Blockchain Lecture 2

Kookmin University
Hyoung Joong Kim

2024/09/23

[email protected]
https://www.facebook.com/groups/622457634874980
• Blockchain: Fall Semester, 3rd Year
• Blockchain & Cryptography: Spring Semester, 4th Year

• What to Learn
• Major features and applications of Bitcoin and cryptocurrencies
• Textbook: Bitcoin and Cryptocurrency Technologies
• Lecture link: https://bitcoinbook.cs.princeton.edu/
• Q&A and discussions: https://www.facebook.com/groups/622457634874980
• Who Should Listen
• Those who are interested in the future of the financial industry
• Those who are looking for new areas in electronic engineering, computer engineering, financial engineering, etc.
• What to Pay Attention To
• In principle, lectures are face-to-face at Kookmin University and, at the same time, online for students of other universities.
• Because lectures are held both online and offline, assignments replace the midterm/final exams.
• Questions/discussions/quizzes/assignments will count toward your grade.
• Submit to: [email protected]
Centralization vs Decentralization

• Centralization and decentralization compete in a variety of different digital technologies.
• The Internet is a decentralized system that has historically competed with and prevailed against “walled-garden” social media such as Facebook.
• Email based on the Simple Mail Transfer Protocol (SMTP) is a decentralized system, but most users rely on a centralized service like Gmail instead of their own servers.
• Many users love the decentralized version control system (DVCS), but prefer a single, central,
and shared repository such as GitHub.
• People are still new to decentralized systems and have yet to find applications that can fully
leverage their advantages.
• The most successful and innovative decentralized service to date is cryptocurrency and
decentralized finance.
Aspects of Decentralization in Bitcoin

1. Who maintains the ledger of transactions?


• Like referees, nodes maintain ledgers of all transactions.
2. Who has authority over which transactions are valid?
• Nodes validate each block before it can be added to the blockchain.
3. Who creates new bitcoins?
• New bitcoins are created by miners through the mining process.
4. Who determines how the rules of the system change?
• Developers make a proposal and miners vote on it.
5. How do bitcoins acquire exchange value?
• Bitcoin is given value by its users, supply, and demand.

In Bitcoin alone, there is no individual or entity that arbitrarily decides any of the above.
Bitcoin Peer-to-Peer Network
• The Bitcoin P2P network is close to purely decentralized, since anybody can run a Bitcoin node, and the entry barrier is fairly low.

• Bitcoin mining is technically also open to anyone, but it requires a high capital cost.
• Bitcoin nodes run updates to the software, which has a bearing on how and when the rules of the
system change.
Bitcoin’s Key Challenge

• The key technical problem in building a distributed e-cash system is achieving distributed
consensus.
• The distributed consensus problem seeks agreement among a number of nodes on a single data
value.
• Did the miner find a correct nonce value to receive the mining reward?
• Does the Bitcoin transaction constitute a double spend?
• A majority consensus requires more than half of the available votes, but one or more faulty
nodes can distort the resulting outcome, resulting in no consensus or consensus being reached
in the wrong way.
• Protocols that solve consensus problems are designed to deal with a limited number of faulty or
malicious nodes.
Distributed Key-Value Store for Bitcoin
[Figure: Input Data (Key/Value pairs: 1243/ABCD, 2857/WXYZ); Data Partition Logic; Consistent Hash Function; Key-Value Store, LevelDB (LSM-tree); Server 1, Server 2, Server 3.]

Distributed Key-Value Store

Key | Value
Block Hash (32 Bytes) | Block Information
Transaction Hash (32 Bytes) | Transaction Information

• The Bitcoin network consists of full nodes (archival nodes or pruned nodes) or lightweight (Simple Payment Verification) nodes that can utilize a distributed key-value store.
• Distributed consensus technology is required to ensure that nodes are always synchronized and store the same results.
• A distributed key-value store can be used for distributed domain name services or a public key directory.
Distributed Consensus

• Assumption
• There are n nodes, and each node has an input value.
• Some of these nodes are faulty or malicious.
• Fail-stop: faulty nodes stop and do not work. (see Paxos or Raft algorithms)
• Byzantine: faulty nodes may work arbitrarily. (See PBFT algorithm)
• A distributed consensus protocol has the following three properties:
• Termination (Liveness): All honest nodes eventually decide. (Liveness guarantees that
“something good eventually happens.”)
• Agreement (Safety): All honest nodes select the same value. (Safety guarantees that “a bad
thing never happens.”)
• Validity: The value that has been decided must have been proposed by some honest node.

Read https://users.cs.duke.edu/~chase/cps212-archive/slides/consensus.pdf
Impossibility Results

• FLP (Fischer, Lynch, and Paterson) impossibility means that, in an asynchronous network, no distributed consensus protocol can meet the three properties (liveness, safety, and fault tolerance) at the same time.
• The consensus model of Bitcoin puts an emphasis on liveness so that a new block is generated every 10 minutes.
• BFT-style consensus models (i.e. PBFT of Tendermint) prioritize safety first.

[Figure: three failure models between a sender node and a receiver node: Byzantine fault model (wrong message), asynchronous network model (unbounded message delay), and node failure (X).]
Specialties of Bitcoin Consensus

• FLP impossibility results were proven for a specific model such as distributed databases, and
this model doesn’t carry over very well to the Bitcoin setting.
• Incentive:
• Bitcoin mining nodes must submit correct values to receive block mining rewards and transaction fees. (validity)
• Bitcoin incentives are monetary incentives, which motivate actors to behave honestly.
• Provability:
• Since the things that must be agreed upon are publicly verifiable values, such as hash values,
there can be no disagreement.
• Randomness:
• It does away with the notion of a specific starting point and ending point for consensus.
• Consensus takes place over a long time, about an hour in the practical system. (Liveness
over Safety or Finality)
Consensus without Identity Using a Blockchain

• Bitcoin nodes do not have persistent, long-term identities.


• In a pure peer-to-peer system, there is no central authority to assign identities to nodes and
prevent new nodes from being created randomly. (decentralized)
• Sybil attacks become much easier when nodes do not have identity.
• A malicious adversary can gain profit by arbitrarily creating and controlling multiple nodes
(a.k.a. Sybils).
• The self-generated public key used as the participant's identity is not linked to their real-
life identity (such as social security number or driver license number).
• Pseudonymity is essentially the goal of Bitcoin to support privacy.
• Bitcoin does not provide strong anonymity, as multiple transactions can often be linked to
each other (linkability), but it does have the advantage that no one needs to reveal their
real-life identity to participate (anonymity).
Consensus without Identity

• Identification is important for security.


• A Bitcoin node can function properly without an identity.
• In a Bitcoin network, like a lottery or raffle system, there is no need to track people, assign
them identities, or verify their identities.
• Sybil attack is difficult and extremely expensive.
• Miners are randomly successful at generating a new block.
• Malicious miners only have a chance to attack if mining is successful.
• Even if the adversary creates many Sybil nodes, only one Sybil node will randomly succeed
in generating a new block.
• It is not cost-effective for the adversary to multiply his computing power by creating Sybil nodes.
Implicit Consensus
Explicit describes something that is very clear and without vagueness or
ambiguity. Implicit often functions as the opposite, referring to something
that is understood, but not described clearly or directly, and often using
implication or assumption.
To help remember, explicit things are explained, implicit things are implied.

• There is no consensus on which block to choose in each round, and no voting of any kind, but
a random node wins the mining competition and creates the block.
• There is a process in place to handle whether the node in question is malicious, but it is an implicit one.
• Other nodes will implicitly accept or reject that block by choosing whether or not to build
on top of it.
• If they accept that block, they extend the blockchain and include the accepted block,
signaling their acceptance to their peers.

• If they reject that block, they discard that block and expand the blockchain based on
previously accepted block.
Consensus Algorithm (Simplified)
1. Unconfirmed new transactions are broadcast to all nodes and stored in a node’s memory pool.
• Since there is no centralized memory pool, each node maintains its own mempool, so different
nodes can store different TXs in their own mempools.
• The node checks and validates the TX, adding it to its mempool and broadcasting it to its peers.
2. Each node collects unconfirmed new transactions into a block.
• Each node that receives the TX checks and validates the TX, replicating it across the network.
3. In each round a random node gets to broadcast its block.
• Mining nodes add the TXs to a block and then compete to solve the hash of the block to be the one to add it to the blockchain.
• Once a miner is successful and the block of TXs is added to the blockchain, the new block is
broadcast back across the network.
4. Other nodes accept the block only if all transactions in it are valid (unspent, valid signatures).
• If the nodes have any of those mined TXs stored in their mempool, they remove the TXs.
5. Nodes express their acceptance of the block by including its hash in the next block they create.
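
Steps 1 and 4 above, as an added example that is not part of the original slides: each node keeps its own mempool and its own set of unspent coins, and a block is accepted only if every TX in it spends a coin that is still unspent. The `Tx` and `Node` classes and the coin ids are hypothetical, and signature verification is assumed to have been done already.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    spends: tuple    # ids of the coins this TX consumes
    creates: tuple   # ids of the coins this TX creates

class Node:
    def __init__(self, utxo):
        self.utxo = set(utxo)   # coins that exist and are still unspent
        self.mempool = {}       # txid -> Tx; every node keeps its own

    def accept_tx(self, tx):
        """Step 1: validate an unconfirmed TX before storing and relaying it."""
        if not set(tx.spends) <= self.utxo:
            return False        # coin is unknown or already spent on chain
        pending = {c for t in self.mempool.values() for c in t.spends}
        if pending & set(tx.spends):
            return False        # conflicts with a TX this node saw earlier
        self.mempool[tx.txid] = tx
        return True

    def accept_block(self, block):
        """Step 4: accept a block only if every TX in it spends unspent coins."""
        available = set(self.utxo)
        for tx in block:
            if not set(tx.spends) <= available:
                return False    # one bad TX rejects the whole block
            available -= set(tx.spends)
            available |= set(tx.creates)
        self.utxo = available
        # Drop confirmed TXs and any pending TX that would now double-spend.
        self.mempool = {i: t for i, t in self.mempool.items()
                        if set(t.spends) <= self.utxo}
        return True

def demo():
    pay_bob = Tx("tx1", ("C_A",), ("C_B",))     # C_A -> B
    pay_self = Tx("tx2", ("C_A",), ("C_A2",))   # C_A -> A, the double spend
    n1, n2 = Node({"C_A"}), Node({"C_A"})
    return {
        "n1_first": n1.accept_tx(pay_bob),
        "n1_conflict": n1.accept_tx(pay_self),
        "n2_first": n2.accept_tx(pay_self),       # n2 heard tx2 first
        "both_in_block": n1.accept_block([pay_bob, pay_self]),
        "n2_block": n2.accept_block([pay_bob]),   # tx1 gets mined
        "n2_still_pending": "tx2" in n2.mempool,
        "n2_late_block": n2.accept_block([pay_self]),
    }

if __name__ == "__main__":
    print(demo())
```

The two nodes disagree while the TXs are unconfirmed, because their mempools differ; once one TX is in an accepted block, both reject the other.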
Malicious Actions in Bitcoin
• Stealing Bitcoin: Can Alice steal bitcoins of Bob?
• Alice must succeed in generating a block.
• Alice must create a valid transaction to move Bob’s bitcoin, but Alice cannot know Bob’s
private key.

• Denial of Service Attack: Can Alice deny service to Bob?


• Alice must succeed in generating a block.
• Alice can exclude any transactions originating from Bob’s address.
• Other miners will include Bob’s transaction.

• Block Withholding Attack: Can Alice withhold a valid block?


• Alice succeeds in generating a valid block, but refuses to broadcast it to make the
mining pool lose all bitcoin rewards. (see sabotage attack)
• If Alice later broadcasts the withheld block, one of the valid blocks will be appended to
the blockchain and the rest will be discarded. (see selfish mining)

Read https://hackingdistributed.com/2014/12/03/the-miners-dilemma/
Double Spending Attack
[Figure: a coin $C_A$ and two transactions that spend it.
$C_A \to B$: transaction pointer to $H(C_A)$; digital signature, signed by Alice with $sk_A$; pay to Bob with $pk_B$.
Double spending attempt, $C_A \to A$: transaction pointer to $H(C_A)$; digital signature, signed by Alice with $sk_A$; pay to Alice with $pk_A$.]

• Double spending chance is low: two or more blocks must be created simultaneously, and transactions attempting to move the same coin must be accepted in each block.
• In fact, double spending attacks were rampant:
Read https://ethereumclassic.org/blog/2023-11-21-what-is-a-51-attack
Double Spending Attack

[Figure: coin $C_A$ spent by both $C_A \to B$ and $C_A \to A$.]

• Cryptography protects against invalid TXs being confirmed, and the consensus protocol screens out invalid TXs.
• Only the longest chain survives; the rest are discarded.
• Since Bitcoin is designed to favor agreement (safety) over termination (liveness), it is safe to wait for at least 6 confirmations to avoid double spending.
Incentives and Proof of Work

• Punishment is not easy.


• There is no engineering technique to detect the attacker’s intention and deliberateness in
advance.
• It is not easy to determine which is the morally legitimate transaction (see Alice → Bob or Alice → Alice) since there is no global memory pool to detect the possibility of malicious attack (e.g., double spending attack).
• It is not easy to penalize the malicious nodes since they don’t have identities.
• Incentives can make nodes behave well.
• If a problem cannot be solved technically, introducing incentives or regulations may be
effective.
• Block reward and transaction fees are the two pillars of incentive.
Two Pillars of Incentive: Block Reward and Transaction Fees
Block Reward
• Block rewards go to the proof-of-work miners who validate TXs on the blockchain and secure the network.
• Block rewards are not awarded when a node engages in malicious behavior.
• In 2009, the block reward was 50 BTC per block, and it is halved every 210,000 blocks created.
• As the halving continues, the block reward will converge to 0 in 2140 and then stop.
• The introduction of block reward halving was designed to suppress inflation and make Bitcoin a
deflationary currency.
• Bitcoin operates on a deflationary model with a fixed supply cap of 21 million BTC.

Transaction Fees
• All transaction fees generated from transactions included in a block are given to the miner who
successfully created the block.
• Transaction fees were originally used as a way to discourage people from flooding the network with
transactions, but they are primarily a means of incentivizing miners to add transactions to blocks.
• After 2140, transaction fees will be the only incentive.
Mining and Proof of Work

• The core idea of proof-of-work is to ensure that nodes are selected randomly in proportion to their resources, so that no one can monopolize mining.
• If the resource is computing power, then that is proof-of-work.
• If it is proportional to the ownership of the cryptocurrency, then it is proof of stake.

• The mining process is finding a nonce satisfying $H(\text{nonce} \mid \text{previous hash} \mid tx \mid tx \mid \cdots \mid tx) < \text{target}$.
• The difficulty of Bitcoin mining is adjusted so that on average, 1 block is generated every 10
minutes, or 2,016 blocks every two weeks.
• Each attempt at solving the hash puzzle is a Bernoulli trial, which is a probabilistic random experiment in which there are only two possible outcomes: the hash either falls below the target or does not.
• Bernoulli trials can be well approximated by a continuous probability process (a.k.a., Poisson
process), for a series of discrete events where the average time between events is known, but the
exact timing of events is random.

Read https://suhailsaqan.medium.com/explaining-bitcoin-mining-as-a-poisson-distribution-92b2481fb80f
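
The hash puzzle above as an added example, not taken from the slides: a miner tries nonces until the hash falls below the target, and each try is a Bernoulli trial with success probability target / 2^256. The byte layout, the sample transactions and the targets are constructed for illustration; the hash is SHA-256 applied twice, as Bitcoin does, but this is not the real 80-byte block header.

```python
import hashlib

def block_hash(nonce, prev_hash, txs):
    """H(nonce | previous hash | tx | ... | tx) as a 256-bit integer."""
    data = nonce.to_bytes(8, "little") + prev_hash + b"".join(txs)
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")

def mine(prev_hash, txs, target, max_nonce=1 << 24):
    """Try nonces in order; return the first whose hash is below target."""
    for nonce in range(max_nonce):
        if block_hash(nonce, prev_hash, txs) < target:
            return nonce
    return None

def expected_trials(target):
    """Each trial succeeds with p = target / 2**256, so the mean is 1/p."""
    return 2**256 // target

def count_hits(prev_hash, txs, target, trials):
    """Run `trials` independent Bernoulli trials and count the successes."""
    return sum(block_hash(n, prev_hash, txs) < target for n in range(trials))

# Constructed sample data, not a real block.
PREV = bytes(32)
TXS = [b"Alice->Bob:1", b"Bob->Carol:2"]
EASY = 1 << 244     # p = 2**-12, about 4,096 trials per block on average
HARDER = 1 << 240   # 16x smaller target, so 16x more work on average

if __name__ == "__main__":
    nonce = mine(PREV, TXS, EASY)
    print("nonce:", nonce, "expected trials:", expected_trials(EASY))
    # With p = 1/256, about 50,000 / 256 = 195 of 50,000 trials should succeed.
    print("hits:", count_hits(PREV, TXS, 1 << 248, 50_000))
```

Verifying a claimed nonce costs one hash, while finding it costs about `expected_trials(target)` hashes; lowering the target is how the difficulty is raised.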
Cost of Mining
IF
mining reward > mining cost
THEN
the miner makes a profit
where
mining reward = block reward + transaction fees
mining cost = hardware cost + operating cost (electricity, cooling, etc.)

• Hardware cost is fixed, whereas the electricity cost is variable.


• Rewards depend not only on the power of the hardware but also on the hash rate.
• Mining reward is denominated in bitcoin, but mining cost is denominated in fiat money.
• To make more profit, miners may use other mining strategies instead of honestly following the
protocol.
Bitcoin Decentralization Recap

• No real-world identity is required to participate in the Bitcoin protocol.


• Although P2P networks are imperfect and insecure, Bitcoin's security comes from its blockchain
and consensus protocol.
• There is a risk that orphan blocks may be created and then removed, so it is safe to wait for at least 6 confirmations.
• The probability that a node will create a block is proportional to its computational power or hash
rate.
• As the hash rate increases, the difficulty increases and the expected reward for each miner
decreases.
Getting a Cryptocurrency off the Ground

[Figure: "Bitcoin is bootstrapped", surrounded by Security of Blockchain System, Health of Mining Ecosystem, and Exchange Value of Currency.]
51 Percent Attack
• The attacker cannot steal Bitcoins because he does not know the private keys for valid Bitcoins.

• The attacker can create an invalid block containing invalid transactions, but honest nodes will
reject the block and fork the blockchain if he continues to do so.

• The attacker can attempt to spend invalid bitcoins on the market, but traders refuse them.
• The attacker can suppress some transactions from the blockchain, but honest nodes will include them.
• The attacker can suppress some transactions from being broadcast, but honest nodes will propagate them.

• The attacker can temporarily disrupt the consensus mechanism for their own gain, such as
increasing block rewards, but this will soon be stopped.
• Attackers can destroy trust in Bitcoin and have negative impacts.
• However, double spending attacks were rampant due to 51% attacks. (see Ethereum Classic case
where exchanges were victims)
• Miners with a low hash rate cannot compete, since the difficulty soon rises because of the 51% attack.
Home Assignment #2
1. Read about the 51% attacks on Ethereum Classic and Bitcoin SV. What was the attacker’s
approach, who were the victims of the attacks, and can these types of attacks be prevented?

2. There are cases where other altcoins, excluding Ethereum Classic and Bitcoin SV, suffered
damage from 51% attacks. The attacker participated in mining by mobilizing a huge hash
power, so the existing loyal miners gave up mining due to the sudden increase in difficulty.
After the attacker left, it took time for the difficulty to adjust, so even if they wanted to mine,
they had no choice but to rest and wait. Explain the problem of difficulty adjustment that
made this inevitable.

Due date: October 7.
