This document provides an introduction to mathematics concepts relevant to blockchain technology. It begins with an overview of powers of base 2, binary and hexadecimal numbering systems, and the concept of groups. It then discusses modular arithmetic, Shor's algorithm, elliptic curves, and cryptographic hash functions. The goal is to give readers a deeper understanding of the underlying mathematics before explaining cryptography, digital signatures, and blockchain data structures. Exercises are provided throughout for practice.


Mathematics for the Blockchain

Thomas Schmelzer
thomas.schmelzer@gmail.com
Faculté des hautes études commerciales
University of Lausanne

October 26, 2020


Contents

1 Warm-Up
1.1 Powers of base 2
1.2 Binary and hexadecimal numbers
1.3 The rice and the chessboard
1.4 Groups
1.5 Modular arithmetic
1.6 Shor’s algorithm
1.7 Elliptic curves
1.8 Summary
1.8.1 Further references and comments

2 Cryptography
2.1 Key pairs and identity
2.2 Cryptographic hash functions
2.3 Digital signatures
2.3.1 Creating the signature
2.3.2 Verifying the signature
2.3.3 Source code for digital signatures
2.4 A first blockchain
2.5 Symmetric cryptography
2.6 Diffie–Hellman key exchange
2.7 Summary
2.7.1 Further references and comments

3 Distributed Ledger Technology
3.1 Centralized ledgers
3.2 Distributed ledgers
3.3 A toy blockchain

4 Money

Preface
My goal is to provide an introduction to distributed ledger technology, blockchains and cryptocurrencies. The course focuses on the applications of these technologies in finance and banking.
Obviously there is a short-term goal lurking. You all want to maximize the likelihood of passing the exam. There will be only one exam. Don’t forget that exams are rare moments in your existence to shine. You should be very excited.
There’s a simple and well-tested strategy to maximize this likelihood. You have to attend all the lectures. Attendance is not enough though. You have to participate and engage. You do the exercises, you ask questions and you discuss with your fellow students. You even start writing your own little programs and run experiments.
This little script is not a replacement for your physical presence in my lectures. It is not self-contained. It shall help you to prepare for the exam and will point you to literature.
Whereas there is plenty of literature introducing the blockchain without any computer science or mathematics, we will drill a few levels deeper. The technology touches many wonderful subjects such as cryptography, efficient hash functions and the idea of creating consensus in a truly distributed network.
By the end you should have a much deeper understanding of the blockchain. You may also gain some rather fragmented mathematical knowledge suitable for showing off at cocktail parties.
Morges, August 2019
Thomas Schmelzer
Chapter 1

Warm-Up

And this proposition is generally true for all progressions and for all prime numbers; of which I would send you the proof, if I did not fear being too long.

Pierre de Fermat

It’s tradition to start with an introduction. However, in the spirit underlying bitcoin we ignore such conventions and start with a warm-up covering some of the mathematics you need to master before you will be in a position to digest the original whitepaper by Satoshi Nakamoto.
In this chapter we start with some rather trivial observations but later talk about Galois fields over elliptic curves. You may find the underlying learning curve steep but the effort will pay off soon.
Note that all content covered in the first two chapters goes far beyond currencies. Cryptography is a technology underlying your life today. The moment you pay with your credit card, use Facebook, do some banking or visit your favorite webpage, some cryptography is performed in the background.
We are in particular interested in binary and hexadecimal numbers. After a little intermezzo we introduce the term group as a pair of a set and an operation acting on elements of this set with certain properties.


We introduce modular arithmetic to enforce the closure of the aforementioned operation on a finite set of integers. It all reminds us of doing maths on an analog watch where we don’t find it surprising that after 12 the next number is a 1.¹
Carefully chosen elliptic curves over finite fields underlie the digital signatures used for all transactions recorded in the Bitcoin ledger. We use extremely potent trapdoor functions. On the way we touch some contemporary mathematics.

1.1 Powers of base 2


Remember that

$2^3 = 2 \times 2 \times 2 = 8$

and

$2^{10} = 1024 \approx 1000 = 10^3$.

Note that for any two integer numbers a and b we have

$2^{a+b} = 2^a \times 2^b$

and therefore

$2^0 = 1$

to avoid any conflict here. Also note that

$(2^a)^b = 2^{a \times b}$.

Using our (not so new) skills we can now estimate big powers of 2:

$2^{64} = 2^4 \times 2^{10 \times 6} = 16 \times (2^{10})^6 \approx 16 \times (10^3)^6 = 1.6 \times 10^{19}$

¹ Mathematicians find this annoying. A correct way to label an analog watch would be . . . , 10, 11, 0, 1, 2, . . .

Exercise 1: Power operations

• Compute $2^0 + 2^1 + 2^2 + 2^3$.

• Prove that $2^0 + 2^1 + \ldots + 2^{n-1} = 2^n - 1$.

• Compute $2^{4000} / 16^{999}$.

• Your new favourite prime number shall be $p = 2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1$. Estimate the number of digits.

    # In Python use the ** notation
    2**256

1.2 Binary and hexadecimal numbers


We all understand

$42 > 24$.

The notation 42 is a shortcut for

$42 = 4 \times 10^1 + 2 \times 10^0 > 2 \times 10^1 + 4 \times 10^0 = 24$.

We tend to live among the set of puny integers (in base 10).² It’s all about the position of a digit within a number. We are used to doing all computations in base 10. There is no deeper mathematical reason to compute (only) in base 10. An anthropologist would probably claim it’s because we have 10 fingers. Computers operate in base 2. They only know the digits 0 and 1. The largest digit in base b is always b − 1.
Consider the binary number:

$100101_2 = 1 \times 2^5 + 1 \times 2^2 + 1 \times 2^0 = 32 + 4 + 1 = 37_{10}$

We are in particular interested in 4-digit numbers in base 2. There are 16 such numbers. Hence every 4-digit number in base 2 is a one-digit number in base 16. We introduce the new digits A, B, C, D, E and F and render the first $2^4$ natural numbers in Table 1.1.

² See Peter D. Schumer, Mathematical Journeys, Wiley, 2004

Base 10   Base 2   Base 16
      0     0000         0
      1     0001         1
      2     0010         2
      3     0011         3
      4     0100         4
      5     0101         5
      6     0110         6
      7     0111         7
      8     1000         8
      9     1001         9
     10     1010         A
     11     1011         B
     12     1100         C
     13     1101         D
     14     1110         E
     15     1111         F

Table 1.1: Small binary and hexadecimal numbers

The numbers $2^n - 1$ are called the Mersenne numbers. Such numbers are popular candidates for prime numbers. The largest known prime numbers today are Mersenne numbers. There’s the GIMPS project (Great Internet Mersenne Prime Search) to check for primality. Note that the biggest known prime number today is $2^{82589933} - 1$ and comes with 24862048 digits (in base 10). Large Mersenne numbers also play a crucial role in the context of random number generators, see Mersenne Twister.

Exercise 2: Binary and hexadecimal numbers

• Render the hexadecimal number $AFFE_{16}$ as a binary number.

• Compute $8_{10} \times 110110100101_2$. State the result as a binary number.

• Read about the French mathematician Marin Mersenne. Read about the GIMPS project.

• The biggest known prime number today is $p = 2^{82589933} - 1$. How many digits does p have if expressed as a binary number?

1.3 The rice and the chessboard


This is a little intermezzo using some of the concepts introduced above. If a chessboard were to have rice placed upon each square such that one grain were placed on the first square, two on the second, four on the third, and so on (doubling the number of grains on each subsequent square), how many grains of rice would be on the chessboard at the finish?

$2^0 + 2^1 + \ldots + 2^{63} = 2^{64} - 1 = 18446744073709551615 \approx 1.84 \times 10^{19}$

We are not too far off the $1.6 \times 10^{19}$ we estimated by hand above. The accuracy is certainly good enough for your interviews in strategy consulting firms.
Note that $2^{64} - 1$ is the 64th Mersenne number; however, it is not a prime number.

Exercise 3: The rice problem

• Estimate the number of container ships you would need to transport the $2^{64} - 1$ grains of rice. Note that 1000 grams of rice contain approximately 50000 grains. Before you start the computation submit a guess. Make sure you carefully state your assumptions.

• Express $2^{64} - 1$ as a binary number and as a hexadecimal number.

1.4 Groups
One of the most familiar groups is the set of integers Z which consists of the numbers

. . . , −4, −3, −2, −1, 0, 1, 2, 3, 4, . . .

together with the familiar addition. The addition has the following properties:

• For any two integers a and b, the sum a + b is also an integer. That is, addition of integers always yields an integer. This property is known as closure under addition.

• For all integers a, b and c, (a + b) + c = a + (b + c). Expressed in words, adding a to b first, and then adding the result to c gives the same final result as adding a to the sum of b and c, a property known as associativity.

• If a is any integer, then 0 + a = a + 0 = a. The zero 0 is called the identity element of addition (or neutral element) because adding it to any integer returns the same integer.

• For every integer a, there is an integer b such that a + b = b + a = 0. The integer b is called the inverse element of the integer a and is denoted −a.

All groups share similar structural aspects. Each group is a pair of an underlying set and an operation (e.g. an addition or a multiplication) with the properties introduced above. Once it is demonstrated that a set and a suitable operation form a group, all results for groups carry over.
The order of a group is the number of elements in the underlying set. A subgroup of G is the pair of a subset of the set underlying G and the operation of G; e.g. G itself is a subgroup of G, but also the set containing only the neutral element induces a subgroup.
Of particular interest for the blockchain are cyclic subgroups, generated by an element g of a larger group G:

$\langle g \rangle = \{kg \mid k \in \mathbb{Z}\}$.
Note that a cyclic subgroup induces an order on its elements, as we end up with . . . , −1g, 0, 1g, 2g, 3g, . . .. We call this an enumerated set. Later we meet huge cyclic groups. It will be trivial to check that an element a is a member of such a group but it is a hard problem to quantify its position in the enumerated set generated by g. So, although we know that a = k × g for some k, it is impossible to compute k. This is what we call a trapdoor function. Of course, given k ∈ Z and g ∈ G it is trivial to solve for a ∈ G. But given a and g this problem is out of reach for modern computers.
A simple brute force approach may only work if the set of possible candidates for k is reasonably small.
Exercise 4: Groups

• Are the natural numbers N with the standard addition a group?

• Are the integer numbers Z \ {0} with the standard multiplication a group?

• Construct a group with exactly two elements. Call them 0 and 1. What can you say about 1 + 1?

• Is there a group with only one element? If so, what element is generating this group?

• Lagrange’s Theorem: Assume G is a finite group. The order of any finite subgroup of G is a divisor of the order of G.

• Assume a finite group G is of prime order. The group H is a subgroup of G. What can you say about the order of H?

• Are the even integer numbers a cyclic subgroup of Z?

• Is there a group based on an empty set?

• Are the powers $\{2^k \mid k \in \mathbb{Z}\}$ a group with the standard addition? How about the multiplication?

Our approach follows a standard path in mathematics. We define concepts such as groups and only then study examples and consequences of the definitions we have made. Obviously, it would be interesting to attempt the inverse route, i.e. we start with the familiar numbers and try to extract underlying laws. Once we have done so, we can see whether we can identify other pairs of sets and operations that behave like groups. Only then can we start to perform arithmetic. We love arithmetic.

1.5 Modular arithmetic


We try to construct some tiny finite groups. Let’s start with the set

$S = \{0, 1, 2, 3\}$

and let’s study the addition. We immediately notice that $2 + 3 = 5 \notin S$. Rather than increasing S we could modify the operation. We take inspiration from an analog watch and argue that $3 + 1 = 0 \in S$ and $3 + 2 = 1 \in S$.
We make this more precise. Rather than using the standard addition we take the remainder

$a + b \equiv (a + b) \bmod 4$

to enforce closure of our operation over S. This new addition fulfills all desired properties to make it, together with S, a group. Note that $S' = \{0, 2\}$ together with the addition is a subgroup.
What about the standard multiplication? Again we face the problem that the standard multiplication is not closed. Hence we reuse the standard trick and define

$a \times b \equiv (a \times b) \bmod 4$

We get closure, associativity and the identity element (here the 1) but struggle with the inverse. Let’s try to find an inverse for 2, i.e. we try to find $a \in S$ such that $a \times 2 \equiv 1 \bmod 4$. There are only 4 candidates and we can quickly check them all:

$2 \times 0 \equiv 0 \bmod 4$
$2 \times 1 \equiv 2 \bmod 4$
$2 \times 2 \equiv 0 \bmod 4$    (1.1)
$2 \times 3 \equiv 2 \bmod 4$

Hence we are unable to identify an inverse for $2 \in S$.



There is a deeper mathematical reason why we failed. We have found a zero divisor (in German: Nullteiler), i.e. $2 \times 2 \equiv 0$ despite both factors being non-zero. This was possible because 2 is a prime factor of 4. We need to avoid such situations.
We continue our hack with

$S = \{0, 1, 2, 3, 4\}$

and now use

$a + b \equiv (a + b) \bmod 5$

and

$a \times b \equiv (a \times b) \bmod 5$.

Because 5 is prime we cannot find two numbers $0 \neq a \in S$ and $0 \neq b \in S$ such that $a \times b \equiv 0 \bmod 5$. There are no zero divisors. For each $a \in S \setminus \{0\}$ we can find an $x \in S$ such that $a \times x \equiv 1 \bmod 5$.
We can even derive an explicit formula for this inverse. To find the reciprocal of a we need Fermat’s little theorem, which states

$a^{p-1} \equiv 1 \bmod p$

if (the number) a is not divisible by p. Hence the reciprocal of a is $a^{p-2} \bmod p$.

    from mod import Mod

    def inv(a, modulus):
        # There exists no inverse for multiples of p
        assert Mod(a, modulus) != 0
        # We apply the Little Theorem of Fermat. Exponentiating the residue
        # class (not the plain integer) keeps every intermediate result
        # below the modulus instead of building a huge integer first.
        return Mod(a, modulus) ** (modulus - 2)

We introduce some further notation. We define

$\mathbb{Z}/p\mathbb{Z} = \{0, 1, \ldots, p - 1\}$

as replacement for S and equip it with the operations

$a + b \equiv (a + b) \bmod p$

and

$a \times b \equiv (a \times b) \bmod p$.

The pair Z/pZ and the addition form a group for all p ≥ 1. The pair Z/pZ \ {0} and the multiplication form a group if and only if p is prime. In this lecture we are only interested in situations when p is prime. In that situation, mathematicians call the triple of the set Z/pZ, the addition and the multiplication (over the reduced set) a finite field.
Exercise 5: Modular arithmetic
We consider the field K = Z/7Z.

• Read about the life of Fermat.

• Determine $a \in K$ such that $a \times 4 \equiv 1 \bmod 7$.

• Compute $3^n \bmod 7$ for $n \in \{1, 2, 3, 4, 5, 6\}$. Do the same for $4^n$. Do you notice a difference?
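As an added illustration (not part of the original script), the following Python computes for a general modulus m the structure the section describes: which residue classes have a multiplicative inverse, where zero divisors appear (as for 2 in Z/4Z), whether the Fermat formula agrees with exhaustive search for prime moduli, and the multiplicative order of an element, which is what the last bullet of Exercise 5 is about. It only uses the standard library; `pow(a, e, p)` does the square-and-multiply internally.

```python
"""Multiplicative structure of Z/mZ, by brute force and by Fermat's little theorem."""
from math import gcd


def units(m):
    """Elements of Z/mZ that have a multiplicative inverse.

    a is invertible iff gcd(a, m) == 1: for prime m every non-zero element,
    for m = 4 the element 2 drops out because it is a zero divisor.
    """
    return [a for a in range(1, m) if gcd(a, m) == 1]


def zero_divisors(m):
    """Non-zero a for which some non-zero b gives a * b = 0 mod m."""
    return [a for a in range(1, m)
            if any((a * b) % m == 0 for b in range(1, m))]


def inverse_by_search(a, m):
    """Try every candidate, as the text does for 2 in Z/4Z; None if no inverse exists."""
    for x in range(1, m):
        if (a * x) % m == 1:
            return x
    return None


def inverse_by_fermat(a, p):
    """a^(p-2) mod p via modular exponentiation; valid only for prime p."""
    if a % p == 0:
        raise ValueError("multiples of p have no inverse")
    return pow(a, p - 2, p)


def element_order(a, p):
    """Smallest n >= 1 with a^n = 1 mod p, for a in the multiplicative group of Z/pZ."""
    n, value = 1, a % p
    while value != 1:
        value = (value * a) % p
        n += 1
    return n


def is_generator(a, p):
    """a generates the whole multiplicative group (a cyclic group of order p - 1)
    iff its order is p - 1; then a^1, ..., a^(p-1) enumerate every non-zero element."""
    return element_order(a, p) == p - 1
```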

1.6 Shor’s algorithm


Shor’s algorithm is an idea demonstrating the power of quantum computing. We could easily get lost here but we discuss only one aspect of this idea, following a video by Umesh Vazirani. Given N = 21 we want to find the prime factors 3 and 7. In reality the numbers involved are obviously a lot larger. We now pick a random integer x, e.g. x = 2 (as in the video), and note that the function

$f_x(a) = x^a \bmod N$

is periodic (if gcd(x, N) = 1; if this condition is not met we have already found a non-trivial factor of N).
Using the brute-force approach of Table 1.2 we have computed in particular

$2^6 = (2^3)^2 = 8^2 \equiv 1 \bmod 21$

We remark that 8 is a non-trivial square root of 1 mod 21. Shor’s algorithm relies on a Fourier transform used to detect the period length r of $f_x$. If r is even and if $x^{r/2} \not\equiv 1 \bmod 21$ we have found a non-trivial root of 1 mod 21. Trivial roots would be 1 and −1.

a    $2^a \bmod 21$
0    1
1    2
2    4
3    8
4    16
5    11
6    1
7    2
.    .
.    .

Table 1.2: The function $2^a \bmod 21$ is periodic with period length r = 6.

Given

$8^2 \equiv 1 \bmod 21$

we have found

$8^2 - 1 \equiv 0 \bmod 21$.

But $8^2 - 1 = (8 - 1) \times (8 + 1) = 7 \times 9$. Obviously $7 \times 9 \neq 21$ but we see

$21 = \gcd(7, 21) \times \gcd(9, 21) = 7 \times 3$

as desired. As there is a powerful Fourier transform for quantum computing available, the ideas of Shor are a prime candidate for that field.
Note that on a conventional computer one would never attack this problem via the Fourier route. Fourier works extremely well for quantum computers as the function f can essentially be evaluated with 1 operation using the superposition of qubits. Their destructive interference will erase states we are not interested in.
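The classical skeleton of the reduction just described, as an added example that is not part of the original script: the period of $f_x(a) = x^a \bmod N$ is found by brute force (the one step a quantum computer would replace by the Fourier transform), and a non-trivial square root of 1 then yields the factors via two gcd computations. The functions also handle the two failure modes the text mentions, an odd period and a trivial root ±1, by reporting that another base x is needed.

```python
"""Classical part of Shor's reduction: period of f_x(a) = x^a mod N,
then factors of N from a non-trivial square root of 1 mod N."""
from math import gcd


def period_table(x, N, rows):
    """The brute-force table of f_x(a) = x^a mod N for a = 0 .. rows-1 (Table 1.2 style)."""
    return [(a, pow(x, a, N)) for a in range(rows)]


def find_period(x, N):
    """Smallest r >= 1 with x^r = 1 mod N. This is the step Shor's algorithm
    performs with a quantum Fourier transform; here it is plain iteration.
    Requires gcd(x, N) == 1, otherwise f_x is not periodic in this sense."""
    if gcd(x, N) != 1:
        raise ValueError("x shares a factor with N; no period finding is needed")
    r, value = 1, x % N
    while value != 1:
        value = (value * x) % N
        r += 1
    return r


def factors_from_period(x, N):
    """Turn the period into two factors of N, or return None when the period is
    odd or the square root x^(r/2) is one of the trivial roots 1 and -1 mod N."""
    r = find_period(x, N)
    if r % 2 == 1:
        return None
    y = pow(x, r // 2, N)           # a square root of 1 mod N
    if y in (1, N - 1):
        return None                 # trivial root: pick another x
    # y^2 - 1 = (y - 1)(y + 1) = 0 mod N, so each factor shares something with N
    return gcd(y - 1, N), gcd(y + 1, N)


def shor_classical(N, candidates):
    """Run the reduction over a list of trial bases. Returns (x, r, (f1, f2))
    for the first base that splits N, with r = None when gcd(x, N) already
    revealed a factor; returns None when no candidate works."""
    for x in candidates:
        g = gcd(x, N)
        if 1 < g < N:               # lucky base: it already shares a factor with N
            return x, None, (g, N // g)
        split = factors_from_period(x, N)
        if split is not None:
            return x, find_period(x, N), split
    return None
```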

1.7 Elliptic curves


Bitcoin makes heavy use of the finite Galois field $\mathbb{F}_p$ with $p = 2^{256} - 2^{32} - 977$ over an elliptic curve. Pairs $(x, y) \in \mathbb{F}_p^2$ that solve the Weierstraß equation $y^2 \equiv x^3 + 7 \bmod p$ are of interest.
There are N such points. The N points include the point at infinity, which is the origin of the group law and has x = y = ∞. So N is not quite the same as the number of solutions of $y^2 \equiv x^3 + 7 \bmod p$.
The computation of N is far beyond the scope of this lecture. Generally, Schoof’s point counting algorithm is used for this purpose.³ We have to accept the result is

    N = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE
        BAAEDCE6 AF48A03B BFD25E8C D0364141  (base 16)

Schoof’s algorithm was the first deterministic polynomial time (in the size of the elliptic curve group) algorithm for counting points on elliptic curves. The algorithm was improved by Elkies and Atkin. We are touching here bleeding edge mathematics.
So using this particular elliptic curve over this particular finite Galois field results in N being prime. The idea is now to show that those N points equipped with a suitable addition form a group, i.e. to define the addition such that the sum of two pairs is still a pair solving the Weierstraß equation $y^2 \equiv x^3 + 7 \bmod p$. There is both an algebraic and a geometric approach to this problem. Any non-trivial cyclic subgroup of this group of order N has therefore N elements. Hence any element of the group (except the neutral element, which is actually the point at infinity) can be used to generate the entire group.
We need to agree on a pair g = (x, y), i.e. an element of the group and therefore a solution of the Weierstraß equation. The discrete logarithm of this element will then be 1. For any other element of the cyclic group g′ = n × g the discrete logarithm is n. It has been agreed to choose

    x = 79BE667E F9DCBBAC 55A06295 CE870B07
        029BFCDB 2DCE28D9 59F2815B 16F81798  (base 16)
    y = 483ADA77 26A3C465 5DA4FBFC 0E1108A8
        FD17B448 A6855419 9C47D08F FB10D4B8  (base 16)

³ Elliptic Curves over Finite Fields and the Computation of Square Roots mod p, Math. Comp., 44(170):483–494, 1985.

The parameters underlying the standard used by Bitcoin are carefully chosen. Both the characteristic p of the underlying finite Galois field and the number N of solutions are huge prime numbers. This makes it very hard to invert the function f(n) = n × g where g is the generating element.
Exercise 6: Elliptic curves
We consider the field K = Z/37Z.

• Using brute force compute all solutions $(x, y) \in K^2$ such that $y^2 \equiv x^3 + 7 \bmod 37$. Hint: Do not forget the neutral element.

• One solution is given by the point (8, 1). Compute all points of the group generated by this point. Hint: To perform the addition use the fastecdsa Python package. What can you say about the order of this group?

• Discuss how you would compute 16 × g where g is a solution of the Weierstraß equation.
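The group law in affine coordinates, written out as an added example (not part of the script, and independent of the fastecdsa package the exercise suggests). It brute-forces the solutions of Exercise 6, enumerates the cyclic group generated by (8, 1), and computes n × g by double-and-add; the constants p, N and g are the secp256k1 values quoted above, so the last function checks that N × g really is the point at infinity. The curve coefficient a is 0 for $y^2 = x^3 + 7$; `pow(v, -1, p)` (Python 3.8+) gives the inverse in Z/pZ.

```python
"""Group law on y^2 = x^3 + a x + b over Z/pZ in affine coordinates."""

INF = None  # the point at infinity, neutral element of the group


def on_curve(P, p, a, b):
    """True if P solves the Weierstrass equation (the point at infinity always does)."""
    if P is INF:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def add(P, Q, p, a):
    """Chord-and-tangent addition of two points; p must be prime."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                      # P + (-P), includes y = 0
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)           # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(k, P, p, a):
    """k * P by double-and-add: the easy direction of the trapdoor."""
    R = INF
    while k > 0:
        if k & 1:
            R = add(R, P, p, a)
        P = add(P, P, p, a)
        k >>= 1
    return R


def affine_points(p, a, b):
    """All (x, y) solutions by brute force; only feasible for tiny p (Exercise 6)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x ** 3 + a * x + b)) % p == 0]


def cyclic_subgroup(g, p, a):
    """g, 2g, 3g, ... until the point at infinity; the list length is the order of g."""
    points, P = [], g
    while P is not INF:
        points.append(P)
        P = add(P, g, p, a)
    points.append(INF)
    return points


# secp256k1 constants as quoted in the text: p, group order N and generator g
SECP_P = 2 ** 256 - 2 ** 32 - 977
SECP_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
SECP_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
          0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def check_generator_order():
    """N * g must be the point at infinity and (N - 1) * g must equal -g."""
    n_g = scalar_mult(SECP_N, SECP_G, SECP_P, 0)
    minus_g = scalar_mult(SECP_N - 1, SECP_G, SECP_P, 0)
    return n_g is INF and minus_g == (SECP_G[0], (-SECP_G[1]) % SECP_P)
```

For the toy curve of Exercise 6 the brute force yields 38 affine points (39 with the point at infinity) and the subgroup generated by (8, 1) has 13 elements, matching Figure 1.1.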

1.8 Summary
It seems we haven’t seen a lot of blockchain yet. However, our efforts will soon pay off. Your patience will be rewarded.
We have seen our first elliptic curve in Figure 1.1. It doesn’t look exactly like a curve and there is no ellipse. Already the name seems to be misleading. If we changed the underlying field we might get closer to what the name suggests. For us, an elliptic curve is a huge discrete set of enumerated points. For the Bitcoin network a first point g has been chosen. To get to the second point we perform the addition g + g, etc. There are N such points. However, given a point n × g it is out of the question to compute n. There are just too many points to compute them all and run a brute force attack.

Figure 1.1: A cyclic group based on the N = 39 solutions on the elliptic curve $y^2 \equiv x^3 + 7$ over Z/37Z. Readers will count only 38 points in total as the point at infinity is too far out. The cyclic group is generated by the point (8, 1). Follow the path from there visiting 12 points. The 12th point is connected to the first point via the 13th point at infinity. Note that the cyclic group does not touch 26 points and therefore offers even less security than a cyclic group visiting all N solutions. However, such tiny groups are not useful for any real life cryptography.

1.8.1 Further references and comments

• Algebra is a term used across mathematics. Algebraic structures such as groups, rings and fields are studied in a field called abstract algebra.

• Finite prime fields with p elements ”can be identified” with Z/pZ. Hence it’s a good idea to study Z/pZ in great detail. To avoid overflow when computing $a^n \bmod p$ we recommend using dedicated software for such problems. The point is not to compute $a^n$ and then reduce the result by applying the mod function. For our experiments we use the mod package and the fastecdsa package.

• Elliptic curves are a hot branch of mathematics and played a central role in the proof of Fermat’s Last Theorem by Andrew Wiles. You may find the book by Simon Singh entertaining and accessible.

• There’s fantastic material out there on YouTube. For this week I recommend Computerphile on elliptic curves.

• I have done my private experiments with elliptic curves using this app.
Chapter 2

Cryptography

Don’t cry, Alfred! I need all my courage to die at twenty!

Evariste Galois

We embrace elliptic curves to solve the digital signature problem. Elliptic curves over finite fields are discrete sets of enumerated points.
A random point K of the elliptic curve will serve as a public key. It will be the kth point where k has been chosen by a process creating random numbers. Knowing the point K it is not possible to compute k. We call k the private key. Having a public and a private key defines identity for us. Losing access to a private key or leaking it is a tragedy.
Hash functions are tools to convert any message into a number. We love numbers as we can do arithmetic with them. We love arithmetic.
Using the hash digest of the message and the private key a sender can compute a digital signature. The person(s) receiving a signed message has the chance to verify its validity. The message is here not encrypted. In fact, privacy on the Bitcoin network is a somewhat sensitive topic.
In a bonus adventure we discuss the elliptic curve Diffie-Hellman key exchange. This kind of machinery is not used for the Bitcoin network. It’s all about sending encrypted messages between two parties in the most secure way.
We finish the chapter by constructing a little container linking blocks via hash codes. This already resembles some of the properties of the Bitcoin network.
Everything you learn in this chapter is useful in a context going far beyond crypto-currencies.

2.1 Key pairs and identity


Questions of identity on the blockchain boil down to secure random number generation. Remember the elliptic curve is a set of N enumerated points. The first point G is the generating base point (of the cyclic group). The Nth point is the neutral element at infinity. We select a random number k contained in [1, N − 1]. This number is the private key.
The choice of k is typically done by a wallet and often supported by some artistic talent of the user (e.g. moving your mouse around, etc.).
The private key is a very large integer number. We compute the public key as K = k × G. Again, it is impossible to go back from K to k. The most promising route for an attack is probably the random number generator. The public key is not an integer. The public key is a point (x, y) on the elliptic curve.
Note that any other user could copy the public key. It is crucial to avoid any leakage of the private key. Once a private key is out in the wild control is lost (or given to everybody). Some users have managed to lose their private keys. They can no longer compile valid signatures and hence have lost all control.

2.2 Cryptographic hash functions


A hash function converts text, numbers, files, etc. of arbitrary length (the message) into a number of fixed length. Computer scientists call the resulting number the digest. This may emphasize that once a piece of chicken has been digested it is impossible to reconstruct the piece, let alone the chicken. Hash functions are trapdoor functions.
Hash functions are deterministic and the digest can be computed quickly for any value. It is infeasible to generate a message resulting in a given digest or to compute two different messages resulting in the same hash value. As often, the weak link here is the human. A frequency analysis may crack some hash values.¹
The popular Merkle-Damgård construction relies on breaking a padded message into a series of blocks of size w (say w = 256). The digest for the first block is computed. The digest for the first two blocks is the digest of a concatenation of the hash of the first block and the message of the second block.

Figure 2.1: The Merkle-Damgård construction. A message is split into n blocks of length w. The final digest (here called hash) is the result of the hash function applied to the concatenation of the last block with the previous digest.

We have seen that a public address is the kth point on an elliptic curve. From there it’s a tiny step to a Bitcoin address. Two hash functions are applied and the resulting number is rendered with respect to base 58.
Being a poet deep down in my heart, some of my poems have leaked and have been used by a German band. It’s hard to prove being the actual author of my own poems. I therefore publish the digest of my poems on twitter. In my message serving as an input I include the poem, the date and my name. Users cannot see my poem yet and later have to buy the book.
Note that I store the original message locally. It’s important to store exactly the input message. Even the tiniest modification of the input will lead to a very different hash.

¹ Germany’s cryptography in WW2 was cracked thanks to the habit of signing messages with the same phrases.
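The commit-and-reveal idea of the poem passage, as an added example that is not part of the script. The digest of (poem, date, author) is published; later the inputs are revealed and anyone recomputes the digest. One detail the paragraph glosses over is how the three fields are combined: plain concatenation is ambiguous, so each field is length-prefixed before hashing. The poem, date and author below are constructed sample values.

```python
"""Commit now, reveal later: publish only the SHA-256 digest of a message."""
import hashlib


def encode_fields(*fields):
    """Length-prefix each field so that ("ab", "c") and ("a", "bc") cannot
    produce the same byte string. Each field becomes 4-byte length + UTF-8."""
    out = b""
    for field in fields:
        data = field.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def commit(poem, date, author):
    """The hex digest one would post publicly; the inputs stay private."""
    return hashlib.sha256(encode_fields(poem, date, author)).hexdigest()


def verify(published_digest, poem, date, author):
    """Anyone holding the revealed inputs can check them against the published post."""
    return commit(poem, date, author) == published_digest


def bit_difference(hex_a, hex_b):
    """Number of differing bits between two hex digests: a measure of how much a
    tiny change of the input scrambles the output (about half of 256 bits)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Constructed sample inputs (not the author's real poem)
POEM = "Roses are red, ledgers are long"
DATE = "2019-08-01"
AUTHOR = "T. S."
```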

2.3 Digital signatures


The goal here is not to encrypt a message but rather to send the message m with a signature (r, s) and the public key K (which is a function of the private key k) such that the receiver can verify that this message has indeed been compiled by the user with the public key K. An evil man in the middle may alter m (e.g. transferring to a different (his or her) account). However, s contains information derived both from the digest of m and the private key k.

2.3.1 Creating the signature


The message m is available as plain text. It could be a brief statement, an entire book or a transaction. To generate the signature we need to render m as a number of fixed length, hence we apply a hash function h, i.e. t = h(m). We also need a second random integer i. It’s important to use this number only once. Computer scientists call such numbers a nonce. Often its construction would involve the system time (e.g. the number of milliseconds that have passed since the start of the 70ies). In this context i is often called the ephemeral key.

• Pick a random number i in [1, N − 1] (the nonce, or ephemeral key).

• Compute the ith point of the elliptic curve, P = iG.

• Let r be the x coordinate of this point modulo N ≠ p, i.e. $r = x_P \bmod N$.

• The value s combines the hash of the message and the private key: $s = [i^{-1}(t + rk)] \bmod N$. It is infeasible to extract k given s.

• Publish m, the pair (r, s) and the public key K.

This algorithm is somewhat dangerous as k could be computed by using the same value for i twice.

2.3.2 Verifying the signature


The receiver can verify the message by computing a combination of the public key and the generator G

$(x_1, y_1) = u_1 G + u_2 K$

where the receiver chooses the coefficients as $u_1 = ts^{-1}$ and $u_2 = rs^{-1}$. Note that the receiver recomputes the hash digest t for the message m. It would not make sense to send t as it is not possible to convert t back into the message m. The signature is valid if $r \equiv x_1 \bmod N$, invalid otherwise.
This algorithm is indeed correct as the definition of the public key K = kG and the choice of coefficients yield

$(x_1, y_1) = (ts^{-1} + rs^{-1}k)G$

We multiply this equation with $1 = ii^{-1}$ and hence

$(x_1, y_1) = ii^{-1}(t + rk)s^{-1}G = iss^{-1}G = iG$.

The point $(x_1, y_1)$ is the familiar ith point of the elliptic curve, which the receiver reconstructed without explicit knowledge of i.

2.3.3 Source code for digital signatures


Here’s a more explicit version of the digital signature algorithm:

    from fastecdsa.curve import secp256k1 as curve
    import fastecdsa.keys as keys
    import hashlib
    from mod import Mod

    # every message needs to be hashed into a number
    def encrypt_string(hash_str):
        return int(hashlib.sha256(hash_str.encode()).hexdigest(), 16)

    # The private key is a random number from [1, n - 1] where
    # n is the order of the cyclic group generated by G
    private_key = keys.gen_private_key(curve)

    # The public key is
    public_key = curve.G * private_key

    # There are n solutions on the elliptic curve
    # including the point at "infinity"
    n = curve.q

    # We send the clear message ...
    message = "I love this lecture"

    # nonce
    i = keys.gen_private_key(curve)

    # nonce on elliptic curve
    P = curve.G * i

    # compute the signature
    r = Mod(P.x, n)
    inv_i = Mod(i, n).inverse()
    s = (inv_i * (Mod(encrypt_string(message), n) + r * private_key)).value
    # The sender transmits (r, s), the clear message and his public key
    # s depends on the private key and the hash code of the message.
    # However it is not possible to extract the private key from s

    # check the signature
    w = Mod(s, n).inverse()
    u1 = (w * encrypt_string(message)).value
    u2 = (r * w).value

    # addition of two residue classes and multiplication with Point
    assert (curve.G * u1 + public_key * u2).x == r.value

Listing 2.1: Digital Signature explicit

Now that you understand the concept it’s feasible to treat the digital signa-
ture as a black-box and implement it in a terser way:
from fastecdsa.curve import secp256k1 as curve
from fastecdsa import ecdsa
import fastecdsa.keys as keys
from hashlib import sha256

private_key = keys.gen_private_key(curve)
public_key = keys.get_public_key(private_key, curve)

# We send the clear message...
message = "I love this lecture"

# standard signature, returns two integers
r, s = ecdsa.sign(message, private_key, curve, hashfunc=sha256)

# should return True as the signature we just generated is valid.
valid = ecdsa.verify((r, s), message, public_key, curve, hashfunc=sha256)
assert valid

Listing 2.2: Digital Signature terse

2.4 A first blockchain


A blockchain doesn’t really make any sense when applied outside a network.
Here for educational purposes only we create an append-only container that
resembles some of the concepts underlying a blockchain.
A block here is a little unit storing a message m and a time t. It is
important that all blocks are distinct: no two blocks should contain
exactly the same message m and the same time t. The first block is typically
called the Genesis block. Of course we could now store all those containers
in a lengthy list, but then each block could be attacked individually. We create a strong link
between all those blocks via their hash values.
So the second block will store the hash digest of the first block as a
reference. And the third block will store a reference to the second block.
However, the digest for the second block will contain the digest of the first
block as an input. The chain is only consistent if the hash values stored
as reference can be recomputed. As soon as the message in the nth block
is tampered with it is impossible to confirm the new hash digest with the
reference in the (n + 1)th block which triggers an avalanche. All subsequent
blocks further downstream have to be recomputed.
Of course, this all reminds us of Arya Stark killing the Night King. As
a direct consequence all white walkers and all wights died, too. In our
blockchain there is no hierarchy other than the order induced by the chain
though.
Once the state of a block can no longer be modified we call such a block
immutable. One could argue that successfully modifying a block becomes a
lot harder the more blocks are following this block.

import json
from hashlib import sha256

class Block(object):
    def __init__(self, message, time, reference=None):
        self.message = message
        self.time = time
        self.reference = reference

    @property
    def hash(self):
        x = {"message": self.message, "time": self.time,
             "reference": self.reference}
        return sha256(json.dumps(x).encode()).hexdigest()


class Chain(object):
    def __init__(self):
        self.chain = []

    def append(self, message, time):
        # append a block to the chain

        # if there is at least one block in the chain
        if len(self.chain) >= 1:
            # compute the hash digest of the last block
            reference = self.chain[-1].hash
        else:
            reference = None

        # compute the Block
        block = Block(message=message, time=time, reference=reference)

        # append it to the chain
        self.chain.append(block)

    def __getitem__(self, item):
        return self.chain[item]

    @property
    def valid(self):
        for a, b in zip(self.chain[:-1], self.chain[1:]):
            if a.hash != b.reference:
                return False

        return True

chain = Chain()
chain.append(message="A", time=1)
chain.append(message="B", time=2)
chain.append(message="C", time=3)
chain.append(message="D", time=4)

# the chain is valid because the recomputed hash code
# for block n is matching the reference in block n+1
assert chain.valid

# we change the message of the 3rd block
# and therefore the hash code for Block 3
# is not matching the reference in Block 4
chain[2].message = "Thomas was here"
assert not chain.valid

Listing 2.3: A simple Blockchain

2.5 Symmetric cryptography


The classic problem of cryptography hasn’t been discussed yet. We do that
here. However, this and the next section are not of any relevance for the
blockchain.
Assume A wants to send a message to B, and only to B. Over the years
people have tried numerous ideas and gimmicks, e.g. invisible ink. Caesar’s
cipher is about shifting the alphabet by a fixed offset, e.g. an A would be a
C, a B becomes a D, . . ., Y maps to A and finally Z becomes a B. Of course, such
tricks are not exactly safe. One popular strategy was to share a key before-
hand. Of course, whenever we send data we essentially send binary numbers.
Let’s assume Thomas sends his favourite binary number to Maud. Thomas likes
the number
$$10011101_2.$$

However, only Maud shall be able to read this message. Therefore Thomas
sends Maud a key $0111_2$ and encrypts his message using the XOR operation
(exclusive OR) and some padding:

$$\begin{array}{r} 1001\,1101_2 \\ \oplus\ 0111\,0111_2 \\ \hline 1110\,1010_2 \end{array}$$

Hence Thomas sends Maud (obviously using two messages) the key $0111_2$
and the encrypted message $1110\,1010_2$. Maud decrypts the message of
Thomas using the same operation used by Thomas:

$$\begin{array}{r} 1110\,1010_2 \\ \oplus\ 0111\,0111_2 \\ \hline 1001\,1101_2 \end{array}$$

The problem here is that Thomas has to send the key to Maud. As soon as
an evil man in the middle has the key they can read (or even worse: alter) the
message sent from Thomas to Maud or vice versa. The idea of Diffie and
Hellman was to establish a key between two parties without ever sending
the key.

2.6 Diffie–Hellman key exchange


A and B may communicate on a dirty channel. To encrypt all communication
between them they perform a key exchange. A sends its public key $k_A \times G$ to
B and B sends the public key $k_B \times G$ to A. Hence A can compute $k_A k_B \times G$
without knowing $k_B$. B computes $k_B k_A \times G$ without knowing $k_A$; they both
end up with the same key as

$$k_A k_B \times G = k_B k_A \times G.$$

This idea is at the heart of the Elliptic curve Diffie–Hellman (ECDH)
algorithm. Both A and B now share a common key that has never been sent
across a channel.

This shared key can be used to perform more standard symmetric en-
cryption. The message m will be encrypted and decryption is only possible
for A or B.

from fastecdsa.curve import secp256k1 as curve
import fastecdsa.keys as keys

class User(object):
    def __init__(self):
        # generate a private key in [1, N-1] where N is
        # the number of points on the elliptic curve
        self.private_key = keys.gen_private_key(curve=curve)

    def dh(self, public_key):
        # Diffie Hellman key-exchange
        # public_key is here the public key of the counterparty
        return self.private_key * public_key

    @property
    def public_key(self):
        # the public key is not (!) a random number
        # the public key is the k-th point on the curve
        # where k is the private key
        return self.private_key * curve.G

A = User()
B = User()

print(A.dh(B.public_key))
print(B.dh(A.public_key))

Output:

X: 0xcb414a3d5...
Y: 0xb3d94d167...
(On curve <secp256k1>)
X: 0xcb414a3d5...
Y: 0xb3d94d167...
(On curve <secp256k1>)

Listing 2.4: Diffie–Hellman key exchange
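The signature algorithm of Section 2.3 and the key exchange of Section 2.6 both rest on scalar multiplication on secp256k1. The following is an added example, not code from this script or from fastecdsa: it implements the curve arithmetic in plain Python (the secp256k1 constants are the public domain parameters), the sign and verify steps with the symbols t, i, r, s, u1, u2 used above, the shared point k_A k_B G, and a defensive check that flags two signatures sharing the same r, which is exactly the nonce reuse the text warns about.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the curve fastecdsa imports as secp256k1):
# field prime p, group order N and generator G.
P_FIELD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(A, B):
    """Add two affine points; None stands for the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None                      # A == -B, so A + B is infinity
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)


def point_mul(k, A):
    """The k-th multiple kA, computed by double-and-add."""
    R = None
    while k:
        if k & 1:
            R = point_add(R, A)
        A = point_add(A, A)
        k >>= 1
    return R


def digest(m):
    # t = h(m): render the message as a number of fixed length
    return int(hashlib.sha256(m.encode()).hexdigest(), 16)


def sign(k, m, i=None):
    """ECDSA signature (r, s) of m under private key k with nonce i."""
    t = digest(m)
    i = i if i is not None else secrets.randbelow(N_ORDER - 1) + 1
    r = point_mul(i, G)[0] % N_ORDER            # x coordinate of iG mod N
    s = pow(i, -1, N_ORDER) * (t + r * k) % N_ORDER
    return r, s


def verify(K, m, sig):
    """Valid iff r == x1 mod N where (x1, y1) = u1 G + u2 K."""
    r, s = sig
    if not (0 < r < N_ORDER and 0 < s < N_ORDER):
        return False
    w = pow(s, -1, N_ORDER)
    u1, u2 = digest(m) * w % N_ORDER, r * w % N_ORDER
    X = point_add(point_mul(u1, G), point_mul(u2, K))
    return X is not None and X[0] % N_ORDER == r


def ecdh(k_own, K_other):
    """Shared point k_own * K_other; both parties obtain k_A k_B G."""
    return point_mul(k_own, K_other)


def nonce_reused(sig_a, sig_b):
    """Defensive check: two signatures with equal r were made with the same i."""
    return sig_a[0] == sig_b[0]


if __name__ == "__main__":
    k_A = secrets.randbelow(N_ORDER - 1) + 1     # private key of A
    K_A = point_mul(k_A, G)                      # public key of A
    sig = sign(k_A, "I love this lecture")
    assert verify(K_A, "I love this lecture", sig)
    assert not verify(K_A, "I love this lecture!", sig)
    k_B = secrets.randbelow(N_ORDER - 1) + 1
    assert ecdh(k_A, point_mul(k_B, G)) == ecdh(k_B, K_A)
```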



2.7 Summary
We have developed machinery to create valid transactions. Valid is a tech-
nical term here. It does not imply that the sender actually has the required
assets. Validity implies that the message m has indeed been sent by the user
with the public key K, i.e. nobody else has tampered with the message or
is pretending to be the user K.
At no stage should the private key k be revealed to a third party. If so,
the third party can indeed successfully pretend to be K.
The digital signature reflects the private key, the content of a message
and an ephemeral key i. It is most important to never reveal the private key
(or lose it) or apply a weak random number generator (or none if you are
Sony).
Bitcoin is not applying any key-exchange ideas as no encrypted messages
are sent around. Bitcoin is surprisingly transparent. Once a public address
of a particular user is known all his or her transactions can be searched for.
Privacy is certainly an issue here.
Key exchange is useful when sending secret messages across a dirty chan-
nel. Only the receiver and the sender can decrypt the message. No private
keys have to be sent around.

2.7.1 Further references and comments


We scratched the surface of modern cryptography. It is a fascinating exercise
to dig through this area with the eyes of a historian. I recommend starting
at the famous Zimmermann telegram sent by the Germans to the Mexicans
to encourage them to start war against the US in 1917. Their encryption
was based on a big telephone-book-like dictionary of words. Every word had
a number. The Russians managed to get hold of two copies of the book and
gave one to the British Marine. Germany had no idea that their efforts to
encrypt messages were useless.
In the Second World War the Germans used a refined but similar technique
based on a mechanical device (the Enigma machine). A few rotors had to
be brought into the correct position to read encrypted messages. England’s
best mathematicians helped to decipher German messages. Alan Turing is
probably the most famous of the thousands of people² working at Bletchley
Park near Milton Keynes.
The paradigm shift could have started already in 1973 when Clifford
Cocks invented public key cryptography while working for the British Government.
The UK decided to classify the algorithm and only revealed its existence in
1997. Meanwhile others had brought forward the same idea in 1977 (RSA,
Diffie-Hellman, etc.).
The US tried to stop the celebrated PGP algorithm and classified it as a
weapon, going after its inventor Phil Zimmermann. He published the entire
source code as a book, as exporting books was easier than dealing weapons.

² Most of them were women.

Exercise 7: Summary

• Given the private key $2^{254} + 2^{64} - 1$ compute the public key based
  on the secp256k1 curve.

• You run a huge online dating site. You maintain an internal
  database. For every user you store a hashed version of their pass-
  word. Hence your staff cannot see a clear version of any password.
  However, at some point you notice plenty of users have exactly the
  same hash digest stored. How could that be attacked so that the plain
  text could be reconstructed? Discuss how such a (dictionary) at-
  tack could be prevented.

• Explain how, when the same nonce is used twice for a digital signature,
  the private key could be computed from public data.
  In fact, the Sony Playstation 3 used a hard-coded ephemeral key
  to avoid the hassle of creating secure random numbers.

• You create a company. The company creates random private keys
  in [1, N − 1], computes the public key linked to the private key,
  hashes the private key twice and checks whether the resulting pub-
  lic address is in use and if so, how many bitcoins are linked to this
  address. Once you hit a valid address already in use (a collision)
  you transfer all coins to your account where all sorts of launder-
  ing is going on. Leaving ethical and legal questionsᵃ aside,
  argue whether that’s a good approach or how many addresses you
  should generate per second to have at least one hit per year. Any
  company providing wallets using a weak random number genera-
  tor can be attacked this way. A famous incident is the GateHub
  attack.

• Thomas and Maud are sending each other secret messages. They
  are using the elliptic curve from Fig. 1.1. Thomas is sending
  Maud his public key (23, 1). Maud is sending Thomas her public
  key (18, 20). What is their shared secret key? Hint: Determine
  first by careful inspection of the figure the private keys both for
  Thomas and Maud.

ᵃ Better discuss this with my friend Eelco Fielo.
Chapter 3

Distributed Ledger Technology

A purely peer-to-peer version of electronic cash would allow online payments
to be sent directly from one party to another without going through a
financial institution. Digital signatures provide part of the solution, but
the main benefits are lost if a trusted third party is still required to
prevent double-spending. We propose a solution to the double-spending
problem using a peer-to-peer network.

Satoshi Nakamoto

3.1 Centralized ledgers


Our little baby blockchain introduced in Section 2.4 could already serve as
a simple ledger. Each user could operate a little client (e.g. a program)
producing signatures which are sent with the message and public key of the
user to a central server where the ledger lives. The centralized blockchain
could verify the message and only append valid ones.


In fact, this approach is used heavily today. Companies such as Guard-
time run essentially logging services in the cloud. There are problems with
this approach. A blockchain isn’t really required. You can store all incoming
messages in a more standard database maintained by Guardtime. However,
the main problem is that the central authority (Guardtime) has far too much
power to apply the same concept for currencies. They can decide to manip-
ulate the ledger at any time.
This is a genuine pattern in the startup space. Numerous companies
claim to rely on Bitcoin technology, but note that a centralized chain does
not make any sense and should always be replaced with a more standard
database. Replacing a centralized database with a blockchain may serve as
a clever way to attract money from less sophisticated investors though.
Our new centralized database (which is replacing the centralized chain)
could be attractive though. It would be easy to refuse double-spending at-
tacks, block evil actors, enforce all sorts of constraints or collect some mem-
bership fees. However, it is against all underlying principles of the Bitcoin
network. Having only one central authority also opens the door wide for
attacks. As soon as the central server burns down no further entries into the
ledger can be made. The central authority is therefore the Night King! With
his death the ledger dies, and nobody would doubt that central authorities
can be evil.
A deep mistrust of central authorities was the motivation to create Bit-
coin in the first place. Satoshi Nakamoto¹ expressed his/her/their concerns:

The root problem with conventional currency is all the trust that’s
required to make it work. The central bank must be trusted not
to debase the currency, but the history of fiat currencies is full of
breaches of that trust. Banks must be trusted to hold our money
and transfer it electronically, but they lend it out in waves of
credit bubbles with barely a fraction in reserve. We have to trust
them with our privacy, trust them not to let identity thieves drain
our accounts.

Bitcoin fans call the centralized authority typically the mint.

¹ The name used by the pseudonymous person or persons who developed bitcoin.

3.2 Distributed ledgers

Bitcoin is opposing the idea of a centralized ledger. It relies on the idea
that every node maintains its own ledger, not just a copy of a centralized
ledger. It is therefore most important that the ledgers are kept in synchro-
nization, i.e. the nodes need to find consensus. Finding consensus in a peer-
to-peer network was a problem that had been solved before, but somehow
Nakamoto managed to pull it all together and create not just a little gem of
a paper but also the first version of the software underlying all nodes.
Nakamoto published the paper in an obscure online forum but he/she/they
failed to give credit to all those academics that had worked on various of the
sub-problems before. The paper and the way it was given to the world was
certainly radical and new. Unlike many academics he/she/they didn’t care
about publication within a prestigious journal and delivered the paper
with a first version of the product rather than just describing the idea.
Every node will accumulate transactions submitted by other nodes to the
network. A node will verify signatures and only forward valid transactions
to its peers. A node starts to pile up transactions that do not contradict
each other or spend coins the submitting node wouldn’t have. A node is
trying to compile a block. Each node may compile a slightly different block.
In particular, the block will contain a link to the previous block as a reference.
This could easily result in mayhem. Assume thousands of nodes submit
their blocks in parallel. Here’s a hack to resolve this problem. Each block
contains a nonce field i. The node creating a block can fill this field with
an arbitrary number! The network will only accept blocks where the hash
digest of the block stays below a threshold. Remember, a hash digest is just
a number. Hence every node will test numerous integer values for i until the
node has found a suitable i. Once the node has found a nonce such that
the hash digest of the block is below the threshold, the miner may or may
not share this block with the network. A miner may decide to hold back the
block and try to mine a second block following his/her block in order to attack
the latest block that just got added. For now we have a somewhat naive
trust in the honesty of actors and assume the miner publishes the new
block instantaneously to secure his/her coins. Other nodes will then verify
this new block and the game starts again.
The nodes will continue to mine but obviously they have to start from
scratch again as now a new reference is included in the block. In particular,
it doesn’t make any sense to produce multiple blocks and store them for later
usage.
This idea is called proof-of-work. Given that thousands of nodes are ex-
perimenting with different values for i and compute hash digests this process
is causing the horrendous and widely criticized energy consumption of the
bitcoin network. In reality only a small fraction of nodes is actively trying
to mine blocks and the days you could mine from your private PC are long
gone.
Note that there are other protocols to establish consensus. Currently the
Casper protocol relying on a Proof of Stake is a hot topic.
Miners are racing to establish the next block but also verify the suggested
blocks by their competitors to reenter the race for the next block. Today there
are variations of this idea but we shall not discuss them yet.
Note that there are various rather dubious companies out there trying to
sell you access to their mining infrastructure.
The difficulty for the mining race is controlled by the threshold level which
is adjusted on a regular basis.
This year we have also seen a bitcoin halving.

3.3 A toy blockchain


Let’s create a tiny network (or a graph) with Thomas, Maud, Heloise, Peter
(Abelard) and Fulbert. To simplify our discussion we assume that each of
them is a full node and is participating in the mining process.
We have already learnt how to sign transactions. Such signatures are
used to verify the authenticity of any transaction, e.g. Thomas cannot create
a transaction such as Fulbert sending n = 1000 coins to Thomas. Only
Fulbert can transfer coins of Fulbert.
Fulbert owns n = 1000 coins. He wants to transfer 800 coins to his niece
Heloise and 300 coins to Abelard. Note that at least one of these transactions
is not possible and should be rejected. Fulbert’s balance cannot go negative.
The classic answer to solve this problem would be a central authority,
e.g. Michael Rockinger who is not evil (yet). The core idea of the ideology
underlying Bitcoin is to refuse such central authorities. Satoshi Nakamoto
introduced a powerful idea to address this problem without such an authority.
Fulbert first sends 800 coins to Heloise. Maud spots the transaction
and can confirm (using the signature) that it is valid. She could confirm the
transaction. A second later Fulbert sends 300 coins to Peter. Thomas detects
this transaction without having seen the transaction for Heloise. He could
confirm the transaction. The order of incoming transactions is somewhat
arbitrary as they do not propagate instantaneously. Speed on the network
depends on geography and the technology used. If both Maud and Thomas
confirm the transactions the situation will be a mess. The entire network
needs to reach consensus.
We have to first abolish the idea of an approach going transaction by
transaction. We go block by block and each block shall consist of hundreds
or thousands of transactions. On average a new block is added every 10
minutes.
We quickly address transaction fees. Fulbert sending 800 coins to Heloise
will actually send 801.5 coins away. The difference of 1.5 coins is a transaction
fee and it will go to the node releasing the block with Fulbert’s transaction.
If Fulbert is not sending any transaction fee, no other node would be keen
to include Fulbert’s transaction in a block. Each block can take only a very
limited number of transactions. Note that Fulbert can decide how much
transaction fee he is offering. There is no automatic rate.
Each node maintains a mempool of valid transactions. Typically all those
pools are slightly different. As indicated above, Thomas has seen the trans-
action for Peter before the transaction for Heloise. He may miss certain
transactions Maud is aware of or vice versa. Also Thomas may consider only
transactions with a healthier transaction fee.
Thomas may hold enough transactions for 3 blocks in his pool. Maud
could even fill 4 blocks. A block consists of

• a version number
• a reference to the previous block
• a timestamp
• the threshold parameter
• an integer picked by the node releasing the block
• the Merkle root of all transactions

The mining problem is simple. Each node is trying to find an integer such
that the Hash digest of the entire block is below the threshold. Over the
years the threshold got smaller and therefore the mining problem got a lot
harder.
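As an added example (not code from this script), here is a toy proof-of-work over blocks with the fields just listed: a simplified Merkle root of the transactions (not Bitcoin’s exact serialization), a nonce search until the block digest stays below the threshold, and a validity check that shows why tampering with block n breaks the reference stored in block n + 1, so every later block would have to be mined again. The transactions and the threshold are constructed sample values.

```python
import hashlib
import json

# Constructed toy threshold: the digest must have 14 leading zero bits, so
# a node tries about 2**14 nonces per block (Bitcoin's threshold is far lower).
THRESHOLD = 2 ** (256 - 14)


def merkle_root(txs):
    """Simplified Merkle root: hash each transaction, then pair up layers."""
    layer = [hashlib.sha256(t.encode()).hexdigest() for t in txs]
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])          # duplicate the odd last node
        layer = [hashlib.sha256((a + b).encode()).hexdigest()
                 for a, b in zip(layer[::2], layer[1::2])]
    return layer[0]


def block_digest(block):
    """Hash digest of the entire block, as an integer (a number, not text)."""
    data = json.dumps(block, sort_keys=True).encode()
    return int(hashlib.sha256(data).hexdigest(), 16)


def mine(reference, txs, time, threshold=THRESHOLD):
    """Try nonces i = 0, 1, 2, ... until the block digest is below threshold."""
    block = {"version": 1, "reference": reference, "time": time,
             "threshold": threshold, "nonce": 0, "merkle_root": merkle_root(txs)}
    while block_digest(block) >= threshold:
        block["nonce"] += 1
    return block


def chain_valid(chain):
    """Each block must satisfy its threshold and reference its predecessor."""
    for n, block in enumerate(chain):
        if block_digest(block) >= block["threshold"]:
            return False
        expected = None if n == 0 else hex(block_digest(chain[n - 1]))
        if block["reference"] != expected:
            return False
    return True


def build_chain(blocks_txs):
    """Mine one block per list of transactions, each referencing the last."""
    chain = []
    for time, txs in enumerate(blocks_txs, start=1):
        reference = None if not chain else hex(block_digest(chain[-1]))
        chain.append(mine(reference, txs, time))
    return chain


if __name__ == "__main__":
    # constructed sample transactions
    chain = build_chain([["Fulbert -> Heloise 800"],
                         ["Fulbert -> Peter 300", "Maud -> Thomas 1"],
                         ["Thomas -> Maud 2"]])
    assert chain_valid(chain)
    # tampering with block 1 changes its digest: the threshold and/or the
    # reference kept in block 2 no longer match, even after re-mining block 1
    chain[1]["merkle_root"] = merkle_root(["Fulbert -> Peter 3000"])
    assert not chain_valid(chain)
    chain[1] = mine(chain[1]["reference"], ["Fulbert -> Peter 3000"], 2)
    assert not chain_valid(chain)
```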
Let’s assume the block k = 1211 has just been released by Maud. All the
other nodes need to erase transactions from their lists that are contained in
Maud’s block. In an ideal world they all start to work on block k = 1212.
In fact, they certainly couldn’t precompute the block k = 1213 as this block
will need a reference to the block k = 1212 which does not exist yet.
Thomas now takes the transactions that haven’t been covered by Maud
and are still in his list and computes a Hash Digest for them. For the next
few minutes Thomas is busy computing hash values until he manages to stay
below the threshold. All transactions that pop up while Thomas is computing
hash values are for now ignored but make it on his private list of pending
trades.
As we all know, Fulbert is a somewhat evil character; he will ignore Maud’s
recent block and will not try to compute block k = 1212. Indeed, he decides
to compute an alternative block k = 1211 which may not contain a huge
transaction he has made to poor Peter.
Let’s assume Fulbert succeeds and publishes his block k = 1211 a few
seconds after Maud. Most other participants still try to compute k = 1212
based on Maud’s block, but Fulbert is very powerful. He is now racing to
compute k = 1212 based on his k = 1211 block. Fulbert may release a valid
k = 1212 block before everybody else. He is attacking Maud’s 1211 block
by releasing two blocks. Since Fulbert is so much richer he has a lot more
hashpower and the network essentially becomes centralised.
Chapter 4

Money

It’s gold for nerds.

Stephen Colbert

Drawbacks of cash?
Should transactions be transparent?
What is money? Is Bitcoin money?
What 3 properties define money? Is the US Dollar a good store of value?
