Free and easy week review 丨 US government agency researches fiat cryptocurrency by forking BTC

Introduction: In this week's academic topic section we share a fiat cryptocurrency research paper from the National Institute of Standards and Technology (NIST), describing a new currency system that sits between fiat digital currencies and cryptocurrencies.

In the weekly selection of hardcore technical articles, we will also look at five notable new Bitcoin technologies of 2019, BDoS, the zero-knowledge proof algorithm Bulletproofs, the cryptography of the Bitcoin system, and quantum computing.

In addition, the preliminary audit results of the Ethereum 2.0 Phase 0 specification will be postponed to February next year, and the official launch may be postponed to July. Ethereum 1.0 will soon execute the "Muir Glacier" hard fork at block height 9,200,000 to remove the difficulty bomb.


The following is a selected review of last week's content, enjoy ~

I. NIST studies fiat cryptocurrencies to prevent over-issuance of currency

In this week's academic topic we share a research paper from the US Department of Commerce's National Institute of Standards and Technology (hereinafter NIST) describing a new currency system between fiat digital currencies and cryptocurrencies. Interestingly, it is currently implemented by forking Bitcoin, and may in future be implemented by forking an account-model cryptocurrency.

At first glance it looks like a somewhat dubious "altcoin" project, but it is actually very serious academic research.

The architecture uses a public, permissionless blockchain, so the managers' operations are completely transparent.

In addition, keeping a public set of miners on the blockchain can prevent managers from performing unauthorized operations. At the same time, the cryptocurrency is designed to prevent the public miners from taking control away from the managers, so the structure establishes a "balance of power" between managers and public miners, which opens new possibilities for currency issued by authorities such as governments. (Reminder: before reading this research, you need to understand how Bitcoin works.)

Does it feel amazing? Let's take a closer look at it:

Back at the end of 2018, NIST computer scientist Peter Mell came up with this idea. In his first paper he outlined a managed cryptocurrency architecture that has many characteristics of fiat digital currencies, including a managing entity, while also possessing some characteristics of cryptocurrencies. To implement it, concepts such as central banks, law enforcement agencies and authenticated accounts are introduced, which deviates from the goals of most cryptocurrencies.

What really makes this idea stand out is that it denies the money managers absolute power over financial control (preventing over-issuance of currency).

This can promote public trust in currency issuance, because the restrictions on the managers' authority are immutably recorded on the associated blockchain.

However, Yogi Berra once said:

"In theory, there is no difference between theory and practice, but in practice, there is a difference between the two."

After practical testing, Peter Mell found that his theoretical work was generally correct, but he also found some vulnerabilities and security issues that needed to be mitigated.

After nearly a year of research and discussion, Peter Mell, together with three other NIST scientists, Aurelien Delaitre, Frederic de Vaulx and Philippe Dessauw, recently published a research paper entitled "Cryptocurrency for Protocol Management". In this new paper they built a prototype application and actually tested the managed cryptocurrency system they envisioned. (The research continued and the number of people involved grew, which shows that NIST attaches importance to this project.)

Ultimately, they believe that a cryptocurrency that achieves this "balance of power" through modest modifications to Bitcoin is feasible, and that it requires relatively little programming effort.

In the new paper they describe the changes and their final prototype implementation, which is publicly released on GitHub.

1. Theoretical architecture and related Bitcoin architecture features

In this architecture, anyone can create an account, but an account cannot do anything without being granted a role. The initial block of the blockchain contains an "originating transaction" that grants roles to the root manager account, and all future role assignments descend from this root account. The root account can grant roles to other accounts, and those accounts can in turn grant roles to further accounts.

This sets up a hierarchy of accounts in a tree structure in which the root account (or node) is the most authoritative.


The initial root node is given all possible roles, the most important of which is the "M" currency manager role, which can modify the cryptocurrency's policies. The other roles are "U" user, "A" account manager, "C" central banker and "L" law enforcement officer. Their capabilities are summarized as follows:

  1. "U" user: allows an account to receive and spend the system's cryptocurrency; an account whose "U" role is removed has its funds frozen;
  2. "A" account manager: allows a node to create accounts with the "U" role (and only that role), and it can also remove the "U" tag from its child accounts;
  3. "C" central banker: creates new currency (apart from block mining rewards);
  4. "L" law enforcement officer: allows an account to forcibly move funds between accounts, remove the "U" tag, and restore previously removed "U" tags. These operations can only be applied to accounts that do not hold the "M" role.

Note that in this model the currency manager controls the permissions of every other node in the system, so it can ensure that law enforcement can identify individual transactions within the system if a court orders it.
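As an added illustration (not NIST's code), here is a constructed Python model of the role tree just described: root node 0 holds every role, "A" may create only "U" accounts and strip "U" from its own children, removing "U" freezes funds, and "L" may move funds or toggle "U" only on accounts without "M". The class and method names are my own.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

ROLES = {"M", "U", "A", "C", "L"}  # manager, user, account manager, central banker, law enforcement

@dataclass
class Account:
    node_id: int
    parent: Optional[int]
    roles: Set[str] = field(default_factory=set)
    balance: int = 0

class RoleTree:
    def __init__(self) -> None:
        # The originating transaction in the initial block gives root node 0 every role.
        self.accounts = {0: Account(0, None, set(ROLES))}
        self._next_id = 1

    def create_account(self, by: int, roles) -> int:
        actor, roles = self.accounts[by], set(roles)
        if "M" in actor.roles:
            if not roles <= ROLES:
                raise PermissionError("unknown role")
        elif "A" in actor.roles:
            # An account manager may only create accounts holding the U role alone.
            if roles != {"U"}:
                raise PermissionError("account managers may grant only U")
        else:
            raise PermissionError("no role permits creating accounts")
        acct = Account(self._next_id, by, roles)
        self.accounts[acct.node_id] = acct
        self._next_id += 1
        return acct.node_id

    def mint(self, by: int, to: int, amount: int) -> None:
        # Only a central banker creates new currency (mining rewards aside).
        if "C" not in self.accounts[by].roles:
            raise PermissionError("only C may create currency")
        self.accounts[to].balance += amount

    def transfer(self, frm: int, to: int, amount: int) -> None:
        # Spending and receiving both need U, so removing U freezes an account's funds.
        src, dst = self.accounts[frm], self.accounts[to]
        if "U" not in src.roles or "U" not in dst.roles:
            raise PermissionError("funds frozen: U role required on both ends")
        if src.balance < amount:
            raise ValueError("insufficient funds")
        src.balance, dst.balance = src.balance - amount, dst.balance + amount

    def set_user_role(self, by: int, target: int, present: bool) -> None:
        actor, tgt = self.accounts[by], self.accounts[target]
        if "M" in actor.roles:
            allowed = True  # managers control every other node's permissions
        elif "L" in actor.roles:
            allowed = "M" not in tgt.roles  # law enforcement never acts on managers
        elif "A" in actor.roles:
            allowed = tgt.parent == by and not present  # A may only strip U from its children
        else:
            allowed = False
        if not allowed:
            raise PermissionError("role change not permitted")
        (tgt.roles.add if present else tgt.roles.discard)("U")

    def force_transfer(self, by: int, frm: int, to: int, amount: int) -> None:
        # Law enforcement may move funds regardless of U, but never from or to an M account.
        src, dst = self.accounts[frm], self.accounts[to]
        if "L" not in self.accounts[by].roles or "M" in src.roles or "M" in dst.roles:
            raise PermissionError("force transfer not permitted")
        src.balance, dst.balance = src.balance - amount, dst.balance + amount
```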

Finally, there are two possible security models. One is the independent mining model, in which miners are truly independent of the currency managers, but they can act as a community and refuse to include management transactions (i.e. role changes and policy changes).

This is similar to a 51% attack on Bitcoin!

To prevent this there is also a dependent mining model, in which miners must include a certain number of management transactions in every n blocks.

This prevents a large group of miners from resisting and excluding management transactions, as they could under the independent mining model.

However, this tilts the balance of power slightly towards the currency managers, who can pass a small financial advantage to the miners they favour. This risk can be reduced by establishing certain permanent policy settings.

2. Vulnerabilities in the system structure, security issues and solutions

In practice, the researchers discovered some vulnerabilities and security issues in their original theoretical framework that had to be mitigated in order to implement the prototype. The vulnerabilities allowed disruption of the balance of power, replay attacks and attacks on miners. The security issues include improper scoping of the regulators' and law enforcement's powers and insecure bootstrapping of the cryptocurrency's policies.

Maintaining the balance of power:

The initial research included a "dependent mining model", in which the manager can specify that every interval of y blocks must include x management transactions. Managers set x and y by publishing policy transactions. This model forces miners to periodically include management transactions.

But in practical research they found a loophole that managers could use to take over the entire blockchain.

A manager can first set y to a high value and wait for the community to fully adopt and use the cryptocurrency. Once a large amount of capital has been invested in it, the managers issue a policy transaction that changes y to a very low value.

For example, managers could require a management transaction in every block and send those transactions only to miners they favour or control. The miners receiving them would not propagate them to other miners, preventing the other miners from mining any valid blocks (since under the policy every block must include a management transaction).

In this way managers can effectively take over the entire blockchain, with an effect similar to a 51% attack.

The mitigation the researchers propose is simply to limit how low managers can set y. If the node code rejects policy transactions that set y below a certain threshold, managers cannot use this method to control the blockchain.

Managers can also use permanent policy transactions issued by the root manager node to fix minimum thresholds for these values, creating public trust in the cryptocurrency. Even with a minimum in place, note that managers can still carry out this attack periodically: by refusing to publish management transactions in the intervening blocks, they make every y-th block mineable only by their own miners.

This gives the miners favoured by the managers a periodic financial advantage, but it would be highly visible to the community and would not let the managers control the blockchain.

To minimize the possibility of such an attack, the code should require the minimum y to be high enough that the associated financial advantage is negligible. Another option is to use the independent mining model, but that opens the possibility of miners resisting the managers.
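To make the policy and its mitigation concrete, here is an added Python sketch (not the NIST prototype's code) that models the dependent-mining rule as non-overlapping intervals of y blocks, refuses policy transactions that push y below an assumed floor MIN_Y, and shows why a miner that never receives the management transactions cannot mine at all once y is 1. The transaction tags, MIN_Y and all function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

MGMT, PAY = "MGMT", "PAY"  # constructed transaction tags for this example

# Assumed code-enforced floor on y; the article names no concrete value.
MIN_Y = 100

@dataclass(frozen=True)
class Policy:
    x: int  # management transactions required ...
    y: int  # ... in every interval of y blocks

def apply_policy_tx(current: Policy, new_x: int, new_y: int, min_y: int = MIN_Y) -> Policy:
    """Mitigation: node code rejects any policy transaction that sets y below min_y,
    so the 'wait for adoption, then drop y' takeover is refused and `current` stays."""
    if new_x < 0 or new_y < 1:
        raise ValueError("malformed policy")
    if new_y < min_y:
        raise ValueError(f"policy tx rejected: y={new_y} below floor {min_y}")
    return Policy(new_x, new_y)

def mgmt_count(txs: List[str]) -> int:
    return sum(1 for tx in txs if tx == MGMT)

def first_bad_interval(blocks: List[List[str]], policy: Policy) -> Optional[int]:
    """Dependent-mining rule, modelled as non-overlapping intervals of y blocks:
    each completed interval must carry at least x management transactions.
    Returns the index of the first interval that fails, or None if all pass."""
    for i in range(len(blocks) // policy.y):
        interval = blocks[i * policy.y:(i + 1) * policy.y]
        if sum(mgmt_count(b) for b in interval) < policy.x:
            return i
    return None

def can_extend(blocks: List[List[str]], mempool: List[str], policy: Policy) -> bool:
    """Can a miner holding `mempool` append a valid block at the chain tip?
    Only the block that closes an interval must top the interval up to x management
    transactions. With y == 1 every block closes an interval, so a miner that was
    never sent the management transactions is shut out entirely."""
    pos = len(blocks)
    if (pos + 1) % policy.y != 0:
        return True
    start = pos - pos % policy.y
    already = sum(mgmt_count(b) for b in blocks[start:])
    return mgmt_count(mempool) >= policy.x - already
```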

The research found more vulnerabilities and solutions; interested readers can read the original paper:

3. Architectural obstacles that must be overcome

In addition to mitigating the loopholes in the original design, the researchers also encountered some architectural challenges, some of which could not even be implemented directly. They therefore made architectural design changes and described how to implement them.

  1. Dual-signature requirement for currency transfer transactions:
  2. Node movement:
  3. Determining the transaction type:
  4. Transaction fees:

4. How to create a prototype system

The researchers built the prototype by forking the Bitcoin code, under the project name "usnistgov/managedcryptocurrencies-bitcoin".

The link is as follows:

In testing, NIST used only a single virtual machine to run the entire distributed network. Inside the VM it used the Docker engine to run a set of containers representing the nodes of the modified network, which was enough to test the blockchain.

After artificially reducing the mining difficulty, the researchers were able to test quickly. Finally, they produced a visualization of the node hierarchy tree using the GraphViz library.

An example output tree is shown below (each node lists in parentheses the roles and states active for that node):


The tags and corresponding roles are: M (manager), C (central banker), L (law enforcement), U (registered user), A (account manager), D (banned account). Node 0 is the root node created in the genesis block.

For security reasons the root node should generally not be used as the "active manager", so node 1 was created for this role.

Node 3 is the central banker. In practice it is useful to place it as a child directly under node 0.

Node 2 is law enforcement, and its scope of supervision is node 1 and all nodes derived from it (that is, all nodes except 0, 3 and 11).

Nodes 4 and 5 are account managers.

Node 6 is a user account that has been disabled by law enforcement, and nodes 7, 8 and 10 are ordinary users.

Node 9 is a node that has had all its roles removed (this can be done by the node itself, by its account manager node 5, or by its manager nodes 0 or 1).

Node 11 is a node that has been active in the cryptocurrency but has no role at all and never had one. It represents an account created by a miner to hold coinbase coins, which can be used without any role.

5. Related work and future plans

This appears to be the first time a balance of power for a fiat cryptocurrency has been proposed.

Digital currency schemes proposed by other governments are usually not subject to public oversight or do not consider the balance of power.

Multichain is a very similar system that includes management features, but it is a permissioned chain that specifies which entities have mining rights, whereas NIST proposes an open-mining prototype.

In addition, Fed researchers have also proposed Fedcoin. This permissioned-chain design is based on RSCoin, a cryptocurrency scheme proposed to support central banks and commercial banks in international transactions.

In future iterations NIST plans two major changes: using an account model and better handling of compromised nodes.

Because Bitcoin uses the UTXO model, coins are not stored in user accounts but in the transactions themselves; every transaction has outputs, some of which remain unspent. This works very well for Bitcoin, but it becomes very awkward for NIST's cryptocurrency prototype.

In future NIST will implement the envisioned system by forking an account-model public chain (its theoretical architecture is not tied to any specific cryptocurrency). One possible option is Ethereum (due to its maturity), but that choice would bring unnecessary complexity to the system, because Ethereum's code base supports smart contracts.

A very mature account-model cryptocurrency without smart contract functionality would be a more suitable fork for NIST.

Free and easy comments: The concept of managed cryptocurrency proposed by the NIST researchers lies between conventional fiat digital currencies and cryptocurrencies, which we might call a fiat cryptocurrency (that is, managers and public miners jointly control the cryptocurrency). It runs counter to the goals and efforts of most cryptocurrencies. A legal digital currency adopting this concept would in theory be more popular, so it may help governments research future electronic currency approaches.

Currently, NIST is still looking for a blockchain solution that uses an account model but does not enable smart contracts.

II. Hardcore technical articles of the week

2.1 Summary of Bitcoin technology development in 2019 (Part 1)

Bitcoin's technological development is progressing at full speed. Several large technical projects (Taproot, Stratum V2, OP_CHECKTEMPLATEVERIFY, Drivechain, etc.) made great progress in 2019, and optimistically some of them could be officially released. At the same time, throughout 2019 the use of SegWit transactions kept increasing, more and more coins were mixed each month through Chaumian CoinJoin tools, and a large number of wallets and service providers adopted the bech32 address standard.

Beyond these, what other new Bitcoin technologies appeared in the past year?

Aaron van Wirdum, a well-known writer on Bitcoin technology, mentioned the following 5 technologies in his newly published article:

Original link:

1. Guix: a binary verification system

It allows users to check whether the Bitcoin Core client they downloaded exactly matches the code written by the developers. In July 2019 the Bitcoin Core project merged the Guix solution proposed by Chaincode Labs engineer Carl Dong, which removes another layer of trust.

2. Sidechains add asset issuance

In 2019 Bitcoin sidechains, especially Liquid, were increasingly used for a wider range of assets. Some projects began to issue stablecoins (such as Tether) on Liquid. In early 2019 the Dubai-based cryptocurrency exchange BTSE also announced an asset issuance relying on the sidechain.

3. Shamir backups for secure storage

Hardware wallets are generally considered a secure way to store bitcoin, but they can still be damaged, lost or stolen. In August 2019 SatoshiLabs launched a solution: Shamir Backup. With this technology a hardware wallet can "split" a wallet seed into several different shares, and a subset of them can restore the wallet. SatoshiLabs' Shamir backup allows the creation of up to 16 shares, and individual shares can even be divided into sub-shares.

4. Pay-to-Endpoint (P2EP) privacy technology

In short, P2EP is a trick that breaks the assumptions blockchain analysis relies on, even if only a small percentage of users make use of it. It does this by having the recipient of a payment participate in the transaction through CoinJoin.

In August 2019, the privacy-focused Samourai wallet released its own P2EP version and named it "Stowaway".

5. Miniscript makes Bitcoin programming easier

Bitcoin's Script language has some complexities. The most obvious is that it is not always easy for humans to understand, which makes it difficult to use.

To improve this, Andrew Poelstra, Pieter Wuille, and Sanket Kanjalkar of Blockstream designed a "lite" scripting language: Miniscript.

Although the current version of Miniscript is not the final one, Blockstream already uses the language internally.

Free and easy comments: Here are 5 Bitcoin technologies that have not received wide attention, and 3 of them I had not learned about before. It shows that Bitcoin technology is actually developing very fast, not as many people imagine.

2.2 BDoS: Denial of Service Attack on Blockchain

This is a new attack on Nakamoto-consensus blockchains proposed by Professor Ittay Eyal, who also proposed selfish mining, together with several professors and scholars at Cornell University and IC3. It argues that an attacker with 20% of the hash power can induce rational miners to stop mining by first publishing only a block header; rational miners then have three options:

  1. Ignore the block header and continue extending the main chain: the attacker then uses selfish mining and releases the complete block matching its header, which leads to a race between the two groups of miners. With some probability the rational miner loses the race, reducing its expected return;
  2. Extend the block header (actually the least likely option): the attacker then never publishes the complete block, so the expected return of the block is zero;
  3. Stop mining, consuming no electricity and winning no rewards;

In other words, the best choice for a rational miner is 1 or 3. If the expected reward is not enough to pay its electricity bill, the miner faces the choice of whether to shut down.

Article link:

Free and easy comments: Many people may think this research is meaningless, because the attacker still needs a lot of hash power and the attack is not profitable within the system, so it seems nobody would choose to do it. In reality, however, incentives are not only internal to the system; external incentives (such as margin trading, competition between two currencies, etc.) can also drive rational miners to act maliciously.

2.3 Popular science | The cryptography of the Bitcoin system and the impact of quantum computing

This is a popular science article by Gao Chengshi, a PhD in cryptography and a member of the Blockchain Professional Committee of the China Computer Federation. It introduces three cryptographic technologies involved in Bitcoin and blockchain systems: asymmetric cryptographic algorithms, hash functions and secure multi-party computation. It also introduces in detail the principles of Bitcoin mining, quantum computing and quantum algorithms, and the impact of quantum computing on blockchains.

Article link:

Free and easy comments: A very objective and comprehensive popular science article on the relationship between quantum computing and blockchain. In general, although the current progress of quantum computing is far from threatening existing blockchain systems, it still deserves attention, because one day cryptocurrencies such as Bitcoin will need to replace their cryptographic algorithms to resist the threat of quantum computing.

2.4 Understanding the zero-knowledge proof algorithm Bulletproofs: Range proof III & arithmetic circuits

The Bulletproofs algorithm has two applications: range proofs and general arithmetic circuits. Zero-knowledge researcher Jiang Xiaobai covered them in two newly published articles, describing the specific implementation details of Bulletproofs range proofs and arithmetic circuits. The relationship between the size of the generated proof and the number of multiplication gates in the arithmetic circuit is: the larger the circuit, the larger the proof.

Article link:

Article link:

Free and easy comments: The Bulletproofs algorithm has been widely studied and adopted. Compared with the original paper, Jiang Xiaobai simplified the introduction of this algorithm into 4 illustrated articles. However, these articles are still hard to digest and are aimed at developers.

III. Technical progress of mainstream blockchain projects

3.1 Ethereum 2.0 code audit will be completed in February next year; the deposit contract mainnet may launch in July

According to the latest information revealed by Ethereum 2.0 coordinator Danny Ryan, the preliminary audit report on the Ethereum 2.0 Phase 0 specification is expected in early February next year, and the official release may have to wait until June or July next year.


Free and easy comments: The development of Ethereum 2.0 has been repeatedly delayed, and it seems everyone expected that. The dates given by individual developers are only a rough reference; the official date will have to wait for an announcement from the Ethereum Foundation.

3.2 Ethereum will conduct the "Muir Glacier" hard fork at block height 9,200,000

To deal with the difficulty bomb built into Ethereum, the Ethereum Foundation decided to implement the "Muir Glacier" hard fork at block height 9,200,000, expected around January 1, 2020.

Free and easy comments: This is the third difficulty bomb removal in Ethereum's history; well, developers hope it will be the last.

3.3 Bitcoin weekly technical updates

Last week LND released version 0.8.2-beta. Developers discussed broad support for basic multi-path payments in the Lightning Network (LN) and gave an update on the reliability of bech32 error detection. In addition, developers updated the OP_CHECKTEMPLATEVERIFY opcode.

In addition, developers discussed the impact of eclipse attacks on Lightning Network (LN) channels.


Free and easy comments: Bitcoin's technology is progressing steadily. Many new technologies will gradually show their influence in 2020 and 2021, giving people a sense of stability.

This week's exciting content is here, see you next week ~