Mastering Bitcoin
Table of Contents
Introduction
Bitcoin represents the culmination of decades of research in cryptography and distributed systems and includes four key innovations:
1. A decentralized peer-to-peer network (the bitcoin protocol)
2. A public transaction ledger (the blockchain)
3. Independent transaction verification
4. A set of rules for currency issuance (consensus rules)
5. A mechanism for reaching global decentralized consensus on the valid blockchain (the proof-of-work algorithm)
As a developer, I see bitcoin as akin to the Internet of money, a network for propagating value and securing the ownership of digital assets via distributed computation. There is a lot more to bitcoin than first meets the eye. In this chapter we will introduce some of the main concepts and terms, get the necessary software, and use bitcoin for simple transactions. In the following chapters we will start unwrapping the layers of technology that make bitcoin possible and examine the inner workings of the bitcoin network and protocol.
How Bitcoin Works
- Miners produce a block roughly every 10 minutes, confirming all transactions (?), and receive a 25 BTC reward for it
The Bitcoin Client
- $ bitcoin-cli getaddressesbyaccount ""
- ... after confirmation, the txid is immutable and authoritative
- $ bitcoin-cli decoderawtransaction ... // vin/vout?
  - What does the asm field mean?
- Block height: the genesis block is at height 0
- scriptSig: the signature of the spending transaction (produced by signrawtransaction)
  - Paying yourself?
- sendrawtransaction: submits the transaction to the bitcoin network and returns a txid (and who generates that id?)
- Other Clients, Libraries and Toolkits
  - libbitcoin and the sx tools
  - pycoin
  - btcd (a Go implementation; it does not include a wallet, which is provided by btcwallet/btcgui)
Keys, Addresses, Wallets
- Private key: 256 bits, ~= 10^77 possible values (for comparison: the visible universe contains ~10^80 atoms)
  - dumpprivkey: Base58 checksum-encoded WIF
- Public key: K = k * G, ECC, G: generator point
  - ECC: the secp256k1 standard? (it actually explains ECC here, ugh)
- Bitcoin address: starts with "1"
- Public key --> SHA256 --> RIPEMD160 --> Base58Check?
- Base58: Base64 without 0, O, l, I, +, /
- Base58Check: checksum = SHA256(SHA256(prefix + data)), take the first 4 bytes
- On the "prefixes" of the different address types:
  - bitcoin address: 1
  - Pay-to-Script-Hash: 3
  - Bitcoin Testnet: m/n
  - Private Key WIF: 5/K/L
  - BIP38 encrypted private key: 6P
  - BIP32 extended public key: xpub
- Compressed public keys
  - Given x, y can be solved from y^2 mod p = (x^3 + 7) mod p
  - The uncompressed prefix is 04; compressed is 02 or 03 (y has two solutions, positive and negative; over the finite field mod p they are one even and one odd)
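As an added example (not code from the book or these notes), here is the 02/03 compression and the recovery of y from x described above, in Python; the only values assumed are the secp256k1 field prime p and, in the usage, the generator point G.

```python
# Added example, not code from the book or these notes: compressing a secp256k1
# public key and recovering y from x with the curve equation y^2 = x^3 + 7 (mod p).
P = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_FFFFFC2F  # secp256k1 field prime

def compress_pubkey(x: int, y: int) -> bytes:
    # prefix 02 when y is even, 03 when y is odd, followed by the 32-byte x coordinate
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")

def uncompressed_sec(x: int, y: int) -> bytes:
    # legacy 65-byte form: prefix 04, then x and y
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def decompress_pubkey(sec: bytes) -> tuple:
    """Parse a 33-byte compressed key and return (x, y); rejects malformed input."""
    if len(sec) != 33 or sec[0] not in (2, 3):
        raise ValueError("expected 33 bytes starting with 02 or 03")
    x = int.from_bytes(sec[1:], "big")
    if x >= P:
        raise ValueError("x is not a field element")
    rhs = (pow(x, 3, P) + 7) % P
    # p % 4 == 3, so if rhs is a square its root is rhs^((p+1)/4) mod p
    y = pow(rhs, (P + 1) // 4, P)
    if (y * y) % P != rhs:
        raise ValueError("x is not on the curve")      # not every x has a valid y
    # the two roots are y and p - y; p is odd, so exactly one of them is even
    if (y % 2 == 0) != (sec[0] == 2):
        y = P - y
    return x, y

if __name__ == "__main__":
    # generator point G of secp256k1, used here only as a known-good sample key
    GX = 0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798
    GY = 0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8
    sec = compress_pubkey(GX, GY)
    print(sec.hex(), decompress_pubkey(sec) == (GX, GY))
```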
  - Damn, not every client supports it yet? That says the original design was a bit rough
  - Ironically, a WIF-compressed private key is one byte longer than the uncompressed version, because it appends a 01 suffix
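As an added example (not code from the book or these notes), the Base58Check encoding, the version-prefix table and the WIF "01 suffix" effect from the items above, in Python; the decoder returns None on a checksum mismatch, which is what protects a user from paying to a mistyped address.

```python
# Added example, not code from the book or these notes: Base58Check and WIF.
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # no 0 O l I

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def base58_encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # each leading zero byte becomes a leading '1' (why version 0x00 addresses start with 1)
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out

def base58_decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)   # ValueError on a character outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body

def base58check_encode(prefix: bytes, payload: bytes) -> str:
    data = prefix + payload
    return base58_encode(data + dsha256(data)[:4])   # checksum = first 4 bytes of SHA256(SHA256(data))

def base58check_decode(s: str):
    """Return (prefix, payload), or None when the checksum does not match (typo / corruption)."""
    raw = base58_decode(s)
    data, checksum = raw[:-4], raw[-4:]
    if len(data) < 1 or dsha256(data)[:4] != checksum:
        return None
    return data[:1], data[1:]

def wif_encode(privkey: bytes, compressed: bool) -> str:
    """Mainnet WIF: prefix 0x80 gives a leading '5'; appending 0x01 (compressed
    public key flag) makes the result one byte longer and start with K or L."""
    suffix = b"\x01" if compressed else b""
    return base58check_encode(b"\x80", privkey + suffix)
```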
- Wallets: containers for private keys
  - First generation, Type-0 nondeterministic (private keys are generated at random, so in theory collisions are possible?)
  - Drawback: must be backed up frequently?
- Deterministic (seeded)
  - I get the feeling this kind is easier to trace? If the seed can be located, that is
- Mnemonic code words: represent a random seed, #see BIP0039
  - Only a draft proposal, not a standard
- Hierarchical deterministic wallets (BIP0032/0044)
  - Can be mapped onto an organizational structure???
- root seed --> HMAC-SHA512 --> master private key (m) and master chain code
- Deriving private child keys (CKD)
- Personally I think HD wallets are not really that secure; their security rests on nobody else knowing the parent key and on the irreversibility of the chain of hash computations
- Extended keys: can derive child keys
- A public child key can be derived directly from the public parent key, without the private key (? the extended public key includes the chain code)
- Risks:
  - A leaked child private key can derive all the other child private keys
  - A leaked child private key plus the parent chain code can derive the parent private key
- ==> Hardened CKD
  - Derive the child chain code from the parent private key rather than from the parent public key (relying on the irreversibility of the hash chain)
  - Drawbacks?
  - Best practice: derive all first-level children via hardened CKD?
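As an added example (not code from the book or these notes), the HMAC-SHA512 master-key step and hardened CKD from the items above, in Python; it assumes the BIP32 constants ("Bitcoin seed" as HMAC key, the secp256k1 group order n, index offset 2^31) and deliberately leaves out non-hardened derivation, which needs the parent public key.

```python
# Added example, not code from the book or these notes: BIP32 master key and
# hardened child key derivation (CKDpriv) with HMAC-SHA512.
import hashlib, hmac

N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141  # secp256k1 order
HARDENED = 0x80000000                     # indices >= 2^31 are hardened (written i')

def master_key_from_seed(seed: bytes):
    """root seed --> HMAC-SHA512(key="Bitcoin seed") --> (master private key m, master chain code)."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k, c = int.from_bytes(I[:32], "big"), I[32:]
    if k == 0 or k >= N:
        raise ValueError("invalid master key; use another seed")
    return k, c

def ckd_priv_hardened(k_par: int, c_par: bytes, index: int):
    """Hardened CKDpriv: the HMAC input is 0x00 || k_par || index, so the parent
    public key never enters the computation; a leaked child key plus the parent
    chain code therefore cannot be walked back to the parent key."""
    if index < HARDENED:
        raise ValueError("hardened derivation needs index >= 2^31")
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    I = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(I[:32], "big")
    k_child = (il + k_par) % N            # child key = IL + parent key (mod n)
    if il >= N or k_child == 0:
        raise ValueError("invalid child; skip this index")
    return k_child, I[32:]                # IR is the child chain code

def derive_hardened_path(seed: bytes, indices) -> tuple:
    """Derive m/i0'/i1'/... with every level hardened; returns (key, chain code)."""
    k, c = master_key_from_seed(seed)
    for i in indices:
        k, c = ckd_priv_hardened(k, c, i | HARDENED)
    return k, c

if __name__ == "__main__":
    # BIP32 test vector 1 seed (a published test value, not a real wallet seed)
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    k, c = derive_hardened_path(seed, [0])
    print("m/0' key:", hex(k), "chain code:", c.hex())
```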
- HD path notation (skipped)
- Advanced Keys and Addresses
  - Pay-to-Script-Hash (P2SH) and multi-sig addresses (BIP0016)
    - A P2SH address is created from a transaction script that defines who can spend a transaction output (a wallet with an owner?)
    - Note that paying to a P2SH address requires multiple parties!
  - Multi-signature addresses and P2SH: M-of-N
  - Vanity addresses (contain human-readable information)
    - Because of SHA256, finding such an address is not easy (it depends on the length of the pattern)
  - Paper wallets: private keys printed on paper?
    - Hardened by BIP0038
  - Once a payment is received, it can only be spent all at once or swept to a new paper wallet (this reminds me of today's gift cards)
Transactions
- Signed by the owner of the funds
- The sender's identity need not be authenticated (just forward it on, until a miner puts it in the blockchain)
- Data structure
  - Version?
  - inputs, outputs
  - locktime?
- UTXO (there is no concept of a balance; a bit like a "materialized view" in a database)
  - Not physical, not divisible; inputs equal outputs; "change"
  - Transactions consume UTXO by unlocking it with the signature of the current owner, and create UTXO by locking it to the bitcoin address of the new owner.
- coinbase transaction: the first transaction in a block, created by the miner who won the mining race and paid to himself
- Transaction outputs (UTXO):
  - An amount of bitcoin, denominated in satoshis (1/100000000 BTC)
  - A locking script that specifies who can accept this UTXO
  - ... requests.get('https://blockchain.info/unspent?active=%s' % address)
- Transaction inputs
  - In simple terms, transaction inputs are pointers to UTXO.
  - unlocking script: usually the owner's signature for their bitcoin address
- Transaction fees
  - Transaction fees are calculated based on the size of the transaction in kilobytes, not the value of the transaction in bitcoin.
  - Implicit
- Transaction chaining and orphan transactions
  - orphan transaction pool: temporarily holds child transactions that reference a parent that is not yet known
- Transaction scripts
  - Similar to Forth?
  - DUP CHECKSIG OP_CHECKMULTISIG ...
  - locking: scriptPubKey; unlocking: scriptSig
  - Originally they were executed in sequence, which had a security hole, ...
  - Now, executed separately with the stack transferred between the two executions
- The Script language:
  - Turing incompleteness: no loops, no complex flow control (only conditional branches)
  - Stateless (?)
- The 5 standard transaction types:
  - pay-to-public-key-hash (P2PKH)
  - public-key
  - multi-signature (limited to 15 keys)
  - pay-to-script-hash (P2SH)
    - (p. 132) 2 <Mohammed's Public Key> <Partner1 Public Key> <Partner2 Public Key> <Partner3 Public Key> <Attorney Public Key> 5 OP_CHECKMULTISIG
    - With P2SH payments, the complex locking script is replaced with its digital fingerprint, a cryptographic hash.
    - ==> redeem script (to save blockchain storage!)
    - Even if the redeem script might be invalid, the P2SH itself is still accepted (???)
    - Note: Script Hash is a bit like the "interest routing" I have been imagining
  - data output (OP_RETURN): used to prove that something existed as of a given date? Abuse??
    - This increases the burden on the other clients that store the blockchain... (though it could be used for private chains?)
    - Worse, using a fake 20-byte destination address to store information creates unspendable UTXO that bloat the nodes' memory pools...
    - OP_RETURN: creates a provably unspendable output, which adds to the size of the blockchain but does not bloat the memory pool (a compromise? version 0.9+)
    - 40 bytes: a 32-byte SHA256 plus a DOCPROOF prefix?
The Bitcoin Network
- Stratum gateway proxy?
- Network discovery
  - TCP port 8333?
  - BestHeight: the node's current blockchain height
- seed nodes
- Messages: inventory, getblocks, getdata
- SPV nodes (thin clients)
  - SPV nodes download only the block headers and do not download the transactions included in each block.
  - Request them from a peer only when needed?
  - The SPV node establishes the existence of a transaction in a block by requesting a merkle path proof and by validating the proof of work in the chain of blocks.
  - Check whether the block containing the transaction is referenced by 6 or more newer blocks, and whether the transaction in it is unspent?
  - Note that the transactions in question are generally those for bitcoin addresses already known to the SPV node's wallet
  - ==> Privacy risk! #see 'Bloom Filters'
  - Can prove existence, but cannot verify the unspent status ==> double-spending attack
  - Connect randomly to several other nodes? Expecting at least one of them to be honest
    - ==> SPV nodes also are vulnerable to network partitioning attacks or Sybil attacks
  - getheaders message
- Bloom filters (this reminds me of zero-knowledge proofs in cryptography)
  - offer an efficient way to express a search pattern while protecting privacy.
  - filterload message
    - interactive filteradd
- Transaction pools
- Alert messages
The Blockchain
- A linked-back list
  - "previous block hash" (the essence of the blockchain concept)
- Metadata in LevelDB
- Although a block has just one parent, it can temporarily have multiple children. (Fork)
  - when different blocks are discovered almost simultaneously by different miners
- 80-byte block header
  - The second set of metadata, namely the difficulty, timestamp, and nonce (the mining competition)
  - Merkle tree root
- Block identifiers: block header hash (double SHA256) and block height
  - e.g. the hash of the first block header: 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f
- The genesis block
- Linking blocks in the blockchain
  - check the new block's previousblockhash field
- Merkle trees
  - double-SHA256
  - Technical detail: with an odd number of transactions, the last one is duplicated!
  - ? Proving that a transaction is in a given block (how, with only the root hash? by retrieving a small merkle path?)
- Merkle trees and SPV
  - the peer's merkleblock message (contains the header of the block the transaction is in, plus the merkle path); oh, verification requires "computing"!
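As an added example (not code from the book or these notes), the merkle root construction above, with double-SHA256 and odd-leaf duplication, plus the path proof an SPV node recomputes from a merkleblock message, in Python; the three txids are constructed sample values and hashes are handled in internal byte order.

```python
# Added example, not code from the book or these notes: bitcoin-style merkle
# root and the merkle-path proof an SPV node verifies against the block header.
import hashlib

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def _next_level(level: list) -> list:
    if len(level) % 2 == 1:
        level = level + [level[-1]]       # odd count: duplicate the last hash
    return [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(txids: list) -> bytes:
    if not txids:
        raise ValueError("a block has at least the coinbase transaction")
    level = list(txids)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]                       # a single transaction is its own root

def merkle_path(txids: list, index: int) -> list:
    """Sibling hashes from leaf to root as (sibling, sibling_is_left) pairs."""
    path, level = [], list(txids)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        level, index = _next_level(level), index // 2
    return path

def verify_merkle_path(txid: bytes, path: list, root: bytes) -> bool:
    """What the SPV node computes: hash up the path, compare with the header's root.
    This proves inclusion only; it says nothing about whether the output is unspent."""
    h = txid
    for sibling, sibling_is_left in path:
        h = dsha256(sibling + h) if sibling_is_left else dsha256(h + sibling)
    return h == root

# constructed sample: three fake txids standing in for a block's transactions
SAMPLE_TXIDS = [hashlib.sha256(bytes([i])).digest() for i in range(3)]

if __name__ == "__main__":
    root = merkle_root(SAMPLE_TXIDS)
    print(root.hex(), verify_merkle_path(SAMPLE_TXIDS[2], merkle_path(SAMPLE_TXIDS, 2), root))
```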
Mining and Consensus
- miner: builds a candidate block
- Transaction priority: age, fees (size)
  - High priority: > 57600000
  - The initial 50 KB of transaction space, regardless of fee? (note the miner already gets a 25 BTC reward for mining the block)
- Note: the blockchain confirmation process has some similarity to database WAL logging
- generation/coinbase transaction: consumes no UTXO, creates bitcoin from nothing
  - output value = 25 BTC + the fees of all transactions in the block
  - Reward calculation: initially 50 BTC, halving every 210000 blocks; currently 25 BTC, but at some point in 2016 it becomes 12.5 BTC
  - input: 32-byte Transaction Hash = 0 (not a UTXO reference), 4-byte Output Index = -1, 2~100-byte Coinbase Data (free for the miner to use), 4-byte Sequence Number = -1
  - BIP0034: version-2 blocks MUST contain the height index as a script "push"
  - Taking #277316 as an example: 03 (push) - 443b04 (little-endian height index) - 03858402062 (extra nonce) - 2f503253482f ('/P2SH/', #BIP0016)
    - BIP0017: 'p2sh/CHV'
- Building the block header
  - 4-byte Version
  - 32-byte Prev Block Hash
  - 32-byte Merkle Root
  - 4-byte Timestamp
  - 4-byte Difficulty Target (mantissa-exponent encoding?)
    - Taking #277316 as an example, 0x1903a30c: 19 is the exponent, 3a30c the coefficient
    - target = coefficient * 2 ^ (8 * (exponent - 3)), roughly equivalent to a prefix of 60 zero bits
  - 4-byte Nonce (the counter for the Proof-of-Work algorithm)
- Once the header is built, "mining" can begin: search for a nonce value (at most 2^32 attempts) such that the header hash < difficulty target (?)
- Proof-of-Work algorithm
  - First explains the properties of SHA256...
  - Lowering the target (meaning more leading zeros are required in the SHA256 output) increases the difficulty
  - Note: so the so-called bitcoin mining ASICs are just hardware implementations of SHA256?
  - ... fortunately, the processing power of the whole network is 100 petahashes per second (PH/sec)
- Difficulty retargeting
  - The network must ensure a block is produced every 10 minutes, no more, no less?
  - Automatically, every 2016 blocks:
    - measure the time taken to produce the last 2016 blocks, compare it against 20160 minutes, and use the ratio to adjust the difficulty
  - Ah, how marvellous
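As an added example (not code from the book or these notes), the pieces of the mining procedure above in Python: decoding the 4-byte "bits" field (0x1903a30c), the nonce search against the target, the BIP0034 height push from the #277316 coinbase, and the 2016-block retarget; the clamp of each retarget to a factor of 4 is bitcoin's real rule but is assumed here since the notes do not mention it, and the mining input is a constructed dummy header.

```python
# Added example, not code from the book or these notes: the "bits" target
# encoding, the nonce search, the coinbase height push and the retarget rule.
import hashlib

def bits_to_target(bits: int) -> int:
    """target = coefficient * 2^(8 * (exponent - 3)); 0x1903a30c -> 0x03a30c << 176."""
    exponent, coefficient = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return coefficient >> (8 * (3 - exponent))
    return coefficient << (8 * (exponent - 3))

def leading_zero_bits(target: int) -> int:
    return 256 - target.bit_length()      # 62 for 0x1903a30c, "roughly 60"

def header_hash(header80: bytes) -> int:
    # double SHA256, read as a little-endian integer (the displayed hex is byte-reversed)
    digest = hashlib.sha256(hashlib.sha256(header80).digest()).digest()
    return int.from_bytes(digest, "little")

def meets_target(header80: bytes, bits: int) -> bool:
    return header_hash(header80) < bits_to_target(bits)

def mine(header76: bytes, bits: int, max_tries: int = 1 << 32):
    """Append a 4-byte little-endian nonce and search until the hash is below target."""
    for nonce in range(max_tries):
        if meets_target(header76 + nonce.to_bytes(4, "little"), bits):
            return nonce
    return None   # nonce space exhausted: change the timestamp or the extra nonce

def coinbase_height(coinbase_script: bytes) -> int:
    """BIP34: the script opens with a short push of the little-endian height (03 443b04)."""
    n = coinbase_script[0]
    if not 1 <= n <= 8 or len(coinbase_script) < 1 + n:
        raise ValueError("not a BIP34 height push")
    return int.from_bytes(coinbase_script[1:1 + n], "little")

def retarget(old_target: int, actual_minutes: int, max_target: int) -> int:
    """Every 2016 blocks: scale the target by actual/expected time. Bitcoin clamps
    the measured span to [1/4, 4] of the expected 20160 minutes (assumed here)."""
    expected = 2016 * 10                       # 20160 minutes
    span = max(expected // 4, min(expected * 4, actual_minutes))
    return min(old_target * span // expected, max_target)

MAX_TARGET = bits_to_target(0x1D00FFFF)        # mainnet difficulty-1 target

if __name__ == "__main__":
    print(hex(bits_to_target(0x1903A30C)), coinbase_height(bytes.fromhex("03443b04")))
    print("easy-target nonce:", mine(bytes(76), 0x2000FFFF, 1 << 20))   # dummy 76-byte header
```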
- Validating a new block
  - CheckBlock (compare CheckInputs, earlier, for transactions)
- main chain: the one with the highest cumulative difficulty, which in most cases is also the chain with the most blocks
  - A branch chain can be kept temporarily, in case its cumulative difficulty later exceeds the main chain's
- orphan block
- The eventual network-wide consensus
  - ? Mining nodes "vote" with their power by choosing which chain to extend (feels like this might be a hole, since it involves the consistency/election problem of distributed systems...)
- Blockchain forks
  - Forks are almost always resolved within one block.
  - (Theoretically possible) a fork extending to 2 blocks, but the probability is very small!
- Extra nonce
  - Went through every nonce without finding one? Increment the timestamp! ==> use the extra space in the coinbase transaction
- Mining pools: technically this means partitioning the nonce search space?
  - set an easier target?
- Managed pools
- P2Pool: share chain (a blockchain with a lower difficulty than bitcoin's)?
- The 51% attack problem
- Consensus attacks
  - Can only affect the most recent blocks, causing DoS disruption of the creation of future blocks
  - A 51% attack allows a double-spend in the new chain...
  - To prevent this, large payments must wait for at least 6 confirmations
  - DoS attack on specific transactions (simply ignore those transactions)
Alternative Chains, Currencies and Applications
- Meta coins: implemented on top of bitcoin
- Colored coins: also serve as tokens for other assets (shares?)
- Mastercoin: ?
  - the "exodus" address (1EXoDusjGwvnjZUyKkxZ4UHEf77z6A5S4P)
- Counterparty: both use OP_RETURN to encode metadata?
- Alt coins: customized modifications of the bitcoin source code
  - IXCoin: lowered the difficulty and raised the reward to 96 BTC?
  - Tenebrix: a different PoW algorithm, scrypt, memory-hard to resist GPU/ASIC mining? The basis of Litecoin
  - Litecoin: faster block generation time: 10m -> 2.5m
    - touted as "silver to bitcoin's gold"
  - lol: Creating an alt coin is easy, which is why there are now more than 500 of them
- Evaluating an alt coin
- Monetary parameter alternatives: Litecoin, Dogecoin, Freicoin
  - Litecoin
    - Consensus algorithm: Scrypt proof of work
  - Dogecoin: a modified version of Litecoin
    - Block generation time: 60 s? Damn
  - Freicoin: a demurrage currency; encourages spending and discourages hoarding? Inflation??
- Consensus innovation: Peercoin, Myriad, Blackcoin, Vericoin, NXT
  - Proof of stake is a system by which existing owners of a currency can "stake" currency as interest-bearing collateral. (Earning interest on deposits??? lol)
  - Peercoin
  - Myriad: uses 5 different PoWs at once: SHA256d, Scrypt, Qubit, Skein, or Myriad-Groestl (crazy; is that really necessary?)
    - Resisting ASIC mining???
  - Blackcoin: introducing "multipools"
  - VeriCoin: a variable interest rate???
  - NXT: a separate implementation, not a bitcoin fork; a 2.0 cryptocurrency?
- Dual-purpose mining innovation: Primecoin, Curecoin, Gridcoin
  - Bitcoin's PoW is criticized as "wasteful"??
  - Primecoin
    - PoW: computing Cunningham and bi-twin prime chains?
  - Curecoin
    - PoW: protein-folding research through the Folding@Home project
  - Gridcoin: proof-of-work with BOINC grid computing subsidy
- Anonymity-focused alt coins:
  - Zerocash/Zerocoin: theoretical research, not released yet
  - CryptoNote
    - has a built-in periodic reset mechanism that makes it unusable as a currency itself?
  - Bytecoin (BCN)
  - Monero
  - Darkcoin
    - uses 11 rounds of different hash functions: blake, bmw, groestl, jh, keccak, skein, luffa, cubehash, shavite, simd, echo
- Noncurrency alt chains
  - Namecoin
    - namespaces: d/ for .bit domains, id/ for PGP, u/
    - Namecoin registrations need to be updated every 36,000 blocks; no fee for the renewal?
  - Bitmessage: a server-less encrypted email system
  - Ethereum
    - a Turing-complete contract processing and execution platform based on a blockchain ledger
    - "Turing-complete" contracts, what the hell
    - A completely independent design/implementation?
    - contracts: run on every node, acting as decentralized autonomous software agents
    - Namecoin could be implemented on Ethereum?
Security
- decentralization
- User security best practices
  - ? Holding bitcoin on a computer serves to focus the user's mind on the need for improved computer security.
- Physical bitcoin storage
- Hardware wallets: encrypted storage of bitcoin keys is too complicated, and then the master key ends up getting lost anyway.... idiots
- Diversifying risk
- Multi-sig and governance
- Survivability