Module 1

The document describes a course on Blockchain and Cryptocurrency Technologies that covers topics such as cryptography, Bitcoin, Ethereum, and other cryptocurrencies over 45 lecture hours, with assessment based on continuous assessment tests, assignments, and an end of term exam. The course aims to help students understand the mechanisms of blockchain and cryptocurrencies, explore applications, and understand related cryptographic concepts and limitations.

Uploaded by

Pratham Jangra
Course Name: Block Chain and Crypto Currency Technologies

Course Code: CSE1006

Faculty In-Charge : Dr. Ganesan R, Professor

Resource Material Courtesy


Narayanan, A., Bonneau, J., Felten, E., Miller, A., and Goldfeder, S.
(2016). Bitcoin and Cryptocurrency technologies: a comprehensive
introduction. Princeton University Press
Assessment

Component        Weightage
CAT1             15
CAT2             15
DA               30
TERM End Exam    40
--------------------------
Total            100

CSE1066 Block Chain and Crypto Currency Technologies    L T P J C: 3 0 0 0 3
Pre-requisite: Nil

Module:1 Introduction to Cryptography and Cryptocurrencies    5 hours
Cryptographic Hash Functions, Hash Pointers and Data Structures, Digital Signatures, Public Keys as Identities, A Simple Cryptocurrency.

Module:2 How Blockchain Achieves and How to Store and Use    7 hours
Decentralization-Centralization vs. Decentralization-Distributed consensus, Consensus without identity using a blockchain, Incentives and proof of work. Simple Local Storage, Hot and Cold Storage, Splitting and Sharing Keys, Online Wallets and Exchanges, Payment Services, Transaction Fees, Currency Exchange Markets.

Module:3 Mechanics of Bitcoin    5 hours
Bitcoin transactions, Bitcoin Scripts, Applications of Bitcoin scripts, Bitcoin blocks, The Bitcoin network, Limitations and improvements.

Module:4 Bitcoin Mining    5 hours
The task of Bitcoin miners, Mining Hardware, Energy consumption and ecology, Mining pools, Mining incentives and strategies.

Module:5 Bitcoin and Anonymity    5 hours
Anonymity Basics, How to De-anonymize Bitcoin, Mixing, Decentralized Mixing, Zerocoin and Zerocash.

Module:6 Community, Politics, and Regulation    9 hours
Consensus in Bitcoin, Bitcoin Core Software, Stakeholders: Who's in Charge, Roots of Bitcoin, Governments Notice on Bitcoin, Anti Money Laundering Regulation, New York's BitLicense Proposal. Bitcoin as a Platform: Bitcoin as an Append only Log, Bitcoins as Smart Property, Secure Multi Party Lotteries in Bitcoin, Bitcoin as Public Randomness Source, Prediction Markets, and Real World Data Feeds.

Module:7 Altcoins and the Cryptocurrency Ecosystem    7 hours
Altcoins: History and Motivation, A Few Altcoins in Detail, Relationship Between Bitcoin and Altcoins, Merge Mining, Atomic Crosschain Swaps, Bitcoin-Backed Altcoins, Side Chains, Ethereum and Smart Contracts.

Module:8 Recent Trends and applications    2 hours

Total Lecture hours: 45 hours
Text Book(s)
1. Narayanan, A., Bonneau, J., Felten, E., Miller, A., and Goldfeder, S. (2016). Bitcoin and
Cryptocurrency technologies: a comprehensive introduction. Princeton University Press.
Reference Books
1. Antonopoulos, A. M. (2014). Mastering Bitcoin: unlocking digital cryptocurrencies. O'Reilly Media, Inc.
2. Franco, P. (2014). Understanding Bitcoin: Cryptography, engineering and economics. John Wiley and Sons.
Mode of Evaluation: CAT / Assignment / Quiz / FAT / Project / Seminar

Expected Outcome
Course Objectives
• To understand the mechanism of Blockchain and Cryptocurrency.
• To understand the functionality of current implementations of blockchain technology.
• To understand the required cryptographic background.
• To explore the applications of Blockchain to cryptocurrencies and understand the limitations of current Blockchain.
• To gain exposure to recent research.


Expected Course Outcome

• To understand and apply the fundamentals of cryptography in cryptocurrency
• To gain knowledge about the various operations associated with the life cycle of Blockchain and Cryptocurrency
• To deal with the methods for verification and validation of Bitcoin transactions
• To demonstrate the general ecosystem of several cryptocurrencies
• To teach the principles, practices and policies associated with Bitcoin business


Introduction to Cryptography and Crypto Currencies

• All currencies should enforce various security properties
• These security features raise the bar for an attacker, but they don’t make money impossible to counterfeit
• Cryptocurrency – Tampering and equivocating
• Cryptocurrencies make heavy use of cryptography
• Hashes and digital signatures are the two primitives used in cryptocurrency

Cryptographic Hash Functions

Properties of Hash Function

• Its input can be any string of any size
• It produces a fixed-size output
• It is easy to compute the hash value for any given message
• It is infeasible to generate a message from its hash
• It is infeasible to modify a message without changing the hash
• It is infeasible to find two different messages with the same hash
• It is impossible for the same message to have different hashes

Collision Resistance

• The first property that we need from a cryptographic hash function is that it’s collision-resistant
• A collision occurs when two distinct inputs produce the same output.
• A hash function H(.) is collision-resistant if nobody can find a collision
• Collision-resistance: A hash function H is said to be collision resistant if it is infeasible to find two values, x and y, such that x ≠ y, yet H(x) = H(y).

Figure depicting hash collision


• Collisions are guaranteed to exist, because the input space is larger than the output space
• We’ll find a collision with high probability long before examining 2^256 + 1 inputs
• If we randomly choose just 2^130 + 1 inputs, it turns out there’s a 99.8% chance that at least two of them are going to collide
• The fact that we can find a collision by examining only roughly the square root of the number of possible outputs results from a phenomenon in probability known as the birthday paradox
• This collision-detection algorithm works for every hash function, but it takes a very long time to run
• For a hash function with a 256-bit output, you would have to compute the hash function 2^256 + 1 times in the worst case, and about 2^128 times on average
• If a computer calculates 10,000 hashes per second, it would take more than one octillion (10^27) years to calculate 2^128 hashes!

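The birthday bound described above can be observed on a shortened hash. This is an added example, not part of the course slides; truncating SHA-256 to 16, 24 or 32 bits is an assumption made only so the search finishes in seconds, and the input strings are constructed.

```python
import hashlib
import itertools


def truncated_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(data), as an integer (a toy n-bit hash)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int):
    """Hash distinct inputs until two of them share the same truncated output.

    Returns (x, y, tries). The loop must stop within 2**bits + 1 tries
    (pigeonhole), but is expected to stop after about 1.25 * 2**(bits/2)
    tries (birthday paradox).
    """
    seen = {}  # truncated hash value -> the input that produced it
    for i in itertools.count():
        x = b"input-%d" % i          # constructed, distinct inputs
        h = truncated_hash(x, bits)
        if h in seen:
            return seen[h], x, i + 1
        seen[h] = x


if __name__ == "__main__":
    for bits in (16, 24, 32):
        x, y, tries = find_collision(bits)
        print(f"{bits}-bit hash: {x!r} and {y!r} collide after {tries} hashes; "
              f"sqrt of output space = {2 ** (bits // 2)}, "
              f"worst case = {2 ** bits + 1}")
```

Each extra output bit multiplies the expected work by about 1.41, which is why the same search against the full 256-bit output needs on the order of 2^128 hashes.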

SHA-1 Collision Detection

https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

Hiding

• Given H(x), it is infeasible to find x

• Hiding. A hash function H is hiding if: when a secret value r is chosen from a probability distribution that has high min-entropy, then given H(r ‖ x) it is infeasible to find x
• High min-entropy means the distribution is “very spread out”, so that no particular value is chosen with more than negligible probability
• Example: If r is chosen uniformly from among all of the strings that are 256 bits long, then any particular string was chosen with probability 1/2^256, which is an infinitesimally small value.

Application: Commitment - Envelope
• Want to “seal a value in an envelope” and “open the envelope” later
• Commit to a value, reveal it later

• Commitment scheme. A commitment scheme consists of two algorithms:
  ◦ com := commit( msg, nonce ) The commit function takes a message and a secret random value, called a nonce, as input and returns a commitment.
  ◦ verify( com, msg, nonce ) The verify function takes a commitment, nonce, and message as input. It returns true if com == commit( msg, nonce ) and false otherwise
• The following two security properties should hold:
  ◦ Hiding: Given com, it is infeasible to find msg
  ◦ Binding: It is infeasible to find two pairs (msg, nonce) and (msg’, nonce’) such that msg ≠ msg’ and commit( msg, nonce ) == commit( msg’, nonce’ )
• Every time you commit to a value, it is important that you choose a new random value nonce. In cryptography, the term nonce is used to refer to a value that can only be used once

Commitment API

• (com, key) := commit(msg)
  match := verify(com, key, msg)
• To seal a message in an envelope:
  (com, key) := commit(msg) --- then publish com
• To open the envelope:
  Publish key, msg
  anyone can verify() to check validity

Commitment API

• commit(msg) := (H(key || msg), key)
  where key is a random 256-bit value
  verify(com, key, msg) := (H(key || msg) == com)
• Security Properties
  Hiding: Given H(key || msg), infeasible to find msg
  Binding: Infeasible to find msg != msg’ such that H(key || msg) == H(key || msg’)

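The commitment API above, written out as an added example (not code from the course slides), with H assumed to be SHA-256. The open_by_guessing helper is hypothetical and shows why the random key matters: a commitment computed as H(msg) alone is not hiding when msg comes from a small set such as heads/tails.

```python
import hashlib
import hmac
import secrets


def H(data: bytes) -> bytes:
    """The hash function H from the slides, assumed here to be SHA-256."""
    return hashlib.sha256(data).digest()


def commit(msg: bytes):
    """Seal msg: returns (com, key). Publish com now, keep key and msg secret."""
    # A fresh random 256-bit key for every commitment. Its fixed length keeps
    # the split between key and msg in key || msg unambiguous.
    key = secrets.token_bytes(32)
    return H(key + msg), key


def verify(com: bytes, key: bytes, msg: bytes) -> bool:
    """Open the envelope: anyone can recompute H(key || msg) and compare."""
    return hmac.compare_digest(H(key + msg), com)


def open_by_guessing(com: bytes, candidates):
    """Hypothetical check of the hiding property against a key-less scheme.

    If com == H(msg) and msg has only a few possible values, hashing each
    candidate reveals it. Against H(key || msg) this returns None, because
    the 256-bit key gives the hash input high min-entropy.
    """
    for guess in candidates:
        if hmac.compare_digest(H(guess), com):
            return guess
    return None


if __name__ == "__main__":
    outcomes = [b"heads", b"tails"]           # constructed message space

    com, key = commit(b"heads")
    print("published commitment:", com.hex())
    print("opens as heads:", verify(com, key, b"heads"))     # True
    print("opens as tails:", verify(com, key, b"tails"))     # False (binding)

    weak_com = H(b"heads")                    # commitment without a key
    print("key-less commitment guessed:", open_by_guessing(weak_com, outcomes))
    print("keyed commitment guessed:", open_by_guessing(com, outcomes))
```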
Puzzle Friendliness

• A hash function H is said to be puzzle-friendly if for every possible n-bit output value y, if k is chosen from a distribution with high min-entropy, then it is infeasible to find x such that H(k ‖ x) = y in time significantly less than 2^n
• Intuition: If someone wants to target the hash function to come out to some particular output value y, and part of the input is chosen in a suitably randomized way, then it’s very difficult to find another value that hits exactly that target.

Application: Search Puzzle

Search puzzle. A search puzzle consists of

• a hash function, H,
• a value, id (which we call the puzzle-ID), chosen from a high min-entropy distribution, and
• a target set Y

A solution to this puzzle is a value, x, such that H( id ‖ x ) ∈ Y.

Intuition:
• If H has an n-bit output, then it can take any of 2^n values
• Solving the puzzle requires finding an input so that the output falls within the set Y, which is typically much smaller than the set of all outputs
• The size of Y determines how hard the puzzle is; if Y is the set of all n-bit strings the puzzle is trivial, whereas if Y has only 1 element the puzzle is maximally hard
• The fact that the puzzle id has high min-entropy ensures that there are no shortcuts
• On the contrary, if a particular value of the ID were likely, then someone could cheat, say by pre-computing a solution to the puzzle with that ID.

• If a search puzzle is puzzle-friendly, this implies that there’s no solving strategy for this puzzle which is much better than just trying random values of x
• And so, if we want to pose a puzzle that’s difficult to solve, we can do it this way as long as we can generate puzzle-IDs in a suitably random way
• Used in Bitcoin mining, which is a sort of computational puzzle

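A search puzzle as defined above, as an added example that is not part of the course slides. It assumes H is SHA-256 and that the target set Y is "all outputs below a threshold" (outputs whose top k bits are zero); the 8-byte encoding of x and the function names are choices made for this sketch.

```python
import hashlib
import secrets

N_BITS = 256  # n, the output size of SHA-256


def H(data: bytes) -> int:
    """SHA-256 output interpreted as an n-bit integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def target_for(difficulty_bits: int) -> int:
    """Threshold defining Y = {y : y < target}, so |Y| = 2^(n - k).

    k = 0 makes Y the set of all n-bit strings (trivial puzzle); each extra
    bit halves Y and doubles the expected work, which is 2^k hashes.
    """
    return 1 << (N_BITS - difficulty_bits)


def in_target(puzzle_id: bytes, x: int, target: int) -> bool:
    """Check a claimed solution with a single hash: is H(id || x) in Y?"""
    return H(puzzle_id + x.to_bytes(8, "big")) < target


def solve(puzzle_id: bytes, target: int):
    """Try x = 0, 1, 2, ... until H(id || x) lands in Y.

    With a puzzle-friendly hash nothing does much better than this kind of
    exhaustive trial. Returns (x, number_of_hashes_computed).
    """
    x = 0
    while not in_target(puzzle_id, x, target):
        x += 1
    return x, x + 1


if __name__ == "__main__":
    # The puzzle-ID comes from a high min-entropy source, so no solution
    # could have been computed before the ID was known.
    puzzle_id = secrets.token_bytes(32)
    for k in (0, 8, 12, 16):
        x, tries = solve(puzzle_id, target_for(k))
        print(f"k={k:2d}: solution x={x} found after {tries} hashes "
              f"(expected about {2 ** k})")
```

Verification costs one hash regardless of difficulty, while solving costs about 2^k; that asymmetry is what Bitcoin mining relies on.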
SHA-256

Hash Pointers

• A hash pointer is a pointer to where some information is stored
• It also contains a cryptographic hash of the data
• Helps to get the information back
• One can verify that the information is intact

Merkle Tree

Hash Pointers – Merkle Tree

Proving Membership in Merkle Tree

Advantage of Merkle Tree

• Even though a Merkle tree holds many items, the important thing to remember is the root hash
• Can verify membership in O(log n) time/space

Variant: Sorted Merkle Tree

• Can verify non-membership in O(log n)

Video lecture (YouTube): https://www.youtube.com/watch?v=s0fruNfgW30

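A Merkle tree with an O(log n) membership proof, as an added example that is not part of the course slides. Assumptions made here: SHA-256 as the hash, an odd-sized level pairs its last node with itself, leaf and interior hashes get different one-byte prefixes so a leaf can never be passed off as an interior node, and the "tx-N" items are constructed sample data.

```python
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(item: bytes) -> bytes:
    return H(b"\x00" + item)             # prefix marks a leaf


def node_hash(left: bytes, right: bytes) -> bytes:
    return H(b"\x01" + left + right)     # prefix marks an interior node


def build_levels(items):
    """levels[0] holds the leaf hashes, levels[-1] holds only the root hash."""
    if not items:
        raise ValueError("a Merkle tree needs at least one item")
    level = [leaf_hash(item) for item in items]
    levels = [level]
    while len(level) > 1:
        padded = level + [level[-1]] if len(level) % 2 else level
        level = [node_hash(padded[i], padded[i + 1])
                 for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels


def prove(levels, index):
    """Membership proof for leaf `index`: one sibling hash per tree level."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling >= len(level):        # last node of an odd-sized level
            sibling = index              # it was paired with itself
        proof.append((level[sibling], sibling < index))  # (hash, sibling_is_left)
        index //= 2
    return proof


def verify(root: bytes, item: bytes, proof) -> bool:
    """Recompute the path from the item up to the root, using only the proof."""
    current = leaf_hash(item)
    for sibling, sibling_is_left in proof:
        current = (node_hash(sibling, current) if sibling_is_left
                   else node_hash(current, sibling))
    return current == root


if __name__ == "__main__":
    items = [b"tx-%d" % i for i in range(11)]     # constructed sample items
    levels = build_levels(items)
    root = levels[-1][0]                          # the only value to remember
    proof = prove(levels, 6)
    print("root:", root.hex())
    print("proof length for 11 items:", len(proof))               # 4 hashes
    print("tx-6 is a member:", verify(root, b"tx-6", proof))      # True
    print("forged item accepted:", verify(root, b"tx-forged", proof))  # False
```

The verifier holds only the root hash and receives the item plus four sibling hashes, which is the O(log n) time/space cost stated above.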

Digital Signature

Need of Digital Signature

• Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. Several forms of dispute between the two parties are possible
• Assume Mr. Ben sends an authenticated message to Mrs. Clara using one of the schemes discussed in Message Authentication Protocol.

The following disputes could arise:

• Clara may forge a different message and claim that it came from Ben. Clara would simply have to create a message and append an authentication code using the key that Ben and Clara share.
• Ben can deny sending the message. Because it is possible for Clara to forge a message, there is no way to prove that Ben did in fact send the message.
• Both scenarios are of legitimate concern. Ex: electronic fund transfer, stockbroker transaction

Digital Signature Properties
• In situations where there is not complete trust between sender and receiver, something more than authentication is needed; an elegant solution is the digital signature

Properties of digital signature:
• It must verify the author and the date and time of the signature, and be verifiable by third parties in case of disputes
• It must authenticate the contents at the time of the signature

Digital Signature Requirements

• The signature must be a bit pattern that depends on the message being signed.
• The signature must use some information known only to the sender, to prevent both forgery and denial
• It must be relatively easy to produce, recognize and verify the digital signature
• It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message.
• It must be practical to retain a copy of the digital signature in storage.

Digital Signature Scheme

• (sk, pk) := generateKeys( keysize )
• sig := sign( sk , message )
• isValid := verify( pk , message , sig )

The following two properties should hold:

• Valid signatures must verify
  ◦ verify( pk , message , sign( sk , message )) == true
• Signatures are existentially unforgeable


Verify
• If I sign a message with sk, my secret key, and someone later tries to validate that signature over that same message using my public key, pk, the signature must validate correctly

Unforgeability
• An adversary who knows your public key and gets to see your signatures on some other messages can’t forge your signature on some message for which he has not seen your signature

Unforgeability Game

• A signature scheme is unforgeable if and only if, no matter what algorithm the adversary is using, his chance of successfully forging a message is extremely small

Practical Concerns

• Many signature algorithms are randomized (in particular the one used in Bitcoin) and we therefore need a good source of randomness
• The importance of this really can’t be underestimated, as bad randomness will make the algorithm insecure
• It is better to sign the hash of the message: if we use a cryptographic hash function with a 256-bit output, then we can effectively sign a message of any length as long as our signature scheme can sign 256-bit messages
• It’s safe to use the hash of the message as a message digest in this manner since the hash function is collision resistant

Elliptic Curve Digital Signature Algorithm (ECDSA)

• Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA)
• Bitcoin uses ECDSA over the standard elliptic curve “secp256k1”, which is estimated to provide 128 bits of security
• ECDSA can technically only sign messages 256 bits long, but this is not a problem: messages are always hashed before being signed, so effectively any size message can be efficiently signed
• There is no encryption mechanism in Bitcoin. Commitment schemes, signing schemes, etc. involve hiding information in some way, but they are distinct from encryption
• Private key: 256 bits; public key, uncompressed: 512 bits; public key, compressed: 257 bits; message to be signed: 256 bits; signature: 512 bits

Public Keys as Identities

• A public key is an identity (a user or actor in a system)
• If you see sig such that verify(pk, msg, sig) == true, think of it as pk says, “[msg]”
• To “speak for” pk, one should know the corresponding sk
• In practice, you may use the hash of pk as your identity since public keys are large
• In order to verify that a message comes from your identity, one will have to check (1) that pk indeed hashes to your identity, and (2) that the message verifies under public key pk.

Decentralized Key Management

• Rather than having a central authority that you have to go to in order to register as a user in a system, you can register as a user all by yourself
• If you want a new identity, you can just generate one at any time, and you can make as many as you want
• If you prefer to be known by five different names, no problem! Just make five identities. If you want to be somewhat anonymous for a while, you can make a new identity, use it just for a little while, and then throw it away
• All of these things are possible with decentralized identity management, and this is the way Bitcoin, in fact, does identity
• These identities are called addresses, in Bitcoin jargon

Anonymity & Privacy

• Addresses are not directly connected to a real-world entity: you create a random-looking identity all by yourself without telling anyone your real-world identity
• But an observer can link together an address's activity over time and make inferences

• Two simple cryptocurrencies: GoofyCoin, ScroogeCoin

Creation of GoofyCoin

• To create a coin, Goofy generates a unique coin ID that he’s never generated before and constructs the string “CreateCoin [ uniqueCoinID ]”
• He then computes the digital signature of this string with his secret signing key
• The string, together with Goofy’s signature, is a coin
• Anyone can verify that the coin contains Goofy’s valid signature of a CreateCoin statement, and is therefore a valid coin

Double Spending Attacks

• Goofy coins are prone to double-spending attacks
• Double spending is a main design challenge in digital currency, and it has to be eliminated

GoofyCoin in a Nutshell

• Goofy can create new coins by simply signing a statement that he’s making a new coin with a unique coin ID
• Whoever owns a coin can pass it on to someone else by signing a statement saying, “Pass on this coin to X” (where X is specified as a public key)
• Anyone can verify the validity of a coin by following the chain of hash pointers back to its creation by Goofy, verifying all of the signatures along the way

ScroogeCoin

• To solve the double-spending problem, we’ll design another cryptocurrency, which we’ll call ScroogeCoin
• ScroogeCoin is built off of GoofyCoin, but it’s a bit more complicated in terms of data structures
• Scrooge digitally signs the final hash pointer, and anyone can verify it
• Double spending can be detected – everyone can refer to the history and, finally, to the digital signature of Scrooge

• Since Scrooge adds this coin value and recipient to the history, it is valid

Immutable Coins

• Coins in this system are immutable — they are never changed, subdivided, or combined
• Each coin is created, once, in one transaction and later consumed in some other transaction
• But we can get the same effect as being able to subdivide or combine coins by using transactions
• Example: to subdivide a coin, Alice creates a new transaction that consumes that one coin, and then produces two new coins of the same total value; those two new coins could be assigned back to her

Problem with ScroogeCoin

• Need a cryptocurrency with a decentralized trusted system