Rolling your own crypto is like making your own dynamite its sounds - PowerPoint PPT Presentation

Rolling your own crypto is like making your own dynamite – its sounds cool, but it will blow up on you if you don't know what you are doing. (And sometimes even if you do).

Cryptocurrencies & Security on the Blockchain A Distributed Lottery Prof. Tom Austin San José State University

Reading for next class: DigiCash • Goldwasser and Bellare's lecture notes, Section 12.5 (p.233-237). http://cseweb.ucsd.edu/~mihir/papers/gb.pdf • Skim through David Chaum's paper on blinded signatures. http://www.hit.bme.hu/~buttyan/courses/BM EVIHIM219/2009/Chaum.BlindSigForPaym ent.1982.PDF

Simple, Centralized Lottery Protocol rules: 1. Server (TTP) registers players 2. Server randomly determines winner What could go wrong?

Random Numbers • Truly random – What we want, but may not exist. • Unpredictable – Attacker cannot predict – Useful for security • Irregular – Look random – Predictable – Not useful in security • Source of many security bugs.

Random Number Generators • Pseudo-random number generator (PRNG) – Return irregular values • Cryptographically secure pseudo-random number generator (CSPRNG) – PRNGs that return unpredictable values • For security applications, WE MUST USE CSPRNGs

Articles on random numbers • Generating random integers from random bytes. http://dimitri.xyz/random-ints-from- random-bits/ • Secure random values (in Node.js) https://gist.github.com/joepie91/7105003c3b26 e65efcea63f3db82dfba

Secure (but limited) random function // Range 0-255 function sample() { return crypto.randomBytes(1) .readUInt8(); }

Secure random function? function randInt(range) { if (range > 256) throw new Error(); return sample() % range; }

Testing Random Function (in-class)

Which player wins on randInt(10) ? 0: 0, 10, 20, 30, ... 230, 240, 250 1: 1, 11, 21, 31, ... 231, 241, 251 2: 2, 12, 22, 32, ... 232, 242, 252 3: 3, 13, 23, 33, ... 233, 243, 253 4: 4, 14, 24, 34, ... 234, 244, 254 5: 5, 15, 25, 35, ... 235, 245, 255 6: 6, 16, 26, 36, ... 236, 246 7: 7, 17, 27, 37, ... 237, 247 8: 8, 18, 28, 38, ... 238, 248 9: 9, 19, 29, 39, ... 239, 249

Rejection sampling To remove the bias: 1. Get a cryptographic random number 2. Larger than max required? – Yes: go back to step 1 – No: return number

Lab, part 1: implement rejection sampling Download rand.js and testRand.js from the course website. Implement the rejection sampling approach on the nextInt function in rand.js .

Improved Rejection Sampling Our previous approach wastes a lot of work. Instead, we can modify it to use as much of the space as possible without biasing the results.

Improved Rejection Sampling Formula 1. Calculate usable range ( UR ): UR = floor(max_range / desired_range) * desired_range 2. Use prev. rejection sampling approach to get a random value (R) between 0 and UR 3. Return R % desired_range

Which player wins on randInt(10) ? 0: 0, 10, 20, 30, ... 230, 240, 250 1: 1, 11, 21, 31, ... 231, 241, 251 Reject numbers 2: 2, 12, 22, 32, ... 232, 242, 252 3: 3, 13, 23, 33, ... 233, 243, 253 that bias results 4: 4, 14, 24, 34, ... 234, 244, 254 5: 5, 15, 25, 35, ... 235, 245, 255 6: 6, 16, 26, 36, ... 236, 246 7: 7, 17, 27, 37, ... 237, 247 8: 8, 18, 28, 38, ... 238, 248 9: 9, 19, 29, 39, ... 239, 249

Lab, part 2: improve your rejection sampling function Update your solution from part 1 to use the improved rejection sampling method. Be sure that it does not bias your random results.

Distributed Lottery What approaches can we take? • Elect a leader – Like a temporary TTP – How do we choose the leader? • Calculate the winner together • Others?

Distributed Version #1 • Everyone chooses a random number. • To determine the winner: 1. Collect everyone's random numbers 2. Sum the random numbers 3. Take the mod of the sum to determine the winner

Testing Distributed Lottery (in-class)

What attacks are there?

Last Actor Problem Trudy could: 1. Wait for all other numbers to be announced. 2. Calculate her "random" number to select herself as the winner.

Lab, part 3: cheat the lottery Download cheater.js, player.js, and fakeNet.js from the course website. Update t.handleShare in this file so that Trudy always selects herself as the winner. You should not modify player.js for this part of the lab.

Last Actor Defense We need players to commit to their number before revealing it. How can we do that?

Modified Distributed Lottery Rules Each player: 1. Selects a random number R . 2. Broadcasts hash(R) . 3. Once all hashes are collected, broadcasts R . 4. Calculates winner as in previous approach.

What attacks can Trudy do now? • Refuse to broadcast her R if she won't win. • Broadcast fake commits posing as other miners. • Broadcast multiple commits. • Other attacks? How can we stop these attacks?

Lab, part 4: Implement Improved Lottery Download lottery2.js and upgrade player.js : • Add a commit method – Choose a random number – Broadcast the hash of the random number • Listen for "COMMIT" messages – Store the hash for every miner – When every hash is received, share random number • When all numbers received, calculate winner