Foteini Baldimtsi
Public key addresses such as 133GT5661q8RuSKrrv8q2Pb4RwS, 146KL5461d8KuSPxvv8q2Nd6K2q and 122NB5426d8Lau3Kbbf8q2L7g89h (Alice) are posted on the blockchain.
Bitcoin De-anonymization in Practice
eCash: an adversarial bank cannot link a withdrawal to a deposit (unlinkability). Bitcoin: it should be hard to link the sender of a payment to its recipient on the ledger.
Goal: break the link between payer and payee.
Measuring anonymity between payers and payees:
● Anonymity set: the set of transactions which the adversary cannot distinguish from your transaction (depends on the anonymity model).
● Taint resistance analysis: calculating how “related” two addresses are, or how well an adversary can discern the ownership of a bitcoin based on its previous spending history.
1) Mixing/Tumbler services (for Bitcoin), e.g. Blindcoin, XIM: Bitcoin compatible.
2) Anonymous cryptocurrencies: not compatible with Bitcoin.
● Achieve the level of privacy that we are already used to from traditional banking, and mitigate the deanonymization risk that the public blockchain brings.
● Go above and beyond the privacy level of traditional banking and develop currencies that make it technologically infeasible for anyone to track the participants.
Mixing/Tumbler Services. Based on joint work with Ethan Heilman and Sharon Goldberg from Boston University.
Who runs the mix?
● Centralized (intermediary)
● Decentralized
Diagram: voucher issuance (signatures σ under the intermediary's key SK) and voucher redemption.
Fair exchange 1: A gives 1 bitcoin and gets 1 voucher σ. Fair exchange 2: B gives 1 voucher σ and gets 1 bitcoin. The intermediary can check whether a voucher has already been spent.
Not anonymous! An ephemeral address is a newly created address that is used once and then discarded. The receiving address is always an ephemeral address.
The intermediary has to front bitcoins for the exchange: DoS risk! Protocol sketch: start protocol, pay fee, thanks! … Charging a fee* also protects against Sybil attacks, since sybils must now pay a fee.
* Inspired by the fees used by XIM [1] to resist DoS and Sybil attacks. [1]: ‘Sybil-resistant mixing for bitcoin.’ Bissias, Ozisik, Levine, Liberatore.
HBG’16
Anonymous Decentralized Cryptocurrencies
Two approaches: almost a decentralized mixing service (with performance issues and limited functionality) versus a standalone cryptocurrency.
Requires a trusted, append-only bulletin board (BB); it could be the Bitcoin blockchain.
Minting: pick a serial number SN, compute C1 = Commit(SN, r), and pin C1 on the BB with a bitcoin. All users accept C1 and agree that it carries 1 bitcoin. The coins C1, C2, ..., CN on the BB are unlinkable.
Redeem: compute a NIZK π that "I know Ci in (C1, C2, ..., CN)" and "I know r to open Ci to SN". Post (SN, π).
Spend: all users verify π and check that SN is new; if OK, I can collect a bitcoin from any location of the BB.
Implementing the BB with Bitcoin: recall how Bitcoin transactions work (image by Rainer Bohme).
Implementing the BB with Bitcoin. Minting a zerocoin of value d: Alice creates a transaction and includes the commitment C in the output; the bitcoin value is put into escrow. Spending a zerocoin: Alice creates a transaction that spends any unclaimed bitcoin in escrow to Bob and also includes (SN, π). The spend succeeds if π verifies.
Naive solution for the redeem proof: identify all valid zerocoins C1, C2, ..., CN on the bulletin board and prove that SN is the serial number of one of them, i.e. C = C1 ∨ C = C2 ∨ ... ∨ C = CN (knowing r to open C to SN). This “OR” proof is O(N).
Cryptographic accumulators: RSA modulus n = p · q, u ∈ QR_n.
Accumulator over the bulletin board: A = u^(C1 · C2 · ... · CN) mod n.
Witness for C2: w = u^(C1 · C3 · ... · CN) mod n.
To prove that C2 is in A, give (w, C2); check w^C2 = A mod n. Revealing (w, C2) is not anonymous!
There exists an efficient NIZK proof that I have a valid witness for a commitment to SN and know the corresponding randomness r; cost log(N) [CL’02].
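As an added illustration (not code from the talk, from Zerocoin, or from any library), a toy Python bulletin board that mints commitments, builds the RSA accumulator and witness from the slides, and redeems by revealing (w, C) together with the serial number, i.e. the non-anonymous step before the NIZK replaces the witness. The hash-based Commit, the tiny modulus and the class names are constructed assumptions; it covers the mint/redeem/spend flow above as well as the accumulator membership check.

```python
import hashlib
from math import prod

# Toy parameters (constructed, NOT secure): a real deployment uses a large RSA
# modulus n = p*q and discards p, q after setup (the trusted-setup problem).
P, Q = 1000003, 1000033
N = P * Q
U = 4            # 4 = 2^2 is a quadratic residue mod N, as the slides require


def commit(sn: int, r: int) -> int:
    """Commit(SN, r) as a hash, used directly as an accumulator exponent.
    Assumption: the slides leave Commit abstract; a real scheme maps a
    Pedersen commitment to a prime representative before accumulating."""
    h = hashlib.sha256(f"{sn}|{r}".encode()).digest()
    return int.from_bytes(h, "big") % (N - 1) + 1   # nonzero exponent


class BulletinBoard:
    """Append-only list of minted coins plus the set of spent serial numbers."""

    def __init__(self):
        self.coins: list[int] = []    # C1, C2, ..., CN (public)
        self.spent: set[int] = set()  # serial numbers already redeemed

    def mint(self, sn: int, r: int) -> int:
        c = commit(sn, r)
        self.coins.append(c)          # "pin C on the BB with a bitcoin"
        return c

    def accumulator(self) -> int:
        # A = u^(C1 * C2 * ... * CN) mod n, recomputed from the public board
        return pow(U, prod(self.coins), N)

    def witness(self, c: int) -> int:
        # w = u^(product of all the other coins) mod n
        others = [x for x in self.coins if x != c]
        return pow(U, prod(others), N)

    def spend(self, sn: int, r: int, c: int, w: int) -> bool:
        """Non-anonymous redeem: the spender reveals (w, C) instead of a NIZK,
        so every observer can link this spend back to the mint of C."""
        if sn in self.spent:                        # double-spend check
            return False
        if commit(sn, r) != c:                      # C must open to SN with r
            return False
        if pow(w, c, N) != self.accumulator():      # membership: w^C = A
            return False
        self.spent.add(sn)
        return True
```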
Problems with the Zerocoin approach:
- Accumulators require a trusted setup (somebody has to compute n and throw away p, q).
- Proofs are not very efficient: log(N), and each proof is approximately 50 KB; note the scaling problems of Bitcoin.
- Not compatible with Bitcoin: these new types of transactions would have to be included, and nodes would need to be able to verify sophisticated ZK proofs.
- Payments are of a single denomination, and payment values appear in the clear (1 BTC).
Zerocash solves the problems above*.
Zerocash enables users to pay one another directly via payment transactions of variable denomination that reveal neither the origin, the destination, nor the amount. It:
● reduces the size of transactions spending a coin to under 1 kB (an improvement of over 97.7%)
● reduces the spend-transaction verification time to under 6 ms (an improvement of over 98.6%)
● allows for anonymous transactions of variable amounts
● hides transaction amounts and the values of coins held by users
● allows for payments to be made directly to a user's fixed address (without user interaction).
zk-SNARKs: Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge. They allow to:
- hide the transaction value inside the commitment
- split and merge transactions
The use of zk-SNARKs for Bitcoin was also suggested by DFKP13.
zk-SNARKs create efficient proofs for NP statements: construct an arithmetic circuit for the statement to be proved. How are they different from NIZKs?
- Both need a trusted setup and provide the same guarantees (completeness, proof of knowledge, ZK).
- Proof length depends only on the security parameter, and verification time on the instance size (not on the circuit).
- Security relies on very strong assumptions (knowledge-of-exponent).
HBG’16
Open problems:
- Rigorous definitions for mixing services and cryptocurrencies (UC model)
- Anonymous cryptocurrencies without trusted setup
- Anonymous cryptocurrencies based on standard assumptions
- Anonymity solutions that “scale”
- Policy questions about anonymous payments