Professional Documents
Culture Documents
Solution 1:
For each record, we digitally sign it (or hash it and sign the hash: Q: difference?)
Q: Does it work?
No, someone may still delete individual records together with its hash & signature.
Solution 2:
How about we group the records into blocks, then hash each group and sign the hash?
No. (i) Someone can still delete a whole block, together with its hash & signature
without being noticed.
(ii) When a user wants to check a particular record, we may need to disclose all
records in the whole group (violate the privacy requirement too).
Solution 3:
How about we hash each record, concatenate the hash sequence, sign the hash
sequence?
Seems ok.
(i) The owner can recompute the hash sequence based on *all* records and check it so
that if one of the records has been tampered or deleted, he knows.
(ii) When a user wants to check a particular record, send him the record and hashes
of other records, he can re-create the hash sequence, then check the signature of
hash sequence. No need to give him other records (only hashes).
But overhead is large:
Every time if we need to verify a record,
- we need to send the record together with (n-1) hashes assuming we have n records
- # of hashes to be sent is O(n) or the length of the hash sequence is proportional to
O(n)
- So, the overall complexity for checking is O(n).
Q: Can we do better?
Ans: use a Merkle tree
R = H(x5x6) – public (sign it too)
x5 = H(x1x2) x6 = H(x3x4) Owner can easily
recompute R based
on all records to
x1 = H(H(y1)H(y2)) x2 = H(H(y3)H(y4)) make sure that no
x3 = … x4 = … records have been
deleted/tempered.
y1 y2 y3 y4 y5 y6 y7 y8
y1..y8: data
Q: How about individual users? E.g. What to provide to verify the integrity of y3, y6?
For y3, we need H(y4), x1, x6; for y6, we need H(y5), x4, x5 (R is known).
Only log n hashes need
Merkle proof Merkle proof
to be sent! 4
A brief technical details in bitcoin:
Block structure
Bitcoin Block Header Recall that multiple
transactions are in the
Previous block same block
Timestamp
header hash
Q: How about only odd
Merkle Tree # of transactions?
Nonce
Root
When computing the last
root = Hash( H12, H34 ) Tr, we double the Tr to
compute the hash:
H12 = Hash( H1, H2 ) H34 = Hash( H3, H4 )
Hash(H(Tr), H(Tr))
* Example from bitcoin.org (most of the examples are from this website, unless otherwise stated)
Q: Where are the transactions? Remarks:
Outpoint (TXID (hash) + Sequence #)
80 bytes header - Which output of which previous transaction
# of transactions
Total has a 1 bitcoin = 100,000,000 satoshis
Coinbase Tr
limit, say Total input – total output => transaction fee!
Transaction 2
1M
…….
Transaction x
Sign script needs to
Raw transaction: Each input has 2 key fields: match the
Outpoint, Signature script corresponding
4 bytes version # outpoint pubkey
# of inputs Outpoint reference Allows spending
script!
Input 1 a previous output the input
…….. E.g. OP_CHECKSIG
# of outputs Each output has 2 key fields: - Check signature using
Output 1 Value (how much), Pubkey script a public key
………. In unit of satoshis Set conditions for further spent
Which version of transaction
data structure used
Raw transaction:
TXID (hash) – (from a
4 bytes version # previous transaction)
# of inputs
Input 1 Which output in
…….. Transaction TXID
# of outputs
Output 1
……….
Signature
Raw transaction:
(Value)
4 bytes version #
# of inputs
Input 1
……..
# of outputs
Output 1 (Pubkey script)
……….
Conditions
Hash of
public key
Unspent transaction
outputs (UTXO):
NO concept of
accounts
How about the coinbase transaction created by
miner to get reward for a block?*
Exactly one input: coinbase
Normal transaction input vs coinbase
TXID (hash) 32 bytes null (no previous outpoint)
Seq # (which output in TXID) 4 bytes null (no previous outpoint)
# of bytes in Sign script # of bytes in coinbase script
Script block height (do you remember?) – 4 bytes
Script
Seq # Seq #