lecture3
(cs251.stanford.edu)
Note: HW#1 is posted on the course web site. Due Tue, Oct. 10.
Recap: the Bitcoin blockchain

[Figure: chain of block headers genesis ← BH1 ← BH2 ← BH3, each header committing to its predecessor through H(prev). Every block carries a coinbase Tx followed by a Tx sequence.]

Block header (80 bytes):
• version (4 bytes)
• prev (32 bytes): hash of the previous block header
• time (4 bytes)
• bits (4 bytes)
• nonce (4 bytes)
• Tx root (32 bytes)
Tx cannot be erased: a mistaken Tx ⇒ locked or lost funds
Tx structure (non-coinbase)
• inputs: input[0], input[1], input[2], …
  input: TxID (32 byte hash), out-index (4 byte index), ScriptSig (program), seq (ignore)
• outputs: output[0], output[1], …
  output: value (8 bytes), ScriptPK (program)
  #BTC = value/10^8
• witnesses (segwit; part of input)
• locktime (4 bytes): earliest block # that can include Tx

TxID = H(Tx) (excluding witnesses)
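The field layout above is exactly what a wallet or node has to serialize and parse. The following is an added example (not from the lecture) of a serializer and parser for the pre-segwit Bitcoin transaction encoding: little-endian fixed-width fields, Bitcoin's variable-length integer for counts and script lengths, and TxID computed as double SHA-256 of the serialization (which is the same thing as "excluding witnesses", since witness data is not part of this encoding). The sample transaction, its previous TxID and its script bytes are constructed placeholders, not real chain data.

```python
import hashlib
import struct
from dataclasses import dataclass

SATOSHIS_PER_BTC = 10**8  # #BTC = value / 10^8


def sha256d(b: bytes) -> bytes:
    """Bitcoin's hash H: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def encode_varint(n: int) -> bytes:
    """Bitcoin CompactSize integer used for counts and script lengths."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def decode_varint(buf: bytes, pos: int):
    """Return (value, new_pos) for the CompactSize integer at buf[pos]."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


@dataclass
class TxIn:
    prev_txid: bytes            # 32-byte TxID of the Tx being spent (internal byte order)
    out_index: int              # 4-byte index of the output being spent
    script_sig: bytes           # program that satisfies the UTXO's ScriptPK
    sequence: int = 0xFFFFFFFF  # "seq: ignore"


@dataclass
class TxOut:
    value: int        # 8 bytes, in satoshis
    script_pk: bytes  # program that locks this output


@dataclass
class Tx:
    version: int
    inputs: list
    outputs: list
    locktime: int  # earliest block # that can include this Tx (0 = no restriction)


def serialize(tx: Tx) -> bytes:
    out = struct.pack("<i", tx.version) + encode_varint(len(tx.inputs))
    for i in tx.inputs:
        out += i.prev_txid + struct.pack("<I", i.out_index)
        out += encode_varint(len(i.script_sig)) + i.script_sig
        out += struct.pack("<I", i.sequence)
    out += encode_varint(len(tx.outputs))
    for o in tx.outputs:
        out += struct.pack("<q", o.value)
        out += encode_varint(len(o.script_pk)) + o.script_pk
    return out + struct.pack("<I", tx.locktime)


def parse(buf: bytes) -> Tx:
    pos = 0
    version = struct.unpack_from("<i", buf, pos)[0]; pos += 4
    n_in, pos = decode_varint(buf, pos)
    inputs = []
    for _ in range(n_in):
        prev = buf[pos:pos + 32]; pos += 32
        idx = struct.unpack_from("<I", buf, pos)[0]; pos += 4
        slen, pos = decode_varint(buf, pos)
        script = buf[pos:pos + slen]; pos += slen
        seq = struct.unpack_from("<I", buf, pos)[0]; pos += 4
        inputs.append(TxIn(prev, idx, script, seq))
    n_out, pos = decode_varint(buf, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", buf, pos)[0]; pos += 8
        slen, pos = decode_varint(buf, pos)
        script = buf[pos:pos + slen]; pos += slen
        outputs.append(TxOut(value, script))
    locktime = struct.unpack_from("<I", buf, pos)[0]; pos += 4
    if pos != len(buf):
        raise ValueError("trailing bytes after transaction")  # reject sloppy encodings
    return Tx(version, inputs, outputs, locktime)


def txid(tx: Tx) -> str:
    """TxID = H(Tx); block explorers display it byte-reversed, so we do too."""
    return sha256d(serialize(tx))[::-1].hex()


def btc(value: int) -> float:
    return value / SATOSHIS_PER_BTC


def sample_tx() -> Tx:
    """Constructed sample (placeholder TxID and scripts): pays 0.1 BTC to B, 0.01 BTC back to A."""
    prev = sha256d(b"constructed previous tx")
    return Tx(version=1,
              inputs=[TxIn(prev, 0, b"<sigA> <PK_A>")],
              outputs=[TxOut(10_000_000, b"DUP HASH256 <addrB> EQVERIFY CHECKSIG"),
                       TxOut(1_000_000, b"DUP HASH256 <addrA> EQVERIFY CHECKSIG")],
              locktime=0)
```

Any change to a serialized field, including a single satoshi in an output value, changes the TxID, which is why a Tx referencing this one by (TxID, out-index) only spends exactly the version of it that was mined.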
Example

[Figure: a payment Tx with null locktime whose output is locked by ScriptPK_B.]

ScriptPK_B:
DUP
HASH256
<addrB>
EQVERIFY
CHECKSIG
Transaction types: (1) P2PKH (pay to public key hash)
• "input" contains ScriptSig that authorizes spending Alice's UTXO
• example: ScriptSig contains Alice's signature on Tx
  ⟹ miners cannot change ScriptPK_B (that would invalidate Alice's signature)

(2) P2SH
• payer can specify complex conditions for when UTXO can be spent

Miner verifies:
(1) <ScriptSig> ScriptPK = true ⟵ spending Tx gave correct script
(2) ScriptSig = true ⟵ script is satisfied
Example P2SH: multisig
Goal: spending a UTXO requires t-out-of-n signatures (threshold)

[Figure: the 2-of-3 script over PK1, PK2, PK3 is hashed; the hash gives the P2SH address the UTXO pays to.]

Tx2 (spending Tx): input: UTXO, sig1, sig3, PK1, PK2, PK3, 2-of-3; output 0
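To make the two verification rules concrete, here is an added example (not code from the lecture) of a toy stack interpreter for the handful of opcodes used on these slides: the P2PKH check from the ScriptPK_B slide and the two-step P2SH check with a 2-of-3 CHECKMULTISIG redeem script. It assumes a stand-in for ECDSA: `toy_sign`/`toy_verify` just hash the public key and message, so anyone could forge a "signature" and this must never be used for real keys; the point is the script semantics, not the signature scheme. Two other deliberate differences from mainnet: the opcode is spelled EQUALVERIFY (the slide abbreviates it EQVERIFY), and the hash is HASH256 as on the slide, whereas real P2PKH/P2SH addresses use HASH160. Opcode byte values are the real Bitcoin ones.

```python
import hashlib

OPCODES = {"DUP": 0x76, "EQUAL": 0x87, "EQUALVERIFY": 0x88, "HASH256": 0xAA,
           "CHECKSIG": 0xAC, "CHECKMULTISIG": 0xAE}
NAMES = {v: k for k, v in OPCODES.items()}


def sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


# Toy stand-in for ECDSA so the example runs offline. NOT a signature scheme:
# anyone holding pk can compute this value. Only the script logic is real.
def toy_sign(pk: bytes, msg: bytes) -> bytes:
    return sha256d(b"toy-sig|" + pk + b"|" + msg)


def toy_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    return sig == toy_sign(pk, msg)


def serialize_script(tokens) -> bytes:
    """bytes -> direct push (len < 76); int -> OP_0/OP_1..OP_16; str -> opcode byte."""
    out = b""
    for t in tokens:
        if isinstance(t, bytes):
            out += bytes([len(t)]) + t
        elif isinstance(t, int):
            out += bytes([0 if t == 0 else 0x50 + t])
        else:
            out += bytes([OPCODES[t]])
    return out


def parse_script(raw: bytes):
    tokens, i = [], 0
    while i < len(raw):
        b = raw[i]; i += 1
        if 1 <= b <= 75:
            tokens.append(raw[i:i + b]); i += b
        elif b == 0:
            tokens.append(0)
        elif 0x51 <= b <= 0x60:
            tokens.append(b - 0x50)
        else:
            tokens.append(NAMES[b])
    return tokens


def run(tokens, stack, msg: bytes) -> bool:
    """Execute tokens on stack; False on a failed VERIFY or stack underflow."""
    try:
        for t in tokens:
            if isinstance(t, (bytes, int)):
                stack.append(t)
            elif t == "DUP":
                stack.append(stack[-1])
            elif t == "HASH256":
                stack.append(sha256d(stack.pop()))
            elif t == "EQUAL":
                stack.append(int(stack.pop() == stack.pop()))
            elif t == "EQUALVERIFY":
                if stack.pop() != stack.pop():
                    return False
            elif t == "CHECKSIG":
                pk, sig = stack.pop(), stack.pop()
                stack.append(int(toy_verify(pk, msg, sig)))
            elif t == "CHECKMULTISIG":
                n = stack.pop(); pks = [stack.pop() for _ in range(n)]   # top-most key first
                k = stack.pop(); sigs = [stack.pop() for _ in range(k)]  # top-most sig first
                stack.pop()  # Bitcoin quirk: CHECKMULTISIG consumes one extra (unused) element
                ki, ok = 0, True
                for sig in sigs:  # signatures must appear in the same order as the keys
                    while ki < len(pks) and not toy_verify(pks[ki], msg, sig):
                        ki += 1
                    if ki == len(pks):
                        ok = False; break
                    ki += 1
                stack.append(int(ok))
    except IndexError:
        return False
    return True


def truthy(x) -> bool:
    return bool(x) if isinstance(x, int) else any(x)


def verify_spend(script_sig, script_pk, msg: bytes) -> bool:
    """Rule (1): run <ScriptSig> then ScriptPK on one stack; top must be true."""
    stack = []
    if not run(script_sig, stack, msg) or not run(script_pk, stack, msg):
        return False
    return bool(stack) and truthy(stack[-1])


def verify_p2sh_spend(script_sig, script_pk, msg: bytes) -> bool:
    if not verify_spend(script_sig, script_pk, msg):  # (1) correct script was supplied
        return False
    redeem = parse_script(script_sig[-1])             # last push is the redeem script
    return verify_spend(script_sig[:-1], redeem, msg)  # (2) the script itself is satisfied


def demo_scripts():
    msg = b"constructed Tx bytes the signatures cover"
    pk_b = b"PK_B"; addr_b = sha256d(pk_b)
    script_pk_b = ["DUP", "HASH256", addr_b, "EQUALVERIFY", "CHECKSIG"]
    p2pkh_ok = verify_spend([toy_sign(pk_b, msg), pk_b], script_pk_b, msg)
    pk1, pk2, pk3 = b"PK1", b"PK2", b"PK3"
    redeem = [2, pk1, pk2, pk3, 3, "CHECKMULTISIG"]                    # 2-of-3 threshold
    script_pk_p2sh = ["HASH256", sha256d(serialize_script(redeem)), "EQUAL"]
    two_sigs = [0, toy_sign(pk1, msg), toy_sign(pk3, msg), serialize_script(redeem)]
    one_sig = [0, toy_sign(pk1, msg), serialize_script(redeem)]
    return (p2pkh_ok,
            verify_p2sh_spend(two_sigs, script_pk_p2sh, msg),
            verify_p2sh_spend(one_sig, script_pk_p2sh, msg))
```

`demo_scripts()` returns `(True, True, False)`: the P2PKH spend and the sig1+sig3 P2SH spend verify, while supplying only one signature fails rule (2) even though rule (1) passes, because the redeem script, not the UTXO, is what enforces the threshold.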
Example Bitcoin scripts

Protecting assets with a co-signatory
Alice stores her funds in UTXOs for addr = 2-of-2(PK_A, PK_S)

[Figure: Tx spends UTXO_A to (PK_B: 0.1, PK_A: 0.01); Alice sends <sigA> on Tx, and the completed Tx carries <sigA> <sigB>.]
Escrow service: a dispute
(1) Backpack never arrives (Bob at fault): Alice gets her funds back with help of Judge and a Tx: (UTXO_A → PK_A, sigA, sigJudge) [2-out-of-3]
s.t.:
• either success: Alice has 2 LTC and Bob has 5 BTC,
• or failure: no funds move.
Swap cannot get stuck halfway.
Goal: design a sequence of Tx to do this. Solution: programming proj #1, ex 4.
Managing crypto assets: Wallets

Managing secret keys
Users can have many PK/SK:
• one per Bitcoin address, Ethereum address, …
Wallets:
• generate PK/SK, and store SK,
• post and verify Tx,
• show balances
Managing lots of secret keys
Types of wallets:
• cloud (e.g., Coinbase): cloud holds secret keys … like a bank.
• laptop/phone: Electrum, MetaMask, … (client stores secret keys)
• hardware: Trezor, Ledger, Keystone, … (client stores secret keys)
• paper: print all sk on paper
• brain: memorize sk (bad idea)
• hybrid: non-custodial cloud wallet (using threshold signatures)
Not your keys, not your coins … but lose key ⇒ lose funds
Simplified Payment Verification (SPV)
How does a client wallet display Alice’s current balances?
• Laptop/phone wallet needs to verify an incoming payment
• Goal: do so w/o downloading entire blockchain (366 GB)
SPV: (1) download all block headers (60 MB)

[Figure: block header]

We will see better light client designs later in the course (e.g., Celo)
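Headers alone are 80 bytes each, and the Tx root field in the header is what lets a client check an individual payment without the rest of the block. The following is an added example (not from the lecture) that parses the 80-byte header layout from the recap slide, builds Bitcoin's Merkle tree over TxIDs (double SHA-256 of concatenated pairs, with the last hash duplicated on odd levels), produces a sibling-path proof for one Tx, and verifies that proof against the header's Tx root. The TxIDs, previous-header hash, time, bits and nonce are constructed placeholders.

```python
import hashlib
import struct

HEADER_FMT = "<i32s32sIII"  # version, prev, Tx root, time, bits, nonce = 80 bytes


def sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def build_header(version, prev, tx_root, time_, bits, nonce) -> bytes:
    return struct.pack(HEADER_FMT, version, prev, tx_root, time_, bits, nonce)


def parse_header(raw: bytes) -> dict:
    if len(raw) != 80:
        raise ValueError("block header must be exactly 80 bytes")
    version, prev, tx_root, time_, bits, nonce = struct.unpack(HEADER_FMT, raw)
    return {"version": version, "prev": prev, "tx_root": tx_root,
            "time": time_, "bits": bits, "nonce": nonce}


def _pad(level):
    return level + [level[-1]] if len(level) % 2 else level  # duplicate last on odd levels


def _next_level(level):
    level = _pad(level)
    return [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(txids) -> bytes:
    level = list(txids)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(txids, index):
    """Sibling hashes from leaf `index` up to the root, each tagged with its side."""
    proof, level, idx = [], list(txids), index
    while len(level) > 1:
        level = _pad(level)
        sib = idx ^ 1
        proof.append((level[sib], sib > idx))  # (sibling hash, sibling is on the right)
        level = _next_level(level)
        idx //= 2
    return proof


def verify_inclusion(txid: bytes, proof, header_raw: bytes) -> bool:
    """SPV check: recompute the root from txid + proof and compare with the header field."""
    h = txid
    for sib, sib_is_right in proof:
        h = sha256d(h + sib) if sib_is_right else sha256d(sib + h)
    return h == parse_header(header_raw)["tx_root"]


def demo_spv():
    txids = [sha256d(b"constructed tx %d" % i) for i in range(5)]  # stand-in TxIDs
    header = build_header(1, sha256d(b"constructed prev header"), merkle_root(txids),
                          1_700_000_000, 0x1D00FFFF, 42)
    all_ok = all(verify_inclusion(txids[i], merkle_proof(txids, i), header) for i in range(5))
    forged = verify_inclusion(sha256d(b"tx not in block"), merkle_proof(txids, 2), header)
    return all_ok, forged
```

A proof is only as good as the header it is checked against: the client still has to believe that header sits on the longest (most-work) chain, which is exactly what downloading all headers and validating their proof-of-work buys, and a proof of size log2(#Tx) hashes replaces the full block.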
Hardware wallet: Ledger, Trezor, …
End user can have lots of secret keys. How to store them?

[Figure: a single seed k0 derives the keys k0^(1), k0^(2), k0^(3), …; the seed is backed up as a list of 24 words, e.g., on Crypto Steel.]

[Figure: exchange key management: customers; hot wallet key SK_hot (2% of assets); cold storage; h, k2 used to verify balances.]
Problems
Can't prove ownership of assets in cold storage without accessing cold storage:
• to prove ownership (e.g., in an audit or in a proof of solvency)
• to participate in proof-of-stake consensus
Solutions:
• keep everything in a hot wallet (e.g., Anchorage)
• proxy keys: keys that prove ownership of assets, but cannot spend assets
END OF LECTURE