Bitcoin & Blockchain applied cryptography problems Adam Back - - PowerPoint PPT Presentation

bitcoin blockchain applied cryptography problems
SMART_READER_LITE
LIVE PREVIEW

Bitcoin & Blockchain applied cryptography problems Adam Back - - PowerPoint PPT Presentation

Mar 22, 2024 936 likes •1.18k views

Bitcoin & Blockchain applied cryptography problems Adam Back <adam@blockstream.com> Cryptography adoption criteria Conservative security assumptions Or graceful security degradation Reasonably compact serialisation

slide-1
SLIDE 1

Bitcoin & Blockchain applied cryptography problems

Adam Back <adam@blockstream.com>

slide-2
SLIDE 2

Cryptography adoption criteria

  • Conservative security assumptions

– Or graceful security degradation

  • Reasonably compact serialisation
  • Reasonably efficient validation cost
  • Scalable (ideally no indefinitely growing data)
  • Patent free
  • However also side-chains

– Allow more experimental or bleeding edge – Opt-in and bitcoin interoperable

slide-3
SLIDE 3

side-chains

  • Maxwell, Back '13
  • Move coins into a chain (provable destroy)
  • Moving them back (provably suspend)
  • Reanimate via proof of destroy on sidechain

– Proof, maturity period for counter-proof longer chain

  • Compact proof of a chain of work
  • Skip-list with extra 0 allowing depth 2, two extra

0s allowing depth 4.

– Work preserving – forgery requires as much work

slide-4
SLIDE 4

Proofs vs Execution

  • Bitcoin smart contract model is that proofs of

execution are checked for validity.

  • Validation is not execution itself.
  • Blockchain is a contract arbitration mechanism.
  • Inefficient in space & execution to actually

execute.

  • Longer term ZK-SNARKs are an example of

proof vs execution. Script not revealed, just proof that it was known and satisfied.

  • Shorter term MAST model.
slide-5
SLIDE 5

P2SH

  • Delay reveal of script
  • P2SH address = H(script)
  • Validation requires:

– H(script') == H(script) – Providing <scriptSig> <script'> such that scriptSig

as an input to cause script' to be true

  • Generalisable mechanism...
slide-6
SLIDE 6

MAST or P2SH^2

  • Merkelized Abstract Syntax Tree

– address=MerkleRoot(syntax tree)

  • Short-circuit logic can be omitted from proof

– A or B … show more compact of A or B if both true

  • Optional nonce for contract privacy

– node=H(nonce || <left>, nonce2 || <right>)

  • General case: sig(A & B) or Merkle(syntax tree)

– 99% case sig(A & B) is all that is needed – No incentive for A or B to dispute as script is

deterministic known to both

slide-7
SLIDE 7

Fungibility & Privacy

  • Unlike previous systems (Chaum, Brands etc)

bitcoin is missing cryptographic unlinkability

– Ledger has full history of transactions

  • Bitcoin suggests practice of one-use addresses

– Some ambiguity from change vs payment

  • However results in backup problem

– Solution sequence of pub/pri keys Wuille '13 – x_i = MAC(code,i)*x mod n – Q_i = MAC(code,i)*Q – backup “chain code”, and seed/master pri x

slide-8
SLIDE 8

Store & forward, key distribution

  • Bitcoin payments store & forward over p2p

network

  • Sender knows address/public key

– address=H(public key)

  • everyone can see total received by address
  • Share chain-code then sender & recipient can

send/scan for payment to sequence of unlinkable addresses

  • But bootstrap problem – how to communicate

chain-code

slide-9
SLIDE 9

Unlinkable “stealth” address

  • Elgamal encrypt

– Sender derived Q'=y*Q where Q=xG – Send e = Elgamal( P, y )

  • Receiver trial decrypts e and checks if it

matches Q'

  • Problem: expensive download & decrypt all
  • Privacy: delegate decryption gives server

visibility on entire history

slide-10
SLIDE 10

Non-interactive key distribution

  • set of pub/pri keys where private can be

selectively revealed without leaking others

  • selective reveal x_i=MAC(code,i)*x fails

– assuming code is semi-public (untrusted sender)

  • Weil-pairing / IBE schemes can meet this reqt
  • User keeps identity master key

– x_i = keyGen( master-pri, i, identity=epoch ) – address = master-pub, one-use = epoch-id

  • Allows delegation to link only within epoch
slide-11
SLIDE 11

SPV bloom filter query

  • Reduced b/w SPV mode, reduced trust model
  • Bloom query model: send bloom filter with client

addresses to node.

– Size/privacy tradeoff: more false positives → better

privacy, but more blocks downloaded

  • Current model deficient due to parameters

– Defacto links wallets almost immediately – tuned to low false positives; – Filter contains both Q and h(Q) triangulates

slide-12
SLIDE 12

SPV bloom filter

  • Block contains commitment to bloom filter

– Of addresses in block

  • User downloads filters and offline queries
  • User downloads selected blocks or transactions
slide-13
SLIDE 13

Q: Better SPV model?

  • Is there a better privacy SPV model?
  • Supporting store and forward sending
  • Encrypted search?
  • Efficient PIR?
slide-14
SLIDE 14

Cryptographic blinding

  • Sander & Ta-Shma '99 auditable anon e-cash
  • Green, Miers et al zerocoin '13

– ZK set-membership proofs – Cut & choose – Large 20-40kB – RSA accumulator trapdoor – One denomination (subsequently generalised to

multi?)

slide-15
SLIDE 15

Cryptographic Blinding2

  • Ben-Sassoon et al zerocash ZK-SNARK based

– Compact, efficient to verify – Relatively expensive to create proofs – Relatively large CRS (GB+) – Trapdoor with non-graceful failure

  • Q: Alternative compact set-membership?

– No trapdoor – Efficient – Conservative crypto

slide-16
SLIDE 16

SNARKs

  • ZK contingent payment by Maxwell & Bowe '16

– Buyer does setup, proves E(k,verifier),x=H(k)

  • Use SNARK contracts

– Contract & satisfying terms private between parties

  • Make the chain validation code itself be SNARK

proven (large program, unclear if practical)

– Elevates SPV nodes to full-node security

  • Q: better SNARKs?

– Efficient enough to validate chain – No trapdoor, conservative crypto assumptions

slide-17
SLIDE 17

Additive security & SNARKs

  • Additive uses without conservative crypto
  • If efficient enough could have SPV model with

SNARKs chain validation but still fall-back to miner assertion in event of crypto break.

  • Compact proof of chain of hashes
  • Q: other additive models for SNARKs?
slide-18
SLIDE 18

Signature aggregation

  • Signatures are 60% of transaction space
  • Schnorr being proposed for compact n of n
  • Batch validation
  • multisig across inputs (up to 33% smaller)
  • With Coinjoin (up to 50% smaller transactions)
  • Q: More compact sigs, privacy preserving

aggregation?

slide-19
SLIDE 19

coinjoin

  • Maxwell coinJoin '11
  • Observation that transaction inputs can belong

to different users, can combine transaction paying same outputs but with payer ambiguity

  • Blinding can be used to hide mapping from

server (prove signer is a participant)

  • Various protocols to to prevent cheating

– Or stalling protocol

  • Q: Compact ring signature
slide-20
SLIDE 20

Confidential transactions

  • Additive homomorphism of Pedersen

commitments, however mod n problem...

  • ZK range-proof
  • Maxwell '15 borromean ring sig
  • 2.5kB proof number in range 0-2^32
  • Maybe 2kB optimisation
  • Q: compact range proof (related compact

ringsig)

slide-21
SLIDE 21

Key tree compact threshold

  • Key tree signatures Wuille & Maxwell '15
  • Simple method to convert compact n of n

signature into log(n) sized k of n threshold

  • Setup: merkle tree of k of n permutations
  • Sig: merkle path plus n of n signature, to get

log(n) sized threshold sig

  • must avoid Q=A+B+C where attacker knows DL
  • f Q and chooses C st Q=A+B+C.
  • eg Q=H(A)*A+H(A||B)*B+H(A||B||C)*C
slide-22
SLIDE 22

Polysig dense threshold

  • Polysig compact k ~ n threshold

– P={A+B+..+Z},Q={A+2B..

+26Z},R={A+2^2*B+...26^2*Z}

– 2P-Q omits B, 18P-9Q-C omits B & C – Supports k of n where n is too large to populate

merkle tree.

  • Combine with merkle and more signers online,

lower threshold

  • Q: more compact k of n threshold?