Bit-based system: bits can be copied (double spending)
Token-based representation: like actual coins
Account-based representation: like banks that store your value for you, you have to trust them
Bit-coin is still an account-based system, but it's distributed and less trust needs to be put in. No central authority.
Let's think of what an electronic system would look like
u
has some public key pk_u
and some secret key sk_u
.pk_b
and secret
key sk_b
and can certify user u
cert(u, pk_u) = sign_{sk_b}(u | pk_u)
sign_{sk_u}("Pay Bob $100, date, ser #")
u
multiple times using the same checkProperties that a currency or monetary system might have that the check system above does not? Or properties in general!
Can be hard to prevent system rollback, which can lead to double spending. Can you detect it?
What would an electronic coin look like?
Diagram:
TTP (bank accounts)
/ *
/ \
withdrawal / \ deposit
/ \
* \
Alice -------> Bob
payment
Coin:
R
that is the coin's ID with a digital signature from
the bank s = sign_{sk_bank}(R)
c = R,s
{r1, r2, ...,}
to prevent double spendingc = R, s
c
is unspent, until it's too latec
but the bank cannot
identify who is double spending the coin
c
he got from AliceMixes a few ideas:
The history of all transactions is public! Not maintained by trusted party, but via a broadcast system.
How do you identify parties? What are the identities?
Public ledger: for each account, how much value is there in it?
Money is created by those maintaining the public ledger (miners)
Transaction details:
Diagram:
head node (just added)
|---------------------| |------------------------|
-------> | Block n-1 | ------------> | Block n |
| --------- | | ------- |
| h_{n-2}, nonce | | h_{n-1}, nonce' |
| T1, T2, ..., Ti | | T1', T2', ..., Ti' |
|---------------------| |------------------------|
h_{n-1} = H(block_{n-1}) h_{n} = H(block_{n})
must have k leading 0's must also have k leading 0's
and note that block_{n}
includes the previous h_{n-1}
miner has to adjust nonce'
until h_{n} has k leading 0's
Diagram for forking:
|------------------------| |---------------------|
------------> | Block n-1 | --------------> | Block n |
| --------- | | ------- |
| h_{n-2}, nonce | ---\ | h_{n-1}, nonce |
| T1, T2, ..., Ti | \ | T1, T2, ..., Ti |
|------------------------| \ |---------------------|
\
\
\ |---------------------|
\----> | Block n' |
| |
| prev hash(n), nonce |
| T1', T2', ..., Ti' |
|---------------------|
It can happen that two miners came up with a block at the same time and both add it, forking the chain
[] -> [] -> [] -> [] -> []
\
A->B -> []
Rule of thumb: wait like 6 blocks to make sure the incorporated blocks are really there and are not part of a fork that died
Scalability: