Altcoins & Introduction to Ethereum
At least 500 altcoins have been derived from Bitcoin
Data from mapofcoins.com
Coins as of 2012
Bitcoin and Ethereum remain the two largest
Altcoin genealogy
Graphic from mapofcoins.com
Altcoins differ from hard forks in starting over
● Hard forks: Share a prefix of blockchain with a parent project
○ E.g. Bitcoin Cash, Bitcoin SV
○ Often claim original project lost its way
● Altcoins: Start from fresh genesis block
○ Fully independent from other projects
○ Though often they are forks of the codebase
Altcoins must overcome several bootstrapping challenges
● Founding vision/ethos:
○ Often laid out in a whitepaper. Many whitepapers go no further
● Code: Often based on a fork of Bitcoin
○ Testnets sometimes run before official launch
● Miners: Typically will join if the coins are worth something
● Nodes/P2P network: Miners have to do this at least
● Exchange rate: Need coins to have value
○ Also need major exchanges to list them, often only after they have value!
● Community/governance: Process for updates, patches
○ Many altcoins have a more explicit foundation or a for-profit company
Altcoins must offer some selling point over Bitcoin
● Consensus layer: Better (or at least different) consensus mechanism
○ Many different mining puzzles
○ Proof-of-stake
● Transaction layer: Richer functionality
○ Smart contract/better scripting features
○ Better scalability/cheaper tx fees
○ Improved privacy
● Economic/social layer: Appeal to different community
○ Different monetary policy/fee structures
○ Community-focused coins
Many coins attempt to improve in multiple areas at once
Automated Altcoin Generator (archive of http://coingen.bluematt.me/)
Altcoin infrastructure
● Tipbots, faucets
● Logos, brand, marketing
● Exchanges, payment processors
● Developer tools, block explorer, testnet
● Steering foundation
Initial Allocation / Fundraising
● Pre-mine: founders get an Altcoin stash
● Pre-sale: founders get a stash of Bitcoin or $
● Proof-of-Burn (one-way peg): destroy 1 unit of Bitcoin, earn one unit of Altcoin
● Airdrop: give coins to members of some group
● Ownership of Bitcoin “grandfathered” in: similar to a hard fork
The Pump-and-Dump cycle
1. Begin with an altcoin about to launch or an existing low-value, declining altcoin
2. Attacker buys lots of coins
3. Attacker launches marketing campaign to convince the public that altcoin has grassroots support
4. Attacker sells coins once price rises
5. Marketing campaign ends, altcoin declines
Arguments against altcoins: they harm the ecosystem
● Divided mining power means weak security
● Dilution of scarcity
● Pump-and-Dump schemes undermine public confidence in cryptocurrency
Arguments for altcoins: an essential part of the ecosystem
● Competition leads to better systems
● Bitcoin community is too risk averse
○ Altcoins are a testbed for new features
● Hedging against uncertainty/failure
○ Multi-headed hydra
● “Jubilee” – reset the allocation of wealth
Litecoin: one of the first successful altcoins
● Litecoin launched in Oct. 2011
● Memory-hard mining puzzle (scrypt)
○ Intended to be GPU-resistant, at a time when Bitcoin mining was GPU-based
○ FPGAs and ASICs arrived anyway, but later than for BTC
● 2nd most popular, 1st most widely forked
● Block rate is 4x faster
Litecoin peaked in 2016
Namecoin: the first altcoin (launched in April 2011)
● Feature: domain name registration, e.g. http://example.bit/
● New name costs 0.01 NMC (about 1 cent US)
● No renewal fee, but the owner must “ping” the name every 6 months
● Names (and subdomains) can be transferred/sold
● Can be “merge-mined” with Bitcoin (defined later)
Peercoin (aka PPCoin)
Launched August 2012. Hybrid mining:
● First Proof-of-Stake algorithm
○ mine by spending “stake”, which accumulates over time
● Proof-of-Work blocks can still earn mining rewards
○ … but aren’t counted for choosing the main chain
● Also uses regularly published “checkpoints”
○ acts as a safeguard; planned to be removed in future
Auroracoin: a community-focused coin for Iceland
● Launched Jan 24, ‘14
● Airdrop: every Iceland citizen can claim 31.8 AUC, starting Mar 25, ‘14
○ Population ~330k, so 10.5M potential giveaway
● Founder holds keys to 50% (10.5M of 21M)
● Result: 3.5M in circulation
○ Uncertainty in money supply
○ Accountability?
Tether: a cryptocurrency with stable exchange rate
● USDT has become very common for transfers
● Value is backed by reserves held by Tether
● Perpetual fear of insolvency
Shitcoins: altcoins without any legitimate selling point
● a cryptocurrency with little to no value or immediate, discernible purpose
● The true selling point is that different people are in charge
○ Pump-and-dump scams
● Typically this is obfuscated with techno-babble
● Commonly called snake oil
One person’s shitcoin is another person’s altcoin
Dogecoin: prototypical “memecoin”
Launched in December 2013
Culture – tipping, charity, sponsorship
Dogecoin “feature”: random block rewards
Goal: each block bonus is “random”
Implementation: block bonus is a pseudorandom function of the previous block hash
Problem: miners know the next reward in advance, and switch to another altcoin when the reward is low
Feature removed in March 2014
Dogecoin: Mining reward half-life
Mining reward cut in half every two months
Several ways to measure if an altcoin is catching on
● Market cap/monetary base
○ Total value of all coins
● Transaction volume
○ Difficult to tell what are “real” transactions
○ Can be manipulated
● Exchange volume
○ Depends on nature of third party exchanges
○ Can be manipulated fairly easily
● Total hashpower
● Merchant support and usage
● Twitter following and buzz
Two ways of measuring market cap
● Basic formula: (current exchange rate) * (current # of coins)
● Full diluted formula: (current exchange rate) * (total planned # of coins)
Market cap is an imprecise formula
● Overestimates total value:
○ If everybody tried to sell, price would go down
○ Some coins may be illiquid
● Underestimates value:
○ Some coins are lost or unusable
○ Satoshi is believed to hold around 1M BTC, over 5% of the coins mined to date!
Bootstrapping & Merged Mining
Mining attacks and altcoin infanticide
New projects have little hash power and are vulnerable to 51% attacks
Attacks like this have been a problem since the early days:
● Jan 2012: CoiledCoin, by the Eligius pool
● Jul 2013: TerraCoin, attacker unknown
● Nov 2013: WorldCoin, attacker unknown
Merge mining: a defense against infanticide
Ordinarily, mining is exclusive: each hashing attempt either has a chance to be a Bitcoin block, or has a chance to be an Altcoin block. This is an obstacle to bootstrapping.
What if we could mine Altcoin blocks AND Bitcoin blocks at once?
Merge mining: a defense against infanticide
● Goal: allow Bitcoin miners to mine an altcoin “for free”
● Evaluate one nonce for both a Bitcoin block and an Altcoin block
● Problem: this doesn’t work for a basic mining puzzle, because the two headers are different hash inputs:
○ Bitcoin: H(prev || merkl_root || nonce) < TARGET, where prev is the previous Bitcoin block and merkl_root commits to the Bitcoin transactions
○ Altcoin: H(alt_prev || alt_merkl_root || nonce) < TARGET, where alt_prev is the previous Altcoin block and alt_merkl_root commits to the Altcoin transactions
Solution: embed the Altcoin block in a Bitcoin block header
● The alt header (alt_prev, alt_merkl_root) goes into the scriptSig of tx[0], the coinbase; the coinbase scriptSig is ignored by Bitcoin
● merkl_root commits to tx[0], so the single hash H(prev || merkl_root || nonce) commits to the Bitcoin transactions and to the alt header
● If that hash is below the Altcoin’s target, the Bitcoin header (plus the coinbase and its Merkle branch) is a valid Altcoin block over the valid Altcoin transactions behind alt_merkl_root
Merge mining is quite flexible
● Can be mined at a higher difficulty than Bitcoin
● Can be mined at a lower difficulty than Bitcoin
● Can be mined even if some Bitcoin miners don’t participate
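The construction above, as an added example that is not from the lecture or from any merge-mined coin’s code: one hashing loop produces a Bitcoin-style parent header whose coinbase commits to the alt header, and the altcoin side verifies that “AuxPoW” against its own target. The header layout (two 32-byte fields plus a 4-byte nonce), the coinbase modelled as a hash of its scriptSig, the targets and the sample transaction ids are all constructed assumptions; the Merkle tree follows Bitcoin’s duplicate-last-node rule. Running it with the alt target easier than Bitcoin’s and then harder shows both difficulty cases from the slide.

```python
# Added example (not from the lecture or any project): merge mining in the AuxPoW style.
# Assumptions: 32-byte prev/root fields with a 4-byte nonce stand in for real headers, and
# the coinbase transaction is modelled as a hash of its scriptSig contents.
import hashlib


def dsha256(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def merkle_root_and_branch(txids, index=0):
    """Bitcoin-style Merkle tree (an odd layer duplicates its last node).
    Returns the root and the sibling path proving that leaf `index` is in it."""
    layer, branch = list(txids), []
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])
        branch.append(layer[index ^ 1])
        layer = [dsha256(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
        index //= 2
    return layer[0], branch


def merkle_verify(leaf, branch, index, root):
    h = leaf
    for sib in branch:
        h = dsha256(sib + h) if index & 1 else dsha256(h + sib)
        index //= 2
    return h == root


def parent_header(prev, root, nonce):
    return prev + root + nonce.to_bytes(4, "little")


def coinbase_txid(alt_block_hash):
    # The miner writes H(alt header) into the coinbase scriptSig. Bitcoin never interprets
    # it, but merkl_root commits to the coinbase, so the parent header commits to the alt block.
    return dsha256(b"coinbase-scriptSig:" + alt_block_hash)


def mine_both(btc_prev, btc_txids, alt_prev, alt_root, target_btc, target_alt, max_nonce=1 << 20):
    """One hashing loop serves two chains. Returns the first nonce meeting each target; for
    the altcoin it also returns the AuxPoW (parent header, coinbase txid, Merkle branch)."""
    alt_hash = dsha256(alt_prev + alt_root)      # the alt header carries no nonce of its own
    cb = coinbase_txid(alt_hash)
    root, branch = merkle_root_and_branch([cb] + list(btc_txids), 0)
    found = {"btc": None, "alt": None}
    for nonce in range(max_nonce):
        hdr = parent_header(btc_prev, root, nonce)
        v = int.from_bytes(dsha256(hdr), "big")
        if found["btc"] is None and v < target_btc:
            found["btc"] = nonce
        if found["alt"] is None and v < target_alt:
            found["alt"] = (nonce, hdr, cb, branch)
        if found["btc"] is not None and found["alt"] is not None:
            break
    return found


def verify_auxpow(alt_prev, alt_root, hdr, cb, branch, target_alt):
    """Altcoin-side consensus rule: the parent header meets the ALTCOIN target, and its
    Merkle root includes a coinbase committing to exactly this alt block."""
    if cb != coinbase_txid(dsha256(alt_prev + alt_root)):
        return False
    if not merkle_verify(cb, branch, 0, hdr[32:64]):
        return False
    return int.from_bytes(dsha256(hdr), "big") < target_alt


# Constructed inputs for a demonstration run.
ZERO = bytes(32)
BTC_TXIDS = [hashlib.sha256(b"btc-tx-%d" % i).digest() for i in range(3)]
ALT_ROOT = hashlib.sha256(b"alt-txs").digest()


def demo(target_btc=2**256 >> 13, target_alt=2**256 >> 10):
    """Returns (alt nonce, btc nonce, AuxPoW valid?, same AuxPoW valid for a different alt block?)."""
    r = mine_both(ZERO, BTC_TXIDS, ZERO, ALT_ROOT, target_btc, target_alt)
    nonce, hdr, cb, branch = r["alt"]
    ok = verify_auxpow(ZERO, ALT_ROOT, hdr, cb, branch, target_alt)
    forged = verify_auxpow(ZERO, hashlib.sha256(b"other-alt-txs").digest(), hdr, cb, branch, target_alt)
    return nonce, r["btc"], ok, forged


if __name__ == "__main__":
    print("easier altcoin:", demo())                          # alt block found no later than the btc block
    print("harder altcoin:", demo(2**256 >> 10, 2**256 >> 13))  # alt block found no earlier than the btc block
```

With an easier alt target every Bitcoin-valid nonce is also alt-valid, so the altcoin block is found first; with a harder alt target the same loop still finds it, just later. The forged check shows why the coinbase commitment matters: a parent header cannot be reused as proof of work for an alt block it did not commit to.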
Merge mining is a mixed blessing
Advantages:
● Much more difficult to attack altcoins, can get hash power quickly
● Still have flexibility over difficulty, block frequency, transaction layer
● Large mining pools can participate automatically for participants
Downsides:
● Miners may be minimally invested in merge-mined coins
● Contribute to ecological impact of parent coin?
Atomic cross-chain swaps
Atomic cross chain swaps with TierNolan’s protocol
Setup: Alice has X BTC, Bob has Y LTC
They want to swap, but who goes first? An example of counterparty risk.
Goal: either both transactions complete, or neither does.
Atomicity is an important property in many systems:
● Atom in Greek means “not cuttable” or “that which can’t be split”
● Often we want to specify a series of steps as an atomic transaction: all happen or none do
● Common in database design (the A in ACID properties)
Atomic cross chain swaps
Step 1: Alice generates secret x with h = H(x); Alice & Bob sign RefundA
DepositA (Alice’s 1 BTC) can be spent either with sigA and sigB, or with sigB plus revealing x where H(x) = h
RefundA spends DepositA back to Alice; timelocked to T+2; signed by A and B
- Alice generates DepositA, but doesn’t publish it yet
- Alice generates RefundA, and gets Bob’s signature on it
- Once RefundA is signed, she publishes DepositA
- If Bob learns x before time T+2, he can take the 1 BTC
- If Alice does not reveal x, she can claim her refund at T+2
Atomic cross chain swaps
Step 2: Bob deposits 1 LTC; Alice & Bob sign RefundB
DepositB (Bob’s 1 LTC) can be spent either with sigA and sigB, or with sigA plus revealing x where H(x) = h (Bob knows h from Step 1, not x)
RefundB spends DepositB back to Bob; timelocked to T+1; signed by A and B
- Bob generates DepositB, but doesn’t publish it yet
- Bob generates RefundB, and gets Alice’s signature on it
- Once RefundB is signed, he publishes DepositB
- If Alice reveals x before time T+1, she can take the 1 LTC
- If Alice does not reveal x, Bob can claim his refund at T+1
Atomic cross chain swaps
Step 3: Alice reveals x, both players claim their coins
- If Alice takes the 1 LTC, she reveals x on the Litecoin chain before time T+1
- If Bob learns x before time T+2, he can take the 1 BTC
- If Alice does not reveal x, Bob can claim his refund at T+1
- If Alice does not reveal x, she can claim her refund at T+2
Bob’s refund (T+1) matures before Alice’s (T+2), so Alice cannot first take her BTC back and then still claim the LTC with x.
Atomic cross chain swaps
● This protocol could provide secure, decentralized exchange between Altcoins
● This has rarely been seen in the wild
○ Disadvantages: multiple transactions, DoS risk
● Third party exchanges are used instead
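The three steps above, as an added simulation that is not part of the lecture or of any wallet’s code: both deposits are modelled as outputs with the two spend paths from the slides, and the protocol is run under several strategies for Alice. Assumptions: block height stands in for time (T = 10), the spender’s name stands in for a signature checked elsewhere, and a claim transaction publishes x on its chain, which is how the counterparty learns it. Beyond the slides’ case, the last run swaps the two refund timelocks to show why Bob’s refund must mature first.

```python
# Added simulation (not from the lecture): the TierNolan-style swap above, run to completion
# under several strategies. Assumptions: block height stands in for time, the spender's name
# stands in for a checked signature, and a claim publishes x on that chain, which is how the
# other party learns it.
import hashlib


def H(x):
    return hashlib.sha256(x).digest()


class Chain:
    """One blockchain: a height counter plus every preimage published in a claim transaction."""
    def __init__(self, name):
        self.name, self.height, self.revealed = name, 0, set()


class Deposit:
    """An output with the two spend paths from the slides:
       - the claimer's signature plus x with H(x) == h, or
       - the pre-signed refund (sigA and sigB) back to the depositor, valid from refund_time."""
    def __init__(self, chain, depositor, claimer, h, refund_time):
        self.chain, self.depositor, self.claimer = chain, depositor, claimer
        self.h, self.refund_time, self.owner = h, refund_time, None

    def claim(self, who, x):
        if self.owner is None and who == self.claimer and H(x) == self.h:
            self.owner = who
            self.chain.revealed.add(x)        # x is now public on this chain
            return True
        return False

    def refund(self, who):
        if self.owner is None and who == self.depositor and self.chain.height >= self.refund_time:
            self.owner = who
            return True
        return False


def simulate(alice_claim_height, refund_a=12, refund_b=11, last_height=20):
    """T = 10: RefundA (Alice's BTC) matures at T+2, RefundB (Bob's LTC) at T+1.
    Alice claims the LTC at alice_claim_height (None: never). Bob claims the BTC as soon as
    he sees x, and refunds as soon as he may. Returns (owner of the BTC, owner of the LTC)."""
    btc, ltc = Chain("BTC"), Chain("LTC")
    x = b"constructed-secret-x"               # in practice 32 random bytes
    h = H(x)                                  # Bob learns h in step 1, never x
    dep_a = Deposit(btc, "Alice", "Bob", h, refund_a)     # DepositA: 1 BTC
    dep_b = Deposit(ltc, "Bob", "Alice", h, refund_b)     # DepositB: 1 LTC
    for height in range(1, last_height + 1):
        btc.height = ltc.height = height
        if height == alice_claim_height:      # Alice acts first within a block
            dep_b.claim("Alice", x)
        dep_a.refund("Alice")
        for seen in ltc.revealed:             # Bob watches the LTC chain for x
            dep_a.claim("Bob", seen)
        dep_b.refund("Bob")
    return dep_a.owner, dep_b.owner


def is_atomic(outcome):
    """Either both sides got the other's coin, or both got their own coin back."""
    return outcome in {("Bob", "Alice"), ("Alice", "Bob")}


if __name__ == "__main__":
    print("Alice claims early    :", simulate(5))
    print("Alice never claims    :", simulate(None))
    print("Alice claims too late :", simulate(13))
    print("timelocks swapped     :", simulate(12, refund_a=11, refund_b=12))
```

In the swapped-timelock run Alice refunds her BTC at T+1 and then claims the LTC at T+2 with x, ending up with both coins; with the slides’ ordering every strategy yields an atomic outcome. Because Bob reacts in the same block here, a real deployment needs the gap between T+1 and T+2 to exceed propagation and confirmation delays on both chains.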
Bitcoin-pegged altcoins: “Side Chains”
Bitcoin-to-Altcoin value transfer
Launch an Altcoin, convince BTC users to join. Options discussed so far are extremes:
● “Grandfather”: all BTC holders get one ALT
○ no risk taken: if the Altcoin crashes, nothing changes
● Unilateral exchange: burn BTC, get ALT
○ full risk taken: if the Altcoin crashes, you lost your BTC
Bitcoin as a reserve currency
● Unilateral peg (proof-of-burn): 1 ALT worth at most 1 BTC
○ the 1 BTC is deleted forever!
● Bilateral peg: 1 ALT always worth 1 BTC
○ 1 BTC held in escrow when ALT is created
○ 1 BTC released when ALT is destroyed
Side chains
● Bitcoin transactions that describe the Altcoin’s validation rules
● Escrowed 1 BTC: can only be spent after presenting evidence that 1 ALT has been destroyed
● Naively, to verify such a transaction, every Bitcoin node must store all of the data for the Altcoin
Side chains - Improving efficiency
● Idea: full validation requires checking every Altcoin transaction; instead, only support SPV security
○ Instead of “TX is in the longest valid blockchain”, check “TX is in the longest blockchain”
○ Only involves checking block headers
● Goal: compact SPV proofs
○ If an Altcoin has a very fast block rate, checking an SPV proof may still be slow: O(N) time to check O(N) blocks
○ Instead of a chain, store blocks in a structure supporting probabilistic SPV proofs: O(polylog N) time to check O(N) blocks
○ Blocktree, range, skiplist
Side Chains - Conclusion
● Altcoins that hold Bitcoin in reserve
○ Could smooth Altcoin launch risks
● Requires changes to Bitcoin for support
● Like other Altcoins, could be merge mined
... or avoid merge mining with an alternate puzzle
Summary of Altcoins
● Bitcoin coexists with hundreds of Altcoins in many flavors:
○ Hard forks
○ Independent chains
○ Tokens/Layer 2 projects (to be discussed)
● Ecosystem remains competitive
○ Majority of Altcoins have disappeared
○ Much harder to get attention for altcoin with real innovation
○ Many big altcoins competing on smart contract functionality
The road to smart contracts
Recall: BTC contains a simple scripting language
"tx_out": [ { "value": "10.12287097", "scriptPubKey": "OP_DUP OP_HASH160 69e...3d42e OP_EQUALVERIFY OP_CHECKSIG" } ]
Addresses are really scripts
scriptSig: <30440220...> <0467d2c9...>
scriptPubKey: OP_DUP OP_HASH160 <69e02e18...> OP_EQUALVERIFY OP_CHECKSIG
TO VERIFY: the concatenated script (scriptSig followed by scriptPubKey) must execute completely with no errors
Bitcoin script instructions
256 opcodes total (15 disabled, 75 reserved)
● Arithmetic
● Logic/data handling
○ Signature verification
○ Multi-signature verification
Bitcoin script is limited
Design goals
● Built for Bitcoin (inspired by Forth)
● Simple, compact
● Support for cryptography
● Stack-based
● No looping
○ Not Turing-complete
● Time/memory usage bound by program size
Some useful contracts can be done in Bitcoin
● Proof-of-burn
● MULTISIG/access control trees
● Pay-for-hash-preimage
○ Multi-party lotteries
○ Atomic cross-chain currency exchange
● Micropayment/payment channels
○ Greatly improved with OP_CHECKLOCKTIMEVERIFY
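The P2PKH script from “Addresses are really scripts” and the pay-for-hash-preimage contract listed above, run by a small stack interpreter. This is an added example, not code from the lecture or from Bitcoin Core, and it makes two stand-in assumptions so that it runs on the standard library alone: HASH160 is a truncated double SHA-256 (Bitcoin uses RIPEMD160(SHA256(x))), and OP_CHECKSIG verifies Lamport one-time signatures instead of ECDSA. The opcodes themselves behave as in Bitcoin script: pushes, DUP, HASH160, SHA256, EQUAL, EQUALVERIFY aborting on mismatch, no loops, and any unknown opcode or stack underflow failing the script.

```python
# Added example (not from the lecture or Bitcoin Core): a minimal stack interpreter for the
# P2PKH and pay-for-hash-preimage scripts. Stand-ins, labelled as assumptions: hash160 is a
# truncated SHA-256d, and OP_CHECKSIG uses Lamport one-time signatures instead of ECDSA.
import hashlib

TRUE, FALSE = b"\x01", b""


def sha256(b):
    return hashlib.sha256(b).digest()


def hash160(b):
    return sha256(sha256(b))[:20]          # stand-in for RIPEMD160(SHA256(b))


# --- stand-in signature scheme: Lamport OTS. pubkey = 512 hashes, signature = 256 preimages ---
def keygen(seed):
    priv = [sha256(seed + bytes([i >> 1, i & 1])) for i in range(512)]   # pair k: entries 2k, 2k+1
    return priv, b"".join(sha256(k) for k in priv)


def bit(digest, i):
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(priv, msg):
    d = sha256(msg)
    return b"".join(priv[2 * i + bit(d, i)] for i in range(256))


def checksig(pub, msg, sig):
    if len(pub) != 512 * 32 or len(sig) != 256 * 32:
        return False
    d = sha256(msg)
    return all(sha256(sig[32 * i:32 * i + 32]) == pub[32 * (2 * i + bit(d, i)):32 * (2 * i + bit(d, i)) + 32]
               for i in range(256))


def run(script, msg):
    """Execute scriptSig || scriptPubKey. Items are bytes (a push) or opcode names.
    True only if every opcode succeeds and the final top of stack is true."""
    stack = []
    try:
        for item in script:
            if isinstance(item, bytes):
                stack.append(item)
            elif item == "OP_DUP":
                stack.append(stack[-1])
            elif item == "OP_HASH160":
                stack.append(hash160(stack.pop()))
            elif item == "OP_SHA256":
                stack.append(sha256(stack.pop()))
            elif item in ("OP_EQUAL", "OP_EQUALVERIFY"):
                b, a = stack.pop(), stack.pop()
                if item == "OP_EQUAL":
                    stack.append(TRUE if a == b else FALSE)
                elif a != b:
                    return False                 # VERIFY variants abort on mismatch
            elif item == "OP_CHECKSIG":
                pub, sig = stack.pop(), stack.pop()
                stack.append(TRUE if checksig(pub, msg, sig) else FALSE)
            else:
                return False                     # unknown or disabled opcode: script fails
    except IndexError:                           # stack underflow
        return False
    return bool(stack) and stack[-1] not in (FALSE, b"\x00")


def p2pkh_script_pubkey(pub):
    # "Addresses are really scripts": an address is just this hash160, encoded.
    return ["OP_DUP", "OP_HASH160", hash160(pub), "OP_EQUALVERIFY", "OP_CHECKSIG"]


def pay_to_preimage(h):
    # Pay-for-hash-preimage, the building block of the atomic swap earlier on the page.
    return ["OP_SHA256", h, "OP_EQUAL"]


def demo():
    msg = b"constructed spending transaction"   # the data a signature covers
    priv_a, pub_a = keygen(b"alice")
    priv_m, pub_m = keygen(b"mallory")
    out = p2pkh_script_pubkey(pub_a)
    x = b"alice-secret"
    htlc = pay_to_preimage(sha256(x))
    return {
        "owner_spends": run([sign(priv_a, msg), pub_a] + out, msg),
        "wrong_key": run([sign(priv_m, msg), pub_m] + out, msg),        # hash160 mismatch
        "forged_sig": run([sign(priv_m, msg), pub_a] + out, msg),       # right key, bad signature
        "replayed_sig": run([sign(priv_a, b"other tx"), pub_a] + out, msg),
        "preimage": run([x] + htlc, msg),
        "bad_preimage": run([b"guess"] + htlc, msg),
        "underflow": run(["OP_DUP"], msg),
    }
```

The interpreter has no loop construct and every opcode touches a bounded number of stack items, which is the slide’s “time/memory usage bound by program size” property in miniature.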
Extending Bitcoin functionality
Bitcoin script left developers wanting more
By adding a few opcodes to Bitcoin script, what if we could support:
● Distributed naming (Namecoin)
● Options, financial derivatives (OpenBazaar, MasterCoin)
● Prediction markets (Futurecoin)
● Open-ended, user-defined functionality?
Namecoin was the first fork of Bitcoin
Goal: distributed naming, similar functionality to DNS. 3 new opcodes:
● NAME_NEW
● NAME_FIRST_UPDATE
● NAME_UPDATE
Case study: NameCoin
Zooko’s Triangle: a naming system can be secure (e.g. a key hash like 0x8ca3a9e8…), human-meaningful, or under decentralized control, but supposedly not all three at once
Namecoin introduces three new opcodes
NAME_NEW: H(r, “jbonneau”), a commitment that hides the name
12 block delay before the name may be revealed (prevents frontrunning by miners or observers)
NAME_FIRST_UPDATE: r, “jbonneau”, {“ip” : “68.178.254.235”}
NAME_UPDATE: “jbonneau”, {“ip6” : “2001:4860:0:1001::68”}
Namecoin introduces new global state
Initial state: google → 172.217.18.110 [owner: Kg]; reddit → 151.101.65.140 [owner: Kr]
NAME_NEW y (y = H(r, “jbonneau”)): adds y → {pending} [owner: Kj]
NAME_FIRST_UPDATE jbonneau, r; 68…: replaces the pending entry with jbonneau → 68.178.254.235 [owner: Kj]
NAME_UPDATE jbonneau, 2001:…: jbonneau → 2001:… [owner: Kj]
Namecoin introduces new fees, incentives
Side note: Namecoin got the incentives badly wrong
Figure: number of names claimed over time, as a % of all Namecoin registrations
“An empirical study of Namecoin and lessons for decentralized namespace design”, Harry Kalodner, Miles Carlsten, Paul Ellenbogen, Joseph Bonneau, and Arvind Narayanan. WEIS 2015.
Recap: several requirements for new functionality
| new addition | in Namecoin | in Futurecoin |
| Global state: track app-specific data | name → value map | list of markets, bets in each market |
| Express updates to global state | NAME_NEW etc. | OPEN_MARKET etc. |
| Limit computation & reads/writes to global state | registration fees to limit squatting, maintenance fees | transaction fees per open market, exchange |
Recap: Bitcoin itself implicitly defines state
| new addition | in Bitcoin |
| Global state: track app-specific data | implicit |
| Express updates to global state | transactions |
| Limit computation & reads/writes to global state | not required |
This state is implicit: Bitcoin scripts only succeed/fail, with no side effects on global state
Miners can produce blocks which are very costly to verify
Miners can produce blocks which are very costly to verify
Replicated State Machines
Replicated state machines are the classic abstraction
● Set of possible states S
● Set of possible inputs I
● Set of possible outputs O
● Transition function f: S × I → S × O
● Start state s ∈ S (genesis block)
“Blockchain” is an ordered list of inputs w/consensus
Block 0 (genesis): consensus info
Block 1: consensus info (nonce=0x456…); input: A→B 17 signed(Alice)
Block 2: consensus info (nonce=0x123…); input: B→C 11 signed(Bob)
“State” is really just a compression of history
tx1: Inputs: (coinbase); Outputs: 25→Alice
tx2: Inputs: 1[0]; Outputs: 17→Bob, 8→Alice; SIGNED(Alice)
tx3: Inputs: 2[0]; Outputs: 8→Carol, 7→Bob; SIGNED(Bob)
tx4: Inputs: 2[1]; Outputs: 6→David, 2→Alice; SIGNED(Alice)
Efficient: track the UTXO set
after tx1: {1[0]: 25, A}
after tx2: {2[0]: 17, B; 2[1]: 8, A}
after tx3: {2[1]: 8, A; 3[0]: 8, C; 3[1]: 7, B}
Inefficient: scan the whole blockchain to check validity (is tx4 valid, i.e. is 2[1] still unspent?)
Blockchains may include explicit state commitments
Block 0: consensus info; state commitment to s = {A: 50}
Block 1: consensus info (nonce=0x456…); input: A→B 17 signed(Alice); state commitment to {A: 33, B: 17}
Block 2: consensus info (nonce=0x123…); input: B→C 11 signed(Bob); state commitment to {A: 33, B: 6, C: 11}
Explicit state commitments offer many advantages
● Inconsistencies surface immediately
● Light clients can quickly get current state
● Can efficiently verify the sequence between any two blocks
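The Namecoin state transitions (NAME_NEW, NAME_FIRST_UPDATE, NAME_UPDATE) and the replicated state machine with explicit state commitments, combined in one added example that is not from the lecture or from Namecoin’s code: the transition function f: S × I → S × O implements the three opcodes over a name → value map with a pending-commitment map, each block carries a commitment to the post-state, and a replay rebuilds the state from the input history and checks every commitment. Assumptions: signatures are treated as already checked (tx["signer"] names the key that signed), the commitment is a hash of canonical JSON rather than a Merkle root, and the salts, heights and values are constructed. The run also shows the 12-block delay defeating a frontrunner who only learns the name when the reveal is broadcast.

```python
# Added example (not from the lecture or Namecoin): a replicated state machine whose transition
# function implements the three Namecoin opcodes, with an explicit state commitment per block.
# Assumptions: signatures are already checked (tx["signer"] names the signing key) and the
# state commitment is a hash of canonical JSON rather than a Merkle root.
import hashlib
import json

NAME_DELAY = 12                          # blocks a NAME_NEW must age before the name is revealed
GENESIS = {"names": {}, "pending": {}}   # start state s


def H(b):
    return hashlib.sha256(b).digest()


def commitment(r, name):
    return H(r + name.encode()).hex()    # NAME_NEW publishes H(r, name), not the name


def state_root(state):
    return H(json.dumps(state, sort_keys=True).encode()).hex()


def transition(state, tx, height):
    """f: S x I -> S x O. Returns (new state, output); a rejected tx leaves the state unchanged."""
    s = json.loads(json.dumps(state))    # work on a copy: f is a pure function of (state, input)
    op = tx["op"]
    if op == "NAME_NEW":
        if tx["commit"] in s["pending"]:
            return state, "duplicate commitment"
        s["pending"][tx["commit"]] = {"height": height, "owner": tx["signer"]}
    elif op == "NAME_FIRST_UPDATE":
        c = commitment(bytes.fromhex(tx["r"]), tx["name"])
        p = s["pending"].get(c)
        if p is None or p["owner"] != tx["signer"]:
            return state, "no matching commitment"
        if height - p["height"] < NAME_DELAY:
            return state, "commitment too young"
        if tx["name"] in s["names"]:
            return state, "name taken"
        del s["pending"][c]
        s["names"][tx["name"]] = {"value": tx["value"], "owner": tx["signer"]}
    elif op == "NAME_UPDATE":
        rec = s["names"].get(tx["name"])
        if rec is None or rec["owner"] != tx["signer"]:
            return state, "not owner"
        rec["value"] = tx["value"]
    else:
        return state, "unknown op"
    return s, "ok"


def make_block(state, txs, height):
    outputs = []
    for tx in txs:
        state, out = transition(state, tx, height)
        outputs.append(out)
    return state, {"height": height, "txs": txs, "state_root": state_root(state)}, outputs


def replay(blocks):
    """State is a compression of history: rebuild it from the inputs and check each commitment.
    Returns (state, None), or (None, height of the first block whose commitment is wrong)."""
    state = GENESIS
    for blk in blocks:
        for tx in blk["txs"]:
            state, _ = transition(state, tx, blk["height"])
        if state_root(state) != blk["state_root"]:
            return None, blk["height"]
    return state, None


def demo():
    r, r2 = bytes(range(16)), bytes(range(16, 32))    # constructed salts
    kj_reveal = {"op": "NAME_FIRST_UPDATE", "signer": "Kj", "r": r.hex(),
                 "name": "jbonneau", "value": {"ip": "68.178.254.235"}}
    s, blocks = GENESIS, []
    s, b, _ = make_block(s, [{"op": "NAME_NEW", "signer": "Kj", "commit": commitment(r, "jbonneau")}], 100)
    blocks.append(b)
    _, early = transition(s, kj_reveal, 105)          # revealing before the delay is rejected
    # Frontrunner Km first learns the name from Kj's reveal broadcast at height 112; his own
    # commitment must then age NAME_DELAY blocks, so Kj's registration lands first.
    km_new = {"op": "NAME_NEW", "signer": "Km", "commit": commitment(r2, "jbonneau")}
    s, b, outs112 = make_block(s, [km_new, kj_reveal], 112)
    blocks.append(b)
    s, b, outs113 = make_block(s, [
        {"op": "NAME_UPDATE", "signer": "Kj", "name": "jbonneau", "value": {"ip6": "2001:4860:0:1001::68"}},
        {"op": "NAME_UPDATE", "signer": "Km", "name": "jbonneau", "value": {"ip": "10.0.0.1"}},
    ], 113)
    blocks.append(b)
    s, b, outs124 = make_block(s, [{"op": "NAME_FIRST_UPDATE", "signer": "Km", "r": r2.hex(),
                                    "name": "jbonneau", "value": {"ip": "10.0.0.1"}}], 124)
    blocks.append(b)
    replayed, bad = replay(blocks)
    tampered = json.loads(json.dumps(blocks))
    tampered[1]["state_root"] = "00" * 32             # a node that lies about the post-state
    return {"early": early, "block112": outs112, "block113": outs113, "block124": outs124,
            "final_owner": s["names"]["jbonneau"]["owner"],
            "replay_matches": replayed == s and bad is None,
            "tamper_detected_at": replay(tampered)[1]}
```

Every `transition` returns a fresh state, so the same input history always reproduces the same commitments; a light client holding only the `state_root` values can detect the tampered block without replaying anything, which is the “inconsistencies surface immediately” advantage from the slide.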
Ethereum: A universal RSM
To get Turing-completeness, keep the same RSM definition:
● Set of possible states S
● Set of possible inputs I: include arbitrary programs
● Set of possible outputs O
● Transition function f: S × I → S × O: interpret those programs
● Start state s ∈ S (genesis block)
Universality brings on classic OS problems
● What state can a tx change?
○ memory protection
● How many resources can a contract use?
○ resource contention
Ethereum in one slide
● States S = a map from addresses to state
● Inputs I (transactions): from, to, value, data, startgas, gasprice
● Transition f:
○ validate signature
○ run to.code(from, data, value, startgas, gasprice)
○ a transaction may affect the state of any address
● Start state: ∅
The full* Ethereum blockchain structure
Block header fields: prev, height, nonce, difficulty, state root, miner, extra, transaction root, receipt root
● state root: commitment to the final state after applying the block
● transaction root: commitment to the block’s transactions
● receipt root: commitment to the per-transaction receipts (final state, log output)
Ethereum addresses can be accounts or contracts
Note: no UTXOs in Ethereum
● Account: address = H(pub_key)
● Contract: address = H(creator, nonce)
Volatile fields stored per address: ETH balance, # transactions sent, Merkle storage root