Blue Bird

Blockchain Foundations

Lesson 1: The Setting

2021-06-12

  • Administrivia
    • Course outline
    • 56 hours total
    • Theory
    • Coding
      • Goal: Make a simple working blockchain with a common protocol
      • The blockchains of all students must work with one another
  • An untrustworthy world
    • The concept of self-enforceability:
      • We don't want adversaries to be caught after the fact
      • We want adversarial behavior to be impossible
    • Adversaries can be very bad:
      • They can break laws
      • Burn money just so that you suffer
      • Kill people
      • Take over corporations
      • Take over governments
      • Change laws
      • Take over the courts
      • Sybil attack: Create an unlimited number of emails/IP addresses
      • Do this all in secret
  • The vision of money self-sovereignty
    • What if banks and regulators lied to you about how much money they have?
    • What if a single bank lies about some customers having more money than they actually do?
  • Goal:
    • Transparency / verifiability (everyone knows that the money they claim they have, they actually have)
    • Decentralized money, self-sovereign money (money issuance should not be controlled by a centralized -despite elected- party)
    • We can pick and choose which of these features we like, e.g. centralized issuance + public verifiability
  • What is money?
    • Money is not inherently worthy -- it has value because we socially ascribe value to it
    • It is a social construct, or social delusion (similar to laws, corporations, and human rights)
    • Money today is fiat (but money as a social construct is ascribed to "non-fiat" money such as gold and shells, too)
    • Some historical notes on money
    • How do we know today who owns what? Did we track it through history? Do we have that history? No -- we trust our social environment. A kind of "honest majority" setting.
  • The role of computer science
    • Understanding and systematizing the computational aspect of rules, regulations, and processes
  • The adversary
    • Probabilistic algorithms
    • Polynomial-time algorithms (and the complexity classes P, BPP, NP)
    • Game-based security
    • Probability of success
    • "For all" adversaries
    • Negligibility
    • Problems hard in the average case VS problems hard in the worst case
  • The network
    • Connectedness and message delivery
    • The non-eclipsing assumption
    • The gossip protocol
  • Exercises 0 and 1

Lesson 2: The Application Layer - UTXO

2021-06-17

  • Commitment schemes
  • The binding and hiding games
  • Hashes
  • The collision resistance and pre-image resistance games
  • Public and private keys
  • Signatures, signing, verifying, correctness, security
  • The existential unforgeability game
  • A transaction
  • Addresses
  • One input and one output
  • Amounts
  • Inputs and outputs in UTXO
  • Splitting money
  • Merging money
  • Conservation Law
  • Change
  • Outpoints -- the transaction graph
  • The transaction ledger / transaction serialization
  • UTXO as application state
  • The evolution of the UTXO
  • What money do I own? Calculating balances
  • Double spending
  • Reading: Chapter 5 introduction and section 5.1 from Modern Cryptography (2nd ed.)
  • Reading: Chapter 12 introduction (skip comparison to MACs and relation to encryption) and sections 12.1, 12.2, 12.3 from Modern Cryptography (2nd ed.)
  • Exercises 2 and 3

Lesson 3: Blocks and chains

2021-06-22

  • The decentralized setting; the network
  • Adversarial and honest nodes, corruption, sybil attacks
  • Network delays, message delivery
  • Broadcasting transactions to everyone - be your own bank
  • Money arising out of social consensus
  • The double spending attack
  • Simple ideas don't work: Serializing transactions naively, the critical time Δ
  • Proof-of-work as a consensus mechanism without blocks
  • The honest computational majority assumption
  • The proof-of-work equation; the parameters T and κ
  • The block
  • The chain
  • The longest chain rule
  • The mempool
  • Temporary forks / reorgs
  • Coming to an agreement: Blockchain convergence
  • The genesis block; the arrow of time
  • Verifying chains
  • The Chain Growth, Common Prefix, and Chain Quality, intuitively
  • Transaction confirmation rules; the Common Prefix parameter k
  • The minority double spending attack and its inevitable failure; negligibility in k
  • Maintaining the UTXO under reorgs
  • Exercises 4 and 5

Lesson 4: Blockchain Economics and Attacks

2021-06-28

  • Probability of obtaining a block; the value p
  • Attacks of a majority miner
    • Censoring transactions
    • Double spending
    • The impossibility of spending others' money
    • The impossibility of breaking chain growth
  • Healing from temporary dishonest majority
    • Healing from censorship
    • Temporarily rejecting payments: resilience to double spending attacks
  • The expected block generation time η
  • Balancing the values T and k
    • Loss of security due to small k and small T: variance attacks
    • Loss of security due to large k and large T: fan-out attacks
  • Attacks of a minority miner
    • The Selfish Mining attack
    • Selfish Mining simulation and bounds for 1/3 and 1/2 adversaries
  • The weak conservation law
  • Fees
  • The coinbase transaction, the inductive base of the UTXO graph
  • The money supply
  • Supply adjustment in Bitcoin - halving
  • The limited total money supply of Bitcoin
  • Supply adjustment in Monero - smooth emission
  • Empty blocks
  • Rational miners, miner incentivisation
  • The block size limit
  • Collecting transactions into blocks, the knapsack algorithm
  • A look at Bitcoin's blockchain explorer blocks and transactions
  • Mining pools
  • The pooled mining protocol
    • Why pools? The variance problem
    • Decreasing variance while keeping expectation the same
    • Centralized pools and pool operators
    • Light blocks (shares) and the light PoW equation
  • Reading: Satoshi's Bitcoin paper
  • Optional Reading: Selfish Mining paper
  • Exercises 6 and 7

Lesson 5: Mining and Wallets

2021-07-02

  • Mining hardware: CPUs, GPUs, ASICs
  • GetWork / the mining template
  • The cost of mining: Empty blocks, optimistic mining
  • Online and offline wallets
  • Wallet seeds
  • Hardware wallets, brain wallets
  • Optional Reading: Bitcoin Brain Drain
  • Exercise 8

Lesson 6: The Application Layer - Accounts

2021-07-02

  • Maintaining your own UTXOs for spending
  • Optimizing for fees: Wallet UTXO selection policy
  • p2pk / p2pkh and quantum security
  • Hashing a public key
  • The transaction as a state machine transition
  • The UTXO as a state machine α with transaction transitions δ
  • Account states: Balances
  • A transaction in accounts
  • Replayability and nonces
  • The account balances as a state machine α with transaction transitions δ
  • Practical transactions in Bitcoin and Ethereum
  • Look at the Bitcoin and Ethereum transaction graph
  • Motivation: Payment conditions and covenants
  • Smart contracts in the UTXO model
  • Bitcoin scripts
  • Exercise 9

Lesson 7: Light verification

2021-07-05

  • The Random Oracle model
  • Random Oracles are collision resistant
  • Random Oracle collision resistance security proof
  • Random Oracles are pre-image resistant
  • Random Oracle pre-image resistance security proof
  • Block predictions are difficult in the Random Oracle model
  • Authenticated data structures
  • Merkle trees
  • Building a complete Merkle tree from data
  • Building a Merkle tree proof
  • Validating a Merkle tree proof
  • Merkle trees in the torrent protocol
  • Merkle tree game-based security definition
  • Merkle tree security theorem and proof
  • The SPV protocol
  • Light clients
  • Sparse Merkle trees, Merkle-Patricia tries: Polynomial data in an exponential sea
  • Reading: Section 5.5 from Modern Cryptography (2nd ed.)
  • Exercise 10

Lesson 8: Consensus in earnest

2021-07-07

  • The backbone model in the static difficulty setting
  • Interactive Turing machines
  • The environment
  • Synchronous time: The integer round
  • The theoretical network model
  • The rushing adversary
  • The Sybil adversary
  • The parties: The parameters n, t
  • The honest majority assumption: The parameter δ
  • Mining modeled as a Random Oracle: The parameter q
  • The backbone protocol
  • Validating blocks
  • The longest chain rule
  • Mining
  • The Chain Growth property: The parameters s and τ
  • The Common Prefix property: The parameter k
  • The Chain Quality property: The parameters ℓ and μ
  • Ledger liveness: The parameter u
  • Ledger safety
  • Proof of liveness from Chain Growth and Chain Quality
  • Calculation of the liveness parameter u
  • Proof of safety from Common Prefix
  • Successful rounds and uniquely successful rounds
  • The probabilistic treatment using the random variables X, Y, and Z
  • Probabilities of success and failure
  • Chernoff bound intuition
  • Chernoff bound theorem for binomial distributions: The parameter ε
  • Convergence opportunities
  • Uniquely successful rounds avoid fan-out attacks unless matched by adversarial mining power
  • Reading: Pages 1-19 of the Backbone paper

Lesson 9: Blockchains are secure

2021-07-09

  • The equal computational split model
  • The world is a good place: Typical executions
  • The distance between X and Y: The block production parameter f
  • The distance between Y and Z: The Chernoff error parameter ε
  • The Chernoff waiting time λ
  • The balancing equation 3ε + 3f < δ, setting ε = f = δ / 3
  • Calculating the relationship between adversarial power (n, t), network diameter, and block production rate
  • The Typicality Theorem
  • The Chain Growth Lemma
  • A proof of the Chain Growth property, calculation of the parameters s=λ and τ=(1 - ε)f
  • The Chain Slowness Lemma
  • The Pairing Lemma
  • A proof of the Common Prefix property
  • Reading: Pages 19-25 of the Backbone paper

Lesson 10: Smart contracts

2021-07-15

  • Smart contracts in the accounts model
  • Turing completeness, quasi turing completeness
  • Gas, gas price, starting gas
  • Contract and personal accounts
  • Value transfers between personal accounts
  • The smart contract transaction format
  • Transaction initiation
  • Message passing between contracts
  • Smart contract state as a state machine
  • State commitment in block headers
  • Nested Merkle tries
  • Receipts
  • Light mining using block state commitments
  • The Ethereum Virtual Machine
  • Contracts, methods
  • The ABI
  • Contract execution must be deterministic and isolated
  • An attack against Common Prefix in a minority-adversary non-deterministic contract world
  • Oracles
  • A flight insurance contract
  • Validating an HTTPS response from a contract

Lesson 11: Solidity overview

2021-07-22

  • Solidity grammar and syntax
  • Contracts, methods
  • Flow control, loops, conditions
  • Variables, simple and complex data types, storage locations
  • Payable methods
  • Reverting, exceptions
  • Gas costs of operations
  • ERC-20 tokens and ICOs
  • ERC-721 tokens and NFTs
  • Exercise 11

Lesson 12: Coding in Solidity

2021-07-22

  • Reentrancy
  • Auctions
  • Front-running
  • Naming services, ENS
  • Commit/reveal schemes
  • Randomness
  • Events
  • The receipts tree
  • Decentralized mining pools
  • Exercise 12

Lesson 13: Superlight verification

2021-07-29

  • The non-interactive prover/verifier model
  • The one honest prover assumption
  • The polylog verifier
  • Superblocks
  • The superblock equation: The level μ parameter
  • The LCA block and repetition for Chernoff concentration
  • The interactive PoPoW protocol
  • PoPoW interactivity succinctness: Logarithmic number of rounds
  • PoPoW communication succinctness: Constant communication per round
  • PoPoW security
  • Non-interactivity: The limited superfork argument
  • NIPoPoWs
  • Light mining with full verification in chains with state commitments
  • Online NIPoPoWs
  • Superlight mining

Lesson 14: Proof of stake

2021-08-29

  • The proof-of-work environmental impact
  • The honest stake assumption
  • Grinding attacks
  • Proof-of-stake time: The slot
  • Combining honest and adversarial randomness to obtain unbiased randomness
  • Pseudorandomness: Getting more randomness from little randomness
  • Epoch randomness
  • Slot leaders
  • The Ouroboros protocol
  • k+1 blocks in any continuous 2k slots
  • Secret Sharing Schemes
  • Verifiable Secret Sharing
  • Publicly Verifiable Secret Sharing
  • Force-opening commitments using honest majority
  • Verifiable random functions
  • The proof-of-stake equation
  • The Ouroboros Praos protocol

Lesson 15: DeFi, Blockchain Governance and Evolution

  • ERC-20 and ICOs
  • ERC-721, ERC-1155 and NFTs
  • Soft forks
  • Hard forks
  • Velvet forks
  • DAOs
  • TheDAO hack, Ethereum and Ethereum Classic
  • Epochs, the m parameter
  • Target recalculation and difficulty adjustment
  • Difficulty clamping, the τ parameter
  • Exercises 13 and 14

Lesson 16: Privacy Coins

  • The problem of linkability
  • The problem of traceability
  • Privacy in UTXO and in accounts
  • Address reuse
  • Ring signatures
  • Elliptic Curves as additive groups
  • Group generators
  • Private and public keys in elliptic curves
  • The DLOG problem in Elliptic Curves
  • Unlinkability using ring signatures
  • Untraceability using stealth addresses
  • CryptoNote and Monero