cs765-s2023-endsem-sol

The CS765 Final Examination covers various topics related to Bitcoin transactions, Byzantine Fault Tolerance, and the Algorand consensus algorithm. It includes questions on transaction graphs, PBFT protocol rules, requirements for Strong Consensus, and the mechanics of the Lightning Network. Additionally, it explores the implications of modified Bitcoin-NG protocols and the expected performance based on miner hashing power distribution.

Uploaded by

Shreyas Katdare

CS765 Final Examination

Duration: 3 hours; Max. Marks: 65

1. (8 marks) The figure below shows part of a Bitcoin transaction graph. Each transaction has
inputs and outputs. The public keys corresponding to inputs and outputs are shown (P1,
P2, P3, etc.). Now a detective knows that transaction T4 was used by person "A" to purchase
something from person "B". Among all the outputs, the detective finds that only P8, P12,
P14, P17, and P18 are new public keys used for the first time in the blockchain in the
transactions shown below. Keys corresponding to other outputs were used earlier in the
blockchain, in transactions not shown here.

a. (4 marks) Make an intelligent guess about which keys in the figure are public keys of
“A”. You may use the heuristics discussed in class (such as wallets generating new
“change addresses” etc.) and also state any additional heuristics of your own.
Explain the reasons for your guess.
b. (4 marks) Make an intelligent guess about which keys in the figure are public keys of
“B”. You may use the heuristics discussed in class and also state any additional
heuristics of your own. Explain the reasons for your guess.
2. (10 marks) In PBFT, suppose an honest replica i sends out a PREPARE message
<PREPARE,v,n,D(m),i>, where v is the view, n is the sequence number, D(m) is the
digest (hash) of message m, and indicates that the message is signed by replica i. Let
us assume that the total number of replicas in the system is N=3f+1 where f is the
maximum allowed number of Byzantine replicas in the system. State if each of the following
are True or False, and explain why (state rule(s) in the protocol and/or give a
counter-example).
a. (3 marks) Replica i will never (under no circumstances) receive a P-certificate for
tuple (n,v,m′) where m′≠m.
b. (3 marks) Replica i will never receive a P-certificate for (n,v′,m) where v′≠v.
c. (4 marks) Replica i will never receive a C-certificate corresponding to (n,v′,m′),
where v′≠v and m′≠m. (Let us assume here that a COMMIT message explicitly
contains its corresponding message digest, sequence number and view number.)
3. (6 marks) Answer the following related to Byzantine Fault Tolerance. Answer to the point.
a. (3 marks) State the 3 requirements (Agreement, Validity, Termination) for Strong
Consensus in the Byzantine Generals' problem.

b. (3 marks) State the FLP Impossibility theorem for distributed consensus.


4. (8 marks) In Zyzzyva, suppose there are N=3f+1 replicas in the system. Suppose a client
sends a request and then by the time the client’s timer expires, it gets between (2f + 1)
and 3f consistent speculative responses from nodes.
a. (4 marks) Give the format of a typical speculative response sent by replica-i to the
client and state what each field in the message refers to, and which part of the
message is signed, and signed by whom.
b. (4 marks) What message does the client send out after its timer expires in the
scenario described above, and to which nodes in the system? Explain what each
field in the message contains.
5. (5 marks) Commitment Transactions in the Bitcoin Lightning Network use a special type of
output called Revocable Sequence Maturity Contract (RSMC). Suppose two parties A and B
have a payment channel and have created a commitment C1a which has an output “RSMC
(A|B) (PKA3, PKB4); 0.4 BTC; 1000 blocks". The secret keys associated with
public keys PKA3 and PKB4 are SKA3 and SKA4 respectively. PKA3 belongs to A and
PKB4 belongs to B.
Explain the different ways in which the RSMC output can be spent in case C1a gets onto the
blockchain. You should clearly state which keys are used to sign the transaction(s) which
take as input the RSMC output of C1a. Also state when the transactions can be included in
the blockchain.
6. (8 marks) Suppose a hash time-locked contract is represented as HTLC(X,Y,a,p,t). The
logic that the contract implements and the meaning of the various parameters are given
below. (Note: we are not bothered with the exact implementation of the logic in Bitcoin
transactions using commitments etc. We are only concerned with the logic of the contracts in
this question.)

Contract HTLC(X,Y,a,p,t) between nodes X and Y:

    Lock "a" BTC of X
    if Y gives secret R, such that Hash(R)=p, to X before "t" days
        Transfer X's locked "a" BTC to Y
    else
        unlock "a" BTC of X

Consider the following 4 node path in the Lightning network.

A ----------- B --------------C --------------D

Suppose A wants to pay D a total of 5 BTC. At the same time, B and C want some “routing
fees” (0.1 BTC) since they are helping make the payment. Hence, they set up the following
hashed time-locked contracts: HTLC(A, B, 5.2, p, 3); HTLC(B, C, 5.1, p, 2); HTLC(C, D, 5.0,
p, 1).

In the normal (honest) working of the Lightning Network, D reveals R (where p=Hash(R)) to
C before 1 day, C reveals R to B before 2 days, and B reveals R to A before 3 days. As a
result, the “if” clause of the contracts gets executed in all payment channels on the path.

Money Locking Attack: Suppose that D is malicious. D is not really interested in receiving
the payment from A. Its goal is to lock up 5.2 BTC of A, 5.1 BTC of B, and 5.0 BTC of C in
the payment channels for 3 days, 2 days, and 1 day respectively so that this money cannot
be used for making other payments. It hence does not reveal secret R to anyone. As a
result, the “else” clause is executed in all smart contracts, D is not penalised in any way, and
the money of the others on the path is locked up for some time.

Modify the above smart contracts in order to (i) deter such an attack by D, assuming D is
rational and does not want to lose money, and (ii) compensate all of A, B, and C in case D
performs this attack. All other nodes, besides D, are assumed to be honest.

In your answer, write out the new logic of the contracts and explain how it addresses
both the requirements stated above.
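
The following simulation runs the three contracts exactly as set up in the question (not the modified contracts the question asks for), in the honest case and under the money locking attack. It is an added example, not part of the original exam; SHA-256 stands in for Hash, the secret R is a constructed value, and funds are assumed to settle immediately when R is revealed.

```python
import hashlib
from decimal import Decimal

def H(secret: bytes) -> str:
    # Assumption: SHA-256 stands in for the question's Hash()
    return hashlib.sha256(secret).hexdigest()

# (payer X, payee Y, amount a in BTC, timeout t in days), as set up in the question
PATH = [("A", "B", Decimal("5.2"), 3),
        ("B", "C", Decimal("5.1"), 2),
        ("C", "D", Decimal("5.0"), 1)]

def settle(path, p, revealed):
    """Run every HTLC(X,Y,a,p,t) on the path.

    revealed: the secret the last node hands back (None if it withholds it).
    Returns (net balance change per node, BTC-days of capital locked per payer).
    """
    balance = {node: Decimal(0) for hop in path for node in hop[:2]}
    locked_btc_days = {}
    secret = revealed
    for x, y, a, t in reversed(path):      # the secret travels from D back to A
        if secret is not None and H(secret) == p:
            balance[x] -= a                # "if" clause: X's locked a BTC goes to Y
            balance[y] += a
            locked_btc_days[x] = Decimal(0)  # assumption: settled immediately
        else:
            locked_btc_days[x] = a * t     # "else" clause: a BTC frozen for t days
            secret = None                  # nothing valid to pass upstream
    return balance, locked_btc_days

if __name__ == "__main__":
    R = b"constructed-secret-R"            # constructed sample secret
    p = H(R)
    for label, revealed in (("honest D", R), ("D withholds R", None)):
        balance, locked = settle(PATH, p, revealed)
        print(label)
        for node in sorted(balance):
            print(f"  {node}: net {balance[node]:+} BTC, "
                  f"locked {locked.get(node, Decimal(0))} BTC-days")
```

In the attack run every balance change is zero, D included, while A, B and C carry 15.6, 10.2 and 5.0 BTC-days of frozen capital respectively.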
7. (12 marks) Explain the following about Algorand.
a. (3 marks) Explain what a Verifiable Random Function (VRF) is by stating what its
inputs and outputs are, and what the properties of the outputs are. Give a practical
example using signatures and hash functions.
b. (3 marks) Give the pseudocode for the Sortition procedure. State clearly what the
inputs and outputs of the Sortition function are. You need not give any lengthy
explanation, just the pseudocode is sufficient.
c. (2 marks) Explain how Sortition reduces the ability of an adversary to launch a
denial-of-service (DoS) attack on the committee selected by Sortition.
d. (4 marks) Explain the two steps of Reduction. You should explain what any honest
node, which is part of a committee in any of these steps, broadcasts in the network
based on what it has heard in the previous step(s).
8. (8 marks) In class, we studied Bitcoin-NG which used two types of blocks: key-blocks (which
have PoW and no transactions, except possibly a coinbase) and microblocks (which don’t
have PoW, but have transactions). Assume that network delays are zero and that all
miners are honest.

Consider a modified version of Bitcoin-NG in which each microblock is now required to
have proof-of-work (PoW) equal to a fraction of the PoW of a key-block. We
neglect coinbase transactions for simplicity.

The protocol is best explained with an example. Suppose a miner A has just mined a
key-block. Now “A” tries to mine a key-block or a micro-block simultaneously using a 2-for-1
mining scheme as described next. “A” creates a potential bitcoin block consisting of at most
100 transactions (say this equals a size of 100KB), which has the last block in the heaviest
chain as its parent, and then repeatedly replaces the Nonce in the header, as in Bitcoin
mining. If the hash of the header becomes less than T, then he has mined a key-block and
releases only the header and discards the transactions. Thus the key-block effectively has
only PoW and no transactions. If on the other hand, the hash of the header is between T and
then he has mined a micro-block. He releases the entire block (header and
transactions) which together constitute a micro-block. Note that mining a micro-block is
much easier for A than mining a key-block, since the target space for mining a micro-block is
times larger than that for mining a key-block. “A” continues this 2-for-1 mining scheme
until some other miner creates a key-block. We assume that all miners release blocks
immediately after mining them.

Consider any other miner, say B. Since the last key-block in the chain was mined by A,
miner B is not allowed to mine micro-blocks. B can only try to mine a key-block. It does so by
creating an empty bitcoin block consisting of only a header, which points to the last block in
the heaviest chain visible to it. B changes the Nonce in the header, and if the hash of the
header becomes less than T, then it has mined a key-block. Note that total chain weight is
measured in the same way as in Bitcoin. The figure below depicts the chain structure and
mining process.
a. (6 marks) Suppose the most recent key-block is created by a miner “A” who has
hashing power equal to fraction of the total hashing power in the network. Here
is between 0 and 1. How many microblocks will A generate on average before the
next key-block is created (Note: the next key-block could be mined by A or any other
miner)? Explain how you got your answer.
b. (2 marks) Suppose a microblock has a maximum size which can accommodate only
100 transactions, and that key-blocks are generated every 10 minutes on average. In
what scenario will this modified Bitcoin-NG have a very small throughput, say even
less than in Bitcoin? By throughput, we mean the average number of transactions
entering the blockchain over time. A qualitative answer will do here. Hint: Consider
the distribution of hashing power among miners.
