From d408675b2f08bace1179506510580e4f9427a925 Mon Sep 17 00:00:00 2001 From: asli Date: Thu, 13 Jun 2024 17:26:40 +0300 Subject: [PATCH 1/3] Add sybil attack glossary item [Fixes #12096] --- public/content/decentralized-identity/index.md | 2 +- public/content/developers/docs/consensus-mechanisms/index.md | 4 ++-- public/content/developers/docs/oracles/index.md | 2 +- public/content/glossary/index.md | 2 ++ public/content/whitepaper/index.md | 2 +- src/intl/en/glossary-tooltip.json | 2 ++ src/intl/en/glossary.json | 2 ++ 7 files changed, 11 insertions(+), 5 deletions(-) diff --git a/public/content/decentralized-identity/index.md b/public/content/decentralized-identity/index.md index 899850d0e60..9a152bf9b0d 100644 --- a/public/content/decentralized-identity/index.md +++ b/public/content/decentralized-identity/index.md @@ -73,7 +73,7 @@ Decentralized identity can help create online communities that are free of fake ### 4. Anti-Sybil protection {#sybil-protection} -Sybil attacks refer to individual humans tricking a system into thinking they are multiple people to increase their influence. Grant-giving applications that use [quadratic voting](/glossary/#quadratic-voting) are vulnerable to these Sybil attacks because the value of a grant is increased when more individuals vote for it, incentivizing users to split their contributions across many identities. Decentralized identities help to prevent this by raising the burden on each participant to prove that they are really human, although often without having to reveal specific private information. +Grant-giving applications that use [quadratic voting](/glossary/#quadratic-voting) are vulnerable to [sybil attacks](/glossary/#sybil-attack) because the value of a grant is increased when more individuals vote for it, incentivizing users to split their contributions across many identities. Decentralized identities help to prevent this by raising the burden on each participant to prove that they are really human, although often without having to reveal specific private information. ## What are attestations? {#what-are-attestations} diff --git a/public/content/developers/docs/consensus-mechanisms/index.md b/public/content/developers/docs/consensus-mechanisms/index.md index 56c39531967..b0d60545e60 100644 --- a/public/content/developers/docs/consensus-mechanisms/index.md +++ b/public/content/developers/docs/consensus-mechanisms/index.md @@ -4,7 +4,7 @@ description: An explanation of consensus protocols in distributed systems and th lang: en --- -The term 'consensus mechanism' is often used colloquially to refer to 'proof-of-stake', 'proof-of-work' or 'proof-of-authority' protocols. However, these are just components in consensus mechanisms that protect against Sybil attacks. Consensus mechanisms are the complete stack of ideas, protocols and incentives that enable a distributed set of nodes to agree on the state of a blockchain. +The term 'consensus mechanism' is often used colloquially to refer to 'proof-of-stake', 'proof-of-work' or 'proof-of-authority' protocols. However, these are just components in consensus mechanisms that protect against [sybil attacks](/glossary/#sybil-attack). Consensus mechanisms are the complete stack of ideas, protocols and incentives that enable a distributed set of nodes to agree on the state of a blockchain. ## Prerequisites {#prerequisites} @@ -68,7 +68,7 @@ Watch more on the different types of consensus mechanisms used on Ethereum: Proof-of-work and proof-of-stake alone are not consensus protocols, but they are often referred to as such for simplicity. They are actually Sybil resistance mechanisms and block author selectors; they are a way to decide who is the author of the latest block. Another important component is the chain selection (aka fork choice) algorithm that enables nodes to pick one single correct block at the head of the chain in scenarios where multiple blocks exist in the same position. -**Sybil resistance** measures how a protocol fares against a [Sybil attack](https://wikipedia.org/wiki/Sybil_attack). Sybil attacks are when one user or group pretends to be many users. Resistance to this type of attack is essential for a decentralized blockchain and enables miners and validators to be rewarded equally based on resources put in. Proof-of-work and proof-of-stake protect against this by making users expend a lot of energy or put up a lot of collateral. These protections are an economic deterrent to Sybil attacks. +**Sybil resistance** measures how a protocol fares against a sybil attack. Resistance to this type of attack is essential for a decentralized blockchain and enables miners and validators to be rewarded equally based on resources put in. Proof-of-work and proof-of-stake protect against this by making users expend a lot of energy or put up a lot of collateral. These protections are an economic deterrent to Sybil attacks. A **chain selection rule** is used to decide which chain is the "correct" chain. Bitcoin uses the "longest chain" rule, which means that whichever blockchain is the longest will be the one the rest of the nodes accept as valid and work with. For proof-of-work chains, the longest chain is determined by the chain's total cumulative proof-of-work difficulty. Ethereum used to use the longest chain rule too; however, now that Ethereum runs on proof-of-stake it adopted an updated fork-choice algorithm that measures the 'weight' of the chain. The weight is the accumulated sum of validator votes, weighted by validator staked-ether balances. diff --git a/public/content/developers/docs/oracles/index.md b/public/content/developers/docs/oracles/index.md index fa550987771..b04fbd59742 100644 --- a/public/content/developers/docs/oracles/index.md +++ b/public/content/developers/docs/oracles/index.md @@ -274,7 +274,7 @@ Some decentralized oracle networks require participants to vote or stake on the Nodes whose answers deviate from the majority answer are penalized by having their tokens distributed to others who provide more correct values. Forcing nodes to provide a bond before providing data incentivizes honest responses since they are assumed to be rational economic actors intent on maximizing returns. -Staking/voting also protects decentralized oracles from “Sybil attacks” where malicious actors create multiple identities to game the consensus system. However, staking cannot prevent “freeloading” (oracle nodes copying information from others) and “lazy validation” (oracle nodes following the majority without verifying the information themselves). +Staking/voting also protects decentralized oracles from [sybil attacks](/glossary/#sybil-attack) where malicious actors create multiple identities to game the consensus system. However, staking cannot prevent “freeloading” (oracle nodes copying information from others) and “lazy validation” (oracle nodes following the majority without verifying the information themselves). ##### Schelling point mechanisms diff --git a/public/content/glossary/index.md b/public/content/glossary/index.md index f8a40095356..b27365c60eb 100644 --- a/public/content/glossary/index.md +++ b/public/content/glossary/index.md @@ -420,6 +420,8 @@ lang: en + + diff --git a/public/content/whitepaper/index.md b/public/content/whitepaper/index.md index 646f92d5583..6063336c83a 100644 --- a/public/content/whitepaper/index.md +++ b/public/content/whitepaper/index.md @@ -24,7 +24,7 @@ Satoshi Nakamoto's development of Bitcoin in 2009 has often been hailed as a rad The concept of decentralized digital currency, as well as alternative applications like property registries, has been around for decades. The anonymous e-cash protocols of the 1980s and the 1990s, mostly reliant on a cryptographic primitive known as Chaumian blinding, provided a currency with a high degree of privacy, but the protocols largely failed to gain traction because of their reliance on a centralized intermediary. In 1998, Wei Dai's [b-money](http://www.weidai.com/bmoney.txt) became the first proposal to introduce the idea of creating money through solving computational puzzles as well as decentralized consensus, but the proposal was scant on details as to how decentralized consensus could actually be implemented. In 2005, Hal Finney introduced a concept of "[reusable proofs of work](https://nakamotoinstitute.org/finney/rpow/)", a system which uses ideas from b-money together with Adam Back's computationally difficult Hashcash puzzles to create a concept for a cryptocurrency, but once again fell short of the ideal by relying on trusted computing as a backend. In 2009, a decentralized currency was for the first time implemented in practice by Satoshi Nakamoto, combining established primitives for managing ownership through public key cryptography with a consensus algorithm for keeping track of who owns coins, known as "proof-of-work". -The mechanism behind proof-of-work was a breakthrough in the space because it simultaneously solved two problems. First, it provided a simple and moderately effective consensus algorithm, allowing nodes in the network to collectively agree on a set of canonical updates to the state of the Bitcoin ledger. Second, it provided a mechanism for allowing free entry into the consensus process, solving the political problem of deciding who gets to influence the consensus, while simultaneously preventing sybil attacks. It does this by substituting a formal barrier to participation, such as the requirement to be registered as a unique entity on a particular list, with an economic barrier - the weight of a single node in the consensus voting process is directly proportional to the computing power that the node brings. Since then, an alternative approach has been proposed called _proof-of-stake_, calculating the weight of a node as being proportional to its currency holdings and not computational resources; the discussion of the relative merits of the two approaches is beyond the scope of this paper but it should be noted that both approaches can be used to serve as the backbone of a cryptocurrency. +The mechanism behind proof-of-work was a breakthrough in the space because it simultaneously solved two problems. First, it provided a simple and moderately effective consensus algorithm, allowing nodes in the network to collectively agree on a set of canonical updates to the state of the Bitcoin ledger. Second, it provided a mechanism for allowing free entry into the consensus process, solving the political problem of deciding who gets to influence the consensus, while simultaneously preventing [sybil attacks](/glossary/#sybil-attack). It does this by substituting a formal barrier to participation, such as the requirement to be registered as a unique entity on a particular list, with an economic barrier - the weight of a single node in the consensus voting process is directly proportional to the computing power that the node brings. Since then, an alternative approach has been proposed called _proof-of-stake_, calculating the weight of a node as being proportional to its currency holdings and not computational resources; the discussion of the relative merits of the two approaches is beyond the scope of this paper but it should be noted that both approaches can be used to serve as the backbone of a cryptocurrency. ### Bitcoin As A State Transition System {#bitcoin-as-a-state-transition-system} diff --git a/src/intl/en/glossary-tooltip.json b/src/intl/en/glossary-tooltip.json index 6aea9058a46..1887a31b230 100644 --- a/src/intl/en/glossary-tooltip.json +++ b/src/intl/en/glossary-tooltip.json @@ -139,6 +139,8 @@ "staking-definition": "Depositing a quantity of ether (your stake) to become a validator and secure the network. A validator checks transactions and proposes blocks under a proof-of-stake consensus model. Staking gives you an economic incentive to act in the best interests of the network. You'll get rewards for carrying out your validator duties, but lose varying amounts of ETH if you don't. More on Ethereum staking.", "staking-pool-term": "Staking pool", "staking-pool-definition": "The combined ETH of more than one Ethereum staker, used to reach the 32 ETH required to activate a set of validator keys. A node operator uses these keys to participate in consensus and the block rewards are split amongst contributing stakers. Staking pools or delegating staking are not native to the Ethereum protocol, but many solutions have been built by the community. More on pooled staking.", + "sybil-attack-term": "Sybil attack", + "sybil-attack-definition": "Sybil attacks refer to individual humans tricking a system into thinking they are multiple people to increase their influence.", "terminal-total-difficulty-term": "Terminal total difficulty (TTD)", "terminal-total-difficulty-definition": "The total difficulty is the sum of the Ethash mining difficulty for all blocks up to some specific point in the blockchain. The terminal total difficulty is a specific value for the total difficulty that was used as the trigger for execution clients to switch off their mining and block gossip functions enabling the network to transition to proof-of-stake. It is no longer relevant because Ethereum moved to proof-of-stake.", "transaction-fee-term": "Transaction fee", diff --git a/src/intl/en/glossary.json b/src/intl/en/glossary.json index 12e8888d14d..040ccd4b7a2 100644 --- a/src/intl/en/glossary.json +++ b/src/intl/en/glossary.json @@ -349,6 +349,8 @@ "state-channels-definition": "A layer 2 solution where a channel is set up between participants, where they can transact freely and cheaply. Only a transaction to set up the channel and close the channel is sent to Mainnet. This allows for very high transaction throughput, but does rely on knowing number of participants up front and locking up of funds. More on state channels.", "supermajority-term": "Supermajority", "supermajority-definition": "Supermajority is the term given for an amount exceeding 2/3 (66%) of the total staked ether securing Ethereum. A supermajority vote is required for blocks to be finalized on the Beacon Chain.", + "sybil-attack-term": "Sybil attack", + "sybil-attack-definition": "Sybil attacks refer to individual humans tricking a system into thinking they are multiple people to increase their influence.", "syncing-term": "Syncing", "syncing-definition": "The process of downloading the entire latest version of a blockchain to a node.", "sync-committee-term": "Sync committee", From a40e568312aff9291b65e6eb5171b89118ad0878 Mon Sep 17 00:00:00 2001 From: asli Date: Fri, 14 Jun 2024 16:59:05 +0300 Subject: [PATCH 2/3] Capitalize the first letter of'Sybil attack' --- public/content/decentralized-identity/index.md | 2 +- public/content/developers/docs/consensus-mechanisms/index.md | 4 ++-- public/content/developers/docs/oracles/index.md | 2 +- public/content/whitepaper/index.md | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/public/content/decentralized-identity/index.md b/public/content/decentralized-identity/index.md index 9a152bf9b0d..15697634370 100644 --- a/public/content/decentralized-identity/index.md +++ b/public/content/decentralized-identity/index.md @@ -73,7 +73,7 @@ Decentralized identity can help create online communities that are free of fake ### 4. Anti-Sybil protection {#sybil-protection} -Grant-giving applications that use [quadratic voting](/glossary/#quadratic-voting) are vulnerable to [sybil attacks](/glossary/#sybil-attack) because the value of a grant is increased when more individuals vote for it, incentivizing users to split their contributions across many identities. Decentralized identities help to prevent this by raising the burden on each participant to prove that they are really human, although often without having to reveal specific private information. +Grant-giving applications that use [quadratic voting](/glossary/#quadratic-voting) are vulnerable to [Sybil attacks](/glossary/#sybil-attack) because the value of a grant is increased when more individuals vote for it, incentivizing users to split their contributions across many identities. Decentralized identities help to prevent this by raising the burden on each participant to prove that they are really human, although often without having to reveal specific private information. ## What are attestations? {#what-are-attestations} diff --git a/public/content/developers/docs/consensus-mechanisms/index.md b/public/content/developers/docs/consensus-mechanisms/index.md index b0d60545e60..2f9beca4247 100644 --- a/public/content/developers/docs/consensus-mechanisms/index.md +++ b/public/content/developers/docs/consensus-mechanisms/index.md @@ -4,7 +4,7 @@ description: An explanation of consensus protocols in distributed systems and th lang: en --- -The term 'consensus mechanism' is often used colloquially to refer to 'proof-of-stake', 'proof-of-work' or 'proof-of-authority' protocols. However, these are just components in consensus mechanisms that protect against [sybil attacks](/glossary/#sybil-attack). Consensus mechanisms are the complete stack of ideas, protocols and incentives that enable a distributed set of nodes to agree on the state of a blockchain. +The term 'consensus mechanism' is often used colloquially to refer to 'proof-of-stake', 'proof-of-work' or 'proof-of-authority' protocols. However, these are just components in consensus mechanisms that protect against [Sybil attacks](/glossary/#sybil-attack). Consensus mechanisms are the complete stack of ideas, protocols and incentives that enable a distributed set of nodes to agree on the state of a blockchain. ## Prerequisites {#prerequisites} @@ -68,7 +68,7 @@ Watch more on the different types of consensus mechanisms used on Ethereum: Proof-of-work and proof-of-stake alone are not consensus protocols, but they are often referred to as such for simplicity. They are actually Sybil resistance mechanisms and block author selectors; they are a way to decide who is the author of the latest block. Another important component is the chain selection (aka fork choice) algorithm that enables nodes to pick one single correct block at the head of the chain in scenarios where multiple blocks exist in the same position. -**Sybil resistance** measures how a protocol fares against a sybil attack. Resistance to this type of attack is essential for a decentralized blockchain and enables miners and validators to be rewarded equally based on resources put in. Proof-of-work and proof-of-stake protect against this by making users expend a lot of energy or put up a lot of collateral. These protections are an economic deterrent to Sybil attacks. +**Sybil resistance** measures how a protocol fares against a Sybil attack. Resistance to this type of attack is essential for a decentralized blockchain and enables miners and validators to be rewarded equally based on resources put in. Proof-of-work and proof-of-stake protect against this by making users expend a lot of energy or put up a lot of collateral. These protections are an economic deterrent to Sybil attacks. A **chain selection rule** is used to decide which chain is the "correct" chain. Bitcoin uses the "longest chain" rule, which means that whichever blockchain is the longest will be the one the rest of the nodes accept as valid and work with. For proof-of-work chains, the longest chain is determined by the chain's total cumulative proof-of-work difficulty. Ethereum used to use the longest chain rule too; however, now that Ethereum runs on proof-of-stake it adopted an updated fork-choice algorithm that measures the 'weight' of the chain. The weight is the accumulated sum of validator votes, weighted by validator staked-ether balances. diff --git a/public/content/developers/docs/oracles/index.md b/public/content/developers/docs/oracles/index.md index b04fbd59742..569008965e6 100644 --- a/public/content/developers/docs/oracles/index.md +++ b/public/content/developers/docs/oracles/index.md @@ -274,7 +274,7 @@ Some decentralized oracle networks require participants to vote or stake on the Nodes whose answers deviate from the majority answer are penalized by having their tokens distributed to others who provide more correct values. Forcing nodes to provide a bond before providing data incentivizes honest responses since they are assumed to be rational economic actors intent on maximizing returns. -Staking/voting also protects decentralized oracles from [sybil attacks](/glossary/#sybil-attack) where malicious actors create multiple identities to game the consensus system. However, staking cannot prevent “freeloading” (oracle nodes copying information from others) and “lazy validation” (oracle nodes following the majority without verifying the information themselves). +Staking/voting also protects decentralized oracles from [Sybil attacks](/glossary/#sybil-attack) where malicious actors create multiple identities to game the consensus system. However, staking cannot prevent “freeloading” (oracle nodes copying information from others) and “lazy validation” (oracle nodes following the majority without verifying the information themselves). ##### Schelling point mechanisms diff --git a/public/content/whitepaper/index.md b/public/content/whitepaper/index.md index 6063336c83a..60f25da489a 100644 --- a/public/content/whitepaper/index.md +++ b/public/content/whitepaper/index.md @@ -24,7 +24,7 @@ Satoshi Nakamoto's development of Bitcoin in 2009 has often been hailed as a rad The concept of decentralized digital currency, as well as alternative applications like property registries, has been around for decades. The anonymous e-cash protocols of the 1980s and the 1990s, mostly reliant on a cryptographic primitive known as Chaumian blinding, provided a currency with a high degree of privacy, but the protocols largely failed to gain traction because of their reliance on a centralized intermediary. In 1998, Wei Dai's [b-money](http://www.weidai.com/bmoney.txt) became the first proposal to introduce the idea of creating money through solving computational puzzles as well as decentralized consensus, but the proposal was scant on details as to how decentralized consensus could actually be implemented. In 2005, Hal Finney introduced a concept of "[reusable proofs of work](https://nakamotoinstitute.org/finney/rpow/)", a system which uses ideas from b-money together with Adam Back's computationally difficult Hashcash puzzles to create a concept for a cryptocurrency, but once again fell short of the ideal by relying on trusted computing as a backend. In 2009, a decentralized currency was for the first time implemented in practice by Satoshi Nakamoto, combining established primitives for managing ownership through public key cryptography with a consensus algorithm for keeping track of who owns coins, known as "proof-of-work". -The mechanism behind proof-of-work was a breakthrough in the space because it simultaneously solved two problems. First, it provided a simple and moderately effective consensus algorithm, allowing nodes in the network to collectively agree on a set of canonical updates to the state of the Bitcoin ledger. Second, it provided a mechanism for allowing free entry into the consensus process, solving the political problem of deciding who gets to influence the consensus, while simultaneously preventing [sybil attacks](/glossary/#sybil-attack). It does this by substituting a formal barrier to participation, such as the requirement to be registered as a unique entity on a particular list, with an economic barrier - the weight of a single node in the consensus voting process is directly proportional to the computing power that the node brings. Since then, an alternative approach has been proposed called _proof-of-stake_, calculating the weight of a node as being proportional to its currency holdings and not computational resources; the discussion of the relative merits of the two approaches is beyond the scope of this paper but it should be noted that both approaches can be used to serve as the backbone of a cryptocurrency. +The mechanism behind proof-of-work was a breakthrough in the space because it simultaneously solved two problems. First, it provided a simple and moderately effective consensus algorithm, allowing nodes in the network to collectively agree on a set of canonical updates to the state of the Bitcoin ledger. Second, it provided a mechanism for allowing free entry into the consensus process, solving the political problem of deciding who gets to influence the consensus, while simultaneously preventing [Sybil attacks](/glossary/#sybil-attack). It does this by substituting a formal barrier to participation, such as the requirement to be registered as a unique entity on a particular list, with an economic barrier - the weight of a single node in the consensus voting process is directly proportional to the computing power that the node brings. Since then, an alternative approach has been proposed called _proof-of-stake_, calculating the weight of a node as being proportional to its currency holdings and not computational resources; the discussion of the relative merits of the two approaches is beyond the scope of this paper but it should be noted that both approaches can be used to serve as the backbone of a cryptocurrency. ### Bitcoin As A State Transition System {#bitcoin-as-a-state-transition-system} @@ -91,7 +91,7 @@ The algorithm for checking if a block is valid, expressed in this paradigm, is a Essentially, each transaction in the block must provide a valid state transition from what was the canonical state before the transaction was executed to some new state. Note that the state is not encoded in the block in any way; it is purely an abstraction to be remembered by the validating node and can only be (securely) computed for any block by starting from the genesis state and sequentially applying every transaction in every block. Additionally, note that the order in which the miner includes transactions into the block matters; if there are two transactions A and B in a block such that B spends a UTXO created by A, then the block will be valid if A comes before B but not otherwise. -The one validity condition present in the above list that is not found in other systems is the requirement for "proof-of-work". The precise condition is that the double-SHA256 hash of every block, treated as a 256-bit number, must be less than a dynamically adjusted target, which as of the time of this writing is approximately 2187. The purpose of this is to make block creation computationally "hard", thereby preventing sybil attackers from remaking the entire blockchain in their favor. Because SHA256 is designed to be a completely unpredictable pseudorandom function, the only way to create a valid block is simply trial and error, repeatedly incrementing the nonce and seeing if the new hash matches. +The one validity condition present in the above list that is not found in other systems is the requirement for "proof-of-work". The precise condition is that the double-SHA256 hash of every block, treated as a 256-bit number, must be less than a dynamically adjusted target, which as of the time of this writing is approximately 2187. The purpose of this is to make block creation computationally "hard", thereby preventing Sybil attackers from remaking the entire blockchain in their favor. Because SHA256 is designed to be a completely unpredictable pseudorandom function, the only way to create a valid block is simply trial and error, repeatedly incrementing the nonce and seeing if the new hash matches. At the current target of ~2187, the network must make an average of ~269 tries before a valid block is found; in general, the target is recalibrated by the network every 2016 blocks so that on average a new block is produced by some node in the network every ten minutes. In order to compensate miners for this computational work, the miner of every block is entitled to include a transaction giving themselves 25 BTC out of nowhere. Additionally, if any transaction has a higher total denomination in its inputs than in its outputs, the difference also goes to the miner as a "transaction fee". Incidentally, this is also the only mechanism by which BTC are issued; the genesis state contained no coins at all. From d06a43e86753bf25c583006eaa5a008982958a0f Mon Sep 17 00:00:00 2001 From: aslikaya Date: Wed, 19 Jun 2024 10:59:52 +0300 Subject: [PATCH 3/3] Apply suggestions from code review Co-authored-by: Paul Wackerow <54227730+wackerow@users.noreply.github.com> --- public/content/whitepaper/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/public/content/whitepaper/index.md b/public/content/whitepaper/index.md index 60f25da489a..646f92d5583 100644 --- a/public/content/whitepaper/index.md +++ b/public/content/whitepaper/index.md @@ -24,7 +24,7 @@ Satoshi Nakamoto's development of Bitcoin in 2009 has often been hailed as a rad The concept of decentralized digital currency, as well as alternative applications like property registries, has been around for decades. The anonymous e-cash protocols of the 1980s and the 1990s, mostly reliant on a cryptographic primitive known as Chaumian blinding, provided a currency with a high degree of privacy, but the protocols largely failed to gain traction because of their reliance on a centralized intermediary. In 1998, Wei Dai's [b-money](http://www.weidai.com/bmoney.txt) became the first proposal to introduce the idea of creating money through solving computational puzzles as well as decentralized consensus, but the proposal was scant on details as to how decentralized consensus could actually be implemented. In 2005, Hal Finney introduced a concept of "[reusable proofs of work](https://nakamotoinstitute.org/finney/rpow/)", a system which uses ideas from b-money together with Adam Back's computationally difficult Hashcash puzzles to create a concept for a cryptocurrency, but once again fell short of the ideal by relying on trusted computing as a backend. In 2009, a decentralized currency was for the first time implemented in practice by Satoshi Nakamoto, combining established primitives for managing ownership through public key cryptography with a consensus algorithm for keeping track of who owns coins, known as "proof-of-work". -The mechanism behind proof-of-work was a breakthrough in the space because it simultaneously solved two problems. First, it provided a simple and moderately effective consensus algorithm, allowing nodes in the network to collectively agree on a set of canonical updates to the state of the Bitcoin ledger. Second, it provided a mechanism for allowing free entry into the consensus process, solving the political problem of deciding who gets to influence the consensus, while simultaneously preventing [Sybil attacks](/glossary/#sybil-attack). It does this by substituting a formal barrier to participation, such as the requirement to be registered as a unique entity on a particular list, with an economic barrier - the weight of a single node in the consensus voting process is directly proportional to the computing power that the node brings. Since then, an alternative approach has been proposed called _proof-of-stake_, calculating the weight of a node as being proportional to its currency holdings and not computational resources; the discussion of the relative merits of the two approaches is beyond the scope of this paper but it should be noted that both approaches can be used to serve as the backbone of a cryptocurrency. +The mechanism behind proof-of-work was a breakthrough in the space because it simultaneously solved two problems. First, it provided a simple and moderately effective consensus algorithm, allowing nodes in the network to collectively agree on a set of canonical updates to the state of the Bitcoin ledger. Second, it provided a mechanism for allowing free entry into the consensus process, solving the political problem of deciding who gets to influence the consensus, while simultaneously preventing sybil attacks. It does this by substituting a formal barrier to participation, such as the requirement to be registered as a unique entity on a particular list, with an economic barrier - the weight of a single node in the consensus voting process is directly proportional to the computing power that the node brings. Since then, an alternative approach has been proposed called _proof-of-stake_, calculating the weight of a node as being proportional to its currency holdings and not computational resources; the discussion of the relative merits of the two approaches is beyond the scope of this paper but it should be noted that both approaches can be used to serve as the backbone of a cryptocurrency. ### Bitcoin As A State Transition System {#bitcoin-as-a-state-transition-system} @@ -91,7 +91,7 @@ The algorithm for checking if a block is valid, expressed in this paradigm, is a Essentially, each transaction in the block must provide a valid state transition from what was the canonical state before the transaction was executed to some new state. Note that the state is not encoded in the block in any way; it is purely an abstraction to be remembered by the validating node and can only be (securely) computed for any block by starting from the genesis state and sequentially applying every transaction in every block. Additionally, note that the order in which the miner includes transactions into the block matters; if there are two transactions A and B in a block such that B spends a UTXO created by A, then the block will be valid if A comes before B but not otherwise. -The one validity condition present in the above list that is not found in other systems is the requirement for "proof-of-work". The precise condition is that the double-SHA256 hash of every block, treated as a 256-bit number, must be less than a dynamically adjusted target, which as of the time of this writing is approximately 2187. The purpose of this is to make block creation computationally "hard", thereby preventing Sybil attackers from remaking the entire blockchain in their favor. Because SHA256 is designed to be a completely unpredictable pseudorandom function, the only way to create a valid block is simply trial and error, repeatedly incrementing the nonce and seeing if the new hash matches. +The one validity condition present in the above list that is not found in other systems is the requirement for "proof-of-work". The precise condition is that the double-SHA256 hash of every block, treated as a 256-bit number, must be less than a dynamically adjusted target, which as of the time of this writing is approximately 2187. The purpose of this is to make block creation computationally "hard", thereby preventing sybil attackers from remaking the entire blockchain in their favor. Because SHA256 is designed to be a completely unpredictable pseudorandom function, the only way to create a valid block is simply trial and error, repeatedly incrementing the nonce and seeing if the new hash matches. At the current target of ~2187, the network must make an average of ~269 tries before a valid block is found; in general, the target is recalibrated by the network every 2016 blocks so that on average a new block is produced by some node in the network every ten minutes. In order to compensate miners for this computational work, the miner of every block is entitled to include a transaction giving themselves 25 BTC out of nowhere. Additionally, if any transaction has a higher total denomination in its inputs than in its outputs, the difference also goes to the miner as a "transaction fee". Incidentally, this is also the only mechanism by which BTC are issued; the genesis state contained no coins at all.