Upload
alex-chepurnoy
View
278
Download
0
Embed Size (px)
Citation preview
Blockchain Hackathon, Nov `16
Blockchain For Developers
Alexander Chepurnoy(aka kushti)
@chepurnoyIOHK Research
Background
● Nxt core developer
● smartcontract.com cofounder (left)
● Scorex since late 2014
● IOHK Research
The talk is about
● How a developer can view a blockchain system
● What are open problems in blockchains
P2P network
● Each node has own view
● The goal is to have replicated subset of it across the network
● In the presence of Byzantine adversaries!
● (so only honest nodes agree on the state)
● (and only eventually)
Minimal State
● Can answer the question „whether a transaction is valid and so applicable“
● apply(min_state, tx): (MinimalState | Error)
● apply(apply(min_state, tx), tx) is always Error
● In Bitcoin UTXO set
Minimal State
● Transaction application is deterministic
● There's some initial (genesis) state hardcoded
● By applying the same sequence of transactions to the genesis state, two honest nodes got the same minimal state
● Thus we need for a guarantee every pair of honest nodes is eventually applying the same sequence of transactions!
Block Generator Election
● random party
● sybil-resistant
● efficient(min communication)
solution
● each party has limited queries to random oracle
● random oracle answers „yes“ with adjustable probability
● replace random oracle with a hash function
GKL Model
● „The Bitcoin Backbone Protocol:Analysis and Applications“
by Garay / Kiayias / Leonardos
● slides: https://bitcoinschool.gr/slides/session2.pdf
Bitcoin consensus protocol properties:
● Common Prefix
● Chain Quality
● Chain Growth
Common Prefix
no matter the strategy of the adversary, the chains of two honest parties will fork in the last k blocks with probability exponentially decreasing with k
Chain Quality
any sequence of blocks in an honest party’s chain will contain some number of honest blocks with overwhelming probability
Bitcoin Script
output: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
input: <sig> <pubKey>
Bitcoin: UTXO set
● unspent outputs set
● enough to validate any transaction
● application is about removing outputs spent and add new ones
Node view
(MinimalState, Blockchain, MemoryPool, Wallet)
(MinimalState, Blockchain) is eventually the same for all the honest nodes
What app developer should know
● Rollbacks are possible!
● Transaction is always visible before inclusion
● Frontrunning / replay attacks
● Malleability
Modifications
● alternative consensus protocols (Proof-of-Stake etc)
● richer transactional models (NameCoin, Ethereum, ZCash)
● alternative log structures (Bitcoin-NG, GHOST, TwinsChain)
● incentivization of certain activities (Permacoin, Rollerchain)
Bitcoin's Troughput (TPS)
● 7 ??? no
● 2-3 in fact
● 1/600 in worse case
https://www.reddit.com/r/Bitcoin/comments/3cgft7/largest_transaction_ever_mined_999657_kb_consumes/
Basic assumption
● It should be possible to run a fullnode on a commodity hardware
● HDD
● 1-2 GB RAM
● 1 Mbps at most
● Ethereum lost
● Bitcoin is doing hard to hold the assumption
Rollerchain
● Chepurnoy, Larangeira, Ozhiganov
http://arxiv.org/abs/1603.07926
„Rollerchain, a Blockchain With Safely Pruneable Full Blocks“
Rollerchain
● Only last n full blocks to be stored collectively
and n state snapshots
● Each miner stores k state snapshots
Rollerchain
● New node can download a historical snapshot
● Fullblocks not needed for mining could be thrown away
● Blockheaders are to be stored forever, so must be small
Unload the chain
● Move things off-chain
● Sidechains
● Avoid all the transactions execution(RsCoin)
Slowing down processing
● Bitcoin: CVE-2013-2293 (fetching outputs from hdd)
● Ethereum: most of recent attacks (fetching account states)
Asymmetric schemes
● Not neccessary to hold the whole state
● Full security guarantees
● Reyzin, Meshkov, Chepurnoy, Ivanov
„Improving Authenticated Dynamic Dictionaries, with Applications to Cryptocurrencies“
https://eprint.iacr.org/2016/994
Rational Behaviour
● Why store blocks for years after processing?
● Why to validate blocks (in PoW)?
● Why to work on a single chain (in PoS)?
Validationless (SPV) mining
● Start to mine on a header
● Trust other nodes regarding transactions
● https://bitcoin.org/en/alert/2015-07-04-spv-mining - 6 blocks starting with an invalid one
If no block reward
Carlsten, Kalodner, Weinberg, Narayan
„On the Instability of Bitcoin Without the Block Reward“
http://randomwalker.info/publications/mining_CCS.pdf