Imagine yourself to be a University Dean in the position of creating a new course on blockchains.

To which department would you assign the course?

• computer science or mathematics?
• economics or political science?
• sociology or philosophy?

In fact, any of these departments would be appropriate.

• blockchains today are still cutting edge and mysterious, but one day they will be as ubiquitous as Internet and Web
• one day many academic departments will offer courses on them, each with their own particular viewpoint

• a distributed system
• using cryptography
• to secure an evolving consensus
• about a token with economic value

• mathematics (cryptography)
• computer science (distributed systems)
• economics (exchange of tokens with economic value)
• politics (mechanisms for reaching consensus)

Blockchains are both technological and social movements, yet very few people have both backgrounds.

• those who come from technical backgrounds sometimes fall in love with the novel technology inside blockchains and ignore the social aspects entirely
• this leads to projects that solve useless problems that no one actually has
• those who come from social backgrounds are sometimes unable (or unwilling) to understand the technological aspects of blockchains
• this leads to projects that are fundamentally unsound

• libertarism: a collection of political philosophies and movements that uphold liberty as a core principle. Libertarians seek to maximize political freedom and autonomy, emphasizing freedom of choice, voluntary association and individual judgement

• Laissez-faire (listen): an economic system in which transactions between private parties are absent any form of government intervention

• Anarcho-capitalism: a political philosophy and economic theory that advocates the elimination of centralized states in favor of self-ownership, private property and free markets

• Crypto comes from the Ancient Greek kruptós, meaning hidden or secret

• Crypto-anarchism: a form of anarchy accomplished through computer technology. Crypto-anarchists employ cryptographic software for confidentiality and security while sending and receiving information over computer networks, in an effort to protect their privacy, their political freedom, and their economic freedom (Crypto Anarchist Manifesto, Timothy C. May, 1988)

• Cypherpunk: any activist advocating widespread use of strong cryptography and privacy-enhancing technologies as a route to social and political change (A Cypherpunk’s Manifesto, Eric Hughes, 1993)

We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money. […] Cypherpunks write code. We know that software can’t be destroyed and that a widely dispersed system can’t be shut down. A Cypherpunk’s Manifesto by Eric Hughes (9 March 1993)

Blockchain is much more than a technology, it is also a culture and community that is passionate about creating a more equitable world through decentralization.

We are now entering a radical evolution of how we interact and trade because, for the first time, we can lower uncertainty not just with political and economic institutions but with technology alone. Bettina Warburg

A cryptographic token is a quantified and tradable unit of value recorded on the blockchain.

• fungible tokens are cryptocurrencies (Bitcoin and alternative coins); they are interchangeable and can be split in smaller pieces whose sum makes the whole
• non-fungible tokens represent something unique (for instance, a digital work of art); think of them like rare, one-of-a-kind collectibles. They are not interchangeable and cannot be divided

A cryptocurrency (or digital currency) is a digital asset designed to work as a medium of exchange that uses strong cryptography to secure financial transactions, control the creation of additional units, and verify the transfer of assets.

• cryptocurrencies use decentralized control as opposed to centralized digital currency and central banking systems
• they work through a blockchain that serves as a public financial transaction database
• Bitcoin, first released in 2009, is generally considered the first decentralized cryptocurrency
• since the release of bitcoin, over 4,000 altcoins (alternative variants of bitcoin) have been created

• B-money was an early proposal created by Wei Dai for an anonymous, distributed electronic cash system (Wei Dai’s proposal)

• Bitcoin: A Peer-to-Peer Electronic Cash System, Satoshi Nakamoto, 2009

The message of Satoshi Nakamoto (creator of Bitcoin) embedded into the very first Bitcoin block:

The Times 03/Jan/2009 Chancellor on brink of second bailout for banks

Considering the context in which they appear – during the bank-driven financial crisis of 2009, the worst after the economic recession of 1929 – these words are calling for revolution.

Here is the original post of Satoshi Nakamoto proposing a peer-to-peer electronic cash system called Bitcoin.

Fiat money is a currency without intrinsic value that has been established as money, often by government regulation.

The term fiat derives from the Latin fiat (“let it be done”) used in the sense of an order, decree or resolution.

• a cryptocurrency exchange is a business that allows customers to trade cryptocurrencies for other assets, such as conventional fiat money or other digital currencies
• Coinbase is a popular digital currency exchange exchanging Bitcoin, Bitcoin Cash, Ethereum, Ethereum Classic, and Litecoin with fiat currencies
• as of 2019, cryptocurrency and digital exchange regulations in many countries remain unclear as regulators are still considering how to deal with these types of businesses

The numerous components of blockchain technology can make it challenging to understand.

However, each component can be described simply and used as a building block to understand the larger complex system.

1. blocks
2. hash
3. chain
4. proof of work
5. transactions
6. digital signature
7. peer-to-peer

The building blocks of a blockchain are… blocks.

A block is a container for data

In its simplest form it contains:

• an identification number
• a timestamp of block creation
• a bunch of data (usually, transactions)

genesis_block = list(number = 0,
                     timestamp = "2009-01-03 18:15:05",
                     data = "The Times 03/Jan/2009 
                     Chancellor on brink of second bailout for banks")

• each block has a fingerprint called hash that is used to certify the information content of the block
• hashes of blocks are created using cryptographic hash functions, that are mathematical algorithms that maps data of arbitrary size to a bit string of a fixed size
• a popular hash algorithm is SHA-256, designed by the United States National Security Agency (NSA)
• it uses a hash of 256 bits (32 bytes), represented by an hexadecimal string of 64 figures
• \(2^{256} \approx 10^{77}\) is huge (more or less the estimated number of atoms of our universe), an infinite number for any practical purposes

The ideal cryptographic hash function has five main properties:

• it is deterministic so the same message always results in the same hash
• it is quick to compute the hash value for any given message
• a small change to a message should change the hash value extensively
• it is infeasible (but not impossible) to generate a message from its hash value
• it is infeasible (but not impossible) to find two different messages with the same hash value

# load library
library(digest)

# hash a string
digest("Così tra questa immensità s'annega il pensier mio: 
       e il naufragar m'è dolce in questo mare", "sha256")

## [1] "721956f9e4d4a31524ec94bc9926445c81228b96129132745a362eca8d016154"

# hash a slightly different string
digest("Così tra questa infinità s'annega il pensier mio: 
       e il naufragar m'è dolce in questo mare", "sha256")

## [1] "0095d410ee1935a163891970ee2606f2031238ac7adf839fe02d3353162cf5a0"

• blocks are chronologically concatenated into a chain by adding to the block a field with the hash of the previous block in the chain
• it follows that the hash of each block is computed using also the hash of the previous block
• this means if you alter one block you need to modify not only the hash of it but that of all following blocks for the chain to be valid
• the first block of the chain is called the genesis block and represents the initial state of the system (Bitcoin genesis block, Ethereum genesis block)

mine <- function(previous_block, genesis = FALSE){
  if (genesis) {
    # define genesis block
    new_block <- list(number = 0,
                      timestamp = Sys.time(),
                      data = "I'm genesis block",
                      parent_hash = "0")  
  } else {
    # create new block
    current_number = previous_block$number + 1
    new_block <- list(number = current_number,
                      timestamp = Sys.time(),
                      data = paste0("I'm block ", current_number),
                      parent_hash = previous_block$hash)
  }
  # add hash 
  new_block$hash <- digest(new_block, "sha256")
  return(new_block)
}

chain = function(nblocks) {
  # mine genesis block
  block_genesis <- mine(NULL, TRUE)   
  
  # first block is the genesis block
  blockchain <- list(block_genesis)

  if (nblocks >= 2) {
    # add new blocks to the chain
    for (i in 2:nblocks){
      blockchain[[i]] <- mine(blockchain[[i-1]], FALSE) 
    }
  }
  
  return(blockchain)
}

chain(nblocks = 3)

## [[1]]
## [[1]]$number
## [1] 0
## 
## [[1]]$timestamp
## [1] "2019-11-20 11:29:21 CET"
## 
## [[1]]$data
## [1] "I'm genesis block"
## 
## [[1]]$parent_hash
## [1] "0"
## 
## [[1]]$hash
## [1] "8c80781dc1edf148577d65c62fcf22c0b05e3cc996e2212bcf00bdf689843f81"
## 
## 
## [[2]]
## [[2]]$number
## [1] 1
## 
## [[2]]$timestamp
## [1] "2019-11-20 11:29:21 CET"
## 
## [[2]]$data
## [1] "I'm block 1"
## 
## [[2]]$parent_hash
## [1] "8c80781dc1edf148577d65c62fcf22c0b05e3cc996e2212bcf00bdf689843f81"
## 
## [[2]]$hash
## [1] "ca704285eaf95c172fa151bfbfea9979b28c5ce5605d1faafd1fe49f72b718be"
## 
## 
## [[3]]
## [[3]]$number
## [1] 2
## 
## [[3]]$timestamp
## [1] "2019-11-20 11:29:21 CET"
## 
## [[3]]$data
## [1] "I'm block 2"
## 
## [[3]]$parent_hash
## [1] "ca704285eaf95c172fa151bfbfea9979b28c5ce5605d1faafd1fe49f72b718be"
## 
## [[3]]$hash
## [1] "57e8f432bbce2a703fbbd5fcb8a0ab1aaed02032d1b3f27694582af600a1a77a"

• hash alone is not enough to prevent tampering, since hash values can be computed fast by computers
• a proof of work method is needed to control the difficulty of creating a new block
• to mine (create) a new block you have to find a solution to a computational problem that is hard to solve and easy to verify
• this is a cryptographic puzzle that can be attacked only with a brute-force approach (trying many possibilities), so that only computational power counts
• one CPU one vote is blockchain democracy

• typically, the proof of work problem involves finding a number (called nonce) that once added to the block is such that the corresponding block hash starts with a string of leading zeros of a given length called difficulty
• the average work that a miner needs to perform in order to find a valid nonce is exponential in the difficulty, while one can verify the validity of the block by executing a single hash function
• miners tend to organize themselves into pools whereby they work together in parallel and split the reward
• available computing power increases over time, as does the number of miners, so the puzzle difficulty is generally increasing, so that the mining frequency is approximately constant
• the amount of energy used for the mining process is not trivial: it is estimated that Bitcoin mining consumes as much electricity as Denmark

proof_of_work = function(block, difficulty) {
  block$nonce <- 0
  hash = digest(block, "sha256")
  zero <- paste(rep("0", difficulty), collapse="")
  while(substr(hash, 1, difficulty) != zero) {
      block$nonce = block$nonce + 1
      hash = digest(block, "sha256")  
  }
  return(list(hash = hash, nonce = block$nonce))
}

proof_of_work(genesis_block, 1)

## $hash
## [1] "047a64e2b4e9b1a410e3000137388b87bd5a81cc4f123e31b955165e9f43696d"
## 
## $nonce
## [1] 6

proof_of_work(genesis_block, 2)

## $hash
## [1] "003722bfa5f44c1feb4cb378c3c9ef81c296aad19b45cb276895205445cf52db"
## 
## $nonce
## [1] 456

proof_of_work(genesis_block, 3)

## $hash
## [1] "0001d5bd9509cf12da2fece9045768d474064bc7b587332c8b19cd57b937aab4"
## 
## $nonce
## [1] 2222

proof_of_work(genesis_block, 4)

## $hash
## [1] "00009859981b96f9db1ef9ad0b231579859d40f793dc76436adf9f20d5042112"
## 
## $nonce
## [1] 98060

mine <- function(previous_block, difficulty = 3, genesis = FALSE){
  
  if (genesis) {
    # define genesis block
    new_block <-  list(number = 0,
                       timestamp = Sys.time(),
                       data = "I'm genesis block",
                       parent_hash = "0")  
  } else {
    # create new block
    current_number <- previous_block$number + 1
    new_block <- list(number = current_number,
                      timestamp = Sys.time(),
                      data = paste0("I'm block ", current_number),
                      parent_hash = previous_block$hash)
  }
  
  # add nonce with proof of work
  new_block$nonce <- proof_of_work(new_block, difficulty)$nonce
  
  # add hash 
  new_block$hash <- digest(new_block, "sha256")
  return(new_block)
}

chain = function(nblocks, difficulty = 3) {
  # mine genesis block
  block_genesis = mine(NULL, difficulty, TRUE)   
  
  # first block is the genesis block
  blockchain <- list(block_genesis)

  if (nblocks >= 2) {
    # add new blocks to the chain
    for (i in 2:nblocks){
      blockchain[[i]] <- mine(blockchain[[i-1]], difficulty) 
    }
    
  }
  
  return(blockchain)
}

chain(nblocks = 3)

## [[1]]
## [[1]]$number
## [1] 0
## 
## [[1]]$timestamp
## [1] "2019-11-20 11:29:26 CET"
## 
## [[1]]$data
## [1] "I'm genesis block"
## 
## [[1]]$parent_hash
## [1] "0"
## 
## [[1]]$nonce
## [1] 362
## 
## [[1]]$hash
## [1] "000e5ee72128f8307466596cba155b217d7b3e344096ec701046d469ed78bf75"
## 
## 
## [[2]]
## [[2]]$number
## [1] 1
## 
## [[2]]$timestamp
## [1] "2019-11-20 11:29:26 CET"
## 
## [[2]]$data
## [1] "I'm block 1"
## 
## [[2]]$parent_hash
## [1] "000e5ee72128f8307466596cba155b217d7b3e344096ec701046d469ed78bf75"
## 
## [[2]]$nonce
## [1] 4576
## 
## [[2]]$hash
## [1] "000c897976b5d3a7c64c978828f1a51561bc2fe923ae3370fd597c7cfb94e2ff"
## 
## 
## [[3]]
## [[3]]$number
## [1] 2
## 
## [[3]]$timestamp
## [1] "2019-11-20 11:29:27 CET"
## 
## [[3]]$data
## [1] "I'm block 2"
## 
## [[3]]$parent_hash
## [1] "000c897976b5d3a7c64c978828f1a51561bc2fe923ae3370fd597c7cfb94e2ff"
## 
## [[3]]$nonce
## [1] 9799
## 
## [[3]]$hash
## [1] "00070075af88d78ba128512881a114634befe86ca38b406e4d98c30b660189bb"

• an alternative, less energy-consuming consensus mechanism is proof of stake
• the proof of stake model is based on the idea that the more stake a user has invested into the system, the more likely they will want the system to succeed, and the less likely they will want to subvert it
• stake is an amount of cryptocurrency that once staked is no longer available to be spent
• the likelihood of a user mining a new block is tied to the ratio of their stake to the overall staked cryptocurrency
• with this consensus model, there is no need to perform resource intensive computations
• however, the rich gets richer phenomenon may arise

• a block contains a header with metadata (like block number and timestamp) and a data field with a certain number of transactions
• a transaction represents an interaction between parties, typically a transfer from sender to receiver of cryptocurrencies or of any other token
• each transaction has a fee that must be payed by the sender
• each potential miner includes in its block a subset of pending transactions
• the miner of the block gets the fees of all blocked transactions plus a fixed, newly minted amount of crypto coins (this is how new coins are introduced in the blockchain economy)
• here is a transaction on the Ethereum blockchain selling an artwork against cryptocurrency (2.5 Ether)

• blockchain uses asymmetric cryptography (also known as public-key cryptography) to implement digital signatures of transactions
• asymmetric cryptography uses a pair of keys: a public key and a private key
• the public key is made public, but the private key must remain secret
• even though there is a mathematical relationship between the two keys, the private key cannot efficiently be determined from the public key

• asymmetric cryptography enables a trust relationship between users who do not trust one another
• it provides a mechanism to verify the integrity and authenticity of transactions while at the same time allowing transactions to remain public
• each transaction is signed with the sender’s private key and anyone can verify the authenticity of the transaction using the sender’s public key
• alternately, one can encrypt data with a user’s public key such that only users with access to the private key can decrypt it
• this contrasts with symmetric cryptography in which a single pre-shared secret key is used to both encrypt and decrypt
• with symmetric cryptography users must already have a trust relationship

• RSA (Rivest–Shamir–Adleman) is one of the first asymmetric cryptography algorithms and is widely used for secure data transmission
• in RSA, the asymmetry between private and public keys is based on the practical difficulty of the factorization of the product of two large prime numbers, the factoring problem
• there are currently no published methods to defeat the system if a large enough key is used

## Digital signature

# load library
library(openssl)

# generate a private key (key) and a public key (pubkey)
key <- rsa_keygen()
pubkey <- key$pubkey

# build a transaction
trans = list(sender = "A", receiver = "B", amount = "100")

# serialize data
data <- serialize(trans, NULL)

# sign (a hash of) the transaction with private key
sig <- signature_create(data, sha256, key = key)

# verify the message with public key
signature_verify(data, sig, sha256, pubkey = pubkey)

## [1] TRUE

## Encryption

# load library
library(openssl)

# generate a private key (key) and a public key (pubkey)
key <- rsa_keygen(512)
pubkey <- key$pubkey

# message
msg <- charToRaw("Blockchain is magic!")

# cipher the message with public key
ciphermsg <- rsa_encrypt(msg, pubkey)

# decrypt the message with private key
rawToChar(rsa_decrypt(ciphermsg, key))

## [1] "Blockchain is magic!"

• blockchain users must manage and securely store their own private keys
• instead of recording them manually, they often use software, called wallet, to securely store them
• if a user loses a private key, then any digital asset associated with that key is lost, because it is computationally infeasible to generate the private key from the public one
• if a private key is stolen, the attacker will have full access to all digital assets controlled by that private key
• on blockchain there is no central authority to restore a lost password
• one popular wallet on Ethereum blockchain is metamask

• some blockchains make use of an address, which is a short, alphanumeric string of characters that identify a user of the blockchain
• an address is derived from the user’s public key using a cryptographic hash function
• most blockchain implementations make use of addresses as the to and from endpoints in a transaction
• a user can generate as many asymmetric-key pairs, and therefore addresses as desired, allowing for a varying degree of anonymity

• the cryptographic algorithms utilized within most blockchain technologies for asymmetric pairs (digital signature) will need to be replaced
• the hashing algorithms used by blockchain networks are much less susceptible but are still weakened

Finally, the blockchain ledger is distributed over a peer-to-peer network.

The steps to run the network are as follows:

1. new transactions are broadcast to all nodes
2. each node collects some transactions into a block
3. each node works on finding a difficult proof of work for its block
4. when a node finds a proof of work, it broadcasts the block to all nodes
5. nodes accept the block only if all transactions in it are authentic and not already spent
6. nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash (hence notice that uncompleted proof of work of miners is lost and all miners need to restart a new proof of work)

• it is possible that multiple blocks will be published at approximately the same time
• this can cause differing versions of a blockchain to exist at any given moment
• these must be resolved quickly to have consistency in the blockchain network
• blockchain nodes will wait until the next block is published and use the longer blockchain as the official blockchain

• an attacker might garner enough resources (more than half) to outpace the block creation rate of rest of the blockchain network
• she can now play with her rules, for instance defraud people by stealing back her payments
• why is this attack deemed to fail?

The incentive of rewards may help encourage nodes to stay honest.

If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins.

He ought to find it more profitable to play by the rules (generate new coins), such rules that favor him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth. Satoshi Nakamoto (Bitcoin white paper)

• a hard fork is a change to a blockchain implementation that is not backwards compatible
• at a given point in time (usually at a specific block number), all nodes will need to switch to using the updated protocol
• nodes that have not updated will reject the newly formatted blocks and only accept blocks with the old format
• this results in two incompatible versions of the blockchain existing simultaneously
• a popular hard fork separated Ethereum blockchain from Ethereum Classic after The DAO scam

• the traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party
• the necessity to announce all transactions publicly precludes this method
• but privacy can still be maintained by keeping public keys anonymous
• this is similar to the level of information released by stock exchanges, where the time and size of individual trades, the tape, is made public, but without telling who the parties were

• how blockchain will comply with General Data Protection Regulation (GDPR)?
• any company storing personal data of EU citizens should follow the regulation
• mind that your digital wallet address might be personal data because it can link to your identity if for instance you bought crypto currency using a credit card or a digital exchange using the Know Your Customer (KYC) process
• there are three articles in the GDPR that conflicts with blockchain:
  1. Article 16: right to rectification
  2. Article 17: right to be forgotten
  3. Article 18: right to restrict processing
• but who is the data controller (the company that stores the personal data and is responsible for it) on the blockchain?

1. encrypt the personal data before you store it on blockchain
   • however encryption is in theory reversable
2. store the personal data in a permissioned blockchain, where access is restricted to only few trusted parties
   • we can comply with Article 18 (right to restrict processing)
   • but a permissioned blockchain is still immutable, hence we can’t comply with Articles 16 and 17
3. store the personal data somewhere else, on a secure server, and put on the blockchain the hash of the personal data
   • you partially centralize the blockchain
4. use zero-knowledge proofs (ZKP), which allows you to prove that something is true without revealing the actual data, in case of blockchain you can prove that the transaction has happened without disclosing the data (parties and amount)
   • this technology is used by crypto currency Zcash

Ethereum blockchain is enriched with smart contracts. The term smart contract dates to 1994, defined by Nick Szabo as:

A computerized transaction protocol that executes the terms of a contract. The general objectives of smart contract design are to satisfy common contractual conditions (such as payment terms, liens, confidentiality, and even enforcement), minimize exceptions both malicious and accidental, and minimize the need for trusted intermediaries.

The user issuing a transaction to a smart contract will have to pay a fee proportional to the complexity of the code executed.

• odometers, Bosch IoT Lab
• digital voting, Agora
• food supply chain, IBM and Walmart
• global trade platform, IBM and Maersk
• digital art, Pixura

Crypto art (or rare digital art) is limited-edition, collectible, and tradable art registered with a token on a blockchain.

We illustrate the typical workflow of crypto art with a real example from the digital gallery SuperRare.

1. an artist creates a digital artwork (an image or animation) and uploads it to the gallery
2. the smart contract of the gallery creates a non-fungible token on the Ethereum blockchain associated with the artwork and transfers the token to the artist’s wallet
3. also, the gallery distributes the artwork file over the IPFS peer-to-peer network; hence nor the token nor the artwork are on any central server
4. collectors can place valued bids on the artwork by transferring a bidden amount to the smart contract of the gallery (the collector can withdraw bids at anytime)
5. eventually the artist accepts one of the bids: the smart contract of the gallery transfers the artwork’s token to the collector’s wallet and the agreed cryptocurrency to the artist’s wallet
6. the artwork remains tradable on the market

“Ownership does not include intellectual property rights such as copyright claims, ability to produce commercially, and create merchandise therefrom, etc. The intellectual property remains the possession of the creator” SuperRare Terms of Service

• the corpus mysticum of a protectable artwork is the intellectual and immaterial creation of the work
• to be perceivable the corpus mysticum must materialize in some material medium, namely the canvas of a painting, the stone for a sculpture, a CD for a musical work, the paper of the book for a novel, or a file for a digital work. This is the corpus mechanicum
• the artist transfers to the buyer the corpus mechanicum and not the corpus mysticum
• in particular, the possibility of commercial exploitation of any reproduction of the artwork remains with its author
• read more here (in Italian)

• the InterPlanetary File System (IPFS) is a protocol and peer-to-peer network for storing and sharing hypermedia in a distributed file system
• IPFS uses content-addressing storage to uniquely identify each file, a way to store information so it can be retrieved based on its content, not its location
• each file is identified by the hash of its content; when you look up a file to view or download, you’re asking the network to find the nodes that are storing the content behind that file’s hash
• you don’t need to remember the hash, though — every file can be found by human-readable names using a decentralized naming system called IPNS
• each network node stores only content it is interested in, plus some indexing information that helps figure out which node is storing what
• IPFS lets you address large amounts of data and place the immutable, permanent links into blockchain transactions. This timestamps and secures content without having to put the data itself on the chain (which would be much expensive)

Any sufficiently advanced technology is indistinguishable from magic. Arthur C. Clarke

• Bitcoin: A Peer-to-Peer Electronic Cash System, Satoshi Nakamoto, 2009
• Blockchain Technology Overview, National Institute of Standards and Technology, 2018
• Why It’s Hard to Get Bitcoin: The Blockchain Spectrum, Dhruv Bansal, 2017