Blockchain Primitives
SPEAKER Dan Boneh, Stanford University Important Disclosures
The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation.
This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at https://a16z.com/investments/.
Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information.
©2020 Andreessen Horowitz. All rights reserved worldwide. What Is a Blockchain?
LAYER 3 User Interface (e.g., web3)
LAYER 2 Applications (Solidity, Move, Motoko)
LAYER 1.5 Compute Layer (blockchain computer)
LAYER 1 Consensus Layer
©2020 Andreessen Horowitz. All rights reserved worldwide. LAYER 1: Consensus Layer (Informal) A public data structure (ledger) that provides:
Persistence: once added, data can never be removed*
Consensus: all honest participants have the same data**
Liveness: honest participants can add new transactions
Open(?): anyone can be a participant (no authentication)
LAYER 1 Consensus Layer
©2020 Andreessen Horowitz. All rights reserved worldwide. This Not a New Problem …
State machine replication: studied since the New1980s aspect: open consensus
Google, Amazon, Bank• ofAnyone America, can write new data to the all have lots of servers: blockchain (no auth, unknown #) • need to ensure state is consistent • Was shown to be impossible! across all servers [Barak, Canetti, Lindell, Pass, Rabin ’05] • Known # of servers, and all are authorized.• Nakamoto [2008]: • a way to bypass the lower bound using proof-of-work
©2020 Andreessen Horowitz. All rights reserved worldwide. How Are Blocks Added to Chain?
BLOCKCHAIN
SIGNED I AM THE LEADER skA
2 ETH VERIFY VERIFY BLOCK BLOCK skB
skC
©2020 Andreessen Horowitz. All rights reserved worldwide. How Are Blocks Added to Chain?
BLOCKCHAIN
skA
2 ETH I AM THE LEADER skB
2 ETH
skC
©2020 Andreessen Horowitz. All rights reserved worldwide. Open Consensus: How?
PROOF-OF-WORK PROOF-OF-STAKE PROOF-OF-SPACE MANY MORE IDEAS
First party to solve puzzle Fast block creation creates next block No energy waste • sybil resistant selection of a random party But more complex Problems: • slow, wastes energy
©2020 Andreessen Horowitz. All rights reserved worldwide. Any Andreessen Horowitz investments and portfolio companies described or referred to above are not representative of all investments in vehicles managed by the firm and there can be no assurance that the investments described are or will be profitable or that other investments made in the future will have similar character or results. See Important Disclosures at the outset for more information LAYER 1.5: the Blockchain Computer
APP logic is encoded in a program that runs on blockchain
• Rules are enforced by a public program (public source code)
➔ transparency: no single trusted 3rd party
• The APP program is executed by parties who create new blocks
➔ public verifiability: anyone can verify state transitions
LAYER 1.5 Compute Layer (blockchain computer)
LAYER 1 Consensus Layer
©2020 Andreessen Horowitz. All rights reserved worldwide. Running Programs on a Blockchain (APPs)
BLOCKCHAIN receive event receive event
state0 state1 state2
Program Code
Create an APP
LAYER 1.5 Compute Layer (blockchain computer)
LAYER 1 Consensus Layer
©2020 Andreessen Horowitz. All rights reserved worldwide. Execution Environment
BITCOIN SCRIPT ETHEREUM
A LIMITED COMPUTING GENERAL PROGRAMMING ENVIRONMENT ENVIRONMENT (SOLIDITY, WEB3)
• Limited instruction set (no loops) • EVM is a general purpose computing environment • Sufficient for some tasks: • atomic swaps, • APP code updates internal state in • payment channels, … response to transactions • Calling APP costs fees (gas) • prevents DoS on miners • storing on-chain state costs fees
©2020 Andreessen Horowitz. All rights reserved worldwide. General Execution Environments
Recent projects
Web development WebAssembly tools can be as the bytecode used to develop format blockchain APPs
©2020 Andreessen Horowitz. All rights reserved worldwide. Decentralized Applications (APPs)
Run on blockchain computer
LAYER 2 Applications (Solidity, Move, Motoko)
LAYER 1.5 Compute Layer (blockchain computer)
LAYER 1 Consensus Layer
©2020 Andreessen Horowitz. All rights reserved worldwide. Common APP Architecture Layer 4: user facing servers End User
APP APP APP
on-chain state BLOCKCHAIN COMPUTER
LAYER 1 Consensus Layer
©2020 Andreessen Horowitz. All rights reserved worldwide. Ethereum’s DeFi
PAYMENTS INFRASTRUCTURE KYC & IDENTITY STABLECOINS INSURANCE
DERIVATIVES EXCHANGES & LIQUIDITY
ot CREDIT & LENDING
CUSTODIAL SERVICES
PREDICTION MARKETS INVESTING MARKETPLACES
Source: https://www.theblockcrypto.com/genesis/15376/mapping-out-ethereums-defi ©2020 Andreessen Horowitz. All rights reserved worldwide. Detailed APPs in Coming Lectures… Cryptographic Primitives Blockchain Crypto Primitives Blockchains are a consumer of advanced cryptographic primitives
Digital signatures Merkle Succinct + commitments Zero-Knowledge aggregation proof systems
Important Primitives
©2020 Andreessen Horowitz. All rights reserved worldwide. Digital Signatures Physical Signatures Goal: bind transaction to author
Bob agrees to pay Alice $1 Bob agrees to pay Alice $100
Problem in the digital world…anyone can copy Bob’s signature from one doc to another
©2020 Andreessen Horowitz. All rights reserved worldwide. Digital Signatures Solution: make signature depend on document SIGNER VERIFIER
‘ACCEPT’ Bob agrees to pay Alice $1 VERIFY ALGORITHM or 01100101101101011 ‘REJECT’
SIGN SIGNATURE ALGORITHM
Secret Signing Public Verification Key (sk) Key (pk) ©2020 Andreessen Horowitz. All rights reserved worldwide. Signatures on the Blockchain: Used Everywhere
• Ensure Tx authorization • Governance votes • Consensus protocol votes VERIFY Tx VERIFY Tx VERIFY Tx
sk1 Data Signature
sk2 Data Signature
©2020 Andreessen Horowitz. All rights reserved worldwide. BLS Signature Aggregation Anyone can compress n signatures into a single signature
To verify need: Tx1 Signature1
PK1 PK2 PK3
Tx2 Signature2 AGGREGATION sig* Tx1 Tx2 Tx3
Tx3 Signature3 sig*
No need to store list of signatures on the blockchain
©2020 Andreessen Horowitz. All rights reserved worldwide. Aggregation on the Blockchain
Tx1 Tx2 Tx3
Data Signatures Data Signatures Data Signatures
SIGNATURE SHRINK AGGREGATION BLOCKCHAIN
Data Data Data Aggregate
©2020 Andreessen Horowitz. All rights reserved worldwide. Merkle Commitments Commitments Cryptographic commitment: emulates an envelope
Many applications: e.g., an APP for a sealed bid auction
• Every participant commits to its bid,
• Once all bids are in, everyone opens their commitment
DATA DATA
©2020 Andreessen Horowitz. All rights reserved worldwide. Crypto Commitments
Syntax: a commitment scheme is two algorithms
• Commit (data) ⟹ (com, open)
• Verify (data, com, open) ⟹ ‘accept’ or ‘reject’
Security properties (informal):
• Binding: Bob cannot produce two valid openings
• Hiding: com reveals nothing about committed data
©2020 Andreessen Horowitz. All rights reserved worldwide. Committing to a Tuple of Values: Merkle Trees
h
• Commit to tuple S GOAL: SUCCINCT • COMMITMENT • Commit to tuple S • Later, provide a short proof that is the 4th element in S �4 Proof length = 0(log |S|)
�1 �2 �3 �4 �5 �6 �7 �8
Tuple of values S
©2020 Andreessen Horowitz. All rights reserved worldwide. Many Applications: 1) Short Proof of Payment
h1 h2 h3
Bob: has all block hashes Alice: wants to prove she paid Bob 2ETH Merkle Tree commitment to all Tx in block • Alice sends a short Merkle proof to Bob • 1000 Tx in block ➔ short proof
ALICE ➔ BOB: 2 ETH DAVID ➔ CAROL: 2 ETH
©2020 Andreessen Horowitz. All rights reserved worldwide. 2) Keeping State off the Chain Database of account balances
Alice 10 pkA off-chain servers store balances, on-chain: Bob 5 pkB h1 Merkle tree only short commitment commitment Carol 12 pkC Alice can prove her balance (10) to anyone with a short proof
Zoe 8 pkZ
©2020 Andreessen Horowitz. All rights reserved worldwide. 2) Keeping State off the Chain Database of account balances
Alice 8 pkA off-chain servers A➔B:2 store balances, on-chain: Bob pkB h1 7 only short commitment
Carol 12 pkC Updated Merkle Tree Tx Alice can prove her commitment h2 balance (10) to anyone with a short proof
Tx can update committed Zoe 8 pkZ state. Chain validates Tx.
©2020 Andreessen Horowitz. All rights reserved worldwide. Zero Knowledge Proof Systems What Is a Proof System? (Informal) GOAL: prover wants to convince a verifier that a statement is true
STATEMENT I have a signature on Tx STATEMENT WITNESS prover has signature on Tx signature
Proof: � ACCEPT OR REJECT PROVER VERIFIER What is a statement: program(statement, witness) ➔ ‘0’ or ‘1’
©2020 Andreessen Horowitz. All rights reserved worldwide. Properties of a Proof System
Complete: if statement is true, prover can convince verifier Succinct proof: proof is short (logarithmic in statement size) Fast verification: verification is fast (logarithmic in statement size) Efficient proof generation: generating the proof takes linear time SNARK SECURITY: Sound: prover cannot convince verifier of a false statement Zero knowledge (optional): verifier learns nothing about the witness zkSNARK
©2020 Andreessen Horowitz. All rights reserved worldwide. Application 1: Scalability (Rollup) … no ZK TODAY: every miner must verify every posted Tx VERIFY ALLπ TX VERIFY ALL TX ⇒ SUCCINCT PROOF π
VERIFY VERIFY ALLπ TX ALLπ TX SUMMARY, π
ROLLUP SERVER
©2020 Andreessen Horowitz. All rights reserved worldwide. Application 2: Private Data on a Public Blockchain TODAY: Data on blockchain is public ➔ Businesses cannot use for private B2B applications PUBLIC Tx1 Tx2 Tx3 VERIFIABILITY
A different approach: only post hiding commitments to blockchain
com(APP code), com(Tx1), com(Tx2), ZKP1 ZKP2 com(state0) com(state1) com(state2)
ZKP: ZK proof that [statei, Txi ➔ Statei+1] is consistent with APP code state transition
©2020 Andreessen Horowitz. All rights reserved worldwide. Final Thoughts When To Use a Blockchain?
BLOCKCHAIN ≠ DATABASE
Always ask: why not use a centralized system?
• Blockchain positives: - used when there is no single party trusted by everyone
• Negatives: slower and more complex than a centralized system
©2020 Andreessen Horowitz. All rights reserved worldwide. Trends
©2020 Andreessen Horowitz. All rights reserved worldwide. The End Excited To See Your Blockchain Apps!!