CS 683 - Security and Privacy, Spring 2018


  1. CS 683 - Security and Privacy, Spring 2018
     Instructor: Karim Eldefrawy, University of San Francisco
     http://www.cs.usfca.edu/~keldefrawy/teaching/spring2018/cs683/cs683_main.htm (https://goo.gl/t396Fw)

  2. Basics of Blockchain-based Cryptocurrencies and Systems

  3. A good source for more information
     Slides of this lecture are largely based on those presented in accompanying videos (for lectures 1 and 2) at: http://bitcoinbook.cs.princeton.edu/

  4. Crypto Background: Hash Functions, Hash Pointers, and Hash Pointer-based Data Structures

  5. Hash Functions
     • Functional requirements:
       • Takes any string of arbitrary length as input
       • Fixed-size output (we will use 256 bits as an example)
       • Efficiently computable
     • Security requirements:
       • Collision-free
       • Hiding
       • Puzzle-friendly

  6. Property 1 of Hash Functions: Collision-free
     • No adversary can find x and y such that x ≠ y and H(x) = H(y)
     [Figure: x and y both map to H(x) = H(y)]

  7. How to find a collision?
     • Try 2^130 randomly chosen inputs (for a 256-bit hash output)
     • 99.8% chance two of them will collide
     This works no matter how H is constructed … but takes too long to be a serious attack that matters

  8. Application: hash as message digest

  9. Property 2 of Hash Functions: Hiding

  10. Property 2 of Hash Functions: Hiding

  11. Application: Commitment
      [Figure: X, Commit; X, Open]

  12. Commitment API 1/3

  13. Commitment API 2/3

  14. Commitment API 3/3

  15. Property 3 of Hash Functions: Puzzle-friendly

  16. Application: Search puzzle

  17. SHA-256

  18. Hash Pointers

  19. Key Idea
      Utilize hash pointers to build efficient, integrity-ensuring data structures

  20. Hash pointer chaining

  21. Hash pointer chaining

  22. Hash pointer chaining

  23. Tree using hash pointers
      We have seen this before; in what context?
      [Figure label: Root Hash]

  24. Advantages of Merkle Trees

  25. More generally …
      Can use hash pointers in any pointer-based data structure that has no cycles
      • Hash pointers will ensure integrity of information stored/used in the data structure

  26. Digital Signatures in the Context of Cryptocurrencies

  27. Requirements of a digital signature scheme

  28. API for digital signatures

  29. Requirements for signatures

  30. Security game for a signature scheme

  31. Security game for a signature scheme

  32. Security game for a signature scheme

  33. Security game for a signature scheme

  34. Security game for a signature scheme

  35. Additional issues

  36. What signature scheme is used in Bitcoin
      ECDSA is the elliptic curve version of the DSA standard, which is similar to the ElGamal signature scheme.

  37. Useful trick: use public key as an identity

  38. How to generate a new identity
      In practice: use H(pk) as identity as it is smaller than pk

  39. Decentralized identity management

  40. Privacy is complicated
      Addresses are not directly connected to real-world identity.
      (Un)linkability: But an observer can link together an address's activity over time, and make inferences.

  41. Simple Examples of Cryptocurrency Designs

  42. Attempt #1: Goofy Coin

  43. Operation of Goofy Coin 1/3
      Rule #1:

  44. Operation of Goofy Coin 2/3
      Rule #2:

  45. Operation of Goofy Coin 3/3
      Rule #3:

  46. Big security issue with Goofy Coin: Double-Spending
      Double-spending is one of the hardest security challenges to solve when developing a cryptocurrency

  47. Attempt #2: Scrooge Coin

  48. Operation of Scrooge Coin 1/3

  49. Operation of Scrooge Coin 2/3
      Transaction Type #1:

  50. Operation of Scrooge Coin 3/3
      Transaction Type #2:

  51. Immutable Coins

  52. The main problem with Scrooge Coin
      Crucial question: Can we descroogify the currency, and operate without any central, trusted party?

  53. How Bitcoin solves the decentralization issue

  54. Bitcoin's Peer-to-Peer Network
      • A peer-to-peer network without any "central" authority for ensuring integrity of transactions and keeping track of ownership of (Bit)coins (and minting them)
      • Ledger and history of ALL transactions are public and available for anyone to inspect

  55. Centralizations vs Decentralizations
      • Competing paradigms that underlie many digital technologies
      [Photo caption: Sir Tim Berners-Lee (inventor of the Web)]

  56. Decentralization is not all-or-nothing
      • Email: Decentralized protocol, but dominated by centralized webmail services.

  57. Aspects of decentralization in Bitcoin
      • Who maintains the ledger?
      • Who has authority over which transactions are valid?
      • Who creates new bitcoins?
      • Who determines how the rules of the system change?
      • How do bitcoins acquire exchange value?
      • Beyond the protocol: Exchanges, wallet software, service providers …

  58. Aspects of decentralization in Bitcoin

  59. Bitcoin's key challenge: distributed consensus

  60. Why consensus protocols?
      • Traditional motivation: reliability in distributed systems.
      • Distributed key-value store enables various applications: DNS, public-key directory, stock trades, databases … etc.
      Good target for Altcoins!

  61. Defining distributed consensus
      • Assume N servers/processors/processes.
      • The protocol terminates and all correct nodes decide on the same value (V).
      • The value V must have been proposed by some correct node.
      • Typically assume honest majority, e.g., less than N/3 or N/2 are misbehaving.

  62. Bitcoin is a peer-to-peer system
      Alice's transaction is broadcast/flooded throughout the Bitcoin network
      [Figure label: coin's history]
      Note: Bob's computer is not in the picture

  63. How consensus could work in Bitcoin
      At any given time:
      • All nodes have a sequence of blocks of transactions they've reached consensus on
      • Each node has a set of outstanding transactions it's heard about (but consensus has not happened for them yet)

  64. How consensus could work in Bitcoin
      [Figure label: Consensus reached on these blocks]

  65. How consensus could work in Bitcoin

  66. How consensus could work in Bitcoin

  67. How consensus could work in Bitcoin
      [Figure label: Consensus reached on these blocks]
      The green block is chosen as a result of consensus and is added to the agreed-upon blockchain.
      This is close to how Bitcoin could work, but not exactly. Why?

  68. Why consensus is hard
      No notion of global time!

  69. Many impossibility results
      • Byzantine generals problem: https://en.wikipedia.org/wiki/Byzantine_fault_tolerance#Byzantine_Generals'_Problem
      • Fischer-Lynch-Paterson (deterministic nodes): consensus impossible with a single faulty node

  70. Some well-known consensus protocols
      http://www.cs.yale.edu/homes/aspnes/pinewiki/Paxos.html

  71. Understanding impossibility results

  72. Bitcoin consensus: theory vs practice

  73. Some things Bitcoin does differently
      Bitcoin does not solve the (large-scale) consensus problem in the general sense, but only in the context of a digital currency system.

  74. Why identity?
      Why don't Bitcoin nodes have identities?
      • Identity is hard in a P2P system – Sybil attack
      • Pseudonymity is a goal of Bitcoin

  75. Weaker assumption: select random nodes

  76. Key idea: implicit consensus

  77. Bitcoin consensus algorithm (simplified)

  78. What can a malicious node do?

  79. What can a malicious node do?

  80. What can a malicious node do?

  81. What can a malicious node do?

  82. What can a malicious node do?

  83. What can a malicious node do?
      Honest nodes will extend the longest valid branch.

  84. From Bob the merchant's point of view
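
Added example (not from the original slides) for slide 7, "How to find a collision?": a birthday search against SHA-256 truncated to a few bits, showing that the generic method finds a collision after roughly 2^(n/2) tries for an n-bit output without looking inside H. The truncation widths and the `msg-<counter>` inputs are assumptions chosen so the search finishes in seconds.

```python
import hashlib


def truncated_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(data), as an integer (a toy n-bit hash)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Birthday search: hash distinct inputs until two share an output.

    Returns (x, y, tries) with x != y and equal truncated hashes.
    The inputs are plain counters (constructed sample data); the search
    only compares outputs, so it works for any hash function.
    """
    seen = {}  # truncated hash value -> input that produced it
    tries = 0
    while True:
        x = b"msg-%d" % tries
        tries += 1
        h = truncated_hash(x, bits)
        if h in seen:
            return seen[h], x, tries
        seen[h] = x


def scaling_table(widths=(16, 24, 32)):
    """Tries needed per output width, beside the 2^(bits/2) estimate."""
    rows = []
    for bits in widths:
        _, _, tries = find_collision(bits)
        rows.append((bits, tries, 2 ** (bits // 2)))
    return rows


if __name__ == "__main__":
    for bits, tries, estimate in scaling_table():
        print(f"{bits:2d}-bit output: collision after {tries} tries "
              f"(2^{bits // 2} = {estimate})")
```

Each extra 2 bits of output roughly doubles the work, which is why the same search against a full 256-bit output is out of reach.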
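
Added example (not from the original slides) for slides 18-25 on hash pointers: a hash-pointer chain in which a change to any block is detected by a verifier who kept only the head hash. The `Block` layout, the all-zero first pointer and the sample data are assumptions made for illustration, not Bitcoin's block format.

```python
import hashlib
from dataclasses import dataclass

GENESIS = b"\x00" * 32  # assumed placeholder pointer for the first block


@dataclass
class Block:
    data: bytes
    prev_hash: bytes  # hash pointer: digest of the previous block

    def digest(self) -> bytes:
        # The digest covers the pointer as well as the data, so each
        # block commits to the entire history before it.
        return hashlib.sha256(self.prev_hash + self.data).digest()


def build_chain(items):
    """Return (blocks, head); head is the hash pointer to the last block."""
    chain, prev = [], GENESIS
    for item in items:
        block = Block(item, prev)
        chain.append(block)
        prev = block.digest()
    return chain, prev


def verify_chain(chain, head):
    """Return None if intact, else the index where a pointer fails to match.

    An index equal to len(chain) means every stored pointer is consistent
    but the chain no longer hashes to the remembered head.
    """
    expected = GENESIS
    for i, block in enumerate(chain):
        if block.prev_hash != expected:
            return i
        expected = block.digest()
    return None if expected == head else len(chain)


if __name__ == "__main__":
    chain, head = build_chain([b"tx-1", b"tx-2", b"tx-3"])  # constructed data
    print("intact:", verify_chain(chain, head))
    chain[1].data = b"tx-2 (altered)"
    print("after edit, mismatch at block:", verify_chain(chain, head))
    chain[2].prev_hash = chain[1].digest()  # re-link the later pointer
    print("after re-linking, mismatch at:", verify_chain(chain, head))
```

Re-linking every later pointer only moves the mismatch to the head, so integrity of the whole chain reduces to storing one 32-byte value safely.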
