Mastering Bitcoin reading notes
Mastering Bitcoin
Introduction
How Bitcoin works
miner: produces a block roughly every 10 minutes, confirming all transactions (?), and earns a 25 BTC reward for it
The Bitcoin client
$ bitcoin-cli getaddressesbyaccount ""
... after confirmation , the txid is immutable and authoritative
$ bitcoin-cli decoderawtransaction ... //vin/vout?
What does the asm field mean?
Block height: the genesis block is height 0
scriptSig: the signature on the transfer transaction (produced by signrawtransaction)
Sending to yourself?
sendrawtransaction: submits a transaction to the bitcoin network and returns a txid (and who generates this id?)
Other Clients, Libs and Toolkits
libbitcoin and the sx tools
pycoin
btcd (Go implementation; it has no wallet, which is provided by btcwallet/btcgui)
Keys, Addresses, Wallets
Private key: 256 bits, ~10^77 possibilities (for comparison: the visible universe contains about 10^80 atoms)
dumpprivkey: Base58 checksum-encoded WIF
Public key: K = k * G, ECC, G: generator point
ECC: the secp256k1 standard? (it even explains ECC here, ugh)
Bitcoin address: starts with "1"
Public key --> SHA256 --> RIPEMD160 --> Base58Check?
Base58: Base64 without 0, O, l, I, +, /
Base58Check: checksum = SHA256(SHA256(prefix+data)), take the first 4 bytes
On the "prefix" of the different address types:
bitcoin: 1
Pay-to-Script Hash: 3
Bitcoin Testnet: m/n
Private Key WIF: 5/K/L
BIP38-encrypted private key: 6P
BIP32 extended public key: xpub
Compressed public keys
If x is known, y can be solved from y^2 mod p = (x^3 + 7) mod p
The uncompressed prefix is 04, compressed is 02 or 03 (y has two solutions, positive and negative; in the finite field mod p these are the even and the odd one)
Damn, not all clients support this yet? That shows the original design was a bit too sloppy
Ironically, a WIF-compressed private key is one byte longer than the uncompressed version, because it appends the suffix 01
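As an added illustration of the Base58Check steps and prefixes in the notes above (example code written here, not from the book): the 4-byte checksum, the version bytes behind the leading "1", "3" and "5"/"K"/"L" characters, and the 01 suffix that makes a compressed-key WIF one byte longer. The hash160 and private key are constructed sample bytes, not real keys, and RIPEMD160 of a real public key is not performed.

```python
import hashlib

ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # Base64 minus 0 O l I + /


def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58_encode(data):
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n:
        n, r = divmod(n, 58)
        out.append(ALPHABET[r])
    pad = len(data) - len(data.lstrip(b"\x00"))  # every leading zero byte becomes a leading '1'
    return (ALPHABET[:1] * pad + out[::-1]).decode()


def base58_decode(s):
    n = 0
    for ch in s.encode():
        n = n * 58 + ALPHABET.index(ch)           # ValueError on a character outside the alphabet
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def base58check_encode(version, payload):
    data = bytes([version]) + payload
    return base58_encode(data + double_sha256(data)[:4])  # checksum = first 4 bytes of SHA256(SHA256(prefix+data))


def base58check_decode(s):
    raw = base58_decode(s)
    data, checksum = raw[:-4], raw[-4:]
    if double_sha256(data)[:4] != checksum:
        raise ValueError("bad Base58Check checksum")    # a mistyped address is rejected here, not paid to
    return data[0], data[1:]


def address_from_hash160(hash160, version=0x00):
    return base58check_encode(version, hash160)        # 0x00 -> "1..." (P2PKH), 0x05 -> "3..." (P2SH)


def private_key_to_wif(key32, compressed):
    # version 0x80; a compressed key gets a trailing 0x01, which is why its WIF is one byte longer
    return base58check_encode(0x80, key32 + (b"\x01" if compressed else b""))


def wif_to_private_key(wif):
    version, payload = base58check_decode(wif)
    if version != 0x80 or len(payload) not in (32, 33):
        raise ValueError("not a mainnet WIF private key")
    return payload[:32], len(payload) == 33           # (raw key, compressed flag)


# Constructed sample values, not real keys: a 20-byte hash160 and a 32-byte private key.
SAMPLE_HASH160 = bytes.fromhex("00" * 2 + "ab" * 18)
SAMPLE_KEY = bytes.fromhex("0c" * 32)
```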
Wallet: a container for private keys
First generation, Type-0 non-deterministic (private keys are generated randomly, so in theory collisions are possible?)
Drawback: must be backed up frequently?
Deterministic (seeded)
Why do I feel this one is easier to track? Because if the seed can be located...
Mnemonic Code Words: represent a random-number seed, #see BIP0039
Only a draft proposal, not a standard
Hierarchical deterministic wallets (BIP0032/0044)
Can be mapped onto an organizational structure???
root seed --> HMAC-SHA512 --> master private key(m) and master chain code
Deriving a private child key (CKD)
Personally I think HD wallets are not really secure; their security rests on others not knowing the parent key and on the irreversibility of the chain of hash computations
Extended keys: can derive child keys
A public child key can be derived directly from the public parent key, without the private key (? the extended public key includes the chain code)
Risks:
One leaked child private key can derive all the other child private keys
One leaked child private key plus the parent chain code can derive the parent private key
==> Hardened CKD
Derive the child chain code from the parent private key instead of from the parent public key (relying on the irreversibility of the hash chain)
Drawback?
Best practice: all first-level children are derived through hardened CKD?
HD path notation (omitted)
Advanced Keys and Addresses
Pay-to-Script Hash (P2SH) and Multi-Sig addresses (BIP0016)
A P2SH address is created from a transaction script, which defines who can spend a transaction output (an owned wallet?)
Note that paying to a P2SH address requires multiple parties to take part!
Multi-signature addresses and P2SH: M-of-N
Vanity addresses (contain human-readable information)
Because of SHA256, finding such an address is not easy (it depends on the length of the pattern)
Paper Wallets: private keys printed on paper?
BIP0038 enhancement
Once a payment is received, it can only be spent all at once, or moved to another new Paper Wallet (this reminds me of today's gift cards)
Transactions
Signed by the owner of the funds
No need to authenticate the sender's identity (just forward it on, until a miner puts it into the blockchain)
Data structure
Version?
input, output
locktime?
UTXO (there is no concept of a balance; somewhat like a "materialized view" in a database)
Not physical objects, indivisible; input equals output; "change"
Transactions consume UTXO by unlocking it with the signature of the current owner,
and create UTXO by locking it to the bitcoin address of the new owner.
coinbase transaction: the first transaction in a block, created by the miner who won the mining competition, paying to himself
Transaction outputs (UTXO):
An amount of bitcoin, denominated in satoshis (1/100000000 BTC)
A locking script, specifying who can accept this UTXO
... requests.get('https://blockchain.info/unspent?active=%s' % address)
Transaction Inputs
In simple terms, transaction inputs are pointers to UTXO .
unlocking script: usually the owner's signature for their bitcoin address
Transaction fees
Transaction fees are calculated based on the size of the transaction in kilobytes, not the value of the transaction in bitcoin.
Implicit
Transaction chaining and orphan transactions
orphan transaction pool: temporarily holds child transactions that reference a parent which is not yet known
Transaction Scripts
Similar to Forth?
DUP CHECKSIG OP_CHECKMULTISIG ...
locking: scriptPubKey; unlocking: scriptSig
Originally the two were executed in sequence, which had a security vulnerability, ...
Now, executed separately with the stack transferred between the two executions
the Script:
Turing incompleteness: no loops, no complex flow control (only conditional branches)
Stateless (?)
5 standard transaction types:
pay-to-public-key-hash (P2PKH),
public-key,
multi-signature (limited to 15 keys),
pay-to-script-hash (P2SH),
(p.132) 2 <Mohammed's Public Key> <Partner1 Public Key> <Partner2 Public Key> <Partner3 Public Key> <Attorney Public Key> 5 OP_CHECKMULTISIG
With P2SH payments, the complex locking script is replaced with its digital fingerprint , a cryptographic hash.
==> redeem script (to save blockchain storage!)
Even if the redeem script might be invalid, the P2SH itself is still accepted (???)
Note: Script Hash is somewhat like the "interest routing" I once imagined
data output (OP_RETURN): used to prove that something existed as of a given date? abuse??
This increases the burden on the other clients that store the blockchain... (though it could be used for private chains?)
Worse, using a fake 20-byte destination address to store information leaves unspent UTXO, flooding the nodes' temporary memory pool...
OP_RETURN: creates a provably unspendable output, which grows the blockchain but does not bloat the memory pool (a compromise? version 0.9+)
40 bytes: a 32-byte SHA256 plus a DOCPROOF prefix?
The Bitcoin Network
Stratum gateway proxy?
Network discovery
TCP port 8333?
BestHeight: the node's current blockchain height
seed nodes
Messages: inventory, getblocks, getdata
SPV nodes (thin clients)
SPV nodes download only the block headers and do not download the transactions included in each block.
Request them from a peer when needed?
The SPV node establishes the existence of a transaction in a block by requesting a merkle path proof and by validating the proof of work in the chain of blocks.
Check whether the block containing the transaction is referenced by more than 6 newer blocks, and whether the transaction in it is unspent?
Note that the transactions here are generally for bitcoin addresses already known to the SPV node's wallet
==> Privacy risk! #see 'Bloom Filters'
Can prove existence, but cannot verify its unspent status ==> double-spending attack
Connect randomly to multiple other nodes? In the hope that at least one of them is honest
==> SPV nodes also are vulnerable to network partitioning attacks or Sybil attacks
getheaders message
Bloom Filters (this reminds me of zero-knowledge proofs in cryptography)
offer an efficient way to express a search pattern while protecting privacy.
filterload message
Interactive filteradd
Transaction Pools
Alert Messages
The Blockchain
linked-back list
"previous block hash" (the essence of the blockchain concept)
metadata in LevelDB
Although a block has just one parent, it can temporarily have multiple children. (Fork)
when different blocks are discovered almost simultaneously by different miners
80-byte Block Header
The second set of metadata, namely the difficulty, timestamp, and nonce (the mining competition)
Merkle tree root
Block Identifiers: Block Header Hash (double SHA256) and Block Height
For example, the hash of the first block header: 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f
The Genesis Block
Linking Blocks in the Blockchain
Check the previousblockhash field of the new block
Merkle Trees
double-SHA256
Technical detail: if there is an odd number of transactions, the last one is duplicated!
? Proving that a transaction is in a given block (how, with only the root hash? by retrieving a small merkle path?)
With SPV
The peer's merkleblock message (contains the header of the block the transaction is in, plus the merkle path). Oh, so it takes "computation" to verify!
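Worked example for the Merkle tree and merkleblock notes above (added here, not from the book): building the root with the duplicate-last rule, extracting the merkle path a peer would return in a merkleblock message, and the recomputation an SPV node performs to check it against the header's root. The seven txids are constructed stand-ins for real transaction hashes.

```python
import hashlib


def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _next_level(level):
    """One tree level up: an odd trailing element is paired with a copy of itself."""
    if len(level) % 2 == 1:
        level = level + [level[-1]]
    return [double_sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(txids):
    """Merkle root over raw 32-byte txids (internal byte order, not the reversed display form)."""
    if not txids:
        raise ValueError("a block has at least the coinbase transaction")
    level = list(txids)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_path(txids, index):
    """Sibling hashes, with the side each sits on, that prove txids[index] is in the tree."""
    path = []
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        sibling = index ^ 1
        path.append((level[sibling], "left" if sibling < index else "right"))
        index //= 2
        level = _next_level(level)
    return path


def verify_merkle_path(txid, path, root):
    """What the SPV node does: fold the path up from the txid and compare with the header's root."""
    node = txid
    for sibling, side in path:
        node = double_sha256(sibling + node) if side == "left" else double_sha256(node + sibling)
    return node == root


# Constructed sample: seven fake transactions (an odd count exercises the duplicate-last rule).
SAMPLE_TXIDS = [double_sha256(b"constructed tx %d" % i) for i in range(7)]
```

The path has only log2(n) entries, which is why an SPV node can check membership in a block of thousands of transactions from a few hundred bytes.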
Mining and Consensus
miner: constructs a candidate block
Transaction priority: age, fees (size)
High priority: > 57600000
An initial 50 KB of transaction space, regardless of fee? (note that the miner already gets a 25 BTC reward for the block itself)
Note: the blockchain confirmation process here is somewhat similar to a database WAL log
generation/coinbase transaction: consumes no UTXO, creates bitcoin from nothing
out value = 25 BTC + the fees of all transactions in the block
Reward calculation: initially 50 BTC, halved every 210000 blocks; currently 25 BTC, but sometime in 2016 it will become 12.5 BTC
input: 32B Transaction Hash = 0 (not a UTXO reference), 4B Output Index = -1, 2~100B Coinbase Data (free for the miner to use), 4B Sequence Number = -1
BIP0034, version-2 blocks MUST contain the height index as a script "push"
Taking #277316 as an example: 03 (push) - 443b04 (little-endian height index) - 03858402062 (extra nonce) - 2f503253482f ('/P2SH/', #BIP0016)
BIP0017: 'p2sh/CHV'
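The coinbase parsing described above, as an added example (not from the book): the BIP0034 height push, the extra nonce, the "/P2SH/" tag, the null input that marks a coinbase, and the halving-based subsidy. The hex string is the notes' pieces for block #277316 reassembled by me into one script; the push parser assumes only direct 1-to-75-byte pushes occur, which holds for this script.

```python
COIN = 100_000_000          # satoshis per BTC
HALVING_INTERVAL = 210_000


def block_subsidy(height):
    """Coinbase reward in satoshi: 50 BTC, halved every 210,000 blocks (25 BTC at #277316)."""
    halvings = height // HALVING_INTERVAL
    return 0 if halvings >= 64 else (50 * COIN) >> halvings


def is_coinbase_input(prev_txid, prev_index):
    """A coinbase input references no UTXO: txid all zero and output index 0xffffffff (-1)."""
    return prev_txid == b"\x00" * 32 and prev_index == 0xffffffff


def parse_pushes(script):
    """Split a coinbase scriptSig into its data pushes; opcodes 0x01..0x4b push that many bytes."""
    pushes, i = [], 0
    while i < len(script):
        n = script[i]
        if not 1 <= n <= 75:
            raise ValueError("unsupported opcode 0x%02x at offset %d" % (n, i))
        pushes.append(script[i + 1:i + 1 + n])
        i += 1 + n
    return pushes


def parse_coinbase(script_hex):
    """BIP0034: the first push of a version-2 coinbase is the block height, little-endian."""
    pushes = parse_pushes(bytes.fromhex(script_hex))
    height = int.from_bytes(pushes[0], "little")
    extra_nonce = pushes[1] if len(pushes) > 1 else b""
    tag = pushes[2].decode("ascii", "replace") if len(pushes) > 2 else ""
    return {"height": height, "extra_nonce": extra_nonce.hex(), "tag": tag,
            "subsidy": block_subsidy(height)}


# Coinbase data of block #277316 as quoted in the notes, joined into one hex string:
# 03 | 443b04 | 03 | 858402 | 06 | 2f503253482f
COINBASE_277316 = "03443b0403858402062f503253482f"

if __name__ == "__main__":
    print(parse_coinbase(COINBASE_277316))
```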
Constructing the block header
4B Version
32B Prev Block Hash
32B Merkle Root
4B Timestamp
4B Difficulty Target (mantissa-exponent encoding?)
Taking #277316 as an example: 0x1903a30c, 19 is the exponent, 3a30c is the coefficient
target = coefficient * 2 ^ (8 * (exponent-3)), roughly equivalent to a prefix of 60 zero bits
4B Nonce (the counter for the Proof-of-Work algorithm)
Once the header is built, "mining" can begin: find a Nonce value (at most 2^32 attempts) such that the header hash < difficulty target (?)
Proof-of-Work algorithm
First explains the properties of SHA256...
Lowering the target (which means requiring more leading zeros in the SHA256 output) increases the difficulty
Note: so-called bitcoin mining ASICs are really just hardware implementations of SHA256?
... fortunately, the processing power of the whole network is 100 petahashes per second (PH/sec)
Difficulty retargeting
The network must guarantee one block every 10 minutes, no more and no less?
Automatically, every 2016 blocks:
Measure how long the most recent 2016 blocks took, compare with 20160 minutes, and use the ratio to adjust the Difficulty
Ah, how magical
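Added example (not from the book) tying together the bits field, the nonce search and the 2016-block retargeting from the sections above. The header bytes are constructed; the 4x clamp on each retarget and the genesis block's bits value 0x1d00ffff are protocol facts the notes do not mention.

```python
import hashlib
import struct

TARGET_TIMESPAN = 2016 * 10 * 60   # the 20160 minutes that 2016 blocks should take, in seconds
MAX_TARGET = 0xffff << 208         # easiest allowed target; this is what the genesis bits 0x1d00ffff encode


def bits_to_target(bits):
    """Decode the 4-byte bits field: 1-byte exponent, 3-byte coefficient (0x1903a30c -> 0x03a30c * 2^176)."""
    exponent, coefficient = bits >> 24, bits & 0x007fffff
    return coefficient << (8 * (exponent - 3))


def leading_zero_bits(target):
    """How many leading zero bits a hash needs to fall below this target."""
    return 256 - target.bit_length()


def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def header_hash_int(header):
    # the header hash is compared with the target as a little-endian 256-bit integer
    return int.from_bytes(double_sha256(header), "little")


def mine(header_prefix, target, max_tries=2 ** 32):
    """Proof of work: try nonces until the header hash is below target; None if the 4-byte space runs out."""
    for nonce in range(max_tries):
        h = header_hash_int(header_prefix + struct.pack("<I", nonce))
        if h < target:
            return nonce, h
    return None   # a real miner now bumps the timestamp or the coinbase extra nonce and starts over


def retarget(old_target, actual_timespan):
    """Every 2016 blocks, scale the target by actual/expected time; the change is clamped to 4x either way."""
    actual_timespan = min(max(actual_timespan, TARGET_TIMESPAN // 4), TARGET_TIMESPAN * 4)
    return min(old_target * actual_timespan // TARGET_TIMESPAN, MAX_TARGET)


# Constructed 76-byte header prefix (version, prev hash, merkle root, time, bits); mine() appends the nonce.
DEMO_HEADER_PREFIX = (struct.pack("<I", 2) + b"\x11" * 32 + b"\x22" * 32
                      + struct.pack("<I", 1388185000) + struct.pack("<I", 0x1903a30c))
DEMO_TARGET = 1 << (256 - 16)   # toy target: about 16 leading zero bits, so tens of thousands of tries, not 2^62

if __name__ == "__main__":
    real = bits_to_target(0x1903a30c)
    print("block 277316 target: %064x (%d leading zero bits)" % (real, leading_zero_bits(real)))
    print("toy mining result (nonce, hash):", mine(DEMO_HEADER_PREFIX, DEMO_TARGET))
```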
Validating a New Block
CheckBlock (compare the earlier CheckInputs for transactions)
main chain: the one with the highest cumulative difficulty, which in most cases is also the chain with the most blocks
A branch chain can be kept temporarily, in case its future cumulative difficulty exceeds the main chain's
orphan block
Eventually, network-wide consensus
? Mining nodes "vote" with their power by choosing which chain to extend (feels like this could be a vulnerability? since it involves leader election and consistency in distributed systems...)
Blockchain Forks
Forks are almost always resolved within one block.
(theoretically possible) a fork extends to 2 blocks, but the chance of that happening is very small!
Extra Nonce
Went through every Nonce without finding one? Increase the Timestamp! ==> use the extra space in the Coinbase transaction
Mining Pools: technically this means splitting the Nonce search space?
set an easier target?
Managed Pools
P2Pool: share chain (a blockchain with a lower difficulty than bitcoin's)?
The 51% attack problem
Consensus Attacks
Can only affect the most recent blocks, causing DoS disruption of the creation of future blocks
A 51% attack allows double-spending in the new chain...
To prevent this, large payments must wait for at least 6 confirmations
DoS attacks on specific transactions (simply ignore those transactions)
Other chains, coins and applications
Meta Coins: implemented on top of bitcoin
Colored Coins: also serve as tokens for other assets (shares?)
Mastercoin: ?
"exodus" address (1EXoDusjGwvnjZUyKkxZ4UHEf77z6A5S4P)
Counterparty: both use OP_RETURN to encode metadata?
Alt Coins: customized modifications of the bitcoin source code
IXCoin: lowered the difficulty and raised the reward to 96 BTC?
Tenebrix: a different PoW algorithm, scrypt, memory-intensive, to resist GPU/ASIC mining? The basis of Litecoin
Litecoin: faster block generation time: 10m -> 2.5m
touted as "silver to bitcoin's gold"
Embarrassing: Creating an alt coin is easy, which is why there are now more than 500 of them
Evaluating an Alt Coin
Monetary Parameter Alternatives: Litecoin, Dogecoin, Freicoin
Litecoin
Consensus algorithm: Scrypt proof of work
Dogecoin: a modified version of Litecoin
Block generation time: 60s? damn
Freicoin: demurrage currency; encourages spending and discourages hoarding? inflation??
Consensus Innovation: Peercoin, Myriad, Blackcoin, Vericoin, NXT
Proof of stake is a system by which existing owners of a currency can "stake" currency as interest-bearing collateral. (savings earn interest??? embarrassing)
Peercoin
Myriad: uses 5 different PoWs at the same time: SHA256d, Scrypt, Qubit, Skein, or Myriad-Groestl (crazy, is that really necessary)
Resisting ASIC mining???
Blackcoin: introducing "multipools"
VeriCoin: variable interest rate???
NXT: a separate implementation, not a bitcoin fork, a 2.0 cryptocurrency?
Dual-Purpose Mining Innovation: Primecoin, Curecoin, Gridcoin
Bitcoin's PoW is criticized as "wasteful"??
Primecoin
PoW: computing Cunningham and bi-twin prime chains?
Curecoin
PoW: protein-folding research through the Folding@Home project
Gridcoin: Proof-of-work with BOINC grid computing subsidy
Anonymity-Focused Alt Coins:
Zerocash/Zerocoin: theoretical research, not released yet
CryptoNote
has a built-in periodic reset mechanism that makes it unusable as a currency itself ?
Bytecoin (BCN)
Monero
Darkcoin
Uses 11 rounds of different hash functions: blake, bmw, groestl, jh, keccak, skein, luffa, cubehash, shavite, simd, echo
Noncurrency Alt Chains
Namecoin
Namespaces: d/ for .bit domains, id/ for PGP, u/
Namecoin registrations need to be updated every 36,000 blocks; no fee for the update?
Bitmessage: a server-less encrypted email system
Ethereum
a Turing-complete contract processing and execution platform based on a blockchain ledger
A "Turing-complete" contract, what the hell
A completely independent design/implementation?
contract: runs on every node, acting as decentralized autonomous software agents
Namecoin could be implemented with Ethereum?
Security
decentralization
User security best practices
? Holding bitcoin on a computer serves to focus the user's mind on the need for improved computer security.
Physical Bitcoin Storage
Hardware Wallets: encrypted storage of bitcoin keys is too complex, and in the end the master key gets lost... idiots
Diversifying Risk
Multi-sig and Governance
Survivability
A Transaction Script Language Operators, Constants, and Symbols
B BIP
C pycoin, ku, and tx
D Available Commands with sx Tools