10 — Criptografia em Criptomoedas e Blockchain
Visão geral focada nas primitivas e protocolos criptográficos. Compendium dedicado a blockchain (próximo) cobre arquitetura, consenso, smart contracts. Este arquivo: o que sustenta criptograficamente Bitcoin, Ethereum e variantes.
1. Pré-história: Hashcash, b-money, Bit Gold
Hashcash (Adam Back, 1997)
Anti-spam via proof-of-work em headers de email. Cliente computa hash com \(N\) zeros leading: $\(H(\text{header} \\\| \text{nonce}) < 2^{256-N}\)$
Custa CPU para cada email — atrito pra spammers em massa. Base do PoW de Bitcoin.
b-money (Wei Dai, 1998)
Proposta informal: cadastro distribuído, anonymous money, contracts em PoW.
Bit Gold (Nick Szabo, 1998–2005)
Conceito de moeda baseada em chains de PoW puzzles. Nunca implementado.
Satoshi cita Hashcash + b-money no whitepaper Bitcoin (não cita Bit Gold mas é evidente influência).
2. Bitcoin — primitivas
Whitepaper: Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System, 31out2008. Bloco gênesis: 03jan2009.
Hashes
- SHA-256 dupla (HASH256):
H(H(x))— usada em block hashing, txid, merkle root. - RIPEMD-160 + SHA-256 (HASH160):
RIPEMD160(SHA256(x))— usada em addresses (P2PKH).
Razão para double-SHA256: defesa proativa contra length-extension (apesar de não-issue em uso atual; era cautela).
Curvas
- secp256k1 — curva ECDSA do Bitcoin. \(y^2 = x^3 + 7\) sobre \(\mathbb{F}_p\) com \(p = 2^{256} - 2^{32} - 977\). Não-NIST; sem características aleatórias suspeitas.
- Schnorr desde Taproot (BIP340, ativado nov/2021).
Endereços (formas)
| Tipo | Prefix | Format |
|---|---|---|
| P2PKH (Pay-to-Public-Key-Hash) | 1 |
Base58Check de HASH160(pubkey) |
| P2SH (Pay-to-Script-Hash) | 3 |
Base58Check de HASH160(script) |
| Bech32 (SegWit v0) | bc1q... |
BIP-173 |
| Bech32m (Taproot, SegWit v1) | bc1p... |
BIP-350 |
Base58Check
- Alfabeto:
123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz(sem0,O,I,lpara evitar confusão). - Checksum: primeiros 4 bytes de
SHA256(SHA256(payload)).
Bech32 / Bech32m
Christopher Allen, Pieter Wuille. BIP-173 / BIP-350. Base32 com BCH error-correcting code. Detecta typos. Bech32m fixa weakness do Bech32 com final-character.
ECDSA
Signing transações. Chave secreta 256 bits; pubkey ponto na curva, comprimida (33 bytes) ou descomprimida (65 bytes).
Risk histórico: ECDSA exige nonce \(k\) random; reutilização revela chave privada. RFC 6979 (deterministic nonce via HMAC) padronizado e adotado.
Schnorr (BIP340)
Adotado em Taproot (nov/2021):
- Mais simples que ECDSA.
- Signature aggregation via MuSig2.
- Adaptor signatures: condicional signing.
- Single-sig indistinguível de multi-sig N-of-N (privacy).
Transactions / scripts
- OP_CHECKSIG: valida ECDSA/Schnorr.
- OP_CHECKMULTISIG: legacy multi-sig (deprecated em Taproot).
- OP_CHECKSIGADD: nova primitiva Taproot.
- Script: stack-based, intencionalmente não-Turing-completa.
Merkle trees em blocks
- Block merkle root = root de árvore de SHA256d(txid) das txs no bloco.
- Bloom filters em SPV: header sync sem download de todas as txs (BIP-37, mas obsoleto por privacy issues; modern: Compact Block Filters BIP-157/158).
Wallets HD (Hierarchical Deterministic)
- BIP-32: derivação hierárquica de chaves de seed.
m/0'/0/0extra derivation paths. - BIP-39: mnemonic seeds (1215182124 palavras de wordlist 2048). PBKDF2-HMAC-SHA512 com salt
mnemonic[passphrase], 2048 iterations. - BIP-44: multi-account coin types.
m/44'/coin_type'/account'/change/address_index.
Mining (PoW)
Hash do block header com 4 zero bytes (target ajustável):
H(version \\\| prev_block_hash \\\| merkle_root \\\| timestamp \\\| bits \\\| nonce) < targetBitcoin difficulty ajusta a cada 2016 blocks (~2 semanas). 2026 hashrate global: ~700+ EH/s.
3. Ethereum — primitivas
Whitepaper: Vitalik Buterin, Ethereum: A Next-Generation Smart Contract and Decentralized Application Platform, 2013. Mainnet: 30jul2015.
Hashes
- Keccak-256: não SHA-3-256. Keccak antes de NIST finalizar SHA-3 (que mudou padding em 2014). Ethereum manteve Keccak original. Confusão comum.
Curvas
- secp256k1 (mesma do Bitcoin) para EOA (Externally Owned Accounts) signing.
- BLS12-381 para Ethereum 2.0 consensus (BLS signatures).
- BN254 legacy em pre-compiles (zk-SNARKs).
Endereços
- EOA: últimos 20 bytes de Keccak-256(pubkey).
- Contract: derivado de
keccak256(rlp([sender, nonce]))ou em CREATE2 dekeccak256(0xff \\\| sender \\\| salt \\\| keccak256(init_code)).
Assinatura EIP-155
Inclui chain ID na assinatura para evitar replay across chains.
EIP-712: typed structured signing
Schema permite UI mostrar campos legíveis ao usuário em vez de hex bytes opacos. Adoção em DApps.
EIP-1559
Base fee + tip. Hash do bloco inclui base fee. Não-crypto per se mas relevante.
Consensus crypto (Ethereum 2.0 / Beacon Chain)
BLS signatures (BLS12-381):
- Cada validator tem BLS keypair.
- Aggregate signatures: milhares de validators → 1 signature 96 bytes.
- DKG (Distributed Key Generation): em pools como Lido, RocketPool.
Random Beacon: RANDAO + VDF (VDF planned, RANDAO entrega).
4. Privacy coins
Monero (XMR) — 2014
- CryptoNote protocol base (BIP-style anonymous payments).
- Ring signatures (Fujisaki-Suzuki, 2007): assinatura indistinguível entre \(N\) chaves. Atual: MLSAG (Multi-Layered Linkable Spontaneous Anonymous Group), CLSAG (2020), Seraphis (em pesquisa).
- Stealth addresses: cada tx gera one-time address.
- RingCT (Confidential Transactions): valores cifrados, Pedersen commitments + range proofs.
- Bulletproofs+ (2020): range proofs \(O(\log n)\).
Zcash (ZEC) — 2016
- zk-SNARKs para shielded transactions:
- Versão 1 (Sprout): BCTV14 (Ben-Sasson-Chiesa-Tromer-Virza), trusted setup ceremony Pi.
- Versão 2 (Sapling, 2018): Groth16, BLS12-381, new TS ceremony Powers of Tau.
- Versão 3 (Orchard, 2022): Halo2 — no trusted setup, recursive proofs. Pasta curves.
Aztec Network, Tornado Cash (sancionada)
zk-rollups e mixers para privacy em Ethereum. Tornado Cash sancionada pelo US OFAC em 2022 — código de smart contract banido (controverso legalmente).
5. zk-SNARKs / zk-STARKs em rollups
zk-SNARKs
Succinct Non-interactive Argument of Knowledge.
- BCTV14, Groth16: pequenos (~200 bytes), constante-time verify, trusted setup (toxic waste).
- PLONK (2019): universal trusted setup; mais flex.
- Halo / Halo2: recursive proofs, no trusted setup, Pasta curves (Pallas/Vesta).
- Nova / SuperNova / HyperNova (2022–2024): folding schemes, very fast recursive accumulation.
- Plonky2 (Polygon): STARK + PLONK híbrido.
zk-STARKs
Scalable Transparent. Sem trusted setup. Maiores (~50 KB). Post-quantum hash-based.
- Cairo (StarkWare) — language → STARK proofs.
- RISC Zero — RISC-V zkVM.
- Polygon Zero.
L2 zk-rollups (2026)
- StarkNet — Cairo, Stark proofs.
- zkSync Era — LLVM-based, ZK-EVM type 4.
- Polygon zkEVM — type 3 ZK-EVM.
- Scroll — type 2 ZK-EVM, full EVM compat.
- Linea (ConsenSys).
- Taiko — type 1 (bit-perfect).
ZK-EVM types (Vitalik 2022)
| Type | Compat | Performance |
|---|---|---|
| Type 1 | bit-perfect Ethereum | slow |
| Type 2 | EVM-equivalent | better |
| Type 3 | EVM-almost-equivalent | better |
| Type 4 | Language-level (compile Solidity) | best perf, low compat |
6. Other consensus crypto
Proof-of-Stake
- Tendermint / Cosmos: Ed25519 validators, BFT consensus.
- Algorand: VRF (verifiable random function) baseado em RFC 9381 escolhe committee.
- Cardano: VRF (Praos) + KES (Key Evolving Signatures, forward-secure).
- Solana: Ed25519, PoH (proof-of-history) com SHA-256 sequential.
- Avalanche: avalanche consensus, BLS opcional.
- Polkadot: BABE (block production VRF), GRANDPA (finality, ECVRF + Schnorr).
Proof-of-Spacetime, Proof-of-Replication
- Filecoin: PoRep + PoSt. Heavy crypto: SNARKs em massa para provar storage.
- Chia: VDF (proof-of-time) + proof-of-space (plot files).
Proof-of-Authority, Proof-of-Burn, Proof-of-Coverage
Vários alts. Menos crypto-heavy.
7. DEX / DeFi crypto building blocks
AMMs
Não-crypto per se mas usam blockchain primitives.
Atomic swaps (HTLC)
Hashed Timelock Contract: contract pagável se receiver revela \(x\) com \(H(x) = h\), ou refundável após timeout.
Permite cross-chain swap trustless: ambos chains aceitam mesmo \(h\). Base de Lightning Network.
Lightning Network (Bitcoin L2)
- Channel = multi-sig 2-of-2 entre Alice e Bob.
- HTLC entre channels enable multi-hop payments.
- Onion routing (Sphinx) para privacy do path.
- Bolt-12 (em dev): offers, fewer privacy leaks.
MEV protection
- Flashbots — bundle privacy via private mempool.
- MEV-Share (Flashbots) — partial reveal.
- CowSwap — batch auctions com signed off-chain orders.
8. Multisig + threshold
Bitcoin multisig
- P2SH multisig:
m-of-n OP_CHECKMULTISIG. - MuSig / MuSig2 (Taproot): aggregated Schnorr; multisig indistinguível de single-sig on-chain.
- FROST: Flexible Round-Optimized Schnorr Threshold (Komlo-Goldberg 2020).
Threshold ECDSA
Mais difícil que threshold Schnorr (ECDSA tem \(s = k^{-1}(z + r \cdot d)\) que não composes naturalmente).
- Lindell17, GG18/GG20 — interactive protocols com many rounds.
- CGGMP21 (Canetti-Gennaro-Goldfeder-Makriyannis-Peled) — proactive refresh.
- Doerner-Kondi-Lee-Shelat (2019/2020) — 2-party ECDSA, fewer rounds.
Usados em custodial wallets enterprise (Fireblocks, Anchorage, Coinbase Prime, Sepior, Curv).
9. Stablecoin crypto
Pouca crypto específica:
- USDC, USDT — centralizados, baseados em smart contract ERC-20.
- DAI — sobrecolateralizado em ETH/wBTC.
- FRAX, LUSD — variantes algorithmic / overcollateralized.
Privacy stablecoins (Zk2-style) em pesquisa.
10. Bitcoin BIP highlights cripto-relevantes
| BIP | Conteúdo |
|---|---|
| BIP-32 | HD wallets |
| BIP-39 | Mnemonic seeds |
| BIP-44 | Multi-account |
| BIP-66 | Strict DER signatures |
| BIP-141 | SegWit |
| BIP-173 | Bech32 addresses |
| BIP-174 | PSBT (Partially Signed Bitcoin Transaction) |
| BIP-340 | Schnorr signatures |
| BIP-341 | Taproot (P2TR) |
| BIP-342 | Tapscript |
| BIP-350 | Bech32m |
| BIP-374 (proposal) | OP_VAULT |
11. Ethereum EIPs cripto-relevantes
| EIP | Conteúdo |
|---|---|
| EIP-155 | Replay protection com chain ID |
| EIP-191 / 712 | Typed signed data |
| EIP-1559 | Fee market |
| EIP-2098 | Compact signature (no recovery id em y-coord) |
| EIP-2718 / 2930 | Typed transactions, access lists |
| EIP-4337 | Account Abstraction |
| EIP-4844 | Proto-Danksharding (blobs) |
| EIP-7691 (proposed) | Blob count increase |
Account Abstraction (ERC-4337)
Smart contract wallets com:
- Custom signature schemes (multisig, threshold, social recovery, post-quantum).
- Paymasters (alguém paga gas pelo user).
- Bundlers off-chain.
- Crypto-flexibility: schemes futuros (BLS aggregation, PQC) sem hard fork.
12. PQC em blockchain
Maior preocupação: HNDL — atacantes podem coletar transações hoje, esperar quantum, e gastar coins de quem revelou pubkey (cada tx Bitcoin revela pubkey ao gastar).
Soluções discutidas
- OPCHECKSIGPQ Bitcoin BIP draft (Bas Westerbaan, Filippo Valsorda 2024) — adicionar SLH-DSA, FN-DSA opcionalmente.
- QuBic, QRL (Quantum Resistant Ledger) — coins PQC native, niche adoption.
- Ethereum: Vitalik propôs migração via Account Abstraction (cada wallet pode escolher signature scheme).
Timeline realista: hard fork PQC para Bitcoin/Ethereum em 2028–2032 esperado.
13. Famous incidents
| Ano | Incidente | Causa crypto |
|---|---|---|
| 2010 | CVE-2010-5139 Bitcoin overflow | output value overflow (não crypto) |
| 2013 | Android RNG bug | Reused \(k\) em ECDSA → wallets drained |
| 2014 | Mt. Gox collapse | misc. — não crypto break |
| 2016 | The DAO hack | reentrancy (não crypto) |
| 2017 | Parity multisig wallet bug | accidental selfdestruct (não crypto) |
| 2018 | Bytom Counterfeit | curve confusion bug |
| 2020 | KuCoin hack | private key extraction (custodial) |
| 2021 | Poly Network | $611M, returned. Cross-chain bridge bug. |
| 2022 | Ronin Bridge | $625M. Validator key compromise. |
| 2022 | Wintermute | profanity vanity address tool weak RNG |
| 2022 | Trail of Bits sgx bug em Secret Network | enclave secret leak |
14. Bibliotecas e tooling cripto-foco
- libsecp256k1 (Bitcoin Core) — gold standard secp256k1 impl.
- rust-secp256k1 — bindings.
- k256 (Rust Crypto) — pure-Rust secp256k1.
- noble-curves (paulmillr) — pure-JS ECC.
- arkworks-rs — Rust ZK toolbox (curves, polynomials, snark frameworks).
- gnark (Consensys) — Go zkSNARK toolkit.
- Circom + snarkjs — circuit DSL para SNARKs.
- Cairo / cairo-lang — StarkNet smart contract language.
- Halo2 + plonky2 — production rust SNARK libs.
15. Resumo: o que segura blockchain (criptograficamente)
| Camada | Primitiva |
|---|---|
| Endereço | Hash de pubkey |
| Assinatura tx | ECDSA / Schnorr / BLS / EdDSA / future PQC |
| Tx integrity | Merkle root + block hash |
| Consensus | SHA256d PoW (Bitcoin) ou BLS+VRF (PoS) |
| Privacy | Ring sig (Monero), zk-SNARKs (Zcash, rollups), CT |
| Cross-chain | HTLC (atomic swap), bridges com multisig |
| Wallet | HD wallets BIP-32/39, threshold (MPC custodial) |
| L2 scalability | zk-rollups (Stark/Snark) ou optimistic rollups (fraud proofs) |
| Future | PQC migration via Account Abstraction (ETH), BIP draft (BTC) |
16. Referência cruzada
- Hash primitives (SHA-256, Keccak, BLAKE3):
06-hash-e-mac.md. - ECC (secp256k1, BLS12-381, Curve25519):
05-assimetrica.md. - PQC migration:
08-pos-quantica.md. - Pessoas (Satoshi, Vitalik, Wuille, Maxwell, Zooko, Bowe, Wesolowski, Komlo):
12-pessoas.md. - Compendium dedicado a blockchain vive em diretório separado:
meta/docs/blockchain/compendium/.