
Learning contents

1. Cryptographic hash function

2. Hash pointers and Data structures

3. Digital Signatures

4. Two simple cryptocurrencies


Learning goals

Upon completion of this lesson, students will be able to:

1. explain how Bitcoin and other cryptocurrencies work,

2. explain how cryptocurrencies support anonymity


1. Cryptographic hash function

1.1. Property 1: Collision Resistance
1.2. Property 2: Hiding
     Application: Commitments
1.3. Property 3: Puzzle Friendliness
     Application: Search Puzzle
1.4. SHA256
Hash function

- Its input can be any string of any size.
- It produces a fixed-sized output
  - we will assume a 256-bit output size
- It is efficiently computable
  - computing the hash of an n-bit string should have a running time that is O(n).

$ du -h Bitcoin_book.pdf
18M Bitcoin_book.pdf
$ time shasum -a 256 Bitcoin_book.pdf
4371b745c56c9c71e6876234c0d37881204507465ac0fed0da35a753150bbcc7
0.19s user 0.05s system 93% cpu 0.261 total
Property 1: Collision Resistance

Def. A hash function H is said to be collision resistant if it is infeasible to find two values, x and y, such that x ≠ y and H(x) = H(y).

Inevitability of collisions

- For a hash function with a 256-bit output, you would have to compute the hash function 2^256 + 1 times in the worst case (pigeonhole: more inputs than possible outputs),
- and about 2^128 times on average (the birthday bound).
Example

Consider the hash function:

    H(x) = x mod 2^256

This function
- accepts inputs of any length
- returns a fixed-sized output (256 bits)
- is efficiently computable.

But it is not collision resistant. One collision would be the values 3 and 3 + 2^256.
In reality

Is there a faster way to find collisions?
- For some possible H's, yes.
- For others, we don't know of one.
- No H has been proven collision-free.

Application: Message Digest (the 256-bit SHA-256 output above stands in for the 18 MB file: remembering the digest is enough to later recognise the file)
Property 2: Hiding

We want something like this:

    Given H(x), it is infeasible to find x.

But this cannot hold for every x. If x comes from a small set, say "heads" or "tails", an observer who sees H(x) simply computes H("heads") and H("tails") and compares: easy to find x!

Property 2: Hiding

Def. A hash function H is said to be hiding if, when a secret value r is chosen from a probability distribution that has high min-entropy, then, given H(r ‖ x), it is infeasible to find x.

Application: Commitment (digital analog of taking a value, sealing it in an envelope, and putting that envelope out on the table where everyone can see it).
Commitment

API:
• (com, key) := commit(msg)
• match := verify(com, key, msg)

Sealing the message in an envelope:
• (com, key) := commit(msg)
• publish the commitment com

Opening the envelope:
• publish (key, msg)
• now anybody can verify that msg was the message

Security

API:
• (com, key) := commit(msg)
• match := verify(com, key, msg)

Construction: key is a random nonce, com = H(nonce ‖ msg).

• Hiding: Given H(nonce ‖ msg), it is infeasible to find msg
• Binding: It is infeasible to find two pairs (msg, nonce) and (msg′, nonce′) such that
  msg ≠ msg′ and H(nonce ‖ msg) == H(nonce′ ‖ msg′)
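The commitment scheme above, as an added example (not code from the slides or the book): commit and verify with SHA-256 and a fresh 256-bit nonce, plus a deliberately weakened variant whose nonce has only a few bits of entropy, so that an observer who can guess the message space (the "heads"/"tails" case) recovers the message by enumeration. The fixed nonce length is an assumption of this example; it is what keeps nonce ‖ msg unambiguous, since otherwise (key, msg) and (key′, msg′) with key ‖ msg == key′ ‖ msg′ would open the same commitment two ways.

```python
import hashlib
import secrets

NONCE_LEN = 32  # fixed length, so nonce ‖ msg splits only one way


def commit(msg: bytes):
    """(com, key) := commit(msg): key is a fresh 256-bit nonce, com = H(key ‖ msg)."""
    key = secrets.token_bytes(NONCE_LEN)
    return hashlib.sha256(key + msg).digest(), key


def verify(com: bytes, key: bytes, msg: bytes) -> bool:
    """match := verify(com, key, msg).
    A key of the wrong length is rejected: accepting variable-length keys would
    let b"ab" ‖ b"cd" and b"a" ‖ b"bcd" open the same commitment to two messages."""
    return len(key) == NONCE_LEN and hashlib.sha256(key + msg).digest() == com


def commit_weak(msg: bytes, nonce_bits: int):
    """Same construction, but the nonce is drawn from only 2**nonce_bits values:
    low min-entropy, so hiding fails (see crack_weak)."""
    key = secrets.randbelow(1 << nonce_bits).to_bytes(NONCE_LEN, "big")
    return hashlib.sha256(key + msg).digest(), key


def crack_weak(com: bytes, candidates, nonce_bits: int):
    """Observer's attack: try every nonce against every guessable message.
    Cost is 2**nonce_bits * len(candidates) hashes; with a 256-bit nonce this
    is hopeless, with a few bits it is instant."""
    for msg in candidates:
        for r in range(1 << nonce_bits):
            key = r.to_bytes(NONCE_LEN, "big")
            if hashlib.sha256(key + msg).digest() == com:
                return msg
    return None
```

The attack is exactly the "heads"/"tails" enumeration from the slide; the nonce's min-entropy is what pushes it from two hashes to 2^256 hashes.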
Property 3: Puzzle Friendliness

Def. For every possible output value y, if k is chosen from a distribution with high min-entropy, then it is infeasible to find x such that H(k ‖ x) = y in time significantly less than 2^n (for an n-bit output).

Application: Search puzzle

Given a "puzzle ID" id (from a high min-entropy distribution) and a target set Y:
try to find a "solution" x such that H(id ‖ x) ∈ Y.

Bitcoin mining is a sort of computational puzzle.

The puzzle-friendly property implies that no solving strategy is much better than trying random values of x.
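The search puzzle as an added example (not code from the slides or the book). The target set Y is chosen here, as an assumption, the way Bitcoin chooses it: all 256-bit outputs below a threshold, i.e. outputs with a given number of leading zero bits. Because H is puzzle-friendly, trying x = 0, 1, 2, ... is as good as trying random x (every (id, x) pair is a fresh input), so the expected work is 2^d hashes for d difficulty bits, while checking a claimed solution costs one hash.

```python
import hashlib
import secrets


def in_target_set(digest: bytes, difficulty_bits: int) -> bool:
    """Y = { y : y < 2^(256 - d) }, i.e. the d most significant bits are zero."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def puzzle_hash(puzzle_id: bytes, x: int) -> bytes:
    """H(id ‖ x) with x encoded as a fixed-width 8-byte counter (nonce)."""
    return hashlib.sha256(puzzle_id + x.to_bytes(8, "big")).digest()


def solve(puzzle_id: bytes, difficulty_bits: int, max_tries: int = 1 << 40):
    """Brute force: returns (x, number of hashes computed), or None on give-up.
    There is no shortcut to try; this IS the best known strategy."""
    for x in range(max_tries):
        if in_target_set(puzzle_hash(puzzle_id, x), difficulty_bits):
            return x, x + 1
    return None


def check(puzzle_id: bytes, x: int, difficulty_bits: int) -> bool:
    """Verification costs one hash, however long the search took."""
    return in_target_set(puzzle_hash(puzzle_id, x), difficulty_bits)


def expected_tries(difficulty_bits: int) -> int:
    """Each hash lands in Y with probability 2^-d, so the expected count is 2^d."""
    return 1 << difficulty_bits


def mean_tries(difficulty_bits: int, trials: int) -> float:
    """Empirical average over fresh random puzzle IDs (high min-entropy), to be
    compared against expected_tries()."""
    total = 0
    for _ in range(trials):
        total += solve(secrets.token_bytes(32), difficulty_bits)[1]
    return total / trials
```

Raising difficulty_bits by one doubles the expected work; that is the whole difficulty-adjustment lever of proof-of-work mining, with the block header playing the role of id.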
SHA-256 hash function (Merkle-Damgård construction)

[Figure: the message is padded with 10* followed by the message length, so that its length is a multiple of 512 bits, and split into message blocks 1 .. n of 512 bits each. A 256-bit state starts at a fixed IV; for each block, the compression function c takes the current 256-bit state and the 512-bit block and outputs the next 256-bit state. The final state is the hash.]

Theorem: If c is collision-free, then SHA-256 is collision-free.


2. Hash pointers and Data structures

2.1. Blockchain
2.2. Merkle Tree
Hash pointer

A hash pointer is:
• a pointer to where some info is stored, and
• a (cryptographic) hash of the info

If we have a hash pointer, we can
• ask to get the info back, and
• verify that it hasn't changed
Hash pointer

[Figure: a hash pointer is drawn as a box H( ) with an arrow to the (data) it points at; the slides draw hash pointers like this throughout.]

Linked list with hash pointers = "block chain"

[Figure: a chain of blocks, each holding data and a prev: H( ) hash pointer to the previous block. The head of the list is a hash pointer H( ) to the most recent block; this is the one value a verifier has to remember.]

Detecting tampering

[Figure: the same chain with the data of one block altered. Its hash no longer matches the prev pointer stored in the next block; "repairing" that pointer changes the next block's hash, which then fails to match the pointer after it, and so on up to the head pointer, which the adversary cannot change.]
Binary tree with hash pointers = "Merkle tree"

[Figure: eight (data) leaves; each pair of leaves is hashed into a node H( ), each pair of those nodes into a node H( ) above them, and so on up to the single root H( ).]

Proving membership in a Merkle tree

[Figure: the path from one (data) leaf up to the root. To prove membership you show the O(log n) items along the path: the sibling hash at each level, so the verifier can recompute the root.]
Advantages of Merkle trees

- The tree holds many items, but you only need to remember the root hash
- Membership can be verified in O(log n) time/space

Variant: sorted Merkle tree
- can verify non-membership in O(log n)
  (show the items before and after the missing one)
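Merkle tree, membership proof and sorted-tree non-membership proof, as an added example (not code from the slides or the book). Two choices are assumptions of this example: leaves and inner nodes are hashed with different prefix bytes (so a leaf cannot be passed off as an inner node), and an odd level is padded by duplicating its last node, as Bitcoin does. That padding means two different leaf lists can share a root, so the non-membership verifier is given the leaf count n as well as the root.

```python
import bisect
import hashlib


def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def leaf_hash(item: bytes) -> bytes:
    return H(b"\x00" + item)           # domain-separate leaves ...


def node_hash(left: bytes, right: bytes) -> bytes:
    return H(b"\x01" + left + right)   # ... from inner nodes


def _padded(level):
    """Odd level: duplicate the last node (Bitcoin's convention)."""
    return level + [level[-1]] if len(level) % 2 else level


def build_levels(items):
    """All levels bottom-up; levels[-1][0] is the root."""
    levels = [[leaf_hash(x) for x in items]]
    while len(levels[-1]) > 1:
        lvl = _padded(levels[-1])
        levels.append([node_hash(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def merkle_root(items) -> bytes:
    return build_levels(items)[-1][0]


def membership_proof(items, index):
    """Sibling hashes on the path leaf -> root: O(log n) items to show."""
    proof = []
    for level in build_levels(items)[:-1]:
        proof.append(_padded(level)[index ^ 1])
        index //= 2
    return proof


def verify_membership(root, item: bytes, index, proof) -> bool:
    """Recompute the root from the leaf, its position and the siblings."""
    node = leaf_hash(item)
    for sibling in proof:
        node = node_hash(sibling, node) if index & 1 else node_hash(node, sibling)
        index //= 2
    return node == root


def non_membership_proof(sorted_items, x: bytes):
    """Sorted tree: exhibit the neighbours that would bracket x.
    Either side is None when x sorts before the first / after the last leaf."""
    i = bisect.bisect_left(sorted_items, x)
    if i < len(sorted_items) and sorted_items[i] == x:
        raise ValueError("x is a member")
    before = (i - 1, sorted_items[i - 1], membership_proof(sorted_items, i - 1)) if i else None
    after = (i, sorted_items[i], membership_proof(sorted_items, i)) if i < len(sorted_items) else None
    return before, after


def verify_non_membership(root, n, x: bytes, before, after) -> bool:
    """Verifier knows the root and the leaf count n. Accept iff the shown leaves
    are in the tree, adjacent, and x sorts strictly between them."""
    lo, hi = -1, n
    if before is not None:
        lo, item, proof = before
        if not (item < x and verify_membership(root, item, lo, proof)):
            return False
    if after is not None:
        hi, item, proof = after
        if not (x < item and verify_membership(root, item, hi, proof)):
            return False
    return hi == lo + 1
```

The proof size is the tree height: for 8 leaves, three sibling hashes; a verifier who only stored the 32-byte root learns membership of any of n items from O(log n) hashes.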
3. Digital Signatures

3.1. Definition
3.2. Security
3.3. Public key as Identities
Digital signature

Properties:
• only you can make your signature, but anyone
who sees it can verify that it’s valid.
• the signature to be tied to a particular document

API:
• (sk, pk) := generateKeys(keysize)
• sig := sign(sk, message)
• isValid := verify(pk, message, sig)
Requirements for signatures

Valid signatures verify:

    verify(pk, message, sign(sk, message)) == true

Can't forge signatures:
• Adversary Evil who knows pk gets to see signatures on messages of his choice
• Evil can't produce a verifiable signature on another message

Unforgeability game:

    challenger: (sk, pk) := generateKeys(keysize); pk is given to the attacker
    attacker  -> m0
    challenger -> sign(sk, m0)
    attacker  -> m1
    challenger -> sign(sk, m1)
    ...
    attacker  -> M, sig          with M not in { m0, m1, … }

    if verify(pk, M, sig) == true, the attacker wins
ECDSA

• Bitcoin uses the ECDSA standard: Elliptic Curve Digital Signature Algorithm
• Specifically, Bitcoin uses ECDSA over the standard elliptic curve secp256k1: 128 bits of security

Private key: 256 bits
Public key, uncompressed: 512 bits (the x and y coordinates of a curve point)
Public key, compressed: 257 bits (x plus the parity of y; serialized as 33 bytes)
Message to be signed: 256 bits (a hash of the actual message)
Signature: 512 bits (two 256-bit values, r and s)
Useful trick: public key == an identity

If you see sig such that verify(pk, msg, sig) == true, think of it as: pk says, "[msg]".

To "speak for" pk, you must know the secret key sk.

How to make a new identity

Create a new, random key-pair (sk, pk)
- pk is the public "name" you can use [usually better to use Hash(pk)]
- sk lets you "speak for" the identity
- you control the identity, because only you know sk
- if pk "looks random", nobody needs to know who you are
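The ECDSA section and the "public key as identity" slides, as one added example (not code from the slides, the book, or Bitcoin): a pure-Python ECDSA over secp256k1 implementing the generateKeys / sign / verify API, the 33-byte compressed public key, and an identity derived as Hash(pk). The identity here is a plain SHA-256 of the compressed key; Bitcoin's real address encoding has further steps that are not reproduced. The block also shows the failure the per-signature secret k guards against: two signatures that share k give away sk (recover_sk). Educational only: the arithmetic is not constant-time, and production code uses a vetted library with deterministic nonces (RFC 6979).

```python
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_P, base point G of prime order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (the group identity)


def point_add(p1, p2):
    """Affine addition / doubling; with a = 0 the tangent slope is 3x^2 / 2y."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:            # p2 == -p1
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point):
    """Double-and-add. Not constant time: fine for a demo, not for real keys."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def generate_keys():
    sk = secrets.randbelow(N - 1) + 1      # 256-bit private scalar
    return sk, scalar_mult(sk, G)          # public key = curve point (x, y)


def message_hash(message: bytes) -> int:
    # SHA-256 is exactly 256 bits, the bit length of N, so no truncation needed
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign_with_nonce(sk, message: bytes, k):
    """Textbook ECDSA: r = (kG).x mod N, s = k^-1 (z + r sk) mod N."""
    z = message_hash(message)
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * sk) % N
    return (r, s) if r and s else None


def sign(sk, message: bytes):
    while True:
        # k must be secret, uniform and unique per signature (see recover_sk)
        sig = sign_with_nonce(sk, message, secrets.randbelow(N - 1) + 1)
        if sig:
            return sig


def verify(pk, message: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    z = message_hash(message)
    point = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pk))
    return point is not INF and point[0] % N == r


def compress(pk) -> bytes:
    """SEC1 compressed encoding: one parity byte (0x02/0x03) + 32-byte x."""
    x, y = pk
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def identity(pk) -> str:
    """The slide's Hash(pk): a random-looking name anyone can verify against pk."""
    return hashlib.sha256(compress(pk)).hexdigest()


def recover_sk(msg1, sig1, msg2, sig2):
    """Two signatures with the same k share r, and then
    s1 - s2 = k^-1 (z1 - z2)  =>  k = (z1 - z2) / (s1 - s2),  sk = (s1 k - z1) / r."""
    (r, s1), (_, s2) = sig1, sig2
    z1, z2 = message_hash(msg1), message_hash(msg2)
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N
```

The signature is the pair (r, s), 2 × 256 bits, matching the 512-bit figure on the slide; verification needs only pk, so anyone can check "pk says [msg]" while only the holder of sk can produce it.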
Decentralized identity management

• Anybody can make a new identity at any time


make as many as you want!
• No central point of coordination
• These identities are called “addresses” in Bitcoin.
Privacy

• Addresses are not directly connected to real-world identity.
• But an observer can link together an address's activity over time and make inferences.
4. Two Simple Cryptocurrencies

4.1. Goofycoin
4.2. Scroogecoin
GoofyCoin

Goofy can create new coins ("New coins belong to me.")

    CreateCoin [uniqueCoinID]            signed by pkGoofy

A coin's owner can spend it ("Alice owns it now.")

    Pay to pkAlice : H( )                signed by pkGoofy
        └─ hash pointer to: CreateCoin [uniqueCoinID], signed by pkGoofy

The recipient can pass on the coin again ("Bob owns it now.")

    Pay to pkBob : H( )                  signed by pkAlice
        └─ hash pointer to: Pay to pkAlice : H( ), signed by pkGoofy
              └─ hash pointer to: CreateCoin [uniqueCoinID], signed by pkGoofy

Double-spending attack

    Pay to pkBob : H( )   signed by pkAlice      Pay to pkChuck : H( )   signed by pkAlice
        └───────────────────── both point to ─────────────────────┘
                  Pay to pkAlice : H( ), signed by pkGoofy
                        └─ CreateCoin [uniqueCoinID], signed by pkGoofy

Each of the two chains is valid on its own; nothing in GoofyCoin lets Bob or Chuck see the other one.
ScroogeCoin

Scrooge publishes a history of all transactions (a block chain, signed by Scrooge)

[Figure: a chain of transactions transID: 71, 72, 73, each holding its trans data and a prev: H( ) hash pointer to the previous one; the head pointer H( ) is what Scrooge signs.]

CreateCoins transaction creates new coins ("Valid, because I said so.")

    transID: 73   type: CreateCoins
    coins created
    num   value   recipient   coinID
    0     3.2     0x...       73(0)
    1     1.4     0x...       73(1)
    2     7.1     0x...       73(2)

PayCoins transaction consumes (and destroys) some coins, and creates new coins of the same total value

    transID: 73   type: PayCoins
    consumed coinIDs: 68(1), 42(0), 72(3)
    coins created
    num   value   recipient
    0     3.2     0x...
    1     1.4     0x...
    2     7.1     0x...
    signatures

    Valid if:
    -- consumed coins valid,
    -- not already consumed,
    -- total value out = total value in, and
    -- signed by owners of all consumed coins

Immutable coins

• Coins can't be transferred, subdivided, or combined
• But: you can get the same effect by using transactions
  to subdivide: create a new transaction that consumes your coin and pays out two new coins to yourself
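The ScroogeCoin rules, GoofyCoin's double-spend, and the subdivision trick, as one added example (not code from the slides or the book). It is a ledger that enforces the four PayCoins validity rules and therefore rejects the double-spend that GoofyCoin cannot detect. Two assumptions of this example: values are integers rather than the slide's decimals, and since the Python standard library has no ECDSA, signatures are Lamport one-time signatures over SHA-256 (a real signature scheme, but each key should sign only one message, so every coin recipient here is a fresh key, which also mirrors the fresh-address habit). Recipient identities are Hash(pk), as the slides suggest.

```python
import hashlib
import json
import os


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


# Lamport one-time signatures stand in for ECDSA. sk: 256 pairs of random
# secrets; pk: their hashes; signing a 256-bit digest reveals one secret per bit.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(s0), sha256(s1)) for s0, s1 in sk]
    return sk, pk


def _bits(msg: bytes):
    d = int.from_bytes(sha256(msg), "big")
    return [(d >> i) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        sha256(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))


def identity(pk) -> str:
    """Address = Hash(pk), as the slides recommend."""
    return sha256(b"".join(h0 + h1 for h0, h1 in pk)).hex()


class ScroogeLedger:
    """Scrooge's append-only history; transID = position in the history,
    coinID = "transID(num)" exactly as on the slides."""

    def __init__(self):
        self.history = []      # transactions in order
        self.coins = {}        # coinID -> (value, owner identity)
        self.consumed = set()  # coinIDs already destroyed by a PayCoins

    def _record(self, tx):
        tx["transID"] = len(self.history)
        self.history.append(tx)
        for n, (value, owner) in enumerate(tx["outputs"]):
            self.coins[f"{tx['transID']}({n})"] = (value, owner)
        return tx["transID"]

    def create_coins(self, outputs):
        """outputs: [(value, recipient pk)]; valid 'because Scrooge said so'."""
        return self._record({"type": "CreateCoins",
                             "outputs": [(v, identity(pk)) for v, pk in outputs]})

    @staticmethod
    def pay_body(consumed, outputs):
        """Canonical bytes that the owners of the consumed coins sign."""
        return json.dumps({"type": "PayCoins", "consumed": consumed,
                           "outputs": outputs}, sort_keys=True).encode()

    def pay_coins(self, consumed, outputs, proofs):
        """proofs: {owner identity: (pk, signature over pay_body)}.
        Raises ValueError when one of the four validity rules fails."""
        out = [(v, identity(pk)) for v, pk in outputs]
        for cid in consumed:
            if cid not in self.coins:                                 # rule 1
                raise ValueError(f"{cid}: no such coin")
            if cid in self.consumed:                                  # rule 2
                raise ValueError(f"{cid}: already consumed (double spend)")
        if sum(self.coins[c][0] for c in consumed) != sum(v for v, _ in out):
            raise ValueError("total value out != total value in")    # rule 3
        body = self.pay_body(consumed, out)
        for cid in consumed:                                          # rule 4
            owner = self.coins[cid][1]
            pk, sig = proofs.get(owner, (None, None))
            if pk is None or identity(pk) != owner or not verify(pk, body, sig):
                raise ValueError(f"{cid}: missing or invalid owner signature")
        self.consumed.update(consumed)
        return self._record({"type": "PayCoins", "consumed": consumed, "outputs": out})


def make_proofs(consumed, outputs, keys):
    """Spender side: keys maps owner identity -> (sk, pk)."""
    body = ScroogeLedger.pay_body(consumed, [(v, identity(pk)) for v, pk in outputs])
    return {owner: (pk, sign(sk, body)) for owner, (sk, pk) in keys.items()}


def demo():
    """The slides' scenarios; returns the transID or the rejection reason of each."""
    ledger = ScroogeLedger()
    a1, a2, a3, a4, bob, chuck = (keygen() for _ in range(6))   # Alice holds a1..a4
    res = {"create": ledger.create_coins([(32, a1[1]), (14, a2[1])])}   # coins 0(0), 0(1)
    outs = [(32, bob[1])]                                                # Alice -> Bob
    res["pay_bob"] = ledger.pay_coins(["0(0)"], outs, make_proofs(["0(0)"], outs, {identity(a1[1]): a1}))
    for name, consumed, outs, keys in [
        ("double_spend", ["0(0)"], [(32, chuck[1])], {identity(a1[1]): a1}),        # same coin to Chuck
        ("subdivide", ["0(1)"], [(10, a3[1]), (4, a4[1])], {identity(a2[1]): a2}),  # split to herself
        ("inflate", ["1(0)"], [(40, chuck[1])], {identity(bob[1]): bob}),            # value out > in
        ("theft", ["1(0)"], [(32, chuck[1])], {identity(chuck[1]): chuck}),          # Chuck signs for Bob's coin
    ]:
        try:
            res[name] = ledger.pay_coins(consumed, outs, make_proofs(consumed, outs, keys))
        except ValueError as e:
            res[name] = str(e)
    return res
```

The double-spend is refused by rule 2 before any signature is even checked: Scrooge's single published history is what GoofyCoin lacked. The remaining question of the slides, whether that history can be maintained without trusting Scrooge, is what the next lesson takes up.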
Crucial question

Can we descroogify the currency, and operate without any central, trusted party?

(Scrooge: "Don't worry, I'm honest.")

Quiz 1 (type: Quiz 2)

Question: Let H be a hash function that is both hiding and puzzle-friendly. Consider G(z) = H(z) ‖ zlast, where zlast represents the last bit of z. Is G puzzle-friendly and hiding?
1. No, G is not puzzle-friendly but hiding.
2. No, G is puzzle-friendly but not hiding.
3. No, G is not puzzle-friendly and not hiding.
4. Yes, G is puzzle-friendly and hiding.

Answer: 2

Feedback: G's output reveals the last bit of its input, so it is not hiding. Controlling that one output bit speeds up a search for x with G(k ‖ x) ∈ Y by at most a factor of 2, so G stays puzzle-friendly.

Quiz 2 (type: Quiz 2)

Question: If you generate numerous identities (public keys) for yourself and interact online using those different identities, what might happen? (There is more than one correct answer.)
1. Others might be able to take over your identities if your randomness is bad
2. Others may be able to link your identities because public keys generated on the same computer look similar
3. Others may be able to de-anonymize you by analyzing your activity patterns

Answer: 1, 3
Summary

Cryptographic Hash Function
  Collision Resistance, Hiding, Puzzle Friendliness, SHA256
Hash pointers and Data structures
  Blockchain, Merkle tree
Digital Signatures
  Security, ECDSA, Public key as Identities
Two simple cryptocurrencies
  Goofycoin, Scroogecoin
Next time

Lesson 8: Introduction to Cryptocurrency 2

References

Books:
1. Arvind Narayanan et al. (2016). Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction. Princeton University Press.
2. Satoshi Nakamoto (2009). Bitcoin: A Peer-to-Peer Electronic Cash System.

Online course:
• "Bitcoin and Cryptocurrency Technologies" on Coursera.org.
  Link: https://www.coursera.org/learn/cryptocurrency
