COMS 6998-006: Foundations of Blockchains

Announcements

• Sept 2: Welcome to COMS 6998-006!
• Sept 15: Notes for Lecture 1 posted.
• Sept 15: HW1 posted.
• Sept 20: Lecture room changed to CSG 451 (starting with lecture 4).
• Sept 28: HW2 posted.
• Nov 12: HW6 posted.
• Nov 12: Note the deadline for final reports is December 17th.
• Nov 19: HW7 posted.

• Tim Roughgarden (Office hours: Tuesdays 5-6pm by Zoom. Email: tr@cs.columbia.edu.)

Course Assistants:

• Maryam Bahrani (Office hours: Mondays 3-5pm by Zoom. Wednesdays 12:30-2:30pm in the CS TA room on the first floor of Mudd.) Email: m.bahrani@columbia.edu.

Time/location: 8:40-9:55 AM Tue/Thu in Mudd 834 CSB 451.

Discussion site: ed.

Prerequisites: Undergraduate algorithms (COMS 4231) or equivalent mathematical maturity. The intended audience is first-year graduate students with a strong interest in and affinity for theoretical computer science.

Course outline (subject to change):

• Classical permissioned consensus.
  • Types of adversaries and synchrony models, Dolov-Strong Byzantine broadcast protocol, FLP impossibility result for asynchronous consensus, tight fault-tolerant bounds in the partially synchronous model.
• Permissionless consensus.
  • Nakamoto (longest-chain) consensus, guarantees for the Bitcoin backbone protocol, committee-based reductions to BFT-type permissioned protocols, the CAP theorem.
• Sybil-resistance.
  • Proof-of-work, difficulty adjustment, selfish mining; proof-of-stake, VRFs and VDFs, etc.
• Bitcoin deep dive.
  • Block structure, Merkle trees, UTXOs, light clients, scaling Bitcoin via payment channels and the Lightning network.
• Ethereum deep dive.
  • Block structure, gas and the EVM, the EIP-1559 transaction fee mechanism, scaling Ethereum via optimistic and zk-rollups, plans for ETH 2.0.
• Newer-generation layer-1 consensus protocols (e.g., Solana and Avalanche).
• The multi-chain vision: interoperability and bridges.
• DeFi (decentralized finance) primitives.
  • Stablecoins, oracles.
• DeFi applications.
  • Borrowing, lending, trading via automated market makers.
• Miner extractable value (MEV) and interactions between the consensus and application layers.
• (Time permitting) Approaches to protocol governance.
• (Time permitting) A look ahead: DAOs, NFTs, Web3, etc.

Lecture notes: (posted only sporadically, complete set should be ready in early 2022)

• Lecture 1 (Introduction and Overview) [unedited 0th draft]

Coursework

• Problem Sets (60%): There will be a number of problem sets, around 8-9 in total. Problem sets can be completed in pairs.
  • Homework #1 (Due Thu Sept 23.) (Due Mon Sept 27.)
  • Homework #2 (Due Thu Oct 7.)
  • Homework #3 (Due Thu Oct 14.)
  • Homework #4 (Due Tue Oct 26.)
  • Homework #5 (Due Thu Nov 4.)
  • Homework #6 (Due Thu Nov 18.)
  • Homework #7 (Due Tue Nov 30.)
  • Homework #8 (Due Thu Dec 9.)

• Problem Set Policies:
  • To be submitted in groups of 2 (all students of the group receive the same score).
  • You can form different pairs for different exercise sets.
  • You can discuss exercises with students from other groups verbally and at a high level only.
  • Except where otherwise noted, you may refer to your course notes, the textbooks and research papers listed on the course Web page only. You cannot refer to textbooks, handouts, or research papers that are not listed on the course home page. If you do use any approved sources, make you sure you cite them appropriately, and make sure that all your words are your own.
  • You are strongly encouraged to use LaTex to typeset your write-up. Here's a LaTeX template that you can use to type up solutions. Here and here are good introductions to LaTeX.
  • Honor code: We expect you to abide by the computer science department's policies and procedures regarding academic honesty.
  • Submission instructions: We are using Gradescope for the homework submissions. Go to www.gradescope.com to either login or create a new account. Use the course code 6PN7NP to register for this class. Only one group member needs to submit the assignment. When submitting, please remember to add all group member names onto Gradescope.
• Late Days:
  • One late day equals a 24-hour extension.
  • Each student has three free late days.
  • At most two late days can be applied to a single assignment.
  • Each late day used after the first two will result in a 25% penalty.
    • Example: a student had one free late day remaining but their group uses two late days on a Problem Set. If the group's write-up earns p points, the student receives a final score of .75*p points for the assignment.

• Research project (40%): To be completed in teams of 3-4 students. The project can be theoretical or application-focused, and should relate to the course content but otherwise can be on a topic of your choosing. A single report of 15-20 pages will be due shortly after the final lecture. Two example reports from last year:
  • Large Ethereum Contracts and Gas Fee Non-linearity by Maryam Bahrani, Miranda Christ, Daniel Jaroslawicz, Eric Neyman
  • Decentralized Prediction Markets by Jianxiong Zhan, Chi Wai Lau, Lawan Rahim, Quoc Le
• Deadline: Friday, December 17.

• Final Project Reports:
  • Proof of Space with VDF: An Alternative Permissionless BFT Consensus Protocol, by Yuxuan Luo.
  • An Initial Framework for NFT Auction Mechanism Design: Impossibility Results and Solutions, by Andy Arditi, Pranav Garimidi, Dean Hirsch, and Iason Milionis.
  • Alternative Sybil Resistance Methods, by Marcus Daly, Nathan Cuevas, Griffin Klett, and Lynn Zhu.
  • A Review of Zero Knowledge Proofs, by Thomas Chen, Abby Lu, Jern Kunpittaya, and Alan Luo.
  • A Survey of DeFi Lending, by Alex Brenebel, Lynsey Haynes, Vaibhav Kapur, and Jonathan Larkin.
  • DAOs, by Utkarsh Sinha, Sofia Bianchi, Ian Macleod, and Imanol Uribe.
  • Proof of Participation Voting for On-Chain Governance, by Terry Chung, Sandip Nair, Uttara Ravi, and Pranav Kajgaonkar.
  • A Technical Deep Dive Into and Implementation of Non-Fungible Tokens in a Practical Setting, by Julia Martin and Carrie Hay Kellar.
  • Privacy when Everyone is Watching: Anonymity on the Blockchain, by Nilaksh Agarwal and Roy Rinberg.
  • MEV on L2 by FlashBabies (Huy Ha, Vasiliki Vlachou, Quintus Kilbourn, and Cesare De Michellis).

Lecture Schedule

• Lecture 1 (Thu Sept 9): Course overview and main themes. The blockchain stack and its layers. Ideal digital signature schemes. The SMR (state machine replication) problem. Defining consensus, consistency, and liveness. Supplementary reading:
  • Lecture notes
  • Consensus for SMR (Decentralized Thoughts)

• Lecture 2 (Tue Sept 14): The synchronous model and the Dolev-Strong protocol for Byzantine broadcast. Supplementary reading:
  • Dolev-Strong Authenticated Broadcast (Decentralized Thoughts)
  • Lecture notes from Jonathan Katz's advanced crypto course (see Section 3).
  • Chapters 3 and 6 of Elaine Shi's book draft, Foundations of Distributed Consensus and Blockchains.
  Historical readings:
  • L. Lamport, R. Shostak, and M. Pease, The Byzantine Generals Problem, ACM Transactions on Programming Languages and Systems, 1982.
  • D. Dolev and H. R. Strong, Authenticated Algorithms for Byzantine Agreement, SIAM Journal on Computing, 1983.

• Lecture 3 (Thu Sept 16): Necessity of PKI for synchronous consensus with dishonest majority. Proof themes: simulation and indistinguishability. Supplementary reading:
  • Byzantine Agreement Is Impossible for n≤3f if the Adversary Can Simulate (Decentralized Thoughts)
  • Lecture notes from Jonathan Katz's advanced crypto course (see Section 2).
  • Chapter 4 of Elaine Shi's book draft, Foundations of Distributed Consensus and Blockchains.
  Historical readings:
  • M. Pease, R. Shostak, and L. Lamport, Reaching Agreement in the Presence of Faults, Journal of the ACM, 1980.
  • M. J. Fischer, N. A. Lynch, and M. Merritt, Easy Impossibility Proofs for Distributed Consensus Problems, Distributed Computing, 1986.

• Lecture 4 (Tue Sept 21): The asynchronous model. Start proof of FLP impossibility theorem. Supplementary reading:
  • Consensus Lower Bounds via Uncommitted Configurations (Decentralized Thoughts)
  • Chapter 12 of Elaine Shi's book draft, Foundations of Distributed Consensus and Blockchains.
  Historical readings:
  • M. J. Fischer, N. A. Lynch, and M. S. Paterson, Impossibility of Distributed Consensus with One Faulty Process, Journal of the ACM, 1985.
  • H. Völzer, A Constructive Proof for FLP, Information Processing Letters, 2004.

• Lecture 5 (Thu Sept 23): Finish proof of FLP impossibility theorem. Supplementary reading: same as Lecture 4, and also:
  • The FLP Impossibility, Asynchronous Consensus Lower Bound via Uncommitted Configurations (Decentralized Thoughts)

• Lecture 6 (Tue Sept 28): The partially synchronous model. The Tendermint protocol. Supplementary reading:
  • Notes by Andrew Lewis-Pye.
  • Synchrony, Asynchrony and Partial synchrony (Decentralized Thoughts)
  • Also related: The Lock-Commit Paradigm (Decentralized Thoughts)
  • Tendermint Core documentation.
  Historical readings:
  • C. Dwork, N. Lynch, and L. Stockmeyer, Consensus in the Presence of Partial Synchrony, Journal of the ACM, 1988.
  • E. Buchman, J. Kwon, and Z. Milosevic, The latest gossip on BFT consensus, 2018.

• Lecture 7 (Thu Sept 30): Properties of Tendermint. The CAP theorem. Supplementary readings same as above, and also:
  • The CAP FAQ (Paper Trail)

• Lecture 8 (Tue Oct 5): Longest-chain consensus. Supplementary reading:
  • The Bitcoin white paper, 2008.
  • Nakamoto's Longest-Chain Wins Protocol (Decentralized Thoughts)
  • Chapters 14 and 17 of Elaine Shi's book draft, Foundations of Distributed Consensus and Blockchains.
  • Lecture notes from David Tse's Internet-Scale Consensus in the Blockchain Era course
  • I. Abraham and D. Malkhi, The Blockchain Consensus Layer and BFT, Bulletin of the EATCS, 2017.
  • J. A. Garay, A. Kiayias, and N. Leonardos, The Bitcoin Backbone Protocol: Analysis and Applications, EUROCRYPT, 2015.
  • R. Pass, L. Seeman, and a. shelat, Analysis of the Blockchain Protocol in Asynchronous Networks, EUROCRYPT, 2017.

• Lecture 9 (Thu Oct 7): The permissionless setting. Proof-of-work sybil-resistance. Difficulty adjustment. Supplementary reading:
  • The Bitcoin white paper, 2008.
  • Chapters 14 of Elaine Shi's book draft, Foundations of Distributed Consensus and Blockchains.
  • R. Pass and E. Shi, Rethinking Large-Scale Consensus, 2018.
  • A. Lewis-Pye and T. Roughgarden, Byzantine Generals in the Permissionless Setting, 2021.
  Historical readings:
  • C. Dwork and M. Naor, Pricing via Processing or Combatting Junk Mail, CRYPTO '92.
  • A. Back, Hashcash - A Denial of Service Counter-Measure, 2002.

• Lecture 10 (Tue Oct 12): Cryptocurrencies, block rewards, and selfish mining. Supplementary reading:
  • Chapters 15 of Elaine Shi's book draft, Foundations of Distributed Consensus and Blockchains.
  • Lecture notes from David Tse's Internet-Scale Consensus in the Blockchain Era course
  • I. Eyal and E. G. Sirer, Majority is not Enough: Bitcoin Mining is Vulnerable, FC '16 (also CACM '18).

• Lecture 11 (Thu Oct 14): Proof-of-stake sybil resistance. Supplementary reading:
  • Lecture notes from David Tse's Internet-Scale Consensus in the Blockchain Era course: lecture 1, lecture 2, lecture 3
  • J. Brown-Cohen, A. Narayanan, C.-A. Promas, and S. Matthew Weinberg, Formal Barriers to Longest-Chain Proof-of-Stake Protocols, EC '19.
  • A. Dembo, S. Kannan, E. N. Tas, D. Tse, P. Viswanath, X. Wang, and O. Zeitouni, Everything is a Race and Nakamoto Always Wins, CCS, 2020.
  • E. Deirmentzoglou, G. Papakyriakopoulos, and C. Patsakis, A Survey on Long-Range Attacks for Proof of Stake Protocols, IEEE Access, 2019.
  • Tezos and Cardano, two examples of proof-of-stake longest-chain-type blockchains.
  • Algorand, an example of a proof-of-stake BFT-type protocol.

• Lecture 12 (Tue Oct 19): Transaction fees. EIP-1559. Supplementary reading:
  • M. Carlsten, H. Kalodner, S. M. Weinberg, and A. Narayanan, On the Instability of Bitcoin Without the Block Reward, CCS '16.
  • V. Buterin, Blockchain Resource Pricing, 2018.
  • T. Roughgarden, Transaction Fee Mechanism Design for the Ethereum Blockchain: An Economic Analysis of EIP-1559, December 2020. (Related talk from an Ethereum meetup)

• Lecture 13 (Thu Oct 21): The economic security of blockchains. Supplementary reading:
  • E. Budish, The Economic Limits of Bitcoin and the Blockchain, 2018.
  • J. S. Gans and N. Gandal, More (or Less) Economic Limits of the Blockchain, 2019.
  • D. J. Moroz, D. J. Aronoff, N. Narula, and D. C. Parkes, Double-Spend Counterattacks: Threat of Retaliation in Proof-of-Work Systems, 2020.
  • R. Auer, Beyond the doomsday economics of “proof-ofwork” in cryptocurrencies, 2019.
  • Hasu, J. Prestwich, and B. Curtis, A model for Bitcoin’s security and the declining block subsidy, 2019.
  • G. Huberman, J. D. Leshno, and C. Moallemi, Monopoly without a Monopolist: An Economic Analysis of the Bitcoin Payment System, 2021.

• Lecture 14 (Tue Oct 26): Deep dive on Bitcoin (UTXOs, Merkle trees, light clients, etc.). Supplementary reading:
  • The Bitcoin white paper, 2008.
  • Chapters 1-3 of the book Bitcoin and Cryptocurrency Technologies, by A. Narayanan, J. Bonneau, E. Felten, A. Miller, and S. Goldfeder (draft from 2016).

• Lecture 15 (Thu Oct 28): Scaling Bitcoin. Payment channels, hash time lock contracts (HTLCs), and the Lightning Network. Supplementary reading:
  • J. Poon and T. Dryja, The Bitcoin Lightning Network: Scalable Off-Chain Instant Payments, 2016.
  • Lightning network in depth, Part 1 and Part 2, 2018.

• [no class on Tue Nov 2 --- academic holiday]

• Lecture 16 (Thu Nov 4): Ethereum deep dive: Turing-completeness, gas, accounts, transactions, Merkle-Patricia trees. Supplementary reading:
  • Increasing order of detail: white paper; beige paper; yellow paper
  • Merkling in Ethereum (Buterin)
  • Ethereum docs

• Lecture 17 (Tue Nov 9): Consensus vs. compute. The EVM. Straegies for scaling. Supplementary reading:
  • Ethereum EVM illustrated (Takenobu)

• Lecture 18 (Thu Nov 11): Layer-2's. Sidechains. Optimistic rollups: fraud proofs and dispute resolution. Supplementary reading:
  • An Incomplete Guide to Rollups (Buterin)
  • P. McCorry, C. Buckland, B. Yee, and D. Song, SoK: Validating Bridges as a Scaling Solution for Blockchains, October 2021.
  • Ethereum Smart Contracts in L2: Optimistic Rollup (Floersch)
  • Specific implementations of optimistic rollups: Optimism (see also Konstantopoulos (Part 1 and Part 2) and Surendran) and Arbitrum (see also Kalodner et al.)
  • More on dispute resolution in Optimism vs. Arbitrum: Simon and Buckland
  • L2BEAT FAQ

• Lecture 19 (Tue Nov 16): Rollups with validity (aka zk) proofs. SNARGs. Supplementary reading:
  • SNARGs and SNARKs via the PCP theorem: Kilian and Micali.

• Lecture 20 (Thu Nov 18): SNARKs. Validium and off-chain transaction data. Supplementary reading:
  • More on modern constructions of SNARKs: Reitwiessner, Buterin (1), Buterin (2), Buterin (3).
  • More on validium.

• Lecture 21 (Tue Nov 23): A multi-chain world. Cross-chain bridges. Scaling at layer 1. Brief introduction to Solana and Avalanche. Supplementary reading:
  • Secure The Bridge: Cross-Chain Communication Done Right (Wan)
  • A couple examples of bridges: Solana-Ethereum and NEAR-Ethereum.
  • Solana docs; see also the white paper and the Shinobi Systems primer.
  • Avalanche docs; see also the white paper and Lee's primer.

• [no class on Thu Nov 25 --- academic holiday]

• Lecture 22 (Tue Nov 30): Oracles. Introduction to DeFi. Overcollateralized lending. Supplementary reading:
  • S. Eskandari, M. Salehi, W. C. Gu, and J. Clark, SoK: Oracles from the Ground Truth to Market Manipulation, AFT '21.
  • Defi MOOC lecture on oracles by Ari Juels.
  • Chainlink Docs and latest white paper.
  • Defi MOOC lecture on lending platforms by Arthur Gervais.
  • K. Qin, L. Zhou, P. Gamito, P. Jovanovic, and A. Gervais, An Empirical Study of DeFi Liquidations: Incentives, Risks, and Instabilities, IMC '21.
  • More on Maker, Compound, and Aave.

• Lecture 23 (Thu Dec 2): Trading, crypto exchanges, automated market makers, Uniswap, divergence loss. Supplementary reading:
  • Lecture notes on continuous double auctions and automated market makers.
  • A Comparison of Decentralized Exchange Designs (Chen)
  • The x*y=k curve (Lu)
  • Uniswap (v2) (Adams, Zinsmeister, Robinson)

• Lecture 24 (Tue Dec 7): Deep dive on automated market makers. Price impact. StableSwap. The space of constant-function market-makers. Capital efficiency. Supplementary reading:
  • G. Angeris and T. Chitra, Improved Price Oracles: Constant Function Market Makers, AFT '20.
  • D. Engel and M. Herlihy, Loss and Slippage in Networks of Automated Market Makers, 2021.
  • StableSwap white paper (Egorov)
  • Uniswap v3 white paper (Adams, Zinsmeister, Salem, Keefer, Robinson)

• Lecture 25 (Thu Dec 9): Interactions between the consensus and application layers. Abitrage between AMMs. Priority gas auctions. Miner/maximal extractable value (MEV). Flashbots. Supplementary reading:
  • P. Daian, S. Goldfeder, T. Kell, Y. Li, X. Zhao, I. Bentov, L. Breidenbach, and A. Juels, Flash Boys 2.0: Frontrunning, Transaction Reordering, and Consensus Instability in Decentralized Exchanges, April 2019.
  • MEV and Me (Noyes)
  • Flashbots docs
  • Latest on mitigating MEV in Ethereum: PBS on Ethereum Roadmap (MEV Roast 15)
  • Down the MEV rabbit hole: Interview with a searcher (Uncommon Core)