Embed Size (px)
Citation preview
Blockchain Hackathon, Nov `16
Blockchain For Developers
Alexander Chepurnoy(aka kushti)
@chepurnoyIOHK Research
Background
● Nxt core developer
● smartcontract.com cofounder (left)
● Scorex since late 2014
● IOHK Research
The talk is about
● How a developer can view a blockchain system
● What are open problems in blockchains
Environment
● P2P network
● No central party
● Probabilistic broadcast
P2P network
● Each node has own view
● The goal is to have replicated subset of it across the network
● In the presence of Byzantine adversaries!
● (so only honest nodes agree on the state)
● (and only eventually)
A transaction
● Atomic state modifier
● Authenticated
Minimal State
● Can answer the question „whether a transaction is valid and so applicable“
● apply(min_state, tx): (MinimalState | Error)
● apply(apply(min_state, tx), tx) is always Error
● In Bitcoin UTXO set
Minimal State
● Transaction application is deterministic
● There's some initial (genesis) state hardcoded
● By applying the same sequence of transactions to the genesis state, two honest nodes got the same minimal state
● Thus we need for a guarantee every pair of honest nodes is eventually applying the same sequence of transactions!
Blockchain
● Transactions packed into blocks
● Blocks are linked
Blockchain
Block Generator Election
● random party
● sybil-resistant
● efficient(min communication)
solution
● each party has limited queries to random oracle
● random oracle answers „yes“ with adjustable probability
● replace random oracle with a hash function
Bitcoin's Proof-of-Work
● hash(blockheader) < target
● target T = 1 / difficulty
GKL Model
● „The Bitcoin Backbone Protocol:Analysis and Applications“
by Garay / Kiayias / Leonardos
● slides: https://bitcoinschool.gr/slides/session2.pdf
Bitcoin consensus protocol properties:
● Common Prefix
● Chain Quality
● Chain Growth
Common Prefix
no matter the strategy of the adversary, the chains of two honest parties will fork in the last k blocks with probability exponentially decreasing with k
Chain Quality
any sequence of blocks in an honest party’s chain will contain some number of honest blocks with overwhelming probability
Chain Growth
honest party's chain grows with some minimal pace with an overwhelming probability
Bitcoin
● digital cash
● transaction is a set of token transfers
Bitcoin: Transaction
Bitcoin Script
output: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
input: <sig> <pubKey>
Bitcoin: UTXO set
● unspent outputs set
● enough to validate any transaction
● application is about removing outputs spent and add new ones
Memory Pool
● contains unconfirmed transaction
● inconsistent across a network
Vault (Wallet)
● node-specific information
● e.g. transactions for selected pubkeys
Node view
(MinimalState, Blockchain, MemoryPool, Wallet)
(MinimalState, Blockchain) is eventually the same for all the honest nodes
What app developer should know
● Rollbacks are possible!
● Transaction is always visible before inclusion
● Frontrunning / replay attacks
● Malleability
Modifications
● alternative consensus protocols (Proof-of-Stake etc)
● richer transactional models (NameCoin, Ethereum, ZCash)
● alternative log structures (Bitcoin-NG, GHOST, TwinsChain)
● incentivization of certain activities (Permacoin, Rollerchain)
Scalability
Bitcoin's Troughput (TPS)
● 7 ??? no
● 2-3 in fact
● 1/600 in worse case
https://www.reddit.com/r/Bitcoin/comments/3cgft7/largest_transaction_ever_mined_999657_kb_consumes/
Basic assumption
● It should be possible to run a fullnode on a commodity hardware
● HDD
● 1-2 GB RAM
● 1 Mbps at most
● Ethereum lost
● Bitcoin is doing hard to hold the assumption
Better throughput
● Bitcoin-NG
● GHOST/SPECTRE
Blockchain Pruning
Rollerchain
● Chepurnoy, Larangeira, Ozhiganov
http://arxiv.org/abs/1603.07926
„Rollerchain, a Blockchain With Safely Pruneable Full Blocks“
Rollerchain
● Only last n full blocks to be stored collectively
and n state snapshots
● Each miner stores k state snapshots
Rollerchain
● New node can download a historical snapshot
● Fullblocks not needed for mining could be thrown away
● Blockheaders are to be stored forever, so must be small
Unload the chain
● Move things off-chain
● Sidechains
● Avoid all the transactions execution(RsCoin)
Offchain
● Lightning Network
● Offchain contracts(SMC/SMP)
Smart Contracts
● Ethereum isn't scalable
● Hawk
● Enigma
Dark side of an open blockchain
Slowing down processing
● Bitcoin: CVE-2013-2293 (fetching outputs from hdd)
● Ethereum: most of recent attacks (fetching account states)
Asymmetric schemes
● Not neccessary to hold the whole state
● Full security guarantees
● Reyzin, Meshkov, Chepurnoy, Ivanov
„Improving Authenticated Dynamic Dictionaries, with Applications to Cryptocurrencies“
https://eprint.iacr.org/2016/994
Asymmetric vs Symmetric
AVL+ trees vs Ethereum‘s tries
Rational Behaviour
● Why store blocks for years after processing?
● Why to validate blocks (in PoW)?
● Why to work on a single chain (in PoS)?
Validationless (SPV) mining
● Start to mine on a header
● Trust other nodes regarding transactions
● https://bitcoin.org/en/alert/2015-07-04-spv-mining - 6 blocks starting with an invalid one
If no block reward
Carlsten, Kalodner, Weinberg, Narayan
„On the Instability of Bitcoin Without the Block Reward“
http://randomwalker.info/publications/mining_CCS.pdf
