Hash functions in blockchains Daniel Augot INRIA Saclay - PowerPoint PPT Presentation

  1. Hash functions in blockchains. Daniel Augot, INRIA Saclay – Île-de-France, Laboratoire d'informatique de l'École polytechnique, Head of project-team Grace (crypto). Daniel Augot: 1/50

  4. This talk. Crypto is standard. Peer-to-peer is inefficient. Basic game theory. Not consensus. Power law! Time series viz: so easy. No big data! Well, actually, there are very good research topics. A very narrow view: hash functions. Daniel Augot: 2/50

  5. Outline: Transactions and Ledger; Hash functions and Proof-of-work; Opening the box: SHA-256; SHA256(SHA256(x)) and mining; Scrypt; Ethash; Equihash. Daniel Augot: 3/50

  6. Outline: Transactions and Ledger; Hash functions and Proof-of-work; Opening the box: SHA-256; SHA256(SHA256(x)) and mining; Scrypt; Ethash; Equihash. Daniel Augot: Transactions and Ledger 4/50

  7. Bitcoin: A Peer-to-Peer Electronic Cash System. Satoshi Nakamoto, satoshin@gmx.com, www.bitcoin.org [slide shows the first page of the paper: the abstract and the start of the introduction]
  Abstract. A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
  Callout: "What is needed is an electronic payment system based on cryptographic proof instead of trust, [. . . ] without the need for a trusted third party. We propose a solution [. . . ] using a peer-to-peer distributed timestamp server to generate [. . . ] proof of the chronological order of transactions." Satoshi Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System. Online, bitcoin.org/bitcoin.pdf. 2008. Daniel Augot: Transactions and Ledger 5/50

  8. Transactions I ◮ Alice transfers bitcoins to Bob [diagram: From Alice, To Bob, amount "1"] ◮ this is written in a public ledger. Daniel Augot: Transactions and Ledger 6/50

  11. Blocks and the ledger [image of an 1869 bank passbook, each element annotated with its bitcoin counterpart] Rebbeca Mary Marewitt (bitcoin address). "This book must be produced whenever any money is deposited or withdraw" (public ledger). Transaction Officer's signature (no officer and no signature). March 27, 1869. Date stamp of the office to be affixed against each entry ("mining"). Daniel Augot: Transactions and Ledger 9/50

  14. Blocks are chained [figure: successive blocks, each linked to the previous one by its hash: hash → hash → hash]. Actually, the hash is hard to find: proof-of-work. Cynthia Dwork and Moni Naor. "Pricing via Processing or Combatting Junk Mail". In: CRYPTO '92. 1993. Daniel Augot: Transactions and Ledger 10/50

  15. Outline: Transactions and Ledger; Hash functions and Proof-of-work; Opening the box: SHA-256; SHA256(SHA256(x)) and mining; Scrypt; Ethash; Equihash. Daniel Augot: Hash functions and Proof-of-work 11/50

  16. Cryptographic hash function: $H : \{0,1\}^* \to \{0,1\}^m$, $x \mapsto y = H(x)$. Read informally: any bit string → $m$ bits, that is $m/8$ bytes; in practice, any digitalized document → $m/8$ bytes. ◮ deterministic algorithm ◮ no secrets, no keys (neither private, public, nor secret) ◮ it is neither a signature nor an encryption ◮ . . . Daniel Augot: Hash functions and Proof-of-work 12/50

  20. Cryptographic hash function: properties
  Standard definition
  ◮ First preimage resistance: given $y = H(x)$, impossible to find $x$ ◮ no better way than $2^m$ calls to $H$
  ◮ Second preimage resistance: given $x$, impossible to find $x'$ s.t. $H(x') = H(x)$ ◮ no better way than $2^m$ calls to $H$
  ◮ Collision resistance: impossible to find $x, x'$ s.t. $H(x) = H(x')$ ◮ no better way than $2^{m/2}$ calls to $H$
  Random Oracle Idealization
  ◮ Hold a table $T$ ◮ when queried for $x$: if $x \in T$ return $T[x]$; if $x \notin T$ return a random $y$, and set $T[x] = y$
  Daniel Augot: Hash functions and Proof-of-work 13/50

  21. Why such a thing would be useful
  Most unsemantic function: given $x$, $y = F(x)$ is (hopefully) purely random!
  Usage
  ◮ Ensuring file integrity: $M \mapsto (M, h(M))$. If $h(M)$ is secure, there can be no corruption of $M$ $\Rightarrow$ integrity of the blockchain from the last trusted hash $h$
  ◮ Password storage (with a pinch of salt)
  ◮ Blind registration of documents (notarization): d95b82d3187458f83ad36abd509c7688f60cbda4
  Daniel Augot: Hash functions and Proof-of-work 14/50
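An added example, not from the slides, that puts slides 14, 20 and 21 together in Python: the random-oracle table as the idealised H, Bitcoin's SHA256(SHA256(x)) as the real one, a hash-chained ledger mined by proof-of-work, and the integrity check that walks back from the last trusted hash. The block layout, the all-zero genesis pointer and the leading-zero-bits target are constructed conventions for the demo, not Bitcoin's actual formats.

```python
import hashlib
import secrets
from dataclasses import dataclass
M_BITS = 256  # output size m of H; SHA-256 has m = 256

def sha256d(x: bytes) -> bytes:
    """Bitcoin's H(x) = SHA256(SHA256(x))."""
    return hashlib.sha256(hashlib.sha256(x).digest()).digest()

class RandomOracle:
    """Slide 20's idealisation: table T, fresh random m-bit y for an unseen x."""
    def __init__(self, m_bits: int = M_BITS):
        self.m_bits, self.table = m_bits, {}
    def __call__(self, x: bytes) -> bytes:
        if x not in self.table:
            self.table[x] = secrets.randbits(self.m_bits).to_bytes(self.m_bits // 8, "big")
        return self.table[x]

def leading_zero_bits(y: bytes) -> int:
    return len(y) * 8 - int.from_bytes(y, "big").bit_length()

@dataclass
class Block:
    prev_hash: bytes  # H(previous header); all zeros for genesis (constructed convention)
    data: bytes       # the transaction, e.g. b"Alice -> Bob: 1"
    nonce: int = 0
    def header(self) -> bytes:
        return self.prev_hash + self.data + self.nonce.to_bytes(8, "big")

def mine(block: Block, H, difficulty: int) -> Block:
    """Proof-of-work: try nonces until H(header) has `difficulty` leading zero bits;
    with H preimage resistant (or a random oracle) that costs about 2**difficulty calls."""
    while leading_zero_bits(H(block.header())) < difficulty:
        block.nonce += 1
    return block

def build_chain(payloads, H, difficulty: int) -> list:
    chain, prev = [], bytes(M_BITS // 8)
    for p in payloads:
        chain.append(mine(Block(prev, p), H, difficulty))
        prev = H(chain[-1].header())
    return chain

def verify(chain, H, difficulty: int, trusted_tip: bytes) -> bool:
    """Slide 21: integrity of the whole ledger from one trusted hash, walking back."""
    expected = trusted_tip
    for b in reversed(chain):
        y = H(b.header())
        if y != expected or leading_zero_bits(y) < difficulty:
            return False  # an edited block, or proof-of-work not redone
        expected = b.prev_hash
    return expected == bytes(M_BITS // 8)
```

Editing any block's data changes its hash, so the next block's `prev_hash` no longer matches and the chain fails verification unless every later proof-of-work is redone.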

  22. Where do they come from Daniel Augot: Hash functions and Proof-of-work 15/50

  24. SHA-1 is well broken (along with pdf) Daniel Augot: Hash functions and Proof-of-work 16/50
