Page 1: Data Privacy and Security - Daniele Venturi Homepage, danieleventuri.altervista.org/files/06_Bitcoin.pdf · 2017-11-29

Data Privacy and Security

Master Degree in Data Science

Sapienza University of Rome

Academic Year 2017-2018

Instructor: Daniele Venturi (Slides from a series of lectures by Stefan Dziembowski)

Page 2: Part VI: Bitcoin and Beyond

Page 3: History of Digital Cash

• 1990: Chaum’s anonymous eCash

– Uses sophisticated crypto to achieve security and user anonymity

[Figure: eCash payment cycle: withdrawal, pay, deposit]

Company founded in 1990… Went bankrupt in 1998

Page 4: History of Digital Cash

• 2008: Bitcoin announced by Satoshi Nakamoto

• 2011-2013: Popular for buying illegal goods

– E.g., Silk Road anonymous marketplace

• End of 2013: Market price skyrockets and the world notices

Main difference with eCash:

Page 5: The Bitcoin Revolution

• Problems of earlier eCash systems

– Need a trusted center (money does not circulate)

– High transaction fees

• Solutions in the Bitcoin ecosystem

– Decentralized system (money circulates)

– Variable transaction fees

Page 6: Bitcoin’s Success

• Probably one of the most discussed cryptographic technologies ever!

[Figure: search-interest trends for the terms Bitcoin, Snowden and Encryption]

Page 7: No Trusted Servers!

• Nobody controls the money

– The amount of money that will ever be created is fixed to around 21 mln Bitcoin (no inflation)

[Figure: exchange-rate chart] Exchange rate fluctuates

Page 8: Next Block Halving

Page 9: Really No Trusted Server?

• The client software is written by people who are in charge of changing the system

– The people behind the software are not anonymous

• Software contains so-called checkpoints (more on this later)

• Popular clients: [figure]

Page 10: Bitcoin in Context

[Figure: nested view of Bitcoin and its surroundings]

Bitcoin: • Protocol • Client software • Data (blockchain)

Bitcoin Ecosystem: • Exchanges • Mining pools • Remote wallets

Financial Sector: • Banks • Funds • Regulators • Treasury

Real Economy: • Agents • Goods • Markets (legal/illegal) • Externalities

Page 11: Updates?

• How to update the protocol if there is no governing body?

• Updates take the form of Bitcoin Improvement Proposals (BIPs)

• The Bitcoin community votes on BIPs

– Weight of votes proportional to computing power

– Voting process organised centrally (via a forum)

Page 12: Bitcoin ≈ Real Money?

• Bitcoin’s value comes from the fact that: «People expect that other people will accept it in the future.»

Enthusiasts: It’s like real money

Sceptics: It’s a Ponzi scheme

Page 13: Some Economists Are More Positive

• Billions of VC funding, many major banks and companies are interested

«While these types of innovations may pose risks related to law enforcement and supervisory matters, there are also areas in which they may hold long-term promise, particularly if the innovations promote a faster, more secure and more efficient payment system»

Ben Bernanke

Page 14: Why Did Bitcoin Become So Popular?

• Ideological reasons

– Crypto anarchy (nobody controls the money)

• Good timing due to the financial crisis in 2008

– No money printing in Bitcoin

• Trading of illegal goods due to seeming anonymity (pseudonymity)

• Payments can be cheap

– Almost no fees for a long time (PayPal 2-10%)

• Novel technology for distributed systems

Page 15: Illegal Market Places

• What is sold?

• Mostly non-professional sellers

– Most items only listed for a few days

• Value of all markets: 600,000 USD per day

Category       # of items   % of total
Weed           3338         13.7
Prescriptions  1784         7.3
Books          955          3.9
Cannabis       877          3.6
Cocaine        630          2.6
LSD            440          1.8

Page 16: Downsides of Decentralization

• There are no regulators

– MtGox (handling 70% of all Bitcoin transactions) shut down in Feb 2014, reporting 850,000 BTC (450 million USD) stolen

• Transactions cannot be reversed

– But see a later lecture for alternatives

• Software bugs are immediately exploited as hackers can make money

– Ransomware

– Viruses stealing bitcoins

Page 17: Main Design Principles

Page 18: Double Spending

• The main problem with digital money is that it is much easier to copy than real money

– Bits are easier to copy than paper

[Figure: a digital coin #16fab13fc6890 being duplicated]

Page 19: Bitcoin’s Idea (Simplified)

• The users emulate a public bulletin-board containing a list of transactions

– A transaction is of the form: «User 𝑃1 transfers a coin #16fab13fc6890 to user 𝑃2»

[Figure: coin #16fab13fc6890 is offered a second time and the bulletin-board answers: «You have already spent this!»]

Page 20: Trusted Bulletin-Board Emulation

[Figure: Ideal World vs Real World]

Main difficulty: Some parties can cheat!

Page 21: An Idea

• Assume honest majority and implement the bulletin-board by voting

– Every transaction is broadcast

[Figure: the parties vote YES / NO on the question «Is this the correct bulletin-board?»]

Transaction id      Value
ddbs21239864k…      0.084 BTC
edd98763hn3nr…      1.2 BTC
mkk8765g4g2j3…      0.036 BTC

In cryptocurrencies this is called the consensus protocol

Page 22: How to Implement Consensus?

• A very well-studied problem in distributed computing

• Idea: Use techniques from MPC

– Agreement requires honest majority

– Problem: Sybil attack

– How to define majority in a context where everybody can join the network?

Page 23: Bitcoin’s Solution

• Majority = Majority of computing power

• Now creating multiple identities does not help

Page 24: How Is This Verified?

• Use Proofs of Work (PoW) – Dwork & Naor ‘92

• Basic idea: Users solve a moderately hard puzzle

• Digital puzzle: Use cryptographic hashing

– Hash function 𝐇 with running time TIME(𝐇)

– Solve: Find an input s.t. the output starts with 𝑛 zeroes

– Verify: Compute the hash

Hard to find a solution, easy to verify

Page 25: Simple PoW

Hash function 𝐇 with running time TIME(𝐇)

[Figure: two-party exchange]

Challenge: random 𝑥

Solve: find 𝑠 s.t. 𝐇(𝑠||𝑥) starts with 𝑛 zeroes (time 2^𝑛 ∙ TIME(𝐇))

Answer: 𝑠

Verify: check that 𝐇(𝑠||𝑥) starts with 𝑛 zeroes (time TIME(𝐇))

Page 26: Setup for the Bulletin-Board

• Users maintaining the bulletin-board are called miners

• Miners maintain a chain of blocks:

[Figure: Block 0 → Block 1 (transactions from period 1) → Block 2 (transactions from period 2) → Block 3 (transactions from period 3)]

Block 0 is the genesis block, created by Nakamoto on 03/01/09

Block size < 1MB ≈ 7 trans./sec

Period ≈ 10 mins

Page 27: Extending the Blockchain

• The chain is extended by using the PoW

• PoW challenge: 𝐇(Salt || 𝐇(Block𝑖) || TX) starts with 𝑛 zeroes (hardness parameter)

[Figure: Block 0 → Block 1 → Block 2; each new block contains its transactions, a Salt and 𝐇 of the previous block]

In Bitcoin 𝐇 = SHA-256

Page 28: Adjusting the Hardness Parameter

• The computing power of the miners changes

• Miners should generate a new block every 10 minutes (on average)

• Thus the hardness parameter is periodically adjusted to the mining power

– It happens once every 2016 blocks

– Automatic process, in a way that depends on the time it took to generate the 2016 blocks

– Possible because each block contains a timestamp

Page 29: Hash Rate

• September 2013: 990,986 GH/s

• September 2014: 280,257,530 GH/s

• September 2015: 385,067,688 GH/s ≈ 2^58 H/s

Page 30: How to Post on the Board

• Broadcast your transaction over the internet to the miners

• Hope they will add it to the next block

– Miners are incentivized to do so

• Miners never add invalid transactions (e.g., double spending)

– A chain with an invalid transaction is itself not valid, so no rational miner would do it

• When a miner finds an extension he broadcasts it to all the users

Page 31: Forks

• The longest chain counts!

[Figure: Block i → Block i+1 → Block i+2 → Block i+3 (this chain is valid); a competing Block’ i+2 also extends Block i+1]

It makes no sense to work on a shorter chain, as everybody else is working on extending the longest one

Page 32: Consequences

• The system should quickly self-stabilize

• If there is a fork, then one branch will die

– What if your transaction ends up in a dead branch?

– Recommendation: To make sure it doesn’t happen, wait 6 blocks (≈1 hour)

Page 33: Can Transactions be Reversed?

• Requires a fork in the past

– Unlikely with minority computing power

– Honest miners always ahead of the adversary

Page 34: Attack based on Hardness Parameter

[Figure: the valid chain and a secretly computed alternative chain of 2016 blocks]

1) Secretly compute another chain with fake timestamps (indicating that it took a long time to produce it)

2) The difficulty drops dramatically, so one can quickly produce a chain longer than the valid one and publish it

Page 35: The Strongest Chain

• For this reason, in Bitcoin it is not the longest chain that matters, but rather the strongest

• Strength of each block is 2^𝑛

• Strength of the chain is the sum of the hardnesses of all blocks

– This clearly prevents the previous attack
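As an added Python example (not from the slides), the PoW of pages 25 and 27 and the chain-selection rule of this page: a block is mined by finding a Salt such that SHA-256(Salt || 𝐇(Block𝑖) || TX) starts with 𝑛 zero bits, and competing valid chains are compared by summed strength 2^𝑛 instead of by length. The block layout, the 8-byte salt encoding and the hardness values are assumptions of the demo; the periodic hardness adjustment of page 28 is not modeled.

```python
import hashlib
from dataclasses import dataclass


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits of a digest ('starts with n zeroes')."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def pow_input(salt: int, prev_hash: bytes, txs: bytes) -> bytes:
    # Salt || H(Block_i) || TX; the 8-byte big-endian salt is a demo assumption, not Bitcoin's layout
    return salt.to_bytes(8, "big") + prev_hash + txs


@dataclass(frozen=True)
class Block:
    prev_hash: bytes   # H(Block_i) of the block being extended
    txs: bytes         # serialized transactions TX (constructed demo payload)
    n: int             # hardness parameter: required leading zero bits
    salt: int          # the PoW solution

    def hash(self) -> bytes:
        return hashlib.sha256(pow_input(self.salt, self.prev_hash, self.txs)).digest()

    def strength(self) -> int:
        return 2 ** self.n  # strength of a block is 2^n


def mine(prev_hash: bytes, txs: bytes, n: int) -> Block:
    """Find a salt s.t. the block hash starts with n zero bits: about 2^n hash evaluations."""
    salt = 0
    while True:
        digest = hashlib.sha256(pow_input(salt, prev_hash, txs)).digest()
        if leading_zero_bits(digest) >= n:
            return Block(prev_hash, txs, n, salt)
        salt += 1


def verify_chain(chain: list, genesis_hash: bytes) -> bool:
    """Each block must point at its predecessor and satisfy its own PoW (one hash per block)."""
    prev = genesis_hash
    for block in chain:
        if block.prev_hash != prev or leading_zero_bits(block.hash()) < block.n:
            return False
        prev = block.hash()
    return True


def chain_strength(chain: list) -> int:
    """Strength of a chain = sum of the hardnesses 2^n of its blocks."""
    return sum(block.strength() for block in chain)


def pick_chain(candidates: list, genesis_hash: bytes, rule: str = "strongest"):
    """Chain selection among valid candidates: 'longest' (page 31) or 'strongest' (page 35)."""
    valid = [c for c in candidates if verify_chain(c, genesis_hash)]
    if not valid:
        return None
    return max(valid, key=len if rule == "longest" else chain_strength)


def build_chain(genesis_hash: bytes, n: int, num_blocks: int, tag: bytes) -> list:
    chain, prev = [], genesis_hash
    for i in range(num_blocks):
        block = mine(prev, tag + b" period %d" % i, n)
        chain.append(block)
        prev = block.hash()
    return chain


def demo() -> dict:
    genesis_hash = hashlib.sha256(b"constructed genesis block").digest()
    # honest miners: 3 blocks at hardness 16; a low-hardness competitor: 5 blocks at hardness 4
    honest = build_chain(genesis_hash, 16, 3, b"honest")
    cheap = build_chain(genesis_hash, 4, 5, b"cheap")
    return {
        "honest_valid": verify_chain(honest, genesis_hash),
        "cheap_valid": verify_chain(cheap, genesis_hash),
        "longest_picks_cheap": pick_chain([honest, cheap], genesis_hash, "longest") is cheap,
        "strongest_picks_honest": pick_chain([honest, cheap], genesis_hash, "strongest") is honest,
        "honest_strength": chain_strength(honest),   # 3 * 2^16
        "cheap_strength": chain_strength(cheap),     # 5 * 2^4
    }


if __name__ == "__main__":
    print(demo())
```

The longest-chain rule would accept the five cheap blocks, while the strongest-chain rule keeps the three blocks that actually embody more work.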

Page 36: Joining the Network

• How to identify a user? Use a digital signature scheme (𝐊, 𝐒, 𝐕)

– Bitcoin uses ECDSA

[Figure: a new user runs (𝑝𝑘, 𝑠𝑘) ←$ 𝐊, publishes 𝑝𝑘 and keeps 𝑠𝑘 secret]

Every user has his own key pair

Page 37: Digital Signature Standard (DSS)

• Approved by US government in 1994

– Designed by NIST & NSA

– Originally using SHA-1, but now SHA-2 is recommended

– DSS is the standard and DSA is the algorithm

• A variant of ElGamal PKE

– Security based on the hardness of DL

– Creates a 320-bit signature (vs 1024 bits with RSA)

– Most of the computation is mod a 160-bit prime

Page 38: DSA Key Generation

• Shared global public values (𝑝, 𝑞, 𝛼)

– Prime 𝑝 of size 1024 bits

– Prime 𝑞 of size 160 bits (factor of 𝑝 − 1)

• Value 𝛼 ∈ ℤ𝑝* of order 𝑞

– Pick 𝑔 ∈ ℤ𝑝* and compute 𝛼 = 𝑔^((𝑝−1)/𝑞) mod 𝑝

– Repeat if 𝛼 = 1

• Each user generates (𝑎, 𝛽)

– Private key 𝑎 ←$ ℤ𝑞

– Public key 𝛽 = 𝛼^𝑎 mod 𝑝

Page 39: DSA Signing

• Let 𝑥 ∈ {0,1}* be the message to be signed

– Pick random 𝑘 ←$ ℤ𝑞

– Let 𝑟 = (𝛼^𝑘 mod 𝑝) mod 𝑞

– Let 𝑠 = (𝐒𝐇𝐀𝟐(𝑥) + 𝑎 ∙ 𝑟) ∙ 𝑘^(−1) mod 𝑞

– Repeat if 𝑟 = 0 or 𝑠 = 0

• Signature is 𝑦 = (𝑟, 𝑠)

– Value 𝑘 should be destroyed and never reused

Page 40: Signature Verification

• Given message 𝑥 and signature 𝑦 = (𝑟, 𝑠)

– Compute 𝑢 = 𝑠^(−1) ∙ 𝐒𝐇𝐀𝟐(𝑥) mod 𝑞

– Compute 𝑡 = 𝑠^(−1) ∙ 𝑟 mod 𝑞

– Let 𝑣 = (𝛼^𝑢 𝛽^𝑡 mod 𝑝) mod 𝑞

• Accept iff 𝑣 = 𝑟

• Correctness (exponents can be reduced mod 𝑞 because 𝛼 has order 𝑞):

𝑣 = (𝛼^(𝑢+𝑎𝑡) mod 𝑝) mod 𝑞 = (𝛼^(𝑠^(−1)(𝐒𝐇𝐀𝟐(𝑥)+𝑎𝑟)) mod 𝑝) mod 𝑞 = (𝛼^(𝑠^(−1)𝑘𝑠) mod 𝑝) mod 𝑞 = (𝛼^𝑘 mod 𝑝) mod 𝑞 = 𝑟

Page 41: Remarks on DSA

• Important to check 𝑟, 𝑠 ≠ 0

– If 𝑟 = 0, then 𝑠 = 𝐒𝐇𝐀𝟐(𝑥) ∙ 𝑘^(−1) mod 𝑞 is independent of the secret key 𝑎

– If 𝑠 = 0, then 𝑠^(−1) mod 𝑞 cannot be computed

– Both events very unlikely (probability ≈ 2^(−160))

• Operations on both sides are performed mod 𝑞, only one operation is performed mod 𝑝
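As an added Python example (not from the slides), the DSA key generation, signing and verification of pages 38 to 41, including the 𝑟, 𝑠 ≠ 0 checks on both sides. Assumptions of the demo: 𝐒𝐇𝐀𝟐(𝑥) is SHA-256 reduced mod 𝑞, the parameter sizes (64-bit 𝑞, 256-bit 𝑝) are far below the 160/1024 bits of the slides and chosen only so that the parameters can be generated quickly, and primality is tested with Miller-Rabin.

```python
import hashlib
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (adequate for a demo)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(qbits: int, pbits: int, rng: random.Random) -> tuple:
    """Shared global values (p, q, alpha): prime q dividing p - 1, alpha of order q (page 38)."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:  # p = k*q + 1 with k even, so that p is odd
        k = (rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))) & ~1
        p = k * q + 1
        if is_probable_prime(p, rng):
            break
    while True:  # pick g and set alpha = g^((p-1)/q) mod p; repeat if alpha = 1
        g = rng.randrange(2, p - 1)
        alpha = pow(g, (p - 1) // q, p)
        if alpha != 1:
            break
    return p, q, alpha


def check_params(params: tuple) -> bool:
    p, q, alpha = params
    return (p - 1) % q == 0 and alpha != 1 and pow(alpha, q, p) == 1


def keygen(params: tuple, rng: random.Random) -> tuple:
    p, q, alpha = params
    a = rng.randrange(1, q)        # private key a <-$ Z_q
    beta = pow(alpha, a, p)        # public key beta = alpha^a mod p
    return a, beta


def hash_mod_q(msg: bytes, q: int) -> int:
    # demo simplification of SHA2(x): SHA-256 digest as an integer, reduced mod q
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def sign(params: tuple, a: int, msg: bytes, rng: random.Random) -> tuple:
    p, q, alpha = params
    while True:
        k = rng.randrange(1, q)                            # per-signature secret, never reused
        r = pow(alpha, k, p) % q
        s = (hash_mod_q(msg, q) + a * r) * pow(k, -1, q) % q
        if r != 0 and s != 0:                              # page 41: repeat if r = 0 or s = 0
            return r, s


def verify(params: tuple, beta: int, msg: bytes, sig: tuple) -> bool:
    p, q, alpha = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):                      # r = 0 or s = 0 is rejected outright
        return False
    s_inv = pow(s, -1, q)
    u = s_inv * hash_mod_q(msg, q) % q
    t = s_inv * r % q
    v = (pow(alpha, u, p) * pow(beta, t, p) % p) % q       # = (alpha^(u + a t) mod p) mod q
    return v == r


def demo() -> dict:
    rng = random.Random(2017)      # seeded only to make the demo reproducible
    params = gen_params(64, 256, rng)
    a, beta = keygen(params, rng)
    msg = b"User P1 sends 25 BTC from T1 to P2"   # constructed message
    sig = sign(params, a, msg, rng)
    return {
        "params_ok": check_params(params),
        "valid": verify(params, beta, msg, sig),
        "tampered": verify(params, beta, msg + b"!", sig),
        "zero_r_rejected": verify(params, beta, msg, (0, sig[1])),
    }
```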

Page 42: Elliptic Curve DSA (ECDSA)

• Variant of DSA using elliptic curve groups

• Signature is 320 bits

• All operations are mod a 160-bit prime (or slightly more)

– Minimum size 163 or 192 bits

• Security depends on hardness of solving DL in an elliptic curve group

Page 43: Validating Blockchains

• What is needed in order to decide which blockchain is valid?

• One needs to know:

– The initial rules of the game

– The genesis block

• Given many candidates pick the one that:

– Verifies correctly

– Is the longest (i.e., the strongest)

• Verification can take several hours (blockchain size ≈ 70GB as of June 2016)

Page 44: Summary of Main Features

• Extending the blockchain is computationally hard

• Once a miner finds an extension he broadcasts the new block to everybody

• Users will always accept the longest chain as the valid one

– In practice it is a bit more complex

• How are the miners incentivized to follow these rules?

– Short answer: They are paid in bitcoins!

Page 45: Where Do These Bitcoins Come From?

• A miner that solves the PoW gets a reward

– 50 BTC for the first 210000 blocks

– 25 BTC for the next 210000 blocks

– 12.5 BTC for the next 210000 blocks

– … and so on

• Note that: 210000 ∙ (50 + 25 + 12.5 + ⋯) = 21000000

Page 46: More in Detail…

• Each block contains a transaction that transfers the reward to the miner

– A so-called coinbase transaction

• Advantages:

– It provides an incentive to be a miner

– It makes miners interested in broadcasting the new block asap

Page 47: An Important Feature

• Assuming everybody follows the protocol, the following invariant is maintained:

Every miner 𝑃𝑖 whose computing power is an 𝛼𝑖-fraction of the total computing power mines an 𝛼𝑖-fraction of the blocks

• Fraction of computing power ≈ fraction of revenue

• This is because 𝑃𝑖’s chances of solving the PoW are proportional to the number of times 𝑃𝑖 can evaluate the hash function

Page 48: Freshness of the Genesis Block

[Figure: the genesis block, with the claim: «I did not know the genesis block before Bitcoin was launched (Jan 3, 2009)»]

Here is a heuristic proof: «The genesis block contains a hash of a title from a front page of the London Times on Jan 3, 2009.»

Page 49: Why Does it Matter?

[Figure: the genesis block]

• Otherwise Satoshi could «pre-mine»:

1) Secretly start mining in 1980 and produce a very strong chain

2) Honest miners start working on Jan 3, 2009; since they have less time, after 1 year their chain is still weaker

3) On Jan 3, 2010 publish the secret chain

Page 50: Checkpoints

• Old block hash hardcoded into the Bitcoin software

• In theory: Not needed

• Goes against the decentralized spirit of Bitcoin

• But useful in practice:

– Prevent some DoS attacks (flooding nodes with unusable chains)

– Prevent attacks involving isolating nodes and providing them fake chains

– Optimization for initial blockchain download

Page 51: Protocol Updates

• The Bitcoin protocol can be updated

• Proposals can be submitted to the Bitcoin foundation in the form of Bitcoin Improvement Proposals (BIPs)

• Only the miners can vote

– Votes included in the minted blocks

– Currently, need 75% approval which roughly corresponds to 75% of computing power

Page 52: Bitcoin’s Money Mechanics

• Bitcoin is transaction based

• Technically there is no notion of coin

• Users 𝑃7 and 𝑃8 hold 5 BTC, whereas user 𝑃9 holds 40 BTC

[Figure: transaction graph laid out along a TIME axis, with the transactions: 25 BTC created by 𝑃1; 25 BTC sent to 𝑃2; 5 BTC sent to 𝑃4; 5 BTC sent to 𝑃3; 15 BTC sent to 𝑃5; 25 BTC created by 𝑃6; 15 BTC from 𝑃5 + 25 BTC from 𝑃6 to 𝑃9; 5 BTC sent to 𝑃7; 5 BTC sent to 𝑃8]

Page 53: Syntax of Transactions (Simplified)

𝑇1 = «User 𝑃1 creates 25 BTC» (created during the mining process)

𝑇2 = «User 𝑃1 sends 25 BTC from 𝑇1 to 𝑃2», Signature of 𝑃1 on 𝑇2

𝑇3 = «User 𝑃2 sends 25 BTC from 𝑇2 to 𝑃3», Signature of 𝑃2 on 𝑇3

[Figure: 𝑃1 → 𝑃2 → 𝑃3]

We say 𝑇3 redeems 𝑇2

Page 54: Multiple Output Transactions

𝑇2 = «User 𝑃1 sends 10 BTC from 𝑇1 to 𝑃2; User 𝑃1 sends 8 BTC from 𝑇1 to 𝑃3; User 𝑃1 sends 7 BTC from 𝑇1 to 𝑃4», Signature of 𝑃1 on 𝑇2

[Figure: 𝑃1 pays 10 BTC to 𝑃2, 8 BTC to 𝑃3 and 7 BTC to 𝑃4]

Page 55: Multiple Input Transactions

𝑇4 = «User 𝑃2 sends 10 BTC from 𝑇3 to 𝑃1; User 𝑃3 sends 8 BTC from 𝑇3 to 𝑃1; User 𝑃4 sends 7 BTC from 𝑇3 to 𝑃1», Signature of 𝑃2 on 𝑇4, Signature of 𝑃3 on 𝑇4, Signature of 𝑃4 on 𝑇4

[Figure: 𝑃2, 𝑃3 and 𝑃4 pay 10 BTC, 8 BTC and 7 BTC to 𝑃1]

All signatures need to be valid

Page 56: Time Locks

𝑇2 = «User 𝑃1 sends 25 BTC from 𝑇1 to 𝑃2 if time 𝑡 has passed», Signature of 𝑃1 on 𝑇2

The transaction specifies a time 𝑡 after which it is considered valid

Measured in blocks or real time

Page 57: Generalizations

• All these features can be combined

• The total value of incoming transactions can be larger than the total value of outgoing transactions

– The difference is called the fee

– Goes to the miner

• The conditions for redeeming a transaction can be more general (the so-called smart contracts)

Page 58: Block Structure in More Detail

[Figure: a block consists of a header and the transactions TX; the header contains the Prev hash, the Salt and the Merkle root of TX, and 𝐇(header) is what the next block refers to]

Merkle tree over 𝑇𝑋1 … 𝑇𝑋8: ℎ00 = 𝐇(𝑇𝑋1, 𝑇𝑋2), ℎ01 = 𝐇(𝑇𝑋3, 𝑇𝑋4), ℎ10 = 𝐇(𝑇𝑋5, 𝑇𝑋6), ℎ11 = 𝐇(𝑇𝑋7, 𝑇𝑋8); ℎ0 = 𝐇(ℎ00, ℎ01), ℎ1 = 𝐇(ℎ10, ℎ11); root = 𝐇(ℎ0, ℎ1)

Page 59: How to Verify Merkle Trees

[Figure: the same tree; to check that a transaction TX is in the block one needs TX, the sibling hashes along the path from 𝐇(TX) up to the Root, and the Root itself]

Proofs have size proportional to the depth of the tree (logarithmic in the number of transactions) and verification requires time proportional to the depth

Page 60: Why Merkle Trees?

• Merkle root always of the same small size

– Easily transmittable for pooled mining

– Simplifies writing hashing algorithms in hardware

• Light clients

– No need to process the entire block

• Pruning of old spent transactions

– Old transactions are not needed in order to verify the validity of the blockchain
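As an added Python example (not from the slides), the Merkle tree of pages 58 to 60: computing the root over the transactions of a block, producing the depth-sized inclusion proof a light client needs, and verifying it against the root. The leaf hash 𝐇(TX), the use of SHA-256 and the odd-count rule (duplicate the last hash at a level, as Bitcoin does) are choices of this demo; the page only shows the even case with eight transactions.

```python
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _pad_even(level: list) -> list:
    # odd number of nodes: duplicate the last hash so that every node has a sibling
    return level + [level[-1]] if len(level) % 2 == 1 else level


def merkle_levels(txs: list) -> list:
    """All levels bottom-up: level 0 = [H(TX_i)], ..., last level = [root]."""
    level = [H(tx) for tx in txs]
    levels = [level]
    while len(level) > 1:
        level = _pad_even(level)
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(txs: list) -> bytes:
    return merkle_levels(txs)[-1][0]


def merkle_proof(txs: list, index: int) -> list:
    """Inclusion proof for txs[index]: at each level the sibling hash, bottom-up,
    tagged with whether that sibling is the left input of H. Length = tree depth."""
    proof = []
    for level in merkle_levels(txs)[:-1]:
        level = _pad_even(level)
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_proof(tx: bytes, proof: list, root: bytes) -> bool:
    """Light-client check: recompute the path from H(TX) to the root, one hash per level."""
    h = H(tx)
    for sibling, sibling_is_left in proof:
        h = H(sibling + h) if sibling_is_left else H(h + sibling)
    return h == root


def demo() -> dict:
    txs = [b"TX%d" % i for i in range(1, 9)]   # constructed TX1..TX8 as on page 58
    root = merkle_root(txs)
    proof = merkle_proof(txs, 2)                  # prove that TX3 is in the block
    return {
        "proof_len": len(proof),                  # 3 = log2(8)
        "valid": verify_proof(b"TX3", proof, root),
        "wrong_tx": verify_proof(b"TX4", proof, root),
        "wrong_root": verify_proof(b"TX3", proof, merkle_root(txs[:-1] + [b"TX9"])),
    }
```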

Page 61: Mining Pools and Attacks

Page 62: Solo Mining

• Variance of income too high for solo miners

• Here is a rough estimate:

8,139,095 THash/s ÷ 7.95 THash/s ≈ 1,023,785.5 ≈ 19.4 ∙ (365 ∙ 24 ∙ 6)

(8,139,095 THash/s: total hash rate as of 10/11/2017; 7.95 THash/s: ASIC Antminer R4, 2,000 USD; 365 ∙ 24 ∙ 6: blocks per year)

• Waiting time for mining a block ≈ 19 years

Page 63: Mining Pools

• Miners create cartels called mining pools

• Mining pools are either operated centrally or in a peer-to-peer fashion

• Some of the pools charge fees for their service

– E.g., if the operator gets 25 BTC for mining, then it will share 25 − 𝜑 BTC (where 𝜑 is the fee)

• Expected revenue is lower on average, but variance is significantly smaller

– Tricky bit: How to prevent cheating? How to reward the miners?

Page 64: Biggest Mining Pools

[Figure: distribution of hash rate among the biggest mining pools] As of July 13, 2017

Page 65: How to Design a Mining Pool?

[Figure: exchange between a Miner and the Mining Pool Operator]

Operator → Miner: a transaction 𝑇𝑖 and a hash 𝐇(𝐵𝑖)

(The operator knows the current hardness parameter and includes a coinbase transaction transferring the money to its own 𝑝𝑘)

Miner: tries to find 𝑠𝑖 such that 𝐇(𝑠𝑖, 𝐇(𝐵𝑖), 𝑇𝑖) starts with 𝑛 zeroes

Miner → Operator: nonce 𝑠𝑖

Once the nonce is found by one of the pool members, each of them is rewarded proportionally to his work

But how to verify how much work a miner did?

Page 66: Proportional Method

[Figure: the same exchange between Miner and Mining Pool Operator]

Operator → Miner: a transaction 𝑇𝑖 and a hash 𝐇(𝐵𝑖) (the operator knows the current hardness parameter and 𝑝𝑘)

Miner: tries to find 𝑠𝑖 such that 𝐇(𝑠𝑖, 𝐇(𝐵𝑖), 𝑇𝑖) starts with 𝑛 zeroes

Miner → Operator: nonce 𝑠𝑖, but also partial solutions, i.e. values 𝑠𝑖′ such that 𝐇(𝑠𝑖′, 𝐇(𝐵𝑖), 𝑇𝑖) starts with 𝑛′ ≪ 𝑛 zeroes

Amount of work measured in # of partial solutions

Probability of Success

Consider three miners (Alice and two others) in the same pool, holding fractions 𝛼1, 𝛼2, 𝛼3 of the total computing power. Over time, the number of shares each of them submits is ≈ proportional to 𝛼1, 𝛼2, 𝛼3 respectively.

• Probability of the pool winning a round is 𝛼1 + 𝛼2 + 𝛼3

• Reward for Alice when the pool wins: 25 BTC ∙ 𝛼1/(𝛼1 + 𝛼2 + 𝛼3)

• Expected reward for Alice per round: (𝛼1 + 𝛼2 + 𝛼3) ∙ 25 BTC ∙ 𝛼1/(𝛼1 + 𝛼2 + 𝛼3) = 25 BTC ∙ 𝛼1, the same as when mining alone, but with much smaller variance

Pool Hopping

• What if miners change pool in the middle of a round?

– Expected revenue is 𝛼𝑖 (from the new pool)

– Plus the revenue from the old pool for the shares already submitted there (a small extra)

• Under the proportional method it is profitable to escape from pools whose current round already has lots of share holders

– Because such pools have too many «mouths to feed»: the reward of the round is split among all shares submitted so far, so a share submitted early in a round is worth more than one submitted late

Slush’s Method

• Solution: Use a scoring function that assigns to each share a score 𝜎

• Then assign rewards proportionally to the score 𝜎 rather than to the number of shares

• Slush’s scoring function: 𝜎 = 𝑒^(𝑇/𝑐)

– 𝑇: time since the beginning of this round

– 𝑐: some constant

• Intuitively this favours shares submitted late in a round over those submitted early, which cancels the early-round advantage that pool hopping exploits

Other Methods

• Pay-per-share: Operator pays a fixed amount for each partial solution, no matter whether the pool mines the block

– Risky for the operator, who absorbs all the variance (leading to higher fees)

• Score-based: Geometric method, double geometric method, …

• Improved pay-per-share

• See also:

– Meni Rosenfeld, Analysis of Bitcoin Pooled Mining Reward Systems, 2011
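As an added worked example (not part of the original slides), the following Python computes the expected payout of a single share as a function of when it is submitted, under the proportional method, Slush’s method and pay-per-share, with the slides’ 25 BTC reward. It assumes a memoryless round: each submitted share is a full solution with probability 2^−(𝑛−𝑛′), here with 𝑛 − 𝑛′ = 10 (an assumption, as is the constant 𝑐 = 50 shares), so the remaining round length is geometric. Under the proportional method a share is worth less the later it is submitted, which is exactly the pool-hopping incentive of the previous slides; with the exponential score the dependence on the position flattens out after the first few 𝑐 shares (but does not vanish entirely), and pay-per-share is constant by construction.

```python
import math

R = 25.0            # block reward in BTC, as in the slides
Q = 2.0 ** -10      # P[a share is also a full solution] = 2^-(n - n'); n - n' = 10 is an assumption
C = 50.0            # Slush's constant c, measured in shares (assumption)
M_MAX = 30_000      # truncation of the geometric round length (tail mass ~ e^-29)


def remaining_round(j):
    """Yield (probability, N) for the total round length N seen by the j-th share.
    Shares are memoryless, so N = j - 1 + M with M ~ Geometric(Q), M >= 1."""
    for m in range(1, M_MAX + 1):
        yield Q * (1.0 - Q) ** (m - 1), j - 1 + m


def pay_proportional(j, n_total):
    """Proportional method: every one of the N shares of a round gets R / N."""
    return R / n_total


def pay_slush(j, n_total, c=C):
    """Slush's method: share j gets R * e^{j/c} / sum_{i=1}^{N} e^{i/c}.
    The geometric sum is evaluated in closed form and numerator and denominator are
    divided by e^{(j-1)/c}, so long rounds do not overflow the exponential."""
    lead = (n_total - j + 1) / c
    if lead > 700:                       # e^lead would overflow; the payout is ~0 anyway
        return 0.0
    return R * math.expm1(1.0 / c) / (math.exp(lead) - math.exp(-(j - 1) / c))


def pay_pps(j, n_total):
    """Pay-per-share: each share is paid its expected value R * Q, whatever happens to the round."""
    return R * Q


def expected_payout(scheme, j):
    """Expected payout of the j-th share of a round, averaged over the remaining round length."""
    return sum(p * scheme(j, n_total) for p, n_total in remaining_round(j))


def hopping_incentive(scheme, early=1, late=2000):
    """How much more an early share earns than a late one. A ratio well above 1 means a
    miner gains by abandoning old rounds for fresh ones, i.e. pool hopping pays."""
    return expected_payout(scheme, early) / expected_payout(scheme, late)


if __name__ == "__main__":
    for name, scheme in (("proportional", pay_proportional), ("slush", pay_slush), ("pps", pay_pps)):
        print(f"{name:12s}",
              [round(expected_payout(scheme, j), 5) for j in (1, 50, 500, 2000)],
              "early/late:", round(hopping_incentive(scheme, 500, 2000), 3))
```

The numbers printed for the proportional method show the 500th share of a round worth more than twice the 2000th, while with the exponential score the two are within a fraction of a percent of each other: the only thing that matters for a late share is the (memoryless) time left in the round, so there is nothing to gain by leaving.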

Security of Mining Pools

• Typically assume the operator is honest

– Because he has a reputation to protect

• Miners are instead untrusted

• We will describe two attacks:

– Sabotage attack

– Lie-in-wait attack

• Both attacks are based on withholding certain blocks

– Similar to the selfish-mining attack (see later)

Sabotage Attack

• Based on submitting only partial solutions: the dishonest miner sends the operator every share it finds, but withholds any complete solution instead of sending it in

• Results:

– Pool loses money (the blocks found by the attacker are never published, yet his shares are still paid out of the blocks found by the others)

– Dishonest miner does not earn anything from the attack (actually it loses a little bit, since the pool’s revenue per share drops)

• Ultimate goal: Make the pool go bankrupt

– E.g., because it is a competing pool
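The following Python simulation is an added example (not code from the slides or from any real pool) of the proportional method described earlier and of the sabotage attack above. The operator verifies each share with one hash evaluation against the share hardness 𝑛′, rejects replays and insufficient work, and pays out proportionally once a full solution (hardness 𝑛) arrives; a saboteur submits shares but drops every full solution it finds. The hardness values, the pool key, the coinbase encoding and the miners’ names are assumptions of the example.

```python
import hashlib
import random

N_BLOCK = 16   # block hardness n in leading zero bits (assumption; real Bitcoin is far higher)
N_SHARE = 8    # share hardness n' << n


def pow_hash(nonce, prev_hash, coinbase_tx):
    """H(s_i, H(B_i), T_i) from the slides, instantiated with SHA-256."""
    return hashlib.sha256(nonce.to_bytes(8, "big") + prev_hash + coinbase_tx).digest()


def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


class PoolOperator:
    def __init__(self, pool_pk, prev_hash, reward=25.0, fee=0.02):
        self.prev_hash = prev_hash
        self.tx = f"coinbase: pay {reward} BTC to {pool_pk}".encode()   # T_i pays the pool key
        self.reward, self.fee = reward, fee
        self.shares = {}          # miner -> number of accepted partial solutions
        self.seen = set()         # credited nonces, so a share cannot be replayed
        self.block_nonce = None   # set when a full solution arrives

    def submit(self, miner, nonce):
        """Verify a share with one hash evaluation and credit it if it meets n'."""
        if nonce in self.seen:
            return False
        zeros = leading_zero_bits(pow_hash(nonce, self.prev_hash, self.tx))
        if zeros < N_SHARE:
            return False
        self.seen.add(nonce)
        self.shares[miner] = self.shares.get(miner, 0) + 1
        if zeros >= N_BLOCK and self.block_nonce is None:
            self.block_nonce = nonce
        return True

    def proportional_payout(self):
        """Split reward minus the operator's fee in proportion to accepted shares."""
        if self.block_nonce is None:
            return {}
        total = sum(self.shares.values())
        pot = self.reward * (1 - self.fee)
        return {m: pot * c / total for m, c in self.shares.items()}


def run_round(seed, power, saboteurs=(), max_hashes=2_000_000):
    """Simulate one round. Each hash attempt belongs to a miner drawn with probability equal
    to his share of the pool's power (`power`). Saboteurs submit partial solutions but throw
    away full ones. Returns the operator and the number of blocks the saboteurs withheld."""
    rng = random.Random(seed)
    op = PoolOperator("pk_pool", hashlib.sha256(b"B_i").digest())
    miners, weights = list(power), list(power.values())
    withheld = 0
    for _ in range(max_hashes):
        miner = rng.choices(miners, weights)[0]
        nonce = rng.getrandbits(64)
        zeros = leading_zero_bits(pow_hash(nonce, op.prev_hash, op.tx))
        if zeros < N_SHARE:
            continue
        if zeros >= N_BLOCK and miner in saboteurs:
            withheld += 1          # sabotage: the pool never learns about this block
            continue
        op.submit(miner, nonce)
        if op.block_nonce is not None:
            break
    return op, withheld


if __name__ == "__main__":
    op, _ = run_round(1, {"Alice": 0.5, "Bob": 0.3, "Carol": 0.2})
    print(op.shares, op.proportional_payout())
    op, withheld = run_round(7, {"Honest": 0.5, "Saboteur": 0.5}, saboteurs={"Saboteur"})
    print(op.shares, "blocks thrown away by the saboteur:", withheld)
```

Note what the operator can and cannot check: a share proves work on the pool’s own coinbase (so it cannot be resold to another pool), but nothing in a share reveals whether the miner also found, and discarded, a full solution, which is why the sabotage attack is hard to detect from the shares alone.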

Lie-in-Wait Attack

• Setting: a miner splits his computing power across several pools, say 1/3 each for mining pools 𝑃1, 𝑃2, 𝑃3

• Once a complete solution is found (say for 𝑃2)

– Delay submitting it and, in the meantime, move all computing power to mining shares for 𝑃2 only

– Send the solution to 𝑃2 after some time

• Intuition is that this is profitable because 𝑃2 is now a very likely winner of its round, so the shares submitted to 𝑃2 in the meantime are worth more than average

Peer-to-Peer Mining

• General idea: Miners create a chain of share blocks with hardness parameter 𝑛′ ≪ 𝑛 on top of the last block 𝐵𝑖 of the main chain

– Every 𝐵𝑖^𝑗 is a valid extension of 𝐵𝑖 (hardness 𝑛′)

– Requires using other fields in the block to link 𝐵𝑖^𝑗 to its predecessor 𝐵𝑖^(𝑗−1)

• Parameter 𝑛′ chosen in such a way that new share blocks appear often (say every 30 sec)

Block 𝐵𝑖 → Block 𝐵𝑖^1 → Block 𝐵𝑖^2 → Block 𝐵𝑖^3 → …

How to Do it

Layout of the share blocks built on top of 𝐵𝑖 (each 𝐇(∙) is a hash pointer):

• 𝐵𝑖^1 = (nonce, 𝐇(𝐵𝑖), transactions)

• 𝐵𝑖^2 = (nonce, 𝐇(𝐵𝑖), transactions, 𝐇(𝐵𝑖^1))

• 𝐵𝑖^3 = (nonce, 𝐇(𝐵𝑖), transactions, 𝐇(𝐵𝑖^2))

• Every share block still points to 𝐵𝑖 as its main-chain predecessor, so any of them that happens to satisfy the main-chain hardness 𝑛 is a valid next block of the main chain

• The blocks contain extra space that can be used to store the 𝐇(𝐵𝑖^𝑗), i.e. the pointer to the previous share block

Reward

• The share block 𝐵𝑖^𝑘 whose hash satisfies the main-chain hardness 𝑛 enters the main blockchain as 𝐵𝑖+1

• Reward can be computed using some formula over the share chain 𝐵𝑖^1, …, 𝐵𝑖^𝑘

– Share block 𝐵𝑖^𝑗 is found by miner 𝑃𝑗 and includes a payment to 𝑃1, …, 𝑃𝑗−1, the finders of the previous share blocks; in the figure, 𝐵𝑖^2 includes a payment to 𝑃1 and 𝐵𝑖^𝑘 = 𝐵𝑖+1 includes a payment to 𝑃1, …, 𝑃𝑘−1

• Each miner is incentivized to behave nicely (a share block that drops the payments to the earlier finders would not be accepted by the other miners as an extension of the share chain)

Block 𝐵𝑖 → Block 𝐵𝑖^1 (found by 𝑃1) → Block 𝐵𝑖^2 (found by 𝑃2) → … → 𝐵𝑖^𝑘 = 𝐵𝑖+1 (found by 𝑃𝑘)

Possible Attack Goals

• Double spending

• Getting more money from mining than your fair share

• Short selling

– Bet that the price of BTC will drop and then destroy the system (i.e., make the price of BTC go to zero)

• Someone (a government?) interested in shutting Bitcoin down

The 51% Attack

• An adversary controlling the majority of the computational power cannot

– Steal money from earlier transactions (requires forging a signature)

– Generate money without effort (still needs to solve the PoW for every block)

• However, such an adversary can

– Fork the chain and double-spend

– Reject all other miners’ blocks

– Exclude certain transactions

Programming Errors

• Block 74638 (Aug 2010) contained a transaction with 2 outputs summing to over 184 billion BTC

– Integer overflow in the Bitcoin software: the sum of the outputs wrapped around to a small negative number, so the check that outputs do not exceed inputs passed

– Solved by a software update + manual fork

• Fork at block 225430 (March 2013) caused by an error in a software update

– Solved by reverting to the older version

• Moral: Nothing can be fully decentralized

– Sometimes human intervention is needed
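An added Python example (not the Bitcoin source) of the value-overflow class of bug behind block 74638: the unchecked version emulates a signed 64-bit accumulator that wraps around, so two enormous outputs sum to a small negative number and pass the «outputs ≤ inputs» test; the fixed version range-checks every output and the running total against the money supply cap, which is what the patched Bitcoin code does with its MoneyRange() check. The transaction below is constructed so that the two outputs overflow; the historical transaction used values of the same order.

```python
COIN = 100_000_000                 # satoshi per BTC
MAX_MONEY = 21_000_000 * COIN      # supply cap enforced by Bitcoin's MoneyRange() check
INT64_MAX = 2 ** 63 - 1


def wrap_int64(x):
    """Emulate a signed 64-bit accumulator wrapping around on overflow."""
    x &= (1 << 64) - 1
    return x - (1 << 64) if x > INT64_MAX else x


def check_outputs_unchecked(inputs, outputs):
    """Pre-fix logic (simplified): reject negative outputs, then compare the wrapped sum of
    outputs with the sum of inputs. Two huge positive outputs wrap to a small negative total."""
    if any(v < 0 for v in outputs):
        return False
    value_out = 0
    for v in outputs:
        value_out = wrap_int64(value_out + v)
    return value_out <= sum(inputs)


def money_range(v):
    return 0 <= v <= MAX_MONEY


def check_outputs_fixed(inputs, outputs):
    """Post-fix logic: every output and the running total must lie in [0, MAX_MONEY]."""
    value_out = 0
    for v in outputs:
        if not money_range(v):
            return False
        value_out += v
        if not money_range(value_out):
            return False
    return value_out <= sum(inputs)


def overflow_example():
    """Constructed transaction: a 0.5 BTC input spent to two outputs of 2^63 - 498769
    satoshi each, whose int64 sum wraps to -997538 (about -0.01 BTC)."""
    inputs = [COIN // 2]
    outputs = [2 ** 63 - 498_769, 2 ** 63 - 498_769]
    return {"unchecked_accepts": check_outputs_unchecked(inputs, outputs),
            "fixed_accepts": check_outputs_fixed(inputs, outputs)}


if __name__ == "__main__":
    print(overflow_example())
```

The lesson generalises beyond Bitcoin: a range check on the total alone is not enough when the total is computed with wrapping arithmetic; each addend and every intermediate sum must be bounded before the addition is performed.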

Transaction Malleability

• Transactions are identified by their hashes

• One can change the TxId by mauling a signature

– In ECDSA, if 𝜎 = (𝑟, 𝑠) is a valid signature on message 𝑚, so is 𝜎′ = (𝑟, −𝑠 mod 𝑛) = (𝑟, 𝑛 − 𝑠), where 𝑛 is the order of the group

Example: user 𝑃1 sends 1 BTC from 𝑇1 to 𝑃2 with a transaction 𝑇2 = (body, signature of 𝑃1 on the body); its identifier TxId = 𝐇(𝑇2) is computed over the signature as well

How to Exploit Malleability

• As a result the TxId changes, although the signature still verifies and the transaction still pays the same amount to the same recipient

• Anyone who sees the transaction before it is confirmed (relaying nodes, miners) can substitute the mauled copy, and only one of the two versions will end up in the blockchain

• Often not a problem, as semantically nothing changed

• Problematic for Bitcoin contracts that refer to a transaction by its TxId before that transaction is confirmed

Claimed Attack on MtGox

• Scenario: a user 𝐴 deposits 1 BTC to MtGox and then withdraws 1 BTC

– MtGox broadcasts a transaction 𝑇 («MtGox pays 1 BTC to 𝐴») and remembers its TxId 𝐇(𝑇)

– 𝐴 relays a mauled copy 𝑇′ of the same transaction, and 𝑇′ is the version that gets into the blockchain (blocks 𝐵𝑖, 𝐵𝑖+1, 𝐵𝑖+2, 𝐵𝑖+3 in the figure)

• MtGox cannot see a transaction with TxId 𝐇(𝑇) in the blockchain

– As if the transaction did not happen

– 𝐴 complains, MtGox pays again: double spending possible

• Decker-Wattenhofer 14 (Bitcoin Transaction Malleability and MtGox): this is probably not true as an explanation of MtGox’s losses

Lack of Anonymity

• Bitcoin only guarantees pseudonymity: addresses are not names, but the whole transaction graph is public

• Can sometimes be de-anonymized

– Meiklejohn et al.: A Fistful of Bitcoins, 2013

[Figure: three 1 BTC payments between addresses that can be linked to the same user]

Heuristic solution:
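An added Python example (not from the slides, and not the paper’s own code) of the multi-input heuristic used by Meiklejohn et al. to link addresses: all addresses spent together as inputs of one transaction are assumed to belong to one user, since one wallet had to sign for all of them, and a label known for any address then applies to its whole cluster. The transactions and the label are constructed for the example.

```python
from collections import defaultdict


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]   # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_multi_input(txs):
    """Multi-input heuristic: all input addresses of one transaction are assumed to be
    controlled by the same user. Returns the set of address clusters; every address that
    appears in any transaction ends up in exactly one cluster."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"]:
            uf.union(tx["inputs"][0], addr)
        for addr in tx["outputs"]:
            uf.find(addr)              # register outputs, initially as singletons
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return {frozenset(c) for c in clusters.values()}


def propagate_labels(clusters, labels):
    """A label known for one address (e.g. obtained by making a deposit to an exchange and
    watching where it goes) applies to every address in its cluster."""
    out = {}
    for c in clusters:
        tags = {labels[a] for a in c if a in labels}
        for a in c:
            out[a] = tags
    return out


# Constructed transactions for the example (not real chain data)
SAMPLE_TXS = [
    {"inputs": ["A1", "A2"], "outputs": ["B1", "A3"]},   # A1 and A2 spent together
    {"inputs": ["A2", "A3"], "outputs": ["C1"]},         # ties A3 to the same owner
    {"inputs": ["B1"], "outputs": ["D1", "B2"]},
    {"inputs": ["D1", "D2"], "outputs": ["E1"]},
]

if __name__ == "__main__":
    clusters = cluster_by_multi_input(SAMPLE_TXS)
    print(sorted(sorted(c) for c in clusters))
    print(propagate_labels(clusters, {"A1": "exchange deposit"}))
```

The heuristic is only that: a CoinJoin-style transaction deliberately built by several users defeats it, which is why the paper combines it with further heuristics and with manual tagging of services.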

Hardware Mining

• Evolution of mining habits

– CPU -> GPU -> FPGA -> ASIC

• Several drawbacks

– Makes the whole process non-democratic

– Might be exploited by a very powerful adversary

– Excludes some applications (e.g., mining as micropayment)

• Advantages

– Security against botnets, and makes miners interested in the long-term stability of the system

– How long term? The hashrate can go up by 100x in a year, so the hardware is obsolete quickly

Risks Associated with Pool Mining

• June 2014: The Ghash.io pool got > 50% of the total hash power

– What we were promised: A distributed currency independent of the central banks

– What we got (June 2014): A currency controlled by a single company

• Miners lost control of which blocks they mine

– Not possible to choose the Bitcoin transactions that go into a block: the operator does that

– Common belief: 99% of the miners only care about the highest possible block reward

How to Break Bitcoin?

• Start a number of mining pools with a negative fee

• Wait to get > 50% of the computational power

• Will the miners join?

– Well, yes, if they only care about the block reward

• Is Bitcoin secure?

– Need to assume that the majority behaves honestly even if it has incentives not to do so

– Conjecture: Maybe the only reason why it is still unbroken is that nobody really tried to break it

Majority is not Enough (Selfish Mining)

• Ittay Eyal and Emin G. Sirer: Majority is not Enough: Bitcoin Mining is Vulnerable, 2013

• Basic idea: When a new block is found, keep it for yourself

• Goal: Make the honest miners waste their effort mining blocks that will never make it to the blockchain

• The proportion of mined blocks will be higher, yielding a revenue greater than the fair share

Bitcoin is not Incentive Compatible

• Recall that with the honest strategy every miner with an 𝛼-fraction of the computing power gets an 𝛼-fraction of the revenue

• But if there is a strategy that is more beneficial than the honest strategy, miners have an incentive to misbehave

– The larger 𝛼, the more beneficial the dishonest strategy is

– Hence miners have an incentive to join a large pool that uses this strategy

Simplifying Assumption (Warm-Up)

• What happens if there is a fork?

– Bitcoin specification: «From two chains of equal length mine on the one that was received first.»

• Assume that the adversary is always first

– E.g., he deploys a lot of fake nodes acting as sensors, so that he learns of every honest block immediately and gets his own block to every honest miner first

– We will remove this assumption later

Selfish Mining (Basic Idea)

• Adversary finds a new block and keeps it private

• Two things can happen:

– The honest miners find a block: in this case the adversary immediately publishes his own block; since he is always first, his block wins and he loses nothing

– The adversary finds further blocks: he keeps extending his private chain and publishes it when the public chain equalizes, i.e. as soon as the honest miners have caught up to within one block, at which point his longer chain wins and all the honest blocks mined in the meantime are wasted

Towards the Full Attack

• The assumption that the adversary is always first might look unrealistic

• Eyal and Sirer show a modification of the attack that works without this assumption

• Let 𝛾 be the fraction of honest miners that will choose to mine on the adversary’s chain in case of a tie

• Assume the adversary controls an 𝛼-fraction of the computing power

– The other miners hold a (1 − 𝛼)-fraction, for 𝛼 < 1/2

An Observation

• What is the probability that the adversary’s chain is selected when the two chains have equal length?

• Let 𝛿 = 𝛼 + (1 − 𝛼) ∙ 𝛾

– With probability 𝛼 the adversary extends the chain, and he mines on his own branch

– With probability 1 − 𝛼 an honest miner extends the chain; a 𝛾-fraction of the honest miners mine on the adversary’s branch

• So the adversary’s chain gets extended with probability 𝛿, and the honest chain gets extended with probability 1 − 𝛿

State Transitions

States of the attack (the state is the adversary’s private lead over the public chain):

• State 0: initial state (no forks)

• State 0 → State 1 with probability 𝛼: the adversary finds a new block and keeps it

• State 0 → State 0 with probability 1 − 𝛼: the honest miners find a block

• State 1 → State 2 with probability 𝛼: the adversary finds another block

• State 1 → State 0′ with probability 1 − 𝛼: the honest miners also find a block; the adversary publishes his chain ASAP, so there are two chains of equal length

• State 0′ → State 0 with probability 𝛿: the adversary’s block wins

• State 0′ → State 0 with probability 1 − 𝛿: the honest block wins

Continuing from State 2

• State 2 → State 3 with probability 𝛼: the adversary finds yet another block and keeps it

• State 2 → State 0 with probability 1 − 𝛼: the honest miners find a block; the adversary publishes his chain ASAP (two blocks against one), wins both blocks and the fork is resolved

Resulting State Machine

State 0 → State 1 → State 2 → State 3 → State 4 → … with probability 𝛼 at each step (the adversary finds a block and increases his lead)

State 𝑘 → State 𝑘 − 1 with probability 1 − 𝛼 for 𝑘 ≥ 3 (the honest miners find a block and the adversary publishes one block of his lead), State 2 → State 0 with probability 1 − 𝛼, State 1 → State 0′ with probability 1 − 𝛼, and State 0′ → State 0 with probability 1

Calculating the Revenue

• The above can be analyzed using the theory of Markov chains

• To compute the revenue:

– Compute the stationary distribution

– Execute one step in the Markov chain according to the transition probabilities

– Multiply the result with the corresponding revenue (the number of blocks credited to the adversary and to the honest miners in that step)

• Expected revenue exceeds the honest strategy as long as 𝛼 > (1 − 𝛾)/(3 − 2𝛾)
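The revenue computation carried out as an added Python example (not from the slides or from the paper): it evaluates the stationary distribution of the state machine above in closed form, credits blocks to the selfish and to the honest miners per transition, and compares the result with Eyal and Sirer’s closed-form revenue and with the threshold (1 − 𝛾)/(3 − 2𝛾). The only inputs are 𝛼 and 𝛾; no other parameters are assumed.

```python
def selfish_mining_revenue(alpha, gamma):
    """Fraction of main-chain blocks won by a selfish miner with hashing share alpha when a
    fraction gamma of the honest miners builds on its branch after a tie.
    Stationary distribution of the slides' state machine (states 0, 0', 1, 2, 3, ...), then
    the expected number of blocks credited to each side per transition."""
    a, b = alpha, 1.0 - alpha
    if not 0.0 < a < 0.5:
        raise ValueError("need 0 < alpha < 1/2 for the private lead to stay finite")
    p0 = (1 - 2 * a) / (2 * a ** 3 - 4 * a ** 2 + 1)   # state 0: no private lead
    p0p = a * b * p0                                   # 0': two public chains of equal length
    p2 = a * a * p0 / b                                # lead 2 (state 1 has mass a * p0)
    p_ge3 = a * a * p0 / (1 - 2 * a) - p2              # total mass of states 3, 4, ... (geometric tail)
    # Selfish credit: from 0' it keeps 2 blocks if it extends its own branch and 1 if a
    # gamma-honest miner does; from state 2 it publishes and wins both blocks; from n >= 3
    # every honest block lets it publish, and get credited, one more of its own.
    selfish = p0p * (2 * a + gamma * b) + p2 * 2 * b + p_ge3 * b
    # Honest credit: a block found in state 0, and 1 or 2 blocks out of the tie in 0'.
    honest = p0 * b + p0p * (gamma * b + 2 * (1 - gamma) * b)
    return selfish / (selfish + honest)


def closed_form(alpha, gamma):
    """Eyal and Sirer's closed-form revenue, used as a cross-check of the sum above."""
    a = alpha
    return (a * (1 - a) ** 2 * (4 * a + gamma * (1 - 2 * a)) - a ** 3) / (1 - a * (1 + (2 - a) * a))


def threshold(gamma):
    """Smallest alpha above which selfish mining beats honest mining: (1 - gamma) / (3 - 2 gamma)."""
    return (1 - gamma) / (3 - 2 * gamma)


def profitable(alpha, gamma):
    return selfish_mining_revenue(alpha, gamma) > alpha


if __name__ == "__main__":
    for gamma in (0.0, 0.5, 1.0):
        print(f"gamma={gamma}: profitable for alpha > {threshold(gamma):.3f}")
        for alpha in (0.1, 0.2, 0.3, 0.4):
            print(f"  alpha={alpha}: revenue {selfish_mining_revenue(alpha, gamma):.4f}",
                  "(beats honest mining)" if profitable(alpha, gamma) else "")
```

At 𝛾 = 0 (the honest miners always see the honest block first) the attack pays only above 𝛼 = 1/3; at 𝛾 = 1 (the adversary always wins ties, the warm-up assumption) it pays for any 𝛼 > 0; the 𝛾 = 1/2 row is the fix discussed on the next slide.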

How to Fix it?

• One simple idea is to make 𝛾 = 1/2

– This means choosing which fork to mine on uniformly at random, instead of the first received

• The threshold for 𝛼 moves to (1 − 1/2)/(3 − 1) = 1/4

– This means that with such a modification Bitcoin would be secure as long as a 3/4-fraction of the computing power is honest

– A smaller tolerated adversary than the believed 1/2-fraction, but better than the current reality

Summary of Other Attacks

• Whale transactions

– Make transactions with huge fees

– Incentivizes miners to mine on old blocks (forking the chain) in order to collect the fee themselves

– Accidentally happened in the past

• Flood attack

– Send a big amount of small transactions

– Countermeasure: Increase transaction fees

• Destroy Bitcoins

– Send Bitcoins to unspendable output addresses to burn them


Consensus

Consensus Protocol

• Fundamental for cryptocurrencies

• Miners need to agree on the state of the blockchain

– What transactions are in a block

– What are the currently unspent transaction outputs

– Which chain is the valid one and which are forks

• Theoretically a very well studied problem

– The Byzantine Generals Problem (Lamport, Shostak and Pease, 1982)

The Byzantine Generals Problem

• Generals need to decide whether to attack or retreat

• If some attack and some do not, they lose (and get killed by the Sultan)

• Main problem: Cheaters

– Can trick honest generals, e.g. by telling different things to different generals

• Setting: Assume the generals are connected by pairwise bidirectional channels

• Adversary model: 𝑛 parties, out of which 𝑡 are malicious

Timing Model

• Describes the uncertainty of message propagation

• Synchronous: Messages arrive within a known time ∆

– If a message does not arrive within ∆, the sender is malicious

• Partially synchronous: Messages will eventually arrive, but the bound ∆ is unknown

• Asynchronous: No time constraint on message arrival

Setup Assumptions

• Assume a PKI

• All parties know the public keys of the other parties: the list (1, 𝑝𝑘1), (2, 𝑝𝑘2), …, (𝑛, 𝑝𝑘𝑛) is common knowledge

Problem Statement

• Total of 𝑛 parties connected by a p2p network

• Maximum 𝑡 < 𝑛 parties are malicious

• Input: Each party 𝑃𝑖 inputs a bit 𝑏𝑖

• Output: Each party 𝑃𝑖 decides on an output bit (the figure shows three parties 𝑃1, 𝑃2, 𝑃3, each with its input 𝑏𝑖 and its output bit)

Security Definition

• Termination: The protocol terminates after finitely many rounds

– Typically poly(𝑛) (optimal is constant)

• Agreement: All honest parties agree on the same output

– I.e., if 𝑃𝑖, 𝑃𝑗 are both honest, their outputs satisfy 𝑏𝑖 = 𝑏𝑗

• Validity: If the initial values of all honest players are identical, they decide on that value

– I.e., if the input of every honest 𝑃𝑖 is 𝑏, each of them outputs 𝑏

Observations

• Trivial to achieve validity or agreement in isolation

• Agreement alone: every party outputs the constant 0 (all outputs coincide, but validity fails whenever every honest input is 1)

• Validity alone: every party 𝑃𝑖 outputs its own input 𝑏𝑖 (validity holds trivially, but agreement fails as soon as the inputs differ)

Broadcast Channel

• When a party sends a message 𝑣, the same 𝑣 is received by all other parties

Broadcast versus Byzantine Agreement

• Theorem: If 𝑡 < 𝑛/2, broadcast implies Byzantine agreement

• Proof: Design a protocol for Byzantine agreement

– All parties broadcast their input 𝑏𝑖

– Each party outputs the majority of the received values

– Agreement: All 𝑃𝑖 receive the same messages via the broadcast channel (so the majority is uniquely defined)

– Validity: If all honest parties start with the same input 𝑏, then all honest parties output 𝑏 (as 𝑡 < 𝑛/2, the honest values form a majority)

Let’s Focus on Broadcast!

• Setup: Total of 𝑛 parties with a designated sender 𝑃𝑠 for some 𝑠 ∈ [𝑛], out of which 𝑡 < 𝑛 are malicious

– Only the sender has an input 𝑏𝑠

– Honest players decide on an output 𝑏𝑖

• Termination: The protocol terminates after a finite number of rounds

• Agreement: For all honest 𝑃𝑖, 𝑃𝑗, we have 𝑏𝑖 = 𝑏𝑗

• Validity: If 𝑃𝑠 is honest, all honest parties 𝑃𝑖 output 𝑏𝑖 = 𝑏𝑠

Dolev-Strong Protocol

• Goal: Implement broadcast using a PKI

• Building block: Digital signatures; 𝐒(𝑠𝑘𝑖, 𝑣) denotes party 𝑃𝑖’s signature on 𝑣

• Variables maintained by each 𝑃𝑖

– 𝐴𝐶𝐶𝑖: set of accepted values

– 𝑆𝐸𝑇𝑖,0: set of signatures received from other parties on message 0

– 𝑆𝐸𝑇𝑖,1: set of signatures received from other parties on message 1

• The protocol proceeds in 3 stages

Stage 1 (Round 𝑟 = 0)

• Only the sender 𝑃𝑠 is active

• All parties initialize 𝐴𝐶𝐶𝑖 = 𝑆𝐸𝑇𝑖,0 = 𝑆𝐸𝑇𝑖,1 = ∅

• 𝑃𝑠 sends (𝑣, 𝜎 = 𝐒(𝑠𝑘𝑠, 𝑣)) to everybody

• Finally 𝑃𝑠 terminates and outputs 𝑣

Stage 2 (Round 𝑟 = 1,2,3,…)

• If 𝑃𝑖 receives (𝑣′, 𝑆𝐸𝑇) from 𝑃𝑗 with 𝑣′ ∈ {0,1} and where 𝑆𝐸𝑇 contains valid signatures on 𝑣′ from at least 𝑟 distinct parties (including 𝑃𝑠), then

– 𝐴𝐶𝐶𝑖 = 𝐴𝐶𝐶𝑖 ∪ {𝑣′}

– 𝑆𝐸𝑇𝑖,𝑣′ = 𝑆𝐸𝑇𝑖,𝑣′ ∪ 𝑆𝐸𝑇

(In the figure, 𝑃2 and 𝑃3 both receive (𝑣′, 𝑆𝐸𝑇) and update 𝐴𝐶𝐶2, 𝑆𝐸𝑇2,𝑣′ and 𝐴𝐶𝐶3, 𝑆𝐸𝑇3,𝑣′ accordingly)

Stage 2 (Round 𝑟 = 1,2,3,…), continued

• Each 𝑃𝑖 checks if some 𝑣′ was newly added to 𝐴𝐶𝐶𝑖 during round 𝑟

• In that case, it computes 𝜎′ = 𝐒(𝑠𝑘𝑖, 𝑣′) and sends (𝑣′, 𝑆𝐸𝑇𝑖,𝑣′ ∪ {𝜎′}) to everybody

(In the figure, 𝑃2 computes 𝜎′ = 𝐒(𝑠𝑘2, 𝑣′) and sends (𝑣′, 𝑆𝐸𝑇2,𝑣′ ∪ {𝜎′}) to the other parties)

Stage 3 (Final Round)

• After the last round of Stage 2, each 𝑃𝑖 proceeds as follows

– If 𝐴𝐶𝐶𝑖 = {1}, return 1

– Else (𝐴𝐶𝐶𝑖 = ∅, {0} or {0,1}), return 0

Correctness

• Here 𝑃𝑠 is honest (validity)

• Stage 1: 𝑃𝑠 sends (𝑣, 𝜎 = 𝐒(𝑠𝑘𝑠, 𝑣))

• Stage 2:

– All honest 𝑃𝑖 add 𝑣 to 𝐴𝐶𝐶𝑖 in round 𝑟 = 1 (as 𝜎 is accepting) and afterwards resend the signatures

– Malicious parties in round 𝑟 = 1 might send (𝑣′, 𝐒(𝑠𝑘𝑖, 𝑣′)) for 𝑣′ ≠ 𝑣, but this is never accepted in any round since it does not contain a signature from 𝑃𝑠 (which cannot be forged)

• Stage 3: All honest parties output 𝑣

Agreement (1/3)

• Assume 𝑃𝑠 is malicious (if it is honest, see the previous slide); in the figure there are the sender 𝑃𝑠, the honest parties 𝑃2, 𝑃3, and Stage 2 runs for rounds 𝑟 = 1, 2

• Situation after round 𝑟 = 1: 𝑃𝑠 sent (1, 𝐒(𝑠𝑘𝑠, 1)) to 𝑃2 and (0, 𝐒(𝑠𝑘𝑠, 0)) to 𝑃3

– 𝐴𝐶𝐶2 = {1}, 𝑆𝐸𝑇2,1 = {𝐒(𝑠𝑘𝑠, 1)}

– 𝐴𝐶𝐶3 = {0}, 𝑆𝐸𝑇3,0 = {𝐒(𝑠𝑘𝑠, 0)}

Agreement (2/3)

• Round 𝑟 = 2

– 𝑃2 sends (1, {𝐒(𝑠𝑘𝑠, 1), 𝐒(𝑠𝑘2, 1)}) to 𝑃3 and 𝑃3 sends (0, {𝐒(𝑠𝑘𝑠, 0), 𝐒(𝑠𝑘3, 0)}) to 𝑃2; both messages carry 2 ≥ 𝑟 valid signatures including the sender’s, so they are accepted

– Now 𝐴𝐶𝐶2 = {0,1} and 𝐴𝐶𝐶3 = {0,1}

• Both honest parties output 0, as 𝐴𝐶𝐶2, 𝐴𝐶𝐶3 ≠ {1}

Agreement (3/3)

• What if 𝑃𝑠 sends its message only to one party?

– Round 𝑟 = 1: 𝑃2 receives (1, 𝐒(𝑠𝑘𝑠, 1)), so 𝐴𝐶𝐶2 = {1} and 𝑆𝐸𝑇2,1 = {𝐒(𝑠𝑘𝑠, 1)}; 𝑃3 receives nothing

– Round 𝑟 = 2: 𝑃2 forwards (1, {𝐒(𝑠𝑘𝑠, 1), 𝐒(𝑠𝑘2, 1)}), which 𝑃3 accepts (2 signatures including the sender’s), so 𝐴𝐶𝐶3 = {1}

• Both output 1: the extra round is what guarantees that a value accepted by some honest party in round 𝑟 is accepted by all honest parties in round 𝑟 + 1

Dolev-Strong Theorem

• Theorem: If the signature scheme is unforgeable, the above protocol (run for 𝑡 + 1 rounds of Stage 2) implements broadcast among 𝑛 parties in the synchronous setting for any 𝑡 < 𝑛

– Round complexity: 𝑡 + 1, i.e. linear in 𝑛

– Can be improved to (expected) constant round complexity with a more complex protocol, assuming 𝑡 < 𝑛/2

• Theorem: Without a PKI, broadcast is possible if and only if 𝑡 < 𝑛/3
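An added Python simulation (not code from the slides) of the Dolev-Strong protocol as described above, including the equivocating-sender and single-recipient scenarios of the agreement slides and the majority reduction from broadcast to Byzantine agreement for 𝑡 < 𝑛/2. The «PKI» is a trusted registry of HMAC keys standing in for real signatures (an assumption of the example, not the signature scheme the slides assume), and the adversaries are the two scripted behaviours shown in the figures; any other scripted behaviour can be plugged in through the `malicious` argument.

```python
import hashlib
import hmac


class Pki:
    """Stand-in for the PKI the protocol assumes: party i signs with key_i and anyone can
    verify. HMAC tags checked by a trusted registry replace real public-key signatures here;
    this is a simulation device, not the signature scheme the slides assume."""

    def __init__(self, n):
        self.keys = {i: hashlib.sha256(f"party-{i}".encode()).digest() for i in range(1, n + 1)}

    def sign(self, i, v):
        return (i, hmac.new(self.keys[i], bytes([v]), "sha256").hexdigest())

    def valid(self, sig, v):
        i, tag = sig
        return i in self.keys and hmac.compare_digest(tag, self.sign(i, v)[1])


def dolev_strong(n, t, s, v, pki, malicious=None):
    """Synchronous Dolev-Strong broadcast from sender s among parties 1..n, t < n of them
    malicious. Round 0: the sender signs v and sends it to all. Rounds 1..t+1: P_i accepts
    (v', SET) iff SET holds valid signatures on v' from at least r distinct parties including
    P_s; a newly accepted v' is re-signed and forwarded. `malicious` maps a party id to a
    function(round, inbox, pki) -> [(dest, msg), ...] scripting that party's behaviour."""
    malicious = malicious or {}
    ids = range(1, n + 1)
    ACC = {i: set() for i in ids}
    SET = {i: {0: set(), 1: set()} for i in ids}
    inbox = {i: [] for i in ids}
    if s in malicious:
        out = malicious[s](0, [], pki)
    else:
        out = [(j, (v, frozenset({pki.sign(s, v)}))) for j in ids if j != s]
    for dest, msg in out:
        inbox[dest].append(msg)
    for r in range(1, t + 2):
        nxt = {i: [] for i in ids}
        for i in ids:
            if i in malicious:
                for dest, msg in malicious[i](r, inbox[i], pki):
                    nxt[dest].append(msg)
                continue
            if i == s:
                continue                       # the honest sender already terminated
            newly = set()
            for v2, sigs in inbox[i]:
                if v2 not in (0, 1):
                    continue
                good = {sig for sig in sigs if pki.valid(sig, v2)}
                signers = {sig[0] for sig in good}
                if s in signers and len(signers) >= r:
                    if v2 not in ACC[i]:
                        newly.add(v2)
                    ACC[i].add(v2)
                    SET[i][v2] |= good
            for v2 in newly:
                fwd = frozenset(SET[i][v2] | {pki.sign(i, v2)})
                for j in ids:
                    if j != i:
                        nxt[j].append((v2, fwd))
        inbox = nxt
    # Stage 3: output 1 iff exactly {1} was accepted, otherwise the default 0
    return {i: (v if i == s else int(ACC[i] == {1})) for i in ids if i not in malicious}


def byzantine_agreement(n, t, inputs, pki, malicious=None):
    """The slides' reduction for t < n/2: every party broadcasts its input bit with
    Dolev-Strong and each honest party outputs the majority of the n results."""
    malicious = malicious or {}
    honest = [i for i in range(1, n + 1) if i not in malicious]
    votes = {i: [] for i in honest}
    for s in range(1, n + 1):
        out = dolev_strong(n, t, s, inputs.get(s, 0), pki, malicious)
        for i in honest:
            votes[i].append(out[i])
    return {i: int(2 * sum(vs) > n) for i, vs in votes.items()}


def equivocating_sender(r, inbox, pki):
    """Adversary from the agreement slides: P_1 tells P_2 '1' and P_3 '0', then stays silent."""
    if r != 0:
        return []
    return [(2, (1, frozenset({pki.sign(1, 1)}))), (3, (0, frozenset({pki.sign(1, 0)})))]


def one_recipient_sender(r, inbox, pki):
    """Adversary from the last agreement slide: P_1 sends (1, signature) to P_2 only."""
    return [(2, (1, frozenset({pki.sign(1, 1)})))] if r == 0 else []


if __name__ == "__main__":
    pki = Pki(3)
    print("equivocation:", dolev_strong(3, 1, 1, 1, pki, {1: equivocating_sender}))
    print("one recipient:", dolev_strong(3, 1, 1, 1, pki, {1: one_recipient_sender}))
    print("agreement:", byzantine_agreement(3, 1, {2: 1, 3: 1}, pki, {1: equivocating_sender}))
```

Two details are easy to get wrong when implementing this: the signature count must be over distinct signers (a malicious party re-signing the same value does not add a round’s worth of evidence), and the protocol must run for the full 𝑡 + 1 rounds even when every honest party has already accepted something, since that last round is exactly the one that rescues a party the sender left out.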

Blockchain Consensus

• Some differences:

– No setup (no PKI) is used

– The exact number of participants is not known

– The number of participants can change (permissionless)

• Some similarities:

– Only works under the assumption that some parties are honest (measured as a fraction of the PoW, i.e. of the computing power, rather than as a number of parties)

– Important: Consensus is only achieved over time and only with some probability (a block deep enough in the chain is reverted only with negligible probability)