


Bart Preneel Blockchain and Distributed Consensus: Hype or Science? 17 December 2019 1

Blockchain and Distributed Consensus: Hype or Science?

  • PROF. DR. IR. BART PRENEEL COSIC, AN IMEC LAB AT KU LEUVEN, BELGIUM

FIRSTNAME.LASTNAME@ESAT.KULEUVEN.BE

1

INDOCRYPT 2019 17 DECEMBER 2019

Outline

A short history lesson Highlights of Bitcoin Design - crypto problems Cryptanalysis - Improving proof-of-work Alternatives to proof-of-work Blockchain challenges and opportunities

2

Currencies = maintaining memory

3

Slide inspired by George Danezis

Susa, Iran, ca 3300 BC Cuneiform, Sumeria, ca 2600 BC

Hash functions (1975): one-way easy to compute but hard to invert

4

This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision).

1A3FD4128A198FB3CA345932

f

RIPEMD-160 SHA-256 SHA-512 SHA-3

X


Digital signatures (1975): “equivalent” to manual signature

5

Donald agrees to pay to Joe 100 Bitcoins.

  • Sept. 25, 2019

Public key Private key

Merkle tree (1979)

Using a hash function f to authenticate a set of messages through a logarithmic number of values

Applications: digital signatures, revocation…

6

root

x12 x5678

Byzantine generals problem (1978)

(can deal with at most 1/3 traitors)

7

Timestamping (1990)

  • Collect documents and hash them with a Merkle tree
  • Chain these trees together with a hash chain
  • Publish intermediate values on a regular basis

8

f f f

t1 t2 t3

hash chain
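The timestamping scheme above as an added example (not from the slides): each round's documents are hashed into a Merkle tree, the roots are linked by a hash chain, and a document is later checked against the published chain values using a logarithmic-length path. SHA-256 plays the role of f; the document contents, the 0x00/0x01 leaf/node prefixes and the names `TimestampService` and `verify_timestamp` are assumptions of this example.

```python
import hashlib

def f(data: bytes) -> bytes:
    """The slides' hash function f, instantiated here with SHA-256."""
    return hashlib.sha256(data).digest()

def merkle_root_and_paths(docs):
    """Return (root, paths): paths[i] lists the (sibling, sibling_is_left)
    pairs needed to recompute the root from docs[i], about log2(n) values."""
    level = [f(b"\x00" + d) for d in docs]      # leaves, domain-separated
    pos = list(range(len(docs)))                # each document's index in `level`
    paths = [[] for _ in docs]
    while len(level) > 1:
        for i, p in enumerate(pos):
            sib = p ^ 1
            if sib < len(level):                # an unpaired last node has no sibling
                paths[i].append((level[sib], sib < p))
            pos[i] = p // 2
        level = [f(b"\x01" + level[j] + level[j + 1]) if j + 1 < len(level)
                 else level[j]                  # unpaired node moves up unchanged
                 for j in range(0, len(level), 2)]
    return level[0], paths

def root_from_path(doc, path):
    """Recompute the Merkle root from one document and its authentication path."""
    h = f(b"\x00" + doc)
    for sibling, sibling_is_left in path:
        h = f(b"\x01" + sibling + h) if sibling_is_left else f(b"\x01" + h + sibling)
    return h

class TimestampService:
    """Hash chain over per-round Merkle roots; `links` are the published values."""
    def __init__(self):
        self.links = [f(b"constructed start value")]

    def close_round(self, docs):
        root, paths = merkle_root_and_paths(docs)
        self.links.append(f(self.links[-1] + root))
        return len(self.links) - 1, paths       # round number, one proof per document

def verify_timestamp(doc, path, round_no, published):
    """Check a document against the published chain values only."""
    if not 1 <= round_no < len(published):
        return False
    return f(published[round_no - 1] + root_from_path(doc, path)) == published[round_no]

# Constructed sample documents for two timestamping rounds
ROUND1 = [b"contract v1", b"lab notebook p.12", b"patent draft", b"invoice 0042", b"will"]
ROUND2 = [b"contract v2", b"photo.raw", b"minutes"]

def demo():
    svc = TimestampService()
    r1, proofs1 = svc.close_round(ROUND1)
    r2, proofs2 = svc.close_round(ROUND2)
    published = list(svc.links)
    return {
        "valid": verify_timestamp(ROUND1[4], proofs1[4], r1, published),
        "backdated": verify_timestamp(ROUND2[0], proofs2[0], r1, published),
        "altered": verify_timestamp(b"contract v1 (edited)", proofs1[0], r1, published),
        "path_len": len(proofs1[0]),
    }
```

A document from round 2 cannot be presented as belonging to round 1, and an edited document fails against its original path, because both change the value that must match the published link.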


Timestamping: Surety Technologies (1994)

9

http://www.surety.com/

https://www.belspo.be/belspo/organisation/Publ/pub_ostc/NO/rNOb007_en.pdf

Belgian TIMESEC project (1996-1999) Estonia: Cybernetica

Proof of work to combat spam

[Dwork-Naor-Ponyatovski 1992]

10

This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision).

1A3FD4128A198FB3CA345932

f

Adam Back Hashcash 1997

Technologies underlying Bitcoin

11

1975 1979 1990 1992 1978

A (very very) brief history of ecash

12

1985 1998 1990 1996 2009 2000 2002


13

Bitcoin (2008): Satoshi Nakamoto

No central bank Distributed consensus

X

Everyone can produce money Everyone can verify transactions

14

Paying with Bitcoin

| name | amount |
|---|---|
| 1BxgB4tjcoDnz1LC7bRqyybbE8YNigUQn5 | 70.00 |
| 19EULTY5DMyvDM6krKtcuvcUoHT4T3QmQL | 80.02 |
| 1CMMwinpNduzooWeJ4sK9u7Lkp4YAyK2Lw | 5.00 |
| 16PVjaawyWqWnzyttJTAyv7hTcPNmRnVzY | 2.50 |
| 16LNAxwBQupD7yDC8RUSRhyb62BFAZtgae | 0.17 |
| 12tQUEb8zzdQSXkgt1553z7zS6Fm1cMQZB | 10.00 |
| 16VTrwYYCLUNgzB8Xs8fYtWWxHR4wdyHm5 | 2.30 |

+1.00 / -1.00

Donald Boris

Blockchain

15

Paying with Bitcoin

| name | amount |
|---|---|
| 1BxgB4tjcoDnz1LC7bRqyybbE8YNigUQn5 | 70.00 |
| 19EULTY5DMyvDM6krKtcuvcUoHT4T3QmQL | 80.02 |
| 1CMMwinpNduzooWeJ4sK9u7Lkp4YAyK2Lw | 5.00 |
| 16PVjaawyWqWnzyttJTAyv7hTcPNmRnVzY | 3.50 |
| 16LNAxwBQupD7yDC8RUSRhyb62BFAZtgae | 0.17 |
| 12tQUEb8zzdQSXkgt1553z7zS6Fm1cMQZB | 9.00 |
| 16VTrwYYCLUNgzB8Xs8fYtWWxHR4wdyHm5 | 2.30 |

Donald Boris

Blockchain

16

Paying with Bitcoin

Donald agrees to pay to Boris 1 Bitcoin.

  • Dec. 17, 2019

Public key Private key

12tQUEb8zzdQSXkgt1553z7zS6Fm1cMQZB


17

Paying with Bitcoin

  • Anyone can verify a digital signature
  • Anyone can verify whether the “account” of Donald contains enough money

18

Managing the blockchain

  • Miners all over the world verify all the transactions
  • But due to communication errors or fraud there are multiple versions

19

Voting? Sybil attack

20

Puzzles (a lottery) – [Dwork-Naor’92][Hashcash]


The Bitcoin network

21

From bitnodes.earn.com

Block Chain: a public decentralized ledger

Bitcoin transactions

22

f f f

t1 t2 t3

block chain

(253 Gbyte)

nonce1 nonce2 nonce3 “small” “small” “small”

Block 1 Block 2 Block 3

Also include in every block timestamp and difficulty level of puzzle

x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24
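An added example (not from the slides, and not Bitcoin's actual block format) of the chain pictured above: each block commits to its predecessor's hash, its transactions, a timestamp and a difficulty level, and carries a nonce that makes its hash "small". The JSON header layout, the 12-bit toy difficulty, the timestamps and the transactions are constructed.

```python
import hashlib, json

def block_hash(header: dict) -> int:
    """SHA-256 of the serialized header, read as a 256-bit integer."""
    data = json.dumps(header, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def target(bits: int) -> int:
    """A hash is "small" when below 2^(256-bits): about 2^bits tries on average."""
    return 1 << (256 - bits)

def mine(prev_hash: int, txs: list, timestamp: int, bits: int) -> dict:
    """Search for a nonce that makes the block hash small."""
    header = {"prev": f"{prev_hash:064x}",
              "txs": hashlib.sha256("|".join(txs).encode()).hexdigest(),
              "time": timestamp, "bits": bits, "nonce": 0}
    while block_hash(header) >= target(bits):
        header["nonce"] += 1
    return header

def verify_chain(chain: list, required_bits: int) -> bool:
    """One hash per block: check the link to the predecessor and the puzzle."""
    prev = 0
    for header in chain:
        h = block_hash(header)
        if header["bits"] < required_bits:          # puzzle easier than required
            return False
        if header["prev"] != f"{prev:064x}" or h >= target(header["bits"]):
            return False
        prev = h
    return True

BITS = 12                                            # toy difficulty (constructed)
TXS = [["A->B 50"], ["B->C 10", "B->D 5"], ["C->E 8"]]   # constructed transactions

def build_chain(tx_batches, bits=BITS, start_time=1576540800):
    chain, prev = [], 0
    for i, txs in enumerate(tx_batches):
        chain.append(mine(prev, txs, start_time + 600 * i, bits))
        prev = block_hash(chain[-1])
    return chain

def demo():
    chain = build_chain(TXS)
    honest = verify_chain(chain, BITS)
    # Change the transactions of block 2 without redoing any work
    changed = [dict(b) for b in chain]
    changed[1]["txs"] = hashlib.sha256(b"B->X 15").hexdigest()
    no_rework = verify_chain(changed, BITS)
    # Redo the puzzle for block 2 only: block 3 still points at the old block 2
    changed[1] = mine(block_hash(changed[0]), ["B->X 15"], changed[1]["time"], BITS)
    partial_rework = verify_chain(changed, BITS)
    # Redo block 3 as well: the chain verifies again, at the price of the work
    changed[2] = mine(block_hash(changed[1]), TXS[2], changed[2]["time"], BITS)
    full_rework = verify_chain(changed, BITS)
    return honest, no_rework, partial_rework, full_rework
```

`demo()` returns `(True, False, False, True)`: a changed block is only accepted once the puzzle has been solved again for that block and for every block after it.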

Bitcoin Transaction: send money from one public key (address) to another one

Transaction A In Out Out Transaction B In Out In 50 BTC Transaction C In Out Out Out 10 BTC 5 BTC In 15 BTC 8 BTC 42 BTC 10 BTC 7 BTC 6 BTC

23

Slide credit: F. Vercauteren

Mining rewards

Figure by Chris Pacia

24

Total number of Bitcoins is limited to 21 million, each divided in 8 decimal places leading to 21×10^14 units


Mining has become industrial

25

Slide credit: Joseph Bonneau

Market price in USD (market cap ≈ 125 B$)

26

[Chart annotations: 2011 bubble; 1 Bitcoin ≈ $6,900 (Dec. 2019); China + Korea ban; Cyprus crisis; Mount Gox]

The worth of a thing is the price it will bring

Energy cost: 50-75 TWh per year (same as Austria)

27

https://digiconomist.net/

Cost per transaction: 600 kWh ≈ 1 US household for 20 days

Number of transactions per day

28

  • 2-5 transactions/s
  • Peak: 10 transactions/s
  • large share goes to a few addresses
  • Alipay peak 256.000/s
  • Visa peak 56.000/s
  • Western Union peak: 750/s


Is Bitcoin the money of the future?

3 main purposes of money

  • medium of exchange
  • store of value
  • unit of account

29

Computer scientists set the monetary policy

We don’t understand Bitcoin

Is Bitcoin the money of the future?

2013

30

2019

Outline

A short history lesson Highlights of Bitcoin Design - crypto problems Cryptanalysis - Improving proof-of-work Alternatives to proof-of-work Blockchain challenges and opportunities

31

Improving Bitcoin cryptography

  • Improve signatures: shorter signatures, batch verification, post-quantum signatures
  • Privacy: ring signatures (Monero)

32

Privacy: Non-Interactive Zero-Knowledge (NIZK): hide amount, payer, payee

  • ZK-SNARKS: Zero-Knowledge Succinct Non-Interactive Argument of Knowledge
  • Bulletproofs
  • ZK-STARKS: Zero-Knowledge Scalable Transparent ARguments of Knowledge

Also gives rise to new symmetric key research: e.g. low AND Depth: MiMC, MARVELlous


NIZK for privacy

(https://ethereum.stackexchange.com/questions/59145/zk-snarks-vs-zk-starks-vs-bulletproofs-updated)

| | ZK-SNARKS | Bulletproofs | ZK-STARKS |
|---|---|---|---|
| Cost prover | O(N log N) | O(N log N) | O(N polylog N) |
| Cost verifier | O(1) | O(N) | O(polylog N) |
| Cost communication | O(1) | O(log N) | O(polylog N) |
| Trusted setup | YES (CRS) | NO | NO |
| Postquantum | NO | NO | YES |
| Assumption | Strong | Discrete Log | Collision resistant hash |
| Size 10K transactions | 600 Gbyte + 200b x | 2.5 kb | 135 kb |

33

Scientific value of Bitcoin

Solves distributed consensus problem:

  • Byzantine agreement with open system
  • Continuous processing of transactions (not sequential)

Incentives (game theory)

Overwhelming probability rather than deterministic

34

Science of Nakamoto Consensus

[Garay-Kiayias-Leonardos’15] [Kiayias-Panagiotakos’15] [Pass-Seeman-Shelat’17]

  • chain growth: chain grows proportionally with the number of time steps
  • (block)chain quality/fairness: fraction of blocks mined by compliant miners
  • (blockchain) consistency: agreement among players on blockchain except for last  blocks
  • liveliness: no transaction censorship

Consider Byzantine rather than rational adversaries

35

Science of Nakamoto Consensus

[Pass-Seeman-shelat’EC17] Analysis of the blockchain protocol in asynchronous networks

36


Conflux

Publish or Perish Tortoise and Hares

37

?

Slide credit for this part: Ren Zhang

Nakamoto Consensus

  • To resolve fork
    • Longest chain (roughly) if there is one
    • First-received in a tie
  • To issue rewards
    • Main chain blocks receive full rewards
    • Orphaned blocks receive nothing

NC Key Weakness

  • imperfect chain quality: a <50% attacker can modify the blockchain with high success rate

38

Imperfect Chain Quality 👊 3 Attacks

Selfish Mining [Eyal-Sirer’14]

The attacker gains unfair block rewards; rational miners would join the attacker, which damages decentralization

[Figure labels: time; the public; broadcast time; attacker block]

39

Imperfect Chain Quality 👊 3 Attacks

Double-spending [Sompolinsky-Zohar’16]

The attacker reverses confirmed txs

[Figure labels: time; the public; broadcast time; attacker block; Tx: A→B; Tx: A→A’; 6 confirmation, B delivers the product]

40

Subversion bounty = minimum double-spending reward to incentivize attack attempts


Imperfect Chain Quality 👊 3 Attacks

Censorship (feather-forking) [Miller’13]

  • Rational choice: join the attacker in censorship
  • The attacker becomes a de facto owner

These 3 attacks are most influential

[Figure labels: time; the public]

41

Threat: I will try to invalidate all blocks confirming these txs

I do not stand by in the presence of evil

Other attacks

– out of scope as beyond pure consensus protocol

  • Renting mining equipment
  • Bribing miners
  • Coin hopping (based on difficulty adjustments)
  • Attacks on mining pools
  • If block rewards shrink: claim less transaction fees on fork so miners join for remaining higher fees

[Bonneau’16] [Meshkov+’17] [Eyal’15] [Kwon+’17] [Carlsten+’16] [Tsabary+’18]

42

Our Evaluation Framework: Four Metrics

A protocol claims to be more secure than NC: it either

  • achieves better chain quality, or
  • resists better against all three attacks:
    • selfish mining 👊 incentive compatibility (revenue)
    • double-spending 👊 subversion gain
    • censorship 👊 censorship susceptibility

(check [Zhang-P’19] for the math definitions)

43

Candidates

this talk

Better-chain-quality protocols [tie breaking rule]: “I can raise the chain quality”

  • UTB: Ethereum PoW, Bitcoin-NG (Aeternity, Waves)
  • SHTB: DECOR+ (Rootstock)
  • UDTB: Byzcoin, Omniledger
  • Publish or Perish

Attack-resistant protocols [topology/reward distribution]: “I don’t need to raise the chain quality, I can defend against the attacks”

  • Reward-all (“compensate the losers”): FruitChains, Ethereum PoW, Inclusive, SPECTRE, PHANTOM, …
  • Punishment (“fine all suspects”): DECOR+, Bahack’s idea
  • Reward-lucky (content-based reward): Subchains, Bobtail

?

44


Attack model

  • Attacker works on a single chain
  • Ignore transaction fees
  • Expected block interval identical for all protocols
  • Zero natural orphan rate (low delay)
  • Longest chain rule + rational attacker: can prove that there are at most two chains: public/attacker

45

Simplified “Better-Chain-Quality” Results

| “Better-chain-quality” | Protocol | Chain Quality |
|---|---|---|
| Uniform tie-breaking | Ethereum PoW, Bitcoin-NG (Aeternity, Waves) | 😠 (omitted here, check the paper) |
| Smallest-hash tie-breaking | DECOR+ (Rootstock) | ? |
| Unpredictable deterministic tie-breaking | DÉCOR+LAMI, Byzcoin, Omniledger | ? |
| Publish or perish | | 😖 (omitted here, check the paper) |

Legend: 😁 better, 😖 it depends, 😠 worse

46

Better-Chain-Quality: SHTB & UDTB

  • Smallest hash tie-breaking (SHTB): compare H(A) and H(B): break the tie with the smallest hash regardless of which one is received first
  • Unpredictable deterministic tie-breaking (UDTB): compare, e.g., F_K(A⨁B, A) and F_K(A⨁B, B): break the tie with a deterministic PRF regardless of which one is received first
  • NC, γ=0.5: first received tie-breaking; when two chains broadcast simultaneously, choose randomly

the public A B

47

γ = fraction of nodes to which attacker can send blocks first (in case of a tie)

Chain Quality of Better-Chain-Quality

NC,𝛿 = 0.5 > UDTB > SHTB Ranking Why is NC,𝛿 = 0.5 better than UDTB? Why does SHTB perform so badly?

time the compliant miners’ blocks the attacker’s blocks Hash=1/100 Hash=40/100 𝛽 = 0.02
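The three tie-breaking rules defined above as an added example (not from the slides or the cited paper); it measures how often one block with a small hash wins a tie under each rule. HMAC-SHA256 stands in for the PRF F_K, the blocks are constructed byte strings, and valid block hashes are assumed uniform on [0, 1) after scaling.

```python
import hashlib, hmac

def digest(block: bytes) -> bytes:
    return hashlib.sha256(block).digest()

def norm_hash(block: bytes) -> float:
    """Block hash scaled to [0, 1); assumes valid hashes are uniform there."""
    return int.from_bytes(digest(block), "big") / 2**256

def first_received(a, b, first):
    """NC: keep the block this node received first."""
    return first

def shtb(a, b, first=None):
    """Smallest-hash tie-breaking: compare H(A) and H(B), ignore arrival order."""
    return a if digest(a) < digest(b) else b

def udtb(a, b, first=None, key=b"constructed public key K"):
    """Compare F_K(A xor B, A) with F_K(A xor B, B), ignoring arrival order.
    HMAC-SHA256 stands in for the PRF F_K (an assumption of this example)."""
    mix = bytes(x ^ y for x, y in zip(digest(a), digest(b)))
    fa = hmac.new(key, mix + digest(a), hashlib.sha256).digest()
    fb = hmac.new(key, mix + digest(b), hashlib.sha256).digest()
    return a if fa < fb else b

def win_rate(rule, block, competitors):
    """Fraction of ties that `block` wins under `rule` when it arrives second."""
    return sum(rule(block, c, c) == block for c in competitors) / len(competitors)

# Constructed blocks: 2000 competitors, plus one block whose hash happens to be small
COMPETITORS = [b"public block %d" % i for i in range(2000)]
SMALL = next(b for b in (b"candidate block %d" % i for i in range(10**6))
             if norm_hash(b) < 1 / 16)

def demo():
    return {
        # Known to the block's creator as soon as the block exists:
        "shtb_predicted": 1 - norm_hash(SMALL),
        "shtb": win_rate(shtb, SMALL, COMPETITORS),
        # Depends on the competing block, which does not exist yet:
        "udtb": win_rate(udtb, SMALL, COMPETITORS),
        # First-received: a block that arrives second at every node loses every tie
        "nc_arrives_second": win_rate(first_received, SMALL, COMPETITORS),
    }
```

Under SHTB the measured win rate matches a value that is known before any competing block exists, while under UDTB it stays near one half whatever the block's own hash is.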

48


Simplified “Better-Chain-Quality” Results

49

Ideal: Q(α) = 1-α

Simplified Results

| “Better-chain-quality” | Chain Quality |
|---|---|
| Uniform tie-breaking | 😠 |
| Smallest-hash tie-breaking | 😠 |
| Unpredictable deterministic tie-breaking | 😠 |
| Publish or perish | 😖 |

Legend: 😁 better, 😖 it depends, 😠 worse

| “Attack-resistant” | Incentive compatibility | Subversion gain | Censorship susceptibility |
|---|---|---|---|
| Reward-all 👊 Fruitchains | 😖 | 😠 | 😁 |
| Punishment 👊 Reward-splitting | 😁 | 😁 | 😖 |
| Reward-lucky 👊 Subchains | 😠 | 😠 | 😠 |

50

Attack-Resistant Protocols: General Results

  • Longer confirmation helps
  • More bandwidth consumption may help

“Rewarding the bad vs. punishing the good”

  • Reward all -> helps double-spending attacks
  • Punish -> aid censorship
  • Reward lucky -> lucky≠good

Need to go beyond reward distribution policy to solve all attacks

Security vs. Performance Dilemma

51

Discussion

  • Simplicity is beauty
  • Designing protocols too complicated to analyze
  • Security analysis against one attack strategy
  • Security analysis against one attacker incentive
  • Security analysis with unrealistic or unspecified parameters

NC rocks! What not to do

52

Discussion

Practical assumptions

  • Awareness of network conditions
  • Loosely synchronized clock
  • Real-world commitments (e.g. deposits)
  • Introduce additional punishment rules (embed proofs of malicious behavior in blockchain)
  • Solve at layer 2 (e.g. lightning guarantees double spending resistance)

Better chain quality & attack resistance?

53

Outline

A short history lesson Highlights of Bitcoin Design - crypto problems Cryptanalysis - Improving proof-of-work Alternatives to proof-of-work Blockchain challenges and opportunities

54

Business and governments

tend to dislike

  • distributed control
  • full transparency
  • unclear governance (or anarchy)
  • uncontrolled money supply

55

restrict

  • write, verify or read
  • to non-monetary applications

56

Distributed Ledger: a range of solutions

Public Blockchain

  • No central point of control by individuals, corporations or governments
  • Permissionless to participate
  • Consensus based on “proof of work”
  • Examples:
    • Bitcoin
    • Ethereum

Consortium/Hybrid Blockchain

  • Controlled by more than two individuals, corporations or governments
  • Permission on participation from consortium necessary
  • Arbitrary consensus mechanism
  • Readability of the blockchain can be public or restricted to the consortium
  • Example: RSCOIN (UC London)

Fully Private Blockchain

  • Controlled by one individual, corporation or government (no consensus needed)
  • Permission on participation from owner necessary
  • Readability of the blockchain can be public or restricted to one

Blockchain challenges: consensus mechanism

Proof of Work (PoW):

  • high energy consumption
  • dilemma: concentration (ASICs) or malware (memory hard functions)

Proof of Storage: more efficient; less concentrated? [Pietrzak, AC’19]: Chia

Proof of Stake (PoS): Algorand, Ouroboros Praos, Ethereum Casper, Peercoin, Nxt, BlackCoin

Proof of Elapsed Time (PoET): Intel Sawtooth Lake (hardware assumption)

Consortium with voting scheme: Paxos, PBFT vs. Casper, Dfinity, Hotstuff, Pili, Pala, Streamlet [Shi, Indo’19]

  • permissioned system; number of users known

57

Total market cap 127 B$

https://coinmarketcap.com/all/views/all/ 283 cryptocurrencies > 10 M$

58

Total value of all gold? 7.5 T$

Total value of stock exchange? 70 T$

Stablecoins: Tether Mpesa WeChat Facebook Libra CBDC

Blockchain opportunities

59

Consensus Provenance Immutability Finality Transparency Accountability

Avoid trusted third parties intermediaries gatekeepers and censors

Cost savings (reduce overhead)

Shared replicated permissioned ledger

63

[Figure: a shared ledger replicated across Party A’s records, Party B’s records, Party C’s records, auditor records and counter-party bank records]

Figure https://blogs.wsj.com/cio/2016/02/02/cio-explainer-what-is-blockchain/

All technical building blocks of distributed ledgers were developed by 1990

2015


Blockchain challenges

64

  • Scalability
  • Consensus mechanisms
  • Transparency versus privacy
  • Governance of decentralization
  • Key management
  • Cryptography: agility & post-quantum
  • Interoperability
  • Regulation
  • Business cases

Blockchain challenges: scalability

Throughput Latency Storage per node

65

Blockchain challenges: scalability

  • 5 billion users
  • 1000 transactions/year
  • transaction size: 1 Kbyte
  • storage: 5·10^15 byte/year = 5 Petabyte/year

66

  • 32 billion IoT devices
  • 31.5 million transactions/device per year (1/s)
  • transaction size: 1 Kbyte
  • storage: 10^21 bytes = 1 Zettabyte/year
  • communications: 256·10^12 bit/s = 256 Terabit/s

Cisco (2022 forecast): 587 Exabyte mobile traffic per year (82% is video!)

Blockchain challenges: scalability

solutions

  • separate applications
  • sharding – changes trust assumptions
  • trusted verification – e.g. Simplified Payment Verification
  • payment channels – e.g. Lightning network

67


Blockchain challenges: transparency versus privacy

  • Full transparency for verifiability
  • Privacy required for finance, e-health, strategic business processes
  • Fully encrypted processing too expensive: Hawk on Ethereum
  • Partial privacy for cryptocurrencies is feasible with cryptography
  • Privacy for transaction logging: Opacity
  • Restricted access in permissioned ledgers

68

Blockchain challenges: governance of decentralized systems

IT systems tend to evolve toward monopolies or oligopolies

  • even open source projects have their “benevolent dictators”

Decentralization is response to mass surveillance and abuses

Decentralization at multiple levels

  • transaction approval
  • governance (meta-decisions) – today often centralized

Which decisions to (de-)centralize

Separation of powers

Accountability

69

Can we learn from centuries of political science?

Centralization: https://arewedecentralizedyet.com/

70

Blockchain challenges: key management

  • Cryptography reduces protection of information to that of keys
  • Critical information requires better key management
  • Strong potential for secret sharing and threshold systems

71


Blockchain challenges: cryptography crypto agility

Most blockchains have fixed crypto algorithms

Update requires hard fork

Exceptions

  • Crypto in smart contracts
  • Hyperledger Fabric: plug-in consensus mechanism
  • What about quantum computers?

72

Blockchain challenges: interoperability

Sidechains for interactions between chains – require further study

Oracles for interaction with physical world

  • e.g. Town Crier, Oraclize

73

Do you need a blockchain?

[Greenspan 2016][Wüst-Gervais 2017]

74

[Flowchart. Questions: Store state? Multiple writers? Trusted party? All writers known? All writers trusted? Need public verifiability? Outcomes: Database; Permissionless blockchain; Public Permissioned blockchain; Private Permissioned blockchain]

Interactions between transactions relevant

Conclusion: blockchain

Exciting new technology for distributed consensus

  • most (if not all) components are 25 years old

Improving Bitcoin is non-trivial

Many challenges including scalability, decentralization and governance

Still strong interest in re-engineering business models

Novel ways to deploy cryptography to achieve resilience, security and privacy

75


Bart Preneel, COSIC an imec lab at KU Leuven

ADDRESS: Kasteelpark Arenberg 10, 3000 Leuven
WEBSITE: homes.esat.kuleuven.be/~preneel/
EMAIL: Bart.Preneel@esat.kuleuven.be
TWITTER: @CosicBe
TELEPHONE: +32 16 321148

76

Find out more?

  • J.A. Garay, A. Kiayias, N. Leonardos, The Bitcoin backbone protocol: Analysis and applications, Eurocrypt’15
  • R. Pass, L. Seeman, A. Shelat, Analysis of the blockchain protocol in asynchronous networks, Eurocrypt’17
  • A. Sapirshtein, Y. Sompolinsky, and A. Zohar, Optimal selfish mining strategies in Bitcoin, Financial Cryptography and Data Security, 2016
  • R. Zhang, B. Preneel, On the Necessity of a Prescribed Block Validity Consensus: Analyzing Bitcoin Unlimited Mining Protocol, ACM CoNEXT ’17
  • R. Zhang, B. Preneel, Lay Down the Common Metrics: Evaluating Proof-of-Work Consensus Protocols' Security, IEEE Symposium on Security and Privacy (SP 2019)

77