Date post: 04-Jun-2018

Top 20 Cryptocurrencies on Aggregate market value

- Proof of ‘X’ and Hash functions used -

CRYPTOGRAPHY with BlockChain

- Hash Functions, Signatures and Anonymization -

Hiroaki ANADA*1, Kouichi SAKURAI*2

*1: University of Nagasaki, *2: Kyushu University

ISI Kolkata BlockChain Workshop, Nov 30th, 2017

Acknowledgements: This work is supported by: Grants-in-Aid for Scientific Research of Japan Society for the Promotion of Science; Research Project Number: JP15H02711


Table of Contents

1. Cryptographic Primitives in Blockchains
2. Hash Functions
   a. Roles
   b. Various Hash functions used for Proof of ‘X’
3. Signatures
   a. Standard Signatures (ECDSA)
   b. Ring Signatures
   c. One-Time Signatures (Winternitz)
4. Anonymization Techniques
   a. Mixing (CoinJoin)
   b. Zero-Knowledge proofs (zk-SNARK)
5. Conclusion

Brief History of Proof of ‘X’

1992: “Pricing via Processing or Combatting Junk Mail”, Dwork, C. and Naor, M., CRYPTO ’92
   Pricing Functions
2003: “Moderately Hard Functions: From Complexity to Spam Fighting”, Naor, M., Foundations of Soft. Tech. and Theoretical Comp. Sci.
2008: “Bitcoin: A peer-to-peer electronic cash system”, Nakamoto, S.
   Proof of Work

Brief History of Proof of ‘X’

2008: “Bitcoin: A peer-to-peer electronic cash system”, Nakamoto, S.
   Proof of Work
2012: “Peercoin”
   Proof of Stake (& Proof of Work)
~ : Delegated Proof of Stake, Proof of Storage, Proof of Importance, Proof of Reserves, Proof of Consensus, ...

Proofs of ‘X’

1. Proof of Work
2. Proof of Stake
3. Delegated Proof of Stake
4. Proof of Importance
5. Proof of Consensus
6. Proof of Reserves

Not “Proof of ‘X’” ...

1. delegated Byzantine Fault Tolerance alternative

Hash-based Proof of ‘X’


2. Roles of Hash functions in Blockchains

From signing to MINING

Roles of Hash functions in Blockchains

1. Generating Address of Wallet
   ➢ Pseudonym
2. Generating Digital signature
   ➢ ECDSA
   ➢ One-time signature
3. Defining Hard problem for Proof of ‘X’
   ➢ Proof of Work
   ➢ Proof of Stake
   ➢ Proof of ‘X’

Hash for Proof of ‘X’

A Blockchain extends one-way
➢ Never shrink, Never split
➢ Due to one-wayness of Hash function
➢ Due to Equiprobability of Hash domain

[Figure: blocks block1 to block5 in a chain, with blocks block3’ and block4’]

Hash for Proof of Work

Hard problem: Find a $\mathit{nonce}$

$H(\mathit{last\_hash} \,\|\, Tx \,\|\, \mathit{nonce}) < D$ (as integers)

• $Tx$: Transactions to be approved
• $D$: parameter for difficulty control

[Figure: miners "working..." until one reports "worked!" and "I found it!"]

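Hash for Proof of Stake

Lottery Problem: Is my $\mathit{address}$ lucky?

$H(\mathit{last\_hash} \,\|\, \mathit{time}(\mathrm{sec}) \,\|\, \mathit{address}) < (2^{\lambda} \cdot \mathit{balance}) / D$ (as integers, depending on Stake)

• $D$: parameter for difficulty control

[Figure: addresses reporting "No hit..." until one reports "Hit!" and "Lucky my address!"]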

Hash-based Proofs of ‘X’

1. Proof of Work
   ➢ Finding a nonce in the Equiprobable Hash domain
2. Proof of Stake
   ➢ A Lottery based on address and stake

Variants
3. Delegated Proof of Stake
4. Proof of Importance

Requirements on Hash function [1]

1. Difficulty controllable (adjustable)
2. Quick verification
3. Progress-free (Memoryless to the next search)
4. Equiprobable Domain
5. ASIC-resistance

2. hash functions used

[1] Narayanan, A., Bonneau, J., Felten, E., Miller, A., and Goldfeder, S.: “Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction”, Princeton University Press, 2016

What is “Equiprobable Domain”?

• Each candidate point on Hash Domain should be with Equal probability of Winning
➢ Non-trivial feature
➢ Critical to our

$H : \mathit{Domain} \to \{1, 0\}^{\lambda}$

$H(\mathit{last\_hash} \,\|\, Tx \,\|\, \mathit{nonce}) < D$ (as integers)

ASIC-resistance

• No significant speedup by implementing the mining algorithm in an ASIC, as compared to a CPU based implementation

ASIC-Resistant (One-way) Function

• Bandwidth Hard Functions for ASIC Resistance
   • Ling Ren and Srinivas Devadas, TCC 2017
• Alex Biryukov et al.
   • Symmetrically and Asymmetrically Hard Cryptography, Asiacrypt 2017
   • Asymmetric proof-of-work based on the generalized birthday problem. NDSS 2016.
   • Fast and tradeoff-resilient memory-hard functions for cryptocurrencies and password hashing, 2015.
   • Tradeoff cryptanalysis of memory-hard functions. Cryptology ePrint Archive 2015.

3. Hash Functions Used

SHA-2 in {Bitcoin, Bitcoin Cash, NEM, Namecoin, Peercoin, …}

• NIST Standard
• Low Memory-use

[Figure: One iteration of Compression Function of SHA-2 (SHA-256)]
https://ja.wikipedia.org/wiki/SHA-2

SHA-3 in {IOTA}

• More security as Hash function

[Figure: Sponge Structure of SHA-3]
https://ja.wikipedia.org/wiki/SHA-3

Ethash in {Ethereum, Ethereum Classic}

• Memory Hard
• Steps: ①, …, ⑥

https://www.vijaypradeep.com/blog/2017-04-28-ethereums-memory-hardness-explained/

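Scrypt in {Litecoin, Dogecoin, …}

• Memory Hard
• Memory Bound → ASIC Resistant!

    import hashlib

    def sha256(data):
        return hashlib.sha256(data).digest()

    def scrypt(N, seed):
        # Simplified Scrypt as shown on the slide; seed is a 32-byte string
        V = [b""] * N  # Initialize the inner state
        # Fill the inner state with pseudo-randomness
        V[0] = seed
        for i in range(1, N):
            V[i] = sha256(V[i - 1])
        # Access the inner state in pseudo-random order
        X = sha256(V[N - 1])
        for _ in range(N):
            j = int.from_bytes(X, "big") % N
            X = sha256(bytes(a ^ b for a, b in zip(X, V[j])))
        return X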
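The "Memory Bound → ASIC Resistant" claim can be measured on the slide's simplified Scrypt by keeping only every k-th buffer entry and recomputing the rest on demand. This is an added example, not part of the original slides; `scrypt_tradeoff`, the checkpoint spacing `k` and the hash-call counter are names introduced here, and the seed is a constructed value.

```python
import hashlib

def sha256(data: bytes, counter: list) -> bytes:
    counter[0] += 1                       # count every hash evaluation
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scrypt_tradeoff(N: int, seed: bytes, k: int = 1):
    """Slide's simplified Scrypt, storing only every k-th buffer entry.

    Returns (X, stored_entries, hash_calls); k = 1 keeps the full buffer.
    Assumes a 32-byte seed so that the XOR covers the whole block.
    """
    calls = [0]
    stored, v = {0: seed}, seed
    for i in range(1, N):                 # fill phase: V[i] = SHA-256(V[i-1])
        v = sha256(v, calls)
        if i % k == 0:
            stored[i] = v                 # checkpoint; other entries are dropped
    X = sha256(v, calls)                  # X = SHA-256(V[N-1])
    for _ in range(N):                    # pseudo-random access phase
        j = int.from_bytes(X, "big") % N
        vj = stored[j - j % k]            # nearest checkpoint at or below j
        for _step in range(j % k):        # recompute the dropped entries
            vj = sha256(vj, calls)
        X = sha256(xor(X, vj), calls)
    return X, len(stored), calls[0]

if __name__ == "__main__":
    seed = bytes(range(32))               # constructed 32-byte seed
    for k in (1, 4, 16):
        digest, memory, hashes = scrypt_tradeoff(1024, seed, k)
        print(f"k={k:2d} stored={memory:4d} hashes={hashes:5d} X={digest.hex()[:16]}")
```

The output X is identical for every k; what changes is that a k-fold memory saving is paid for with extra hash evaluations in the access phase, which is why memory stays the limiting resource.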

X11 in {DASH}

• The 11 survivors after 1st round of SHA-3 Compe.: 1) BLAKE, 2) BMW, 3) Groestl, 4) JH, 5) Keccak, 6) Skein, 7) Luffa, 8) CubeHash, 9) SHAvite-3, 10) SIMD, 11) ECHO
• ASIC resistant (?)

[Figure: input → Hash① → Hash② → … → Hash⑪ → output]

CryptoNight in {Monero}

• ASIC-resistant (executable only with CPU/GPU)
• Based on SHA-3 & AES
   → Memory Hard Loop

https://cryptonote.org/cns/cns008.txt

4. Difficulty Control Methods

Previous Work on Difficulty Control

• Mining time is Exponentially Distributed [3][4]
• Discussion as Poisson Process [4]

[Figure: 10 min, 63%; 30 min, 95%; 60 min, 99.7%]

[3] Rosenfeld, M.: “Analysis of Bitcoin Pooled Mining Reward Systems”, http://arxiv.org/abs/1112.4980, 2011
[4] Kraft, D.: “Difficulty control for blockchain-based consensus systems”, Peer-to-Peer Networking and Applications, 2016

Difficulty Control on Proof of Work

Search problem: $H(\mathit{last\_hash} \,\|\, Tx \,\|\, \mathit{nonce}) < D$ (as integers)

• $D$: the controlling parameter
• Bitcoin: $D' := D \cdot \dfrac{2016 \cdot 10\,\mathrm{min}}{\text{Latest Mining Time for 2016 blocks}}$

Difficulty Control on Proof of Stake

Lottery Problem: $H(\mathit{last\_hash} \,\|\, \mathit{time}(\mathrm{sec}) \,\|\, \mathit{address}) < (2^{\lambda} \cdot \mathit{balance}) / D$ (as integers, depending on Stake)

• $D$: the controlling parameter
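The Proof of Work search, the Proof of Stake lottery and the Bitcoin retargeting rule from the slides above, written out as an added example that is not part of the original deck. Assumptions made here: SHA-256 as H (so λ = 256), 8-byte big-endian encodings for nonce and time, function names chosen for this example, and D read as a difficulty with hash threshold 2^λ / D in the Proof of Work case, so that the retargeting rule makes mining harder after a fast period.

```python
import hashlib
import math

LAMBDA = 256  # bit length of the hash output (SHA-256); the slides' λ

def H(*parts: bytes) -> int:
    """Hash the concatenated parts and read the digest as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pow_threshold(difficulty: int) -> int:
    # Assumption: threshold = 2^λ / difficulty, so a larger D is harder.
    return (1 << LAMBDA) // difficulty

def mine(last_hash: bytes, tx: bytes, difficulty: int) -> int:
    """Proof of Work: find the first nonce with H(last_hash||Tx||nonce) < threshold."""
    nonce = 0
    while not verify_pow(last_hash, tx, nonce, difficulty):
        nonce += 1
    return nonce

def verify_pow(last_hash: bytes, tx: bytes, nonce: int, difficulty: int) -> bool:
    """Quick verification: one hash evaluation, however long the search took."""
    return H(last_hash, tx, nonce.to_bytes(8, "big")) < pow_threshold(difficulty)

def stake_wins(last_hash: bytes, time_sec: int, address: bytes,
               balance: int, difficulty: int) -> bool:
    """Proof of Stake lottery: H(last_hash||time||address) < 2^λ * balance / D."""
    threshold = ((1 << LAMBDA) * balance) // difficulty
    return H(last_hash, time_sec.to_bytes(8, "big"), address) < threshold

def retarget(difficulty: int, actual_minutes: int,
             blocks: int = 2016, goal_minutes: int = 10) -> int:
    """Slide's Bitcoin rule: D' = D * (2016 * 10 min) / latest time for 2016 blocks."""
    return max(1, difficulty * blocks * goal_minutes // actual_minutes)

def p_block_within(minutes: float, mean_minutes: float = 10.0) -> float:
    """Exponentially distributed mining time: P(T <= t) = 1 - exp(-t / mean)."""
    return 1.0 - math.exp(-minutes / mean_minutes)

if __name__ == "__main__":
    prev, tx = b"constructed previous hash", b"constructed transactions"
    d = 1 << 12                       # about 4096 hash evaluations expected
    nonce = mine(prev, tx, d)
    print("nonce", nonce, "valid", verify_pow(prev, tx, nonce, d))
    print("difficulty after a fast period:", retarget(d, 2016 * 5))
    hits = [sum(stake_wins(prev, t, b"addr", bal, 64) for t in range(6400))
            for bal in (1, 4)]
    print("lottery hits for balance 1 vs 4:", hits)
```

`p_block_within` reproduces the 63% / 95% / 99.7% figures quoted for 10, 30 and 60 minutes, and the lottery hit counts scale with the balance, which is the "depending on Stake" annotation on the slide.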

2. Signatures used in Blockchains

ECDSA in {Bitcoin, etc.}

• NIST Standard [6]
   ➢ FIPS-PUB 186-3
• Shorter than RSA signatures

[6] “Digital Signature Standard (DSS)”, National Institute of Standards and Technology, 2009

Ring Signatures in {Monero}

• The ring signatures [5] mix spender's address with a group of others
• Making it exponentially more difficult to establish a link between each subsequent transaction
• Impossible to discover actual destination
• The "ring confidential transactions" mechanism hides the transferred amount

[5] “How to leak a secret”, Rivest, R., Shamir, A., and Tauman, Y., ASIACRYPT 2001

Analysis on MONERO

• ESORICS 2017 Session 12: Blockchain
   • Amrit Kumar, Clément Fischer, Shruti Tople and Prateek Saxena.
      • “A Traceability Analysis of Monero’s Blockchain”
   • Shi-Feng Sun, Man Ho Au, Joseph Liu and Tsz Hon Yuen.
      • “RingCT 2.0: A Compact Linkable Ring Signature Based Protocol for Blockchain Cryptocurrency Monero”
• ProvSec 2017 Keynote by J. Liu and M. H. Au
   • “(Linkable) Ring Signature and its Applications to Blockchain”
   • We will further relate linkable ring signature to Monero, one of the current largest blockchain-based cryptocurrency in the world, which is considered to be the most commercial deployment of linkable ring signature nowadays. Finally, we will discuss ways to improve the RingCT (Ring Confidential Transactions) of Monero, the linkable ring signature based protocol to provide privacy for Monero users.

Winternitz One-time signatures in {IOTA}

• A Secret key of one-time signature is usable for only one time
   → In a Blockchain, Address is used for only one time
• Believed Quantum Resistant (?)
• Ref. Post Quantum Signatures
   • By J. Buchmann and D. J. Bernstein

Security of IOTA?

• IOTA is trying to do with DAGs or the SPECTRE protocol (eprint.iacr/2016/1159) -
• Our "Bitcoin Block Withholding Attack: Analysis and Mitigation [BRS]”
   • [BRS] Bag, Ruj, and Sakurai, “Bitcoin Block Withholding Attack: Analysis and Mitigation”, IEEE Trans. IFS 2017.

3. Anonymization techniques used in Blockchains

Mixing by {CoinJoin}

• Anonymization method for bitcoin transactions

https://en.wikipedia.org/wiki/CoinJoin

zk-SNARK in {Zcash}

• Succinct Zero-Knowledge Argument of Knowledge

[6] "Secure Sampling of Public Parameters for Succinct Zero Knowledge Proofs", Ben-Sasson, E., Chiesa, A., Green, M., Tromer, E., Virza, M., IEEE S&P 2015

Challenging Problems

1. Investigate each Coin more
   1. Only the whitepaper claims its own security
   2. Whereas there is little third party research before proposal/operation
2. New design (ISI-B.R. coin?)
   1. Quantum-resistance
      1. Proof of Work, Proof of Stake
   2. Assuring Scalability for > 10 million users
      1. Proof of Work, Proof of Stake
      2. Mining time
   3. Anonymization Techniques


Thank you for your attention!

[SAKURAI 2005 May 23rd MOU CRSI-ISIT]
[ANADA: 2014 Nov 24th-25th MOU ISI & CRSI-ISIT]