Lecture 8: Cryptocurrency Features

In more detail: we construct a Merkle tree as follows.

• Take the hash of each individual file \(f_i\).
• Then, take the hash of each pair of hashes.
• Only store the hash at the root of the tree.

If you store one 32-byte hash digest corresponding to the set of files \(f_1, f_2, \ldots, f_k\), then someone else can prove to you that one file (say, \(f_3\)) is contained within the set \(S\) represented by the Merkle tree.

Let’s consider the following scenario: suppose you are Alice, and you already have some Bitcoins. This means that you already have created secret/public keys for a digital signature scheme.

Then you have two interactions throughout the day.

• In the morning, you visit a coffee shop and pay its store owner Bob in Bitcoin. This requires posting your public key and a digital signature to the globally-viewable blockchain.

• In the afternoon, you talk to your friend Carol, and she decides to send you some money. To do so, she’s asking you to give her a public key that she can (hash and) use as a destination address for the transaction.

What should you tell Carol?

You already have the secret/public keys from your old wallet. It’s perfectly acceptable to reuse that one.

But there is a downside: now the entire world will see that the same person who went to the coffee shop in the morning is the person who is receiving coins right now. That is: the two transactions would be linkable.

A better approach is to run KeyGen again and generate a fresh secret/public key pair for this new transaction. This would provide some measure of pseudonymity.

Signing keys are quick and easy to create. But if you do this every day, quickly you will find yourself needing to remember a lot of signing keys, and that sounds cumbersome and error-prone. How can we make your life easier?

So here we reach a conundrum: we want a process that Alice can use to reliably and deterministically produce secret keys, but also one that “looks random” to an outsider.

Question. Is there anything in our cryptographic toolbox that allows us to do this?

A cryptographic hash function \(H\) provides this kind of property. Here’s one way that we can leverage it.

Suppose we have one single main key \(m\) that we ask Alice to memorize. She can use it to generate many child keys pseudorandomly.

• For her morning interaction with Bob, she can use \(H(m, 0)\) to generate the first secret signing key (and then calculate the public key from it using the digital signature scheme’s key generation algorithm).
• For her afternoon interaction with Carol, she can use \(H(m, 1)\) to generate the second signing key.

This idea is effective thanks to the properties of the underlying hash function.

• Due to preimage resistance, even if one signing key happens to be compromised and exposed to the world, nobody can use it to reverse-engineer the main key \(m\).

• Also, the rows of the truth table of \(H\) appear to be independent. So the two signing keys – and their associated public keys – have no discernible connection to each other.

We can take this idea one step further: from the main key \(m\), we can generate several keys for different cryptocurrencies like Bitcoin, Ethereum, ZCash, and more. Then we can apply the previous idea to those keys in order to generate many secret/public key pairs.

This is the basic idea of a Bitcoin Improvement Protocol, or BIP, called hierarchical deterministic wallets.

With HD wallets, you only have to remember the main key \(m\), from which you can (re)generate as many signing keys for as many cryptocurrencies as you want.

These kinds of string encodings:

• Are incredibly useful for computer programs to ingest, process, and output printable characters for other computer programs to use.

• But Alice is a person. This style of encoding is not meant for her. What we need is a better way to encode 256 bits of random data, but in a way that makes sense for people to remember or write down.

This technique uses the same principle that we discussed in Lecture 1:

all information is data, and all data can be encoded into bits.

Specifically, let’s think about the ways that we can store 12 bits worth of data.

• We can write the data in binary, for example \(0101 1010 0011\).
• We can write the data as hex characters as \(6a4\).
• We can write the data in base 64 as “Wj”

Or we can choose any other representation that gives us \(2^{12}\) possible values that the data can take… perhaps one that is even easier for humans to remember.

There is another Bitcoin Improvement Protocol standard made for this purpose: creating human-memorable seeds. It defines a set of \(2^{11} = 2048\) words and records every 11 bits of the main key using one word.

Let’s look at its set of words. I’ll use English in this example, although other languages are specified in the standard too.

We can create Alice’s main key by sampling 24 of these words at random, each of which encodes 11 bits of data. So collectively, they encode the 256 bits of entropy that we need.

A Bitcoin transaction is actually a computer script that looks like this.

In words, a Bitcoin transaction involves Alice posting her own public key and the hash of Bob’s public key. This hash is called Bob’s wallet “address.” The transaction can be thought of as a computer program that says:

“For anyone who shows up later with a public key and claims to be the recipient of this transaction, take the hash of their public key and check if it equals 8ec...b1. If so, give my coins to that person.”

In fact, there are several valid operations that can be performed in a Bitcoin transaction. However, the scripting language is not Turing-complete; that is, you can’t write any computer program.

Relatedly, this is why some Bitcoin transactions take up more space than others: they can be more complicated computer programs.

The Ethereum blockchain is essentially a global computer where everyone agrees on the state of this computer. The global state is replicated on all nodes that are in the Ethereum network. The Ethereum state can only be changed by users issuing transactions.

Similarities. Ethereum shares several features in common with Bitcoin, such as:

• a peer-to-peer network that connects users,
• a consensus algorithm to agree on state updates, and
• using cryptographic primitives like digital signatures and hashes.

Additionally, Ethereum also has its own digital currency, known as Ether.

Just like Bitcoin transactions:

• Ethereum transactions are grouped into blocks and broadcasted into the network.
• Any person can use the global computer by issuing transactions and paying the required fees in its Ether currency.
• Every few seconds a leader gets elected, and that leader chooses which transactions go in the next block.

Differences. However, Ethereum’s primary objective is not to function as a digital currency payment network, and Ether is not intended to be a conventional currency. Instead,

• Ether is designed to be a utility currency that pays for the use of the Ethereum world computer.
• Transactions on the Ethereum blockchain explain how to move from one state of the machine to the next.

Also, Ethereum’s scripting language is Turing-complete, unlike the one in Bitcoin. So, it can operate as a general-purpose computer and execute code with more complexity.

You can think of Ethereum as a state machine. Ethereum’s state is a large data structure which holds not only all accounts and balances, but a machine state, which can change from block to block according to a pre-defined set of rules, and which can execute arbitrary machine code.

The specific rules of changing state from block to block are defined by the Ethereum Virtual Machine (EVM). Every transaction causes the EVM to run which causes the global state to change. The order of the transaction is very important! The EVM is single threaded.

For example, you could post a Sudoku puzzle to Ethereum and create a smart contract that says:

“I will pay 1 coin to the first person who posts a solution to the Sudoku puzzle in the next 5 minutes. Otherwise, I will reclaim my money.”

You must currently own 1 coin for this smart contract to be valid. If so, your coin is “locked” in the smart contract until it gets paid out (either to the puzzle-solver, or back to you).

The smart contract itself must be written as a computer program. Ethereum supports several programming languages; a popular one is a language called Solidity that was developed for Ethereum. Solidity is an object oriented imperative programming language with a syntax similar to Python and C++.

Going one step further: you can even create new coins on top of Ethereum!

• Ethereum contains a standard interface for fungible tokens on the Ethereum blockchain, called ERC20. It is a set of rules that define how a token contract should behave and interact with other contracts and wallets on the Ethereum network.

• For instance, you could create a new kind of coin called Sudokoin and say that anyone who solves a Sudoku puzzle earns 1 Sudokoin. Here is open-source Solidity code to do exactly this! (Whether or not this coin has any value is a different matter…)