Lecture 2: Creating a digital currency
Desirable properties of a good digital ledger
- No deletion
- Temporal ordering
- Global consensus
- Semantic correctness
- Live - writable, no DOS, no censorship
Attempts to create a digital currency in the increasing order of sophistication.
- A signing key based approach can confirm the authenticity of the transaction but cannot prevent double-spend.
- Append-only ledger with signing keys ensures a temporal ordering and global consensus, thus, prevents double-spending. Sign “new transaction + hash of the previous transaction”. But if there is a single trusted signing authority, it can still give different signing blocks to the different parties and engage in double-spend. Or it can append invalid transactions to the ledger.
- To reduce the risk, we can have n signers and require k <= n signers required for a transaction to be a valid part of the ledger.
- Further safety can be ensured by rotating the trusted signers. The signers will build on (one of the) longest valid chain. The signer will reject any chain with a bad block in it. If the majority of the signers is honest, this works. Otherwise, it does not. A malicious actor can perform a Sybil attack on the system by generating tons of signers who are participating in the system and hence, a majority of signers might end up representing a single entity.
- Bitcoin (Nakamoto consensus) treats everyone as a trusted signer. The signer in round n is the first signer to solve a proof-of-work (PoW) puzzle. There are no signing keys anymore. The random nonce of the block which leads to H(block) <2256 - d suffices as the valid proof of signing. Two signers can end up signing simultaneously, but eventually, one of the chains will become longest and wins. Each block ~ 1MB and each transaction ~512 bytes. After your transaction ends up in a block, wait for up to 6 blocks to ensure that a different chain won’t become the longest one. Majority of the mining power should be honest though, 51% attack is possible on Bitcoin.