# <span style="color:blue">Bitcoin and Cryptocurrency Technologies</span>
Platform: Coursera

Institutions: Princeton University

Instructors: Arvind Narayanan

### <span style="color:red">Week 1</span>
##### <span style="color:green">Cryptographic Hash Functions</span>
Hash function:
- takes any string as input
- fixed-size output
- efficiently computable

Properties:
- collision-free
- hiding
- puzzle-friendly

Collision-free:

Nobody can find $x,y$ such that $x\neq y$ and $H(x)=H(y)$.

Collisions do exist. No function has been proven to be collision-free.

So if we know $H(x)=H(y)$, it's safe to assume $x=y$. To recognize a file that we saw before, just remember its hash.

Hiding:

Given $H(x)$, it's infeasible to find $x$.

If $r$ is chosen from a probability distribution that has high min-entropy, then given $H(r|x)$, it is infeasible to find $x$. High min-entropy means that the distribution is very spread out, so that no particular value is chosen with more than negligible probability.

Puzzle-friendly:

For every possible output $y$, if $k$ is chosen from a distribution with high min-entropy, then it is infeasible to find $x$ such that $H(k|x)=y$.

Given $id$ from a high min-entropy distribution and a target set $Y$, try to find an $x$ such that $H(id|x)\in Y$. The puzzle-friendly property implies that no solving strategy is much better than trying random values of $x$.

Bitcoin uses the SHA-256 hash function.
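An added example (not from the course notes) of the hiding property as a commitment scheme: committing to a low-entropy message with a bare hash lets anyone recover it by enumeration, while prefixing a high min-entropy nonce $r$ as in $H(r|x)$ hides it until the committer opens it. Function names are my own.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def naive_commit(msg: bytes) -> bytes:
    # com = H(msg): hiding fails when msg comes from a small (low min-entropy) set
    return H(msg)

def commit(msg: bytes):
    # com = H(r || msg) with r a fresh 256-bit nonce (high min-entropy); r is the
    # opening key and stays secret until the committer chooses to reveal it
    r = os.urandom(32)
    return H(r + msg), r

def verify_opening(com: bytes, key: bytes, msg: bytes) -> bool:
    # Binding rests on collision-freeness: opening to a different msg' would need
    # H(key || msg) == H(key || msg'), i.e. a collision
    return H(key + msg) == com

def guess_committed_message(com: bytes, candidates, key: bytes = b""):
    # Enumerates a small candidate set: succeeds against naive_commit, and against
    # commit only once the nonce is supplied (which is just the legitimate opening)
    for m in candidates:
        if H(key + m) == com:
            return m
    return None
```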
##### <span style="color:green">Hash Pointers and Data Structures</span>
Hash pointer:
- pointer to where some info is stored
- (cryptographic) hash of the info

With a hash pointer, we can
- ask to get the info back
- verify that it hasn't changed

Linked list with hash pointers: Blockchain

Binary tree with hash pointers: Merkle Tree

$O(\log n)$ to prove membership in a Merkle tree.

$O(\log n)$ to prove non-membership in a sorted Merkle tree.

Hash pointers can be used in any pointer-based data structure that has no cycles.
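An added example (not from the course notes) of a Merkle tree over a list of transactions, with an $O(\log n)$ membership proof and its verifier. It follows Bitcoin's convention of pairing an odd last node with itself; the leaf/inner prefix bytes and all names are my own.

```python
import hashlib
from typing import List, Tuple

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_levels(items: List[bytes]) -> List[List[bytes]]:
    # Level 0: leaf hashes. Each higher level holds H(left || right) for consecutive
    # pairs, i.e. a pair of hash pointers to the children. An odd last node is paired
    # with itself (Bitcoin's convention). Leaves and inner nodes get different prefixes.
    if not items:
        raise ValueError("empty tree")
    levels = [[H(b"\x00" + item) for item in items]]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels.append([H(b"\x01" + cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def membership_proof(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    # One sibling hash per level from leaf to root: O(log n) entries. The flag says
    # whether the sibling sits to the left of the path node.
    proof = []
    for level in levels[:-1]:
        padded = level + ([level[-1]] if len(level) % 2 else [])
        sibling = index ^ 1
        proof.append((padded[sibling], sibling < index))
        index //= 2
    return proof

def verify_membership(root: bytes, item: bytes, proof: List[Tuple[bytes, bool]]) -> bool:
    # Recompute the path to the root; any change to item, proof or root breaks the match
    h = H(b"\x00" + item)
    for sibling, sibling_is_left in proof:
        h = H(b"\x01" + (sibling + h if sibling_is_left else h + sibling))
    return h == root
```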
##### <span style="color:green">Digital Signatures</span>
Properties of signatures:
- Only you can sign, but anyone can verify
- Tied to a document; can't be cut-and-pasted onto another document.

Digital signature APIs:

secret_key, public_key := generateKeys(size)

signature := sign(secret_key, message)

isValid := verify(public_key, message, signature)

An adversary who knows the public key and gets to see signatures on messages of his choice still can't produce a verifiable signature on another message.

Bitcoin uses the ECDSA (Elliptic Curve Digital Signature Algorithm) standard.
##### <span style="color:green">Goofycoin</span>
Goofy can create new coins. (A CreateCoin transaction signed by Goofy; anyone can verify it with his public key.)

A coin's owner can spend it. (A hash pointer to the transaction that gave the owner the coin, signed by the owner.)

The recipient can pass it on to someone else.
##### <span style="color:green">Scroogecoin</span>
Scrooge publishes a history of all transactions (a blockchain, signed by Scrooge).

CreateCoins transaction (with an ID) creates new coins.

Each coin has a coin id, value, and recipient.

PayCoins transaction consumes (destroys) some coins, and creates new coins of the same total value.

A PayCoins transaction is valid if
- consumed coins are valid
- coins have not already been consumed
- total value out equals total value in
- signed by owners of all consumed coins

Scroogecoin's coins are immutable: they can't be transferred, subdivided, or combined directly. Those effects are obtained with a PayCoins transaction that consumes coins and creates new ones of the same total value.
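An added example (not from the course notes) covering both the signature API above (generateKeys / sign / verify) and the four PayCoins validity rules. ECDSA is replaced by Lamport one-time signatures built from SHA-256 only, so it runs with the standard library; each secret key must sign only one message, so change should go to a fresh key. The ledger layout and message encoding are my own.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Signature API from the notes, instantiated with Lamport one-time signatures (SHA-256
# only) in place of ECDSA. Each secret key signs ONE message: receive change at a fresh key.
def generate_keys():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = tuple((H(a), H(b)) for a, b in sk)
    return sk, pk

def _bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def sign(sk, msg: bytes):          # reveal one preimage per bit of H(msg): bound to this message
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def tx_message(inputs, outputs) -> bytes:
    # canonical bytes the owners sign: consumed coin ids plus each new (value, recipient key)
    return repr(list(inputs)).encode() + b"".join(
        v.to_bytes(8, "big") + H(b"".join(a + b for a, b in pk)) for v, pk in outputs)

class Ledger:
    def __init__(self):
        self.unspent = {}       # coin id -> (value, owner public key)
        self.next_id = 0

    def create_coins(self, outputs):   # CreateCoins: only Scrooge issues these
        ids = list(range(self.next_id, self.next_id + len(outputs)))
        self.unspent.update(zip(ids, outputs))
        self.next_id += len(outputs)
        return ids

    def pay_coins(self, inputs, outputs, sigs):
        # PayCoins: returns the new coin ids, or None if any validity rule fails
        if len(set(inputs)) != len(inputs) or any(i not in self.unspent for i in inputs):
            return None                                  # unknown or already-consumed coin
        if sum(self.unspent[i][0] for i in inputs) != sum(v for v, _ in outputs):
            return None                                  # value out must equal value in
        msg = tx_message(inputs, outputs)
        if len(sigs) != len(inputs) or not all(verify(self.unspent[i][1], msg, s)
                                               for i, s in zip(inputs, sigs)):
            return None                                  # every consumed coin's owner must sign
        for i in inputs:
            del self.unspent[i]
        return self.create_coins(outputs)
```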

### <span style="color:red">Week 2</span>
##### <span style="color:green">Centralization vs. Decentralization</span>
Scroogecoin relies on centralization (Scrooge).

Decentralization is not all-or-nothing (E-mail: decentralized protocol, centralized web services).

Aspects of decentralization in Bitcoin
- Peer-to-Peer network: open to anyone, low barrier to entry.
- Mining: open to anyone, but inevitable concentration of power.
- Updates to software: core developers trusted by community, have great power.
##### <span style="color:green">Distributed Consensus</span>
Distributed consensus:
- The protocol terminates and all correct nodes decide on the same value.
- The value must have been proposed by some correct node.

Bitcoin is a peer-to-peer system.

To make a payment, the payer broadcasts the transaction to all Bitcoin nodes.

- All nodes have a sequence of blocks of transactions they've reached consensus on.
- Each node has a set of outstanding transactions it's heard about.

Bitcoin introduces incentives and embraces randomness.
##### <span style="color:green">Consensus without Identity: The Blockchain</span>
Nodes have no long-term identities.
- Identity is hard in a P2P system.
- Pseudonymity is a goal of Bitcoin.

Implicit consensus
1. In each round, a random node is picked.
2. This node proposes the next block in the chain.
3. Other nodes implicitly accept (extend it) / reject (ignore it and extend chain from earlier blocks) the block.
4. Every block contains hash of the block it extends.

Consensus algorithm:
1. New transactions are broadcast to all nodes.
2. Each node collects new transactions into a block.
3. In each round a random node gets to broadcast its block.
4. Other nodes accept the block only if all transactions in it are valid (no double-spending, valid signatures).
5. Nodes express their acceptance of the block by including its hash in the next block they create.

Honest nodes will extend the longest valid branch.

Double-spend probability decreases exponentially with the number of confirmations.

Most common heuristic in the Bitcoin community: 6 confirmations

Protection against double-spending is purely by consensus. You're never 100% sure a transaction is in the consensus branch; the guarantee is probabilistic.
##### <span style="color:green">Incentives and proof of work</span>
We can't penalize faulty nodes as they don't have identities. We can reward honest nodes.

Incentive 1: Block reward

Creator of block gets to
- include special coin-creation transaction in the block.
- choose recipient address of the transaction.

The block creator gets to collect the reward only if the block ends up on the long-term consensus branch.

There's a finite supply of bitcoins. (Total supply 21 million; the block reward runs out in 2140.)

Incentive 2: Transaction fee

Creator of transaction can choose to make output value less than input value. Remainder is a transaction fee and goes to block creator.

Proof of work: Select nodes in proportion to a resource that no one can monopolize.

Equivalent views of proof of work
- Select nodes in proportion to computing power.
- Nodes compete for right to create block.
- Moderately hard to create new identities.

Proof of work in Bitcoin: Hash puzzles

To create a block, find a nonce such that $H(\text{nonce} \,\|\, \text{prev\_hash} \,\|\, \text{tx} \,\|\, \dots \,\|\, \text{tx})$ is very small (below the current target).

Properties of proof of work:
1. difficult to compute (Only some nodes bother to compete - miners)
2. parameterizable cost (Nodes automatically re-calculate the target every two weeks).
3. trivial to verify (Nonce must be published as part of block).
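An added example (not from the course notes) of the hash puzzle above, which is also the search puzzle from Week 1 with $id$ = prev_hash plus the transactions: brute-force mining, one-hash verification, and target re-calculation. The tx encoding and names are my own; the factor-of-4 clamp in retarget is Bitcoin's real adjustment rule but is not stated in the notes.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def target_from_bits(leading_zero_bits: int) -> int:
    # Target = largest acceptable hash value; each extra zero bit doubles the expected work
    return 1 << (256 - leading_zero_bits)

def block_hash(nonce: int, prev_hash: bytes, txs) -> bytes:
    # H(nonce || prev_hash || tx || ... || tx), the puzzle from the notes
    return H(nonce.to_bytes(8, "big") + prev_hash + b"".join(H(tx) for tx in txs))

def verify_block(nonce: int, prev_hash: bytes, txs, target: int) -> bool:
    # Trivial to verify: one hash over the published nonce and block contents
    return int.from_bytes(block_hash(nonce, prev_hash, txs), "big") < target

def mine(prev_hash: bytes, txs, target: int):
    # Difficult to compute: puzzle-friendliness means nothing beats trying nonces in turn.
    # Returns (nonce, attempts); deterministic because nonces start at 0.
    nonce = 0
    while not verify_block(nonce, prev_hash, txs, target):
        nonce += 1
    return nonce, nonce + 1

def retarget(old_target: int, actual_seconds: int, expected_seconds: int) -> int:
    # Parameterizable cost: scale the target by how fast the last period was mined,
    # clamped to a factor of 4 per adjustment (Bitcoin's rule, assumed here).
    # A lower target means a harder puzzle.
    ratio = max(0.25, min(4.0, actual_seconds / expected_seconds))
    return min(int(old_target * ratio), 1 << 256)

if __name__ == "__main__":
    target = target_from_bits(16)
    prev = bytes(32)                                  # constructed: genesis has no predecessor
    txs = [b"alice->bob:4", b"bob->carol:1"]          # constructed sample transactions
    nonce, attempts = mine(prev, txs, target)
    print("nonce", nonce, "after", attempts, "attempts; valid:",
          verify_block(nonce, prev, txs, target))
```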

Key security assumption: Attacks infeasible if majority of miners weighted by hash power follow the protocol.