CRYPTOGRAPHY with BlockChain
- Hash Functions, Signatures and Anonymization -
Hiroaki ANADA*1, Kouichi SAKURAI*2
*1: University of Nagasaki, *2: Kyushu University
ISI Kolkata BlockChain Workshop, Nov 30th, 2017
Acknowledgements: This work is supported by: Grants-in-Aid for Scientific Research of
Japan Society for the Promotion of Science; Research Project Number: JP15H02711
Table of Contents
1. Cryptographic Primitives in Blockchains
2. Hash Functions
   a. Roles
   b. Various Hash functions used for Proof of 'X'
3. Signatures
   a. Standard Signatures (ECDSA)
   b. Ring Signatures
   c. One-Time Signatures (Winternitz)
4. Anonymization Techniques
   a. Mixing (CoinJoin)
   b. Zero-Knowledge proofs (zk-SNARK)
5. Conclusion
Brief History of Proof of 'X'
1992: "Pricing via Processing or Combatting Junk Mail", Dwork, C. and Naor, M., CRYPTO '92
      -> Pricing Functions
2003: "Moderately Hard Functions: From Complexity to Spam Fighting", Naor, M., Foundations of Software Technology and Theoretical Computer Science (FSTTCS)
2008: "Bitcoin: A peer-to-peer electronic cash system", Nakamoto, S.
      -> Proof of Work
Brief History of Proof of 'X' (continued)
2008: "Bitcoin: A peer-to-peer electronic cash system", Nakamoto, S.
      -> Proof of Work
2012: Peercoin
      -> Proof of Stake (combined with Proof of Work)
Since then: Delegated Proof of Stake, Proof of Storage, Proof of Importance, Proof of Reserves, Proof of Consensus, ...
Proofs of 'X'
1. Proof of Work
2. Proof of Stake
3. Delegated Proof of Stake
4. Proof of Importance
5. Proof of Consensus
6. Proof of Reserves
Not a "Proof of 'X'":
1. delegated Byzantine Fault Tolerance (an alternative)
Hash-based Proof of 'X'
Roles of Hash functions in Blockchains
1. Generating the Address of a Wallet
   - Pseudonym
2. Generating Digital signatures
   - ECDSA
   - One-time signature
3. Defining the Hard problem for Proof of 'X'
   - Proof of Work
   - Proof of Stake
   - Proof of 'X'
Hash for Proof of 'X'
A Blockchain extends one-way
  - Never shrinks, never splits
  - Due to the one-wayness of the Hash function
  - Due to the Equiprobability of the Hash domain
[Figure: block1 -> block2 -> block3 -> block4 -> block5, with a shorter competing branch block3' -> block4' forking off the same chain]
Hash for Proof of Work
Hard problem: Find a nonce such that

    $H(last\_hash \,\|\, Tx \,\|\, nonce) < D$    (compared as integers)

  • Tx: Transactions to be approved
  • D: parameter for difficulty control
[Figure: miners try nonce after nonce ("working... working... worked!", "I found it!")]
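The search problem above in code, as an added example that is not part of the slides: H is taken to be SHA-256 (the slide leaves H generic), the nonce is an 8-byte counter, and the previous block hash, transaction batch and threshold D are constructed for the demonstration. It also shows the two properties the slides ask of the hash: verification costs one hash, and each attempt is an independent trial with success probability D / 2^λ, so the expected number of tries is 2^λ / D and failed attempts give no progress.

```python
import hashlib

LAMBDA = 256                      # output length of H in bits (SHA-256 here)
TWO_POW_LAMBDA = 1 << LAMBDA


def H(data: bytes) -> int:
    """Hash output read as an integer, so that 'H(...) < D' is an integer comparison."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def pow_valid(last_hash: bytes, tx: bytes, nonce: int, D: int) -> bool:
    """Quick verification: a single hash evaluation decides validity."""
    return H(last_hash + tx + nonce.to_bytes(8, "big")) < D


def mine(last_hash: bytes, tx: bytes, D: int, start_nonce: int = 0):
    """Search for a nonce satisfying H(last_hash || Tx || nonce) < D.

    Returns (nonce, tries).  Each try is an independent trial that succeeds
    with probability D / 2^lambda, so the search is progress-free: failed
    attempts carry no information that helps the next one.
    """
    nonce, tries = start_nonce, 0
    while True:
        tries += 1
        if pow_valid(last_hash, tx, nonce, D):
            return nonce, tries
        nonce += 1


def expected_tries(D: int) -> float:
    """Mean number of hash evaluations before a solution: 2^lambda / D."""
    return TWO_POW_LAMBDA / D


# Constructed inputs (not from any real chain): a fake previous block hash,
# a fake transaction batch, and a threshold that demands 12 leading zero bits.
LAST_HASH = hashlib.sha256(b"block 4").digest()
TX = b"alice->bob:3;bob->carol:1"
D_EASY = TWO_POW_LAMBDA >> 12          # expected ~4096 tries

if __name__ == "__main__":
    nonce, tries = mine(LAST_HASH, TX, D_EASY)
    print(f"nonce={nonce} after {tries} tries (expected {expected_tries(D_EASY):.0f})")
    print("verifies:", pow_valid(LAST_HASH, TX, nonce, D_EASY))
```

Lowering D by one bit doubles the expected work while leaving verification unchanged, which is exactly the "difficulty controllable" and "quick verification" requirements listed later in the deck.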
Hash for Proof of Stake
Lottery Problem: Is my address lucky?

    $H(last\_hash \,\|\, time(sec) \,\|\, address) < \frac{2^{\lambda} \cdot balance}{D}$    (compared as integers; the right-hand side depends on the Stake)

  • D: parameter for difficulty control
[Figure: a staker checks the lottery second by second ("No hit... No hit... Hit!", "Lucky my address!")]
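The lottery above in code, as an added example that is not part of the slides or of any coin's implementation: H is SHA-256, λ = 256, and the stakers, balances and the window of seconds are constructed. Because the hash is uniform on {0,1}^λ, an address with a given balance wins a given second with probability balance / D, so hits scale with stake; the simulation keeps last_hash fixed for the whole window, which a real chain would not (it changes after every hit).

```python
import hashlib

LAMBDA = 256
TWO_POW_LAMBDA = 1 << LAMBDA


def H(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def threshold(balance: int, D: int) -> int:
    """Right-hand side of the lottery: (2^lambda * balance) / D.
    With a uniform hash the per-second win probability is balance / D."""
    return (TWO_POW_LAMBDA * balance) // D


def is_lucky(last_hash: bytes, t: int, address: bytes, balance: int, D: int) -> bool:
    """One lottery ticket per address per second: time(sec) is part of the input,
    so a staker cannot grind through nonces the way a PoW miner does."""
    return H(last_hash + t.to_bytes(8, "big") + address) < threshold(balance, D)


def next_hit(last_hash: bytes, address: bytes, balance: int, D: int,
             t0: int = 0, max_wait: int = 10**6):
    """Seconds until the address is lucky (None if not within max_wait)."""
    for t in range(t0, t0 + max_wait):
        if is_lucky(last_hash, t, address, balance, D):
            return t
    return None


def simulate(last_hash: bytes, stakers, D: int, seconds: int) -> dict:
    """Count hits per staker over a window of seconds (constructed simulation:
    last_hash is held fixed, whereas a real chain updates it after each hit)."""
    hits = {addr: 0 for addr, _ in stakers}
    for t in range(seconds):
        for addr, bal in stakers:
            if is_lucky(last_hash, t, addr, bal, D):
                hits[addr] += 1
    return hits


# Constructed inputs: a fake previous block hash and two stakers, 3:1 in balance.
LAST_HASH = hashlib.sha256(b"block 4").digest()
STAKERS = [(b"rich", 3), (b"poor", 1)]

if __name__ == "__main__":
    print(simulate(LAST_HASH, STAKERS, D=200, seconds=20000))   # roughly 300 vs 100 hits
    print("rich first hit at t =", next_hit(LAST_HASH, b"rich", 3, 200))
```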
Hash-based Proofs of 'X'
1. Proof of Work
   - Finding a nonce in the Equiprobable Hash domain
2. Proof of Stake
   - A Lottery based on address and stake
Variants
3. Delegated Proof of Stake
4. Proof of Importance
Requirements on the Hash function
1. Difficulty controllable (adjustable)
2. Quick verification
3. Progress-free (Memoryless: past failed attempts do not help the next search)
4. Equiprobable Domain
5. ASIC-resistance
2. Hash functions used [1]
[1] Narayanan, A., Bonneau, J., Felten, E., Miller, A., and Goldfeder, S.: "Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction", Princeton University Press, 2016
What is an "Equiprobable Domain"?
  • Each candidate point in the Hash Domain should have an Equal probability of Winning
    - Non-trivial feature
    - Critical to our

    $H : Domain \to \{0,1\}^{\lambda}$
    $H(last\_hash \,\|\, Tx \,\|\, nonce) < D$    (compared as integers)
ASIC-resistance
  • No significant speedup by implementing the mining algorithm in an ASIC, as compared to a CPU-based implementation
ASIC-Resistant (One-way) Functions
  • "Bandwidth Hard Functions for ASIC Resistance", Ling Ren and Srinivas Devadas, TCC 2017
  • Alex Biryukov et al.:
    - "Symmetrically and Asymmetrically Hard Cryptography", Asiacrypt 2017
    - "Equihash: Asymmetric proof-of-work based on the generalized birthday problem", NDSS 2016
    - "Fast and tradeoff-resilient memory-hard functions for cryptocurrencies and password hashing", 2015
    - "Tradeoff cryptanalysis of memory-hard functions", Cryptology ePrint Archive, 2015
SHA-2 in {Bitcoin, Bitcoin Cash, NEM, Namecoin, Peercoin, ...}
  • NIST Standard
  • Low Memory use
[Figure: One iteration of the Compression Function of SHA-2 (SHA-256); source: https://ja.wikipedia.org/wiki/SHA-2]
SHA-3 in {IOTA}
  • Newer standard with a different (sponge) structure, regarded as giving more security as a Hash function
[Figure: Sponge Structure of SHA-3; source: https://ja.wikipedia.org/wiki/SHA-3]
Ethash in {Ethereum, Ethereum Classic}
  • Memory Hard
  • Steps: 1, ..., 6 (see the figure at the source below)
[Figure: the six steps of Ethash; source: https://www.vijaypradeep.com/blog/2017-04-28-ethereums-memory-hardness-explained/]
Scrypt in {Litecoin, Dogecoin, ...}
  • Memory Hard
  • Memory Bound -> ASIC Resistant!
Simplified core loop (the slide's pseudocode made runnable in Python; real scrypt wraps this ROMix-style loop in PBKDF2-HMAC-SHA256 and uses the Salsa20/8-based BlockMix rather than plain SHA-256):

```python
import hashlib


def scrypt_core(N: int, seed: bytes) -> bytes:
    V = [None] * N                         # Initialize the inner state: N blocks kept in memory
    V[0] = seed                            # Fill the inner state with pseudo-randomness
    for i in range(1, N):
        V[i] = hashlib.sha256(V[i - 1]).digest()
    X = hashlib.sha256(V[N - 1]).digest()
    for _ in range(N):                     # Access the state in a data-dependent, pseudo-random order
        j = int.from_bytes(X, "big") % N   # the next index is only known after the previous hash
        X = hashlib.sha256(bytes(a ^ b for a, b in zip(X, V[j]))).digest()
    return X
```
X11 in {DASH}
  • The 11 survivors after the 1st round of the SHA-3 Competition, applied in sequence: 1) BLAKE, 2) BMW, 3) Groestl, 4) JH, 5) Keccak, 6) Skein, 7) Luffa, 8) CubeHash, 9) SHAvite-3, 10) SIMD, 11) ECHO
  • ASIC resistant (?)
[Figure: input -> Hash(1) -> Hash(2) -> ... -> Hash(11) -> output]
CryptoNight in {Monero}
  • ASIC-resistant (intended to be executable only on CPU/GPU)
  • Based on SHA-3 (Keccak) & AES
    -> Memory Hard Loop
  • Specification: https://cryptonote.org/cns/cns008.txt
Previous Work on Difficulty Control
  • Mining time is Exponentially Distributed [3][4]
  • Discussion as a Poisson Process [4]
[3] Rosenfeld, M.: "Analysis of Bitcoin Pooled Mining Reward Systems", http://arxiv.org/abs/1112.4980, 2011
[4] Kraft, D.: "Difficulty control for blockchain-based consensus systems", Peer-to-Peer Networking and Applications, 2016
Probability that the next block is found within time t, for a 10 min mean block time ($\Pr[T \le t] = 1 - e^{-t/10\,min}$):
  t = 10 min: 63%
  t = 30 min: 95%
  t = 60 min: 99.75%
Difficulty Control on Proof of Work
Search problem: $H(last\_hash \,\|\, Tx \,\|\, nonce) < D$    (compared as integers)
  • D: the controlling parameter (a larger D makes the search easier)
  • Bitcoin retargets every 2016 blocks, which should take 2016 · 10 min = 2 weeks:

        $D' := D \cdot \frac{\text{latest mining time for 2016 blocks}}{2016 \cdot 10\,min}$

    so blocks that arrived too fast shrink the threshold D. The quantity reported as "difficulty" is proportional to 1/D and is therefore multiplied by the inverse ratio, $2016 \cdot 10\,min$ over the latest mining time.
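The retargeting rule and the exponential block-time model from the previous slide combined in one simulation, as an added example that is not from the slides or from Bitcoin's code: block times are drawn as exponential variables with rate hashrate · D / 2^λ (each hash succeeds with probability D / 2^λ), the threshold D is retargeted every 2016 blocks, and the step is clamped to a factor of 4 per period as Bitcoin does. The hashrate, starting threshold and random seed are constructed; Bitcoin's further details (integer target encoding, the off-by-one in its interval count) are omitted.

```python
import random

BLOCKS_PER_PERIOD = 2016
TARGET_SECONDS = BLOCKS_PER_PERIOD * 600      # 2016 blocks * 10 min = 2 weeks
TWO_POW_LAMBDA = 1 << 256
MAX_ADJUST = 4                                # Bitcoin clamps each retarget to x4 / /4


def retarget(D: int, actual_seconds: float) -> int:
    """Retarget on the threshold D of 'H < D': blocks too fast -> D shrinks,
    too slow -> D grows, with the change clamped to a factor of MAX_ADJUST."""
    ratio = actual_seconds / TARGET_SECONDS
    ratio = min(max(ratio, 1 / MAX_ADJUST), MAX_ADJUST)
    return int(D * ratio)


def period_time(D: int, hashrate: float, rng: random.Random) -> float:
    """Time for one period of 2016 blocks.  Each block time is exponentially
    distributed with rate = hashes per second * success probability per hash."""
    rate = hashrate * D / TWO_POW_LAMBDA
    return sum(rng.expovariate(rate) for _ in range(BLOCKS_PER_PERIOD))


def simulate(D0: int, hashrate: float, periods: int, seed: int = 1) -> list:
    """Return [(D used in period, seconds the period took), ...].  With a
    constant hashrate the period time converges to TARGET_SECONDS."""
    rng = random.Random(seed)
    D, history = D0, []
    for _ in range(periods):
        t = period_time(D, hashrate, rng)
        history.append((D, t))
        D = retarget(D, t)
    return history


# Constructed scenario: 1 MH/s of hashing power against a threshold that is
# 16x too easy for it, so the first period finishes in about 1/16 of two weeks.
HASHRATE = 1_000_000
D_START = TWO_POW_LAMBDA * 16 // (600 * HASHRATE)

if __name__ == "__main__":
    for D, t in simulate(D_START, HASHRATE, periods=6):
        print(f"D=2^{D.bit_length() - 1}  period took {t / 86400:.2f} days")
```

Because each step is clamped to a factor of 4, a 16x mismatch takes two periods to correct; a sudden loss of most of the hashrate (the other direction) is just as slow to recover from, which is the practical cost of the clamp.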
Difficulty Control on Proof of Stake
Lottery Problem:

    $H(last\_hash \,\|\, time(sec) \,\|\, address) < \frac{2^{\lambda} \cdot balance}{D}$    (compared as integers; the right-hand side depends on the Stake)

  • D: the controlling parameter (with a uniform hash each address wins a given second with probability balance/D, so raising D lowers every staker's chance in proportion)
ECDSA in {Bitcoin, etc.}
  • NIST Standard [6]
    - FIPS PUB 186-3
  • Shorter than RSA signatures (two 256-bit integers r, s versus a 2048-bit RSA signature)
[6] "Digital Signature Standard (DSS)", National Institute of Standards and Technology, 2009
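A textbook ECDSA over secp256k1 (Bitcoin's curve) in pure Python, as an added example that is neither the slides' material nor any wallet's code: key generation, signing, verification, and the check a practitioner wants to see, namely what happens when the per-signature nonce k is reused. The private key and nonce constants are constructed, the implementation has no side-channel protection and is not for production use, and the nonce is passed in explicitly rather than derived deterministically (as RFC 6979 would).

```python
import hashlib

# secp256k1 domain parameters: prime field, group order, base point
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # A == -B
    if A == B:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P  # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k: int, Pt):
    """Double-and-add (not constant time)."""
    R = None
    while k:
        if k & 1:
            R = point_add(R, Pt)
        Pt = point_add(Pt, Pt)
        k >>= 1
    return R


def hash_msg(msg: bytes) -> int:
    """Message digest as an integer, reduced mod N."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def keygen(d: int):
    return d, scalar_mult(d, G)


def sign(d: int, msg: bytes, k: int):
    """r = (kG).x mod N, s = k^-1 (z + r d) mod N.  k must be secret and unique per message."""
    z = hash_msg(msg)
    r = scalar_mult(k, G)[0] % N
    s = (z + r * d) * pow(k, -1, N) % N
    return r, s


def verify(Q, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = hash_msg(msg), pow(s, -1, N)
    X = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, Q))
    return X is not None and X[0] % N == r


def recover_key_from_reused_nonce(msg1: bytes, sig1, msg2: bytes, sig2) -> int:
    """Two signatures with the same r share k:  k = (z1 - z2)/(s1 - s2),
    then d = (s1 k - z1)/r.  This is why k must never repeat."""
    (r, s1), (_, s2) = sig1, sig2
    z1, z2 = hash_msg(msg1), hash_msg(msg2)
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N


# Constructed test values: an arbitrary private key and two nonces (all < N).
PRIV_KEY = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
K_REUSED = 0x1D6A2C9F3B7E4A5C8D0E1F2A3B4C5D6E7F8091A2B3C4D5E6F708192A3B4C5D6E
K_FRESH = 0x7A5B3C1D9E8F7061524334251607F8E9DACBBCAD9E8F70615243342516070809
MSG1, MSG2 = b"pay 1 BTC to alice", b"pay 2 BTC to bob"

if __name__ == "__main__":
    d, Q = keygen(PRIV_KEY)
    sig1, sig2 = sign(d, MSG1, K_REUSED), sign(d, MSG2, K_REUSED)
    print("both verify:", verify(Q, MSG1, sig1) and verify(Q, MSG2, sig2))
    print("recovered key matches:", recover_key_from_reused_nonce(MSG1, sig1, MSG2, sig2) == d)
```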
Ring Signatures in {Monero}
  • The ring signature [5] mixes the spender's address with a group of others
  • Making it exponentially more difficult to establish a link between each subsequent transaction
  • The actual spender cannot be singled out among the ring members
  • The "ring confidential transactions" mechanism hides the transferred amount
[5] "How to leak a secret", Rivest, R., Shamir, A., and Tauman, Y., ASIACRYPT 2001
Analyses of Monero
  • ESORICS 2017, Session 12: Blockchain
    - Amrit Kumar, Clément Fischer, Shruti Tople and Prateek Saxena: "A Traceability Analysis of Monero's Blockchain"
    - Shi-Feng Sun, Man Ho Au, Joseph Liu and Tsz Hon Yuen: "RingCT 2.0: A Compact Linkable Ring Signature Based Protocol for Blockchain Cryptocurrency Monero"
  • ProvSec 2017 Keynote by J. Liu and M. H. Au: "(Linkable) Ring Signature and its Applications to Blockchain"
    "We will further relate linkable ring signature to Monero, one of the current largest blockchain-based cryptocurrencies in the world, which is considered to be the most commercial deployment of linkable ring signature nowadays. Finally, we will discuss ways to improve the RingCT (Ring Confidential Transactions) of Monero, the linkable ring signature based protocol to provide privacy for Monero users."
Winternitz One-time signatures in {IOTA}
  • A Secret key of a one-time signature is usable only once
    -> In the Blockchain, an Address is used only once
  • Believed Quantum Resistant (?)
  • Ref.: Post-Quantum Signatures, by J. Buchmann and D. J. Bernstein
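A minimal Winternitz one-time signature in code, as an added example that is not from the slides and not IOTA's implementation (IOTA's parameters and hash differ): w = 16 over SHA-256, 64 digit chains for a 32-byte digest plus 3 checksum chains. It shows why the checksum exists (without it, anyone holding a signature can step a chain forward and sign a digest with a larger digit) and why the key is one-time: every signature reveals chain elements, so a second signature with the same key reveals more of them.

```python
import hashlib

W = 16            # Winternitz parameter: each hash chain has W-1 = 15 steps
L1 = 64           # base-16 digits of a 32-byte message digest
L2 = 3            # checksum digits: max checksum 64*15 = 960 < 16^3
L = L1 + L2       # number of chains (secret key parts)


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def chain(x: bytes, steps: int) -> bytes:
    """Apply H 'steps' times."""
    for _ in range(steps):
        x = H(x)
    return x


def base_w(value: int, count: int) -> list:
    """Base-16 digits of value, most significant first, padded to count digits."""
    return [(value >> (4 * (count - 1 - i))) & 0xF for i in range(count)]


def encode(digest: bytes, with_checksum: bool = True) -> list:
    """Digest digits, optionally followed by the checksum sum(W-1 - d_i).
    Raising any digest digit lowers the checksum, so some checksum digit
    would have to go *down*, which cannot be forged from a signature."""
    msg = base_w(int.from_bytes(digest, "big"), L1)
    if not with_checksum:
        return msg
    return msg + base_w(sum(W - 1 - d for d in msg), L2)


def keygen(seed: bytes):
    """sk_i derived from a seed (constructed derivation); pk_i = H^{W-1}(sk_i)."""
    sk = [H(seed + i.to_bytes(2, "big")) for i in range(L)]
    pk = [chain(s, W - 1) for s in sk]
    return sk, pk


def sign(sk: list, digest: bytes) -> list:
    """sig_i = H^{d_i}(sk_i): the signature reveals element d_i of every chain,
    which is why the key must be used once only."""
    return [chain(sk[i], d) for i, d in enumerate(encode(digest))]


def verify(pk: list, digest: bytes, sig: list, with_checksum: bool = True) -> bool:
    """Walk each chain the remaining W-1-d_i steps and compare with pk_i."""
    ds = encode(digest, with_checksum)
    return all(chain(sig[i], W - 1 - d) == pk[i] for i, d in enumerate(ds))


def forge_increment(digest: bytes, sig: list):
    """Attack on the checksum-less scheme: pick a digit d_i < 15, replace sig_i
    by H(sig_i) (= chain element d_i + 1) and claim a digest whose digit i is
    d_i + 1.  Returns (forged_digest, forged_sig), or None if every digit is 15."""
    for i, d in enumerate(encode(digest, with_checksum=False)):
        if d < W - 1:
            value = int.from_bytes(digest, "big") + (1 << (4 * (L1 - 1 - i)))
            forged_sig = list(sig)
            forged_sig[i] = H(sig[i])
            return value.to_bytes(32, "big"), forged_sig
    return None


# Constructed inputs: a throwaway seed and two message digests.
SEED = b"constructed WOTS seed, not a real key"
DIGEST = hashlib.sha256(b"transfer 5 tokens to address X").digest()
OTHER_DIGEST = hashlib.sha256(b"transfer 500 tokens to address Y").digest()

if __name__ == "__main__":
    sk, pk = keygen(SEED)
    sig = sign(sk, DIGEST)
    fd, fs = forge_increment(DIGEST, sig)
    print("genuine verifies:", verify(pk, DIGEST, sig))
    print("forgery accepted without checksum:", verify(pk, fd, fs, with_checksum=False))
    print("forgery accepted with checksum:", verify(pk, fd, fs))
```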
Security of IOTA?
  • IOTA is trying to do this with DAGs, cf. the SPECTRE protocol (https://eprint.iacr.org/2016/1159)
  • Related: our "Bitcoin Block Withholding Attack: Analysis and Mitigation" [BRS]
    [BRS] Bag, Ruj, and Sakurai: "Bitcoin Block Withholding Attack: Analysis and Mitigation", IEEE Trans. IFS, 2017
Mixing by {CoinJoin}
  • Anonymization method for bitcoin transactions: several spenders merge their inputs and outputs into one transaction, so that an observer cannot tell which input paid which output
  • https://en.wikipedia.org/wiki/CoinJoin
zk-SNARK in {Zcash}
  • Succinct Non-interactive Zero-Knowledge Argument of Knowledge
  • Its public parameters come from a trusted setup, whose secure generation is the subject of [7]
[7] "Secure Sampling of Public Parameters for Succinct Zero Knowledge Proofs", Ben-Sasson, E., Chiesa, A., Green, M., Tromer, E., Virza, M., IEEE S&P 2015
Challenging Problems
1. Investigate each Coin more
   1. Only the white paper claims its own security
   2. Whereas there is little third-party research before proposal/operation
2. New design (ISI-B.R. coin?)
   1. Quantum-resistance
      1. Proof of Work, Proof of Stake
   2. Assuring Scalability for > 10 million users
      1. Proof of Work, Proof of Stake
      2. Mining time
   3. Anonymization Techniques