Professional Documents
Culture Documents
Unit 5 Slides
Unit 5 Slides
Blockchain
Text Book
Grokking Bitcoin
Authors
Kalle
Rosenbaum
Chapters 6
and 4
Introduction
• Considering the Cookie Token (CT) system, what if Lisa can alter or remove the
transaction record from the spreadsheet.
• This issue is discussed with the help of blockchain.
• Blockchain will provide cryptographic proof of fraud if Lisa deletes or replaces
transaction.
• It also introduces a lightweight wallet, or simplified payment verification (SPV)
wallet
Building the
Blockchain
• The idea is what if we could change the system to make it provable that Lisa has
fiddled with history?
• The solution is to replace the spreadsheet with the blockchain
2
1 ( 3
)
4
Zoomed View of
1. Previous Blockchain
1. Also called 5. Digital Signing 4. Merkle Root Hash
Block hash as block ID
2. Timestamp
3. First Transaction
Lisa Builds A
Block
• When Lisa is about to create a new block. She’ll do the following:
1. Create a block template
2. Sign the block template to make it complete
3. Publish the block
Step 1:
Creating a
block
template
for block
number 20
Lisa Builds A
Step 2 - Signing the block Block
• Lisa uses her private block-signing key to sign the block header. This digital
signature commits to
• The previous block ID, which means Lisa’s signature commits to the entire blockchain
before this new block
• The Merkle root, which means the signature commits to all transactions in this new
block
• The timestamp
1
Step 2:
Signing of 2
block
Lisa Builds A
Block
Step 3 – Publishing the block
Step 3:
Publishing
the block
number 20
Lisa Builds A
• Transaction Selection Block
• She can select anything from zero transactions to all unconfirmed transactions
• Transactions must be ordered in spending order. Otherwise, there are no restrictions.
These are valid transactions as they are in spending order. Meaning every
transaction in this block spends transactions which are already in blockchain.
14
Why
Blockchain?
• Blockchain used a complicated way to sign a bunch of transactions.
• Will not it be much simpler if Lisa just signed all transactions ever made in one
big chunk every 10 minutes?
• Will not this accomplish the same goal?
• But this approach has several problems:
• As the number of transactions grows, the time it takes for Lisa to sign the entire set will
increase.
• The same goes for verifiers—the time it takes to verify a signature increases with the total
number of transactions.
• It is hard for verifiers to know what’s new since the last signature. This information is
valuable when maintaining the UTXO set.
Why
• By using the blockchain, Lisa hasBlockchain?
to sign only the most recent block of transactions
• By doing so, Lisa still, indirectly via the previous block ID pointer, signing all historic
transactions.
Lightweight Wallets
17
Lightweight
• Some of the coworkers inWallets
the Lisa’s company wants to keep with them the valid
and up-to-date financial information
• They use software that downloads the entire blockchain and keeps a UTXO set
up-to-date at all times
• This software needs to run nearly all the time to stay up to date with newly
produced blocks. We call this running software (on a device) a full node
• A full node knows about all transactions since block 0 -- the genesis block
• The company and the cafe are typical full-node users
• Anyone is free to run this software as they please
Lightweight
Wallets
• Usually, the users make use of mobile app (wallet) to manage their private keys
and send or receive money.
• Most wallet users are on a mobile data plan so they do not want to waste
bandwidth on downloading all block data (i.e., blockchain database)
• Downloading all that data would only make their phones run out of data traffic
without providing useful information
• This is because only few blocks will have the transactions related to them
• Any wallet-based user is allowed to connect to any full node and request for
exclusively the data blocks related to that user
• For instance, consider a use John His wallet contains two addresses @a
and
@b
• Now, John’s wallet want to receive notifications from full node about the
transactions concerning his wallet (i.e., related to two addresses)
Information Exchanged Between Lightweight Wallet and Full
•Node
When the John’s wallet connects to the full node, following two steps are performed as a
synchronization phase:
• Step 1: John’s wallet send a request to the full node for sending following:
1. All the block headers which the wallet does not know since the last connection
• Example current block is 556 but wallet just knows 501 blocks pending updates are from 502 to 556
2. All the transactions which are related to the addresses belonging to John’s wallet
• Step 2: The full node responds by sending all the pending block headers plus (at least) all the
transactions related to the John’s addresses
Step 1
Step 1
Lightweight
Full Node Step 2 Wallet
Creation of Bloom
Step 1
public key for address @ and @
a
Filter • three
• Take the Public Key Hashes (PKH) of
b
Step 2
Pass the PKH of address @ from the
hash different functions
a
Step 3
• Now, repeat step 2 with PKH
for address @b
• Take three different hash functions • According to the output hash values • According to the output hash
(produces 3-bit output) set the corresponding index bit of values set the corresponding
• Initialize 8-bit bloom filter with all zeros bloom filter to 1 index bit of bloom filter to 1
How Full Node Determine which Transactions to Send Using Bloom
Filter?
Block Under Examination
by Full Node
1. There are three transactions
present in block
25
Merkle Tree (Recap From Unit
2)
Partial Merkle Tree – Proving a Transaction is in a
Block wallet needs a way to ensure
• The lightweight
that subset of relevant transactions sent by full
node are actually a valid part of a block
• Above validation is not possible by
just receiving block header and subset
of transactions
• One simple way is to send the full block (header
plus body) to the wallet but this will make the
job of wallet very difficult – thus not
lightweight
• The solution is that full node creates a Partial
Merkle Tree and sends this to wallet
• Partial Merkle tree contains only the parts of
the hash tree which are required to compute If we have Merkle Root (i.e., Hash1234) and we want to prove
Merkle Root and confirm that a given that Tx2 is part of this tree then we just need values which
transaction is a part of tree are encircled with red color.
• Having Hash1 and Hash2 we can compute Hash12
• Thus, partial Merkle tree is a pruned version • Then having Hash34 we can computer Hash1234
of We do not need Hash3 and Hash4 values
Creating Partial Merkle
Tree
1
Security of Lightweight Wallets
31
Facts About Lightweight
Wallets
• Usually, a lightweight wallet provides an easy way to interact with blockchain because
it need light processing and low bandwidth
• As discussed in previous slides, the capabilities of a lightweight wallet are following:
• A lightweight wallet knows the entire chain of block headers.
• When the wallet receives a transaction and a Merkle proof (i.e., partial Merkle Tree), it can verify
that that transaction is contained in the block and that block is correctly signed by the miner
• However, this lightweightness of wallet comes at some cost
• Lightweight wallet can not verify a lot of other things, these are as follows:
• That the script programs in the transaction all return “OK,” which usually means verifying the
signatures of all inputs
• That the spent outputs are not already spent since the wallet does not have the entire blockchain
• That it receives all relevant transactions (may be the full node is hiding and not sending some
relevant transactions)
Security of Lightweight
Wallets
• So we can say that full node does verification on behalf of the wallet
• Thus, the lightweight wallet has no option other than to trust the full node
• To overcome these issues wallet’s owner can implement two solutions:
Detailed View
Master
extended
private key
• The
rando
mly
generat
ed
seed is
hashed
Deriving a Child Extended Private
Key
• Recall that the parent extended private key is combination of private key plus chain code
• From the private key derive the public key and append the index of the child (here it is 1 since we are working for
m/1)
• The above appended number is hashed using HMAC-SHA512 and the seed value used here is the chain code
• The left 256 bits of the hash value are added to parent private key and the result is child private key
• The right 256 bits of the hash value becomes the child chain code
Extended Public Keys (xpub)
39
Extended Public Keys
• At times it is required(xpub)
to create different addresses for every new transaction made
• Generating addresses requires public keys which can easily done if private keys are known
• However, giving away or storing private keys on the server is not secure
Not
secure!
• The public key is appended with the index of the child (here this index is 1)
• The above appended number is hashed and the seed value used here is the chain code
• The left 256 bits of the hash value is considered as a private key and it public key is derived
• This derived public key is added with parent public key and the result is child public key
• The right 256 bits of the hash value becomes the child chain code
Security Issue With Extended Private Key
• There(xprv)
is security issue with the normal use of xprv keys. This is explained below.
• As we know from previous discussion, the xpub is kept on web server, whereas, the xprv is kept
securely in the HD wallet
• Suppose an attacker (named Mallory) somehow manages to steal two things: (i) xprv key -
m/1/1, and
(ii) xpub key of online sales account – M/1
• Loosing private key xprv m/1/1 does not matter much as it is just one transaction and thus less
loss
• In this case, the attacker can computer the private key (xprv) of the online sales
Security Issue With Extended Private Key
(xprv)
• The situation could be even worse if the attacker can somehow steal master xpub (public key)
• Then the attacker can computer master xprv (private key) using master xpub and m/1/1 xprv
• So the question arises that can the extended private key (xprv) made more secure?
• The answer is yes – using the hardened extended private key
Driving Hardened Extended Private Key
(xprv)
• Here, the children of master are hardened i.e. m/0’ and m/1’ (but not the children in next level)
• Even if the attacker steals the master xpub key - M and child extended private key - m/1’/1, the
attacker cannot compute the private key – m/1’