17 December 2019, Bart Preneel, Blockchain and Distributed Consensus: Hype or Science?

Slide 1: Blockchain and Distributed Consensus: Hype or Science?
Prof. Dr. Ir. Bart Preneel, COSIC, an imec lab at KU Leuven, Belgium
firstname.lastname@esat.kuleuven.be
INDOCRYPT 2019, 17 December 2019

Slide 2: Outline
- A short history lesson
- Highlights of Bitcoin
- Design - crypto problems
- Cryptanalysis - improving proof-of-work
- Alternatives to proof-of-work
- Blockchain challenges and opportunities

Slide 3: Currencies = maintaining memory
[Figure: clay accounting tokens and tablets; Susa, Iran, ca 3300 BC; cuneiform, Sumeria, ca 2600 BC]
Slide inspired by George Danezis

Slide 4: Hash functions (1975): one-way
Easy to compute but hard to invert. Examples: RIPEMD-160, SHA-256, SHA-512, SHA-3.
[Figure: a long input X is mapped by f to the short fixed-length value 1A3FD4128A198FB3CA345932]
The input text on the slide reads: "This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision)."
Slide 5: Digital signatures (1975): "equivalent" to manual signature
[Figure: Donald signs the message "Donald agrees to pay to Joe 100 Bitcoins. Sept. 25, 2019" with his private key; anyone holding the matching public key can verify the signature]

Slide 6: Merkle tree (1979)
Using a hash function f to authenticate a set of messages through a logarithmic number of values.
[Figure: leaves x1 ... x8 are hashed pairwise (x12, ..., x5678) up to a single root]
Applications: digital signatures, revocation, ...

Slide 7: Byzantine generals problem (1978)
Can deal with at most 1/3 traitors (more precisely: t traitors among n generals only if n >= 3t + 1, i.e. strictly fewer than one third).

Slide 8: Timestamping (1990)
- Collect documents and hash them with a Merkle tree
- Chain these trees together with a hash chain
- Publish intermediate values on a regular basis
[Figure: hash chain 0 -> f -> t1 -> f -> t2 -> f -> t3; each step also absorbs the root of that period's Merkle tree]
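Slides 6 and 8 together describe one complete construction: a Merkle tree over the documents of a period, an audit path of logarithmic length for each document, and a hash chain over the successive roots. The Python below is an added example, not material from the deck; it assumes SHA-256 as the hash function f, a prefix byte to separate leaves from interior nodes, and the duplicate-the-last-node rule for levels with an odd number of nodes. The proof a client keeps is checked only against the published chain values, never against the service's own database:

```python
import hashlib
from typing import List, Tuple

Path = List[Tuple[str, bytes]]   # (side of the sibling, sibling hash), one entry per tree level


def f(data: bytes) -> bytes:
    """The hash function f of the slides; SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).digest()


def leaf(doc: bytes) -> bytes:
    # A prefix byte separates leaves from interior nodes, so that an interior
    # node can never be presented as a "document" (second-preimage trick on trees).
    return f(b"\x00" + doc)


def node(left: bytes, right: bytes) -> bytes:
    return f(b"\x01" + left + right)


def _pad(level: List[bytes]) -> List[bytes]:
    # Odd number of nodes: duplicate the last one (assumed convention).
    return level + [level[-1]] if len(level) % 2 else level


def merkle_root(docs: List[bytes]) -> bytes:
    if not docs:
        raise ValueError("cannot build a tree over zero documents")
    level = [leaf(d) for d in docs]
    while len(level) > 1:
        level = _pad(level)
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_path(docs: List[bytes], index: int) -> Path:
    """Audit path for docs[index]: one sibling hash per level, so about log2(n)
    values authenticate one document against the root."""
    level = [leaf(d) for d in docs]
    path: Path = []
    while len(level) > 1:
        level = _pad(level)
        sibling = index ^ 1
        path.append(("L" if sibling < index else "R", level[sibling]))
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return path


def verify_path(doc: bytes, path: Path, root: bytes) -> bool:
    h = leaf(doc)
    for side, sibling in path:
        h = node(sibling, h) if side == "L" else node(h, sibling)
    return h == root


class TimestampService:
    """The scheme of slide 8: per publication period, tree the submitted documents
    and chain the roots, t_i = f(t_{i-1} || root_i) with t_0 = 0.
    Only the t_i values are published; every client keeps its own proof."""

    def __init__(self) -> None:
        self.periods: List[List[bytes]] = []
        self.published: List[bytes] = [bytes(32)]       # t_0 = 0

    def close_period(self, docs: List[bytes]) -> int:
        root = merkle_root(docs)
        self.periods.append(list(docs))
        self.published.append(f(self.published[-1] + root))
        return len(self.periods)                        # period number i

    def proof(self, period: int, index: int) -> Tuple[int, bytes, Path]:
        docs = self.periods[period - 1]
        return period, merkle_root(docs), merkle_path(docs, index)


def verify_timestamp(doc: bytes, proof: Tuple[int, bytes, Path], published: List[bytes]) -> bool:
    """Checks only against published values: the service's database is not trusted,
    and a document whose period has not been published yet is not timestamped."""
    period, root, path = proof
    if period < 1 or period >= len(published):
        return False
    return verify_path(doc, path, root) and f(published[period - 1] + root) == published[period]
```

The service cannot backdate a document after the fact: doing so would change root_i, hence t_i and every later t_j, all of which are already public.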
Slide 9: Timestamping in practice
- Surety Technologies (1994), http://www.surety.com/
- Belgian TIMESEC project (1996-1999), https://www.belspo.be/belspo/organisation/Publ/pub_ostc/NO/rNOb007_en.pdf
- Estonia: Cybernetica

Slide 10: Proof of work to combat spam [Dwork-Naor-Ponyatovski 1992]; Adam Back, Hashcash 1997
[Figure: the hash-function picture of slide 4 again (input text mapped by f to 1A3FD4128A198FB3CA345932): the sender must find an input whose hash value satisfies a condition, which costs many hash evaluations to produce and a single one to check]

Slide 11: Technologies underlying Bitcoin
[Figure: timeline of the building blocks, with the years 1975, 1978, 1979, 1985, 1990, 1990, 1992, 1996, 1998, 2000, 2002, 2009]

Slide 12: A (very very) brief history of ecash
Slide 13: Bitcoin (2008): Satoshi Nakamoto
- Everyone can produce money
- No central bank
- Everyone can verify transactions
- Distributed consensus

Slide 14: Paying with Bitcoin
[Figure: Boris and Donald, and the blockchain as a public ledger of (name, amount) entries]
name                                 amount
1BxgB4tjcoDnz1LC7bRqyybbE8YNigUQn5   70.00
19EULTY5DMyvDM6krKtcuvcUoHT4T3QmQL   80.02
1CMMwinpNduzooWeJ4sK9u7Lkp4YAyK2Lw    5.00
16PVjaawyWqWnzyttJTAyv7hTcPNmRnVzY    2.50  (+1.00)
16LNAxwBQupD7yDC8RUSRhyb62BFAZtgae    0.17
12tQUEb8zzdQSXkgt1553z7zS6Fm1cMQZB   10.00  (-1.00)
16VTrwYYCLUNgzB8Xs8fYtWWxHR4wdyHm5    2.30

Slide 15: Paying with Bitcoin
Donald signs with his private key the message "Donald agrees to pay to Boris 1 Bitcoin. Dec. 17, 2019", spending from his address 12tQUEb8zzdQSXkgt1553z7zS6Fm1cMQZB; the signature is checked with his public key.

Slide 16: Paying with Bitcoin (the ledger after the transaction)
name                                 amount
1BxgB4tjcoDnz1LC7bRqyybbE8YNigUQn5   70.00
19EULTY5DMyvDM6krKtcuvcUoHT4T3QmQL   80.02
1CMMwinpNduzooWeJ4sK9u7Lkp4YAyK2Lw    5.00
16PVjaawyWqWnzyttJTAyv7hTcPNmRnVzY    3.50
16LNAxwBQupD7yDC8RUSRhyb62BFAZtgae    0.17
12tQUEb8zzdQSXkgt1553z7zS6Fm1cMQZB    9.00
16VTrwYYCLUNgzB8Xs8fYtWWxHR4wdyHm5    2.30
Slide 17: Paying with Bitcoin
- Anyone can verify a digital signature
- Anyone can verify whether the "account" of Donald contains enough money

Slide 18: Managing the blockchain
- Miners all over the world verify all the transactions
- But due to communication errors or fraud there are multiple versions

Slide 19: Voting? Sybil attack
(one vote per identity does not work in an open network, because identities cost nothing to create)

Slide 20: Puzzles (a lottery) [Dwork-Naor'92] [Hashcash]
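The puzzle of slides 10 and 20, and the way Bitcoin turns one puzzle solution per block into a chain, as an added example that is not code from the deck. It assumes SHA-256 as f, a fixed-width header layout and the rule "hash, read as a number, below a target"; Bitcoin itself uses double SHA-256 and a different header, and the payload here stands in for the block's transactions. Every extra difficulty bit halves the target and doubles the expected number of tries, while checking a solution stays one hash:

```python
import hashlib
import time
from dataclasses import dataclass
from typing import List, Optional


def f(data: bytes) -> bytes:
    """The hash function f of the slides; SHA-256 is assumed here."""
    return hashlib.sha256(data).digest()


def target(bits: int) -> int:
    """A solution is a header whose hash, read as a 256-bit integer, is below this.
    Each extra bit halves the target and doubles the expected tries (2**bits)."""
    return 1 << (256 - bits)


def header(prev: bytes, payload: bytes, timestamp: int, bits: int, nonce: int) -> bytes:
    # Fixed-width fields, so that no two field combinations serialise to the same bytes.
    return (prev + f(payload) + timestamp.to_bytes(8, "big")
            + bits.to_bytes(2, "big") + nonce.to_bytes(8, "big"))


def check(prev: bytes, payload: bytes, timestamp: int, bits: int, nonce: int) -> bool:
    """Verification costs one hash, however much work went into finding the nonce."""
    return int.from_bytes(f(header(prev, payload, timestamp, bits, nonce)), "big") < target(bits)


def solve(prev: bytes, payload: bytes, timestamp: int, bits: int,
          max_tries: int = 1 << 24) -> Optional[int]:
    """The lottery: each nonce wins independently with probability 2**-bits,
    so nobody can do better than trying candidates one after the other."""
    for nonce in range(max_tries):
        if check(prev, payload, timestamp, bits, nonce):
            return nonce
    return None


@dataclass
class Block:
    prev: bytes        # hash of the previous block header; all-zero for the first block
    payload: bytes     # stand-in for the transactions (Bitcoin commits to them via a Merkle root)
    timestamp: int
    bits: int          # difficulty level, recorded in the block
    nonce: int

    def hash(self) -> bytes:
        return f(header(self.prev, self.payload, self.timestamp, self.bits, self.nonce))


def mine_block(prev: bytes, payload: bytes, bits: int, timestamp: Optional[int] = None) -> Block:
    ts = int(time.time()) if timestamp is None else timestamp
    nonce = solve(prev, payload, ts, bits)
    if nonce is None:
        raise RuntimeError("no solution within max_tries; change the timestamp and retry")
    return Block(prev, payload, ts, bits, nonce)


def build_chain(payloads: List[bytes], bits: int) -> List[Block]:
    # Constructed timestamps: 17 Dec 2019 00:00 UTC plus ten minutes per block.
    chain: List[Block] = []
    prev = bytes(32)
    for i, payload in enumerate(payloads):
        block = mine_block(prev, payload, bits, timestamp=1576540800 + 600 * i)
        chain.append(block)
        prev = block.hash()
    return chain


def verify_chain(chain: List[Block], min_bits: int) -> bool:
    """Every block must point at its predecessor's hash and carry a valid puzzle
    solution at least as hard as min_bits. Editing an old block changes its hash,
    which breaks the link in every later block: rewriting history means redoing
    all the work after the edited block."""
    prev = bytes(32)
    for block in chain:
        if block.prev != prev or block.bits < min_bits:
            return False
        if not check(block.prev, block.payload, block.timestamp, block.bits, block.nonce):
            return False
        prev = block.hash()
    return True


if __name__ == "__main__":
    chain = build_chain([b"x9 ... x16", b"x17 ... x20", b"x21 ... x24"], bits=16)
    print("valid:", verify_chain(chain, 16), "nonces:", [b.nonce for b in chain])
    chain[0].payload = b"x9 ... x16 (edited)"
    print("after editing block 1:", verify_chain(chain, 16))
```

With bits=16 each block takes about 65,000 hashes on average; Bitcoin's difficulty in 2019 was around 2^74 expected hashes per block, which is why mining is a lottery that no single machine can win on its own.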
Slide 21: The Bitcoin network
[Figure: map of reachable nodes, from bitnodes.earn.com]

Slide 22: Block chain: a public decentralized ledger
[Figure: Bitcoin transactions x9 ... x24 grouped into Block 1, Block 2, Block 3; each block carries a nonce (nonce1, nonce2, nonce3) chosen so that its hash under f is "small"; the blocks are chained 0 -> t1 -> t2 -> t3; the full block chain is 253 Gbyte]
Also include in every block a timestamp and the difficulty level of the puzzle.

Slide 23: Bitcoin transaction: send money from one public key (address) to another one
[Figure by Chris Pacia: three transactions A, B, C, each with In and Out sides; an output of one transaction (e.g. the 8 BTC output of A, which also has a 42 BTC output) is consumed as the input of a later one; other amounts shown: 50, 10, 7, 6, 15 and 5 BTC]

Slide 24: Mining rewards
The total number of Bitcoins is limited to 21 million, each divided in 8 decimal places, leading to 21 x 10^14 units.
Slide credit: F. Vercauteren
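The bookkeeping behind slides 17, 23 and 24, as an added example that is not the deck's own material: the ledger is the set of unspent transaction outputs (UTXOs), a transaction consumes existing outputs and creates new ones, and it is valid only if every referenced output exists, carries a signature from its owner and the outputs do not exceed the inputs (the difference being the miner's fee). The names, amounts and the `signed_by` set that stands in for ECDSA signatures are constructed for this example; amounts are in base units of 10^-8 BTC:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

BTC = 10 ** 8            # one bitcoin is 10**8 base units (the 8 decimal places of slide 24)


@dataclass(frozen=True)
class TxOut:
    value: int           # base units
    address: str         # payee (in Bitcoin, derived from the hash of a public key)


@dataclass
class Tx:
    txid: str
    inputs: List[Tuple[str, int]]                        # (txid, output index) being spent
    outputs: List[TxOut]
    signed_by: Set[str] = field(default_factory=set)     # stand-in for signatures by the input owners


UTXOSet = Dict[Tuple[str, int], TxOut]


def apply_tx(utxo: UTXOSet, tx: Tx) -> int:
    """Validate tx against the set of unspent outputs and apply it; returns the fee.
    Any violation raises ValueError before utxo is touched."""
    if not tx.inputs:
        raise ValueError("only a coinbase transaction has no inputs")
    if len(set(tx.inputs)) != len(tx.inputs):
        raise ValueError("the same output is referenced twice")
    if any(o.value < 0 for o in tx.outputs):
        raise ValueError("negative output value")
    in_value = 0
    for ref in tx.inputs:
        prev = utxo.get(ref)
        if prev is None:
            raise ValueError(f"{ref} is not an unspent output: unknown or already spent")
        if prev.address not in tx.signed_by:
            raise ValueError(f"missing signature from the owner of {ref} ({prev.address})")
        in_value += prev.value
    out_value = sum(o.value for o in tx.outputs)
    if out_value > in_value:
        raise ValueError("outputs exceed inputs: the transaction would create money")
    for ref in tx.inputs:                   # all checks passed: spend the inputs ...
        del utxo[ref]
    for i, out in enumerate(tx.outputs):    # ... and add the new outputs
        utxo[(tx.txid, i)] = out
    return in_value - out_value


def apply_coinbase(utxo: UTXOSet, tx: Tx, subsidy: int, fees: int) -> None:
    """The one transaction per block that may create money: at most subsidy + collected fees."""
    if tx.inputs:
        raise ValueError("a coinbase transaction has no inputs")
    if sum(o.value for o in tx.outputs) > subsidy + fees:
        raise ValueError("coinbase claims more than the block reward")
    for i, out in enumerate(tx.outputs):
        utxo[(tx.txid, i)] = out


def balance(utxo: UTXOSet, address: str) -> int:
    """What slide 17 calls checking the "account": the sum of unspent outputs to an address."""
    return sum(o.value for o in utxo.values() if o.address == address)


def rejected(utxo: UTXOSet, tx: Tx) -> bool:
    """True if tx is refused and the UTXO set is left exactly as it was."""
    before = dict(utxo)
    try:
        apply_tx(utxo, tx)
        return False
    except ValueError:
        return utxo == before


def example() -> UTXOSet:
    """Constructed history: a 50 BTC coinbase, a payment to donald with a fee,
    donald paying boris 1 BTC with change, then two rejected transactions."""
    utxo: UTXOSet = {}
    apply_coinbase(utxo, Tx("A", [], [TxOut(50 * BTC, "miner")]), subsidy=50 * BTC, fees=0)
    fee = apply_tx(utxo, Tx("B", [("A", 0)],
                            [TxOut(8 * BTC, "donald"), TxOut(42 * BTC - 1000, "miner")], {"miner"}))
    assert fee == 1000
    apply_tx(utxo, Tx("C", [("B", 0)], [TxOut(1 * BTC, "boris"), TxOut(7 * BTC, "donald")], {"donald"}))
    # Donald tries to spend output ("B", 0) a second time: it is no longer in the set.
    assert rejected(utxo, Tx("D", [("B", 0)], [TxOut(8 * BTC, "donald2")], {"donald"}))
    # Boris tries to spend Donald's change without Donald's signature.
    assert rejected(utxo, Tx("E", [("C", 1)], [TxOut(7 * BTC, "boris")], {"boris"}))
    return utxo
```

Note that the order of checks matters: the set is only modified once every input has been verified, so a transaction that is half valid (one good input, one already-spent input) leaves no trace.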
Slide 25: Market price in USD (market cap 125 B$)
[Figure: price chart, 1 Bitcoin = $6,900 in Dec. 2019; annotated events: 2011 bubble, Cyprus crisis, Mount Gox, China + Korea ban]
"The worth of a thing is the price it will bring."
Slide credit: Joseph Bonneau

Slide 26: Mining has become industrial

Slide 27: Number of transactions per day
- 2-5 transactions/s, peak 10 transactions/s
- a large share goes to a few addresses
- for comparison: Alipay peak 256,000/s, Visa peak 56,000/s, Western Union peak 750/s

Slide 28: Energy cost: 50-75 TWh per year (same as Austria)
Cost per transaction: 600 kWh, i.e. what 1 US household uses in 20 days.
https://digiconomist.net/
Slide 29: Is Bitcoin the money of the future?
3 main purposes of money:
- medium of exchange
- store of value
- unit of account

Slide 30: Is Bitcoin the money of the future?
[Figure: two quotes, 2013: "We don't understand Bitcoin"; 2019: "Computer scientists set the monetary policy"]

Slide 31: Outline (repeated; next section: Design - crypto problems)
- A short history lesson
- Highlights of Bitcoin
- Design - crypto problems
- Cryptanalysis - improving proof-of-work
- Alternatives to proof-of-work
- Blockchain challenges and opportunities

Slide 32: Improving Bitcoin cryptography
- Improve signatures: shorter signatures, batch verification, post-quantum signatures
- Privacy: ring signatures (Monero)
- Privacy: Non-Interactive Zero-Knowledge (NIZK): hide amount, payer, payee
  - ZK-SNARKs: Zero-Knowledge Succinct Non-Interactive Argument of Knowledge
  - Bulletproofs
  - ZK-STARKs: Zero-Knowledge Scalable Transparent ARguments of Knowledge
- Also gives rise to new symmetric key research, e.g. low AND depth: MiMC, MARVELlous
Slide 33: NIZK for privacy
(table after https://ethereum.stackexchange.com/questions/59145/zk-snarks-vs-zk-starks-vs-bulletproofs-updated)

                         ZK-SNARKs           Bulletproofs     ZK-STARKs
Cost prover              O(N log N)          O(N log N)       O(N polylog N)
Cost verifier            O(1)                O(N)             O(polylog N)
Cost communication       O(1)                O(log N)         O(polylog N)
Trusted setup            YES (CRS)           NO               NO
Postquantum              NO                  NO               YES
Assumption               Strong              Discrete Log     Collision resistant hash
Size, 10K transactions   600 Gbyte + 200 b   2.5 kb           135 kb

Slide 34: Scientific value of Bitcoin
Solves the distributed consensus problem:
- Byzantine agreement with an open system
- Continuous processing of transactions (not sequential)
- Incentives (game theory)
- Overwhelming probability rather than deterministic

Slide 35: Science of Nakamoto Consensus
[Garay-Kiayias-Leonardos'15] [Kiayias-Panagiotakos'15] [Pass-Seeman-Shelat'17]
- chain growth: the chain grows proportionally with the number of time steps
- (block)chain quality/fairness: fraction of blocks mined by compliant miners
- (blockchain) consistency: agreement among players on the blockchain except for the last blocks
- liveness: no transaction censorship
Consider Byzantine rather than rational adversaries.

Slide 36: Science of Nakamoto Consensus
[Pass-Seeman-Shelat'EC17] Analysis of the blockchain protocol in asynchronous networks
Slide 37: Nakamoto Consensus
[Figure: NC alongside alternative fork-resolution rules: Tortoise and Hares, Publish or Perish, Conflux]
Slide credit for this part: Ren Zhang

Slide 38: Nakamoto Consensus (NC)
To resolve a fork:
- longest chain (roughly) if there is one
- first-received in a tie
To issue rewards:
- main chain blocks receive full rewards
- orphaned blocks receive nothing
Key weakness: imperfect chain quality: a <50% attacker can modify the blockchain with high success rate.

Slide 39: Imperfect chain quality -> 3 attacks: Selfish mining [Eyal-Sirer'14]
[Figure: timeline of attacker blocks versus public blocks, with the attacker's broadcast time: the attacker keeps its blocks private and releases them only when the public chain is about to catch up, so that the public blocks are orphaned]
- The attacker gains unfair block rewards; rational miners would join the attacker, which damages decentralization.

Slide 40: Imperfect chain quality -> 3 attacks: Double-spending [Sompolinsky-Zohar'16]
[Figure: the transaction Tx: A->B enters the public chain; after 6 confirmations B delivers the product; the attacker's private branch contains the conflicting Tx: A->A' and is broadcast once it is longer than the public chain]
- The attacker reverses confirmed txs.
- Subversion bounty = minimum double-spending reward to incentivize attack attempts.
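How safe "6 confirmations" actually is depends on the attacker's share of the hash rate. The slide cites Sompolinsky-Zohar'16 for a refined analysis; the added example below (not from the deck) uses the simpler model of section 11 of the 2008 Bitcoin paper, whose table of values it reproduces: while the honest network mined the z confirmation blocks, the attacker's private branch grew by a Poisson number of blocks with mean z*q/p, and a branch that is d blocks behind still overtakes the honest chain with probability (q/p)^d:

```python
import math
from typing import List, Tuple


def double_spend_success(q: float, z: int) -> float:
    """Probability that an attacker with fraction q of the hash rate eventually
    overtakes the honest chain after the victim has seen z confirmations
    (model of the 2008 Bitcoin paper, section 11)."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    p = 1.0 - q
    if q >= p:                    # majority attacker: catches up with certainty
        return 1.0
    lam = z * q / p               # expected attacker progress during the z honest blocks
    poisson = math.exp(-lam)      # Poisson probability of k = 0
    total = 0.0
    for k in range(z + 1):
        total += poisson * (1.0 - (q / p) ** (z - k))   # k attacker blocks: still z-k behind
        poisson *= lam / (k + 1)  # advance to k + 1
    return 1.0 - total            # k > z: the attacker is already ahead


def confirmations_needed(q: float, max_prob: float = 0.001, limit: int = 10_000) -> int:
    """Smallest z that pushes the attacker's success probability below max_prob."""
    for z in range(limit + 1):
        if double_spend_success(q, z) < max_prob:
            return z
    raise ValueError(f"not reached within {limit} confirmations")


def table(qs: List[float], zs: List[int]) -> List[Tuple[float, List[float]]]:
    return [(q, [double_spend_success(q, z) for z in zs]) for q in qs]


if __name__ == "__main__":
    for q, row in table([0.1, 0.3, 0.45], [0, 1, 2, 6, 10]):
        print(f"q={q:.2f}", " ".join(f"{v:.7f}" for v in row),
              f" z for <0.1%: {confirmations_needed(q)}")
```

For q = 0.1 six confirmations bring the success probability down to 0.02%, but for q = 0.3 it is still above 10%, and the required depth explodes as q approaches 0.5 (several hundred blocks at q = 0.45). This is the "<50% attacker" point of the previous slide in numbers: the security of a confirmed transaction is a probability that depends on the adversary's hash rate, never a certainty.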