10 criptomoeda

10: Cryptography in Cryptocurrencies and Blockchain

Overview focused on the cryptographic primitives and protocols. The *dedicated blockchain compendium* (forthcoming) covers architecture, consensus and smart contracts. This file: what cryptographically underpins Bitcoin, Ethereum and their variants.


1. Prehistory: Hashcash, b-money, Bit Gold

Hashcash (Adam Back, 1997)

Anti-spam via proof-of-work on e-mail headers. The client computes a hash with \(N\) leading zero bits: \(H(\text{header} \| \text{nonce}) < 2^{256-N}\)

Costs CPU for every e-mail: friction for bulk spammers. *Basis of Bitcoin's PoW.*

b-money (Wei Dai, 1998)

Informal proposal: a distributed ledger, anonymous money, contracts backed by PoW.

Bit Gold (Nick Szabo, 1998–2005)

Concept of a currency based on chains of PoW puzzles. Never implemented.

Satoshi cites Hashcash and b-money in the Bitcoin whitepaper (Bit Gold is not cited, but its influence is evident).


2. Bitcoin: primitives

*Whitepaper*: Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System, 31 Oct 2008. Genesis block: 3 Jan 2009.

Hashes

  • *Double SHA-256 (HASH256)*: H(H(x)), used for block hashing, txids and the merkle root.
  • *RIPEMD-160 + SHA-256 (HASH160)*: RIPEMD160(SHA256(x)), used for addresses (P2PKH).

Reason for double SHA-256: proactive defence against length extension (not an issue in current usage; it was caution).

Curves

  • *secp256k1*: Bitcoin's ECDSA curve. \(y^2 = x^3 + 7\) over \(\mathbb{F}_p\) with \(p = 2^{256} - 2^{32} - 977\). Not a NIST curve; no suspicious random-looking parameters.
  • *Schnorr*: since Taproot (BIP-340, activated Nov 2021).

Addresses (forms)

| Type | Prefix | Format |
| --- | --- | --- |
| *P2PKH* (Pay-to-Public-Key-Hash) | 1 | Base58Check of HASH160(pubkey) |
| *P2SH* (Pay-to-Script-Hash) | 3 | Base58Check of HASH160(script) |
| *Bech32 (SegWit v0)* | bc1q... | BIP-173 |
| *Bech32m (Taproot, SegWit v1)* | bc1p... | BIP-350 |

Base58Check

  • Alphabet: 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz (no 0, O, I or l, to avoid confusion).
  • Checksum: first 4 bytes of SHA256(SHA256(payload)).
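
Worked example of the HASH256 and Base58Check rules above (added here; not code from the original file or from Bitcoin Core). It encodes a 20-byte HASH160 into a P2PKH address, decodes it back, and rejects a single-character typo through the 4-byte checksum. The all-zero HASH160 is a constructed input chosen because its address is a well-known public value; RIPEMD-160 itself is left out because `hashlib` does not expose it on every platform, so the function takes the 20-byte digest as input.

```python
import hashlib

B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def hash256(data: bytes) -> bytes:
    """Bitcoin's HASH256: SHA-256 applied twice (block hashes, txids, Base58Check checksums)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    # Each leading zero byte becomes a leading '1' (the alphabet's zero digit).
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    n = int.from_bytes(raw, "big")
    out = bytearray()
    while n:
        n, rem = divmod(n, 58)
        out.append(B58_ALPHABET[rem])
    return "1" * leading_zeros + out[::-1].decode("ascii")


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s.encode("ascii"):
        idx = B58_ALPHABET.find(ch)
        if idx < 0:  # '0', 'O', 'I', 'l' and anything else outside the alphabet
            raise ValueError(f"character {chr(ch)!r} is not in the Base58 alphabet")
        n = n * 58 + idx
    leading_ones = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading_ones + body


def base58check_encode(version: int, payload: bytes) -> str:
    data = bytes([version]) + payload
    return b58encode(data + hash256(data)[:4])


def base58check_decode(s: str) -> tuple[int, bytes]:
    raw = b58decode(s)
    if len(raw) < 5:
        raise ValueError("too short to hold a version byte and a 4-byte checksum")
    data, checksum = raw[:-4], raw[-4:]
    if hash256(data)[:4] != checksum:
        raise ValueError("Base58Check checksum mismatch (typo or corrupted address)")
    return data[0], data[1:]


def p2pkh_address(hash160: bytes, mainnet: bool = True) -> str:
    """Version byte 0x00 (mainnet) or 0x6f (testnet) + HASH160(pubkey), Base58Check-encoded."""
    if len(hash160) != 20:
        raise ValueError("HASH160 must be exactly 20 bytes")
    return base58check_encode(0x00 if mainnet else 0x6F, hash160)


def is_valid_address(s: str) -> bool:
    """True only if the string decodes and its checksum matches."""
    try:
        base58check_decode(s)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed input: the all-zero HASH160 (its address is a well-known public value).
    addr = p2pkh_address(bytes(20))
    print(addr, is_valid_address(addr), is_valid_address(addr[:-1] + "3"))
```

The checksum check is what a wallet relies on to refuse a mistyped destination before funds leave; note that it detects corruption but cannot tell you which character is wrong (that is the Bech32 advantage discussed next).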

Bech32 / Bech32m

Christopher Allen, Pieter Wuille. BIP-173 / BIP-350. Base32 with a BCH error-correcting code; detects typos. Bech32m fixes a weakness of Bech32 involving the final character.

ECDSA

Signs transactions. 256-bit secret key; the pubkey is a curve point, compressed (33 bytes) or uncompressed (65 bytes).

*Historical risk*: ECDSA requires a random nonce \(k\); reusing it reveals the private key. *RFC 6979* (deterministic nonce via HMAC) is standardised and adopted.

Schnorr (BIP-340)

Adopted in *Taproot* (Nov 2021):

  • Simpler than ECDSA.
  • *Signature aggregation* via *MuSig2*.
  • *Adaptor signatures*: conditional signing.
  • *Single-sig indistinguishable from N-of-N multisig* (privacy).

Transactions / scripts

  • *OP_CHECKSIG*: validates ECDSA/Schnorr.
  • *OP_CHECKMULTISIG*: legacy multisig (deprecated in Taproot).
  • *OP_CHECKSIGADD*: new Taproot primitive.
  • *Script*: stack-based, intentionally not Turing-complete.

Merkle trees in blocks

  • *Block merkle root* = root of the tree of SHA256d(txid) over the block's txs.
  • *Bloom filters in SPV*: header sync without downloading every tx (BIP-37, now obsolete because of privacy issues; the modern alternative is *Compact Block Filters, BIP-157/158*).

HD wallets (Hierarchical Deterministic)

  • *BIP-32*: hierarchical key derivation from a seed. m/0'/0/0 and other derivation paths.
  • *BIP-39*: mnemonic seeds (12/15/18/21/24 words from a 2048-word list). PBKDF2-HMAC-SHA512 with salt "mnemonic" + passphrase, 2048 iterations.
  • *BIP-44*: multi-account coin types. m/44'/coin_type'/account'/change/address_index.
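
Worked example of the BIP-39 seed derivation and the BIP-32 hardened-child step that the three bullets above describe (added here; not code from the original file or from any wallet project). Only hardened derivation is implemented, since non-hardened children need the parent public key and therefore an EC point multiplication; `derive_hardened_path` walks a BIP-44 prefix such as m/44'/0'/0' on top of it. The all-"abandon" mnemonic is the public first BIP-39 test vector and is used as a constructed input.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order n (public curve constant); BIP-32 private keys must lie in [1, n-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 mnemonic -> 64-byte seed: PBKDF2-HMAC-SHA512, 2048 rounds,
    salt = 'mnemonic' + passphrase, both NFKD-normalised."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def bip32_master(seed: bytes) -> tuple[int, bytes]:
    """BIP-32 master node: HMAC-SHA512(key='Bitcoin seed', seed) -> (private key, chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("seed yields an invalid master key (probability ~2^-128); pick another seed")
    return k, i[32:]


def bip32_ckd_hardened(k_par: int, c_par: bytes, index: int) -> tuple[int, bytes]:
    """Hardened child (index >= 2^31): HMAC-SHA512(chain, 0x00 || k_par || index)."""
    if index < HARDENED:
        raise ValueError("non-hardened derivation needs the parent pubkey; not implemented here")
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    k = (il + k_par) % SECP256K1_N
    if il >= SECP256K1_N or k == 0:
        raise ValueError("invalid child key; BIP-32 says move on to the next index")
    return k, i[32:]


def derive_hardened_path(seed: bytes, path: str) -> tuple[int, bytes]:
    """Walk a path such as m/44'/0'/0' (BIP-44 purpose/coin_type/account, all hardened)."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    k, c = bip32_master(seed)
    for p in parts[1:]:
        if not p.endswith("'"):
            raise ValueError(f"{p}: non-hardened step not supported in this example")
        k, c = bip32_ckd_hardened(k, c, int(p[:-1]) + HARDENED)
    return k, c


# Constructed input: entropy of 16 zero bytes encodes as eleven "abandon" plus the checksum word "about".
DEMO_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

if __name__ == "__main__":
    seed = bip39_seed(DEMO_MNEMONIC, "TREZOR")
    print("seed:", seed.hex())
    k, c = derive_hardened_path(seed, "m/44'/0'/0'")
    print("account key:", hex(k), "chain code:", c.hex())
```

Two practical points the code makes visible: the passphrase is part of the PBKDF2 salt, so a different passphrase yields an unrelated seed (there is no "wrong passphrase" error, only a different wallet), and every hardened step mixes the parent private key into the HMAC, which is why leaking an extended public key does not expose hardened children.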

Mining (PoW)

Hash of the block header with 4 leading zero bytes (the target is adjustable):

\(H(\text{version} \| \text{prev\_block\_hash} \| \text{merkle\_root} \| \text{timestamp} \| \text{bits} \| \text{nonce}) < \text{target}\)

Bitcoin difficulty adjusts every 2016 blocks (~2 weeks). 2026 global hashrate: ~700+ EH/s.
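
Worked example tying together the merkle-root construction and the PoW check from the two sections above (added here; not code from the original file or from Bitcoin Core). It builds the 80-byte header, decodes the compact `bits` field into the 256-bit target, and tests the HASH256 of the header against it. The Bitcoin genesis block is public chain data and is used as the worked input; its single coinbase txid makes the merkle root trivially equal to that txid, and the odd-count duplication rule is shown separately.

```python
import hashlib


def hash256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: list[str]) -> str:
    """Bitcoin merkle root over txids given in display (big-endian hex) order.
    Internally Bitcoin hashes the byte-reversed form; a level with an odd count
    duplicates its last hash before pairing."""
    if not txids:
        raise ValueError("a block contains at least the coinbase transaction")
    level = [bytes.fromhex(t)[::-1] for t in txids]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hash256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0][::-1].hex()


def bits_to_target(bits: int) -> int:
    """Decode the 4-byte compact 'bits' field: mantissa * 256^(exponent - 3)."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if bits & 0x00800000:
        raise ValueError("negative target is never valid")
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def serialize_header(version: int, prev_hash: str, merkle: str,
                     timestamp: int, bits: int, nonce: int) -> bytes:
    """80-byte header: 4-byte ints little-endian, hashes byte-reversed from display order."""
    return (version.to_bytes(4, "little") + bytes.fromhex(prev_hash)[::-1]
            + bytes.fromhex(merkle)[::-1] + timestamp.to_bytes(4, "little")
            + bits.to_bytes(4, "little") + nonce.to_bytes(4, "little"))


def block_hash(header: bytes) -> str:
    return hash256(header)[::-1].hex()


def meets_target(header: bytes, bits: int) -> bool:
    """The PoW rule: HASH256(header), read as a little-endian integer, must not exceed the target."""
    return int.from_bytes(hash256(header), "little") <= bits_to_target(bits)


def difficulty(bits: int) -> float:
    """Difficulty relative to the maximum target 0x1d00ffff (difficulty 1)."""
    return bits_to_target(0x1D00FFFF) / bits_to_target(bits)


# Public chain data: the Bitcoin genesis block header fields and its coinbase txid.
GENESIS_COINBASE_TXID = "4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b"
GENESIS = dict(version=1, prev_hash="00" * 32, merkle=merkle_root([GENESIS_COINBASE_TXID]),
               timestamp=1231006505, bits=0x1D00FFFF, nonce=2083236893)
GENESIS_HASH = "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f"

if __name__ == "__main__":
    header = serialize_header(**GENESIS)
    print(block_hash(header), meets_target(header, GENESIS["bits"]), difficulty(GENESIS["bits"]))
```

A validating node repeats exactly this check for every header it receives before doing any further work on the block; a miner's job is the inverse, varying `nonce` (and the coinbase, hence the merkle root) until `meets_target` becomes true.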


3. Ethereum: primitives

Whitepaper: Vitalik Buterin, Ethereum: A Next-Generation Smart Contract and Decentralized Application Platform, 2013. Mainnet: 30 Jul 2015.

Hashes

  • *Keccak-256*, *not SHA3-256*: Keccak as it was before NIST finalised SHA-3 (which changed the padding in 2014). Ethereum kept the original Keccak. A common source of confusion.

Curves

  • *secp256k1* (same as Bitcoin) for EOA (Externally Owned Account) signing.
  • *BLS12-381* for Ethereum 2.0 consensus (BLS signatures).
  • *BN254*: legacy, in precompiles (zk-SNARKs).

Addresses

  • *EOA*: last 20 bytes of Keccak-256(pubkey).
  • *Contract*: derived from keccak256(rlp([sender, nonce])), or with CREATE2 from keccak256(0xff || sender || salt || keccak256(init_code)).

EIP-155 signatures

Includes the chain ID in the signature to prevent replay across chains.

EIP-712: typed structured signing

The schema lets the UI show the user readable fields instead of opaque hex bytes. Adopted by DApps.

EIP-1559

Base fee + tip. The block hash includes the base fee. Not crypto per se, but relevant.

Consensus crypto (Ethereum 2.0 / Beacon Chain)

*BLS signatures (BLS12-381)*

  • Each validator has a BLS keypair.
  • *Aggregate signatures*: thousands of validators → one 96-byte signature.
  • *DKG (Distributed Key Generation)* in pools such as Lido and RocketPool.

*Random beacon*: RANDAO + VDF (the VDF is planned; RANDAO is what ships).


4. Privacy coins

Monero (XMR), 2014

  • *CryptoNote* protocol base (BIP-style anonymous payments).
  • *Ring signatures* (Fujisaki-Suzuki, 2007): a signature indistinguishable among \(N\) keys. Current: *MLSAG* (Multi-Layered Linkable Spontaneous Anonymous Group), *CLSAG* (2020), *Seraphis* (under research).
  • *Stealth addresses*: every tx generates a one-time address.
  • *RingCT (Confidential Transactions)*: encrypted amounts, Pedersen commitments + range proofs.
  • *Bulletproofs+* (2020): \(O(\log n)\) range proofs.

Zcash (ZEC), 2016

  • *zk-SNARKs* for shielded transactions:
    • Version 1 (Sprout): BCTV14 (Ben-Sasson, Chiesa, Tromer, Virza), trusted-setup ceremony Pi.
    • Version 2 (Sapling, 2018): Groth16, BLS12-381, new trusted-setup ceremony (Powers of Tau).
    • Version 3 (Orchard, 2022): *Halo 2*: no trusted setup, recursive proofs. Pasta curves.

Aztec Network, Tornado Cash (sanctioned)

zk-rollups and mixers for privacy on Ethereum. Tornado Cash was sanctioned by US OFAC in 2022: smart-contract code banned (legally controversial).


5. zk-SNARKs / zk-STARKs in rollups

zk-SNARKs

Succinct Non-interactive Argument of Knowledge.

  • *BCTV14, Groth16*: small (~200 bytes), constant-time verification, *trusted setup* (toxic waste).
  • *PLONK (2019)*: universal trusted setup; more flexible.
  • *Halo / Halo 2*: recursive proofs, no trusted setup, Pasta curves (Pallas/Vesta).
  • *Nova / SuperNova / HyperNova (2022–2024)*: folding schemes, very fast recursive accumulation.
  • *Plonky2 (Polygon)*: STARK + PLONK hybrid.

zk-STARKs

Scalable Transparent. No trusted setup. Larger (~50 KB). Post-quantum, hash-based.

  • *Cairo* (StarkWare): language → STARK proofs.
  • *RISC Zero*: RISC-V zkVM.
  • *Polygon Zero*.

L2 zk-rollups (2026)

  • *StarkNet*: Cairo, STARK proofs.
  • *zkSync Era*: LLVM-based, ZK-EVM type 4.
  • *Polygon zkEVM*: type 3 ZK-EVM.
  • *Scroll*: type 2 ZK-EVM, full EVM compatibility.
  • *Linea* (ConsenSys).
  • *Taiko*: type 1 (bit-perfect).

ZK-EVM types (Vitalik, 2022)

| Type | Compatibility | Performance |
| --- | --- | --- |
| Type 1 | bit-perfect Ethereum | slow |
| Type 2 | EVM-equivalent | better |
| Type 3 | almost EVM-equivalent | better |
| Type 4 | language-level (compiles Solidity) | best performance, lowest compatibility |

6. Other consensus crypto

Proof-of-Stake

  • *Tendermint / Cosmos*: Ed25519 validators, BFT consensus.
  • *Algorand*: a VRF (verifiable random function) based on RFC 9381 selects the committee.
  • *Cardano*: VRF (Praos) + KES (Key Evolving Signatures, forward-secure).
  • *Solana*: Ed25519, PoH (proof-of-history) with sequential SHA-256.
  • *Avalanche*: Avalanche consensus, optional BLS.
  • *Polkadot*: BABE (block production, VRF), GRANDPA (finality, ECVRF + Schnorr).

Proof-of-Spacetime, Proof-of-Replication

  • *Filecoin*: PoRep + PoSt. Heavy crypto: SNARKs at scale to prove storage.
  • *Chia*: VDF (proof-of-time) + proof-of-space (plot files).

Proof-of-Authority, Proof-of-Burn, Proof-of-Coverage

Various alts. Less crypto-heavy.


7. DEX / DeFi crypto building blocks

AMMs

Not crypto per se, but they use blockchain primitives.

Atomic swaps (HTLC)

*Hashed Timelock Contract*: a contract payable if the receiver reveals \(x\) with \(H(x) = h\), or refundable after a timeout.

Enables trustless cross-chain swaps: both chains accept the same \(h\). Basis of the *Lightning Network*.
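
Worked example of the HTLC rules and the two-chain swap just described (added here; not code from the original file or from any Lightning or swap implementation). The contract is modelled as a small state machine keyed on block height: a claim needs the correct preimage before the timeout, a refund needs the timeout to have passed, and neither path can be taken twice. `atomic_swap` then runs the exchange with the same \(h\) on both chains, with Bob's lock expiring before Alice's so that Bob always has time to reuse the preimage Alice reveals. Names, heights and amounts are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class HTLC:
    """Funds go to `receiver` if the preimage of `hashlock` is shown before block `timeout`,
    otherwise back to `sender` once `timeout` has been reached."""
    hashlock: bytes
    timeout: int
    sender: str
    receiver: str
    amount: int
    state: str = "locked"
    revealed: Optional[bytes] = None  # a successful claim publishes x on-chain for everyone

    def claim(self, preimage: bytes, height: int) -> bool:
        if self.state != "locked" or height >= self.timeout:
            return False  # already settled, or the hash path has closed
        if sha256(preimage) != self.hashlock:
            return False  # wrong x: the contract does not pay out
        self.state = f"claimed by {self.receiver}"
        self.revealed = preimage
        return True

    def refund(self, height: int) -> bool:
        if self.state != "locked" or height < self.timeout:
            return False  # refund is only available after the timeout
        self.state = f"refunded to {self.sender}"
        return True


def atomic_swap(preimage: bytes, height_a: int = 100, height_b: int = 100) -> tuple[str, str]:
    """Alice knows x and wants Bob's coins on chain B; Bob wants Alice's coins on chain A.
    Alice's lock (chain A) must outlive Bob's (chain B): if Alice claimed on B at the last
    moment with the order reversed, Bob could find A already refundable and lose his side."""
    h = sha256(preimage)
    lock_a = HTLC(h, height_a + 48, "alice", "bob", amount=1)    # Alice funds first
    lock_b = HTLC(h, height_b + 24, "bob", "alice", amount=100)  # Bob funds after seeing lock_a
    if not lock_b.claim(preimage, height_b + 1):                  # Alice claims on B, revealing x
        return lock_a.state, lock_b.state
    lock_a.claim(lock_b.revealed, height_a + 2)                   # Bob reuses x on A
    return lock_a.state, lock_b.state


if __name__ == "__main__":
    print(atomic_swap(b"constructed-secret"))
```

If Alice never claims, both locks simply time out and each party refunds itself; the asymmetric timeouts are the only thing standing between "trustless" and "Bob can be robbed", which is why real implementations treat the timeout margin as a security parameter rather than a convenience.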

Lightning Network (Bitcoin L2)

  • *Channel* = 2-of-2 multisig between Alice and Bob.
  • *HTLCs* between channels enable multi-hop payments.
  • *Onion routing* (Sphinx) for path privacy.
  • *Bolt-12* (in development): offers, fewer privacy leaks.

MEV protection

  • *Flashbots*: bundle privacy via a private mempool.
  • *MEV-Share* (Flashbots): partial reveal.
  • *CowSwap*: batch auctions with signed off-chain orders.

8. Multisig + threshold

Bitcoin multisig

  • *P2SH multisig*: m-of-n OP_CHECKMULTISIG.
  • *MuSig / MuSig2 (Taproot)*: aggregated Schnorr; multisig *indistinguishable from single-sig* on-chain.
  • *FROST*: Flexible Round-Optimized Schnorr Threshold (Komlo, Goldberg, 2020).

Threshold ECDSA

Harder than threshold Schnorr (ECDSA has \(s = k^{-1}(z + r \cdot d)\), which does not compose naturally).

  • *Lindell17, GG18/GG20*: interactive protocols with many rounds.
  • *CGGMP21* (Canetti, Gennaro, Goldfeder, Makriyannis, Peled): proactive refresh.
  • *Doerner, Kondi, Lee, Shelat* (2019/2020): two-party ECDSA, fewer rounds.

Used in enterprise custodial wallets (Fireblocks, Anchorage, Coinbase Prime, Sepior, Curv).


9. Stablecoin crypto

Little specific crypto:

  • *USDC, USDT*: centralised, based on ERC-20 smart contracts.
  • *DAI*: over-collateralised in ETH/wBTC.
  • *FRAX, LUSD*: algorithmic / over-collateralised variants.

Privacy stablecoins (Zk2-style) under research.


10. Crypto-relevant Bitcoin BIP highlights

| BIP | Content |
| --- | --- |
| BIP-32 | HD wallets |
| BIP-39 | Mnemonic seeds |
| BIP-44 | Multi-account |
| BIP-66 | Strict DER signatures |
| BIP-141 | SegWit |
| BIP-173 | Bech32 addresses |
| BIP-174 | PSBT (Partially Signed Bitcoin Transaction) |
| BIP-340 | Schnorr signatures |
| BIP-341 | Taproot (P2TR) |
| BIP-342 | Tapscript |
| BIP-350 | Bech32m |
| BIP-374 (proposal) | OP_VAULT |

11. Crypto-relevant Ethereum EIPs

| EIP | Content |
| --- | --- |
| EIP-155 | Replay protection with chain ID |
| EIP-191 / 712 | Typed signed data |
| EIP-1559 | Fee market |
| EIP-2098 | Compact signature (recovery id folded into the y-coordinate bit) |
| EIP-2718 / 2930 | Typed transactions, access lists |
| EIP-4337 | Account Abstraction |
| EIP-4844 | Proto-Danksharding (blobs) |
| EIP-7691 (proposed) | Blob count increase |

Account Abstraction (ERC-4337)

Smart contract wallets with:

  • Custom signature schemes (multisig, threshold, social recovery, post-quantum).
  • Paymasters (someone else pays gas on the user's behalf).
  • Off-chain bundlers.
  • Crypto-flexibility: future schemes (BLS aggregation, PQC) without a hard fork.

12. PQC in blockchain

Biggest concern: *HNDL* (harvest now, decrypt later): attackers can collect transactions today, wait for a quantum computer, and *spend the coins of anyone who has revealed their pubkey* (every Bitcoin tx reveals the pubkey when spending).

Solutions under discussion

  • *OP_CHECKSIGPQ*: Bitcoin BIP draft (Bas Westerbaan, Filippo Valsorda, 2024): optionally add SLH-DSA and FN-DSA.
  • *QuBic, QRL (Quantum Resistant Ledger)*: natively PQC coins, niche adoption.
  • *Ethereum*: Vitalik proposed migration via Account Abstraction (each wallet can choose its signature scheme).

Realistic timeline: a PQC hard fork for Bitcoin/Ethereum is expected in 2028–2032.


13. Famous incidents

| Year | Incident | Crypto cause |
| --- | --- | --- |
| 2010 | *CVE-2010-5139 Bitcoin overflow* | output value overflow (not crypto) |
| 2013 | *Android RNG bug* | reused \(k\) in ECDSA → wallets drained |
| 2014 | *Mt. Gox collapse* | misc.; not a crypto break |
| 2016 | *The DAO hack* | reentrancy (not crypto) |
| 2017 | *Parity multisig wallet bug* | accidental selfdestruct (not crypto) |
| 2018 | *Bytom counterfeit* | curve confusion bug |
| 2020 | *KuCoin hack* | private key extraction (custodial) |
| 2021 | *Poly Network* | $611M, returned. Cross-chain bridge bug. |
| 2022 | *Ronin Bridge* | $625M. Validator key compromise. |
| 2022 | *Wintermute* | Profanity vanity-address tool, weak RNG |
| 2022 | *Trail of Bits SGX bug in Secret Network* | enclave secret leak |

14. Crypto-focused libraries and tooling

  • *libsecp256k1* (Bitcoin Core): the gold-standard secp256k1 implementation.
  • *rust-secp256k1*: bindings.
  • *k256* (RustCrypto): pure-Rust secp256k1.
  • *noble-curves* (paulmillr): pure-JS ECC.
  • *arkworks-rs*: Rust ZK toolbox (curves, polynomials, SNARK frameworks).
  • *gnark* (Consensys): Go zk-SNARK toolkit.
  • *circom* + *snarkjs*: circuit DSL for SNARKs.
  • *Cairo / cairo-lang*: StarkNet smart contract language.
  • *halo2* + *plonky2*: production Rust SNARK libraries.

15. Summary: what holds blockchain together (cryptographically)

| Layer | Primitive |
| --- | --- |
| Address | hash of pubkey |
| Tx signature | ECDSA / Schnorr / BLS / EdDSA / future PQC |
| Tx integrity | Merkle root + block hash |
| Consensus | SHA256d PoW (Bitcoin) or BLS + VRF (PoS) |
| Privacy | ring signatures (Monero), zk-SNARKs (Zcash, rollups), CT |
| Cross-chain | HTLC (atomic swap), bridges with multisig |
| Wallet | HD wallets BIP-32/39, threshold (MPC custodial) |
| L2 scalability | zk-rollups (STARK/SNARK) or optimistic rollups (fraud proofs) |
| Future | PQC migration via Account Abstraction (ETH), BIP draft (BTC) |

16. Cross-reference

  • Hash primitives (SHA-256, Keccak, BLAKE3): `06hashemac.md`.
  • ECC (secp256k1, BLS12-381, Curve25519): `05assimetrica.md`.
  • PQC migration: 08-pos-quantica.md.
  • People (Satoshi, Vitalik, Wuille, Maxwell, Zooko, Bowe, Wesolowski, Komlo): 12-pessoas.md.
  • The dedicated blockchain compendium lives in a separate directory: meta/docs/blockchain/compendium/.

Source: ../home/koder/dev/koder/meta/docs/cryptography/compendium/10-criptomoeda.md