3.區塊鏈基礎知識與密碼學 (3. Blockchain Basics & Cryptography)

字幕列表影片播放

The following content is provided under a Creative
Commons license.
Your support will help MIT OpenCourseWare
continue to offer high quality educational resources for free.
To make a donation or to view additional materials
from hundreds of MIT courses, visit MIT OpenCourseWare
at ocw.mit.edu.
GARY GENSLER: I just want to say how
touched I am that you are all still here.
I really-- you know, there's a lot of shopping opportunities
in the MIT courses.
And that you have come back and not shaken
loose after reading Satoshi Nakamoto's
peer-to-peer Bitcoin paper, or maybe you just came back
to see whether I was going to crash and burn describing it.
But what we're going to try to do in the next three classes,
just to frame it, is really give you
some of the technical underpinnings
of blockchain technology through the lens of Bitcoin.
Bitcoin is just the first use case of blockchain technology.
So if I often say Bitcoin this or Bitcoin that,
it's really largely--
not entirely-- largely applicable
to blockchain technology.
My feeling is I'm only about eight or nine months ahead
of all of you.
I may have spent my whole professional life
around finance and public service,
and I can talk a lot about markets and about
public policy, but MIT has given me
the gift of thinking about blockchain technology.
And I'm trying to return that gift a little bit for you all.
And I have a few computer scientists
in the room that are going to bail me out
if I don't get this right.
Sabrina, and then, oh, I see Alin is putting up his--
do you all know Alin?
He's actually a PhD student at MIT, computer science.
So somebody gets to that part of their life--
AUDIENCE: Terrible life choice.
GARY GENSLER: Yeah, yeah.
What was that?
AUDIENCE: Terrible life choice.
GARY GENSLER: Terrible life choice.
Yeah.
But he's going to bail us all out.
But the reason that I think it's relevant not to just belabor
it, is I really believe the only way that any of us
can get to ground truths is to know a little bit about how
the inner workings of this technology are.
You're not going to have to do an algorithm
or actually do a hash function, but to know underneath it.
And then you can step away and say
I no longer need to know how the carburetor on the car works,
but I know what a carburetor is.
Or, you know, whatever analogy you want.
So with that little bit, as opposed
to sort of all of that Socratic cold calling
that I did last class, because money,
Fiat currency is something at the core,
and ledgers is at the core of a Sloan student's
either education or background, this a little less of the core.
If today's and the next couple of lectures,
if you can work with me then I want you to interrupt me
anytime you've got a question.
I'm not going to do much cold calling.
I don't want you to relax too much.
I still want you to do the readings the next three
classes.
But just raise your hand, stop me, say, well,
but what is that all about.
And that just sort of we can work
a little bit different on these next classes.
So, as I'm always going to be doing, consistency.
What are the study questions?
So really, what are the design features?
What are the key design features of this new technology,
blockchain.
And I put a few on the syllabus.
And we're going to go through all this today and next week.
Cryptography, append-only, timestamps
blocks, distributed consensus algorithms, and networking.
I list four.
Later in this lecture, you'll see 8 or 10 that--
I guess it's 10 that we're going to really dig dig into.
Can I just get a sense of the class and this
is not for Talita or Sabrina to write down
notes about participation.
Is it a decent assumption, did most or all of you
at least read Nakamoto's paper?
All right.
Good.
All right, great.
Just a sense, how many of you felt you got at least half
of it, maybe less than 2/3, but at least half of it?
All right, pretty good.
When I first read it, I was right with you.
So it's all right.
Alin you got more than half of it, right?
AUDIENCE: I read it five years ago, so.
GARY GENSLER: You read it five years ago.
Yeah, yeah, yeah.
Yeah, life choices, talk about it.
All right.
And you're taking this class.
Good, good.
So we'll go through each of those.
And then more specifically, we're
going to peel back the cryptography.
The two main cryptographic algorithms, or these words
that you'll hear sometimes, cryptographic primitives--
Alin, what is a cryptographic primitive?
AUDIENCE: Oh, it's a wild beasts.
There are so many of them.
GARY GENSLER: Yeah, but what's the two words together mean?
AUDIENCE: Well, that's I'm saying.
It could be anything.
It could be a hash function, could be encryption function,
could be a very powerful computation scheme,
it could be a data outsourcing scheme, could be a data access
privacy access.
GARY GENSLER: But it's anything that
basically protects the communication
in the presence of adversaries.
AUDIENCE: Well it's also something
that you can use to prove that computation was done correctly
on trusted servers.
It's not just communication, it's also computation.
GARY GENSLER: So communications and computation
that needs to be protected or verified,
have some form of cryptographic algorithm,
which happens to be called a cryptographic primitive.
The two main ones--
and there's a third one we'll talk about later
in the semester-- but the two main ones, hash functions,
just as a working knowledge of blockchain is worthy to know,
and we're going to get-- everybody's going to get there.
We're going to all get there to where
you have some sense of what a hash function is.
And then this whole concept of digital signatures,
which relates to asymmetric cryptography.
Those two are very fundamental to blockchain technology.
Later in the semester, we'll talk a little bit
about zero knowledge proofs, but they're not
as fundamental to the first application.
And so that's why they're kind of--
and they help make things verifiable and immutable.
And that's the business side, the market side.
Why does it matter?
Otherwise, like, who cares what's in the carburetor
if it doesn't matter?
And then how does this all relate to the double
spend problem?
I can cold call on this.
Isabella, do you remember what the double spending
problem was from?
AUDIENCE: It was when they would use the same coin,
I guess, and they would use it multiple places
and other digital wallets [INAUDIBLE]..
GARY GENSLER: All right.
So in essence, a double spend is when
you have a piece of information and you use it twice.
And we happen to call this piece of information "money,"
but you use it twice.
You can send an email to two people and that's OK.
I mean, it's a little embarrassing
if you're sending it to one friend telling them
you're available for dinner and the other friend
thought you told them you weren't available.
But you can still send it to two places.
But in the system of money, it's a critical thing
that you don't use it twice.
The readings, was the demo helpful?
I mean, we're going to do a lot more on that.
I watched that demo last November, December.
That was one of the first things I watched.
From an MIT student.
I don't know if you knew Bosworth.
And I found it very helpful, so I'm glad.
And I see it's actually that demo is on a Stanford
blockchain course as well, so the West Coast, one
of our competitors is using an MIT product.
And so we're going to just do a slight review of what
we did in class 2.
And then we're going to talk about the key design
features, hash functions, as I mentioned,
what is an append-only log, block headers and Merkle trees,
and asymmetric cryptography and digital signatures.
Crazy.
We're going to cover all five of those today.
And then you're going to tell me how we did.
Oh, Bitcoin addresses, which is just a small thing.
Six, actually.
So last time, for those of you that weren't with us,
we talked about money.
And again, money is just a social construct,
or an economic consensus mechanism.
We're going to talk a lot about consensus
next Tuesday when we talk about the consensus
protocol on Bitcoin.
But remember, money itself is just a consensus.
There was a question on Tuesday, I
think Alin actually had asked this question
about well, what does it mean to be
a liability in the central bank?
Why is money, what does that actually mean?
And I said it just means that somebody else will accept it.
It's a social consensus because it's not
that they're going to give you anything else.
It's just that you can get a bank deposit,
you can pay your taxes, you can use it at Starbucks,
if in fact, you've already gotten a cup of coffee.
If you remember, it's only legal tender for a debt.
And so forth.
Fiat money is just in that long line.
But it's had its challenges and instabilities.
It doesn't mean it's going to go away.
I'm not a Bitcoin maximalist who thinks that Fiat currencies are
going to go away.
But Fiat currencies have their instabilities, particularly
around weak monetary policy.
In essence, when you debase a currency and allow a lot of it
to be issued, or usually around unstable fiscal policy.
So either the government is spending a lot,
the King is off to foreign wars, and the Bank of England
was actually set up in the late 17th century in essence
to control the currency when the King was--
of England, I think--
was in wars with France, if I can recall.
A lot of banks, central banks, were set up right
about when a sovereign was off debasing a currency
and spending too much at war.
Ledgers, we talked about ledgers,
how critical ledgers are.
In essence, ledgers are a way to keep records.
And those records could either be transaction records
or balance records.
We'll see that Bitcoin is set up as a transaction ledger system.
Later we're going to be talking about other blockchain
technologies that are set up as balance ledgers.
So one should not just think immutability
that there's only one way to do this.
But transactions and ledgers are at the core of Bitcoin.
And central banking is of course, built on ledgers.
The master ledger of the central bank, and then
the commercial banks have sort of the sub-ledgers.
And then you can think sometimes your digital wallet,
maybe Starbucks has yet a third tier ledger.
We obviously live in an electronic age already.
We know this.
There's been many efforts, they've
all died until Bitcoin to crack that riddle
that we talked about, peer-to-peer money
without a central authority.
And later in the semester when we
talk about what are the use cases,
that's going to be the core thing.
It's why I'm not a maximalist.
I'm not sure in every circumstance
a central intermediary isn't necessarily so bad.
And this is not a value judgment.
It's just pure money and markets and so forth.
But in some circumstances, decentralization really
will compete and beat the centralized intermediary.
So let's talk about his little paper, which of course he
was modest, or she was modest.
Please remind me, we don't know who Nakamoto is or was,
or a group of people.
"I've been working on a new electronic cash
system that's fully peer-to-peer with no trusted third party."
So you've seen this slide before.
But a time stamped append-only log.
Just think blocks of data.
To kind of oversimplify, but it's got a name, blockchain.
And I don't think-- did Satoshi's paper,
you all read it in the last few days, I of course
read it again yesterday just to make sure I remembered it,
I don't remember that he ever used the word blockchain.
Am I right about that?
Right.
So the words blockchain are really--
have been sort of layered over his innovation.
So information, blocks going on.
And that leads to basically a database.
But it's the blocks of data.
Bitcoin right now is about 550,000 blocks,
and the blocks are added on average every 10 minutes.
And we'll talk about why it's every 10 minutes, and not
only why Satoshi Nakamoto made it every 10 minutes
but how they maintain that.
Other blockchains like Ethereum it's about every seven seconds.
So don't get too caught up that it's all the same.
And there's some technologists, here Silvio Micali
is working on Algorand and that's even tighter,
less than seven seconds.
So there's not one way.
There's multiple designs on how often blocks are added.
But let's start with Bitcoin.
Secured by yes, guess what, those two
cryptographic primitives, hash functions
and digital signatures.
Lose anybody yet?
Yeah?
Maybe.
And then there's a consensus for agreement.
The whole debate usually about databases
is who gets to change the data.
And this is true in all databases.
In its essence, it's usually centralized.
But in blockchain, it's all a sudden, well, maybe it's
not centralized.
Who gets to add that next bit of information, that next block?
And the consensus agreement is--
which we'll discuss next Tuesday--
is about that very issue.
And I think there was a little pretty picture
of that done in slides before.
But I'm going to I'm going to delay that discussion
until next Tuesday.
And hopefully you'll all come back.
So what are the key features?
And I might do a little cold calling.
Do you remember any key feature, Tom?
From the papers?
AUDIENCE: Oh, boy.
GARY GENSLER: It's all right.
AUDIENCE: Yeah.
You know, the hash function.
GARY GENSLER: Hash function.
Any other key features?
Let's see how many.
I'm going to have 10 on this page.
AUDIENCE: A private and a public key.
GARY GENSLER: What is that?
AUDIENCE: Private and public keys.
Private and public--
GARY GENSLER: Oh, private and public key.
Yes.
So asymmetric cryptography, or private and public keying.
Yes, hash functions, yes, private and public key.
Any other kind of key design features,
or words you didn't understand?
Maybe that's another way to put it.
Leandro.
AUDIENCE: Addresses.
GARY GENSLER: What's that?
AUDIENCE: Addresses.
GARY GENSLER: Bitcoin addresses.
Three.
AUDIENCE: Timestamp server.
GARY GENSLER: Timestamp server.
That's four of the things.
This is going well.
[INAUDIBLE]
AUDIENCE: Double payments.
GARY GENSLER: Double payment is something
that it's trying to address.
It's not really a design feature,
but it's a-- they have a solution for double payment,
so I'll give you a credit for it.
But it's--
AUDIENCE: Miners.
GARY GENSLER: All right.
So Hugo says miners, which is really the consensus.
So I'll say that the design feature is
the consensus or proof of work.
Kelly.
AUDIENCE: The full node versus the lightweight node.
GARY GENSLER: Right.
So very interesting, this concept of nodes.
And Satoshi actually talks about full nodes
or lightweight nodes.
In essence, how much information has to be stored.
I want to reserve that.
Kelly, please remind me when we talk about block
headers to come back to that.
But nodes in the network is a very important design feature.
Over here.
AUDIENCE: The Merkle tree structure.
The Merkle tree structure.
GARY GENSLER: Merkle tree structure.
So Merkle tree structure is a way to compress a lot of data,
and also to sort through that data.
Uh-oh.
No, Sabrina's not going to clean me out here.
Merkle tree structure is there.
We're going to talk about that.
Two more.
AUDIENCE: Nonce.
GARY GENSLER: What's that?
The
AUDIENCE: Nonce.
GARY GENSLER: Nodes.
All right.
What's that?
AUDIENCE: Nonce.
GARY GENSLER: Nonce.
The nonce.
OK.
So a nonce.
Anybody know what the word nonce is?
A year ago I didn't.
So this-- so we're all getting there.
What, do I have a look, do you know what a nonce is?
Yeah.
AUDIENCE: In the actual protocol,
it's essentially a guess for the miners to kind of--
GARY GENSLER: So the word "nonce"
means a random number that is used once.
N for number, and "once."
It's a number that's random and it's used once.
That's how I've learned it.
Whew.
And so one more, because this is great, actually.
AUDIENCE: Peer-to-peer.
GARY GENSLER: Remind me your first name.
AUDIENCE: Pria.
GARY GENSLER: Pria.
Peer-to-peer.
All right.
So this is what I have.
Cryptographic hash functions.
We're going to go through these in more detail.
Timestamped append-only logs, block headers and Merkle trees.
So Merkle trees were discussed.
But we need to actually say what information
is kept at the head of the block as opposed to all the body.
And some of that's just to make it more manageable.
Asymmetric cryptography, which is this public key,
private key, and signatures.
The Bitcoin addresses themselves,
which interestingly are a little bit different than public keys.
And then I breach break because in the next,
we're going to talk about next Tuesday, the proof of work,
the miners, the then the nodes, the nonces, they're
are all in that little topic.
There's actually in Bitcoin a really important protocol
is how information gets propagated on the internet.
Just the network communication.
It's not written about a lot.
You won't read a lot about it in Nathaniel Popper's Digital
Gold or all the other popular books,
but it is an important thing to remind ourselves
that information has to propagate around the internet
and all these transactions have to communicate with each other.
There's currently about 10,000 nodes on the Bitcoin network.
We don't know where all of them are,
but they're probably in 180 different countries.
And so it's just--
also the networking and communication matters.
And it matters to the economics a lot.
There's a native currency.
This is interesting that it was the one thing that no one said.
That's an actual technological design feature.
It's not only that he created a currency,
but the native currency is part of the economic incentive
system.
And we'll have some fun with that.
In essence, he said that when you
mine and did the proof of work, you created
and you've got some native currency called Bitcoin.
So he created an economic incentive system.
Whomever Satoshi Nakamoto was or is
knew a lot about economics, as well as technology.
Yes.
AUDIENCE: I just wanted to quickly add to what you said.
So it's not only that he created this native currency,
but wants the finite supply has reached, the currency can
be distributed as a transaction fee,
which I think is very important in [INAUDIBLE]..
GARY GENSLER: And remind me your first name?
AUDIENCE: Daniel.
GARY GENSLER: So what Daniel just said
is really interesting.
Not only to take light of this individual or individuals
that did this.
But this world of Bitcoin and other cryptocurrencies
creates a unit of account that could be valued.
And once it's valued, you have sort of a native currency.
But as Daniel said, Nakamoto also
said there would be a finite limit.
It happens to be 21 million Bitcoin
is the most that it can be, and we'll
get there around the year 2040.
Does anyone know how many Bitcoin there are right now?
About half of you were investing in it.
Hugh?
Hugo?
About 17 million Bitcoin right now.
And all 17 million have come from this process
of proof of work and mining.
Initially it was 50 Bitcoin every 10 minutes,
roughly every 10 minutes.
Then it went down to 25, and we're now
at 12 and a half Bitcoin.
And does anyone know what today's value purported--
I always should say purported value of Bitcoin,
because I don't know if we can trust
some of those websites that say with the values are.
What is it?
AUDIENCE: $6,500.
GARY GENSLER: So $6,500 of Bitcoin
at 12 and a half Bitcoin to mine a block.
So you see that it's about $80,000
US is the reward to mine a block, right?
So he created an incentive system
that initially, if you got 50 Bitcoin and they
weren't worth a penny, you would not commit that much.
You had to be a hobbyist, basically, in 2009,
or a cyberpunk, or just kind of curious.
Because you weren't getting much incentive.
If in fact it's worth 6,500 today,
you're getting $80,000 if you actually successfully mine
a block.
And then there's the transaction inputs and outputs.
Think about a check, who signs it, where you move money.
There's something called the unspent transaction ledger.
So this is the ledger part.
So when you think--
I think of the technology, I think
of cryptography, which is kind of all
that stuff at the top which we're going to discuss today.
Secondly, the consensus mechanism.
In essence, that's that key question
of any database, who gets to amend the database?
Who gets to decide to change the state of what we all agreed to?
And then thirdly, is the ledger, or the transaction ledger,
which we're not going to deep dive
into the scripting language, but we
are next Thursday going to talk a little bit
about the underlying scripting.
Does that give you a path that's all this cryptography,
the consensus, and then the transactions.
Yes.
AUDIENCE: I have a question.
GARY GENSLER: And your first name?
If everybody just says first name.
AUDIENCE: Oh.
I'm just curious, so you mentioned that--
GARY GENSLER: I'm curious about your first name.
AUDIENCE: Sean.
GARY GENSLER: All right.
AUDIENCE: So just curious, you mentioned
that the block value is roughly $80,000 US as of now.
So just curious, in terms of the CPU power,
the electricity that will be consumed to mine the block,
how much does that translate to equivalent US dollar terms?
GARY GENSLER: So the question that's asked
is how much electricity is being consumed for that miner
to get that reward, that $80,000.
And I'm going to try to answer in one minute.
But we'll come back to this later in the semester about
economics, and blockchain economics, and mining
economics.
But what has happened over these 10 years
is more and more computers are being used,
or are trying to mine for the Bitcoin.
And so today in the most recent research I've seen
is that the probability of winning a block--
there's so much-- is it measured in terahashes?
I can't remember the numbers.
But it's how many terahashes, which, is it 15 zeros
Is a terahash?
Is it that, or is it 12?
Well, in any event, there's so many hashes
being done a second, x number of terahashes,
that your probability of winning is quite low.
And so what's happened is most nodes and miners
have entered into agreements called mining pools, where
they smooth out the risk and everybody
shares in the rewards.
But those economics we'll talk about later,
it's thought to be that you need electricity
cost around $0.03 a kilowatt hour to be successful.
And in most parts of the world you
can't get electricity for $0.03 a kilowatt hour.
So you would put your mining rigs
where you can get low cost electricity
or where you possibly can--
you can get it legally low cost or illegally low cost.
So there are a lot of mining rigs
and in jurisdictions where there may be local officials that
are allowing those mining rigs, and instead
of $0.03 a kilowatt hour to the electric company
it's $0.01 to $0.02 cents a kilowatt hour
to the local government officials.
And the two largest mining pools are in China.
And the third is in Russia.
But we'll get into the sort of economics
and at least some theories about why some are where they are.
So cryptography.
So Alin's probably going to clean me up.
It's not just communication in the presence of adversaries,
it's also computation in the presence of adversaries.
That would be good.
And we talked about-- we're not going to deep dive.
If you remember, even in ancient times if you were going to war
there was this wonderful little way
that you could do cryptography.
And then anybody who's seen imitation games
about the British breaking into the German codes,
even though they should have probably
given more credit to the Polish government that had probably
broken into it in the 1930s, but Turing did great work.
And then we're going to talk about asymmetric cryptography
today.
All right.
What is a hash function?
A hash function, and these are just words that I think of it,
I think of it as a fingerprint for data.
But it has certain properties.
The one that you'll see throughout
is that it takes inputs of input x.
It maps that input of any size to a fixed size.
So one that we use here in the US,
one hash function we all use is zip codes, in a way.
It's five digits, it's a fixed size.
I know I'm doing this as a loose hand, how can I think of it.
But zip codes.
You might have 50,000 people or 5,000 people all living
in one postal district.
And you can map them to zip codes, and it's a fixed let.
Now, I don't know whether my friends in the computer science
departments-- but it's an early sense of a hash function.
I just wanted to say there are tangible things in our life
that act like hash functions.
Problem with zip codes is it will not in any way
be a secure hash function.
And you'll see that in a minute.
But it does take--
you can be a 300-pound person or a 30-pound kid
and you still map into the same zip code.
It's deterministic.
It's always the same.
So if you take a certain set of data,
it will always give you the same hash.
And that's relevant to the background.
And you can efficiently compute it.
You don't want to take a year to do this.
You've got to do it in short periods of time.
And in Bitcoin's case, it's done in nanoseconds
or less, because they're one computer, one CPU can do--
can't remember, probably-- how many millions a second?
AUDIENCE: Couple of terahashes a second.
GARY GENSLER: Couple of terahashes a second.
So it's a remarkably efficient algorithm.
And so a bunch of mathematicians-- and hashing
started in the 1950s and '60s, but the ones
that we're talking about here are much more recent.
But it's really terrifically talented
scientists, mathematicians, computer scientists,
and sometimes the National Institute Standards
of Technology here in the US working on hash functions.
So it takes a array of any size, puts it into a fixed number--
I think zip codes for a minute--
it's deterministic.
It's always-- you only live in one zip code, in a sense.
And it's very efficient.
But now what are its cryptographic properties?
Because a zip code wouldn't make it.
It just wouldn't.
Well, the computer scientists use
this term preimage resistant.
I would just say it's one way, you
can only go one way, meaning it's infeasible to determine
the input from the output.
It's infeasible to determine the x from the hash of x.
Does anybody know why I use the word infeasible rather than
impossible?
AUDIENCE: [INAUDIBLE]
GARY GENSLER: First name?
AUDIENCE: Brotish.
GARY GENSLER: Brotish
AUDIENCE: Because we can do it with brute force.
GARY GENSLER: So you might be able to use it brute force.
What do you mean by brute force, just so everybody--
AUDIENCE: Try all the options.
GARY GENSLER: Try all options.
But as I understand it, a sort of tenet of cryptography
for centuries is not to have it mathematically impossible,
the point is getting it so infeasible
that your adversary can't either get the communication
or so forth.
So hash functions, I just say this
because you can't assume that Bitcoin can't be broken.
We all call it immutable.
It is immutable.
Until the hash functions that are inside of Bitcoin
might be broken.
And even Satoshi wrote about this in 2010.
He got emails.
There's this wonderful book if any of you
want that I mentioned in the bookshelf at the end
of the syllabus, he said, well what if a SHA-256, which is
the hash function, gets broken?
And his answer, by the way, was well,
there will be a better hash function at that time.
Whatever that is, we'll hash the entire system,
whatever that is.
Because remember, you can take something of any size,
hash it with a new system, and move forward.
And so he or she felt in this wonderful email
is that Bitcoin actually could transition to a new hash
function as long as you had a little bit of time
before it was all corrupted.
Kelly.
AUDIENCE: Is this what his article called the Gambler's
Ruin problem?
Is that we you're describing?
GARY GENSLER: The Gambler's Ruin problem.
AUDIENCE: The probability that an attacker could catch up
to recreating it.
GARY GENSLER: OK.
AUDIENCE: That's something else.
That's--
GARY GENSLER: Will you speak a little louder?
AUDIENCE: Yeah.
So that's the-- you want to sort of assess
how hard it is to fork Bitcoin.
If I have a lot of computational power,
how hard is it for me to create a fork?
And Satoshi does an analysis at the end of the paper--
GARY GENSLER: Oh, I apologize.
You're talking about in his paper.
Yes.
In his paper, he's talking about how hard
it is computationally to do what some people call
a 51% attack, to basically take over all the nodes.
And that part of his paper we're going
to talk about next Tuesday.
But it's basically, can you take over the nodes?
I was talking about a separate thing,
can you break the cryptography.
And he doesn't write about that in his paper.
He writes about it in an email about 10 months later or so.
Second key cryptographic thing.
So we said one is it's one way.
The other thing is this concept of collision resistant.
I presume if everybody in this room told me your birthdays,
there's multiple people in this room
who have the same birthday.
And in fact, if we got it past 26 people in a room
it's over 50% chance that two of you have the same birthday.
We don't need to get to 183 people in the room, which is
half of the days of the year.
We can get to about 26 or 7.
And similarly, the key thing is is that two sets of data are--
it's again, infeasible that x and y would
hash to the same thing.
It's not impossible.
It's infeasible.
And if you look at the history of hash functions,
this is usually the thing, that at some point in time
these hash functions will not be collision resistant.
Some quantum computing will come along,
or something will come along.
But for now you can put something of any size in
and they're independent.
They also look terribly random.
It's called an avalanche effect, meaning
you change one little difference and the whole thing
looks different.
So when you noticed on that little video,
if you changed one thing, it all looked so different.
And why that's important is it makes it more secure.
And then there's something called puzzle friendliness.
Even if you know a little bit of the input,
it doesn't mean that you're going to get the output.
I put these up here not for you to know them.
You're not going to get tested.
If you go into business, as Elon,
you've started, when you probably haven't thought,
well, collision resistant this or that.
But I just wanted you to know there
is a bunch of cryptography underneath this.
And the key is it is not 100% immutable.
It's probably one in, you know, I don't know,
a quadrillion immutable.
But there's still-- these things could be broken.
And quantum computing and something else might--
Alin.
AUDIENCE: The actual probability should be actually 1 over 2
to the power of 128.
So much more than one quadrillion.
GARY GENSLER: So it's 1 over 10 to about the 40th.
How'd I do?
My math all right?
All right.
And anybody who's interested can come to office hours.
So it's highly unlikely to be broken.
But I think it's always worthwhile to say, well,
no, there's some outward--
it's not as bounded as you think.
So what is it used for?
In many places it's used for names, and references,
and pointers, and in something called commitments.
In Bitcoin, it's used for pointers because one block
points to another block.
But it's also used in commitments.
You'll hear these words.
We're not going to delve into them.
But the headers and the Merkle trees use something
called SHA 256, which is a standard which
is literally 256 bits long.
That's like zeros and ones for 256 registries.
But a Bitcoin address actually--
Satoshi Nakamoto threw on a loop.
I'm glad to debate why, but he uses two hash functions
for Bitcoin addresses.
The one thing I saw that he actually
wrote about it is he said if one of them
is broken at least the other one is less likely to be broken.
So as I've read about it, I think
in his own voice is you have to hash something twice.
And he was just making it that much more secure,
even knowing it was one out of 10 to the 40th chance.
AUDIENCE: Which is astronomically low, so.
GARY GENSLER: Right.
So.
So remember, where's Caroline?
I remember-- there we are.
You asked me about, I thought I had set it
up for today, which you were good to remind me
for Tuesday, what's the longest running hash,
time stamped hash?
AUDIENCE: That is a great question.
GARY GENSLER: Thank you for the compliment.
AUDIENCE: The answer is--
yeah, I don't know that phonetically,
so I'm not sure if I'm totally butchering this one.
But it came out of Bell Labs with Stuart Haber and Surety.
GARY GENSLER: There he is.
Yeah.
So Haber and his colleague-- yes.
You got it.
AUDIENCE: That's my roommate.
GARY GENSLER: That's you roommate.
Terrific.
So I'm just trying to say it wasn't Bitcoin that had it.
He did this in 1991.
But by 1995, they started a company called Surety.
I don't think it took off that much.
It's not competing with Apple for the largest market cap
or anything like that or Facebook.
But every week in the notices section,
you can see a hash literally.
It's time stamped because it's in the New York Times.
And it's a hash, all those funky digits and everything
of all the information came before it.
And they're basically hashing any document.
Any document that you want a timestamp in that week,
you put it in.
One follows another, and that's a blockchain.
It's not about money.
There's no native currency and so forth.
I believe that Haber and Stornetta
are three of the eight or nine footnotes in the Satoshi paper.
Maybe it's four of them.
So he gets his credit.
And if you go to his website, Stuart Haber,
I think he says, blockchain's co-founder
on his personal website.
Who knew?
So here, we get-- this was in the National
Institute, the NIST paper.
But timestamp append-only logs in Bitcoin or blockchain.
What is put together is the header, the top information.
And if I can go past the visual and just say, what's there?
There's five pieces of key information.
The version, it doesn't change that often.
But there is a version number.
The previous block's hash, so it's
some information about all the blocks that came before it.
The Merkle Root hash, which does anybody want to tell me what
that does, the Merkle Root?
AUDIENCE: So it essentially posts the transactions
in the bottom most layer of the tree
and then creates the [INAUDIBLE] hash
of each of the transactions.
GARY GENSLER: So if I go back to this nice little picture,
the yellow box at the bottom up each of these blocks
is all the transactions.
There could be upwards to 1,000, 2,000 transactions in a block.
So there's blockchain concept, 1,000, 2,000.
There's means and methods well before Nakamoto's paper
about how to compress that, how to keep that information
a little bit tidier.
And that uses this thing called Merkle Roots.
The five items right at the top, what's called the block header,
doesn't have the 1,000 transactions.
And earlier, Kelly, you had asked me
about full nodes and light nodes.
A light node or a wallet that anyone here
could download on your cell phone
probably does not download the millions
of transactions that have happened
in the history of Bitcoin.
You are unlikely to download what's called a full node.
But you might download all the headers,
this bit of information that's all of the headers.
All of the information in Bitcoin
is still not that large.
It's less than 200 gigs.
But all of the headers, I think, is single digit gigs.
I can't remember if it's four or six gigabytes right now.
What is the number?
AUDIENCE: The header is 80 bytes.
So it's 80 bytes times 500,000, which
is 50 megabytes, 60 megabytes of headers.
GARY GENSLER: So it's 60 megabytes,
so it's much smaller as opposed to like 180 gig.
So Satoshi was thinking in advance.
And every blockchain that you're going to work on,
likely, I mean, there might be some, this concept of it's
really keeping the security by a little bit of information
in something called a header and then pushing
all the meat of the transaction and data down.
And this is really important when
you get to like Ethereum where there's
a lot of data, a lot of computation
down in each of these blocks.
It's sort of like if Stuart Haber
had a lot of documents and pictures and everything.
You don't have to have all the picture
quality and a whole movie.
You can actually hash a whole movie,
and you still get these 256 bits.
So whoops.
So the header has the previous hash, this Merkle Root,
which is just a way to get all the transactions.
Just think of a Merkle Root as a way to grab
2,000 transactions in a way.
A timestamp, that one's easy.
We can get that.
Difficulty target, anybody know what blockchain,
Bitcoin tried to do to make it more
or less difficult over time?
No.
Brodish, we've heard.
AUDIENCE: [INAUDIBLE] time but such
that it stays with creating a block every 10 minutes.
So with more computational power,
it gets harder to find a block.
GARY GENSLER: So it's harder to find a block,
the more miners there are.
So every block header needs to have some what's
called a difficulty target.
How difficult is the mining going to be?
Since we're talking about mining next Tuesday,
these all bring me back to difficulty target.
And then what's a nonce?
AUDIENCE: [INAUDIBLE]
GARY GENSLER: What's that?
AUDIENCE: Just a random number.
GARY GENSLER: A random number that's used one.
Number once, nonce.
And that's hash functions.
How'd we do?
We're a little off the skids.
We are MIT.
Yes?
AUDIENCE: I have a question.
The number of characters in the hash is equal to your--
GARY GENSLER: The output, not the input.
AUDIENCE: No.
No.
They put the number of characters in the hash
is limited, right?
So that's a pool of functions that you have.
When you have many, many transactions,
that's like a flow, right?
So internally, you're just consuming and consuming hashes
up to a point where you're going going to repeat that hash,
right?
So how do you know for the same has,
you have two different information,
to which information you're referring to?
GARY GENSLER: So could you help me pronounce your first name?
AUDIENCE: Diermo.
GARY GENSLER: Diermo, has asked the right question.
He's say, well, how do you know?
Especially as you have more and more time and more and more
time, you might get the same output of a hash
from different inputs.
And if you recall--
wait.
Somebody does recall.
Now before Brodish, in front of Brodish.
AUDIENCE: The papers mentioned that it's
possible that two the hash of x equal to hash of y.
But if the miners are working at the same time,
if the same information are not treated at the same exact time,
it won't be a problem because then they just continue just
like two different--
GARY GENSLER: So you're correct as it relates to mining.
But there is another piece of it as well
is that the hash function, if it's
a good cryptographic secure hash function,
is what's called collision resistant where what you're
saying is so infeasible, in fact,
1 divided by 10 to the 40th, that's a 1 with 40 zeroes
after it.
It's so infeasible to happen, it's possible but infeasible
to happen.
What you're referencing is what if two parties
solve the cryptographic puzzle as opposed to a collision.
And because of the difficulty, they just got at the same time.
Please.
AUDIENCE: It seems like a dumb question but--
GARY GENSLER: No.
There's no dumb questions when it comes to this.
I really mean that.
AUDIENCE: The timestamps attributed, so is it
from the whole system or?
GARY GENSLER: So timestamps are not a particularly important
part of Bitcoin.
They are timestamped.
But sometimes if somebody puts something off
and it's off by a few minutes or even up to two hours,
there's a check in the technology
in the scripting function if the timestamp's off
more than a couple hours.
So literally, it's not that precise.
Having said that, the real way that timestamping happens is
if a block is mined and it's the 540,000th block and it's sort
of accepted in all the nodes, these 10,000 nodes start mining
the 540,000 and 1st block, in essence,
it's just think of it as almost like a stack.
And so what's, in essence, more relevant than the actual time
that's in the header, and they all
have a timestamp in the header, but what's
more relevant is the order of the blocks,
and, most importantly, the previous block hash.
Yes?
AUDIENCE: I would say that without the timestamps,
you cannot do this difficulty readjustment.
The timestamps are very important.
If you don't have timestamps on the block,
you cannot do the difficulty readjustment,
which is necessary to keep the rate of blocks 10 minutes after
[INAUDIBLE].
GARY GENSLER: I'm going to partially agree
with you because the difficulty adjustment happens every two
weeks.
So even if any one individual or five or six timestamps
are a little goofed up in the two weeks,
the algorithm is basically looking over the course
of about 2,000 blocks.
AUDIENCE: Yeah.
So a little goofed up is fine.
But you need the timestamp.
GARY GENSLER: You need the timestamps.
But it's more important is basically the--
here, I'll go back a slide.
It's the order of the blocks.
Please.
AUDIENCE: Going back to when we talked about collisions.
The paper didn't really go into detail,
but it said like in addition to how unlikely
it is with to the power of 128 that even if there were two
that hashed to the same kind of has digest
that it would be unlikely that they'd
both be valid in the context.
So given what's a valid blockchain transaction
that that could even further reduce
the likelihood of any problems, which there
wasn't a lot of detail as to why the blockchain context would
even make two hashes of the same value even more unlikely
because of the context.
GARY GENSLER: I want to hold that question for Tuesday.
But it has to do with rather than the collision issue, what
the paper is talking about is if two miners solve the puzzle.
And that doesn't mean that they got identical hashes
because the puzzle is not geared to getting an exact hash.
The Bitcoin puzzle is having a certain number
of leading zeros.
So it's literally started, I think,
it was nine or 10 leading zeros.
I'm talking about 10 years ago.
And now, you have to hash to something with, I think,
it's about 20 or 26 leading zeros.
Meaning it's gotten more and more difficult,
and the result of the hash has to have
a bunch of leading zeros, what you saw in that video.
I'm sorry.
AUDIENCE: I have a question on how the hash, the [INAUDIBLE]
hash comes about.
So if it's only hashing the transactions,
how does it change when the hash of the previous block changes?
GARY GENSLER: OK, so, Addy.
It reminds me of that old television
show with Johnny Carson.
And you just did a great setup for the comedian.
So thank you.
So I'm going to go to Merkle Roots.
So Merkle Roots, which are a binary data tree,
looks something like this.
If one had 1,000 transactions, I wouldn't have a pretty slide.
So this only goes to four levels.
But think of four transactions at the bottom.
They're each hashed.
And then you concatenate.
You put the two hashes together.
You hash that.
You keep going up the tray.
If you had 1,000 transactions, because that's 2 to the 10th
roughly, then you'd have 10 levels of this tray.
And so that's what happens.
And literally, the mining pull operators are doing this a lot
for the nodes.
But in the Bitcoin core application,
in software that anybody in this room
could download the software if you wished.
There is software that helps, takes transactions, puts them
basically into this binary tree called a Merkle tree,
uses hash functions, and basically skinnies it
all the way up to the top.
Does that--
AUDIENCE: I think what my question was
that given that this structure exists,
how does the root hash change with the previous block?
So basically, we saw that if you change
the hash of the previous block, all the blocks forward
will get invalidated because the hash changes.
But it doesn't seem to use the previous hash.
GARY GENSLER: So I'm going to repeat the question.
Does the Merkle Root that is basically
a summary of the 10,000 transactions
that are in a block change if the rest of the header changes
or the previous block change?
And the answer is no.
It only changes if some of the data in the 10,000 transactions
change.
And so a Merkle Root will change if you
put different transactions in the mix
or, as is really important, one of the incentives.
You get your 12 and 1/2 bitcoins today
in what's called a Coinbase transaction.
And so one of these 1,000 transactions
is the payment to the miner.
So the Merkle Root would be different
depending upon who wins.
But that wasn't your question.
I'm just saying.
But Merkle Roots are a very efficient way
to take thousands of transactions,
store it up, have one spot.
Please.
AUDIENCE: So the order of the different transaction
has to be exactly the same for everyone that
is hashing, right?
GARY GENSLER: No, actually not.
So if you're hashing, and you're running a mining rig,
and Elon's running a mining rig, if Elon solves the puzzle
and propagates it out on the network,
and people start mining on top of Elon's block
because they say, well, he's finished.
You're not-- you're just going to probably start mining
on the top of his block and look in something called the mem
pull.
The memory pull is this network of all
the free floating transactions.
You'll scoop up the next set of transactions.
AUDIENCE: And so how can we validate
that all the transaction he wrote are the real ones?
GARY GENSLER: All right, so validation,
which is more next Thursday, but I'll give it a shot.
No, no, no.
It's a good question.
Every transaction-- or actually, you're setting me up,
digital signatures.
There you go.
Thank you.
Did you have a question or I'm going to on to digital.
So the second cryptographic thing,
and we're going to keep going back and forth,
hash functions are basically a way to compress a lot of data,
have a fingerprint, make sure that it's basically commitment.
Digital signatures, well, remember that little graph
that we had Alice and Bob?
Alice wants to send a note to Bob and just say, hello, Bob.
She wants to encrypt it.
She encrypts it with Bob's public key, sends it to him.
He decrypts it with his private key.
You might say, oh my god, Gensler, what's a private key?
What's a public key?
In cryptography, it's a way to kind of scramble information.
I know.
I'm really making this like--
So if we went back to that little mechanism
the Romans used or we used what the Germans used in the Enigma
machine, they were symmetric cryptography.
Both people had the key.
The key was the Enigma machine with five rotors.
In the 1970s, some wonderful technologist here and elsewhere
basically said, well, what if the key isn't the same?
Because the adversary could steal the key.
What if it's not symmetric but it's asymmetric?
There's a private key and a public key.
In essence, there's two keys that have
some mathematical relationship.
And the math between these two keys
don't matter for a class like this.
But know that the public key and the private key link together.
They're bonded together.
But the critical thing is about digital signatures,
there's three functions.
You have to generate a key pair.
And when a key pair is generated,
a public key and a private key are generated at the same time.
And they need a random number to go into it.
And one of the things that makes a lot
of Bitcoin and other wallets insecure,
and it's probably why some have been hacked,
the wallets, not Bitcoin, is because they don't have
good random number generation.
Yes, Brodish?
I saw-- I was at a conference last week
where a technologist from the University of Pennsylvania
had done a survey of 150 hedge funds, mining
companies, and Bitcoin wallet companies and the like.
So they actually let a cybersecurity individual
get inside and do a survey of 150 what you would consider
really committed, high end users of Bitcoin, miners
and hedge funds and crypto exchanges.
And it was horrifying, their cyber security
as to what they're doing with their private keys.
Before he even got to the private keys, many of them
didn't really have a secure way to create the random numbers
to create their private keys.
So it's just a piece.
When somebody says they have really good private key,
public key, in the back of your mind,
just know there's got to be some way to do a random number
generation.
That's the only math that I'm going
to ask you to remember of that.
There is a signature function.
And the key thing is a signature creates.
You can create a digital signature
from a message and a private key.
So if Kelly has a private key and wants
to send a secret message to somebody across the room--
Isabella, you want a message from Kelly?
Kelly's going to take the message.
You got this, Kelly?
You're going to take the message,
and you're going to sign it with a private key.
You send it over to Isabella.
How's Isabella know that it was from you?
AUDIENCE: She has to decrypt it with her key.
GARY GENSLER: She's got to verify it.
So there's a function called a verification function,
and it comes back just yes, no.
I mean, it might say it differently.
But it's just a yes, no.
It's a verification function.
Isabella-- you want to do this with me--
is going to verify your signature
is valid for this message because you
have the public key.
So you're right.
Isabella has your public key.
But using your public key, she can verify that the signature.
It's magical math.
Well, it's not magical math.
It's real math.
But it's not math we need to study in this class.
Yes, Hugo?
AUDIENCE: Back to generating the key pair.
GARY GENSLER: Yeah?
AUDIENCE: So they're both generated
from the random number?
One is not-- like the private is not
determined by the public key or the other way around?
GARY GENSLER: The public--
you can think of it--
in Bitcoin, it uses an elliptic curve cryptography.
And you can think of it as that the private key
is based on the random number.
To be more technical, the random number
is what gets you to the public key.
But I think of it as the private key
is almost the random number, and then the public key
is generated along with it.
AUDIENCE: So [INAUDIBLE].
GARY GENSLER: Yes.
AUDIENCE: So you pick a random number actually
between 0 and 256, that's your private key.
To pick a public key, you derive it
directly from the private key.
In fact, all you do is you exponentiate another number
by the private key.
So you can think of the public key
as a one way function of the private key.
So given a public key, you cannot recover the private key.
If you could, then you could sign, potentially disastrous.
GARY GENSLER: And instead of exponentiation, in Bitcoin,
it uses a function called the elliptic curve.
So what properties?
And these are the key economic properties as well as
cryptographic properties.
Basically, it's infeasible.
And again, I use the word infeasible.
I didn't say impossible, even though Eileen
might want to tell me that it's 1 over 10
to the 40th of something.
But it's infeasible to find a private key from a public key,
so reverse engineer.
AUDIENCE: So even if you can't find the private key,
like in the case of Kelly and Isabella,
if I knew Kelly's public key, could I
send a message to Isabella impersonating Kelly?
GARY GENSLER: No.
You need to do a signature--
if you please just run your eye up there.
To do a digital signature, you need
a private key and a message.
And it's a function of the message and the private key.
Let's call it complex math.
That digital signature was created from the private key.
And the public key was created from the private key.
And to oversimplify the reason that the verify function
works is because both the digital signature
and the public key that Isabella has--
Isabella has this digital signature,
and she has the public key, and she has the message.
The math is such that, basically,
the private key, if you wish, almost like factors out.
But think of two functions.
Isabella has Kelly's public key, the message,
the digital signature.
It either verifies or it doesn't.
But she never has to see the private key.
And in fact, Kelly does not want her
to ever see the private key.
AUDIENCE: Eric, maybe just to simplify
the way the validation of the digital signature works
is Kelly's message is run through a hash function which
generates a hash.
And it's encrypted with her private key.
Then the message encrypted and the digital signature
goes to Isabella.
Isabella, what she does is using the same hash function
to run it with the document to generate the hash function
and uses the public key of Kelly to unencrypt the signature
and compare those two hashes.
If those two hashes correspond that
means that the message belongs to Kelly
and it hasn't been tampered with.
So that's the more or less the simplification
of the digital signature process.
AUDIENCE: I don't know if--
GARY GENSLER: So I mean, the key is basically
that there's a scheme unrelated to Bitcoin
that exists for many other reasons on the internet,
many other reasons in commerce and at war
that this public key, private key cryptography.
And it's not simply just going back,
it's not just simply Alice sending something.
It's also digital signatures.
You generate the key pair.
Everything in Bitcoin, everything in Ethereum
has key pairs, public key and private key,
a digital signature.
But, Kelly, never lose your private key.
You got that?
Do not.
And by the way, you have to create it with a good random
number generator because most sophisticated hedge funds
around the world aren't.
So you're going to be better than those.
That's what I learned at a conference I was at recently.
And then there's a verification function.
AUDIENCE: A quick question about the random number generator
and the verification function.
So is there any third party generating
the generator or the generator is a function already existing
and already there?
GARY GENSLER: So the question is, if random number generation
is so important, are there outside parties that
have good software, in essence, to produce the random number
generation?
And the answer is yes, and there's
some that are not so good.
And yes, some good laptops have it.
At the heart, I want to skip ahead.
Elliptic curve digital signature algorithm,
that's the actual algorithm that Bitcoin uses to take
the private key and so forth.
But many of the wallets, if you download a wallet application
to hold your Bitcoin, to hold your Litecoin,
to hold some other coin, that wallet application
has a random number generation software.
I can't attest to all the random number generation software.
I'm not a cyber security expert.
But there's probably a range of some
that are a little bit more.
There's stronger ones.
The key to random number generation
is if you're generating any length that it truly
is not clumpier, that there's let's
say it's what maximum entropy, and that you really
don't have any clumps.
If it all clumps in one area, then
that's not great randomness.
So I just want to finish because there's
one other thing we're going to chat about
to lay the groundwork is Bitcoin addresses.
I put that up.
You can look at the slides later.
The details don't matter much.
But the key thing is that when you hear somebody talk
about public keys and Bitcoin addresses, colloquially,
we all reference them the same.
They're actually not.
The technology that Nakamoto did was he uses the public key.
He literally hashed it twice, once with this hash function
called SHA256, another hash function,
then concatenates, and puts a little check sum at the end,
and then uses something called a base 58 to make
it even shorter.
I've gone back and read some of Nakamoto's emails
for the two years after he published all this
and I've read other things.
My understanding is the reason there is two hash functions
and actually two different ones was just
to make everything a bit more secure.
Also, a public key is very long.
It's about 512 bits.
And so you can shrink the data and make
the data more compressed by hashing it,
which took it to 256 bits.
He hashes it twice, and then he does this base 58
and makes it even a little tighter.
So for all purposes, you could go ahead and just use
public key and Bitcoin address is the same.
But remember back in the mind, oh, actually,
they're a little different.
Bitcoin addresses are a little bit more secure supposedly,
unless of course somebody has hacked into your wallet
and figured out all these little details.
A Bitcoin address is a little bit
like the signatures on these notes we talked about, right?
Remember what an-- half of you don't use checking accounts.
But these are early forms of checks.
And there's a signature on the bottom.
That's really kind of a Bitcoin address.
I'm sorry, the signature is the digital signature.
The address, the Bitcoin address is who it's paid for.
And I promise last slide.
We're going to be talking about this next week.
Transactions, all that stuff that
rolls up into the Merkle trees.
All that little itty bitty important information,
they basically have an input and an output, the input
and a lock time.
But the input is a previous transaction.
This uniquely identifies, basically, money.
And you're going to send value in Satoshis.
He named the unit of count for himself.
There's a lot of Satoshis in every one Bitcoin.
That's why we don't hear much about Satoshis.
But there's 10 to the 8th Satoshis in every one Bitcoin.
So when you actually enter in the computer
code in a transaction, you're doing it in Satoshis.
And it's sent to a public key.
That's a coin.
That is what the incentive system's all about.
Any other questions?
And this is just I know.
There's a lot.
I wonder how many of you are going to come back on Thursday.
No.
Let me say this.
It's not just that we're at MIT.
But we are at MIT.
Come on.
Everybody in this room can get these kind of key concepts.
The key questions that we talked about
were timestamped append-only logs.
Does anybody want to tell me what a--
if this class here in the next seven minutes
can get these two concepts, that's
all we talked about for the last hour.
So I don't know your name in the orange shirt.
AUDIENCE: Andrew.
GARY GENSLER: What's that?
Andrew?
Andrew, what's time append-only logs?
AUDIENCE: Timestamped append-only logs is essentially
a record of transactions or a block
as blockchain uses it with a time.
And that can't be changed in the future.
So you can only add on transactions.
GARY GENSLER: So it's kind of immutable because
of all this cryptography.
Stuart Haber was making it in a timestamped append-only log.
And he was placing it where?
Carolyn, you still with me?
Where was Haber putting it?
AUDIENCE: New York Times.
GARY GENSLER: New York Times.
There you go in the classified section.
So it's just it's a bunch of blocks of data compressed up.
So we talked about something called
Merkle trees and Merkle Roots.
Just think about as that's a way to take a lot of information
and compress it but also make it searchable later
because 1,000 transactions, when we talk next week,
you have to be able to verify.
Somebody asked me about how to verify, right?
When you go back to verify, you need an index number to find it
in that Merkle tree situation.
And it's secured through hash functions.
Anybody want to tell me that easiest lay definition
of the hash function?
Jennifer?
AUDIENCE: It's like a mapping can be
so members can get to just one.
GARY GENSLER: Right.
You could take a picture of this classroom and everybody exactly
and they could map it into something.
I don't know.
Would a QR code be a form of a hash?
Not cryptographically secure.
But is it a hash?
AUDIENCE: It's more of a different representation
of some data rather than binary you're using.
GARY GENSLER: All right, so I failed that one.
AUDIENCE: It often stores hashes.
GARY GENSLER: So cryptographic hash function
is a way to take not only a lot of information
and put it into a fixed form, but the key thing here
is the hash functions are what tie the blocks together
because hash functions can point to previous information.
And as the video showed, if you change any of the underlying
information, the hash changes.
So what does that give you?
It basically secures the data.
You know if somebody has tampered.
So the only reason to really learn about hash functions
is it's to say, oh, I get it.
This is one of the ways to make this data tamper proof.
Go on.
AUDIENCE: I have a question about a theoretical event where
a better hash function is found than the SHA256.
How would that be implemented into the Bitcoin network
practically?
There needs to be a consensus and--
GARY GENSLER: So how would any relevant change
be adopted into Bitcoin is always a challenge
because it's a decentralized network.
And all decentralized networks have a little bit
of a governance challenge.
The governance challenge is, how do you do software updates?
We all know that on our laptops, our iPhones,
there's probably software updates going on here now
unbeknownst to me, right?
They're probably just Apple has dropped.
I mean, who knows what they're doing in here, right?
And Uber, I really, one of my favorites, who knows what's
happening inside this phone.
But the commercial enterprise, the central authority
has a way to update the software.
We probably sign some terms of use
that allows them to do that.
In a decentralized network like this,
there has to be consensus.
And so the only way really to update
the software for a new hash function or for most everything
else is, in essence, that the nodes,
the operators of the software collectively in a consensus
form adopt it.
So it's another way that not only is the data
immutable because of these hash functions but the software is.
And that comes both with benefits and costs.
Some people would say that's a bug of blockchain.
Some people would say it's a feature.
You can come to your own judgment
over the course of this semester.
But the software is harder to update
than software in centralized authorities
because centralized authorities just say--
they just push the--
now sometimes you have to click and say update.
But don't be naive.
Not every software do you click.
I mean, there's some that's just happening.
But here, you've got to have consensus.
I know it didn't answer your question
about the hash function.
But if it were a hash function that had to be updated
and everybody said they had to quickly update it,
there's interesting debates about this,
but you wouldn't need to go back over all 540,000
previous blocks.
You could just hash all 540,000 blocks, 180 gigabytes to one
256 or maybe it's then a different,
and then you'd have that.
And it would be tamper proof.
So those are the key things.
That's what we covered really.
What we're going to cover next Tuesday is consensus protocol.
We've talked a lot about proof of work
here because everybody thinks of Bitcoin about proof of work.
But we're going to talk about proof of work, the nodes,
and the native currency.
And then next Thursday, we're going
to talk about transactions.
Again, I try to break down this technology.
If you want to forget about this lecture,
and you're going to go, oh my god, it
was like going to the dentist, you
can tell your friends that you actually know
something about cryptography.
It is called cryptocurrencies.
So how could we not know something about cryptography?
But it's basically those three things.
It's cryptography.
It's a consensus mechanism and the transactions.
So right?
Cryptography, consensus mechanism, transactions.
And we will get through it.
And then you'll see this matters to finance
and whether it's got any use cases.
So thank you.