Rolling your own crypto is like making your own dynamite its sounds - - PowerPoint PPT Presentation

▶

Jul 11, 2023 294 likes •568 views

Rolling your own crypto is like making your own dynamite its sounds cool, but it will blow up on you if you don't know what you are doing. (And sometimes even if you do). Cryptocurrencies & Security on the Blockchain A Distributed

SLIDE 1

Rolling your own crypto is like making your own dynamite – its sounds cool, but it will blow up on you if you don't know what you are doing. (And sometimes even if you do).

SLIDE 2

Cryptocurrencies & Security on the Blockchain

Prof. Tom Austin

San José State University

A Distributed Lottery

SLIDE 3

Reading for next class: DigiCash

Goldwasser and Bellare's lecture notes,

Section 12.5 (p.233-237). http://cseweb.ucsd.edu/~mihir/papers/gb.pdf

Skim through David Chaum's paper on

blinded signatures. http://www.hit.bme.hu/~buttyan/courses/BM EVIHIM219/2009/Chaum.BlindSigForPaym ent.1982.PDF

SLIDE 4

Simple, Centralized Lottery Protocol rules:

1. Server (TTP) registers players
2. Server randomly determines

winner

What could go wrong?

SLIDE 5

Random Numbers

Truly random

– What we want, but may not exist.

Unpredictable

– Attacker cannot predict – Useful for security

Irregular

– Look random – Predictable – Not useful in security

Source of many security bugs.

SLIDE 6

Random Number Generators

Pseudo-random number generator (PRNG)

–Return irregular values

Cryptographically secure pseudo-random

number generator (CSPRNG)

–PRNGs that return unpredictable values

For security applications, WE MUST USE

CSPRNGs

SLIDE 7

Articles on random numbers

Generating random integers from random
bytes. http://dimitri.xyz/random-ints-from-

random-bits/

Secure random values (in Node.js)

https://gist.github.com/joepie91/7105003c3b26 e65efcea63f3db82dfba

SLIDE 8

Secure (but limited) random function

// Range 0-255 function sample() { return crypto.randomBytes(1) .readUInt8(); }

SLIDE 9

Secure random function?

function randInt(range) { if (range > 256) throw new Error(); return sample() % range; }

SLIDE 10

Testing Random Function

(in-class)

SLIDE 11

Which player wins on randInt(10)?

0: 0, 10, 20, 30, ... 230, 240, 250 1: 1, 11, 21, 31, ... 231, 241, 251 2: 2, 12, 22, 32, ... 232, 242, 252 3: 3, 13, 23, 33, ... 233, 243, 253 4: 4, 14, 24, 34, ... 234, 244, 254 5: 5, 15, 25, 35, ... 235, 245, 255 6: 6, 16, 26, 36, ... 236, 246 7: 7, 17, 27, 37, ... 237, 247 8: 8, 18, 28, 38, ... 238, 248 9: 9, 19, 29, 39, ... 239, 249

SLIDE 12

Rejection sampling

To remove the bias:

1. Get a cryptographic random number
2. Larger than max required?

– Yes: go back to step 1 – No: return number

SLIDE 13

Lab, part 1: implement rejection sampling

Download rand.js and testRand.js from the course website. Implement the rejection sampling approach on the nextInt function in rand.js.

SLIDE 14

Improved Rejection Sampling

Our previous approach wastes a lot of work. Instead, we can modify it to use as much of the space as possible without biasing the results.

SLIDE 15

Improved Rejection Sampling Formula

1. Calculate usable range (UR):

UR = floor(max_range / desired_range) * desired_range

2. Use prev. rejection sampling approach to get

a random value (R) between 0 and UR

3. Return R % desired_range

SLIDE 16

Which player wins on randInt(10)?

0: 0, 10, 20, 30, ... 230, 240, 250 1: 1, 11, 21, 31, ... 231, 241, 251 2: 2, 12, 22, 32, ... 232, 242, 252 3: 3, 13, 23, 33, ... 233, 243, 253 4: 4, 14, 24, 34, ... 234, 244, 254 5: 5, 15, 25, 35, ... 235, 245, 255 6: 6, 16, 26, 36, ... 236, 246 7: 7, 17, 27, 37, ... 237, 247 8: 8, 18, 28, 38, ... 238, 248 9: 9, 19, 29, 39, ... 239, 249

Reject numbers that bias results

SLIDE 17

Lab, part 2: improve your rejection sampling function

Update your solution from part 1 to use the improved rejection sampling method. Be sure that it does not bias your random results.

SLIDE 18

Distributed Lottery What approaches can we take?

Elect a leader

–Like a temporary TTP –How do we choose the leader?

Calculate the winner together
Others?

SLIDE 19

Distributed Version #1

Everyone chooses a random number.
To determine the winner:
1. Collect everyone's random numbers
2. Sum the random numbers
3. Take the mod of the sum to determine

the winner

SLIDE 20

Testing Distributed Lottery

(in-class)

SLIDE 21

What attacks are there?

SLIDE 22

Last Actor Problem

Trudy could:

1. Wait for all other numbers to be

announced.

2. Calculate her "random" number to

select herself as the winner.

SLIDE 23

Lab, part 3: cheat the lottery

Download cheater.js, player.js, and fakeNet.js from the course website. Update t.handleShare in this file so that Trudy always selects herself as the winner. You should not modify player.js for this part

f the lab.

SLIDE 24

Last Actor Defense

We need players to commit to their number before revealing it. How can we do that?

SLIDE 25

Modified Distributed Lottery Rules

Each player:

1. Selects a random number R.
2. Broadcasts hash(R).
3. Once all hashes are collected, broadcasts R.
4. Calculates winner as in previous approach.

SLIDE 26

What attacks can Trudy do now?

Refuse to broadcast her R if she won't win.
Broadcast fake commits posing as other miners.
Broadcast multiple commits.
Other attacks?

How can we stop these attacks?

SLIDE 27

Lab, part 4: Implement Improved Lottery

Download lottery2.js and upgrade player.js:

Add a commit method

– Choose a random number – Broadcast the hash of the random number

Listen for "COMMIT" messages

– Store the hash for every miner – When every hash is received, share random number

When all numbers received, calculate winner