Chapter 1 Introduction to Cryptography and Cryptocurrencies

In fiat currencies, law enforcement is necessary for stopping people from breaking the rules of the system.Howerver,Cryptocurrencies need to be enforced purely technologically and without relying on a central authority.

• 传统法定货币(fiat currencies)，使用法律手段来确保安全性。但加密货币(cryptocurrencies)采用存粹的技术手段来保证安全性。

Bitcoin relies on only a handful of relatively simple and well-known cryptographic constructions: cryptographic hashes and digital signatures,zero-knowledge proofs.

• 比特币依赖哈希(hashes), 数字签名(digital signitures)以及零知识证明(zero-knowledge proofs).

1.1 CRYPTOGRAPHIC HASH FUNCTIONS

Properties of a hash fuction:

1. Its input can be any string of any size.
2. It produces a fixed-sized output.
3. It is efficiently computable.More technically, computing the hash of an n-bit string should have a running time that is O(n).

• 哈希函数(Hash function)属性:
  输入可以是任何长度的字符串；
  产生固定长度的输出；
  时间复杂度O(n),即n位的输入所需要的计算时间是O(n).

Three additional properties to be secure for a hash function:

1. collision resistance
2. hiding
3. puzzle friendliness

• 三个额外的属性
  collision resistance
  hiding
  puzzle friendliness

1.1.1 Collsion resistance

Collsion resistance:
A hash function H is said to be collision resistant if it is infeasible to find two values, x and y, such that x ≠ y, yet H(x) = H(y).
A collision occurs when two distinct inputs produce the same output.
Consider the following simple method for finding a collision for a hash function with a 256-bit output size: pick 2256 + 1 distinct values, compute the hashes of each of them.

• collision resistance :
  除了穷举遍历，没有人能找到高效(efficient)的方法去实现 : x ≠ y, 有 H(x) = H(y)。但碰撞(collision)对于每个哈希函数都是客观存在的。因为，给定 2^256 + 1^ 个不同的输入，对于一个结果长度固定在256位的哈希函数而言，一定会产生碰撞。
  关于高效(efficient)的理解，哈希函数: H(x)= x mod 2²⁵⁶ 可以很容易推算出3和**3 + 2²⁵⁶**会映射到相同的结果，所以不符合这一属性。

APPLICATION: MESSAGE DIGESTS
To ensure file integrity:
the file people download is the same as the one he uploaded to a online file storage system.
That is, Compare the hash of the downloaded file to the local copy.

• 应用：通过比较网络文件和本地文件的哈希值，来验证二者是否相同。

1.1.2 Hiding

Hiding:
A hash function H is said to be hiding if when a secret value r is chosen from a probability distribution that has high min-entropy, then, given H(r ‖ x), it is infeasible to find x.
The hiding property asserts that if we’re given the output of the hash function y = H(x), there’s no feasible way to figure out what the input, x, was

• r和x做链接，得到H(r || x)，其中 r 符合high min-entropy的概率分布，这样则没有可行的方法在已知输出的情况下推算出输入x是什么。

APPLICATION: COMMITMENTS
commitment：
the digital analog of taking a value, sealing it in an envelope, and putting that envelope out on the table where everyone can see it.
---------------------------------------------------
Commitment scheme：
com := commit(msg, nonce) ： The commit function takes a message and secret random value, called a nonce, as input and returns a commitment.
verify(com, msg, nonce) ： The verify function takes a commitment, nonce, and message as input. It returns true if com == commit(msg, nonce) and false otherwise.
-------------------------------------------------------
Two security peoperties:
Hiding: Given com, it is infeasible to find msg.
Binding: It is infeasible to find two pairs (msg, nonce) and (msg′, nonce′) such that msg ≠ msg′ and commit(msg, nonce) == commit(msg′, nonce′).

• Commitment: 将一个数据放在封好的信封里，并且放在桌子上向人们展示。
  -------------------------------
  Commitment scheme：
  com := commit(msg, nonce) ： 函数commit以msg和nonce为参数，返回一个commitment
  verify(com, msg, nonce) ： 函数verify以commitment, nonce, message为参数。返回 com == commit(msg, nonce).
  ------------------------------------
  Two security peoperties:
  Hiding: 对于给定的com，无法找到msg。
  Binding: 当msg != msg’时，commit(msg, nonce) != commit(msg’,nonce’)

To use a commitment scheme ：
We first need to generate a random nonce. We then apply the commit function to this nonce together with msg, the value being committed to, and we publish the commitment com. This stage is analogous to putting the sealed envelope on the table. At a later point, if we want to reveal the value that we committed to earlier, we publish the random nonce that we used to create this commitment, and the message, msg. Now anybody can verify that msg was indeed the message committed to earlier. This stage is analogous to opening the envelope.

• commitment的流程

1. 生成随机nonce
2. 使用com:=commit(nonce,msg)
3. 公布com

Implemetation of a commitment scheme：
commit(msg, nonce) := H(nonce ‖ msg).
Nonce is a random 256-bit value.
Then, concatenate the nonce and the message.
Return the hash of this concatenated value as the commitment.

• commit(msg, nonce) := H(nonce ‖ msg).
  nonce 是一个256位的值
  然后将nonce 和 msg连接
  最后返回计算好的哈希值，作为commitment

1.1.3 Puzzle Friendliness

Puzzle friendliness. A hash function H is said to be puzzle friendly if for every possible n-bit output value y, if k is chosen from a distribution with high min-entropy, then it is infeasible to find x such that H(k ‖ x) = y in time significantly less than 2ⁿ.

• Puzzle friendliness：对于如果每一个的n位的结果，如果k符合high min-entropy分布，则不能在2ⁿ的时间找到x使得H(k ‖ x) = y 。

Intuitively, if someone wants to target the hash function to have some particular output value y, and if part of the input has been chosen in a suitably randomized way, then it’s very difficult to find another value that hits exactly that target.

• 已知y，已知k(符合随机分布)，很难找到x。

APPLICATION: SEARCH PUZZLE
A search puzzle consists of
• a hash function, H,
• a value, id (which we call the puzzle-ID), chosen from a high min-entropy distribution
• a target set Y.

A solution to this puzzle is a value, x, such that
H(id || x) ∈ Y

• 一个search puzzle包括
  一个哈希函数H ;
  一个符合high min-entropy分布的puzzle-ID ;
  一个目标集Y ;

If a hash funtion is puzzle friendly, then there’s no solving strategy for this puzzle that is much better than just trying random values of x.

• 对于一个puzzle friendly的哈希函数，一个个随机地试x的值是最好的求解方法。

1.1.4 SHA-256

Merkle-Damgård transform
As long as we can build a hash function that works on fixed-length inputs, there’s a generic method to convert it into a hash function that works on arbitrary-length inputs.

• Merkle-Damgård transform
  只要我们能构建一个可以处理定长输入的哈希函数，则就可以转换成一个可以处理随意长度的哈希函数。

Compression function
the underlying fixed-length collision-resistant hash function is called the compression function.

• Compression function
  可以处理定长输入的collision-resistant的哈希函数。

The process of Merkle-Damgård transform
Suppose that the compression function takes inputs of length m and produces an output of a smaller length n.
The input to the hash function, which can be of any size, is divided into blocks of length m – n.
The construction works as follows: pass each block together with the output of the previous block into the compression function.
Input length will then be (m – n) + n = m.

• 首先，我们有一个compression function, 它接受长度为m的输入，产生长度为n的输出。
• 接下来，对于任意长度的输入，我们将它划分为多个长度为(m - n)的块。
• 将每个(m - n)的块连带着上个块的输出(长度为n)传递给compression function，即(m - n)+n = m, 满足了compression输入要以m为长度的要求。

1.2 HASH POINTERS AND DATA STRUCTURES

Hash pointer：
A hash pointer is a pointer to where data is stored together with a cryptographic hash of the value of this data at some fixed point in time.
Whereas a regular pointer gives you a way to retrieve the information, a hash pointer also allows you to verify that the information hasn’t been changed

• 哈希指针：
  不仅指明了地址，还能去查看当前地址的内容是否被更改过。

Block Chain
Similat to a linked list
Each block not only tells us where the value of the previous block was, but it also contains a digest of that value, which allows us to verify that the value hasn’t been changed.

• 区块链
  每一个块指明了前一个块的值，同时包含了这个值的摘要。这个摘要可以帮助我们判断这个值是否被改变过。

If an adversary modifies data anywhere in the block chain, it will result in the hash pointer in the following block being incorrect

• 如果其他人修改了区块里的数据，将会导致后面区块里的哈希指针出错。

Merkle Trees
In a Merkle tree, data blocks are grouped in pairs, and the hash of each of these blocks is stored in a parent node. The parent nodes are in turn grouped in pairs, and their hashes stored one level up the tree. This pattern continues up the tree until we reach the root node.

• Merkle Trees
  数据块成对分组，每个块的哈希值被存储在他们的父节点当中。向上往复，直至根节点。

Proof of membership
To prove that a data block is included in the tree only requires showing the blocks in the path from that data block to the root.
If there are n nodes in the tree,it takes about log(n) time for us to verify it.

• 去证明一个块属于这棵树，只要顺着路径遍历即可，对于n个节点的树，时间复杂度约为log(n).

1.3 DIGITAL SIGNATURES

Two properties of digital signatures
First, only you can make your signature.
Second, the signature is to be tied to a particular document, so that the signature cannot be used to indicate your agreement or endorsement of a different document.

• 数字签名的两个属性
  只有本人可以签名;
  每个签名绑定在固定的文件上, 当前这个签名不能代表其他的文件。

Digital signature scheme
three algorithms are consisted:
-----------------------------------------------------------------
First, (sk, pk) := generateKeys(keysize)
The generateKeys method takes a key size and generates a key pair. The secret key sk is kept privately and used to sign messages. pk is the public verification key that you give to everybody. Anyone with this key can verify your signature.
------------------------------------------------------------------
sig := sign(sk, message)
The sign method takes a message and a secret key, sk, as input and outputs a signature for message under sk.
------------------------------------------------------------------
isValid := verify(pk, message, sig)
The verify method takes a message, a signature, and a public key as input. It returns a boolean value, isValid, that will be true if sig is a valid signature for message under public key pk, and false otherwise.

• 数字签名的三个方法
  ------------------------------------------------------------
  (sk, pk) := generateKeys(keysize)
  产生一对给定长的的私钥(sk/secret key)和公钥(pk/ public key)。私钥的由当前用户个人保管，用来签名。公钥是对所有人公开的，别人可以用来检验签名的有效性。
  ------------------------------------------------------------
  sig := sign(sk, message)
  产生签名。以私钥(sk)和信息(message)为参数，产生产生与这个文件和私钥相对应的签名。
  ------------------------------------------------------------
  isValid := verify(pk, message, sig)
  检验有效性。当前签名(sig)如果和信息(message)以及公钥(pk)对应的起来则返回真。

Unforgeability game
If the attacker is able to successfully output a signature on a message that he has not previously seen, he wins.
If he is unable to do so, the challenger wins, and the digital signature scheme is unforgeable.

We give the secret key to the challenger, and we give the public key to both the challenger and the adversary. So the adversary only knows information that’s public, and his mission is to try to forge a message. The challenger knows the secret key. So he can make signatures.
we allow the adversary to try a number of guesses that is a polynomial function of the key size, but no more (e.g., he cannot try exponentially many guesses).
The challenger runs the verify algorithm to determine whether the signature produced by the attacker is a valid signature on M under the public verification key.

• Unforgeability game
         如果攻击者(attacker/adversary)能够伪造出签名，攻击者获胜。如果他不能，则挑战者(challenger)获胜。
         我们把私钥给挑战者，而公钥的话，为挑战者和攻击双方共有。私钥类似于密码，公钥类似于账号。
         攻击者可以多次尝试伪造签名，挑战者去检验该签名是否正确。

1.4 PUBLIC KEYS AS IDENTITIES

The idea is to take a public key, one of those public verification keys from a digital signature scheme, and equate it to an identity of a person or an actor in a system.

• 拿一个公钥，并将和一个人相对应。

1.5. TWO SIMPLE CRYPTOCURRENCIES

1.5.1 Goofycoin

The first rule of Goofycoin is that a designated entity, Goofy, can create new coins whenever he wants and these newly created coins belong to him.

• 一个特定的实体可以创建新的币，这个币为他所拥有。

The second rule of Goofycoin is that whoever owns a coin can transfer it to someone else.

• 第二个规则是，币可以转让。

Let’s say Goofy wants to transfer a coin that he created to Alice. To do this, he creates a new statement that says “Pay this to Alice” where “this” is a hash pointer that references the coin in question. And as we saw earlier, identities are really just public keys, so “Alice” refers to Alice’s public key. Finally, Goofy signs the string representing the statement. Since Goofy is the one who originally owned that coin, he has to sign any transaction that spends the coin. Once this data structure representing Goofy’s transaction is signed by him, Alice owns the coin. She can prove to anyone that she owns the coin, because she can present the data structure with Goofy’s valid signature. Furthermore, it points to a valid coin that was owned by Goofy. So the validity and ownership of coins are self-evident in the system.

• Goofy想要将他的币转给Alice, 他发起一个声明"我将这枚币转给Alice"。这个声明须由Goofy签名，则这枚币就属于Alice了。

double-spending attack
Someone spends a coin twice.
Goofycoin does not solve the double-spending attack, and therefore it’s not secure.

• double-spending attack*
  一个人将一枚币转让给多个人。Goofycoin未能解决这个问题。

1.5.2 Scroogecoin

The first key idea is that a designated entity called Scrooge publishes an append-only ledger containing the history of all transactions.
The append-only property ensures that any data written to this ledger will remain forever in the ledger.
If the ledger is truly append only, we can use it to defend against double spending by requiring all transactions to be written in the ledger before they are accepted.
That way, it will be publicly documented if coins were previously sent to a different owner.

• 设计一个只可以在后面添加内容而不可以再做其他修改的账本。将所有的交易记录下到账本里，便可以知道当前币是属于谁的，有没有转让给多个人。

To implement this append-only functionality, Scrooge can build a block chain, which he will digitally sign. It consists of a series of data blocks, each with one transaction in it (in practice, as an optimization, we’d really put multiple transactions in the same block, as Bitcoin does.) Each block has the ID of a transaction, the transaction’s contents, and a hash pointer to the previous block. Scrooge digitally signs the final hash pointer, which binds all the data in this entire structure, and he publishes the signature along with the block chain.

• 为实现这一功能，建立一个区块链，每一个区块对应一个交易信息(现实生活中，可能一个区块包含多个交易信息)。
  每个区块的数据结构是(ID, contents, hash pointer to previous block)。Scrooge 为最后一个哈希指针签名即可，然后连带着整个区块链公布他的签名。

Why do we need a block chain with hash pointers in addition to having Scrooge sign each block?
As long as someone is monitoring the latest hash pointer published by Scrooge, the change will be obvious and easy to catch.
A block chain makes it easy for any two individuals to verify that they have observed the same history of transactions signed by Scrooge.

• 为什么采用一个带有哈希指针的区块链？
  哈希指针: 方便人们察觉到到当前区块链发生的变化。
  区块链：方便人们查看交易的纪录。

1.5.2.1 Two kinds of transactions in Scrogecoin

CreateCoins：
to make new coins.
Datastructure：
(serial number, value, recipent)

TransID: to represent a transaction
num: Each coin has a serial number in the transaction.
value: it’s worth a certain number of scroogecoins.
recipient: a public key that gets the coin.

PayCoins
It consumes some coins (i.e., destroys them) and creates new coins of the same total value.
So if you’re the owner of one of the coins that’s going to be consumed in this transaction, then you need to digitally sign the transaction to say that you’re OK with spending this coin.

The problem here is centralization.much of the early research on cryptosystems assumed there would indeed be some central trusted authority.
The minting of new coins also needs to be decentralized. If we can solve these problems, then we can build a currency that would be like Scroogecoin but without a centralized party. In fact, this would be a system much like Bitcoin.

• 这个系统存在一个问题，即中心化。所有的交易都需要由Scrooge签名，Scrooge类似于现实中的政府。这个系统需要去中心化，则就有了比特币的概念。