Lecture 3 Summary
Author: Rea Savla
I. Cryptographic Hash Functions
In this lecture, we dove into the low-level specifics of Bitcoin that make it work. Bitcoin was innovative because it allowed a decentralized network to reach consensus. It achieved this via tamper-evidence, which means although one can modify the information that passes along the Bitcoin network, it would be obvious that some modification has been made. This tamper evident system allows us to be sure any update on Bitcoin is the same for everyone.
We achieve a tamper evident system by using cryptographic hash functions to produce standardized, random-looking “fingerprints” of our data. If the data changes, so will the fingerprints.
Cryptographic hash functions are pseudorandom: although the output for any given input looks random, the same input always produces the same output.
Important Properties of Cryptographic Hash Functions:
- Pre-image Resistance: Given H(x), it is computationally difficult to determine x
- Second pre-image Resistance: Given x, it is computationally difficult to find some other value x’ such that H(x) == H(x’)
- Collision Resistance: It is computationally difficult to find any two distinct values x and y such that H(x) == H(y)
These properties produce the Avalanche effect, where even a small change in the input leads to a large, pseudorandom change in the output.
The particular hash function Bitcoin uses is SHA256, which takes an input of size less than 2^64 bits and produces a fixed-size 256-bit output.
II. A Tamper Evident Database
Bitcoin uses this cryptographic hash function to build an entire tamper evident database. The Block Header of a Bitcoin block is the input that gets hashed, and it contains many fields, most notably the Merkle Root, Previous Block Hash, and Nonce. The Merkle Root summarizes the transactions, the Previous Block Hash provides the chaining, and the Nonce represents the Proof-of-Work.
The Merkle Root is the root of the Merkle Tree, a binary tree of hashes built over all the transactions in the block. The Previous Block Hash is the hash of the previous block's header. Both of these hashes change if any of the transactions or previous blocks is modified.
The Nonce is the manifestation of the proof-of-work in Bitcoin; it is a numerical value that must be found to solve the partial preimage hash puzzle. Miners hash the entire block header (the input) and tweak the nonce and coinbase until they find an output that solves the hash puzzle.
Hash puzzles must be:
- Computationally Difficult: The solution to the hash puzzle cannot be easily found
- Parameterizable: The difficulty of the hash puzzle should be adjustable
- Easily Verifiable: Computers should have to do little work to ensure the answer is correct
The difficulty of the hash puzzle in Bitcoin is adjusted every 2016 blocks:
new difficulty = old difficulty × (two weeks / time taken to mine the previous 2016 blocks)
Once miners solve the puzzle, they receive bitcoin via a coinbase transaction. Whenever miners produce a block, they first create a coinbase transaction, which is the first transaction of the Merkle Tree.
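The pieces above (double-SHA256 fingerprints, the Merkle Root, the chained header, the adjustable hash puzzle and its retargeting rule) fit together in this added Python example; it is not code from the lecture or from Bitcoin Core. It assumes a simplified header (no version, timestamp or nBits field), a constructed transaction list and an easy 16-bit target, and its `bit_diff` helper shows the avalanche effect from Section I when a single transaction is edited.

```python
import hashlib
import struct

def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_root(txids: list) -> bytes:
    """Bitcoin-style Merkle root: hash pairs upward, duplicating an odd last hash."""
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def header(prev_hash: bytes, root: bytes, nonce: int) -> bytes:
    """Simplified header (assumption: version, timestamp and nBits omitted)."""
    return prev_hash + root + struct.pack("<I", nonce)

def meets_target(block_hash: bytes, target: int) -> bool:
    """Easily verifiable: one hash compared against the target."""
    return int.from_bytes(block_hash, "big") < target

def mine(prev_hash: bytes, root: bytes, target: int, max_nonce: int = 1 << 32):
    """Partial pre-image puzzle: tweak the nonce until the header hash is below target."""
    for nonce in range(max_nonce):
        block_hash = dsha256(header(prev_hash, root, nonce))
        if meets_target(block_hash, target):
            return nonce, block_hash
    return None  # nonce space exhausted; a real miner then alters the coinbase

def retarget(difficulty: float, actual_seconds: float) -> float:
    """Difficulty adjustment every 2016 blocks, as stated in the lecture."""
    return difficulty * (14 * 24 * 3600) / actual_seconds

def bit_diff(a: bytes, b: bytes) -> int:
    """Number of differing bits between two digests (avalanche effect)."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")

# Constructed sample transactions, target and previous hash (not real Bitcoin data).
TXS = [b"coinbase: 50 BTC to miner", b"alice -> bob 1 BTC", b"bob -> carol 0.5 BTC"]
TARGET = 1 << (256 - 16)     # parameterizable: require 16 leading zero bits
PREV = dsha256(b"genesis")   # placeholder previous block hash
if __name__ == "__main__":
    root = merkle_root([dsha256(tx) for tx in TXS])
    nonce, block_hash = mine(PREV, root, TARGET)
    print("nonce", nonce, "hash", block_hash.hex())
    tampered = merkle_root([dsha256(tx) for tx in TXS[:1] + [b"alice -> bob 9 BTC"] + TXS[2:]])
    print("Merkle root bits changed by editing one transaction:", bit_diff(root, tampered))
```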
Using cryptographic hash functions, we ensure previous blocks remain tamper evident; we now turn our attention to how digital signatures help us ensure current transactions are tamper evident as well. Public and private keys in Bitcoin are generated and used with the Elliptic Curve Digital Signature Algorithm (ECDSA). ECDSA has three key properties:
- Given the signed message and the sender’s public key, the recipient should be able to identify the message origin. Since the message was signed with the sender’s private key, the fact that the signature checks out under the matching public key demonstrates that the original sender authorized this message.
- The digital signature scheme must also ensure non-repudiation: once the sender signs the message, they should not be able to deny having done so.
- Finally, the scheme must maintain integrity: since messages are signed with the private key, they cannot be modified after signing without invalidating the signature.
Identity in Bitcoin is derived from private keys, which are generated randomly. A public key is the result of elliptic-curve point multiplication of the private key with a known generator point on the curve. Given the public key, it is computationally infeasible to recover the private key.
We can apply these concepts of private and public keys to understand how transactions in Bitcoin work. Spending bitcoin is the act of redeeming previous transaction outputs with a proof that you are the legitimate redeemer, and then specifying who can redeem the output of the transaction you are now creating, by encoding that person’s information in your transaction.
A transaction has three main sections:
- Metadata: Contains housekeeping data, a unique ID of this transaction, locktime, and size
- Inputs: Contains a list of previously created UTXOs and proof of eligibility to redeem this money
- Outputs: Contains a list of new UTXOs that will be sent to new addresses. These values are locked by a script only the intended redeemer can unlock.
Bitcoin uses a stack-based, Turing-incomplete language named Script to create transactions. A Locking Script is placed in a transaction output and specifies the requirements for redeeming it; an Unlocking Script is placed in the input of a later transaction and supplies what is needed to satisfy the previous output's Locking Script. Senders specify a Locking Script, and recipients specify an Unlocking Script. In Pay-to-Pub-Key-Hash (P2PKH), the recipient says “send your coins to the hash of this Public Key.” In Pay-to-Script-Hash (P2SH), the recipient says “Send your coins to the hash of this Script; I will provide the script and the data to make the script evaluate to true when I redeem the coins.” The latter is popular among customer-vendor transactions, where the vendor (recipient) is responsible for writing the script.
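To make the P2SH flow concrete, here is an added toy Script interpreter (not the lecture's or Bitcoin's code). It supports a handful of opcodes, uses SHA-256 in place of Bitcoin's HASH160 and a constructed JSON encoding for the pushed redeem script, and leaves out OP_CHECKSIG, so the redeem script shown is a hash lock rather than a signature check; the two-phase evaluation (hash of the script first, then the revealed script itself) is the part the P2SH description above relies on.

```python
import hashlib
import json

def h256(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for Bitcoin's HASH160 (RIPEMD-160 of SHA-256).
    return hashlib.sha256(data).digest()

def run(script, stack) -> bool:
    """Execute a script on the stack (opcodes are strings, data pushes are bytes);
    succeed only if the final top-of-stack item is true (non-empty)."""
    for item in script:
        if isinstance(item, bytes):
            stack.append(item)
        elif item == "OP_DUP" and stack:
            stack.append(stack[-1])
        elif item == "OP_SHA256" and stack:
            stack.append(h256(stack.pop()))
        elif item in ("OP_EQUAL", "OP_EQUALVERIFY") and len(stack) >= 2:
            equal = stack.pop() == stack.pop()
            if item == "OP_EQUAL":
                stack.append(b"\x01" if equal else b"")
            elif not equal:
                return False
        else:
            return False                     # unknown opcode or stack underflow
    return bool(stack) and bool(stack[-1])

def serialize(script) -> bytes:
    """Constructed encoding so a whole redeem script can be pushed as one data item."""
    return json.dumps([i.hex() if isinstance(i, bytes) else i for i in script]).encode()

def parse(data):
    try:
        return [i if i.startswith("OP_") else bytes.fromhex(i) for i in json.loads(data)]
    except (ValueError, TypeError, AttributeError):
        return None                          # the pushed item is not a script

def spend(unlocking, locking) -> bool:
    """Run unlocking then locking on one stack; for P2SH, then run the revealed redeem script."""
    if not run(unlocking + locking, []):
        return False
    if not (len(locking) == 3 and locking[0] == "OP_SHA256" and locking[2] == "OP_EQUAL"):
        return True                          # plain (non-P2SH) locking script satisfied
    redeem = parse(unlocking[-1])
    return redeem is not None and run(unlocking[:-1] + redeem, [])

# Constructed example: the recipient wrote a hash-lock redeem script ahead of time.
SECRET = b"constructed preimage"
REDEEM = ["OP_SHA256", h256(SECRET), "OP_EQUAL"]
LOCKING = ["OP_SHA256", h256(serialize(REDEEM)), "OP_EQUAL"]   # sender puts this in the output
UNLOCKING = [SECRET, serialize(REDEEM)]                       # recipient supplies this to redeem
```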