This document provides an overview of the Cryptocurrency Engineering and Design course at MIT. It introduces the instructors and discusses the course structure, which includes lectures, labs, and a final project. It then discusses some of the core concepts needed to build a cryptocurrency, including hash functions, signatures, and examples of early digital cash systems like Chaumian e-cash. The document outlines the first programming assignment, which involves implementing Lamport signatures using only hash functions.

1. Cryptocurrency Engineering and
Design
MAS.S62
2/7/2018 Lecture 1
1

2. Introduction
• Who we are
– Neha Narula
– Tadge Dryja
– James Lovejoy (TA)
• Digital Currency Initiative
• Course
– Lectures (20%)
– Labs (40%)
– Final project (40%)
2

3. Cryptocurrency Engineering and Design
• What is a cryptocurrency?
• How is it different than a regular currency?
• What does it mean to build one?
3

4. What we are not going to do
• How to ICO
• Trading advice
• Permissioned blockchains
4

5. Origins of Money
Images of sheep, grains, various ancient and modern currencies © unknown. All rights reserved. This content
is excluded from our Creative Commons license. For more information, see https://ocw.mit.edu/fairuse.
5

6. Traditional payments
Alice: $10
Bob: $0
“I, Alice, would like
to send Bob $5”
Alice Bob
Various clip art images in this document © unknown. All rights reserved. This content is excluded from our
Creative Commons license. For more information, see https://ocw.mit.edu/fairuse.
6

7. Traditional payments
Alice: $5
Bob: $5
Bob, I sent you $5!
Alice Bob
7

8. Traditional payments
Alice: $5
Bob: $5
Alice Bob
8

9. Traditional payments
Alice Bob
Alice: $5
Bob: $5
9

10. Pros/cons of banks
Pros
• Digital payments
Cons
• Not peer-to-peer (bank must be online during every
transaction)
• Bank can fail
• Bank can delay or censor transactions
• Privacy
10

11. The bank can fail
Alice: $10
Bob: $0
Alice Bob
11

12. The bank can delay or censor
Alice: $10
Bob: $0
“I, Alice, would like
to send Bob $5”
No!
Alice Bob
12

13. E-cash
“I, Alice, would like
a coin”
Alice Bob
13

14. E-cash
SN
Alice Bob
14

15. E-cash
Alice Bob
SN
15

16. E-cash
Alice Bob
SN
16

17. E-cash
SN
SN
Alice Bob
17

18. E-cash
SN
Alice Bob
18

19. Pros/cons of simple e-cash
Pros
• Digital payments
• Peer-to-peer
Cons
• Bank needs to be online to verify
• Bank can fail
• Bank can delay or censor transactions
• Privacy
19

20. Chaumian e-cash
• Alice can choose SN
• Alice “blinds” her message to the bank so
bank can’t see SN
• When Bob redeems, bank doesn’t know
payment came from Alice
20

21. Chaumian e-cash
“I, Alice, would like
a coin b(SN)”
Alice Bob
21

22. Chaumian e-cash
Alice Bob
Sig(b(SN))
Sig(SN), SN 22

23. Chaumian e-cash
Alice Bob
Sig(SN), SN
23

24. Chaumian e-cash
Alice Bob
24

25. Chaumian e-cash
Sig(SN), SN
SN
Alice Bob
25

26. Double spend detection
Alice Bob
uAlice, vAlice
Charlie
26

27. Pros/cons of Chaumian e-cash
Pros
• Digital payments
• Peer-to-peer
• Privacy
• Offline double-spend detection
Cons
• Bank can censor withdrawals and deposits
27

28. Alice Bob
How to build decentralized digital token
transfer?
1MHepPtrqAxZ
28

29. mas.s62
lecture 1
2018-02-07
Neha Narula & Tadge Dryja
29

30. Primitives for making a
cryptocurrency
Hash functions
Signatures
30

31. Hash functions
Simple, right? But powerful.
hash(data) -> output
data can be any size; output is
fixed size
31

32. Hash functions
Important. You can do everything*
with just hash functions.
*can’t do some fun stuff with keys
(Key exchange, signature aggregation, etc)
32

33. Hash functions
Any size input, fixed output… output
is “random” looking
What’s that mean? Deterministic, no
randomness
But the outputs look like noise;
half the bits are 1s, half are 0s 33

34. Hash functions
Somewhat more well defined -
“Avalanche effect”: change 1 bit of
the input, about half the output
bits should change
34

35. Hash functions
Well defined: what it shouldn’t do
preimage resistance
(2nd preimage resistance)
collision resistance
35

36. preimage resistance
given y, you can’t find any x such
that hash(x) == y
(you can find it eventually, but
that will take 2256
operations (1078
))
36

37. 2nd preimage resistance
given x, y, such that hash(x) == y,
you can’t find x’ where
x’ != x
and hash(x’) == y
(this one is a bit of a mess so lets
leave it at that) 37

38. collision resistance
nobody can find any x, z such that
x != z
hash(x) == hash(z)
(again, you can find them eventually. And in
this case, not 2256
) 38

39. resistances
Practically speaking, collision
resistance is “harder”;
collision resistance is broken while
preimage resistance remains
Examples: sha-1, md5
39

40. usages
hashes are names
hashes are references
hashes are pointers
hashes are commitments
40

41. Commit reveal
Commit to something secret by
publishing a hash
Reveal the preimage later.
Example: a1c089bf65e852cf2ba2010d2ba84e2025ec937b5f8b9dac682c35dcf498aef4
41

42. Commit reveal
a1c089bf65e852cf2ba2010d2ba84e2025ec937b5f8b9dac682c35dcf498aef4
Reveal:
I think it won't snow Wednesday! d79fe819
$ echo "I think it won't snow Wednesday! d79fe819" | sha256sum
a1c089bf65e852cf2ba2010d2ba84e2025ec937b5f8b9dac682c35dcf498aef4 -
42

43. Commit reveal
$ echo "I think it won't snow Wednesday! d79fe819" | sha256sum
a1c089bf65e852cf2ba2010d2ba84e2025ec937b5f8b9dac682c35dcf498aef4 -
Add randomness so people can’t guess
my preimage; HMAC
This is a kind of proto-signature
43

44. Linked list with hashes
We could call this a “hash-chain”
Also, it’s basically git
44

45. Binary tree with hashes
How can 2 inputs go to 1 output?
Not a collision. Concatenate then
hash: h(a,b) 45

46. What’s a signature?
Signatures are useful! Messages from
someone. 3 functions needed:
GenerateKeys()
Sign(secretKey, message)
Verify(publicKey, message, signature)
46

47. 3 functions
GenerateKeys()
Returns a privateKey, publicKey pair
Takes in only randomness
47

48. 3 functions
Sign(secretKey, message)
Signs a message given a secretKey.
Returns a signature.
48

49. 3 functions
Verify(publicKey, message, signature)
Verify a signature on a message from
a public key. Returns a boolean
whether it worked or not.
49

50. Signatures from hashes
It’s doable! In fact, you’ll do it!
First pset is to implement a
signature system using only hashes.
This is called “Lamport Signatures”
50

51. Lamport Sigs: Generate key
Make up 256*2 random 256 bit numbers
… (256)
… (256)
0
1
51

52. Lamport Sigs: Generate key
Get hashes for each
… (256)
… (256)
0
1
52

53. Lamport Sigs: Generate key
= Secret key = public key
… (256)
… (256)
0
1
53

54. Lamport Sigs: Sign
Hash string to sign.
“Hi” = 8f434346648f6b96df89dda901c5176b10a6d83961dd3c1ac88b59b2dc327aa4
Pick private key blocks to reveal
based on bits of message to sign
54

55. Lamport Sigs: Sign
Hash string to sign.
Pick private key blocks to reveal
based on bits of message to sign
01101110
55

56. Lamport Sigs: Verify
Hash each block of the signature
Verify that it turns into the block
of the public key
56

57. Lamport Sigs: Signing again
Signing more than once reveals more
pieces of the private key
57

58. Lamport Sigs: Signing again
Signing more than once reveals more
pieces of the private key
58

59. Lamport Sigs: Signing again
1 sig: can’t forge anything
2 sigs: ~½ bits constrained
3 sigs: ~¼ bits constrained
59

60. pset01: Lamport signatures
In golang
On github
Most of the signing code is written
Tests implemented
Also public key with 4 signatures;
try to forge another!
Office hours / messages on slack
60

61. MIT OpenCourseWare
https://ocw.mit.edu/
MAS.S62 Cryptocurrency Engineering and Design
Spring 2018
For information about citing these materials or our Terms of Use, visit: https://ocw.mit.edu/terms.