It would be nice if non-secure parts of implementation or design were clearly marked.
What's the point of education article, if bad examples aren't clearly marked as bad? If MD5 usage is the only issue, author could easily replace it with SHA and get rid of the warning at the start. If there are other issues, how can a reader know which parts to trust?
Even if fixing bad/insecure parts are "left as an exercise for the reader", learning value of the article would be much greater if those parts would be at least pointed at.
erikb is spot on in the sibling comment. This hasn't been expert-reviewed, hasn't been audited so I'm pretty confident there is a bug somewhere that I don't know about.
It's educational in the sense that I tried as best a I could to implement the various algorithmic parts (mining, validating blocks & transactions, etc...).
I originally used MD5 because I thought I would do more exploration regarding difficulty and MD5 is faster to compute than SHA. In the end, I didn't do that exploration, so I could easily replace MD5 with SHA. I'll update the notebook to use SHA, but I'm still not gonna remove the warning :)
I'll also try to point out more explicitly which parts I think are not secure.
Things I've noticed:
* Use of floating point arithmetic.
* Non-reproducible serialization in verify_transaction can produce slightly different, but equivalent JSON, which leads to rejecting transactions if produced JSON is platform-dependent (e.g. CRLFs, spaces vs tabs).
* Miners can perform DoS by creating a pair of blocks referencing each other (recursive call in verify_block is made before any sanity checks or hash checks, so they can modify block's ancestor without worrying about changing its hash).
* mine method can loop forever due to integer overflow.
* Miners can put in block a transaction with output sum greater than input sum - only place where it is checked is in compute_fee and no path from verify_block leads there.
I'll fix the two bugs with verify_block and the possibility for a miner to inject invalid a output > input transaction.
I'll add a note for the 3 others.
Most current blockchains sign a binary representation with fixed length fields. In terms of JSON, JSON-LD is for graphs and it can be canonicalized. Blockcerts and Chainpoint are JSON-LD specs:
> Blockcerts uses the Verifiable Claims MerkleProof2017 signature format, which is based on Chainpoint 2.0.
> #python news: @gvanrossum just pronounced that dicts are now guaranteed to retain insertion order. This is the end of a long journey.
OrderedDicts are backwards-compatible and are guaranteed to maintain order after deletion.
So what the author is saying he doesn't take responsibility for when you use the result of his work and get problems. If you want to act responsibly build a team of different experts, have tests for security scenarios, have automated tests, from time to time pay people to attack your system and show the weaknesses you have.
Or, do it like 99.9% of people and just accept that there are risks but don't try to put resulting failures on people who provide free solutions for you online.
PS: Incorporation is a good way to protect yourself. Then having even ineffective due diligence processes is enough to protect your personal life from the risks of doing business.
The doc string for the hash function states:
An INSECURE hash function that you should not use in the real world.
Returns an hexadecimal hash
The point in the article seems to be understanding the blockchain protocol and concepts and not "how to write secure crypto."
It's not about this warning. It's about that it's the only warning. From the intro and from discussion here on HN, I imply author knows about other shortcuts made for the sake of simplicity/explanation/readability - I just wished those shortcuts were pointed at more directly in the article, instead of blanket disclaimer.
After that, I decided to re-implement everything from scratch. My foremost constraint was to write readable code so that anyone could read the codebase and have an idea of how blockchain works.
My current draft of implementation can be found on https://github.com/halilozercan/halocoin , which currently lacks detailed README and documentation. However, you can still experiment with it by using API or CLI. I'm running a dedicated server to have an always online peer you can connect to.
Edit: a word
Here's an nbviewer link (which, like base58, works on/over a phone):
Note that Bitcoin does two rounds of SHA256 rather than one round of MD5. There's also a "P2P DHT" (peer-to-peer distributed hash table) for storing and retrieving blocks from the blockchain; instead of traditional database multi-master replication and secured offline backups.
> ERROR:root:Invalid transaction signature, trying to spend someone else's money ?
This could be more specific. Where would these types of error messages log to?
Regarding the error, they are logged when a verify_block/transaction returns False, just to be a bit more explicit about what failed. In a real implementation, I guess you would throw exceptions instead (or use some Result pattern), but I tried and it cluttered the code quite a bit, so I went back to logging.
I'm still a little unsure around exactly how miners and nodes communicate with each other. Especially things like broadcasting transactions and new blocks. Any good resources for that?
Note it uses MD5 hash instead of SHA256 so not exactly bitcoin. I wonder how much more work would be to make the code fully implement bitcoin. Will it still be readable? Or Etherium? Would be great value for understanding even if Python would be inefficient to run in prod.
Swapping MD5 for SHA256 is very easy. I'll actually do it - see my other answer above for why MD5.
For the other differences to bitcoin and from the top of my head :
- In my implementation, wallet addresses are the public key of the owner. Bitcoin addresses are slightly more complicated  and a wallet can (and should) generate a new address for each transaction.
- Bitcoin uses ECDSA instead of RSA
- Bitcoin transactions use a (simpler than ethereum but still) scripting language .
- The whole communication part was left out : you need a way to broadcast blocks. I haven't looked into that
- Bitcoin uses a Merkle tree to store transactions (and prune spent ones).
I think the scripting and communication would be the two biggest tasks. But it would also require unit testing and obviously wouldn't fit in a single notebook.
Was wondering, any specific reason to choose RSA vs ECDSA? Signatures would be smaller.
I think one can maintain code readability in a python implementation but documentation is the key here. Developer needs to clearly state the objective of each function.
For ethereum, you need one external element called: Ethereum Virtual Machine. Smart Contracts are basically byte code that runs on EVM. Without it, blockchain cannot function. So, ethereum development may require extra knowledge on top of blockchain technology.
also, not sure why folks are nitpicking about minor things like security disclaimers, number of sha256 hashes, md5, etc. while ignoring nontrivial gaps (eg no merkle dags, one of the cornerstone concepts).
You're right about Merkle tree. This is a whole section of the bitcoin paper and it's pretty important. But as far as I understand, it's "only" an optimization to save disk space, so it doesn't change the underlying logic.
Jupyter notebooks are popular in the data science / Python communities to explain concepts, for examples see here .