10 — Criptografia em Criptomoedas e Blockchain

Visão geral focada nas primitivas e protocolos criptográficos. Compendium dedicado a blockchain (próximo) cobre arquitetura, consenso, smart contracts. Este arquivo: o que sustenta criptograficamente Bitcoin, Ethereum e variantes.


1. Pré-história: Hashcash, b-money, Bit Gold

Hashcash (Adam Back, 1997)

Anti-spam via proof-of-work em headers de email. Cliente computa hash com \(N\) zeros leading: $\(H(\text{header} \\\| \text{nonce}) < 2^{256-N}\)$

Custa CPU para cada email — atrito pra spammers em massa. Base do PoW de Bitcoin.

b-money (Wei Dai, 1998)

Proposta informal: cadastro distribuído, anonymous money, contracts em PoW.

Bit Gold (Nick Szabo, 1998–2005)

Conceito de moeda baseada em chains de PoW puzzles. Nunca implementado.

Satoshi cita Hashcash + b-money no whitepaper Bitcoin (não cita Bit Gold mas é evidente influência).


2. Bitcoin — primitivas

Whitepaper: Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System, 31out2008. Bloco gênesis: 03jan2009.

Hashes

  • SHA-256 dupla (HASH256): H(H(x)) — usada em block hashing, txid, merkle root.
  • RIPEMD-160 + SHA-256 (HASH160): RIPEMD160(SHA256(x)) — usada em addresses (P2PKH).

Razão para double-SHA256: defesa proativa contra length-extension (apesar de não-issue em uso atual; era cautela).

Curvas

  • secp256k1 — curva ECDSA do Bitcoin. \(y^2 = x^3 + 7\) sobre \(\mathbb{F}_p\) com \(p = 2^{256} - 2^{32} - 977\). Não-NIST; sem características aleatórias suspeitas.
  • Schnorr desde Taproot (BIP340, ativado nov/2021).

Endereços (formas)

Tipo Prefix Format
P2PKH (Pay-to-Public-Key-Hash) 1 Base58Check de HASH160(pubkey)
P2SH (Pay-to-Script-Hash) 3 Base58Check de HASH160(script)
Bech32 (SegWit v0) bc1q... BIP-173
Bech32m (Taproot, SegWit v1) bc1p... BIP-350

Base58Check

  • Alfabeto: 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz (sem 0, O, I, l para evitar confusão).
  • Checksum: primeiros 4 bytes de SHA256(SHA256(payload)).

Bech32 / Bech32m

Christopher Allen, Pieter Wuille. BIP-173 / BIP-350. Base32 com BCH error-correcting code. Detecta typos. Bech32m fixa weakness do Bech32 com final-character.

ECDSA

Signing transações. Chave secreta 256 bits; pubkey ponto na curva, comprimida (33 bytes) ou descomprimida (65 bytes).

Risk histórico: ECDSA exige nonce \(k\) random; reutilização revela chave privada. RFC 6979 (deterministic nonce via HMAC) padronizado e adotado.

Schnorr (BIP340)

Adotado em Taproot (nov/2021):

  • Mais simples que ECDSA.
  • Signature aggregation via MuSig2.
  • Adaptor signatures: condicional signing.
  • Single-sig indistinguível de multi-sig N-of-N (privacy).

Transactions / scripts

  • OP_CHECKSIG: valida ECDSA/Schnorr.
  • OP_CHECKMULTISIG: legacy multi-sig (deprecated em Taproot).
  • OP_CHECKSIGADD: nova primitiva Taproot.
  • Script: stack-based, intencionalmente não-Turing-completa.

Merkle trees em blocks

  • Block merkle root = root de árvore de SHA256d(txid) das txs no bloco.
  • Bloom filters em SPV: header sync sem download de todas as txs (BIP-37, mas obsoleto por privacy issues; modern: Compact Block Filters BIP-157/158).

Wallets HD (Hierarchical Deterministic)

  • BIP-32: derivação hierárquica de chaves de seed. m/0'/0/0 extra derivation paths.
  • BIP-39: mnemonic seeds (1215182124 palavras de wordlist 2048). PBKDF2-HMAC-SHA512 com salt mnemonic[passphrase], 2048 iterations.
  • BIP-44: multi-account coin types. m/44'/coin_type'/account'/change/address_index.

Mining (PoW)

Hash do block header com 4 zero bytes (target ajustável):

H(version \\\| prev_block_hash \\\| merkle_root \\\| timestamp \\\| bits \\\| nonce) < target

Bitcoin difficulty ajusta a cada 2016 blocks (~2 semanas). 2026 hashrate global: ~700+ EH/s.


3. Ethereum — primitivas

Whitepaper: Vitalik Buterin, Ethereum: A Next-Generation Smart Contract and Decentralized Application Platform, 2013. Mainnet: 30jul2015.

Hashes

  • Keccak-256: não SHA-3-256. Keccak antes de NIST finalizar SHA-3 (que mudou padding em 2014). Ethereum manteve Keccak original. Confusão comum.

Curvas

  • secp256k1 (mesma do Bitcoin) para EOA (Externally Owned Accounts) signing.
  • BLS12-381 para Ethereum 2.0 consensus (BLS signatures).
  • BN254 legacy em pre-compiles (zk-SNARKs).

Endereços

  • EOA: últimos 20 bytes de Keccak-256(pubkey).
  • Contract: derivado de keccak256(rlp([sender, nonce])) ou em CREATE2 de keccak256(0xff \\\| sender \\\| salt \\\| keccak256(init_code)).

Assinatura EIP-155

Inclui chain ID na assinatura para evitar replay across chains.

EIP-712: typed structured signing

Schema permite UI mostrar campos legíveis ao usuário em vez de hex bytes opacos. Adoção em DApps.

EIP-1559

Base fee + tip. Hash do bloco inclui base fee. Não-crypto per se mas relevante.

Consensus crypto (Ethereum 2.0 / Beacon Chain)

BLS signatures (BLS12-381):

  • Cada validator tem BLS keypair.
  • Aggregate signatures: milhares de validators → 1 signature 96 bytes.
  • DKG (Distributed Key Generation): em pools como Lido, RocketPool.

Random Beacon: RANDAO + VDF (VDF planned, RANDAO entrega).


4. Privacy coins

Monero (XMR) — 2014

  • CryptoNote protocol base (BIP-style anonymous payments).
  • Ring signatures (Fujisaki-Suzuki, 2007): assinatura indistinguível entre \(N\) chaves. Atual: MLSAG (Multi-Layered Linkable Spontaneous Anonymous Group), CLSAG (2020), Seraphis (em pesquisa).
  • Stealth addresses: cada tx gera one-time address.
  • RingCT (Confidential Transactions): valores cifrados, Pedersen commitments + range proofs.
  • Bulletproofs+ (2020): range proofs \(O(\log n)\).

Zcash (ZEC) — 2016

  • zk-SNARKs para shielded transactions:
    • Versão 1 (Sprout): BCTV14 (Ben-Sasson-Chiesa-Tromer-Virza), trusted setup ceremony Pi.
    • Versão 2 (Sapling, 2018): Groth16, BLS12-381, new TS ceremony Powers of Tau.
    • Versão 3 (Orchard, 2022): Halo2 — no trusted setup, recursive proofs. Pasta curves.

Aztec Network, Tornado Cash (sancionada)

zk-rollups e mixers para privacy em Ethereum. Tornado Cash sancionada pelo US OFAC em 2022 — código de smart contract banido (controverso legalmente).


5. zk-SNARKs / zk-STARKs em rollups

zk-SNARKs

Succinct Non-interactive Argument of Knowledge.

  • BCTV14, Groth16: pequenos (~200 bytes), constante-time verify, trusted setup (toxic waste).
  • PLONK (2019): universal trusted setup; mais flex.
  • Halo / Halo2: recursive proofs, no trusted setup, Pasta curves (Pallas/Vesta).
  • Nova / SuperNova / HyperNova (2022–2024): folding schemes, very fast recursive accumulation.
  • Plonky2 (Polygon): STARK + PLONK híbrido.

zk-STARKs

Scalable Transparent. Sem trusted setup. Maiores (~50 KB). Post-quantum hash-based.

  • Cairo (StarkWare) — language → STARK proofs.
  • RISC Zero — RISC-V zkVM.
  • Polygon Zero.

L2 zk-rollups (2026)

  • StarkNet — Cairo, Stark proofs.
  • zkSync Era — LLVM-based, ZK-EVM type 4.
  • Polygon zkEVM — type 3 ZK-EVM.
  • Scroll — type 2 ZK-EVM, full EVM compat.
  • Linea (ConsenSys).
  • Taiko — type 1 (bit-perfect).

ZK-EVM types (Vitalik 2022)

Type Compat Performance
Type 1 bit-perfect Ethereum slow
Type 2 EVM-equivalent better
Type 3 EVM-almost-equivalent better
Type 4 Language-level (compile Solidity) best perf, low compat

6. Other consensus crypto

Proof-of-Stake

  • Tendermint / Cosmos: Ed25519 validators, BFT consensus.
  • Algorand: VRF (verifiable random function) baseado em RFC 9381 escolhe committee.
  • Cardano: VRF (Praos) + KES (Key Evolving Signatures, forward-secure).
  • Solana: Ed25519, PoH (proof-of-history) com SHA-256 sequential.
  • Avalanche: avalanche consensus, BLS opcional.
  • Polkadot: BABE (block production VRF), GRANDPA (finality, ECVRF + Schnorr).

Proof-of-Spacetime, Proof-of-Replication

  • Filecoin: PoRep + PoSt. Heavy crypto: SNARKs em massa para provar storage.
  • Chia: VDF (proof-of-time) + proof-of-space (plot files).

Proof-of-Authority, Proof-of-Burn, Proof-of-Coverage

Vários alts. Menos crypto-heavy.


7. DEX / DeFi crypto building blocks

AMMs

Não-crypto per se mas usam blockchain primitives.

Atomic swaps (HTLC)

Hashed Timelock Contract: contract pagável se receiver revela \(x\) com \(H(x) = h\), ou refundável após timeout.

Permite cross-chain swap trustless: ambos chains aceitam mesmo \(h\). Base de Lightning Network.

Lightning Network (Bitcoin L2)

  • Channel = multi-sig 2-of-2 entre Alice e Bob.
  • HTLC entre channels enable multi-hop payments.
  • Onion routing (Sphinx) para privacy do path.
  • Bolt-12 (em dev): offers, fewer privacy leaks.

MEV protection

  • Flashbots — bundle privacy via private mempool.
  • MEV-Share (Flashbots) — partial reveal.
  • CowSwap — batch auctions com signed off-chain orders.

8. Multisig + threshold

Bitcoin multisig

  • P2SH multisig: m-of-n OP_CHECKMULTISIG.
  • MuSig / MuSig2 (Taproot): aggregated Schnorr; multisig indistinguível de single-sig on-chain.
  • FROST: Flexible Round-Optimized Schnorr Threshold (Komlo-Goldberg 2020).

Threshold ECDSA

Mais difícil que threshold Schnorr (ECDSA tem \(s = k^{-1}(z + r \cdot d)\) que não composes naturalmente).

  • Lindell17, GG18/GG20 — interactive protocols com many rounds.
  • CGGMP21 (Canetti-Gennaro-Goldfeder-Makriyannis-Peled) — proactive refresh.
  • Doerner-Kondi-Lee-Shelat (2019/2020) — 2-party ECDSA, fewer rounds.

Usados em custodial wallets enterprise (Fireblocks, Anchorage, Coinbase Prime, Sepior, Curv).


9. Stablecoin crypto

Pouca crypto específica:

  • USDC, USDT — centralizados, baseados em smart contract ERC-20.
  • DAI — sobrecolateralizado em ETH/wBTC.
  • FRAX, LUSD — variantes algorithmic / overcollateralized.

Privacy stablecoins (Zk2-style) em pesquisa.


10. Bitcoin BIP highlights cripto-relevantes

BIP Conteúdo
BIP-32 HD wallets
BIP-39 Mnemonic seeds
BIP-44 Multi-account
BIP-66 Strict DER signatures
BIP-141 SegWit
BIP-173 Bech32 addresses
BIP-174 PSBT (Partially Signed Bitcoin Transaction)
BIP-340 Schnorr signatures
BIP-341 Taproot (P2TR)
BIP-342 Tapscript
BIP-350 Bech32m
BIP-374 (proposal) OP_VAULT

11. Ethereum EIPs cripto-relevantes

EIP Conteúdo
EIP-155 Replay protection com chain ID
EIP-191 / 712 Typed signed data
EIP-1559 Fee market
EIP-2098 Compact signature (no recovery id em y-coord)
EIP-2718 / 2930 Typed transactions, access lists
EIP-4337 Account Abstraction
EIP-4844 Proto-Danksharding (blobs)
EIP-7691 (proposed) Blob count increase

Account Abstraction (ERC-4337)

Smart contract wallets com:

  • Custom signature schemes (multisig, threshold, social recovery, post-quantum).
  • Paymasters (alguém paga gas pelo user).
  • Bundlers off-chain.
  • Crypto-flexibility: schemes futuros (BLS aggregation, PQC) sem hard fork.

12. PQC em blockchain

Maior preocupação: HNDL — atacantes podem coletar transações hoje, esperar quantum, e gastar coins de quem revelou pubkey (cada tx Bitcoin revela pubkey ao gastar).

Soluções discutidas

  • OPCHECKSIGPQ Bitcoin BIP draft (Bas Westerbaan, Filippo Valsorda 2024) — adicionar SLH-DSA, FN-DSA opcionalmente.
  • QuBic, QRL (Quantum Resistant Ledger) — coins PQC native, niche adoption.
  • Ethereum: Vitalik propôs migração via Account Abstraction (cada wallet pode escolher signature scheme).

Timeline realista: hard fork PQC para Bitcoin/Ethereum em 2028–2032 esperado.


13. Famous incidents

Ano Incidente Causa crypto
2010 CVE-2010-5139 Bitcoin overflow output value overflow (não crypto)
2013 Android RNG bug Reused \(k\) em ECDSA → wallets drained
2014 Mt. Gox collapse misc. — não crypto break
2016 The DAO hack reentrancy (não crypto)
2017 Parity multisig wallet bug accidental selfdestruct (não crypto)
2018 Bytom Counterfeit curve confusion bug
2020 KuCoin hack private key extraction (custodial)
2021 Poly Network $611M, returned. Cross-chain bridge bug.
2022 Ronin Bridge $625M. Validator key compromise.
2022 Wintermute profanity vanity address tool weak RNG
2022 Trail of Bits sgx bug em Secret Network enclave secret leak

14. Bibliotecas e tooling cripto-foco

  • libsecp256k1 (Bitcoin Core) — gold standard secp256k1 impl.
  • rust-secp256k1 — bindings.
  • k256 (Rust Crypto) — pure-Rust secp256k1.
  • noble-curves (paulmillr) — pure-JS ECC.
  • arkworks-rs — Rust ZK toolbox (curves, polynomials, snark frameworks).
  • gnark (Consensys) — Go zkSNARK toolkit.
  • Circom + snarkjs — circuit DSL para SNARKs.
  • Cairo / cairo-lang — StarkNet smart contract language.
  • Halo2 + plonky2 — production rust SNARK libs.

15. Resumo: o que segura blockchain (criptograficamente)

Camada Primitiva
Endereço Hash de pubkey
Assinatura tx ECDSA / Schnorr / BLS / EdDSA / future PQC
Tx integrity Merkle root + block hash
Consensus SHA256d PoW (Bitcoin) ou BLS+VRF (PoS)
Privacy Ring sig (Monero), zk-SNARKs (Zcash, rollups), CT
Cross-chain HTLC (atomic swap), bridges com multisig
Wallet HD wallets BIP-32/39, threshold (MPC custodial)
L2 scalability zk-rollups (Stark/Snark) ou optimistic rollups (fraud proofs)
Future PQC migration via Account Abstraction (ETH), BIP draft (BTC)

16. Referência cruzada

  • Hash primitives (SHA-256, Keccak, BLAKE3): 06-hash-e-mac.md.
  • ECC (secp256k1, BLS12-381, Curve25519): 05-assimetrica.md.
  • PQC migration: 08-pos-quantica.md.
  • Pessoas (Satoshi, Vitalik, Wuille, Maxwell, Zooko, Bowe, Wesolowski, Komlo): 12-pessoas.md.
  • Compendium dedicado a blockchain vive em diretório separado: meta/docs/blockchain/compendium/.