in seconds, not milliseconds)?
3. Is a traditional centralized approach,
resulting in a trusted, all-knowing party, suboptimal?
(Factors: trust, governance, privacy, security, cost, availability,…)
Yes
1. Do multiple parties need to interact with each other and
does this result in the storage of data that should stay
accessible by multiple parties?
No
23

24
Permissionless Permissioned
Toegang & gebruik door hele wereld Extra laag voor toegangscontrole
Volledig transparant Meer controle op wie ziet wat (vb. audit)
Meestal erg onefficiënt Pakken efficiënter
Vertrouwen gedistribueerd Vertrouwen gedecentraliseerd
Cryptomunt vereist Cryptomunt niet steeds vereist
Public / open Enterprise / Consortium

25https://coinmarketcap.com/
2 types of forks
- Fork from a code base
(e.g. Litecoin)
- Fork from a blockchain
(e.g. Bitcoin Cash & Bitcoin Gold)

Some Cryptography
26
Digital signatures Cryptographic hash Merkle Tree
Bloom filters Encryption
“The art of writing or solving codes.”

Symmetric Encryption
27
← 𝑔𝑒𝑛𝐾𝑒𝑦 ()
Example: AES
← 𝑒𝑛𝑐( , )
← 𝑑𝑒𝑐( , )

Public Key Cryptography
28
PK SK
, ← 𝑔𝑒𝑛𝐾𝑒𝑦𝑝𝑎𝑖𝑟()
SK
𝑠𝑖𝑔 ← 𝑠𝑖𝑔𝑛( , )
PK
𝑡𝑟𝑢𝑒 ← 𝑣𝑒𝑟𝑖𝑓𝑦( , 𝑠𝑖𝑔, )
Change 1 bit in doc →
invalid signature
Examples: RSA, DSA, ECDSA
What public key belongs to BOB? → Certificates
Signed by trusted authority
Bob
PK
Expires:
31/12/2020
CA: VeriSign
Certificate

Cryptographic Hash Function
Examples: SHA2, RIPEMD, SHA3 (keccak)
29
“Hello world!”
5e 50 6e 82 7f d5 50 ec 4e 08 8e e7 75 8f 34 b3
a6 8e 34 93 d5 89 98 52 97 48 f0 c6 c1 70 f3 3c
5f 3b fa 41 9c 63 be 2a 3a 09 ad bd 06 30 c5 1f
64 5e b0 3a ba fc d5 f2 ad 39 63 7a 30 6b 41 77
c0 53 5e 4b e2 b7 9f fd 93 29 13 05 43 6b f8 89
31 4e 4a 3f ae c0 5e cf fc bb 7d f3 1a d9 e5 1a
Unique fingerprint of some data
Fixed-length output One-way Collision resistant
c3 5e 79 4b cf 52 34 c4 5a fc 19 c0 04 79 3d e7
d3 d2 4b 20 12 d0 3b f6 13 8b 23 c9 97 41 8a 50“Hell0 world!”

Merkle Tree
30
ℎ1 ←
ℎ𝑎𝑠ℎ(𝑑𝑎𝑡𝑎1)
ℎ1−2 ← ℎ𝑎𝑠ℎ(ℎ1||ℎ2) ℎ3−4 ← ℎ𝑎𝑠ℎ(ℎ3||ℎ4)
ℎ 𝑟𝑜𝑜𝑡 ← ℎ𝑎𝑠ℎ(ℎ1−2||ℎ3−4)
𝑑𝑎𝑡𝑎1 𝑑𝑎𝑡𝑎2 𝑑𝑎𝑡𝑎3 𝑑𝑎𝑡𝑎4
ℎ2 ←
ℎ3 ←
ℎ4 ←
ℎ 𝑟𝑜𝑜𝑡: Hash van een set documenten

Merkle Tree: Prove Membership
31
ℎ1−2 ← ℎ𝑎𝑠ℎ(ℎ1||ℎ2)
ℎ 𝑟𝑜𝑜𝑡 ← ℎ𝑎𝑠ℎ(ℎ1−2||ℎ3−4)
𝑑𝑎𝑡𝑎2
ℎ2 ←
𝒉 𝟑−𝟒
𝒉 𝟏

Databases
32
NoSQL Examples: LevelDB, RocksDB, CouchDB,
Relational database NoSQL
Key-value store
Faster

33
AGENDA
4
Permissioned
5
Cases
1
Introduction
2
Unpermissioned
6
Conclusions
3
Smart contracts

34http://uk.businessinsider.com/bitcoin-pizza-day-passes-2000-20-million-2017-5
Op 22 mei 2010 kocht een software
ontwikkelaar 2 pizza’s voor 10 000 bitcoin.
Vandaag zijn 10 000 bitcoins meer dan 130
miljoen dollar waard

Bitcoin prijs
35
16 500 000 BTC in omloop
 Totale waarde: ± 240 miljard $
Alle cryptomunten samen:
±720 miljard $

Traditionele Internationale Transactie
36
Bob Alice

Traditionele Internationale Transactie
37
Bob Alice
Is dit mogelijk zonder vertrouwde partij?
1e gedistribueerde cryptomunt (2009)
Schok doorheen de financiële wereld
Snel aandacht voor Bitcoin/blockchain vanuit de financiële wereld
Cryptocurrencies solve the double
spend problem with crypto and exist
since the eighies (David Chaum)

Pseudoniemen & Sleutels
38
0,40 BTC → 0,40 BTC →Niet maar

Blockchain
39
Block 51
Header
Block 52
Header
Block 53
Header Header
Block 54
5,10 BTC →
0,70 BTC →
0,40 BTC →
1Nf311Qb8rLDk
1F1tAaz5x1HUX
3BcMuv1VJqm Bob
Alice
Charlie
Dave

Transacties & UTXOs
40
Header
Block 51
Header
Block 52
Header
Block 53
Header
Block 54
Mijn bitcoins zijn verspreid in de blockchain over meerdere transacties
Transaction Z4R
0,01 BTC →
Transaction 06D
12,6 BTC →
Transaction 83F
1,2 BTC →
Transaction YC0
0,8 BTC →
0,4 BTC →
Output Addr BTC
Z4R[0] 0,01
06D[0] 12,6
83F[0] 1,2
Output Addr BTC
Z4R[0] 0,01
06D[0] 12,6
YCO[0] 0,8
YCO[1] 0,4
Most recent state,
derived from the
blockchain (history)

Transactions & UTXO
41
input[0] output[0]
output[1]
output[2]
Transaction YC0
Outputs
0,7 BTC →
0,4 BTC →
Inputs
TRX[1]
Z4R[1]
Transaction TRX
Outputs
0,8 BTC →
1,0 BTC →
0,4 BTC →
Inputs
DRX[1]
K5T[0]
Output Addr BTC
Z4R[0] 0,01
06D[0] 12,6
83F[0] 1,2
Output Addr BTC
Z4R[0] 0,8
TRX[2] 0,4
8GJ[0] 0,8
YCO[0] 0,7
YCO[1] 0,4
Transaction Z4R
Outputs
0,8 BTC →
0,1 BTC →
Inputs
DRX[0]
Transaction 8GJ
Outputs
0,8 BTC →
Inputs
TRX[0]
Output Addr BTC
Z4R[0] 0,8
TRX[2] 0,4
8GJ[0] 0,8
TRX[1] 1,0
Z4R[1] 0,1

Bitcoin
42
Miner
Full node
Light node
Blockchain
append-only
Geschiedenis van Bitcoin
UTXO
Relevant info
UTXO
UTXO
UTXO
UTXO
UTXO
UTXO
UTXO

44
0,40 BTC → 0,40 BTC →Niet maar

Pseudonyms & Keys (simplified)
45
PK SK
, ← 𝑔𝑒𝑛𝐾𝑒𝑦𝑝𝑎𝑖𝑟()
https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses
← 𝑣𝑒𝑟𝑠𝑖𝑜𝑛 𝑝𝑢𝑏𝐾𝑒𝑦𝐻𝑎𝑠ℎ || checksum
25 bytes
SK
𝑠𝑖𝑔 ← 𝑠𝑖𝑔𝑛({ , }, )
PK
PK
𝑡𝑥 = { , , 𝑠𝑖𝑔}
PK
𝑝𝑢𝑏𝐾𝑒𝑦𝐻𝑎𝑠ℎ ← ℎ𝑎𝑠ℎ 𝑅𝐼𝑃𝐸𝑀𝐷(ℎ𝑎𝑠ℎ 𝑆𝐻𝐴256( ))
65 bytes
20 bytes

Transactions & UTXO
46
input[0] output[0]
output[1]
output[2]
Transaction YC0
Outputs
0,7 BTC →
0,4 BTC →
Inputs
TRX[1]
Z4R[1]
Transaction TRX
Outputs
0,8 BTC →
1,0 BTC →
0,4 BTC →
Inputs
DRX[1]
K5T[0]
Output Addr BTC
Z4R[0] 0,01
06D[0] 12,6
83F[0] 1,2
Output Addr BTC
Z4R[0] 0,8
TRX[2] 0,4
8GJ[0] 0,8
YCO[0] 0,7
YCO[1] 0,4
Transaction Z4R
Outputs
0,8 BTC →
0,1 BTC →
Inputs
DRX[0]
Transaction 8GJ
Outputs
0,8 BTC →
Inputs
TRX[0]
An input consumes
an output

47
{
"ver":1,
"inputs":[
{
"prev_out":{
“hash":37b2fd4cc6ca73f73b24ed6b10fccd20e322a87f195a36a5dd8962ad9f442301,
"n": 1,
},
"scriptSig":"PUSHDATA(71)[304402…0b01] PUSHDATA(33)[032725…f528] "
}
],
"out":[
{
"value": 3744000,
"scriptPubKey": "DUP HASH160 PUSHDATA(20)[659042…33c7] EQUALVERIFY CHECKSIG "
},
{
"value": 1018920,
"scriptPubKey":"DUP HASH160 PUSHDATA(20)[4fc238…da88] EQUALVERIFY CHECKSIG"
}
],
}
https://blockchain.info/tx/b657e22827039461a9493ede7bdf55b01579254c1630b0bfc9185ec564fc05ab?format=json
Transaction
Signature Public key
PubKeyHash

48
{
"ver":1,
"inputs":[
{
"prev_out":{
"n": 1,
},
}
],
"out":[
{
"value": 3744000,
"scriptPukKey": "DUP HASH160 PUSHDATA(20)[659042…33c7] EQUALVERIFY CHECKSIG "
},
{
"value": 1018920,
}
],
}
Transaction
OP_DUP
OP_HASH160
PUSHDATA(20)[a83fc0…8a87]
OP_EQUALVERIFY
OP_CHECKSIG
PUSHDATA(71)[304402…0b01]
PUSHDATA(33)[032725…f528]
Tx 37b2fd4cc6ca73f73b24ed6b10fccd20e322a87f195a36a5dd8962ad9f442301
…
"out":[
…
{
"value": 4920000,
"scriptPubKey": "DUP HASH160 PUSHDATA(20)[a83fc0…8a87] EQUALVERIFY CHECKSIG "
}
…
], Creator of transaction has to prove
that (s)he own the money

49
OP_DUP
OP_HASH160
PUSHDATA(20)[a83fc0…8a87]
OP_EQUALVERIFY
OP_CHECKSIG
scriptPubKey
referenced, older
transaction input
PUSHDATA(71)[304402…0b01]
PUSHDATA(33)[032725…f528]
scriptSig in input
new transaction
OP_DUP
OP_HASH160
PUSHDATA <pubKeyHash?>
OP_EQUALVERIFY
OP_CHECKSIG
PUSHDATA <signature>
PUSHDATA <pubKey>
PUSHDATA
<signature>
PUSHDATA
<signature>
<pubKey>
OP_DUP
<signature>
<pubKey>
<pubKey>
OP_HASH160
<signature>
<pubKey>
<pubKeyHash>
PUSHDATA
<signature>
<pubKey>
<pubKeyHash>
<pubKeyHash?>
OP_EQUALVERIFY
<signature>
<pubKey>
OP_CHECKSIG
true
Checks whether this is a
valid signature for the
entire transaction
Ripemd(sha256(pubKey))

50
{
"ver":1,
"inputs":[
{
"prev_out":{
"n": 1,
},
}
],
"out":[
{
"value": 3744000,
"scriptPukKey": "DUP HASH160 PUSHDATA(20)[659042…33c7] EQUALVERIFY CHECKSIG "
},
{
"value": 1018920,
}
],
}
Transaction
Tx 37b2fd4cc6ca73f73b24ed6b10fccd20e322a87f195a36a5dd8962
…
"out":[
…
{
"value": 4920000,
"scriptPubKey": "DUP HASH160 PUSHDATA(20)[a83fc0…8a87] E
}
…
],
Transaction fee =
4 920 000 – (3 744 000 + 1 018 920)
= 157 080 satoshi = 0.0015708 BTC

Multisig Transaction
51
What?
- A transaction that is only valid when it is signed by at
least n out of m entities
- In bitcoin context: money can only be unlocked when n
out of m entities agree
Why?
- E.g. blocked rent guarantee : 2-3 multisig
- We will see later that this tx type is also usefull in other
situations

scriptPubKey (referenced tx)
OP_2
PUSHDATA <A pubkey>
PUSHDATA <B pubkey>
PUSHDATA <C pubkey>
OP_3
OP_CHECKMULTISIG
PUSHDATA PUSHDATA
<sig A> <sig A>
<sig B>
scriptSig (new tx)
PUSHDATA <sig A>
PUSHDATA <sig C>
PUSHDATA <scriptMs>
PUSHDATA
<sig A>
<sig B>
2
<pubKey A>
OP_2
<sig A>
<sig B>
2
Multisig without P2SH

OP_2
PUSHDATA <A pubkey>
PUSHDATA <B pubkey>
PUSHDATA <C pubkey>
OP_3
OP_CHECKMULTISIG
scriptSig (new tx)
PUSHDATA <sig A>
PUSHDATA <sig C>
PUSHDATA <scriptMs>
Multisig without P2SH
OP_CHECKMULTISIG
true
OP_3
<sig A>
<sig B>
2
<pubKey A>
<pubKey B>
<pubKey C>
3
PUSHDATA
<sig A>
<sig B>
2
<pubKey A>
<pubKey B>
<pubKey C>
PUSHDATA
<sig A>
<sig B>
2
<pubKey A>
<pubKey B>
Not ideal for the sender/buyer
- WTF is this script you are sending me?
- I don’t care about what you are doing. I
just want to send money to an address
- I will have to pay a higher tx fee!
=> P2SH solves this

Multisig with P2SH
54
Referenced tx New tx
input[0]
input[1]
output[0]
output[1]
output[2]
scriptSig
<sig A>
<sig B>
<scriptMultisig>
scriptPubKey
<pubKeyHashMultisig>
input[0] output[0]
output[1]
P2SH: Pay to script hash
𝑝𝑢𝑏𝐾𝑒𝑦𝐻𝑎𝑠ℎ𝑀𝑢𝑙𝑡𝑖𝑠𝑖𝑔 ← ℎ𝑎𝑠ℎ(𝑠𝑐𝑟𝑖𝑝𝑡𝑀𝑢𝑙𝑡𝑖𝑠𝑖𝑔)

55
OP_HASH160
PUSHDATA <scriptMsHash?>
OP_EQUAL
PUSHDATA OP_EQUAL
PUSHDATA PUSHDATA PUSHDATA
<sig A> <sig A>
<sig B>
<sig A>
<sig B>
<scriptMs>
OP_HASH160
<sig A>
<sig B>
<scriptMsHash>
<sig A>
<sig B>
<scriptMsHash>
<scriptMsHash?>
<sig A>
<sig B>
scriptMs
OP_2
PUSHDATA <A pubkey>
PUSHDATA <B pubkey>
PUSHDATA <C pubkey>
OP_3
OP_CHECKMULTISIG
scriptSig (new tx)
PUSHDATA <sig A>
PUSHDATA <sig C>
PUSHDATA <scriptMs>
true
Multisig
with P2SH
Shared address

56
scriptMs
OP_2
PUSHDATA <A pubkey>
PUSHDATA <B pubkey>
PUSHDATA <C pubkey>
OP_3
OP_CHECKMULTISIG
OP_CHECKMULTISIG
true
OP_3
<sig A>
<sig B>
2
<pubKey A>
<pubKey B>
<pubKey C>
3
PUSHDATA
<sig A>
<sig B>
2
<pubKey A>
<pubKey B>
<pubKey C>
PUSHDATA
<sig A>
<sig B>
2
<pubKey A>
<pubKey B>
PUSHDATA
<sig A>
<sig B>
2
<pubKey A>
OP_2
<sig A>
<sig B>
2
Multisig with P2SH

57
Colored Coins
Transaction
0,01 BC →
Data
Publiek pseudoniem van overheid / school / …
Transaction
0,01 BC →
Data
Pseudoniem notaris
Pseudoniem 1e eigenaar
Transaction
0,01 BC →
Transaction
0,01 BC →
Value transfer
Record keeping
Possible to store up to 80 bytes of arbitrary data in transaction
(Fingerprint van)
Beschrijving van de asset
Fingerprint van
diploma, certificaat, …

Colored Coins
58
Transaction K8V
Outputs
output[0]: 0,0001 BTC →
output[1]:
Inputs
OP_RETURN
PUSHDATA <data>
marks transaction
output as invalid
max 80 bytes
Implemented by Open Assets
https://github.com/OpenAssets/open-assets-protocol/blob/master/specification.mediawiki

- Mining
60
‘Miners’ gaan in competitie met elkaar om als
eerste een rekenintensieve cryptografische
puzzel te vinden (per blok).

Bitcoin Mining
61
000000000000000002A386ADBAED073B0
2E66EE8A6A61FD83BA33DF434553671
Header
Hash
(fingerprint)
function
669831a3180f1e77e9e3c904b76d6254
03924303118ff97acff2d8599b9dc91b
bc9e7154309cdc81c5b6203b04531581
07e8d4c4cfe6eeb82fbaddefa345dc7b
015487950321
Eigenschappen
- Moeilijk te vinden
- Makkelijk te verifiëren
- Aanpasbare moeilijkheidsgraad
Winnaar beloond
- Nieuwe bitcoins
- Transactievergoedingen
Disclaimer: in werkelijkheid wordt enkel de header gehasht, die een fingerprint bevat van de transacties

Merkle Tree
62
ℎ1 ←
ℎ1−2 ← ℎ𝑎𝑠ℎ(ℎ1||ℎ2) ℎ3−4 ← ℎ𝑎𝑠ℎ(ℎ3||ℎ4)
𝑚𝑟𝑘𝑙 𝑟𝑜𝑜𝑡 ← ℎ𝑎𝑠ℎ(ℎ1−2||ℎ3−4)
ℎ2 ←
ℎ3 ←
ℎ4 ←
ℎ 𝑟𝑜𝑜𝑡: Hash van alle transacties in blok
tx2tx1
nonce
coinbase
tx4tx3

Bitcoin Mining
63
000000000000000002A386ADBAED073B0
2E66EE8A6A61FD83BA33DF434553671
Header
mrklroot
Hash
(fingerprint)
function
669831a3180f1e77e9e3c904b76d6254
03924303118ff97acff2d8599b9dc91b
bc9e7154309cdc81c5b6203b04531581
07e8d4c4cfe6eeb82fbaddefa345dc7b
015487950321
Disclaimer: Ook dit is nog steeds een vereenvoudiging
Full client can prove to light
client that transaction is
included in the block

64
Difficulty adjusted every 2 weeks (2016 blocks) based on
 Frequency higher at the end of such a window
(in case increasing prices)
difficulty ∗ 232
= 8 044 926 758 032 733 372 416 hashes / block
⇔ 13 408 211 263 387 888 954 hashes/s

Ecologische Impact
65https://digiconomist.net/bitcoin-energy-consumption
Elektriciteitsverbruik per land
> 70% in China
Zwakke milieuwetgeving
→ Goedkope elektriciteit
(steenkool & waterkracht)
Max. capaciteit
3 transacties / sec.

Block Header
66
ver 536870912
prev_block "0000000000000000006be77c…59f44707583dfdb6ed5854c"
mrkl_root "ef921086403dd412ad2eb150…36dabbba24b43a196b55079"
time 1514287770
difficulty 30c31b18
nonce 1531448244
nb 1732
Header
Block 53
Coinbase transaction
- New bitcoins created for miner
- Transaction fees for miner
- Also arbitrary data to solve puzzle
Transaction K8V
Outputs
input[0]: 16,4 BTC →
input[1]:
Inputs
OP_RETURN
PUSHDATA <random>

Mining Pools
67
A stable income for small miners

Mining Pools
68
A stable income for small miners
- Group of miners working together on the same puzzle
- Coordinating manager. Others can join.
- Manager sends only headers to members
- Member has x% of computation power → x% of reward if pool finds puzzle
- Pool member proves that he does his share by sending “near solutions” to
the manager
Coinbase
mrklroot
nonce
tx1tx0
nonce
coinbase
tx3tx2
mrklroot
h(h(tx0)||h(tx1)) h(h(tx2)||h(tx3))

Full Client
70
Block 51
Header
Block 52
Header
Block 53
Header Header
Block 54
Header HeaderHeader Header
Light Client

Light Clients
71
ℎ1 ←
ℎ1−2 ← ℎ𝑎𝑠ℎ(ℎ1||ℎ2) ℎ3−4 ← ℎ𝑎𝑠ℎ(ℎ3||ℎ4)
𝑚𝑟𝑘𝑙 𝑟𝑜𝑜𝑡 ← ℎ𝑎𝑠ℎ(ℎ1−2||ℎ3−4)
ℎ2 ←
ℎ3 ←
ℎ4 ←
ℎ 𝑟𝑜𝑜𝑡: Hash van alle transacties in blok
tx2tx1
nonce
coinbase
tx4tx3
5487950321Coinbase
mrklroot

Gelijktijdige Blokcreatie
72
Wat gebeurt er indien twee miners ongeveer gelijktijdig een geldig blok vinden
Langste tak is diegene die aanvaard wordt
(correcter: tak met meeste ‘werk’)
Daarom best een aantal blokken wachten
vooralleer transactie als verwerkt te beschouwen

Gelijktijdige Blokcreatie
73
Genesis block
- We hebben tenminste een hash
nodig als ‘root of trust’
- Hierin kun je ‘gratis geld’ toekennen
aan de eerste investeerders
Orphan blocks

Consensus
Proof-of-Work
- x% resources → x% blokken
- Cryptografische puzzel
- Competitie
- Mining - Erg energieintensief
- Controle: > 50% rekenkracht
in unpermissioned blockchain netwerken
Proof-of-Stake
- x% stake (e.g. coins) → x% blokken
- Deterministisch algoritme voor
selectie participant die blok creëert
- Minting - Efficiënt
- Controle: > 50% stake (moeilijker)
- Incentive voor minter om
verschillende in stand te houden
=> Machtige participant kan blockchain controleren
(hybrid)

Veiligheid
76
Block 51
Header
Block 52
Header
5,10 BTC →
Header
Block 53
0,70 BTC →
Header
Block 54
0,40 BTC →
Header
Block 53
0,70 BTC →
Header
Block 52
Header
Block 54
0,40 BTC →
Hoe ouder de transactie, hoe beter beschermd
Want gevolgd door meer blokken
waarvoor cryptografische puzzel opnieuw opgelost moet worden
Veiligheid proportioneel tot de hoeveelheid rekenkracht

Security
77
Mathematical assumptions
E.g. ECDSA
Cryptographic assumptions
E.g. SHA-2 & RIPEMD
Applicative asssumptions
E.g. No miner > 50% mining power
← Heavy assumption
Bitcoin is conceptually secure as long as some assumptions are met
In crypto
- We trust that the assumptions are (and stay) correct
- Weaker assumptions → stronger solutions
- Heavier assumptions → weaker solutions

Veiligheid
Het bitcoin protocol is veilig zolang er geen participant meer dan
50% van de rekenkracht bezit (*)
(*) According to Decker and Wattenhofer 49,1% suffices due to stale blocks
Bitcoin is niet alleen een concept…
User Software Infrastructure
Loss
Theft
Abuse
James Howells, who works in IT, lost in 2013 7500 bitcoins by throwing
away by accident an old hard disk, which contained his secret key.
Nearly 4M Bitcoins Lost Forever
Source: chainalysis.com

79
51% Attack on Krypton
https://cryptohustle.com/krypton-recovers-from-a-new-type-of-51-network-attack
August 26, 2016.
Krypton, an Ethereum-based blockchain,
recovered from a novel version of a 51%
attack which appears to be the first of its
kind.
The exploit includes a two pronged attack:
first prong was, overpowering the network
with at least 51% of the hashing power to
roll back transactions and spend the same
coins twice, and the second prong was
DDoS-ing nodes to multiply network
power. This exploit should be understood by
all smaller coins to prevent copycat attacks.

Risico
80
Card Stop
Afhaallimiet
Terugbetaling
Centrale entiteit → individuele gebruiker
→ Soms zijn we blij dat er een centrale partij is
Omgaan met verlies

Hardware Wallets
81
Sleutel fysiek beschermd met hardware token

82https://www.wired.com/story/i-forgot-my-pin-an-epic-tale-of-losing-dollar30000-in-bitcoin/?mbid=nl_102917_daily_list1_p1
But don’t loose your PIN / Password!

83
(pseudonym)
Shamir Secret Sharing (1979)

Online Wallets
84
Online
wallet
Beheert jouw bitcoins
Volledig vertrouwen nodig
Enkele gehackte online wallets…
Klanten verloren geld

85https://www.theguardian.com/technology/2017/dec/07/bitcoin-64m-cryptocurrency-stolen-hack-attack-marketplace-nicehash-passwords

Pseudoniemen
87
Fysieke wereld Bitcoin netwerk
1Nf311Qb8rLDkWTHrhpmNewZzkcWFYptfc
1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX
3BcMuv1VJqmwY5Wim8MPAzKAAiAKby9LcN
Charlie
Bob
Alice

88
Bitcoin & Anonimiteit
QR-code
- bevat pseudoniem
- Scan om te betalen
Alle transacties van en naar
dit pseudoniem zijn publiek
Meerdere pseudoniemen
- Minder praktisch
- Links nog steeds mogelijk
Tweerichtings
Subway kan ook jouw bitcoin
geschiedenis te weten komen

Bitcoin & Anonimiteit
89Fleder, Michael, Michael S. Kester, and Sudeep Pillai. "Bitcoin transaction graph analysis." arXiv preprint arXiv:1502.01657 (2015).
Transaction graph for 1 day
Gebruikers onthullen hun pseudoniem
- Op het Internet
- Aan anderen bij een transactie
=> Linken aan persoon / nickname

Pseudoniemen
90
Charlie
Bob
Alice

Hierarchical Deterministic Wallets
91
BIP 0032
PK SK
PK
0
PK
1
PK
n
. . .
SK
0
SK
1
SK
n
. . .
- Generate unlimited number of
addresses / pseudonyms based on
one private key
- Create new addresses without
needing your private key
- Multiple levels deep

One-Time Pseudoniemen
92
Transaction
0,8 BC →
0,4 BC →
Charlie
Bob
Alice

Bitcoin Anonymity
93Fleder, Michael, Michael S. Kester, and Sudeep Pillai. MIT. "Bitcoin transaction graph analysis." arXiv preprint arXiv:1502.01657 (2015).
Transaction graph for 1 day
‘Geïdentificeerde’ personen gelinkt aan
- SilkRoad
- Wikileaks
- SatoshiDICE

Why is Bitcoin Used?
98
Hard to find exact numbers
Illegal activities Gambling
Speculation Protection against
inflation/crash local
currency (e.g. Venezuela)
International
transactions
Transactions of small amounts sometimes very expensive

Average Transaction Fee in $
99https://bitinfocharts.com/comparison/bitcoin-transactionfees.html#1y
Volatile & unpredictable Based on supply & demand
Based on size (in bytes) of transaction, not on amount
Payed by the entity sending money
Double volatility: value and transaction costs

100
Tussenpartij of autoriteit elimineren
⇏
Efficienter en/of goedkoper

Bitcoin & Regulering
Wie bepaalt de regels?
101

Power to the People?
102
Core developers
Propose official Bitcoin client
Miners
Use proposed client
Process transactions
Bitcoin holders
Use proposed client
Centralisation of mining
> 50% of mining power
→ Rewrite the blockchain
Implement the
rules of the game

Forks & Consensus
103
Changing the rules of the game
Size≤
1MB
Size≤
1MB
Size≤
1MB
Size≤
1MB
Size≤
1MB
Size≤
1MB
Size≤
1MB
Size≤
2MB
Size≤
2MB
Size≤
2MB
Three options
- The whole community accepts new rule
- (Almost) no one accepts new rule
- A significant part accepts nuw rule,
a significant part does not

Afsplitsingen (Forks)
104
Maart ‘17
Aug. ‘17
Alsof er op de tabel van Mendeljev
plots naast het zeldzame Au (Goud)
nieuwe, even zelfdzame elementen
ontstaan met quasi dezelfde
eigenschappen
Okt. ‘17
Bestaande munten splitsen mee

Total Amount of Bitcoins
105
Total amount of bitcoins created
Deflatoir
→ Toenemende waarde
→ incentief tot sparen

Hard & Soft Forks
106http://vitalik.ca/general/2017/03/14/forks_and_markets.html
Soft Fork
- Reduced set of transactions /
blocks that are valid
- Transaction/blocks valid under
the new rules considered valid
by old nodes
- Example: P2SH
Hard Fork
- Expanded set of transactions /
blocks that are valid
- Transaction/blocks valid under
the new rules considered
invalid by old nodes
- Considered more difficult
because everyone has to
update on time
- Example: SegWit

Snelheid
108
0
< $25
few sec.
# Bevestigingen
Bedrag
Tijd
1
< $250
±10 min.
2
< $2500
±20 min.
3
< $25 000
±30 min.
4
< $250 000
±40 min.
5
< $2,5M
±50 min.
6
< $25M
±60 min.
Theoretisch ben je zelfs na 60 min. nog niet zeker
Aantal bevestigingen hangt af van riscotolerantie

109https://www.vrt.be/vrtnws/nl/2017/10/12/wachten-tot-een-overschrijving-op-uw-rekening-staat--vanaf-eind-/#

Blockchain.info
110
Schaalprobleem
- Alle transacties op blockchain
- 3 transacties / sec. ↔ Visa: 10 000 / sec.
- En blockchain toch al 120GB groot
Schaalprobleem
- Alle transacties in blockchain
- 3 transacties per seconde ↔ Visa: 65 000 / sec.
(Verhoogt geleidelijk danzij invoering SegWit)
- En reeds > 151 GB (excl. UTXO, SegWit))
Bitcoin Blockchain Grootte
blockchain.info/charts/blocks-size
Toekomst: Lightening network

We trust…
111
The correctness of the assumptions
The unhackability of website & trade platforms
The unhackability of out blockchain client
Our infallibility (onfeilbaarheid)
Miners not to rewrite the blockchain collectively
That the value of Bitcoin will not collapse
That miners en core developers will not
change the rules against our interests
That the network will not be saturated and that the transaction
fees will be reasonable when we want to do a transactions

Old Concepts
112
Concept Year
Stack-oriented programming language 1957 - GEORGE
Cryptographic hash function Late ‘70
Digital signatures 1977 (1973) - RSA
Merkle trees 1979
Shamir secret sharing 1979
Proof-of-Work 1993

Have a look at
113
https://blockchain.info/
https://bitcoin.org/nl/download

Enkele Bedenkingen
114
Bitcoin is een eerste experiment
• Niet perfect en dat mogen we ook niet verwachten
• Gebruik van eenvoudige, oude crypto concepten (jaren ‘70)
• Interessante nieuwe concepten
Uitdagingen
• Technische: schaalbaarheid, privacy, transactiekosten, forks,
efficiëntie, …
• Niet-technisch: juridisch, maatschappelijk, risico,…
Idee distributie vertrouwen m.b.v. technologie
• “Alles dat met een vetrouwde autoriteit gedaan kan
worden, kan ook zonder” - D. Boneh, crypto prof. @ Stanford
• Niet enkel blockchain technologie

115
Secure
Human meaningful Decentralized
Conjecture: “Having the three properties simultanesously is not possible”
Zooko’s triangle
Desired properties for names of participants in a network

• Blockchain to store (tradable) name/value pairs
– For instance: DNS: domain name/IP address
• Refutes Zooko’s triangle
• Forked from Bitcoin code, but separate blockhain
• Launched in 2011
• Currency: Namecoin (NMC)
116http://www.econinfosec.org/archive/weis2015/papers/WEIS_2015_kalodner.pdf

117
input[0]
NAME_NEW Transaction QA2
Outputs
0,01 NMC →
…
Inputs
DRX[1]
…
𝑐𝑜𝑚𝑚𝑖𝑡𝑚𝑒𝑛𝑡
input[0]
NAME_FIRSTUPDATE Transaction XBL
Outputs
0,01 NMC →
…
Inputs
QA2[0]
…
𝑛𝑎𝑚𝑒, 𝑛𝑜𝑛𝑐𝑒, 𝑣𝑎𝑙𝑢𝑒
input[0]
NAME_UPDATE Transaction W2T
Outputs
0,01 NMC →
…
Inputs
XBL[0]
…
𝑛𝑎𝑚𝑒, 𝑣𝑎𝑙𝑢𝑒’
Three transaction types
- Wait at least 12 blocks
- Nonce prevents front-running
- Miner checks if nonce & name
match with commitment & if tx
QA2 not older than 36000 blocks
Use: Renew, Transfer, Change
Miner checks if names match &
if tx XBL not too old
𝑐𝑜𝑚𝑚𝑖𝑡𝑚𝑒𝑛𝑡 ← ℎ𝑎𝑠ℎ 𝑛𝑜𝑛𝑐𝑒 | 𝑛𝑎𝑚𝑒))

118
input[0]
Outputs
0,01 NMC →
…
Inputs
DRX[1]
…
input[0]
Outputs
0,01 NMC →
…
Inputs
QA2[0]
…
input[0]
Outputs
0,01 NMC →
…
Inputs
XBL[0]
…
OP_NAME_NEW
PUSHDATA <commitment>
OP_2DROP
OP_DUP
OP_HASH160
OP_EQUALVERIFY
OP_CHECKSIG
Data given to miner as
part of scriptPubKey

119
input[0]
Outputs
0,01 NMC →
…
Inputs
DRX[1]
…
input[0]
Outputs
0,01 NMC →
…
Inputs
QA2[0]
…
input[0]
Outputs
0,01 NMC →
…
Inputs
XBL[0]
…
OP_NAME_FIRSTUPDATE
PUSHDATA <name>
PUSHDATA <nonce>
PUSHDATA <value>
OP_2DROP
OP_2DROP
OP_DUP
OP_HASH160

input[0]
Outputs
0,01 NMC →
…
Inputs
DRX[1]
…
input[0]
Outputs
0,01 NMC →
…
Inputs
QA2[0]
…
input[0]
Outputs
0,01 NMC →
…
Inputs
XBL[0]
…
120
OP_NAME_UPDATE
<name>
<value>
OP_2DROP
OP_DROP
OP_DUP
OP_HASH160
OP_EQUALVERIFY
OP_CHECKSIG

121
AGENDA
4
Permissioned
5
Cases
1
Introduction
2
Unpermissioned
6
Conclusions
3
Smart contracts

Blockchain gaat over
Distributie van Vertrouwen
122
Blockchain Netwerk
Bescherming data Afdwingen regels

Smart Contracts (aka chaincode)
123
Regels zijn
- Hardgecodeerd in de
Bitcoin software
- Applicatiespecifiek
→ Niet flexibel
Code die uitgevoerd wordt op het blockchain netwerk, zonder centrale partij
Kan een blockchain netwerk ook op
een flexibele regels afdwingen voor
een diverse set van applicaties?

Smart Contracts (aka chaincode)
124
Regels zijn
- Hardgecodeerd in de
Bitcoin software
- Applicatiespecifiek
→ Niet flexibel
Code die uitgevoerd wordt op het blockchain netwerk, zonder centrale partij
- Smart contract = set
applicatiespecifieke regels
- Blockchain netwerk dwingt regels af,
zorgt voor correcte uitvoering
- Smart contracts kan cryptogeld
ontvangen, bijhouden en uitgeven
Verwerken
voorschriften
Verkiezingen Verzekeringen
Sterke toename potentieel blockchain technologie

Voorbeelden
125
http://dapps.ethercasts.com/
Smart locks (wagen, huis, …)
Blokkeren huurwaarborg
Verkiezingen
Veiling Crowdfunding
Afspraken tussen partijen die elkaar niet vertrouwen

Smart Contracts
126
Contract Auction{
function bid()
function end()
HighestBid: €
HighestBidder:
Beneficiary: Charlie
}
bid(), 20€
end()
bid(), 10€
20€
02010
Bob
Alice
Charlie
Alice
10€
Bob
Smart contract kan cryptogeld tijdelijk blokkeren
Niemand kan de correcte uitvoering beïnvloeden

Events in Smart Contracts
127
Contract{
function bid(){…}
function end(){…}
HighestBid: €
HighestBidder:
Beneficiary: Charlie
}
bid(...), 20€
end(...)
bid(...), 10€
20€
02010
Bob
Alice
Charlie
Alice
10€
Bob
bidEvent: 10€
bidEvent: 10€
bidEvent: 20€
bidEvent: 20€
Events informeren Charlie & Dave over nieuwe biedingen
Oude events zichtbaar: Charlie & Dave niet per se permanent online
Dave

Smart contract
Piece of code published on the blockhain and run
in a distributed way by the blockchain network
=> Not smart
=> Mostly not a (legal) contract
128
It is deaf & blind:
- It only knows its own status & the function parameters when a function is called
- It has no knowledge about anything else in the world / on the blockhain
It is reactive
- It will not do anything, unless a function is called
- This can result in a function call in another smart contract
It is distributed
- All full nodes know & execute the smart contract
- In some permissioned blockchains, this can be limited to a subset

Smart Contract Blockchain
129
contract c
Header
Block 51
c.bid(), 10€
Header
Block 52
Header
Block 53
c.bid(), 20€
Header
c.end()
Block 54Publiceren contract
(genesis transaction or
deploy transaction)
Oproepen functie
(invoke transaction)

Netwerk
130
Miner
Validating (full) node
Light node
Blockchain
append-only
Geschiedenis van smart contracts
Smart contract
Wijzigbaar door
oproepen van functies

Bitcoin
131
Miner
Validating (full) node
Light node
Blockchain
append-only
Geschiedenis van Bitcoin
UTXO
Relevant info
UTXO
UTXO
UTXO
UTXO
UTXO
UTXO
UTXO

132
contract SimpleAuction
{
address public beneficiary;
uint public auctionStart;
uint public biddingTime;
address public highestBidder;
uint public highestBid;
bool ended;
event HighestBidIncreased(address bidder, uint amount);
event AuctionEnded(address winner, uint amount);
function SimpleAuction(uint _biddingTime, address _beneficiary)
{
beneficiary = _beneficiary;
auctionStart = now;
biddingTime = _biddingTime;
}
function bid() payable
Smart Contract Code
Disclaimer: Een Ethereum exploit wordt genegeerd voor de eenvoud
http://solidity.readthedocs.io/en/develop/solidity-by-example.html

Doe dit NOOIT…
133
// Proof of Ownership contract
contract ProofOfOwnership{
mapping(bytes32=>bool) proofs;
//calculate and store the proof for a document
function notarize(string document){
var proof = sha256(document);
proofs[proof] = true;
}
// check if a document has been notarized
function checkDocument(string document) returns (bool){
var proof = calculateProof(document);
return proofs[proof];
}
}
Dit werd als ernstig voorbeeld gegeven op een seminarie door een expert
proofs: c0796844c3cbc… → true
5d5f4926be230… → true
c56d58202b0aa… → true
17f8f6699a8948… → true
…
document VOLLEDIG bewaard in transactie op blockchain

Orakels
134
En wat indien een orakel foute informatie aanlevert?
- Contract uitvoering kan niet teruggedraaid worden
- Meerdere oracles die stemmen?
Soms heeft een smart contract gegevens nodig uit de reële wereld
Compensatie Verzekering
Vertrouwde leverancier van gegevens uit de reële wereld
Orakel roept telkens contractfunctie aan → Transactie op blockchain

135
In summary
- Launched: July 30 2015 after ICO (0.1 Ether per $)
- Unpermissioned blockchain-based smart contract platform
- Smart contracts written in Solidity (or Serpent)
- Most popular smart contract platform
- 2nd biggest cryptcurrency (Ether)
Two types of accounts
- Externally owned accounts
- Contracts can receive, contain and send money
Every account (contract or user) has a balance (↔ Bitcoin)

136
{
bool ended;
{
auctionStart = now;
}
...
}
6060604052346100005760405161037c3803806
37c833981016040528080518201919050505b5b
3600060006101000a81548173fffffffffffffffffffffff
fffffffffffff021916908373ffffffffffffffffffffffffffffffff
ffff1602179055505b8060019080519060200190
805460018160011615610100020316600290049
600052602060002090601f01602090048101928
01f106100b557805160ff1916838001178555610
3565b828001600101855582156100e357918201
b828111156100e2578251825591602001919060
101906100c7565b5b50905061010891905b8082
1156101045760008160009055506001016100ec
5b5090565b50505b505b6102608061011c60003
6000f30060606040526000357c0100000000000
000000000000000000000000000000000000000
000900463ffffffff16806341c0e1b514610049578
3cfae321714610058575b610000565b34610000
6100566100ee565b005b3461000057610065610
82565b604051808060200182810382528381815
815260200191508051906020019080838360008
Ontwikkelomgeving
Programmeertaal: Solidity
Gecompileerde Ethereum
byte code op blockchain
Turing compleet (↔ Bitcoin scripts). Alles wat te berekenen is met
een computer kan ook in Solidity / Ethereum byte code
Difficult to interprete byte code: recompile source code & compare

Transaction Costs
138
contract demo{
function notarize(string doc){
}
function increment(string doc) returns uint{
return document.length;
}
function loop(string doc){
while(true){}
}
}
Transaction equally big,
but different consumption of resources (computation, storage)
→ Bitcoin’s pay-per-byte model insufficient
→ More resource intensive functions are more expensive
Transaction fee
Transaction
size
Smart contract
execution

Gas & Gasprice
139
Example: Hash 128 bytes of data
Gas price: 28 Gwei (= 0.000000028)
Price Ether: 980$
Gas: 30 + 4*6 = 54
Cost: 54 * 28 Gwei = 0,000001512 Ξ (0,0015$)
200 bytes tx: < 34600 gas = 0,0009688 Ξ (0,949$)
https://etherscan.io/chart/gasprice - https://etherscan.io/chart/gaslimit
Operation Gas
Transaction 21000
Transaction zero byte 4
Transaction non-zero byte 68
ADD 3
MULTIPLY 5
KECCAK256 (SHA3) 30
256 BITS KECCAK INPUT 6
… …
- Gas: Amount of required work to
execute code (unit of work)
- Gas Price: Compensation for the
miner per unit of work (gas)
Market (supply-demand) driven
- Miner’s fee: 𝑔𝑎𝑠 ∗ 𝑔𝑎𝑠𝑝𝑟𝑖𝑐𝑒
Incentive for efficient
smart contracts
- No byte limit (↔Bitcoin)
- Gas limit:moving,
currently 8M gas
Block limit

140
{
bool ended;
function SimpleAuction(uint _biddingTime, address _beneficiary){…}
function bid() payable {…}
function end() {…}
}
Smart Contract Code
Real cost bid() function
Gas: 63230
Gasprice: 0.000000028 Ether
1 ether: 980$
=> 1,74$ (04/01/2018)

Doe dit NOOIT…
142
// Proof of Ownership contract
contract ProofOfOwnership{
//calculate and store the proof for a document
function notarize(string document){
}
// check if a document has been notarized
function checkDocument(string document) returns (bool){
var proof = calculateProof(document);
return proofs[proof];
}
}
Dit werd als ernstig voorbeeld gegeven op een seminarie door een expert
proofs: c0796844c3cbc… → true
5d5f4926be230… → true
c56d58202b0aa… → true
17f8f6699a8948… → true
…
document VOLLEDIG bewaard in transactie op blockchain
Hoge miner’s fee (1Mb => $1871)

Transaction Processing
143https://ethereum.stackexchange.com/questions/3/what-is-meant-by-the-term-gas
Transaction
gasPrice Fee per gas (unit of work) end-user is willing to pay
(Higher fee → faster processing)
startGas (gasLimit) Max. amount of gas allowed to be consumed
data Smart contract function invocation data
….
Three options
gasPrice too low
miners refuse to process tx
End-user pays nothing
1 gasPrice ok, but startGas too low
Insufficient gas to process tx
(Failed) tx registered in blockchain
End-user looses money
2
gasPrice ok, startGas ok
Tx in blockchain, code executed
end-user pays gasPrice * consumedGas to miner
3

- Mining
144
ASIC resistant
- Computation AND memory
required
- Ideal: less centralisation
- DAGs (Directed Acyclyc Graphs)
- DAG renewed every epoch (=
30000 blocks = 125 hours = ca. 5.2
days
Target: 1 block every 10 secs

Mining
145
4GB RAM
6x AMD Radeon RX 470/570
60GB SSD
Intel Celeron G1840
1000W

Modified GHOST protocol
148
time
Miner A
Miner B
Miner C
Ethereum target frequency: 10 seconds.
It takes 12 seconds for block to propagate through network (Bitcoin)
Many Orphan blocks (uncles)
Consequences
- Weaker security (4/11 of work is lost)
- Centralisation: Big miners have extra advantage: can relatively often mine
directly on top of the block they just mined, without propagation delay
1
2
2
3
3
4
5
5
5
6
7

149
Is secured
by more
work
Minder gets 7/8 of normal
reward (incentive for smaller
miners to continue
Miner gets full miner’s reward
+ 3,125 % per included uncle
Result
- Stronger chain
- Weaker centralisation
- Chain size does not grow much: only header of uncle relevant
4
5
5 63

150
Is secured
by more
work
Minder gets 6/8 of normal
reward (incentive for smaller
miners to continue
Miner gets full miner’s reward
+ 3,125 % per included uncle
Up to 7 levels 1st generation: 7/8
2nd generation: 6/8
….
7th generation: 1/8
4
5
5 63 7

151
Transaction
Transaction
Block 52
transactionRoot52
receiptsRoot52
stateRoot52
Transaction
difficulty solution
nb timeparent
Block 53
transactionRoot53
receiptsRoot53
stateRoot53
difficulty solution
nb timeparent
Transac
Transac
tra
re
difficu
paren
transactionRoot52
Transaction
Transaction
Transaction
Transaction
Hoe weten we dat het netwerk de code correct uitvoert?

152
Block 53
transactionRoot53
receiptsRoot53
stateRoot53
difficulty solution
nb timeparent
transactionRoot53
Transaction
Transaction
Transaction
Transaction
Transaction Transaction Transaction Transaction
transactionRoot53
Full node can prove to light node that
transaction was included

Vereenvoudigde World State
153
stateRoot52
Contract1 Contract2
a = 123 b = false x = 10000 y = 1amount = 50 amount = 0

154
stateRoot52
Contract1 Contract2
a = 123 b = false x = 10000 y = 1amount = 50 amount = 0b = true
Contract’1
stateRoot53
Some parts of the tree can be removed. This is called ‘pruning’

155
Contract2
a = 123 x = 10000 y = 1amount = 50 amount = 0b = true
Contract’1
stateRoot53

156
Contract2
a = 123 x = 10000 y = 1amount = 50 amount = 0b = true
Contract’1
Block 53
transactionRoot53
receiptsRoot53
stateRoot53
difficulty solution
nb timeparent
transactionRoot53
Transaction
Transaction
Transaction
Transaction
stateRoot53
=?
true: accept & forward block
false: reject block
Vertrouwen gedistribueerd over het netwerk

Events
157
Block 53
transactionRoot53
receiptsRoot53
stateRoot53
difficulty solution
nb timeparent
transactionRoot52
Transaction
Transaction
Transaction
Transaction
logsBloom
Receipt
- 𝑅 𝜎: Post-transaction state root
- 𝑅 𝑢: Cummulative gas used so far by block
- 𝑅 𝑏: Set of events/logs created
- 𝑅𝑙: Bloom filter for those logs
receiptsRoot53
txReceipt txReceipt txReceipt txReceipt
Allows to efficiently check if there
are relevant events in the block
Receipts stored off-chain

Efficient way to check membership, without disclosing the set’s content
158
Bloom Filters
False positives
possible, false
negatives not
(1970)

Contract Address
Needed to call functions & to send
money to the contract
159
ℎ ← ℎ𝑎𝑠ℎ 𝑆𝐻𝐴3 𝑎𝑑𝑑𝑟𝑒𝑠𝑠 𝑝𝑢𝑏𝑙𝑖𝑠ℎ𝑒𝑟 𝑛𝑜𝑛𝑐𝑒
Transaction
- nonce
- to: null
- data: contract code
- sig_data
- signature data
Incremented each time the
user creates a transaction
under this address
The user’s address is
derived from this
information
𝑎𝑑𝑑𝑟𝑒𝑠𝑠 𝑐𝑜𝑛𝑡𝑟𝑎𝑐𝑡 ← 𝑐𝑜𝑝𝑦(12, 31, ℎ)

160
- boolean: bool
- bytes: bytes1=byte, bytes2, bytes3, …, bytes32
- signed: int8, int16, int24, … int256,
- unsigned: uint8, uint16, uint24, … uint256
- address: address
- arrays
- …
- float & double not supported yet
Some types
More fine grained control over byte size of variables

Application Binary Interface (ABI)
162
Function definition in ABI
{
"constant": false,
"inputs": [
{
"name": "proposal",
"type": "uint8"
}
],
"name": "vote",
"outputs": [],
"payable": false,
"stateMutability": "nonpayable",
"type": "function"
}
Smart contract API
function vote(uint8 proposal) public
{
…
}
Included in application that calls smart
contract function (e.g. Javascript),
together with smart contract address
Information required to create the data field in a transaction
in order to call a contract function
Usage
- Encoding/decoding data into/out
transaction
- Determining function identifier:
bytes4(sha3(vote_abi))

Ethereum client
E.g. geth (Go) - geth.ethereum.org
Ethereum Client
163
NoSQL Database
E.g. LevelDB for geth
Nodejs Web3js
(library)
Command line
terminal
JSON-RPC
Javascript Web3js
(library)
JSON-RPC
Dapp (Distributed
application)
ABI (Application
Binary Interface))
ABI (Application
Binary Interface))

Connecting your Application
164
var web3 = new Web3(new
Web3.providers.HttpProvider("http://localhost:8545));
var account = web3.eth.accounts[0];
if(account == null){
web3.personal.newAccount("pwd123");
account = web3.eth.accounts[0];
}
var contrAddr = '0x77ee109e51de81cdbd3193734622c2564a7fdd96';
var contrAbi = […];
var contract = web3.eth.contract(contrAbi).at(contrAddr);
web3.personal.unlockAccount(account, "pwd123", 60000);
contract.issuePrescription(addressPt, drug, time);

165
URL
Yellow paper http://gavwood.com/paper.pdf
Documentation http://www.ethdocs.org/en/latest/
Source code https://github.com/ethereum
Online IDE https://remix.ethereum.org
Explore the blockchain https://etherscan.io
Command-line client https://geth.ethereum.org/downloads/
MIST Browser https://github.com/ethereum/mist/releases
Have a look at

Transaction Limit: ± 25tx/sec.
166
3/12: accounting for 13 % of all gas use

The DAO
170
Investeerders transfereren Ether naar The
DAO and ontvangen daarvoor voting tokens
1
Contractors dienen investeringsvoorstellen in
2
Investeerders stemmen voor / tegen voorstel
3
Smartcontract transfereert al dan niet geld
4
Set van smart contracts gepubliceerd op Ethereum
Een aantal cijfers
$54m gelekt
naar aanvaller
18 000
investeerders
14% van
alle Ether
$168m
verzameld
Volledig transparant:
code, data & historiek public.
Iedereen kan audit doen
Bugs
- “Code is law”?
- Investeerders vertrouwen dat smart
contract doet wat ze verwachten

Ethereum Hard Fork
171
Decentralised Autonomous Organisation (DAO)
DAO verzamelde
$168M (Juni ‘16)
DAO bug exploit –
$54M in Ether lekt
weg (July ‘16)

Ethereum Hard Fork
172
DAO verzamelde
$168M (Juni ‘16)
DAO bug exploit –
$54M in Ether lekt
weg (July ‘16)
Verwachting/Hoop
(Steun voor) oude tak verdwijnt volledig
“The DAO bug exploit is nooit gebeurd”
Een deel van het verleden wordt collectief vergeten

Ethereum Hard Fork
173
DAO verzamelde
$168M (Juni ‘16)
DAO bug exploit –
$54M in Ether lekt
weg (July ‘16)
Realiteit: beide takken blijven naast elkaar
→ Replay attack mogelijk

Ethereum Hard Fork
174
Tamper-resistance
- Hoe onwijzigbaar is de blockchain?
Niet zo absoluut als beweerd wordt
- Nog aftakkingen (forks)?
Contract split
- Plots niet één, maar twee smart contracts. Welk is geldig? (finaliteit)
- Vb. Eén veiling, met twee verschillende winnaars

Lessons Learned
NIET correct:
Blockchain is onwijzigbaar
WEL correct:
Blockchain is niet eenzijdig wijzigbaar
(Gelijkaardig bij permissioned blockchains)
175

http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/
The DAO -
Recursive Call Bug
function splitDAO(…){
…
uint fundsToBeMoved = …
newDAO.createProxyToken.value(fundsToBeMoved)(msg.sender)
…
withdrawRewardFor(msg.sender);
totalSupply -= balances[msg.sender];
balances[msg.sender] = 0;
paidOut[msg.sender] = 0;
return true;
}
177
contract daoExploiter{
function (){
DAO.splitDAO()
}
}
function withdrawRewardFor(address _account){
…
rewardAccount.payOut(_account, reward)
…
}
function payOut(address _recipient, uint _amount){
…
_recipient.call.value(_amount)())
…
} Executed many times
(until out of gas)
Money leaks away
to attacker
Alice

178
{
bool ended;
{
auctionStart = now;
}
Smart Contract Code
// addres previous highest bidder
contract auctionExploiter{
function (){
doWhatever…
}
}
New highest bidder unknowingly pays for the
execution of unknown, untrusted code

179
{
uint public auctionEnd;
mapping(address => uint) pendingReturns;
bool ended;
{
biddingEnd = now + _biddingTime;
}
…
}
Smart Contract Code
Key Value
<Address1stBidder> 0,01 Ξ
<Address2ndBidder> 0,02 Ξ
<Address3thBidder> 0,03 Ξ
… …

180
{
…
{
require(now <= auctionEnd);
require(msg.value > highestBid);
if (highestBidder != 0)
pendingReturns[highestBidder] += highestBid;
highestBidder = msg.sender;
highestBid = msg.value;
HighestBidIncreased(msg.sender, msg.value);
}
function end() {
require(now >= auctionEnd);
require(!ended);
ended = true;
AuctionEnded(highestBidder, highestBid);
beneficiary.send(this.balance)
}
}
Key Value
… …

181
{
…
function withdraw() public returns (bool)
{
uint amount = pendingReturns[msg.sender];
if (amount > 0) {
pendingReturns[msg.sender] = 0;
if (!msg.sender.send(amount)) {
pendingReturns[msg.sender] = amount;
return false;
}
}
return true;
}
}
Now you have to pay twice
- Once to place a bid
- Once to get your maney back
Key Value
… …

182https://www.theguardian.com/technology/2017/nov/08/cryptocurrency-300m-dollars-stolen-bug-ether

The Bug
183
Bob Alice Charlie
Multisig
wallet
Multisig
wallet
Multisig
wallet
Library
// become owner of the library
function initWallet(address[]
_owners, uint256 _required,
uint256 _daylimit){
…
}
// kill the contract
function kill(address _to) {
suicide(_to);
}
https://medium.com/@Pr0Ger/another-parity-wallet-hack-explained-847ca46a2e1c

184https://motherboard.vice.com/en_us/article/zmvkke/this-is-not-a-drill-a-hacker-allegedly-stole-dollar32-million-in-ethereum

185httpshttps://motherboard.vice.com/en_us/article/zmvg58/hacker-allegedly-steals-dollar74-million-in-ethereum-with-incredibly-simple-trick

Myriad of attack vectors possible,
although cryptographically secure
blockchain technology is used
186

Smart Contracts - Samengevat
187
Automatiseren regels &
afdwingen afspraken
tussen partijen die elkaar niet 100%
hoeven te vertrouwen,
zonder daarbij afhankelijk te zijn
van een centrale partij.
(en pas op voor bugs!)

Smart Contracts - Samengevat
188
“A Distributed state machine
with money”

189
AGENDA
4
Permissioned
5
Cases
1
Introduction
2
Unpermissioned
6
Conclusions
3
Smart contracts

190
Permissionless Permissioned
Toegang & gebruik door hele wereld Extra laag voor toegangscontrole
Volledig transparant Meer controle op wie ziet wat (vb. audit)
Meestal erg onefficiënt (competitie) Pakken efficiënter (samenwerking)
Vertrouwen gedistribueerd Vertrouwen gedecentraliseerd
Cryptomunt vereist Cryptomunt niet steeds vereist
Public / open Enterprise / Consortium
Eg. Processing medical prescriptions
- Only accredited doctors can issue new
prescriptions
- Only RIZIV/INAMI can publish smart contracts
& determines what doctors are accredited
- 5/7 mutualities validate transactions

Twee Consortia
191
Fabric
Burrow
LINUX FOUNDATION
USES

Permissioned Blockchain
192
https://www.hyperledger.org

193
- Fork from Bitcoin code (06/2015)
- Version 2.0 coming soon
History
- Issue & transfer multiple asset types
- Publish data (data streams)
- Grant & revoke rights
- NO smart contracts
- Simple, easy to use, efficient
Functionality
Multisig
https://www.multichain.com/blog/2017/11/three-non-pointless-blockchains-production/
Transparency & auditability
in workflow management
Trading catastrophe bonds
without TTP (Euroclear)
Notarizing
e-commerce transactions
Real-world apllications

Mining
194
0 ≤ 𝑚𝑖𝑛𝑖𝑛𝑔 − 𝑑𝑖𝑣𝑒𝑟𝑠𝑖𝑡𝑦 ≤ 1
All miners allowed to mine next block
=> risk of forks, risk of mining starvation
A miner should wait untill all other
miners have created a block
 Blockchain halts when one miner
unavailable (robusness)
 Block not signed by right miner is
not accepted by network
A block is created by only one ‘miner’ who signs it.
Bob Charlie Alice Dave

Mining
195
0 ≤ 𝑚𝑖𝑛𝑖𝑛𝑔 − 𝑑𝑖𝑣𝑒𝑟𝑠𝑖𝑡𝑦 ≤ 1
𝑠𝑝𝑎𝑐𝑖𝑛𝑔 = 𝑚𝑖𝑛𝑖𝑛𝑔 − 𝑑𝑖𝑣𝑒𝑟𝑠𝑖𝑡𝑦 ∗ ( 𝑴𝒊𝒏𝒆𝒓𝒔 − 1)
Stochastic process
Two miners create block simultaneously: short-lived fork
Mining-diversity fixed at block-creation time
A sequence of blocks is signed by at least x miners
Bob Charlie Alice Dave
𝑚𝑖𝑛𝑖𝑛𝑔 − 𝑑𝑖𝑣𝑒𝑟𝑠𝑖𝑡𝑦 ∶ 0.75
𝑠𝑝𝑎𝑐𝑖𝑛𝑔 = 2
Consensus only undermined
if at least 75% of miners colluding

Setup phase
196
Setup phase
Some rules relaxed
- Admin can attribute and revoke rights without voting
- No mining order enforced
=> Allows the admin to set up the blockchain
Bob
Creates blockchain and
temporarily has unlimited rights
Charlie Alice
𝑠𝑒𝑡𝑢𝑝 − 𝑓𝑖𝑟𝑠𝑡 − 𝑏𝑙𝑜𝑐𝑘𝑠 = 4
𝑡𝑎𝑟𝑔𝑒𝑡 − 𝑏𝑙𝑜𝑐𝑘 − 𝑡𝑖𝑚𝑒 = 30
=> Bob has 120 seconds

Permisisons
197
- connect, mine,
- activate (connect, receive, issue), admin (other)
- send, receive, issue (assets)
- create (streams)
Blockchain specific
- write
- read (encryption)
Stream specific
- Proposal published on blockchain as transaction
- Votes published on blockchain as transaction
- Parameters
𝑎𝑑𝑚𝑖𝑛 − 𝑐𝑜𝑛𝑠𝑒𝑛𝑠𝑢𝑠 − 𝑚𝑖𝑛𝑒 = 0.5
𝑎𝑑𝑚𝑖𝑛 − 𝑐𝑜𝑛𝑠𝑒𝑛𝑠𝑢𝑠 − 𝑐𝑟𝑒𝑎𝑡𝑒 = 0.5
…
Granting rights

Connect
198
Bob
Charlie
Alice
Dave
ConnectConnect
Connect
SK SK
SK SK

Connect
199
𝑐ℎ𝑎𝑙𝑙𝑒𝑛𝑔𝑒 = dec( , 𝑟𝑒𝑠𝑝𝑜𝑛𝑠𝑒)
PK?
SK SK
Charlie
Connect
Dave
I am
𝑐ℎ𝑎𝑙𝑙𝑒𝑛𝑔𝑒 𝑐ℎ𝑎𝑙𝑙𝑒𝑛𝑔𝑒 ← getRand()
𝑟𝑒𝑠𝑝𝑜𝑛𝑠𝑒,
PK
= hash
? PK
∈ { }
?
𝑟𝑒𝑠𝑝𝑜𝑛𝑠𝑒 ← enc( , 𝑐ℎ𝑎𝑙𝑙𝑒𝑛𝑔𝑒)
SK
Establish
secure channel
Conn. info
Requires mutual challenge reponse authentication

Connect
200
Bob
Charlie
Alice
Dave
ConnectConnect
Connect
SK SK
SK SK
Note: In bigger networks, peers are only connected to a subset of the other peers

Some Parameters
• target-block-time = 15
• maximum-block-size = 8388608
• setup-first-blocks = 60
• mining-diversity = 0.75
• admin-consensus-mine = 0.5
• mine-empty-rounds = 10
• initial-block-reward = 0
• reward-halving-interval
• minimum-relay-fee (min. tx fee)
201
Multichain 1: Parameters cannot be changed after block creation
Multichain 2: Some parameters can be changed

Performance
202https://www.multichain.com/blog/2017/06/multichain-1-beta-2-roadmap/

Connecting your Application
203
let multichain = require("multichain-node")({
port: 6282,
host: '127.0.0.1',
user: “kristofrpc",
pass: "iejrcwwX9oCQoQh8vcghEncgJm2"
});
multichain.getAddresses(function(err, addresses){
if(!err) console.log(addresses);
})
multichain.issue({address: someAddress, asset: “cryptoFrank", qty:
50000, units: 0.01, details: {hello: "world"}}, function(err, res){
console.log(res)
})
multichain.sendAssetFrom({from: someAddress, to: someOtherAddress,
asset: “cryptoFrank", qty: 5}, function(err, tx) {
console.log(tx);
})

Getting Started
https://www.multichain.com/getting-started/
204

205
History
- June 2014: Launched
- Previously known as Eris (Renamed in 10/2016)
- March 2017, Monax joined Hyperledger project
Fork Ethereum code
- Supports smart contracts
- In Solidity, but compiles for you
- Tests during deploy time
Provenance of diamonds
Prototype to improve
electronic data interchange
between financial institutions.
Experiments by
DLT Consortium
of 60 > banks

Overview
206
BURROW - Version 0.16
- Consensus engine
(per block same ordered list of tx
- Efficient (< 2secs)
- Valid block signed by ≥ 2/3 of weight
- Version 0.17
- Node
- Executes smart contract
- Web server (JSON-RPC or REST)
- Smart contract off-chain test env.
- Storage, permissions
- Version 0.18
- Create & publish smart contracts
Does compilation for you
- Invoke & query smart contracts
- Blockchain management

Name registry
• Key-value store for bulk data off-chain.
• Regulated with tokens.
207
Storing 3 kb for 10 blocks
=> the total cost = 1*1*(3000 + 32)*10 = 30320 tokens
https://monax.io/docs/documentation/db/latest/specifications/api/#namereg

Rights
208
https://github.com/tendermint/tendermint/wiki/Eris-Permissions
https://monax.io/docs/specs/jobs_specification/
Grouped in roles: administrator, validator, developer, participant, …
root full permissions. Use with care.
send permission to send TX.
call permission to call contracts.
name permission to add an entry in name registry.
create_contract permission to create contract.
create_account permission to create an account.
bond permission to send a bond TX allowing to be part of the
validator pool.
add_role permission to add roles to accounts.
has_role permission to query role of accounts.
rm_role permission to remove role from accounts.
set_base permission to set permissions.
unset_base permission to remove permissions.
has_base permission to query permissions of an account.
set_global permission to set burrow network parameters.

genesis.json{
…
"accounts": [
{
"address": "12A4B709AD2A24A72F4930221DCCF5C4675E048E",
"amount": 99999999999999,
"name": “testchain_kristof",
"permissions": {
"base": {
"perms": 16383,
"set": 16383
},
"roles": []
}
},
…
}
209
- All tokens generated in
genesis block
- User management
afterwords possible

Function-Specific Permissions
contract AccountValidator {
address public owner = msg.sender;
function validate(address addr) constant returns (bool) {
return addr == owner;
}
function setOwner(address owner_) {
if(msg.sender == owner)
owner = owner_;
}
}
210

Getting Started
211
https://monax.io/docs/getting-started/

• Started as IBM project
• Smart contracts are called ‘chaincode’
212
FABRIC
Releases
- 16/09/2016: V0.6-preview
- 11/07/2017: V1.0
- 01/11/2017: V1.1-preview
Properties
- Modular
- Updatable chaincode
- Distinction of roles
- Not everyone can access all smart contracts,
not all validators runs all smart contracts

HL Fabric - Overview
213
Alice
API
Keys
Certs
Membership
Service
Blockchain
network
Register
Enroll
Deploy
Invoke
Query

Endorsement Policies
214
https://hyperledger-fabric.readthedocs.io/en/latest/arch-deep-dive.html#endorsement-policy-specification
http://hyperledger-fabric.readthedocs.io/en/latest/endorsement-policies.html
AND(‘Smals.member', ‘RSZ.member', ‘FodFin.member')
ESmals = {Alice, Bob}, ERSZ = {Charlie, Dave}, EFodFin = {Eve, Frank, George}
- Weight > 50
- Hyperledger Burrow (Monax): weight > 2/3 (fixed, global policy)
Weighted endorser set E =
{Alice=49, Bob=15, Charlie=15, Dave=10, Eve=7, Frank=3, George=1}
- (Alice OR Bob) AND (any two of: Charlie, Dave, Eve, Frank, George)
- 5 out of the 7
Set of Endorsers E = {Alice, Bob, Charlie, Dave, Eve, Frank, George}
Each smart contract has its own endorsement policy
In Hyperledger Fabric

Hyperledger Fabric
215
Endorser E1 Endorser E2 Endorser E3 Peer P1
Client
Transaction
Proposal
Transaction
Proposal
Transaction
Proposal
Transaction
Proposal
Orderer O1 Orderer O1
Ordering Service

Hyperledger Fabric
216
Client
Transaction
Proposal
Transaction
Proposal
Ordering Service

Hyperledger Fabric
217
Client
Transaction
Proposal
Ordering Service

Client
Invokes smart
contract code by
creating a
transactions,
collecting
endorsements
and sending it al
lto the ordering
service
Orderers
If endorsement policy met: include validated
transactions into block & distribute block
(Non-endorsing) Peer
Executes locally smart
contract code
Endorsers (Endorsing peers)
- Validates transaction proposals
- Executes locally smart contract code
Hyperledger Fabric
218
Client
Transaction
Proposal
Ordering Service

Hyperledger Fabric - Channels
219
data blue transactions / smart contracts
only visible for E1, E2, en P2
Peer P2 Peer P3
Ordering Service
One ordering service, but multiple
channels / blockchains

Cert. authority
Smals
RootCert
HyperLedger Fabric
220
Orderer O2
Endorser E2
ECert2
Federation of Notaries
Client C2
eBox @ Smals
Orderer O1 ECert1
Client C1
Orderer O3
Endorser E3
ECert3
Orde van Vlaamse Balies
Client C3

Membership Sevice Provider
221
Hierarchical, centralized top-down structure to protect a blockchain

222
Enrollment CA
Membership Service Provider
Transaction CA
Root CA
Long-term certificate
Alice
ECert
Two types of ECerts
1) signing
2) encryption

223
Enrollment CA
Membership Service Provider
Transaction CA
Root CA
Short term
Different TCerts not linkable
to each other or to Alice
=> privacy
Alice
ECert
ECert
TCert
TCert
TCert
Two types of TCerts
1) signing
2) encryption

Hyperledger Fabric
224
Alice’s Client
Transaction
Proposal
Transaction
Proposal
Transaction
Proposal
Transaction
Proposal
Ordering Service
Cert Cert Cert
ECert or TCert
(depends upon smart
contract access rules)
All participants have known identities.
Every transaction can be linked to identity by MSP
SOLO or KAFKA

Apache KAFKA
225
Stream processing platform, which aims to provide a unified, high-
throughput, low-latency platform for handling real-time data feeds

Deploy Transaction
226
Channel
Users (peers): pkchain
Validators (endorsers) skchain
https://github.com/hyperledger-archives/fabric/blob/master/docs/protocol-spec.md

Deploy Transaction
227
Channel

Deploy Transaction
228
Channel
ALL validators/endorsers can access the contract state, code and API
Essentially, a secret key is shared (bad practice)
What if you want to remove an endorser?
- Knowledge of PKC allows
users to create transaction
- Publisher can see
everything

Invoke & Query Transactions
231
- Every validator on the channel can
see the contract identifiers
- At least the endorsers and
publisher can decrypt the
invokation data
The invoker can decrypt her
own invokation data

Summary
232
Heavy & complex solution
Not elegant
↔ Blockchain filosophy
(hacked CA = free access rights)
Flexible
Uses traditional crypto
=> There is still a lot of work to do
Very active community
Not mature yet
Not always a drama if you loose
your key

Philosofical Question
Is a permissioned blockchain still a blockchain?
233
You loose
- Transparency
- Anonymity
- Openness,
- (Partially) distributed character

Getting Started
234
https://hyperledger-fabric.readthedocs.io/

Comparison
235
Multichain HL Burrow HL Fabric
Code fork from Bitcoin Ethereum From scratch
Complexity Low Medium High
Flexibility Low Medium High
Efficiency High Medium Low
Community Small Medium Large
Smart contracts No Yes Yes
Validation Chosen mining-
diversity
Tendermint
(>2/3)
Per-contract
policiy
Geen one-technology-fits-all
Keuze blockchain technologie/platform afhankelijk
van vereisten applicatie

236
AGENDA
4
Permissioned
5
Cases
1
Introduction
2
Unpermissioned
6
Conclusions
3
Smart contracts

Aantoonbaarheidsdienst
237
eBox
Trust model
- Member trusts his/her organization
- Organizations do not trust eBox
- We want proof-of-delivery and
proof-of-receipt (with timestamp)
- Org & ebox never simultaneously
malicious
Federation
of Notaries
Orde van
Vlaamse Balies
FPS Justice

238
Attack vectors Stakeholders Sender eBox In
Modify content
Modify timestamp
Modify sender id
Modify recipient id
Create bogus document actions
Prevent document action registration
N/A
Requirements sending document

239
Approach 1: with a smart contract
Who is lying?

240
Approach 2: Multisig
Better security Lower complexity
Higher performaceLess flexibility

Verwerking Medische Voorschriften
241
Arts Apotheker
€ €
€
€
Mutualiteit
Patient
Tariferingsdienst
Money transfer
Data transfer
Physical delivery
Voordelen
- Sterke reductie afhankelijkheden organisaties
- Verdwijnen complexe informatiestromen
- Sterke confidentialiteits- en privacygaranties
Functionaliteit
- Verwerkingscyclus voorschrift
- Real-time analyse RIZIV
Disclaimer: interne POC door Smals Research, zonder overleg stakeholders zoals RIZIV

Prescription Smart Contract
242
Contract PrescriptionProcessing
Presc issue()
fill()
insure()
assign()
confirm()
Presc
Presc
Presc
Doctor
Pharmacist
Mutuality
Patient Tarification
office
issue()
assign()
fill()
insure()
confirm()
Events provide entities with required data
Contract enforces rules such as “no double spend” & “only doctors can issue”

7a2
3b
3a
4
5 7b
8 9 10a
10b
issue() fill() confirm()insure() assign()
Contract function call
Event observation
Direct communication
Doctor Patient Pharmacist
Tar. officeMutuality
Prescription
Medicine
Valid from
Patient
Tarification office
Mutuality
Pharmacist
Doctor
Delivered
Id
Reduced fee?
Prescription
Medicine
Valid from
Patient
Tarification office
Mutuality
Pharmacist
Doctor
Delivered
Id
Reduced fee?
Prescription
Medicine
Valid from
Patient
Tarification office
Mutuality
Pharmacist
Doctor
Delivered
Id
Reduced fee?
6a
1 6b
function() Contract function
The Smart Contract
243

244
Orderer O2
Endorser E2
Mutuality
Client C2
Enrollment CA
Orderer O2
Endorser E2
Tarification Office
Client C2
Enrollment CA
RIZIV
Client C2
Enrollment CA
Transaction CA
Complex & heavy infrastructure
- Yearly 116M prescriptions processed
- For each prescription, the RIZIV issues 5 enrollment certificates
- Every prescription processing step needs sufficient endorsements
- Heavy reliance upon RIZIV, mutualities and enrollment offices (CAs)
Verwerking Medische Voorschriften
Approach 1: Hyperledger Fabric

245
One-Time Pseudonyms
Charlie
Bob
Alice
Blockchain network
Link
Link
Link
Link
245

Different Views
246
One-time patient pseudonyms on the blockchain
Rest of the world
Similar for doctors, pharmacists, mutualities and tarification offices

Contract State
247
Single-use addresses
Physician
pseudonym
Pharmacist
pseudonym
Insurer
pseudonym
Tar. office
pseudonym
Permanent addresses
Col. of Ph.
pseudonym
RIZIV
pseudonym
Prescription
Drug description 1
Valid from 1
Patient 1
Inv. office 5
Insurer 2
Pharmacist 3
Physician 1
Refund 2€
Filled 4
Prescription
Drug description 1
Valid from 1
Patient 1
Inv. office 5
Insurer 2
Pharmacist 3
Physician 1
Refund 2€
Filled 4
Prescription
Drug description 1
Valid from 1
Patient 1
Inv. office 5
Insurer 2
Pharmacist 3
Physician 1
Refund 2€
Filled 4
Prescription
Drug description 1
Valid from 1
Patient 1
Inv. office 5
Insurer 2
Pharmacist 3
Physician 1
Refund 2€
Filled 4
Calling a contract function
- Contract checks if you own a
registered pseudonym in right set
- Contract removes pseudonym
RIZIV registers pseudonyms in batch
- RIZIV offline -> no impact

Comparison
248
HL Fabric One-time pseudonyms
Validation Per transaction Per block
Certificates 5 per prescription (Almost) none
High availability RIZIV none
Architectural complexity High Medium
Required storage To be calculated / tested
Disclaimer: I might be somewhat biased 

249
AGENDA
4
Permissioned
5
Cases
1
Introduction
2
Unpermissioned
6
Conclusions
3
Smart contracts

The bigger picture
250
Blockchain Technology
Distributed Ledger Technology
Techology for distributed trust
Bitcoin
Hyperledger Fabric
Ethereum
Monero IOTA
CORDA
Multi-party computation
Zero-knowledge proofs
Homomorphic Encryption
…
…
…
Blockchain is één technologie.
Niet de eerste, en wellicht niet de laatste
Attribute-Based Credentials

IOTA (The Tangle)
251https://iota.org/IOTA_Whitepaper.pdf
Node valideert twee andere transactie om zelf transactie te kunnen creëren
Lost daartoe cryptografische puzzel op
Geen transaction fees (dus geen geldcreatie door minen)
Sneller & schaalbaarder dan blockchain
Doel: micropayments
Cummulative weigth

IOTA (The Tangle)
Node valideert twee andere transactie om zelf transactie te kunnen creëren
Lost daartoe cryptografische puzzel op
Geen transaction fees (dus geen geldcreatie door minen)
Sneller & schaalbaarder dan blockchain
Doel: micropayments

IOTA (The Tangle)

IOTA (The Tangle)
254
Low load and high load

Initial Coin Offerings (ICO)
255https://www.economist.com/news/finance-and-economics/21721425-it-may-also-spawn-valuable-innovations-market-initial-coin-offerings
Publicatie white paper
(Claims meestal niet geaudit)
ICO periode:
Investeerders kopen munten
Gewoonlijk aan vaste prijs
Meestal ongereguleerd
Business operationeel
Gebruik vereist munten
Munten verhandelbaar
Crowdfunding door lanceren nieuwe cryptomunt
Succesvol → meer vraag → hogere waarde
(beperkt aantal munten)
Manier om geld te verdienen aan gedistribueerde protocols
Gedecentraliseerd
platform voor
competitie online game
Gedecentraliseerde
cloud opslag

Conclusies
Het gaat over VERTROUWEN
• Veelbelovende technologie voor applicaties die
traditioneel vertrouwen vereisen in centrale partijen.
• Daarom wordt het als disruptief beschouwd
Geen oplossing voor alles
• Het is mogelijk met blockchain ≠ Blockchain is de
beste keuze
Uitdagingen
• Schaalbaarheid, sleutelbeheer, privacy, juridisch, …
• Veel onderzoek (MIT, KU Leuven, TU Delft, IBM, …)
256

Uitdagingen
=> Veel onderzoek om deze uitdagingen aan te pakken
Standaardisatie /
best practices
Sleutelbeheer &
bescherming end-
points
Rechsonzekerheid
Privacy &
confidentialiteit
Gebaseerd op
aantal aannames
Schaalbaarheid
Veiligheid Andere
Volatiliteit
wisselkoersen
257
Bugs in smart
contracts

Perspectief
259https://hbr.org/2017/01/the-truth-about-blockchain
“Hoewel de impact enorm zal zijn, zal het decennia
duren voor blockchain om in onze economische en
maatschappelijke structuren te sijpelen.”
Tijd nodig om economie te transformeren:
- TCP/IP: 30 jaar
- Elektriciteit: 20 jaar
Grondleggende technologie
Het heeft het potentieel om nieuwe fundamenten voor
ons economisch en sociaal systeem te creëren.
Toestand vandaag:
- 3-5 jaar eer volwassen
- 3% POCs in productie

Conclusies
261
H Y P E H Y P EU i t d a g i n g e n
Erg jonge technologie, in volle ontwikkeling

262
Dr. Kristof Verslype
Researcher, advisor & speaker
in crypto, privacy & blockchain tech
Q u e s t i o n s & C o n t a c t
© Benjamin Reay
@KristofVerslype
kristof.verslype@smals.be
be.linkedin.com/in/verslype
www.cryptov.net
www.smalsresearch.be
@SmalsResearch
www.smals.be
@Smals_ICT
Personal

2018 SAI workshop blockchain Kristof Verslype

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 2018 SAI workshop blockchain Kristof Verslype

Similar to 2018 SAI workshop blockchain Kristof Verslype (20)

More from Smals

More from Smals (20)

Recently uploaded

Recently uploaded (20)

2018 SAI workshop blockchain Kristof Verslype