bitcoin

发明人以及相关节点时间

1. 中本聪于2008-10-31号提出了比特币的设计白皮书
2. 2009年公布了最初的实现代码， 第一个比特币是2009-01-03(18:15:05)生成

secp256k1 elliptic curve

1. curve \[y^2 = x^3 + 7\]

2. params \(p = 0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F\) \(a = 0\) \(b = 7\) \(Gx = 0x79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798\) \(Gy = 0x483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8\) \(n = 0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141\) \(h = 1\) in general, the different point by given an X coordinate is \(2*(h + 1)\)

private key & public key

• private key generally, a private key is just a 32-bytes random number

• public key

1. uncompressed(65 bytes) 0x04 + x + y
2. compressed(33 bytes, which omit the y value) 0x02 or 0x03 (which means y is even or odd)

Elliptic curve(finite field) & ECDSA

• elliptic curve: \(y^2 = x^3 + ax + b\)

• finite field: $F_p = {0, 1, ... p-1} $ (usually p is a prime number)

  \(n^{p-1} = 1 mod p\) where p is prime \(n^{p-2} = n^{-1} = 1/n mod n\) where p is prime

  in python: it is easy to calculate \(n^{-1} = pow(n, p-2, p)\)

• group law

  \(P_1 = (x_1, y_1), P_2=(x_2, y_2) \to P_3 = (x_3, y_3)\) \(when x_1 \neq x_2\)

  \(s = (y_2-y_1)/(x_2-x_1)\) \(x_3 = s^2 - x_1 - x_2\) \(y_3 = s(x_1 - x_3) - y_1\)

• ECDSA
  1. public key
     • priv key: d (a randomly selected non-zero integer modulo the group order n)
     • base Pointer: G

  pub key: \(P = d * G\)

  2. signature
     • hash of message to sign: e
     • chooses a per-message secret random integer k such that 1 ≤ k ≤ n − 1(n is the order of subgroup)
     • random point \(RP = k * G\)

  signature: (r, s); \(r=x_{RP}\), \(s=(e+r * d)/k\)

  3. verify signature
     • calculate integer \(i_1 = s^{-1}*e\)
     • calculate integer \(i_2 = s^{-1}*r\)
     • calculate random point \(RP = i_1G + i_2P\)
     the signature is valid only if \(r = x_{RP}\)

recid(secp256k1) with ECDSA

0 <= recid <= 3

for signature(r, s): init recid = 0 - if r > n (overflow), recid |= 2 - if y_{r} is odd, recid |= 1 - if s is odd, recid ^= 1 - if low s, recid ^= 1

signature & DER encoding

BIP62

Hierarchical Deterministic Wallet

BIP32

pubkey script(or scriptPubkey in code)

• the output script(pubkey script) form is: OP_DUP OP_HASH160 Hash160(pubkey) OP_EQUALVERIFY OP_CHECKSIG

• the input script(signature script) form is: signature pubkey

• the check process

1. the whole thing is: signature pubkey OP_DUP OP_HASH160 Hash160(pubkey) OP_EQUALVERIFY OP_CHECKSIG
2. operate the ops on stack

note: script form can see in bitcoin source code by search "CScriptVisitor"

redeem script

• the output script(pubkey script) form is: OP_HASH160 Hash160(redeemscript) OP_EQUAL
• the redeem script form is: OP_2 pubkey1 pubkey2 pubkey2 OP_3 OP_CHECKMULTISIG //2 of 3 redeem script pubkey OP_CHECKSIG // single redeem script

• the input script(signature script) form is: OP_0 sig1 sig2 redeemScript

• the check process

1. the whole thing is: {OP_0 sig1 sig2 redeemScript}_stackcopy OP_HASH160 Hash160(redeemscript) OP_EQUAL
2. operate the ops on stack

witness

1. native witness program(currently all is version 0 witness)

• the output script(pubkey script) form is: version_byte witness_program
• the input script(signature script) is empty, which currently in winness script

2. p2sh witness program

• the output script(pubkey script) is p2sh
• the redeem script form is: version_byte witness_program
• the input script(signature script) like in redeem script

3. P2WPKH or P2WSH

• if witness program is 20 byte

  it is interpreted as a pay-to-witness-public-key-hash (P2WPKH) program

• if witness program is 32 byte

  It is interpreted as a pay-to-witness-script-hash (P2WSH) program

double spend

• 51% attack
• race attack
• finney attack: attacker make a block with certain tx in advance, then create another conflict tx to network