10. How to locate transaction
Assume transactions A through P in the Merkle tree.
We need O(log N) hashes to construct a path
to verify whether a transaction exists in the tree.
Authentication path:
H_L, H_IJ, H_MNOP, H_ABCDEFGH
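The path on the slide, worked through in code. This is an added example, not code from the slides: it builds a Merkle tree over 16 constructed transactions labelled A..P with Bitcoin's double-SHA256, returns the O(log N) sibling hashes for one leaf, labelled the way the slide writes them, and recomputes the root from the transaction plus the path. Odd levels are padded by repeating the last node, as Bitcoin does, so the same code handles any leaf count.

```python
import hashlib


def dhash(data):
    """Bitcoin's node hash: SHA256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def build_tree(leaves):
    """Return the tree as a list of levels, leaves first.

    Nodes are (label, digest) pairs; labels concatenate the leaf names so that a
    path reads like the slide (IJ, MNOP, ...). An odd level is padded by repeating
    its last node, as Bitcoin does.
    """
    level = [(name, dhash(tx)) for name, tx in leaves]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        level = [(a[0] + b[0], dhash(a[1] + b[1]))
                 for a, b in zip(level[0::2], level[1::2])]
        levels.append(level)
    return levels


def auth_path(levels, index):
    """Sibling hashes needed to recompute the root from leaf `index`: one per level."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        sibling = index ^ 1                       # partner in the same pair
        path.append((sibling > index, level[sibling]))   # True: sibling sits on the right
        index //= 2
    return path


def verify(leaf_tx, path, root):
    """Recompute the root from one transaction plus its authentication path."""
    h = dhash(leaf_tx)
    for sibling_is_right, (_label, sib) in path:
        h = dhash(h + sib) if sibling_is_right else dhash(sib + h)
    return h == root


# Constructed sample: 16 transactions named A..P, as on the slide.
TXS = [(chr(ord("A") + i), f"tx-{chr(ord('A') + i)}".encode()) for i in range(16)]
LEVELS = build_tree(TXS)
ROOT = LEVELS[-1][0][1]


def path_labels(name):
    """Labels of the authentication path for transaction `name`, e.g. K -> L, IJ, MNOP, ABCDEFGH."""
    idx = [n for n, _ in TXS].index(name)
    return [label for _, (label, _) in auth_path(LEVELS, idx)]


def verify_tx(name):
    idx = [n for n, _ in TXS].index(name)
    return verify(dict(TXS)[name], auth_path(LEVELS, idx), ROOT)


def all_leaves_verify(leaves):
    """Sanity check for any leaf count, including odd ones."""
    levels = build_tree(leaves)
    root = levels[-1][0][1]
    return all(verify(tx, auth_path(levels, i), root) for i, (_, tx) in enumerate(leaves))


if __name__ == "__main__":
    print("path for K:", path_labels("K"), "verified:", verify_tx("K"))
```

A light client holding only the root needs just these four hashes to be convinced that K is in the block; changing any byte of the transaction or of a path element makes the recomputed root differ.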
20. KEY (PUBLIC)
• UNCOMPRESSED: (x, y)
k = 04 x y
130 hex digits
04f29a7f486c90281f9396945e99ab35e2ed732c008ada71e8e745da38dc63ac97b723fe731555dfba9dd60c0cc8fbc8f26c35739f10c068125e6394839a47eb1e
• COMPRESSED:
k = 02 x, if y is even
k = 03 x, if y is odd
66 hex digits
02f29a7f486c90281f9396945e99ab35e2ed732c008ada71e8e745da38dc63ac97
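Compression and decompression of a secp256k1 public key, added here as an example (not code from the slides). Compression is string manipulation: keep x and replace 04 by 02 or 03 according to the parity of y. Decompression solves y^2 = x^3 + 7 (mod p) and picks the root whose parity matches the prefix; because p ≡ 3 (mod 4) the square root has the closed form shown. The key on the slide is used for the compression direction; the secp256k1 generator G (a known curve constant, not from the slide) is used to show the round trip. A receiver should also run the on-curve check before using any decoded point.

```python
# secp256k1 field prime (p ≡ 3 mod 4, which gives the closed-form square root below)
P = 2**256 - 2**32 - 977


def is_on_curve(uncompressed_hex):
    """Reject points that are not on y^2 = x^3 + 7; a decoder should always check this."""
    x, y = int(uncompressed_hex[2:66], 16), int(uncompressed_hex[66:], 16)
    return (y * y - (x ** 3 + 7)) % P == 0


def compress(uncompressed_hex):
    """04 || x || y  ->  02 || x (y even) or 03 || x (y odd)."""
    if len(uncompressed_hex) != 130 or not uncompressed_hex.startswith("04"):
        raise ValueError("expected a 130-hex-digit key beginning with 04")
    x_hex, y_hex = uncompressed_hex[2:66], uncompressed_hex[66:]
    prefix = "02" if int(y_hex, 16) % 2 == 0 else "03"
    return prefix + x_hex


def decompress(compressed_hex):
    """Recover y from x and choose the root with the parity the prefix names."""
    if len(compressed_hex) != 66 or compressed_hex[:2] not in ("02", "03"):
        raise ValueError("expected a 66-hex-digit key beginning with 02 or 03")
    want_even = compressed_hex[:2] == "02"
    x = int(compressed_hex[2:], 16)
    rhs = (pow(x, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)            # square root, valid because p ≡ 3 mod 4
    if (y * y) % P != rhs:
        raise ValueError("x is not the abscissa of a point on secp256k1")
    if (y % 2 == 0) != want_even:
        y = P - y                             # the other root has the opposite parity (p is odd)
    return "04" + f"{x:064x}" + f"{y:064x}"


# The key shown on the slide.
PAGE_UNCOMPRESSED = ("04f29a7f486c90281f9396945e99ab35e2ed732c008a"
                     "da71e8e745da38dc63ac97b723fe731555dfba9dd60c"
                     "0cc8fbc8f26c35739f10c068125e6394839a47eb1e")
PAGE_COMPRESSED = "02f29a7f486c90281f9396945e99ab35e2ed732c008ada71e8e745da38dc63ac97"

# secp256k1 generator point G, a known constant (not from the slide).
G_UNCOMPRESSED = ("0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"
                  "483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8")

if __name__ == "__main__":
    print(compress(PAGE_UNCOMPRESSED) == PAGE_COMPRESSED)
    print(decompress(compress(G_UNCOMPRESSED)) == G_UNCOMPRESSED)
```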
23. Mnemonic Code Word
1. Create a random sequence (entropy) of 128 to 256 bits
2. Create a checksum of the random sequence by taking the
first few bits of its SHA256 hash
3. Add the checksum to the end of the random sequence
4. Divide the sequence into sections of 11 bits, using those to
index a dictionary of 2048 pre-defined words
5. Produce 12-24 words representing the mnemonic code
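Steps 1 to 5 as runnable code, added here as an example (not from the slides or any wallet project). The checksum is the first ENT/32 bits of SHA256 (4 bits for 128-bit entropy, 8 bits for 256-bit), and the slide's "first few bits" is exactly that. Only the first four entries of the BIP39 English word list (abandon, ability, able, about) are embedded, which is enough for the all-zero entropy vector used below; a real wallet loads the full 2048-word list. The validity check reverses step 4 and recomputes the checksum, which is what a wallet must do before accepting a typed phrase, since a mistyped word is caught by the checksum only if the wallet actually checks it.

```python
import hashlib


def entropy_to_indices(entropy):
    """Steps 2-4: checksum = first len/32 bits of SHA256, append it, cut into 11-bit groups."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    digest = hashlib.sha256(entropy).digest()
    checksum = int.from_bytes(digest, "big") >> (256 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total_bits = ent_bits + cs_bits                     # always a multiple of 11
    return [(combined >> (total_bits - 11 * (i + 1))) & 0x7FF
            for i in range(total_bits // 11)]


def indices_are_valid(indices):
    """Reverse step 4, strip the checksum and recompute it; False means a mistyped phrase."""
    total_bits = len(indices) * 11
    if total_bits % 33:
        return False
    cs_bits = total_bits // 33
    ent_bits = total_bits - cs_bits
    combined = 0
    for i in indices:
        if not 0 <= i < 2048:
            return False
        combined = (combined << 11) | i
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    return entropy_to_indices(entropy) == list(indices)


# Assumption: only the first four words of the English list are embedded here.
WORDS_PREFIX = ["abandon", "ability", "able", "about"]


def mnemonic_for(entropy, wordlist):
    """Step 5: map each 11-bit index to a word."""
    return " ".join(wordlist[i] for i in entropy_to_indices(entropy))


if __name__ == "__main__":
    # Constructed input: 128 zero bits, the classic all-"abandon" test vector.
    print(mnemonic_for(bytes(16), WORDS_PREFIX))
```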
26. Hierarchical Deterministic Wallets
• the tree structure can be used to express additional organizational meaning
• users can create a sequence of public keys without having access to the
corresponding private keys
• useful on an insecure server or in a receive-only capacity
28. Hierarchical Deterministic Wallets
• parent private key and public key (256-bit)
• seed called a chain code (256-bit)
• index number (32-bit)
Extended Keys: key + chain code
30. Hierarchical Deterministic Wallets
• Solution: Hardened Child Key Derivation
• use the parent private key to derive the child chain code
• best practice: the level-1 children of the master keys are always derived
through hardened derivation, to prevent compromise of the master keys
31. Hierarchical Deterministic Wallets
• Index numbers for normal and hardened derivation
• Normal: 0 ~ 2^31 - 1, first one displayed as 0
• Hardened: 2^31 ~ 2^32 - 1, first one displayed as 0'
• HD wallet key identifier (path)
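Slides 26 to 31 together, as an added example (not code from the slides or from any wallet library): child key derivation with HMAC-SHA512 over the parent chain code, hardened derivation that feeds the parent private key into the HMAC, normal derivation that feeds only the parent public key, and the path notation in which 0' means index 2^31. The secp256k1 arithmetic is hand-rolled for illustration and the seed is the one from BIP32 test vector 1; both are assumptions beyond the slide. The last function checks the property slide 26 relies on: a holder of the extended public key derives the same normal child public key as the holder of the private key.

```python
import hashlib
import hmac

# secp256k1 parameters (known curve constants, not from the slides)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 2**31          # hardened indices are 2^31 .. 2^32-1, displayed as 0', 1', ...


def point_add(p, q):
    """Group law on y^2 = x^3 + 7; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def point_mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def serialize(point):
    """33-byte compressed public key: 02 for even y, 03 for odd y, then x."""
    x, y = point
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def master_key(seed):
    """Master private key and chain code from the seed (BIP32)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_priv(k_par, c_par, index):
    """Child private key + chain code. Hardened: parent private key enters the HMAC;
    normal: only the parent public key does. (BIP32's ~2^-128 invalid-key edge case is not handled.)"""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")
    else:
        data = serialize(point_mul(k_par, G))
    i = hmac.new(c_par, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(i[:32], "big") + k_par) % N, i[32:]


def ckd_pub(K_par, c_par, index):
    """Child public key from the parent public key alone; only possible for normal indices."""
    if index >= HARDENED:
        raise ValueError("hardened children cannot be derived from the parent public key")
    i = hmac.new(c_par, serialize(K_par) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return point_add(point_mul(int.from_bytes(i[:32], "big"), G), K_par), i[32:]


def parse_path(path):
    """m/0'/1 -> [2**31, 1]; a trailing ', h or H marks a hardened index."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    indices = []
    for part in parts[1:]:
        hardened = part[-1] in "'hH"
        number = int(part.rstrip("'hH"))
        if not 0 <= number < HARDENED:
            raise ValueError(f"index {number} out of range")
        indices.append(number + HARDENED if hardened else number)
    return indices


def derive(seed, path):
    k, c = master_key(seed)
    for index in parse_path(path):
        k, c = ckd_priv(k, c, index)
    return k, c


def public_derivation_matches(seed, path, child_index):
    """Slide 26's property: xpub holder and xprv holder agree on a normal child's public key."""
    k, c = derive(seed, path)
    k_child, c1 = ckd_priv(k, c, child_index)
    K_child, c2 = ckd_pub(point_mul(k, G), c, child_index)
    return point_mul(k_child, G) == K_child and c1 == c2


# Seed from BIP32 test vector 1 (assumption: taken from the BIP, not from the slides).
SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

if __name__ == "__main__":
    print(parse_path("m/0'/1"), public_derivation_matches(SEED, "m/0'", 1))
```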
33. Key Format
• Private Key
• Wallet Import Format(WIF) : a way of encoding a private
key so as to make it easier to copy
• Public Key
34. Other Format
• Encrypted Private Key
• private key (usually in WIF) + passphrase
• => Base58Check encoded encrypted private key with the prefix 6P
• need the passphrase to decrypt
35. • Block Structure
• Key, Address and Wallet
• Transaction
• Mining and Consensus
• Network
38. Life Cycle
• Most important thing in the Bitcoin network
• All designs in Bitcoin are created for a transaction's creation,
broadcast and verification
• Life cycle: CREATED -> SIGNED -> BROADCASTED -> VERIFIED AND COLLECTED
Every node will send a validated transaction to its 3~4 neighbors.
39. UTXO
• Unspent Transaction Output
• locked to a specific owner
• no balance for a bitcoin address account; only scattered UTXOs
• balance is the sum of the UTXOs of that address
Account-based ledger:
Alice transfers $10 to me
Bob transfers $5 to me
I transfer $13 to David
I transfer $10 to Alice
Transaction-based ledger:
Input from a1, $10, to me
Input from b1, $5, to me
Input from c1, c2, $13, to David
Input from c3, $5, to Alice
only need to verify the output of a specific transaction
40. UTXO
• efficient verification
• consolidating funds: merge my own coins together into one address
• joint payments: combine payments from multiple persons
• change address: the change is sent to another address
42. Structure
• Metadata
• Locktime
• the earliest time that a transaction is valid and can be
relayed on the network or added to the blockchain
• = 0 : no locktime limit
• < 500 million : block height
• > 500 million : Unix Epoch timestamp
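A small transaction-based ledger, added here as an example (not code from the slides), covering slides 39 and 40 (UTXOs, balance as a sum of outputs, consolidation and change), slide 42 (locktime as block height below 500 million and as a Unix timestamp at or above it, Bitcoin Core's boundary) and slide 55 (the fee, which is the amount by which inputs exceed outputs and which the miner keeps). The scenario is the slide's: a1 pays me $10, b1 pays me $5, and one transaction pays David $13. Applying a transaction re-checks that every input is still unspent, which is the check that rejects a double spend.

```python
from dataclasses import dataclass

LOCKTIME_THRESHOLD = 500_000_000   # below: block height; at or above: Unix timestamp


@dataclass
class Tx:
    txid: str
    inputs: list        # (txid, vout) outpoints being spent
    outputs: list       # (owner, amount) pairs; list position is the vout
    locktime: int = 0


def balance(utxos, owner):
    """There is no account balance; the balance is the sum of the UTXOs locked to the owner."""
    return sum(amount for owner_, amount in utxos.values() if owner_ == owner)


def fee_of(utxos, tx):
    """Inputs exceed outputs by the fee."""
    return sum(utxos[i][1] for i in tx.inputs) - sum(a for _, a in tx.outputs)


def is_final(tx, block_height, block_time):
    """Locktime semantics: 0 means no limit; otherwise the transaction is valid once the
    chain has passed the named height or time (strict comparison, as in Bitcoin Core)."""
    if tx.locktime == 0:
        return True
    limit = block_height if tx.locktime < LOCKTIME_THRESHOLD else block_time
    return tx.locktime < limit


def apply_tx(utxos, tx, block_height, block_time):
    """Validate, then return the new UTXO set; the input set is left untouched."""
    if not is_final(tx, block_height, block_time):
        raise ValueError(f"{tx.txid}: locktime not yet reached")
    for outpoint in tx.inputs:
        if outpoint not in utxos:
            raise ValueError(f"{tx.txid}: input {outpoint} is not unspent (double spend or unknown)")
    if fee_of(utxos, tx) < 0:
        raise ValueError(f"{tx.txid}: outputs exceed inputs")
    new = dict(utxos)
    for outpoint in tx.inputs:
        del new[outpoint]
    for vout, (owner, amount) in enumerate(tx.outputs):
        new[(tx.txid, vout)] = (owner, amount)
    return new


def build_payment(utxos, sender, payments, fee, txid):
    """Gather the sender's UTXOs (consolidation), pay each recipient, return the change to the sender."""
    need = sum(a for _, a in payments) + fee
    chosen, total = [], 0
    for outpoint, (owner, amount) in utxos.items():
        if owner == sender and total < need:
            chosen.append(outpoint)
            total += amount
    if total < need:
        raise ValueError("insufficient funds")
    outputs = list(payments)
    if total > need:
        outputs.append((sender, total - need))   # change output
    return Tx(txid, chosen, outputs)


def ledger_example():
    """Constructed scenario from the slide: a1 and b1 paid me, then I pay David."""
    before = {("a1", 0): ("me", 10), ("b1", 0): ("me", 5)}
    tx_c = build_payment(before, "me", [("David", 13)], fee=1, txid="c")
    after = apply_tx(before, tx_c, block_height=100, block_time=1_600_000_000)
    return before, tx_c, after


if __name__ == "__main__":
    before, tx_c, after = ledger_example()
    print(balance(before, "me"), "->", balance(after, "me"), "fee", fee_of(before, tx_c))
```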
49. Script
• Pay-to-public-key-hash (P2PKH)
• Majority
• Public-key
• Public key is stored in the locking script rather than the public key hash
• generated by older mining software that has not been updated to use P2PKH
50. Script
• Multi-Signature
• Locking script
• M <Public Key 1> <Public Key 2> ... <Public Key N> N OP_CHECKMULTISIG
• Unlocking script
• OP_0 <Signature B> <Signature C>
• Data Output (OP_RETURN)
• allows developers to add 40 bytes of non-payment data to a transaction output
• unspendable output
51. Script
• Pay-to-Script-Hash (P2SH)
• pay to a script matching this hash, a script which will be presented later
when this output is spent
• P2SH addresses are Base58Check encodings of the 20-byte hash of a script
• use version prefix 5, which results in Base58Check encoded addresses starting with 3
• the redeem script can be invalid, which will result in unspendable bitcoin
54. Script
advantage:
nodes keep less record
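Base58Check as an added example (not code from the slides), serving both slide 33 (the Wallet Import Format wraps a private key with version byte 0x80 and a 4-byte double-SHA256 checksum) and slides 51 to 54 (version prefix 5 in front of a 20-byte script hash yields an address starting with 3, prefix 0 yields one starting with 1). The private key and the script hash are constructed; the script hash is a truncated SHA256 standing in for HASH160, since RIPEMD160 is not available in every Python build. Decoding re-verifies the checksum, which is what catches a mistyped or corrupted address before funds are sent to it.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"   # no 0, O, I, l


def _checksum(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def base58check_encode(version, payload):
    data = version + payload
    data += _checksum(data)
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = ALPHABET[r] + digits
    zeros = len(data) - len(data.lstrip(b"\x00"))      # each leading zero byte becomes a '1'
    return "1" * zeros + digits


def base58check_decode(text):
    """Return (version, payload); raises on a bad character or a checksum mismatch."""
    n = 0
    for ch in text:
        if ch not in ALPHABET:
            raise ValueError(f"character {ch!r} is not valid Base58")
        n = n * 58 + ALPHABET.index(ch)
    zeros = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        raise ValueError("too short to carry a version byte and checksum")
    data, checksum = raw[:-4], raw[-4:]
    if _checksum(data) != checksum:
        raise ValueError("checksum mismatch: the string was mistyped or corrupted")
    return data[:1], data[1:]


def to_wif(privkey, compressed):
    """WIF: 0x80 || key || (0x01 if the matching public key is compressed) || checksum."""
    if len(privkey) != 32:
        raise ValueError("private key must be 32 bytes")
    return base58check_encode(b"\x80", privkey + (b"\x01" if compressed else b""))


def from_wif(wif):
    """Return (privkey, compressed) after checksum and version checks."""
    version, payload = base58check_decode(wif)
    if version != b"\x80":
        raise ValueError("not a mainnet WIF private key")
    if len(payload) == 33 and payload[-1] == 1:
        return payload[:32], True
    if len(payload) == 32:
        return payload, False
    raise ValueError("unexpected WIF payload length")


def p2pkh_address(pubkey_hash20):
    return base58check_encode(b"\x00", pubkey_hash20)     # starts with 1


def p2sh_address(script_hash20):
    return base58check_encode(b"\x05", script_hash20)     # starts with 3


# Constructed sample values (not real keys or scripts).
PRIVKEY = bytes(range(1, 33))
SCRIPT_HASH = hashlib.sha256(b"constructed redeem script placeholder").digest()[:20]

if __name__ == "__main__":
    print(to_wif(PRIVKEY, False), to_wif(PRIVKEY, True), p2sh_address(SCRIPT_HASH))
```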
55. Transaction Fee
• = sum of outputs - sum of inputs
• independent of the transaction's bitcoin value, but generally determined by
the size of the transaction
• others are more willing to put a transaction into a block if its fee is high
• is used to stop spam transactions and DDoS
56. • Block Structure
• Key, Address and Wallet
• Transaction
• Mining and Consensus
• Network
61. Task of Bitcoin Miners
• maintain the block chain and listen for new blocks
• listen for transactions: listen and validate
• assemble a new block
• compute the answer (nonce) and broadcast the block
62. Proof of Work
• spam email check
• difficult to produce but easy to verify
• a base string + nonce -> hash
• nonce : number used only once
• base string : Hello, world!
• target : hash begins with certain zeros
64. Difficulty
• on average, one block is generated every 10 minutes
• this determines the difficulty
• adjusted every 2 weeks
• next_difficulty = previous_difficulty * (2 weeks) / (time to mine the last 2016 blocks)
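Slides 62 and 64 in code, added here as an example (not from the slides). The proof of work is the Hashcash-style puzzle the slide describes: append a nonce to the base string "Hello, world!" until the SHA256 hex digest begins with the required number of zeros; finding a nonce takes many tries, checking one takes a single hash. The retarget function applies the slide's formula and adds the safeguard Bitcoin actually uses, which limits each adjustment to a factor of 4 in either direction so that a badly skewed measurement cannot swing the difficulty arbitrarily.

```python
import hashlib
import itertools


def pow_hash(base, nonce):
    """base string + nonce -> SHA256 hex digest."""
    return hashlib.sha256(f"{base}{nonce}".encode()).hexdigest()


def meets_target(digest_hex, zeros):
    return digest_hex.startswith("0" * zeros)


def mine(base, zeros, max_tries=10_000_000):
    """Hard direction: try nonces until the hash meets the target (about 16^zeros tries)."""
    for nonce in itertools.count():
        if nonce >= max_tries:
            raise RuntimeError("gave up before finding a nonce")
        if meets_target(pow_hash(base, nonce), zeros):
            return nonce


def verify(base, nonce, zeros):
    """Easy direction: one hash."""
    return meets_target(pow_hash(base, nonce), zeros)


TWO_WEEKS = 2 * 7 * 24 * 3600


def next_difficulty(previous, actual_seconds, expected=TWO_WEEKS):
    """Slide 64's retarget with Bitcoin's clamp: the measured time is limited to
    [expected/4, expected*4], so difficulty moves at most 4x per adjustment."""
    actual = min(max(actual_seconds, expected // 4), expected * 4)
    return previous * expected / actual


if __name__ == "__main__":
    base = "Hello, world!"
    nonce = mine(base, 4)
    print(nonce, pow_hash(base, nonce), verify(base, nonce, 4))
    print(next_difficulty(1000, TWO_WEEKS // 2))
```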
65. Coinbase Transaction
• a null hash pointer
• a parameter containing arbitrary data, usually used to signal support by miners
for different new features (vote)
• BIP, Bitcoin Improvement Proposal
• value contains the block reward and all the transaction fees of the block
69. Problem & Attack
• steal bitcoin?
• protected by digital signatures
• steal private keys
• fork
• P2P network latency
• miners will go with the main (longest) chain
• lose if not on the main chain
• double-spend attack?
• a block is generated about every 10 minutes
• should wait for at least 6 blocks (confirmations)
70. Problem & Attack
• Sybil attacks
• refuse to relay blocks and transactions,
disconnecting you from the network
• open to double-spending attacks
• 51% attack
• could change the main chain
73. Application of Bitcoin
• Escrow Application
• MULTISIG and a third party
• green address
• bank-controlled address
• the bank guarantees it will not double-spend (real-world guarantee), so the
recipient won't have to worry about confirmations of the transaction, which
would take an hour
• trackable
74. Application of Bitcoin
• micro-payment
• bond: broadcast by the recipient in the beginning
• refund: MULTISIG, requires both sender and receiver to sign; spends the money
of the bond, transferring it to both sender and recipient
• lock time: set a time t; if the recipient fails to broadcast the payment by t,
the sender can get the whole amount back instead of the money being held
hostage by the recipient
79. Mining History
• FPGA Mining
• Field Programmable Gate Array, Verilog
• allowing the owner of the card to customize it
or reconfigure it
• better performance, cooling
• malfunction and errors, difficult to optimize the
32bit addition step, less accessible
81. Mining History
• ASIC Mining
• Application Specific Integrated Circuits
• chips designed, built, and optimized for the
sole purpose of mining Bitcoins
• rapidly increasing network hash rate, shipping
speed is crucial
• short lifetime
89. Mining Pool
• pay-per-share
• flat fee on every share, even if no valid block is found
• the manager absorbs the risk
• can be taken advantage of by competitors
• proportional
97. SPV client
• Simplified Payment Verification nodes
• retrieve only block headers, 1000 times smaller than the full blockchain
• request specific transactions from peers
• Sybil attack
• double spending attack
• privacy revealed
• Bloom Filter
98. Bloom Filter
• probabilistic search filter, a way to describe a
desired pattern without specifying it exactly
• a variable-size array of N binary digits
• a variable number of M hash functions, output
between 1 and N
• varying the level of accuracy and therefore
privacy by picking different N & M
99. Bloom Filter
• To add a pattern to the bloom filter, the pattern is
hashed by each hash function in turn
• corresponding bit of hash output is set to 1
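A Bloom filter with the slide's parameters N (bits) and M (hash functions), added here as an example (not code from the slides or from any Bitcoin client). The M hash functions are simulated by SHA256 keyed with the function index; Bitcoin's BIP37 filters use MurmurHash3 with per-function seeds instead, so this is an assumption about the hashing, not about the structure. Adding a pattern sets M bits; a query reports a match only if all M bits are set, so a miss is certain while a hit may be a false positive. The false-positive measurement over constructed non-member patterns shows the privacy trade-off slide 98 names: a small N saturates quickly and matches many unrelated transactions, so the peer learns less about which ones the client really cares about.

```python
import hashlib


class BloomFilter:
    def __init__(self, n_bits, n_hashes):
        if n_bits < 1 or n_hashes < 1:
            raise ValueError("N and M must be positive")
        self.n, self.m = n_bits, n_hashes
        self.bits = bytearray(n_bits)       # one byte per bit, for clarity

    def _positions(self, pattern):
        """M hash functions, each with output in [0, N). Assumption: SHA256 keyed by index,
        not BIP37's MurmurHash3 seeds."""
        for i in range(self.m):
            h = hashlib.sha256(i.to_bytes(4, "little") + pattern).digest()
            yield int.from_bytes(h[:8], "big") % self.n

    def add(self, pattern):
        """Slide 99: hash the pattern with each function and set the corresponding bit."""
        for pos in self._positions(pattern):
            self.bits[pos] = 1

    def might_contain(self, pattern):
        """All M bits set -> possibly present; any bit clear -> definitely absent."""
        return all(self.bits[pos] for pos in self._positions(pattern))

    def fill_ratio(self):
        return sum(self.bits) / self.n


def false_positive_rate(bloom, probes):
    """Fraction of patterns that were never added but still match."""
    return sum(bloom.might_contain(p) for p in probes) / len(probes)


# Constructed sample: three "watched" patterns and a set of unrelated probes.
WATCHED = [b"addr-alice", b"addr-bob", b"addr-carol"]
PROBES = [f"unrelated-{i}".encode() for i in range(1000)]


def demo(n_bits, n_hashes):
    """Return (all watched patterns match, fill ratio, false-positive rate) for given N and M."""
    bloom = BloomFilter(n_bits, n_hashes)
    for pattern in WATCHED:
        bloom.add(pattern)
    return (all(bloom.might_contain(p) for p in WATCHED),
            bloom.fill_ratio(),
            false_positive_rate(bloom, PROBES))


if __name__ == "__main__":
    for n in (16, 256, 4096):
        print(n, demo(n, 3))
```

Running the demo with a larger N lowers both the fill ratio and the false-positive rate, which is the knob the slide describes: more accuracy for the client, less privacy from the peer.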