CS 683 - Security and Privacy
Fall 2019
Instructor: Karim Eldefrawy
University of San Francisco
http://www.cs.usfca.edu/~keldefrawy/teaching/fall2019/cs683/cs683_main.htm

Basics of Blockchain-based Cryptocurrencies and Systems

A good source for more information
Slides of this lecture are largely based on those presented in accompanying videos (for lectures 1 and 2) at: http://bitcoinbook.cs.princeton.edu/

Crypto Background: Hash Functions, Hash Pointers, and Hash Pointer-based Data Structures

Hash Functions
• Functional requirements:
  • Takes any string of arbitrary length as input
  • Fixed-size output (we will use 256 bits as an example)
  • Efficiently computable
• Security requirements:
  • Collision-free
  • Hiding
  • Puzzle-friendly

Property 1 of Hash Functions: Collision-free
• No adversary can find x and y such that x ≠ y and H(x) = H(y)
[Figure: two inputs x and y mapping to the same output, H(x) = H(y)]

How to find a collision?
• Try 2^130 randomly chosen inputs (for a 256-bit hash output)
• 99.8% chance two of them will collide
This works no matter how H is constructed … but takes too long to be a serious attack that matters
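
The generic collision search described on this slide, as an added example that is not part of the original slides. It assumes a toy hash made by truncating SHA-256 to a few bits so the search finishes quickly; the names truncated_hash and find_collision are hypothetical, and the inputs are a counter rather than random strings so the run is reproducible.

```python
import hashlib
import itertools


def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data): a deliberately small stand-in for H."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Hash distinct inputs until two of them share an output.

    Returns (x, y, tries). The search treats H as a black box, which is why
    it works for any construction; only the output length sets the cost.
    """
    seen = {}  # output value -> first input that produced it
    for tries in itertools.count(1):
        x = tries.to_bytes(8, "big")  # constructed inputs: 1, 2, 3, ...
        h = truncated_hash(x, bits)
        if h in seen:
            return seen[h], x, tries
        seen[h] = x


if __name__ == "__main__":
    # Work grows like 2^(bits/2): each 4 extra output bits roughly
    # quadruples the number of inputs needed before a collision appears.
    for bits in (16, 20, 24, 28):
        x, y, tries = find_collision(bits)
        print(f"{bits}-bit output: collision after {tries} inputs "
              f"(2^{bits // 2} = {2 ** (bits // 2)}): {x.hex()} vs {y.hex()}")
```

Extrapolating the same growth to a 256-bit output gives the 2^130 figure above, which is why the attack is generic but not practical.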

Application: hash as message digest

Property 2 of Hash Functions: Hiding

Application: Commitment
[Figure: Commit, then Open, of a value X]

Commitment API 1/3

Commitment API 2/3

Commitment API 3/3

Property 3 of Hash Functions: Puzzle-friendly

Application: Search puzzle

SHA-256

Hash Pointers

Key Idea
Utilize hash pointers to build efficient integrity-ensuring data structures

Hash pointer chaining

Tree using hash pointers
We have seen this before; in what context?
[Figure label: Root Hash]

Advantages of Merkle Trees

More generally …
Can use hash pointers in any pointer-based data structure that has no cycles
• Hash pointers will ensure integrity of information stored/used in the data structure
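
A minimal hash-pointer chain with tamper detection, as an added example that is not part of the original slides. It assumes SHA-256 as H and a verifier who stores only the head hash; Block, append and first_bad_block are hypothetical names, and the block contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

GENESIS = bytes(32)  # placeholder "previous hash" stored in the first block


@dataclass
class Block:
    data: bytes
    prev_hash: bytes  # hash pointer: SHA-256 of the whole previous block


def block_hash(block: Block) -> bytes:
    # Length-prefix the data so (data, prev_hash) has one unambiguous encoding.
    encoded = len(block.data).to_bytes(8, "big") + block.data + block.prev_hash
    return hashlib.sha256(encoded).digest()


def append(chain: List[Block], data: bytes) -> bytes:
    """Add a block pointing at the current tail; return the new head hash."""
    prev = block_hash(chain[-1]) if chain else GENESIS
    chain.append(Block(data, prev))
    return block_hash(chain[-1])


def first_bad_block(chain: List[Block], head_hash: bytes) -> Optional[int]:
    """Follow hash pointers from the head back to the first block.

    Returns the index of the first block that does not match the pointer
    held by its successor (or by the verifier), or None if all match.
    """
    expected = head_hash
    for i in range(len(chain) - 1, -1, -1):
        if block_hash(chain[i]) != expected:
            return i
        expected = chain[i].prev_hash
    return None


def build_demo():
    chain: List[Block] = []
    head = GENESIS
    for entry in (b"tx-0", b"tx-1", b"tx-2", b"tx-3"):  # constructed data
        head = append(chain, entry)
    return chain, head
```

Editing any block is caught at that block; recomputing every later pointer to hide the edit only moves the mismatch to the head, which the verifier holds separately.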

Digital Signatures in the Context of Cryptocurrencies

Requirements of a digital signature scheme

API for digital signatures

Requirements for signatures

Security game for a signature scheme

Additional issues

What signature scheme is used in Bitcoin?
ECDSA is the elliptic curve version of the DSA standard, which is similar to the ElGamal signature scheme.

Useful trick: use public key as an identity

How to generate a new identity
In practice: use H(pk) as identity as it is smaller than pk

Decentralized identity management

Privacy is complicated
Addresses not directly connected to real-world identity.
(Un)linkability: But observer can link together an address’s activity over time, and make inferences.

Simple Examples of Cryptocurrency Designs

Attempt #1: Goofy Coin

Operation of Goofy Coin 1/3
Rule #1:

Operation of Goofy Coin 2/3
Rule #2:

Operation of Goofy Coin 3/3
Rule #3:

Big security issue with Goofy Coin
Double-Spending
Double-spending is one of the hardest security challenges to solve when developing a cryptocurrency

Attempt #2: Scrooge Coin

Operation of Scrooge Coin 1/3

Operation of Scrooge Coin 2/3
Transaction Type #1:

Operation of Scrooge Coin 3/3
Transaction Type #2:

Immutable Coins

The main problem with Scrooge Coin
Crucial question: Can we descroogify the currency, and operate without any central, trusted party?

How Bitcoin solves the decentralization issue

Bitcoin’s Peer-to-Peer Network
• A peer-to-peer network without any “central” authority for ensuring integrity of transactions and keeping track of ownership of (Bit)coins (and minting them)
• Ledger and history of ALL transactions are public and available for anyone to inspect

Centralization vs Decentralization
• Competing paradigms that underlie many digital technologies
Sir Tim Berners-Lee (inventor of the Web)

Decentralization is not all-or-nothing
• Email: Decentralized protocol, but dominated by centralized webmail services.

Aspects of decentralization in Bitcoin
• Who maintains the ledger?
• Who has authority over which transactions are valid?
• Who creates new bitcoins?
• Who determines how the rules of the system change?
• How do bitcoins acquire exchange value?
• Beyond the protocol: Exchanges, wallet software, service providers …

Bitcoin’s key challenge: distributed consensus

Why consensus protocols?
• Traditional motivation: reliability in distributed systems.
• Distributed key-value store enables various applications: DNS, public-key directory, stock trades, databases … etc.
Good target for Altcoins!

Defining distributed consensus
• Assume N servers/processors/processes.
• The protocol terminates and all correct nodes decide on the same value (V).
• The value V must have been proposed by some correct node.
• Typically assume honest majority, e.g., less than N/3 or N/2 are misbehaving.

Bitcoin is a peer-to-peer system
Alice’s transaction is broadcast/flooded throughout the Bitcoin network
[Figure label: coin’s history]
Note: Bob’s computer is not in the picture

How consensus could work in Bitcoin
At any given time:
• All nodes have a sequence of blocks of transactions they’ve reached consensus on
• Each node has a set of outstanding transactions it’s heard about (but consensus has not happened for them yet)
[Figure label: Consensus reached on these blocks]
The green block is chosen as a result of consensus and is added to the agreed-upon blockchain.
This is close to how Bitcoin could work, but not exactly. Why?

Why consensus is hard
No notion of global time!

Many impossibility results
• Byzantine generals problem: https://en.wikipedia.org/wiki/Byzantine_fault_tolerance#Byzantine_Generals'_Problem
• Fischer-Lynch-Paterson (deterministic nodes): consensus impossible with a single faulty node

Some well-known consensus protocols
http://www.cs.yale.edu/homes/aspnes/pinewiki/Paxos.html

Understanding impossibility results

Bitcoin consensus: theory vs practice

Some things Bitcoin does differently
Bitcoin does not solve the (large-scale) consensus problem in the general sense, but only in the context of a digital currency system.

Why identity?
Why don’t Bitcoin nodes have identities?
• Identity is hard in a P2P system – Sybil attack
• Pseudonymity is a goal of Bitcoin

Weaker assumption: select random nodes

Key idea: implicit consensus

Bitcoin consensus algorithm (simplified)

What can a malicious node do?
Honest nodes will extend the longest valid branch.

From Bob the merchant’s point of view