# Blockchain: answers to exam questions [ufora]
**Explain how tampering with a transaction’s data in an old block in the bitcoin blockchain (e.g., claiming that a transaction was different from what it actually was) results in observable changes in data throughout the chain?**

The transactions of a block are hashed into a Merkle tree. This Merkle root is then included in the block header, together with the hash of the header of the previous block in the chain.
The only way this block can be included in the blockchain is that a miner found a correct nonce that makes Hash(blockheader) <= difficulty.
If someone tampers with a transaction included in this block, the Merkle root will be different, so the block header will also be different. This means that the solution of the puzzle Hash(blockheader) <= difficulty is no longer correct.
Moreover, the hash of this block header is included in the header of the next block, so that puzzle will also be incorrect, and the same happens for all following blocks.
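Added example (not from the notes): a toy chain with Merkle roots, previous-header links and a small proof-of-work target, showing that editing an old transaction breaks that block's proof of work and that re-mining it only moves the break to the next block; the target, transactions and 4-byte nonce layout are constructed for the illustration.

```python
import hashlib

def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin uses for headers and transactions."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_root(txs):
    """Hash transactions pairwise up to one root; an odd level repeats its last hash."""
    level = [sha256d(tx) for tx in txs]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def header(prev_hash, root, nonce):
    return prev_hash + root + nonce.to_bytes(4, "little")

def header_hash(block):
    return sha256d(header(block["prev"], merkle_root(block["txs"]), block["nonce"]))

def mine(prev_hash, txs, target):
    """Find a nonce with Hash(blockheader) <= target (toy difficulty, no coinbase nonce)."""
    root = merkle_root(txs)
    for nonce in range(2 ** 32):
        if int.from_bytes(sha256d(header(prev_hash, root, nonce)), "big") <= target:
            return {"prev": prev_hash, "txs": list(txs), "nonce": nonce}
    raise RuntimeError("nonce space exhausted")

def first_invalid_block(chain, target):
    """Index of the first block whose previous-hash link or proof of work is broken, else -1."""
    prev = b"\x00" * 32
    for i, block in enumerate(chain):
        h = header_hash(block)  # recomputes the Merkle root, so edited transactions show up here
        if block["prev"] != prev or int.from_bytes(h, "big") > target:
            return i
        prev = h
    return -1

TARGET = 1 << 244  # constructed toy target: about one header in 4096 qualifies

def build_chain():
    """Constructed three-block chain with made-up transactions."""
    chain, prev = [], b"\x00" * 32
    for txs in ([b"coinbase1", b"alice->bob 5"], [b"coinbase2", b"bob->carol 2"], [b"coinbase3"]):
        block = mine(prev, txs, TARGET)
        chain.append(block)
        prev = header_hash(block)
    return chain
```

Editing `chain[0]["txs"]` makes `first_invalid_block` report block 0; re-mining block 0 only moves the break to block 1, whose stored previous hash no longer matches.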
**Explain how the difficulty of bitcoin puzzles is determined?**
The puzzle: Hash(prevBlockHash | merkleRoot | nonce | ...) < *target_value*
This puzzle becomes more difficult when *target_value* is smaller.
In the code of each miner: *target_value* = (0xffff << 208) / difficulty
with difficulty *= 1209600 / mining time (s) of the previous 2016 blocks
1209600 = 2 weeks in seconds
This means that the difficulty should ensure that approximately 1 new block is mined every 10 minutes. This clearly depends on the available hash power.
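Added example (not from the notes): the target and retarget formulas above in exact arithmetic, plus a constructed scenario where hash power changes between 2016-block periods. It also includes the factor-4 limit per adjustment that Bitcoin's reference client applies, which the notes do not mention; `clamp=False` gives the bare formula.

```python
from fractions import Fraction

MAX_TARGET = 0xffff << 208    # target_value at difficulty 1, as in the notes
EXPECTED_SECONDS = 1209600    # 2 weeks: 2016 blocks at one block every 10 minutes

def target_from_difficulty(difficulty):
    """target_value = (0xffff << 208) / difficulty, computed exactly."""
    return int(MAX_TARGET / Fraction(difficulty))

def retarget(difficulty, actual_seconds, clamp=True):
    """difficulty *= 1209600 / time the previous 2016 blocks took.
    Bitcoin's reference client also limits one step to a factor of 4 either way
    (known behaviour, not in the notes); clamp=False gives the notes' bare formula."""
    ratio = Fraction(EXPECTED_SECONDS, actual_seconds)
    if clamp:
        ratio = max(Fraction(1, 4), min(Fraction(4), ratio))
    return Fraction(difficulty) * ratio

def meets_target(header_hash: bytes, difficulty) -> bool:
    """The puzzle: the header hash as a big-endian integer must be <= target_value."""
    return int.from_bytes(header_hash, "big") <= target_from_difficulty(difficulty)

def simulate(difficulty, hashpower_per_period):
    """Constructed scenario: hash power (relative to the amount that mines 2016 blocks
    in 2 weeks at difficulty 1) changes between retarget periods."""
    history = []
    for hashpower in hashpower_per_period:
        seconds = EXPECTED_SECONDS * Fraction(difficulty) / Fraction(hashpower)
        history.append((Fraction(difficulty), seconds))
        difficulty = retarget(difficulty, seconds)
    return history
```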
**Explain the role of the coinbase nonce in the bitcoin mining code**

If this coinbase_nonce were not used, there would be only MAX_INT = 2^32 attempts to find a solution to the puzzle, which is likely not enough.
Therefore the coinbase_nonce is also added in the header to give many more possibilities: 2^32 * 2^32 combinations,
assuming 32-bit integers.
**Explain how UTXO works?**
UTXO = Unspent Transaction Output
Bitcoin doesn't use accounts that accumulate money; instead it accumulates transaction results.
<span style="background-color: #FF0000">TODO: more in depth explanation</span>
Those results can be spent again, yielding new transaction results. This principle is called
"unspent transaction output" or UTXO. We can ensure that only received money is being spent by using a
signature and including pre-existing transaction results. If in-transactions have more value than the amount
to be spent in some transaction, the remainder is transferred to the owner as additional out-transaction
result, so it can be spent in future transactions.
**Explain how micro-payments can be implemented in Bitcoin without needing one transaction per payment**
Example: Alice wants to make a call and needs to pay Bob per minute of calling.
1. Alice pays the maximum amount of call minutes to an ==escrow== party with a transaction that can only be unlocked by a ==2-2 multisignature script==.
2. Bob sends a refund transaction with a lock_time parameter.
3. After 1 min of calling, Alice signs a 2-2 multisignature transaction that passes a small amount of money from the escrow to Bob and returns the rest to herself. She DOESN'T PUBLISH this transaction but sends it to Bob together with her signature.
4. Bob receives this transaction and has 2 options:
- sign the transaction, publish it and get the small amount of money for 1 minute of calling; but if Alice keeps calling longer, Bob will not be able to get that money
- wait for the similar next transactions.
- if Bob never receives a transaction, he loses the small amount of money for 1 min of calling but can stop Alice from calling
Steps 3 and 4 are repeated, but the second time with the value of 2 min of calling, and so on.
5. When Alice stops calling, she sends a transaction that passes the total amount of money for the call to Bob and returns the rest to herself. She also mentions that this is the last message.
6. Bob receives this message, signs it and publishes it => he gets the money and the rest is returned to Alice.
**Explain how miners express their votes for any of forked chains in Bitcoin**
By including the hash of the block header of the last block of one of the chains in the next block the miner creates.
The longest chain is "true".
**Explain how the choice for the next voter is randomized in Bitcoin**
The first node that solves the cryptographic puzzle gets the reward and the transaction fees. This is not really random, because a miner has a higher chance to solve the puzzle if he/she has more hash power (better hardware).
**Explain how an eclipse attack works in Bitcoin**
eclipse attack = prevent 1 participant from being well connected
Attackers set up malicious nodes, which is easy by design of Bitcoin. These nodes send their addresses to the targeted node.
This way the targeted node is only connected to malicious nodes. The malicious nodes can fake all traffic = "eclipse the true network".
The best way is to combine this attack with other attacks, for example with selfish mining: the selfish miner sends his unpublished chain to the targeted node(s), and they will mine for the selfish miner, which makes him/her more powerful.
**Explain how soft forks are different from hard forks in Bitcoin, and what the pros and cons are of
each form**

Hard forks will soon result in a longest chain that contains blocks considered invalid by not-yet-upgraded nodes, which will keep building on older blocks that are valid in their eyes. So the chain will effectively fork.
**What are hierarchical wallets**

Bitcoin: public key g^y with y = private key
=> public address generation info (k, g^y) ==> g^{x_i}
=> private address generation info (k, y) ==> x_i = y + H(k|i)
:warning: public keys should be non-linkable
**Briefly summarize a scheme to create enough entropy for a brain wallet**
randomly select 6 words from 10.000 most common words
=> 6 * log2(10.000) ~ 80 bits of entropy
**What is key stretching?**
Use of a deliberately slow key derivation algorithm.
Example: hash the input x times, possibly with different hash algorithms.
This is used to slow down guessing attacks.
**Explain how 2-out-of-N key sharing works.**
The purpose is to split the original key into N shares such that any 2 shares suffice to reconstruct the key, but it is impossible with only 1 share.
A way to do this: the key is the point where the line crosses the y axis, coordinate (0, Key). We make N shares by taking points on a straight line through (0, Key): (i, Key + i*R). If you have 2 points on this line, you can reconstruct the line and therefore the original key.
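Added example (not from the notes): the line-based 2-out-of-N scheme above, but with all arithmetic modulo a prime (the 2-of-N case of Shamir's secret sharing) rather than over plain integers; the modulus and key are constructed. Over a prime field `slope_explaining` shows that a single share is consistent with every possible key, which is what "impossible with 1 share" means.

```python
import secrets

# Constructed field modulus: a Mersenne prime; keys must be smaller than it.
FIELD = 2 ** 127 - 1

def make_shares(key, n):
    """Points (i, key + i*R) on a random line through (0, key); any 2 of them recover the key."""
    r = secrets.randbelow(FIELD)
    return [(i, (key + i * r) % FIELD) for i in range(1, n + 1)]

def reconstruct(share_a, share_b):
    """Recover the line from two points and evaluate it at x = 0."""
    (x1, y1), (x2, y2) = share_a, share_b
    slope = (y2 - y1) * pow(x2 - x1, -1, FIELD) % FIELD  # modular inverse (Python 3.8+)
    return (y1 - slope * x1) % FIELD

def slope_explaining(share, guessed_key):
    """For any guess of the key there is a slope R that makes one share consistent with it,
    so one share alone gives no information about the key."""
    x, y = share
    return (y - guessed_key) * pow(x, -1, FIELD) % FIELD
```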
**What risks (similar to those of banks) do exchanges come with?**
1. bank run due to limited fractional reserve
2. owners might be crooks running a Ponzi scheme
3. security might be lacking to prevent attacks from insiders or outsiders
**How does a proof of fractional reserve work for an exchange?**
TODO
Bitcoin exchanges need to prove that they have some fractional reserve. Proof that the
fractional reserve is above some percentage requires two parts:
1. Proof of reserve
* Company publishes a valid payment-to-self blockchain transaction.
* The company signs a challenge string (random string provided by trusted third party) with the same private key.
* This provides an underclaim of the fractional reserve
2. Proof of liabilities
* The company publishes and signs the root of a Merkle tree
* The leaf nodes are the users, those nodes hold the deposit amount as an extra attribute.
* Non-leaf nodes hold the sum of values of the children.
* Clients individually ask the company for proof of their individual correct inclusion and check this proof.
* This provides an over-claim of liabilities
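Added example (not from the notes or any exchange's code): the proof-of-liabilities tree described above, with each internal node committing to the sum of its children, plus the client-side inclusion check. Account names and balances are constructed. The check also rejects negative sibling balances, a known weakness of this construction that the notes do not mention: without it an exchange could insert negative leaves to shrink the published total.

```python
import hashlib

def leaf(user, balance):
    """Leaf node: the hash commits to the user and to the balance stored beside it."""
    digest = hashlib.sha256(f"{user}:{balance}".encode()).digest()
    return (digest, balance)

def parent(left, right):
    """Internal node: the children's sum is hashed in, so it cannot be changed unnoticed."""
    total = left[1] + right[1]
    digest = hashlib.sha256(left[0] + right[0] + total.to_bytes(16, "big", signed=True)).digest()
    return (digest, total)

def build_tree(accounts):
    """All levels, leaves first; an odd level is padded with an empty zero-balance leaf."""
    level = [leaf(user, balance) for user, balance in accounts]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level.append(leaf("", 0))
        level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def inclusion_proof(levels, index):
    """Sibling nodes on the path from leaf `index` to the root, with the side the leaf is on."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index % 2 == 1))
        index //= 2
    return path

def verify(user, balance, path, root):
    """Client-side check: recompute the signed root from my own leaf and the given siblings."""
    node = leaf(user, balance)
    for sibling, i_am_right in path:
        if sibling[1] < 0:  # negative balances would let the exchange under-state liabilities
            return False
        node = parent(sibling, node) if i_am_right else parent(node, sibling)
    return node == root
```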
**How are the transactions fees specified in a Bitcoin transaction?**
The initiator of a transaction chooses a fee amount. This amount determines how fast the transaction will be included in a block by a miner => higher fee = higher chance.
Rules of thumb (not specified by the protocol):
* no fee <=> transaction size < 1000, all outputs >= 0.01 BTC and priority large enough
* fee per byte => fluctuates
**What are unlocking and locking scripts in Bitcoin?**
TODO
The unlocking and locking scripts are written in Bitcoin Scripting Language (BSL). This is a simple, non-Turing-complete stack-based language that supports the relevant cryptographic operations.
A transaction's use of an input is validated by first running the unlocking script, then running the locking script on top of it, and then checking the result.
The unlocking script contains two values, which are simply pushed onto the stack (signature and public key).
After the unlocking script, the locking script is executed.
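Added example (not from the notes or from Bitcoin's interpreter): a toy stack evaluator for the pay-to-public-key-hash pattern, running the unlocking script and then the locking script on one stack. `hash160` and `mock_sign` are constructed stand-ins for HASH160 and ECDSA; the mock signature can be forged by anyone and only serves to show the evaluation flow.

```python
import hashlib

def hash160(data: bytes) -> bytes:
    """Stand-in for Bitcoin's HASH160 (RIPEMD-160 of SHA-256): truncated SHA-256 here."""
    return hashlib.sha256(data).digest()[:20]

def mock_sign(pubkey: bytes, message: bytes) -> bytes:
    """Constructed stand-in for a signature over the spending transaction (not secure)."""
    return hashlib.sha256(b"sig|" + pubkey + b"|" + message).digest()

def run(script, stack, message):
    """Execute one script on a shared stack; returns False if a VERIFY opcode fails."""
    for item in script:
        if item == "OP_DUP":
            stack.append(stack[-1])
        elif item == "OP_HASH160":
            stack.append(hash160(stack.pop()))
        elif item == "OP_EQUALVERIFY":
            if stack.pop() != stack.pop():
                return False
        elif item == "OP_CHECKSIG":
            pubkey, signature = stack.pop(), stack.pop()
            stack.append(signature == mock_sign(pubkey, message))
        else:
            stack.append(item)  # data push (signature or public key bytes)
    return True

def validate_input(unlocking, locking, message):
    """Unlocking script first, then the locking script on the same stack;
    the input is valid only if the top of the stack is true afterwards."""
    stack = []
    try:
        if not run(unlocking, stack, message) or not run(locking, stack, message):
            return False
    except IndexError:  # a script popped from an empty stack
        return False
    return bool(stack) and stack[-1] is True

def p2pkh_locking(pubkey):
    """Pay-to-public-key-hash locking script for the given key."""
    return ["OP_DUP", "OP_HASH160", hash160(pubkey), "OP_EQUALVERIFY", "OP_CHECKSIG"]
```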
**Does the difficulty of Bitcoin mining increase monotonically? Why (not)?**
No. Difficulty follows the available hash power (more hash power = higher difficulty), so it can also decrease.
General trend: more/better hardware => difficulty increases.
**At some point in time, does everyone in Bitcoin mining try to solve the same puzzle? Provide as many as possible reasons why multiple miners might be solving the same or different puzzles.**
No, miners solve different puzzles because:
1. include different transactions in block to maximize profit
2. transactions received in different order => different Merkle root
3. use of own address in coinbase
**Compare pay-per-share to proportional pool mining. What are their issues or advantages? Do you know alternatives?**
pay-per-share = flat fee for each share => miners get paid whenever they deliver a share. The pool manager absorbs all the risk. Miners have no incentive to send valid blocks to the manager.
proportional payment = when the pool mines a valid block, the income is distributed. Miners bear some risk: the variance in income drops with increasing pool size. The problem is pool hopping.
**Briefly explain the differences between the three types of censorship attacks**
1. denylisting = blocklisting => exclude specific addresses from blocks you are mining
2. punitive forking => announce that you will not include blocks with transactions to certain address
3. feather forking => announce that if a denylisted transaction has K-confirmation, you will accept it
**What is pool cannibalization? Explain why this may work.**
Suppose an attacker has, for example, 30% of the hash power in his pool, and now invests in 1% extra hardware to mine faster.
He can use this investment in his own pool, which will likely result in an outcome of 0.31/1.01.
Pool cannibalization means that the attacker instead uses this 1% to participate in another pool and mine there, but withholds the valid blocks he finds in that pool.
His outcome is then 0.3/1.0 + 0.7/1.0 * 0.01/0.71 (= fraction of shares sent in by the attacker).
This is more than using the new hardware in his own pool.
**What is Uniform Tie Breaking? What is it used for/against?**
It is a proposed defense against selfish mining:
miners wait for some time window and collect all new blocks received in this window. From this collection, a random block is chosen.
A selfish miner can then not send in his whole private chain at once.
:warning: if the attacker has more than 40% of the hash power, no tie-breaking method will work
**What is transaction graph analysis? What techniques and heuristics are used for clustering?**
Transaction graph analysis is used for de-anonymization.
It extracts useful information from the blockchain history by exploiting links between transaction inputs, change addresses, idioms of use, real-world knowledge, tagging by transacting, and transitivity.
This graph can then be used to form clusters that link addresses to some identity.
Clustering:
- merge inputs
- change addresses: how to find the change? The smallest output, or look at the unspent outputs used as inputs in this transaction and the other unspent outputs at the same address
**What is plausible deniability? In what contexts does it matter?**
It is important when you use mixing = use an intermediary that mixes coins from identities to increase anonymity.
Plausible deniability means that the transaction history should not reveal the fact that you are mixing the money.
**What is CoinJoin?**
It is an example of a decentralized mixing protocol.
It mixes coins from multiple entities in a single n-of-n multisignature transaction.
Pros, contras not discussed
**Order the following concepts from least to most anonymous. Zcash, Bitcoin, DASH, centralized mixers, altcoin exchange, decentralized mixing protocols, Monero. What additional techniques should a user of cryptocurrencies use to increase their anonymity?**
Bitcoin < centralized mixers < decentralized mixing protocols < altcoin exchange < DASH < Monero < Zcash
Additional techniques:
- use Tor or a VPN for network anonymity
- throwaway exchange accounts
- multiple exchanges
**How does Ethereum’s protocol differ from Bitcoin UTXO?**
Ethereum is account based => ether owners have the private keys of an account with a public address and a balance.
This allows for space saving and eases the development of smart contracts.
UTXO is used in Bitcoin to easily detect double spending.
**What types of accounts does Ethereum have? How do they operate, what is their goal?**
1. EOA = Externally Owned Accounts: public address and balance
owners can initiate transactions: money to EOA, invoke smart contracts functions on contract account
2. contract account: public address, balance, associated contract code and persistent storage of data
functions invoked on receiving transactions
**What are the four main purposes of a smart contract?**
1. store and maintain data
2. manage contracts and relationships between untrusted accounts
3. provide functions to other contracts
4. perform complex authentication
**How does Ethereum solve the halting problem? Why is this problem relevant (i.e., what feature does the solution help to provide)?**
Halting problem => what if an invocation of a contract does not terminate within a limited amount of time?
This problem is solved by including an amount of gas and the price of gas in each transaction. If more gas is consumed than the limit, an out-of-gas error happens and the state is rolled back.
This provides deterministic execution of contracts and prevents DoS attacks.
**What is the link between insurance and prediction markets? How do smart contracts play a role in that application?**
It's both gambling. TODO
**What questions should a potential user of blockchain/smart contract technology ask to decide whether she should use that technology or some alternatives, such as standard databases?**

**Explain the differences between chain-based PoS and BFT PoS.**
chain-based: validator *creates* new block with link to *some* previous block. The validator gets the block reward and transaction fee
BFT: validator *proposes* a new block with a link to *some* previous block. All other validators vote on the validity of the proposed block. The block is only accepted <=> 2/3 or more accept.
**What is the nothing at stake problem? Explain the behavior of an economically driven validator/miner that results from having nothing at stake and that is problematic for blockchain consensus protocol. Why is it problematic?**
When Proof of Stake consensus is used, the best option for a validator is to vote for both chains instead of choosing one.
This is possible because no hash power has to be distributed.
=> without opportunity cost, rational minters maintaining forks are the majority <=> altruistic minters
**Explain the different variations of slashing algorithms that solve the nothing at stake problem.**
1. simultaneous slasher
2. slasher on the wrong chain
**What is a liveness denial attack? In what contexts does it matter?**
if an attacker has more than 1/3 of voting power, he is able to completely prevent reaching consensus. This is because to reach consensus, 2/3 or more needs to vote "accept".
**How does timelock cryptography help in PoS systems? What does it guarantee?**
1. sender creates transaction t but DOES NOT PUBLISH IT
2. instead he publishes:
- C = encrypted version of t
- data values to allow time-consuming decryption of C
- zero-knowledge proof that data values were generated correctly
3. within 24h, the validator needs to publish t; if not, the sender will be heavily penalized
4. t can be included in a block to finalize the transaction
=> attackers with 1/3 <= voting power <= 2/3 are not able to prevent blocks with certain transactions from being accepted
:= censorship attack
a liveness denial attack is still possible
**Explain how P+𝛆 bribing attacks work?**

In an honest situation, miners get a reward if they vote the same as the other miners => they get reward P.
But now someone credible announces that miners get reward P+𝛆 if they vote 1, even if 0 is the "truth".
This will cause the honest miners to vote 1, since this gives the best chance to make money.
But if everyone votes 1, everyone gets reward P => the attacker does not need to pay anything.
**How can the generation of vanity Bitcoin addresses be done faster than simply brute-forcing them by invoking the key generation algorithm on randomly selected values?**
When we pick a starting point P, and a large m as private key, the public key is $P^m$. So if we want to compute another public key for a new private key without recomputing it completely, we can choose m+1 as the new private key. The new public key is then $P^{(m+1)}$, which means that we can simply multiply the previous public key by P.
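Added example (not from the notes) serving both the hierarchical-wallet answer and the vanity-address answer above, since both rest on the same rule g^(a+b) = g^a * g^b: child public keys are derived from the parent public key without the private key, and a vanity search steps through consecutive private keys with one group multiplication each instead of a fresh exponentiation. The group (multiplication modulo the Mersenne prime 2^127 - 1, generator 3), the address function, the chain code `k` and the starting key are constructed stand-ins; Bitcoin uses the secp256k1 curve instead.

```python
import hashlib

# Constructed toy group: multiplicative group modulo a Mersenne prime, generator 3.
P = 2 ** 127 - 1
G = 3
ORDER = P - 1  # private keys (exponents) live modulo the group order

def public_key(private):
    return pow(G, private, P)

def address(public):
    """Toy address: hex SHA-256 of the public key (Bitcoin hashes differently, same idea)."""
    return hashlib.sha256(public.to_bytes(16, "big")).hexdigest()

def offset(k: bytes, i: int) -> int:
    """H(k|i) from the notes, reduced modulo the group order."""
    return int.from_bytes(hashlib.sha256(k + i.to_bytes(4, "big")).digest(), "big") % ORDER

def child_private(y, k, i):
    """x_i = y + H(k|i): needs the parent private key y."""
    return (y + offset(k, i)) % ORDER

def child_public(pub_y, k, i):
    """g^{x_i} = g^y * g^{H(k|i)}: needs only the parent public key and k.
    Anyone holding k and g^y can therefore link all child addresses (the :warning: above)."""
    return pub_y * pow(G, offset(k, i), P) % P

def vanity_search(start_private, prefix, max_tries=100_000):
    """Walk private keys m, m+1, m+2, ... and update the public key with one multiplication
    by G per step instead of a full exponentiation; stop at the first matching address."""
    private, public = start_private, public_key(start_private)
    for _ in range(max_tries):
        if address(public).startswith(prefix):
            return private, public
        private, public = private + 1, public * G % P
    return None
```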
# Booster session


