proof of work hash chaining
play

Proof of work, Hash chaining CS 161: Computer Security Prof. David - PowerPoint PPT Presentation

Nov 22, 2022 •190 likes •488 views

Crypto tricks: Proof of work, Hash chaining CS 161: Computer Security Prof. David Wagner April 13, 2016 A Tangent: How Can I Prove I Am Rich? Math Puzzle Proof of Work Problem. To prove to Bob Im not a spammer, Bob wants me to do 10

  1. Crypto tricks: Proof of work, Hash chaining CS 161: Computer Security Prof. David Wagner April 13, 2016

  2. A Tangent: How Can I Prove I Am Rich?

  3. Math Puzzle – Proof of Work • Problem. To prove to Bob I’m not a spammer, Bob wants me to do 10 seconds of computation before I can send him an email. How can I prove to Bob that I wasted 10 seconds of CPU time, in a way that he can verify in milliseconds?

  4. Math Puzzle – Proof of Work • Problem. To prove to Bob I’m not a spammer, Bob wants me to do 10 seconds of computation before I can send him an email. How can I prove to Bob that I wasted 10 seconds of CPU time, in a way that he can verify in milliseconds? • Hint: Computing 1 billion SHA256 hashes might take 10 seconds.

  5. Your Solution • Bob provides a random challenge r • I compute: find x such that H(r,x) starts with 33 0 bits – This will take me 2^33 hash computations, on average – Geometric: coin flip, with 1 / 2^33 chance of heads • Bob verifies by: checking that H(r,x) starts with 33 0 bits • Problem: replay attacks

  6. Your Solution • Bob picks 50-bit primes p,q, sends me n = pq • I have to factor n, send back p and q • Bob can verify by multiply p*q

  7. Solution • To prove that I wasted 10 seconds of CPU time, in a way that he can verify quickly: • Bob sends me: r • I look for x such that first30bits(SHA256( x || r )) = 0 • I send Bob: x • Bob can verify using a single hash.

  10. Tamper-Evident Logging • We work for the police Electronic Records office. • To ensure that evidence can’t be questioned in court, we want to make sure that evidence can’t be tampered with, after it is logged with the office. • In other words: a police officer can log an electronic file at any time; after it is logged, no back-dating or after-the-fact changes to evidence should be possible. • How should we do it? What crypto or data structures could we use?

  11. Design Problem for You • Idea: Each day, collect all the files ( f 1 , f 2 , … , f n ) that are logged that day. Then, publish something in the next day’s newspaper, to commit to these files. • Question: What should we publish? Needs to be short, and ensure after-the-fact changes or backdating are detectable. • When a file f i is exhibited into evidence in a trial, how can judge verify it hasn’t been modified post- facto?

  12. Your Solution • Store in database: f1, .., fn • Publish: H(f1), H(f2), .., H(fn) • To verify f i : reveal fi

  13. Your Solution • Store in database: f1, .., fn • Publish: H(H(f1), H(f2), .., H(fn)) • To verify f i : reveal fi, H(f1), H(f2), .., H(fn)

  14. Your Solution • Store in database: f1, .., fn • Publish: Sign(f1), Sign(f2), .., Sign(fn), signed under judge’s key • To verify f i : reveal fi

  15. Candidate Solution • Store in database: f 1 , Sign( f 1 ), f 2 , Sign( f 2 ), … , f n , Sign( f n ) • Publish: public key • To verify f i : reveal f 1 , Sign( f i ) • Critique: Sysadmin can get a copy of the private key, modify database, update the signature, and thus modify old entries or create new backdated entries.

  16. Candidate Solution • Publish: H( f 1 , f 2 , … , f n ) • To verify f i : reveal f 1 , f 2 , … , f n

  17. Solution • Each day, collect all the files ( f 1 , f 2 , … , f n ) that are logged that day. Then, publish H ( f 1 , f 2 , … , f n ) in the next day’s newspaper, to commit to these files. • When a file f i is exhibited into evidence in a trial, reveal f 1 , f 2 , … , f n to judge. Judge can hash them, check that their hash was in the right day’s newspaper, and check that f i is in the list.

  18. Better Solution • Each day, collect all the files ( f 1 , f 2 , … , f n ) that are logged that day. Let f 0 be the previous day’s hash. Publish H ( f 0 , f 1 , f 2 , … , f n ) in the next day’s newspaper, to commit to these files. • Note that exhibiting file f i into evidence still requires revealing entire list of other files ( f 1 , f 2 , … , f n ) that were logged that day. Can you think of any way to avoid that?

  19. Tamper-evident Audit Logs • X1 = H(X0, “opened vault”) • X2 = H(X1, “disabled alarm”) • X3 = H(X2, “closed alarm”) • X4 = H(X3, “front door locked”) • X5 = H(X4, “closed vault”) • Publishing any Xi commits to all prior log entries.

  20. Take-away • Using hash chaining, we can provide tamper- evident audit logs that let us detect after-the-fact modifications and backdated entries.

  21. Bitcoin CS 161: Computer Security Prof. David Wagner April 13, 2016

  22. Distributed Logging • Let’s do distributed peer-to-peer logging of public data. We have n computers; they all know each others’ public keys. Any computer can broadcast to all others (instantaneously, reliably). Any computer should be able to append a signed entry to the log, and to verify integrity of any previous log entry. • Security goal: Malicious computers should not be able to back-date entries or modify past log entries. Assume ≤ 3 computers are malicious. • Problem 1. Describe a protocol for this. What does Alice do to append an entry? What do other computers need to do?

  23. Your Solution • To append log entry e: • Other computers should:

  24. Distributed Logging • Problem 2. Let’s generalize. Suppose m of the n computers are malicious. If we make the obvious change to your protocol, for which m can it be made secure? • (a): for all m < n. • (b): for all m < n/2. • (c): for all m < n/3. • (d): for all m < √ n. • (e): for all m < O(lg n).

  25. Distributed Logging • Problem 2. Let’s generalize. Suppose m of the n computers are malicious. If we make the obvious change to your protocol, for which m can it be made secure? • (a): for all m < n. • (b): for all m < n/2. • (c): for all m < n/3. • (d): for all m < √ n. • (e): for all m < O(lg n).

  26. Distributed Money • Donna gets the brilliant idea to use this log to store financial transactions. Each person’s initial balance is public. • To transfer $10 from Alice to Bob, Alice appends a signed log entry saying “I transfer $10 to Bob” and broadcasts it. Everyone can compute the updated balance for Alice and Bob. • Problem 3. What are some ways that a malicious actor might try to attack this scheme? Is this a good scheme?

  27. Your Answers • Replay • Denial of service attacks • Broadcast doesn’t scale • TOCTTOU vulnerability

  28. Problems with This Scheme • Initial balance is arbitrary • Broadcasting is expensive and doesn’t scale • A conspiracy of n /2 malicious computers can fork the audit log and steal all the money • Sybil attacks: Anyone can set up millions of servers and thus have a 50% majority

  29. Bitcoin • Public, distributed, peer-to-peer audit log of all transactions. • To append an entry to the log, the latest value must hash to something whose first 30 bits are zero; then broadcast it to everyone. • Anyone who appends an entry to the log is given a small reward, in new money (a fraction of a Bitcoin).

Recommend

Blockchain (Bitcoin) Four ideas Hash chaining Unalterable history Public key

Blockchain (Bitcoin) Four ideas Hash chaining Unalterable history Public key

Blockchain (Bitcoin) Four ideas Hash chaining Unalterable history Public key cryptography Signatures Addition/Subtraction General ledger Notarization Proof of validity Hash chaining Enigma machine Enigma rotors

477 views • 27 slides
Priority queues Hash tables chaining Priority queue ADT Binary heap March 13, 2020 Cinda

Priority queues Hash tables chaining Priority queue ADT Binary heap March 13, 2020 Cinda

Priority queues Hash tables chaining Priority queue ADT Binary heap March 13, 2020 Cinda Heeren / Andy Roth / Geoffrey Tien 1 Separate chaining Separate chaining takes a different approach to collisions Each entry in the hash table

470 views • 26 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.5k views • 58 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.25k views • 98 slides
CS261 Data Structures Hash Tables Buckets/Chaining Hash Tables:

CS261 Data Structures Hash Tables Buckets/Chaining Hash Tables:

CS261 Data Structures Hash Tables Buckets/Chaining Hash Tables: Resolving Collisions There are two general approaches to resolving collisions: 1. Open address

293 views • 12 slides
Securing Proof-of-Work Ledgers via Checkpointing Dimitris Karakostas, Aggelos Kiayias

Securing Proof-of-Work Ledgers via Checkpointing Dimitris Karakostas, Aggelos Kiayias

Securing Proof-of-Work Ledgers via Checkpointing Dimitris Karakostas, Aggelos Kiayias Bitcoins novelties Hash chain + Proof-of-Work + Incentives for participation Bitcoins novelties Hash chain + Proof-of-Work

1.26k views • 37 slides
1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

CPE 542: CRYPTOGRAPHY &amp; NETWORK SECURITY Using Symmetric Ciphers for MACs can use any block cipher chaining mode and use final block as a MAC Chapter 12 Hash Algorithms Data Authentication Algorithm (DAA) is a widely used MAC

305 views • 5 slides
Hash Tables Direct-Address Tables Hash Functions Universal Hashing Chaining Open Addressing

Hash Tables Direct-Address Tables Hash Functions Universal Hashing Chaining Open Addressing

Hash Tables Direct-Address Tables Hash Functions Universal Hashing Chaining Open Addressing CS 5633 Analysis of Algorithms Chapter 11: Slide 1 Direct-Address Tables Let U = { 0 , . . . , m 1 } , the set of possible keys. direct

424 views • 14 slides
Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole

Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole

Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole normale sup erieure/PSL &amp; INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David Pointcheval 1/51 Hard

300 views • 17 slides
Hashing Algorithms Hash functions Separate Chaining Linear Probing Double Hashing Symbol-Table

Hashing Algorithms Hash functions Separate Chaining Linear Probing Double Hashing Symbol-Table

Hashing Algorithms Hash functions Separate Chaining Linear Probing Double Hashing Symbol-Table ADT Records with keys (priorities) basic operations insert search create generic operations common to many ADTs test if empty

474 views • 13 slides
Chaining Operator in Climb Method Chaining jQuery Method Chaining Extended Climb Christopher

Chaining Operator in Climb Method Chaining jQuery Method Chaining Extended Climb Christopher

Chaining Operator in Climb Introduction Chaining Operator in Climb Method Chaining jQuery Method Chaining Extended Climb Christopher Chedeau Image Processing Implementation Attempts Dollar macro LRDE Extensions Laboratoire de

554 views • 42 slides
Using first order logic (Ch. 9) Backward chaining Backward chaining is almost the opposite of

Using first order logic (Ch. 9) Backward chaining Backward chaining is almost the opposite of

Using first order logic (Ch. 9) Backward chaining Backward chaining is almost the opposite of forward chaining (and eliminating irrelevancy) You try all sentences that are of the form: , and try to find a way to satisfy P1, P2, ... recursively

753 views • 41 slides
A Sybil-Proof Distributed Hash Table Chris Lesniewski-Laas M. Frans Kaashoek MIT 28 April 2010

A Sybil-Proof Distributed Hash Table Chris Lesniewski-Laas M. Frans Kaashoek MIT 28 April 2010

A Sybil-Proof Distributed Hash Table Chris Lesniewski-Laas M. Frans Kaashoek MIT 28 April 2010 NSDI http://pdos.csail.mit.edu/whanau/slides.pptx Distributed Hash Table Interface: PUT( key , value ), GET( key ) value Route to peer

424 views • 30 slides
CS 225 Data Structures Mar March h 15 15 Hash T Table C e Collisions Wade Fa Wa

CS 225 Data Structures Mar March h 15 15 Hash T Table C e Collisions Wade Fa Wa

CS 225 Data Structures Mar March h 15 15 Hash T Table C e Collisions Wade Fa Wa Fagen-Ul Ulmsch schnei eider er, , Cra Craig Zi Zilles (Example of open hashing) Collision Handling: Sep eparate e Chaining S = { 16, 8, 4, 13,

854 views • 10 slides
Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing? Distribute key/value pairs across bins with a hash function , Hashing Performance Hashing (Application of Probability) which maps elements from

497 views • 3 slides
Conditional Course Lecture 4 Hash Tables I: Separate Chaining and Open Addressing Fabian Kuhn

Conditional Course Lecture 4 Hash Tables I: Separate Chaining and Open Addressing Fabian Kuhn

Algorithms and Data Structures Conditional Course Lecture 4 Hash Tables I: Separate Chaining and Open Addressing Fabian Kuhn Algorithms and Complexity Fabian Kuhn Algorithms and Data Structures Abstract Data Types: Dictionary Dictionary:

717 views • 36 slides
Bitcoin Mechanics: Proof-of-Work (PoW) Blockchain = a chain of blocks; Block = validated

Bitcoin Mechanics: Proof-of-Work (PoW) Blockchain = a chain of blocks; Block = validated

Bitcoin Mechanics: Proof-of-Work (PoW) Blockchain = a chain of blocks; Block = validated transactions Many miners (record keepers) are competing for the right to add a block Miners are involved in hash computation = Lottery draw

573 views • 4 slides
Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin and Shengli Liu Shanghai Jiao Tong University ASIACRYPT 2013 Dec 5, Bangalore, India B. Qin and S. Liu LR-CCA Secure

580 views • 47 slides
Collision Resolution by Chaining 0 U ( universe of keys) k 1 k 4 k 1 k 4 K k 2 k 5 k 2 k 6

Collision Resolution by Chaining 0 U ( universe of keys) k 1 k 4 k 1 k 4 K k 2 k 5 k 2 k 6

Collision Resolution by Chaining 0 U ( universe of keys) k 1 k 4 k 1 k 4 K k 2 k 5 k 2 k 6 (actual k 6 k 5 keys) k 7 k 8 k 3 k 7 k 3 k 8 m 1 Expected Cost of an Search Theorem: An unsuccessful search takes expected time (1+). Proof

466 views • 33 slides
Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
Hash Open Indexing Data Structures and Algorithms CSE 373 SP 18 - KASEY CHAMPION 1 Warm Up

Hash Open Indexing Data Structures and Algorithms CSE 373 SP 18 - KASEY CHAMPION 1 Warm Up

Hash Open Indexing Data Structures and Algorithms CSE 373 SP 18 - KASEY CHAMPION 1 Warm Up Consider a StringDictionary using separate chaining with an internal capacity of 10. Assume our buckets are implemented using a LinkedList. Use the

288 views • 27 slides
Proofs of communication and its application e-mails Proof-of-work for fighting spam Proof-of-

Proofs of communication and its application e-mails Proof-of-work for fighting spam Proof-of-

SOFSEM 2008 Filtering unwanted Proofs of communication and its application e-mails Proof-of-work for fighting spam Proof-of- communication Location generation Preparing proofs Verifying proof Marek Klonowski Tomasz Strumi nski Open

348 views • 23 slides
PoM @ Breaking Bitcoin Kevin Loaec @kloaec kevin@chainsmiths.com The Proof of Work Mechanism A

PoM @ Breaking Bitcoin Kevin Loaec @kloaec kevin@chainsmiths.com The Proof of Work Mechanism A

PoM @ Breaking Bitcoin Kevin Loaec @kloaec kevin@chainsmiths.com The Proof of Work Mechanism A proof: no doubt possible Work: defined in physics, S.I. unit is the Joule. Gaspard-Gustave Coriolis The Proof of Work Mechanism Electrical work

705 views • 16 slides
Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale sup erieure/PSL &amp; INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David

319 views • 14 slides

More recommend