CS 683 - Security and Privacy Spring 2018 Instructor: Karim - - PowerPoint PPT Presentation

CS 683 - Security and Privacy Spring 2018

Instructor: Karim Eldefrawy

University of San Francisco

http://www.cs.usfca.edu/~kelde frawy/teaching/spring2018/cs6 83/cs683_main.htm (https://goo.gl/t396Fw)

1

Ba Basi sics s of

• f Bl

Bloc

• ckchain-bas

based d Cr Cryptoc

• curr

rrencies s and Systems

A A good d so sour urce for more information

Slides of this lecture are largely based on those presented in accompanying videos (for lectures 1 and 2) at: http://bitcoinbook.cs.princeton.edu/

Crypto Back ckground: Hash Funct ctions, Hash Po Pointers, and Hash Po Pointer-ba based d Data Struct ctures

Has Hash h Func Functio tions ns

• Functional requirements:
• Takes any string or arbitrary length as input
• Fixed-size output (we will use 256 bits as an example)
• Efficiently computable
• Security requirements:
• Collision-free
• Hiding
• Puzzle-friendly

Pr Property 1 of Hash Functions: Collision-fr free

• No adversary can find x and y such that

x ≠ y and H(x) = H(y)

X H(X) = H(y) Y

Ho How w to find ind a a collis llisio ion? n?

• Try 2130 randomly chosen inputs

(for a 256 bit hash output)

• 99.8% chance two of them will

collide This works no matter how H is constructed … but takes long to be a serious attack that matters

Appl Application: n: ha hash sh as s messa ssage di digest

Pr Property 2 of Hash Functions: Hiding

Pr Property 2 of Has Hash h Func Functio tions ns: Hiding Hiding

Appl Application: n: Co Commitment

X X

Commit Open

Co Commi mmitme ment AP API 1/ 1/3

Co Commi mmitme ment AP API 2/ 2/3

Co Commi mmitme ment AP API 3/ 3/3

Pr Property 3 3 of

• f H

Hash F Function

• ns :

: Pu Puzzle-fr friendly

Appl Application: n: Search h puz puzzle

SH SHA-256 256

Has Hash h Poin inter ers

Ka Kay Idea

Utilize hash pointers to build efficient integrity ensuring data-structures

Has Hash h po poin inter er chaining haining

Has Hash h po poin inter er chaining haining

Has Hash h po poin inter er chaining haining

Tr Tree using hash pointers

Root Hash

We have seen this before; in what context?

Adv Advantages s of f Merkel Trees

Mo More generally …

Can use hash pointer in any pointer-based data structure that has no cycles

• Hash pointers will ensure integrity of

information stored/used in the data structure

Dig Digit ital S al Sig ignatures in in t the C Context o

• f

Cr Cryp yptocurr rrencies

Re Requirements of a digital signature scheme

AP API for di digi gital si signa gnatur ures

Re Requirements for signatures

Se Securi rity game me for r a signature scheme me

Se Securi rity game me for r a signature scheme me

Se Securi rity game me for r a signature scheme me

Se Securi rity game me for r a signature scheme me

Se Securi rity game me for r a signature scheme me

Addi Additiona nal issue ssues

Wha What si signa gnatur ure sc sche heme is s use used d in n Bitcoin

ECDSA is the elliptic curve version of the DSA standard which is similar to El-Gamal signature scheme.

Us Useful l tr tric ick: use e public lic key as as an an id iden entity tity

Ho How w to gener enerate e a a ne new w iden identity tity

In practice: use H(pk) as identity as it is smaller than pk

De Dece centraliz alized id identit ity m man anag agement

Pr Privacy is complicate ated

Addresses not directly connected to real-world identity. (Un)linkability: But observer can link together an address’s activity over time, and make inferences.

Si Simp mple Examp mples of Cr Cryptocurr rrency Designs

At Attempt #1: Goofy Coin

Op Operation of f Goofy y Co Coin 1/3

Rule #1:

Op Operation of f Goofy y Co Coin 2/3

Rule #2:

Op Operation of f Goofy y Co Coin 3/ 3/3

Rule #3:

Bi Big se securi rity y issu ssue with Goofy y Co Coin

Double-Spending

Double-spending is one of the hardest security challenges to solve when developing a cryptocurrency

At Attempt #2: Scrooge Coin

Op Operation of f Scrooge Co Coin 1/3

Op Operation of f Scrooge Co Coin 2/ 2/3

Transaction Type #1:

Op Operation of f Scrooge Co Coin 3/3 /3

Transaction Type #2:

Im Immut utable able Coins ins

Th The main problem with Scrooge Coin

Crucial question: Can we descroogify the currency, and

• perates without any central, trusted

party?

Ho How w Bit itcoin in solv lves es the the dec decen entr traliz alizatio tion n is issue ue

Bi Bitcoin’s s Peer-to to-Pe Peer Network

• A peer-to-peer network without any “central” authority for

ensuring integrity of transactions and keeping track of

• wnership of (Bit)coins (and minting them)
• Ledger and history of ALL transactions are public and

available for anyone to inspect

Ce Centralizations s vs s Decentralizations

• Competing paradigms that underlie many digital technologies

Sir Tim Berners-Lee (inventor of the Web)

De Dece centraliz alizatio ion is is n not all all-or

• r-no

nothi hing ng

• Email:

Decentralized protocol, but dominated by centralized webmail services.

Aspe Aspects s of f de decentralization n in n Bi Bitcoin

• Who maintains the ledger?
• Who has authority over which transactions are valid?
• Who creates new bitcoins?
• Who determines how the rules of the system change?
• How do bitcoins acquire exchange value?
• Beyond the protocol:

Exchanges, wallet software, service providers …

Aspe Aspects s of f de decentralization n in n Bi Bitcoin

Bi Bitcoin’s s key y challenge: distri ributed conse sensu sus

Wh Why y conse nsensus nsus pr protocols? s?

• Traditional motivation: reliability in distributed systems.
• Distributed key-value store enables various applications:

DNS, public-key directory, stock trades, databases … etc.

Good target for Altcoins!

De Defin inin ing d dis istrib ibuted c consensus

• Assume N servers/processors/processes.
• The protocol terminates and all correct nodes decide on the same

value (V).

• The value V must have been proposed by some correct node.
• Typically assume honest majority, e.g., less than N/3 or N/2 are

misbehaving.

Bi Bitcoin is s a peer-to to-peer peer system em

Note: Bob’s computer is not in the picture

coin’s history Alice’s transaction is broadcast/flooded throughout the Bitcoin network

Ho How w cons nsens ensus us co could wo work in Bitcoin

At any given time:

• All nodes have a sequence of blocks of transactions they’ve reached

consensus on

• Each node has a set of outstanding transactions it’s heard about (but

consensus has not happened for them yet)

Ho How w cons nsens ensus us co could wo work in Bitcoin

Consensus reached on these blocks

How consensus could work in Bitcoin

Ho How w cons nsens ensus us co could wo work in Bitcoin

Ho How w cons nsens ensus us co could wo work in Bitcoin

The green block is chosen as a result of consensus and is added to the agreed-upon blockchain. This is close to how Bitcoin cloud work, but not exactly. Why? Consensus reached on these blocks

Wh Why y conse nsensus nsus is s ha hard

No notion of global time!

Ma Many imp mpossibility results

• Byzantine generals problem:

https://en.wikipedia.org/wiki/Byzantine_fault_tolerance#B yzantine_Generals'_Problem

• Fischer-Lynch-Paterson (deterministic nodes): consensus

impossible with a single faulty note

So Some me well-kn known conse sensu sus s protocols

http://www.cs.yale.edu/homes/aspnes/pinewiki/Paxos.html

Un Under erstan andin ing im impossib ibility ility res esults lts

Bi Bitcoin conse sensu sus: s: theory y vs s practice

So Some me things Bi Bitcoin does differently

Bitcoin does not solve the (large-scale) consensus problem in the general sense, but only in the context of a digital currency system.

Wh Why y ide dentity? y?

Why don’t Bitcoin nodes have identities?

• Identity is hard in a P2P system – Sybil attack
• Pseudonymity is a goal of Bitcoin

We Weaker assumption: select random nodes

Ke Key idea: implicit consensus

Bi Bitcoin conse sensu sus s algori rithm m (si (simp mplifi fied)

Wha What can n a malicious us no node de do do?

Wha What can n a malicious us no node de do do?

Wha What can n a malicious us no node de do do?

Wha What can n a malicious us no node de do do?

Wha What can n a malicious us no node de do do?

Wha What can n a malicious us no node de do do?

Honest nodes will extend the longest valid branch.

Fr From Bob b the the mer erchan hant’s po poin int t of vie view

Fr From Bob b the the mer erchan hant’s po poin int t of vie view

Fr From Bob b the the mer erchan hant’s po poin int t of vie view

Fr From Bob b the the mer erchan hant’s po poin int t of vie view

Fr From Bob b the the mer erchan hant’s po poin int t of vie view

Fr From Bob b the the mer erchan hant’s po poin int t of vie view

Re Recap

Assum Assumption n of f ho hone nesty y is s pr probl blematic

Assum Assumption n of f ho hone nesty y is s pr probl blematic

Pr Proof-of

• f-Wo

Work (Po PoW) ) and Incentives s in Bi Bitcoin

• PoW in Bitcoin is finding a value that when hashed (SHA-256)

the hash begins with a certain number of zeros (control of difficulty level)

• Incentive for Mining/Ensuring Integrity of Blockchain: The first

transaction in a block is a special transaction that starts a new coin owned by the creator of the block.

Block Tx Tx … Previous Hash Nonce (to be found) Block Tx Tx … Previous Hash Nonce (to be found)

Assum Assumption n of f ho hone nesty y is s pr probl blematic

Su Summa mmary of Operation of

• f B

Bitcoi

• in’s N

Networ

• rk

1) New transactions are broadcast to all nodes 2) Each node collects new transactions into a block 3) Each node works on finding a solution to a (somewhat) difficult proof-of-work puzzle for its block 4) When a node finds a solution to the proof-of-work puzzle, it broadcasts the block to all nodes 5) Nodes accept block only if all transactions in it are valid and not already spent 6) Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash

Exploring recent Bitcoin blocks/transactions 1/4

https://blockchain.info/block/00000000000000000042e9d461887fbfcd65d70d436f9c825031f8fc7ce09809

Exploring recent Bitcoin blocks/transactions 2/4

Exploring recent Bitcoin blocks/transactions 3/4

Exploring recent Bitcoin blocks/transactions 4/4