COMP90088: Cryptocurrencies and decentralised ledgers Semester 1 2022
Practice Final Exam (v 1.00)
Due: Tuesday 2022-06-14 at 15:00 AEST (no extensions)
● The exam is open-book and open-notes. You can read papers assigned from class, the class notes and papers assigned in class, and generally look up any other information that is publicly available online.

● Please cite any additional sources beyond assigned reading.
● You may not consult with any other human beings except course staff. This includes talking with other students in the class and posting questions to online forums.
● Any questions should be posted privately to course staff only. Your questions may be made public by course staff if they are generally relevant.
● Please submit your answers in PDF form. Do not submit any other format (e.g. a Word document or Pages document).

1. Short answer questions (3 marks each) Please answer any six of the following eight questions (and only six), with at most 1-2 paragraphs for each question. Include any mathematical workings (if any) and state any assumptions you make clearly.
a. Provide one reason why anonymity is stronger in practice with Zcash than with Monero, and one reason why anonymity is better in practice with Monero than with Zcash.
b. A major unsolved question in modeling attacks on Bitcoin is how much the market would react to a successful double-spending attack on the blockchain. Suppose you knew that Bitcoin’s exchange rate to the US dollar would fall to a fraction 0 ≤ ⍴ ≤ 1 of its original value after a successful double-spend was demonstrated. Why would this be a useful number for researchers to know in modeling the security of Bitcoin? Suppose you knew that ⍴ was very close to 1. Explain why this would be a problem. Suppose you knew that ⍴ was very close to 0. Explain why this would be a problem.
c. Some large Bitcoin miners now directly connect (or “peer”) and share transactions and blocks they’ve heard, in addition to using the public Bitcoin P2P network. Why do these miners do this? Do you think the existence of non-public communication like this conflicts with the spirit of a decentralized system? Would it be possible for a fork of Bitcoin to ban this and require all miners to only use the public P2P network?
d. Confidential Transactions represents transaction inputs and outputs using Pedersen commitments for privacy and uses range proofs, a special type of zero-knowledge proof, to prove that each transaction output value is within a finite range. What is the purpose of this check? For Bitcoin, what range should be used? Why is this proof only needed for transaction outputs, not transaction inputs?
e. Bitcoin transaction fees usually correlate to total transaction size, meaning the sender pays more to include more inputs or more outputs. Alice thinks this is a mistake and that, to encourage diligent use of state in Bitcoin, transaction fees should increase with the number of outputs and decrease with the number of inputs. Bob disagrees and thinks transaction fees should increase with the number of inputs and decrease with the number of outputs. Who is right?
f. When a smart contract is running in EVM, any negative gas operations (e.g. freeing storage) are accumulated in a special “gas refund” counter and only returned once the transaction has finished. Explain what could go wrong if EVM instead credited the value of the negative gas cost directly to the current “gas remaining” counter.
g. said of potential 51% attacks: “[A miner] ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.” Do you think this is more true for Bitcoin, in which most miners use dedicated ASICs to mine, or Ethereum in which most miners use general-purpose GPUs?
h. If Bitcoin introduced a hard fork tomorrow to double the block size, would you expect transaction fees to go up, go down, or stay the same? How else might the system change?

2. Protocol design (18 marks) (Randomized micropayments on top of Ethereum) Say Bob runs a news site and Alice wants to micropay Bob for every article she reads. Processing all these micro-transactions on the blockchain would be inefficient. An approach to reducing the load on the block chain is called randomized micropayments. Here, each micropayment from Alice to Bob is worth 𝑥 ether with probability p, and worth zero with probability 1-p. In expectation, Bob receives 𝑥 · 𝑝 ether from each such micropayment. Because the worthless payments never hit the block chain, this enables significant transaction fee savings.
The protocol works as follows:
1. Alice sends 100𝑥 ether to an escrow contract along with her public key KA.
2. When Bob wants to request a micropayment from Alice, he sends Alice the commitment c = SHA3(nB, r) for a random d-bit value nB and a random 128-bit value r. Bob keeps nB and r to himself, sending only c to Alice.
3. Alice then responds with her own random d-bit value nA and a signature SignKA(nA, c, B) on her nonce, Bob’s commitment, and Bob’s address B.
4. Bob now checks if nA=nB. If so, he has a winning payment and can send (B, nA, nB, c, r, sigA) to the contract to receive 𝑥 ether from the contract. If not, this is a worthless payment.
5. The contract ensures that a winning nonce nB can only be redeemed once.
The benefit of this approach over the serial micropayment scheme we saw in the lecture is that this single contract can be used by Alice to micropay multiple vendors.
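The message flow of steps 1 to 5 as a runnable sketch, added here as an illustration and not part of the exam paper. The names `commit`, `sign`, `ticket` and `Escrow` are hypothetical, HMAC stands in for Alice's public-key signature SignKA, and keying the redeemed-once check on c is an assumption about how step 5 is stored.

```python
import hashlib
import hmac
import secrets

def commit(n_b: int, r: bytes) -> bytes:
    """Step 2: Bob's commitment c = SHA3(nB, r)."""
    return hashlib.sha3_256(n_b.to_bytes(8, "big") + r).digest()

def sign(key: bytes, n_a: int, c: bytes, addr: str) -> bytes:
    """Step 3 stand-in for SignKA(nA, c, B).
    Assumption: HMAC replaces a real public-key signature for this demo."""
    msg = n_a.to_bytes(8, "big") + c + addr.encode()
    return hmac.new(key, msg, hashlib.sha3_256).digest()

def ticket(key: bytes, addr: str, n_b: int, n_a: int):
    """One exchange: Bob commits to nB, Alice answers with nA and a signature."""
    r = secrets.token_bytes(16)        # Bob's random 128-bit r
    c = commit(n_b, r)                 # Bob -> Alice: only c is sent
    sig = sign(key, n_a, c, addr)      # Alice -> Bob: nA and sigA
    return (addr, n_a, n_b, c, r, sig)

class Escrow:
    """Toy model of the contract's redeem check (steps 1, 4 and 5)."""

    def __init__(self, key: bytes, balance: int, x: int):
        self.key, self.balance, self.x = key, balance, x
        self.redeemed = set()          # commitments already paid out

    def redeem(self, addr, n_a, n_b, c, r, sig) -> bool:
        ok = (
            n_a == n_b                                  # winning payment
            and commit(n_b, r) == c                     # Bob opens c honestly
            and hmac.compare_digest(sig, sign(self.key, n_a, c, addr))
            and c not in self.redeemed                  # redeemable only once
            and self.balance >= self.x                  # escrow still funded
        )
        if ok:
            self.redeemed.add(c)
            self.balance -= self.x
        return ok

if __name__ == "__main__":
    key = secrets.token_bytes(32)      # constructed sample key
    escrow = Escrow(key, balance=100, x=1)   # step 1: 100x deposited, in units of x
    won = ticket(key, "0xBob", n_b=5, n_a=5)
    print("first redeem:", escrow.redeem(*won), "replay:", escrow.redeem(*won))
```
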
A. How many micropayments can be processed in expectation until the contract runs out of funds? How many of these micropayments, in expectation, require writing to the block chain?
B. Explain why Alice can’t cheat Bob by choosing nA in a way that causes Bob not to be paid. What property of SHA3 does this rely on?
C. Why is it necessary for Alice to sign Bob’s address B in step (3) of the protocol? What would go wrong if Alice’s signature did not include B?
D. Describe how Alice can execute the protocol, but then maliciously try to reclaim her own funds before Bob, whenever Bob receives a winning payment.
Hint: in this attack, Alice simply interacts with the contract. Because of your attack, this protocol is insecure and should not be used.
