Bitcoin Script
TRANSCRIPT
Page 1
Class 12: Script
Cryptocurrency Cabal, cs4501 Fall 2015
David Evans and Samee Zahur, University of Virginia
Page 2
Plan for Today
Hash Collisions (Checkup 2 Revisions)
Bitcoin Script
  Language
  Transactions
Reminders
PS2 is due Friday at 8:29pm
Project Ideas
Midterm October 19
Monday: Guest lecture from Tom Dukes
Page 3
Cryptographic Hash Desiderata
Pre-image resistance: given a z, hard to find any x such that H(x) = z.
Collision resistance: hard to find any pair of different values x, y such that H(x) = H(y).
Efficient to compute (?)
Page 4
Hash Functions in Bitcoin
A. Producing the public bitcoin address by hashing the public key.
B. Producing a transaction digest for use as the input in signing a transaction.
C. Producing the Merkle tree root for authenticating the transactions in a block (using hashes all the way up the tree).
D. Producing the hash of the previous block to use in the block header.
E. Producing the double hash of the block (with nonces) to find a block that satisfies the difficulty needed in mining.
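Items C, D and E above all rest on the same double-SHA256 primitive. The following is an added example, not code from the slides or from Bitcoin Core: it builds a Merkle root over constructed transaction ids (duplicating the last id of an odd level, as Bitcoin does), commits to a previous block hash, and searches nonces until the double hash falls below a toy target. The header layout is simplified (Bitcoin's real 80-byte header also carries version, timestamp and difficulty bits), and the sample ids are made up here.

```python
# Added example (not from the slides or Bitcoin Core): the double-SHA256
# uses from items C, D and E, run on constructed data.  The block header
# is simplified to prev_hash || merkle_root || nonce.
import hashlib
import struct


def dsha256(data):
    """Bitcoin's 'double hash': SHA256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids):
    """Item C: hash pairs of 32-byte ids all the way up the tree.

    An odd-length level duplicates its last element (Bitcoin's rule);
    a block with a single transaction has that id as its root.
    """
    if not txids:
        raise ValueError("a block has at least one transaction")
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def header_hash(prev_block_hash, root, nonce):
    """Items D and E: the header commits to the previous block's hash and
    the Merkle root; the 32-bit nonce is the field miners vary."""
    header = prev_block_hash + root + struct.pack("<I", nonce)
    return dsha256(header)


def meets_target(block_hash, target):
    """A block qualifies when its hash, read as a little-endian integer,
    is below the target (lower target = higher difficulty)."""
    return int.from_bytes(block_hash, "little") < target


def mine(prev_block_hash, root, target, max_nonce=1 << 32):
    """Item E: try nonces until the double hash satisfies the target."""
    for nonce in range(max_nonce):
        if meets_target(header_hash(prev_block_hash, root, nonce), target):
            return nonce
    raise RuntimeError("no nonce found in range")


# Constructed sample input: three fake transaction ids.
SAMPLE_TXIDS = [hashlib.sha256(b"tx%d" % i).digest() for i in range(3)]
GENESIS_PREV = bytes(32)  # the first block has no predecessor
# Toy target: roughly 1 in 2**12 hashes qualifies, so the search is quick.
TOY_TARGET = 1 << (256 - 12)

if __name__ == "__main__":
    root = merkle_root(SAMPLE_TXIDS)
    nonce = mine(GENESIS_PREV, root, TOY_TARGET)
    print("merkle root:", root.hex())
    print("nonce:", nonce, "hash:", header_hash(GENESIS_PREV, root, nonce).hex())
```

The structure makes the quiz on the later slides concrete: a collision in `dsha256` would let two different transaction sets share a Merkle root (item C), while mining (item E) only ever needs pre-images below a threshold, which a collision finder does not provide.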
Page 5
Generating a Bitcoin Address
generate random secret key k: 256 random bits
Image: http://spectrum.ieee.org/computing/hardware/behind-intels-new-randomnumber-generator
Page 6
Generating a Bitcoin Address
Compute point U = Gk on secp256k1 curve, giving coordinates Ux, Uy
G = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8
Page 7
Generating a Bitcoin Address
Hash the public key: RIPEMD160(SHA256(Ux || Uy))
Page 8
generate random secret key k: 256 random bits
Compute point U = Gk on secp256k1 curve, giving coordinates Ux, Uy
RIPEMD160(SHA256(Ux || Uy))
Prepend version prefix: 1 || RIPEMD160(SHA256(Ux || Uy))
Checksum: first 4 bytes of SHA256(SHA256(1 || RIPEMD160(SHA256(Ux || Uy))))
1 || RIPEMD160(SHA256(Ux || Uy)) || 4-byte checksum
Base58 encoding (unambiguous printable characters)
Public Bitcoin Address
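The whole pipeline on this slide, as an added example in pure Python plus hashlib (not the slides' own code and not Bitcoin Core's). Assumptions: a textbook double-and-add scalar multiplication with no side-channel hardening, and the real serialization of an uncompressed public key, which is 04 || Ux || Uy (the same 04 prefix the slide shows on G; the diagram's RIPEMD160(SHA256(Ux || Uy)) omits it). The version prefix is the byte 0x00, which Base58 renders as the leading "1" in the diagram. hashlib's ripemd160 is supplied by OpenSSL and is absent on some OpenSSL 3 builds, so `hash160` fails loudly in that case.

```python
# Added example (not from the slides or Bitcoin Core): private key ->
# kG on secp256k1 -> hash160 -> Base58Check address.
import hashlib

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_P, generator G, order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (GX, GY)


def point_add(p1, p2):
    """Affine addition on the curve; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point=G):
    """k*G by double-and-add (toy: not constant time).  None when k is a multiple of N."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def on_curve(point):
    x, y = point
    return (y * y - x * x * x - 7) % P == 0


def hash160(data):
    """RIPEMD160(SHA256(data)), the diagram's inner hash step."""
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError as exc:   # hashlib build without OpenSSL's ripemd160
        raise RuntimeError("ripemd160 not available in this hashlib build") from exc


B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check(version, payload):
    """version || payload || first 4 bytes of SHA256(SHA256(version || payload)),
    in base58, with one leading '1' per leading zero byte."""
    body = version + payload
    checksum = hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]
    raw = body + checksum
    num = int.from_bytes(raw, "big")
    digits = ""
    while num:
        num, rem = divmod(num, 58)
        digits = B58[rem] + digits
    leading = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading + digits


def address_from_private_key(k):
    """The slide's pipeline: k -> kG -> hash160 -> Base58Check."""
    if not 1 <= k < N:
        raise ValueError("private key must be in [1, N-1]")
    ux, uy = scalar_mult(k)
    pubkey = b"\x04" + ux.to_bytes(32, "big") + uy.to_bytes(32, "big")
    return base58check(b"\x00", hash160(pubkey))   # 0x00 version -> leading '1'


if __name__ == "__main__":
    print(address_from_private_key(1))
```

`base58check` is shared by the address and the checksum discussion on this slide: the 4-byte checksum catches typos in a pasted address before any coins are sent, and the leading-zero rule is why every such address starts with "1".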
Page 9
How dangerous are RIPEMD160 collisions?
Page 10
How dangerous are RIPEMD160 + SHA256 collisions?
Page 11
How dangerous is a RIPEMD160 + SHA256 pre-image break?
Page 12
Is there anywhere a SHA-256 collision break would be exploitable?
A. Producing the public bitcoin address by hashing the public key.
B. Producing a transaction digest for use as the input in signing a transaction.
C. Producing the Merkle tree root for authenticating the transactions in a block (using hashes all the way up the tree).
D. Producing the hash of the previous block to use in the block header.
E. Producing the double hash of the block (with nonces) to find a block that satisfies the difficulty needed in mining.
Page 13
Is there anywhere a SHA-256 pre-image break would be exploitable?
A. Producing the public bitcoin address by hashing the public key.
B. Producing a transaction digest for use as the input in signing a transaction.
C. Producing the Merkle tree root for authenticating the transactions in a block (using hashes all the way up the tree).
D. Producing the hash of the previous block to use in the block header.
E. Producing the double hash of the block (with nonces) to find a block that satisfies the difficulty needed in mining.
Page 14
SHA-256 Collisions?
Do there exist two different values, x and y, such that SHA256(x) = SHA256(y)?
Page 15
Recall birthday attack: probability of finding a collision is negligible with fewer than 2^128 inputs.
Page 16
Does anyone actually know such values today?
Page 17
What about RIPEMD160?
Do there exist two different values, x and y, such that RIPEMD160(x) = RIPEMD160(y)?
Does anyone actually know such values today?
Page 18
Xiaoyun Wang
Page 19
Differential Cryptanalysis
Discovered openly in 1991
Page 20
Known secretly to IBM and NSA in 1974 (DES design strengthened against it)
Page 21
Differential Cryptanalysis (figure)
Page 22
How worried should we be about SHA-256?
Page 23
Best known collision attacks work only on a reduced-round version (31 instead of 64 rounds) and still have high complexity (2^65 instead of the generic 2^128).
Page 24
Bitcoin Transactions
http://blockexplorer.bitcoin-class.org/rawtx/f2d90b4ee862c328f42fb24ca5a84051a495af1de0f8d129a5b33cd98822719a
Transaction outputs include programs written in "Script"
Page 25
Script Language
Stack-based (similar to JVML)
~80 opcodes (many have been deprecated)
Late addition to bitcoin design
Lots of limitations in what nodes will accept: altcoins are taking different approaches
Page 26
Interpreting Script
OP_1 OP_DUP OP_ADD OP_DUP OP_SUB OP_VERIFY
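To step through the script on this slide, here is a small interpreter added as an example (it is neither the slide's code nor Bitcoin Core's interpreter.cpp). It covers the opcodes used above plus OP_EQUAL and OP_EQUALVERIFY, and applies Bitcoin's validity rule: the script must run to completion without a failed VERIFY and leave a true value on top of the stack. Simplification, labelled as such: stack items are Python ints, whereas real Script manipulates byte vectors and treats the empty vector and zero as false; the helper names are this example's own.

```python
# Added example (not from the slides or Bitcoin Core): a minimal stack
# interpreter for OP_0..OP_16, OP_DUP, OP_ADD, OP_SUB, OP_EQUAL,
# OP_VERIFY and OP_EQUALVERIFY.  Stack items are ints (simplification).
from typing import List, Tuple


class ScriptFailure(Exception):
    """Raised when a script fails; a transaction using it is invalid."""


def _pop(stack: list) -> int:
    if not stack:
        raise ScriptFailure("stack underflow")
    return stack.pop()


def step(op: str, stack: list) -> None:
    """Execute one opcode against the stack, in place."""
    if op.startswith("OP_") and op[3:].isdigit() and int(op[3:]) <= 16:
        stack.append(int(op[3:]))               # OP_0 .. OP_16 push a small number
    elif op == "OP_DUP":
        if not stack:
            raise ScriptFailure("OP_DUP on empty stack")
        stack.append(stack[-1])
    elif op == "OP_ADD":
        b, a = _pop(stack), _pop(stack)
        stack.append(a + b)
    elif op == "OP_SUB":
        b, a = _pop(stack), _pop(stack)         # a sits below b: result is a - b
        stack.append(a - b)
    elif op == "OP_EQUAL":
        b, a = _pop(stack), _pop(stack)
        stack.append(1 if a == b else 0)
    elif op in ("OP_VERIFY", "OP_EQUALVERIFY"):
        if op == "OP_EQUALVERIFY":
            step("OP_EQUAL", stack)
        if _pop(stack) == 0:                    # false on top: the script fails
            raise ScriptFailure(op + " failed")
    else:
        raise ScriptFailure("unknown or unsupported opcode " + op)


def run(script: str) -> Tuple[bool, List[int]]:
    """Run a whitespace-separated script and return (valid, final stack).

    Valid means: no opcode failed, and a true (non-zero) value is on top.
    """
    stack: List[int] = []
    try:
        for op in script.split():
            step(op, stack)
    except ScriptFailure:
        return False, stack
    return bool(stack) and stack[-1] != 0, stack


SLIDE_SCRIPT = "OP_1 OP_DUP OP_ADD OP_DUP OP_SUB OP_VERIFY"

if __name__ == "__main__":
    print(run(SLIDE_SCRIPT))                            # (False, [])
    print(run("OP_1 OP_DUP OP_ADD OP_2 OP_EQUAL"))      # (True, [1])
```

Tracing the slide's script: OP_1 pushes 1, OP_DUP and OP_ADD leave 2, the second OP_DUP and OP_SUB compute 2 - 2 = 0, and OP_VERIFY pops that 0 and fails, so an output guarded by this script could never be spent. Dropping the final OP_VERIFY does not rescue it either: the run ends with 0 on top, which also counts as failure.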
Page 27
Is Script Turing-Complete?
Page 30
Interpreting Script
Page 31
https://github.com/bitcoin/bitcoin/blob/v0.1.5/script.cpp#L41
Page 32
https://github.com/bitcoin/bitcoin/blob/v0.1.5/script.cpp#L58
Page 33
Interpreting Script
https://github.com/bitcoin/bitcoin/blob/41e6e4caba9899ce7c165b0784461c55c867ee24/src/script/interpreter.cpp#L524
Page 34
https://github.com/bitcoin/bitcoin/blob/41e6e4caba9899ce7c165b0784461c55c867ee24/src/script/interpreter.cpp#L524
Version 0.1
Latest
Project idea: look at how bitcoin core code has evolved over time
Page 35
Charge
PS2 Due Friday
Monday's class: Tom Dukes, UVa Cyberlaw, State Department