The document discusses blockchain and cryptocurrency technologies. It provides information on the following key points: - Cryptographic hash functions are the backbone of blockchain and map variable-length inputs to fixed-length outputs, making it difficult to determine the input from the output or find colliding inputs. - Blockchain uses these hash functions to create tamper-evident linked data structures like blocks in a blockchain or nodes in a Merkle tree. This allows transactions in a blockchain to be publicly verifiable and tamper-resistant. - Bitcoin implements blockchain technology to create a decentralized transaction ledger. Transactions are grouped into blocks and miners compete to add new blocks through a computational puzzle. This consensus mechanism allows all nodes to agree

1. BLOCKCHAIN
The foundation behind Bitcoin
Sourav Sen Gupta
Indian Statistical Institute, Kolkata

2. CRYPTOGRAPHY
Backbone of Blockchain Technology

3. Component 1 : Cryptographic Hash Functions

4. Map variable-length input to constant-length output.
HASH FUNCTIONS
h y
x
101011101011001…0010110100101 101110101001000110111100010101

5. Finding the pre-image of a given output is not easy.
HASH FUNCTIONS
h y
?
101011101011001…0010110100101 101110101001000110111100010101

6. Finding a colliding twin of a given input is not easy.
HASH FUNCTIONS
h y
x1
101011101011001…0010110100101
101110101001000110111100010101
x2
1100101001011001…110010100110

7. Finding any colliding pair of inputs is not easy.
It is of course possible, but not easy.
HASH FUNCTIONS
h y
x1
101011101011001…0010110100101
x2
1100101001011001…110010100110
101110101001000110111100010101

8. Minor input-mismatch to major output-mismatch.
HASH FUNCTIONS
h
y1
x1
101011101011001…0010110100101 101110101001000110111100010101
x2
101010101011001…0010110100101 y2 110010100101100100110010100110

9. Merkle-Damgard Construction
Example : SHA 256 — used in Bitcoin
CONSTRUCTIONS
f
m1
IV f
m2
f
mn
h

10. Sponge Construction
Example : SHA 3 — used in Ethereum
CONSTRUCTIONS
f
m1
f
m2
f
mn
f
h1
c
r

11. Provably secure scheme for Commitment
Random nonce r must have a high min-entropy for this scheme to be secure.
APPLICATIONS
h y
x
r
commit(x) :
c = h(r || x)
verify(c,r,x) :
h(r || x) == c

12. Provably secure scheme for tamper-detection
APPLICATIONS
h y
x
record(x) :
c = h(x)
verify(c,x) :
h(x) == c

13. Tamper-evident data pointer = Hash Pointer
Hash Pointer
DATA STRUCTURES
h hash(data)
data
addr(data)

14. Tamper-evident linked data structure = Block
DATA STRUCTURES
h
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp

15. Tamper-evident linked-list = Blockchain
DATA STRUCTURES
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp

16. Tamper-evident linked-list = Blockchain
DATA STRUCTURES
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp
Block
HP(block)
data
timestamp

17. Tamper-evident binary-tree = MerkleTree
DATA STRUCTURES
Node
HP(left)
data
timestamp
HP(right)
Node
HP(left)
data
timestamp
HP(right)
Node
HP(left)
data
timestamp
HP(right)
Node
HP(left)
data
timestamp
HP(right)
Node
HP(left)
data
timestamp
HP(right)
HP(root)

18. Tamper-evident binary-tree = MerkleTree
DATA STRUCTURES
Node
HP(left)
data
timestamp
HP(right)
Node
HP(left)
data
timestamp
HP(right)
Node
HP(left)
data
timestamp
HP(right)
Node
HP(left)
data
timestamp
HP(right)
Node
HP(left)
data
timestamp
HP(right)
HP(root)

19. DATA STRUCTURES
Properties Blockchain Merkle Tree Merkle Trie
Size of Commitment O(1) O(1) O(1)
Append a Block/Node O(1) O(log n) O(k)
Update a Block/Node O(n) O(log n) O(k)
Proof of Membership O(n) O(log n) O(k)
Structural Abstraction List of Objects Set of Objects Set of (key, value)
Used for Construction Bitcoin Bitcoin Ethereum

20. QUESTIONS
Can any pointer-based data structure
be efficiently converted into a
Hash-Pointer based data structure?
Will such an exercise be at all useful in any use case?
Do these structures provide any additional advantage?

21. Component 2 : Digital Signature Schemes

22. Digital signature as a set of three algorithms
DIGITAL SIGNATURE
s = sign(sk,m) verify(pk,m,s)
pk
sk
?
keygen(n)
1
2 3

23. (sk, pk) = keygen(n) verify(pk,m,sign(sk,m)) = True
DIGITAL SIGNATURE
pk
sk
?
s = sign(sk,m) verify(pk,m,s)
keygen(n)

24. Given pk and access to sign(mi) as an oracle, an adversary should
not be able to create a valid fresh message-signature pair (m,s)
DIGITAL SIGNATURE
pk
sk
?
s = sign(sk,m) verify(pk,m,s)
keygen(n)

25. Elliptic Curve Digital Signature Algorithm (ECDSA)
ECDSA on curve E(Fp) : { (x,y) in Fp x Fp | y2 = x3 + 7 }
with base prime p = 2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1
CONSTRUCTION
Fp
Q

26. Elliptic Curve group of size |E(Fp)| = q ~ p ~ 2256
ECDSA on curve E(Fp) : { (x,y) in Fp x Fp | y2 = x3 + 7 }
with base prime p = 2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1
CONSTRUCTION
Parameters Format Range Bit-size
sk random Zq 256
pk sk x G E(Fp) 512
m hash(M) Zq 256
Signature (r, s) Zq x Zq 512

27. Publish the public key pk as your Identity
Use the secret key sk to prove your identity
APPLICATION
pk
sk
sk
verify(pk,m,sign(sk,m))
sk
?

28. BITCOIN
Blockchain in Practice

29. BITCOIN
Ledger of Transactions
between
Pseudonymous Identities
Semi-Decentralised Publicly-Verifiable
Tamper-Resistant Eventually-Consistent

30. Economic Transaction
that we are familiar with
NOT BITCOIN
Tx

31. NOT BITCOIN
Tx
Centralised Account-based Ledger

32. NOT BITCOIN
Tx
Decentralised Account-based Ledger

33. Tx
NOT BITCOIN YET
Tx
Decentralised Transaction-based Ledger
Tx Tx Tx Tx Tx
Tx

34. TRANSACTION
Tx
Network verifies the Signature
Tx
Signed by

35. TRANSACTION
Tx
Network verifies the Signature
Tx
Signed by
pk
sk
pk

36. Input :Array of previousTransactions | Output :Array of recipient Addresses
R1
TRANSACTION
Tx
Tx
pk2
sk1
Tx
pk1
Tx
pk3
sk2 sk3
pk
R2
pk
R3
pk
Sender(s)
Recipient(s)
Network verifies the Signature(s)

37. Input :Array of previousTransactions | Output :Array of recipient Addresses
R1
TRANSACTION
Tx
pk2
sk1
Tx
pk1
Tx
pk3
sk2 sk3
pk
R2
pk
R3
pk
Tx
Recipients
Signatures
Input
Transactions
Network verifies the Signature(s)

38. TRANSACTION Metadata
Input(s)
Output(s)
Data obtained from blockchain.info

39. LEDGER
Tx
Decentralised Transaction-based Ledger
Tx Tx Tx
Tx Tx Tx Tx
Tx Tx Tx Tx
Tx Tx Tx Tx Tx Tx Tx Tx

40. BLOCK
Data obtained from blockchain.info

41. BLOCK
Data obtained from blockchain.info

42. BLOCK
Data obtained from blockchain.info

43. BLOCK
Data obtained from blockchain.info

44. BLOCK
Data obtained from blockchain.info

45. BITCOIN
Tx
Tx
Tx
Tx
Mining
Transaction

46. MINING
Tx
Tx
Tx
Tx
Computational
Lottery (Puzzle)
Transaction
Winner writes
the next block
Existing blocks
at a given time
Find r such that
hash(r || m) < C

47. MINING
Data obtained from blockchain.info

48. MINING
Data obtained from blockchain.info

49. MINING
Data obtained from blockchain.info

50. MINING
Data obtained from blockchain.info

51. MINING
Data obtained from blockchain.info

52. BITCOIN
Tx
Tx
Tx
Tx
Mining
Transaction

53. BITCOIN
Framework — Decentralised peer-to-peer collaborative network
Goal : All peers should agree on a sequence of transactions

54. BITCOIN
Publicly-Verifiable
as the complete ledger and the hash function is public

55. BITCOIN
Tamper-Evident / Tamper-Resistant
as the ledger is connected through a chain of hash pointers
X X X
X
X X X

56. BITCOIN
Eventually-Consistent
as the longest chain eventually sustains as the main chain

57. BITCOIN
Data obtained from blockchain.info

58. BITCOIN
Data obtained from blockchain.info

59. BITCOIN
Data obtained from blockchain.info

60. BITCOIN
Semi-Decentralised
as the mining is dominated by computational power

61. BITCOIN
Data obtained from blockchain.info

62. BITCOIN
Data obtained from blockchain.info

63. Robin Yao (BW), Wang Chun (F2Pool), Marshall Long (FinalHash), Pan Zhibiao (Bitmain)
Liu Xiang Fu (Avalon), Sam Cole (KnCMiner) and Alex Petrov (BitFury)

64. BITCOIN
Semi-Decentralised Publicly-Verifiable
Tamper-Resistant Eventually-Consistent

65. ECONOMICS
The success story of Bitcoin

66. BITCOIN
Data obtained from blockchain.info

67. BITCOIN
Data obtained from blockchain.info

68. BITCOIN
Data obtained from blockchain.info

69. BITCOIN
Data obtained from blockchain.info

70. BITCOIN
Data obtained from blockchain.info

71. BITCOIN
Data obtained from blockchain.info

72. SECURITY
The threat from Bitcoin

73. BITCOIN
Transactions : Completely transparent and public
Identities : Opaque and pseudonymous addresses
~ 170 Million bitcoin addresses
~ 150 Million bitcoin transactions
~ 80 GB of compressed raw data
~ 80% of transactions have < 2 inputs
~ 90% of transactions have < 3 outputs

74. BITCOIN

75. BITCOIN
Identities : Opaque and pseudonymous addresses
Anyone can create arbitrarily many identities
All identities “look” the same on the network
~ 170 Million bitcoin addresses
~ 150 Million bitcoin transactions
Provides “anonymity” of Bitcoin transactions.

76. BITCOIN
Data obtained from blockchain.info

77. BITCOIN
Data obtained from blockchain.info

78. BITCOIN
Data obtained from blockchain.info

79. Dark Marketplaces to buy-and-sell Drugs

80. Dark Marketplaces to buy-and-sell Guns and Fake ID

81. BITCOIN
Identities : Opaque and pseudonymous addresses
Anyone can create arbitrarily many identities
All identities “look” the same on the network
~ 170 Million bitcoin addresses
~ 150 Million bitcoin transactions
Is it still possible to trace transactions and identities?

82. DE-ANONYMIZATION
Potential solution to the threat from Anonymity

83. R1
TRANSACTION
Tx
R2
Rm
S1
S2
Sn

84. EXAMPLE #1
Tx R1
S1
1FLa9NcXJPA2XvF34LRuB4zbXX4Ws32dpL 18rdKmjrg1EawxgiVT3ikLExj6GWS2MNCk
Note : Single recipient with an exact match of input to output — highly unlikely.

85. R1
EXAMPLE #2
Tx
R2
S1
1Ao6mKMEXxCVNVAuGjfLXZ3Zf43hd3yAEq
16pDB5bvoqRGvoH32GaJLfsEcaMc2T9xDr
1H3bY2Cv1pmn8ffTdyeRvZAUjNJC1giQHm
Note : Nice complete denomination along with a random change.

86. R1
EXAMPLE #3
Tx
R2
S1
1PXzMrz8KBNEkTt3Wnuqy4axiWszbyQKyE
1AASWBCGveXH6H5yTCZW2x7uZrawDiqp4U
19onWuLmjXGVfc7oUAEVuy9Yd3jxqhsUbK
Note : 0.01121504 BTC = 6.50 USD at the time of transaction.

87. EXAMPLE #4
Tx R1
S1
19SZcQ2CzJacQZE9rYwQjsfcBKMWDNwBWD
1PLjv1VzGEKxtM2FnRzg2FmDjen9trUBrh
Note :Two arbitrary inputs exactly match up to a desired output — highly unlikely.
S2
13Zjnzx8VxtLUEiYcrVXKp5sLucLMvBqaG

88. R1
EXAMPLE #5
Tx
R2
S1
1Djvb34FNpNXtrbbjaQeERZf68cyUdWyzd
1Nq612zwhEZDBNz2AeWKZxD6LvwiLm6cQU
1AffmSG4tcNRjcgTWTnS6TM3cWPeeA9EVd
Note :Two input transactions coupled for a payment plus some random change.
S2
17atn5sagYRBUvzgFLd9bUjWF4yStkdokW
6.13 USD
6.03 USD
4.10 USD
7.95 USD

89. CLUSTERING
1FLa9NcXJPA2XvF34LRuB4zbXX4Ws32dpL
18rdKmjrg1EawxgiVT3ikLExj6GWS2MNCk
1Ao6mKMEXxCVNVAuGjfLXZ3Zf43hd3yAEq 16pDB5bvoqRGvoH32GaJLfsEcaMc2T9xDr
1H3bY2Cv1pmn8ffTdyeRvZAUjNJC1giQHm
1PXzMrz8KBNEkTt3Wnuqy4axiWszbyQKyE
1AASWBCGveXH6H5yTCZW2x7uZrawDiqp4U
19onWuLmjXGVfc7oUAEVuy9Yd3jxqhsUbK
19SZcQ2CzJacQZE9rYwQjsfcBKMWDNwBWD
1PLjv1VzGEKxtM2FnRzg2FmDjen9trUBrh
13Zjnzx8VxtLUEiYcrVXKp5sLucLMvBqaG
1Djvb34FNpNXtrbbjaQeERZf68cyUdWyzd
1Nq612zwhEZDBNz2AeWKZxD6LvwiLm6cQU
1AffmSG4tcNRjcgTWTnS6TM3cWPeeA9EVd
17atn5sagYRBUvzgFLd9bUjWF4yStkdokW

90. IDENTIFICATION
1FLa9NcXJPA2XvF34LRuB4zbXX4Ws32dpL
18rdKmjrg1EawxgiVT3ikLExj6GWS2MNCk
1Ao6mKMEXxCVNVAuGjfLXZ3Zf43hd3yAEq 16pDB5bvoqRGvoH32GaJLfsEcaMc2T9xDr
1H3bY2Cv1pmn8ffTdyeRvZAUjNJC1giQHm
1PXzMrz8KBNEkTt3Wnuqy4axiWszbyQKyE
1AASWBCGveXH6H5yTCZW2x7uZrawDiqp4U
19onWuLmjXGVfc7oUAEVuy9Yd3jxqhsUbK
19SZcQ2CzJacQZE9rYwQjsfcBKMWDNwBWD
1PLjv1VzGEKxtM2FnRzg2FmDjen9trUBrh
13Zjnzx8VxtLUEiYcrVXKp5sLucLMvBqaG
1Djvb34FNpNXtrbbjaQeERZf68cyUdWyzd
1Nq612zwhEZDBNz2AeWKZxD6LvwiLm6cQU
1AffmSG4tcNRjcgTWTnS6TM3cWPeeA9EVd
17atn5sagYRBUvzgFLd9bUjWF4yStkdokW

91. CLUSTERING
The Unreasonable Effectiveness of Address Clustering — Harrigan and Fretter, May 2016

92. DE-ANONYMIZATION
Passive :Analytics on 80 GB of Bitcoin blockchain data
— Clustering of Bitcoin Addresses with suitable definition of Metrics
— Identification of the Clusters using known and/or leaked Addresses
Active : Injecting and tracking marked Bitcoin transactions
— Registering on Dark Marketplaces, Exchanges, and Mining Pools
— Using Addresses leaked from all these sources for Identification
Elliptic (https://www.elliptic.co/) does something similar in the UK.
We should try to build our own tool for de-anonymization.

93. BLOCKCHAIN
Versatile Toolkit for Protocols

94. Input :Array of previousTransactions | Output :Array of recipient Addresses
R1
TRANSACTION
Tx
pk2
sk1
Tx
pk1
Tx
pk3
sk2 sk3
pk
R2
pk
R3
pk
Tx
Recipients
Signatures
Input
Transactions
Network verifies the Signature(s)

95. TRANSACTION Metadata
Input(s)
Output(s)
Data obtained from blockchain.info

96. BITCOIN SCRIPT
Data obtained from blockchain.info

97. POTENTIAL
With a powerful Scripting Language

98. Developing “Smart Contracts” on Blockchain

99. Ethereum
Smart Contracts
Proof of Space
Retricoin Namecoin
Proof of Retrievability
Proof of Stake
Proof of Commitment
Bitcoin-NG
Perma-Coin
RSCoin
SpaceMint
GHOST
ZeroCoin
Zcash
Smart Properties
Proof of Existence
ADePT
Ripple
BitShares
Factom
BigchainDB
OneName
OpenBazaar
BitGold
BitNation
BitHealth

100. Thank you for listening!
“Bitcoin is an idea with disruptive ramifications.”