Chapter 13. Digital Cash. Information Security/System Security p. 570/626

Transcription

1 Chapter 13 Digital Cash Information Security/System Security p. 570/626

2 Introduction While cash is used in illegal activities such as bribing money laundering tax evasion it also protects privacy: not everyone needs to know about your payments for transportation and accommodation pharmaceuticals books and magazines religious and political contributions Information Security/System Security p. 571/626

3 Introduction (2) In the physical world, cash is an anonymous, untraceable way to transfer money Currently, we are missing an electronic counterpart Everytime we pay using online banking credit cards or services like PayPal we leave a trace Information Security/System Security p. 572/626

4 Introduction (3) Liberty Reserve (based in Costa Rica) offered a service to transfer money in an anonymous way All you needed was a name, address, and birth date However, the identity was never checked The U.S. government eventually filed a case against Liberty Reserve The service was used for criminal activities as well When it was shut down in 2013, legitimate users also lost money Information Security/System Security p. 573/626

5 Not So Serious Attempt Simple procedure to create digital cash: 1. Create new file and type in This file is worthe Take file with you to buy things Now you just have to find someone who accepts this... Information Security/System Security p. 574/626

6 First Attempt Let s try to come up with a cryptographic protocol for digital cash Paper money started out as a promise by a bank: I promise to pay the bearer on demand the sum of... Information Security/System Security p. 575/626

7 First Attempt (2) Can we have a digital equivalent of this? 1. Alice goes to bank, handing overe Bank creates message m: pay bearere Bank signs m with its private key d B 4. Bank gives E db (m) to Alice Alice can now spend it A merchant can check the validity (assuming the public key e B of the bank is known) Merchant gets cash from bank for E db (m) Information Security/System Security p. 576/626

8 Double Spending Now we have a problem: What prevents Alice from spending it multiple times? Or someone showing up with the same message multiple times to cash it in? This is a serious problem: copying physical bank notes is difficult, copying bits and bytes not Bank could add a serial number to the message m Each digital bank note is allowed to be cashed in only once Everything fine now? Information Security/System Security p. 577/626

9 Anonymity We lose the anonymity The bank knows which messages were spent by Alice it generated the serial number We need a so-called blind signature Let s illustrate this with paper documents Information Security/System Security p. 578/626

10 Blind Signatures 1. Alice creates x messages fore 10 each 2. Puts each one in a separate envelope lined with carbon paper and gives them to the bank 3. Bank randomly opens x 1 of them, verifying that each is fore Bank signs the last envelope blindly without opening it, deductse 10 from Alice s bank account 5. Bank hands unopened envelope to Alice Payment and cashing in as before Information Security/System Security p. 579/626

11 Blind Signatures (2) Bank never sees what it signs Assume Alice wants to cheat (by putting different amounts in the envelopes): Bank opens envelopes randomly With a probability of x 1 x bank can detect this fraud This is anonymous, but we have re-introduced the double spending Information Security/System Security p. 580/626

12 Adding Anonymity Alice can add the serial number herself Every message is appended by a different long random string Probability of a collision should be really, really small By opening x 1 envelopes bank can see those serial numbers but not the one it actually signs However, if someone tries to cash in a message twice, bank can detect it Information Security/System Security p. 581/626

13 Cryptography What do blind signatures look like in terms of cryptography? Both, Alice and the bank, have a pair of keys (public and private): e A and d A for Alice and e B and d B for the bank Alice blinds x messages: she encrypts them with e A She sends them to the bank, which signs them with d B The bank asks Alice to unblind x 1 of the messages: she decrypts them with d A and sends them to the bank The bank then verifies that messages are well-formed Alice unblinds final message, which she spends Information Security/System Security p. 582/626

14 Further Issues The bank is protected from cheaters, but we cannot identify them When double-spending is detected, we don t know whether someone tried to cheat a merchant a merchant tried to cheat the bank There are more complicated versions of the protocol that try to identify cheater Another solution is for the merchant to check with the bank before accepting a message Information Security/System Security p. 583/626

15 Further Issues (2) However, all of these protocols assume a trusted third party (the bank) We would like to have a decentralized, self-enforcing protocol Enter Bitcoin: Information Security/System Security p. 584/626

16 Bitcoin Bitcoin eliminates the trusted third party in the protocol Two parties can directly interact with each other As we have seen, digital signatures are part of the solution The problem is double-spending Bitcoin replaces the trusted third party with a peer-to-peer network The protocol is based on cryptographic proof rather than trust Information Security/System Security p. 585/626

17 A Basic Simplified Protocol We start by describing a very simplified view Every user participating in the scheme is identified by a public key A user can have more than one key (to obfuscate their identity) Every digital coin has an ID, a value, and is associated with a public/private key pair Coin is signed with private key of owner d A ID: 5873, value: 10 Information Security/System Security p. 586/626

18 Transfer of Ownership To transfer a coin, the current owner takes a hash of the previous transaction (or original coin) the public key of the new owner and signs them with their private key A payee can check signatures to verify chain of ownership d B e C d A e H( ) B d A H( ) ID: 5873, value: 10 Information Security/System Security p. 587/626

19 Issues Anonymity is ok as long as owners of key pairs are not identified Nevertheless, there are still problems Who creates the initial coins? How do we prevent double-spending Information Security/System Security p. 588/626

20 Trusted Third Party These issues could be solved with a trusted third party (Trent) Initial coins are issued by Trent, who is signing them Trent would also keep a complete record of all transactions in a public ledger Before accepting a transaction, ledger is checked for double-spending How do we make sure that Trent (or someone else) does not manipulate the ledger? Information Security/System Security p. 589/626

21 Blockchain A block chain is a series of data blocks Each contains a transaction consisting of an ID, its content and a hash pointer to the previous block In practice, each block contains more than one transaction to not waste space Trent signs the final hash pointer Information Security/System Security p. 590/626

22 Blockchain (2) Why does Trent not just sign individual transactions? Blockchain is an unmodifiable append-only data structure Any attempts to modify or remove an earlier transaction will affect the whole chain (one-way hash function) and therefore be easy to catch Anyone can now verify the validity of a transaction in the chain and see the same order of events Information Security/System Security p. 591/626

23 Issues Trusted third party is a single point of failure Trent cannot create fake transactions (he does not have any private keys of users) However, he could reject transactions of certain users, basically denying them service create as many coins as he wants, causing inflation hike up transaction costs significantly abandon the whole scheme Information Security/System Security p. 592/626

24 Decentralized Scheme In the ideal case, we would like to run the scheme without a trusted third party In a decentralized scheme, users need to agree on how to maintain a single official blockchain on which transactions are valid and actually happened on how to create new coins The following scheme will work if the majority of the nodes are honest Information Security/System Security p. 593/626

25 From Third Party to Peer-to-Peer Let s assume that we have n nodes in a network Nodes can join and leave while the system is running 1. Each node collects new transactions in a block (all transactions are broadcast widely in the network) 2. Each round a random node gets to broadcast its new block 3. Other nodes accept the block if all transactions are valid (unspent coins; valid signatures) 4. When a node accepts a block, it includes its hash in the next block it creates Information Security/System Security p. 594/626

26 Attacking the Scheme Let s assume Mallory operates a node in the scheme and wants to subvert it Possible attack vectors: Stealing coins Denial-of-Service Double Spending Information Security/System Security p. 595/626

27 Stealing Coins Mallory wants to transfer ownership of a coin to himself He would need the private key of a user to forge a transaction If he just makes up things, the other nodes would notice an invalid signature and not accept his block Information Security/System Security p. 596/626

28 Denial-of-Service Mallory dislikes Alice and will not include any of her transactions in his blocks He cannot prevent other nodes from processing Alice s transactions The only effect is that Alice may have to wait a little bit longer for her transactions to be included in a block Information Security/System Security p. 597/626

29 Double Spending Mallory buys something (online) from Bob and transfers a coin to Bob He and/or Bob broadcast this transaction to the network and an (honest) node includes it in its block Mallory, who runs a node in the network, creates a block without this transaction Instead he transfers the coin to another public key that he owns and includes this transaction in the block he creates He then broadcasts this block to the network Information Security/System Security p. 598/626

30 Double Spending (2) Now we have a conflict: There is one version of the blockchain with the transaction Mallory Bob and one with the transaction Mallory Mallory How do we resolve this conflict? A node cannot distinguish which one is the correct one: both look valid The second, fraudulent block may even arrive first at a node Information Security/System Security p. 599/626

31 Double Spending (3) A node will always extend the longer blockchain (and discard shorter ones) In case of a tie, it is not clear which block will make it However, there is something Bob can do Not immediately delivering the service/product Wait until the transaction transferring a coin to him is embedded deeper in the blockchain Usually sufficient to wait until five to six new blocks have been added to the chain containing his transaction Information Security/System Security p. 600/626

32 Random Selection There is still an open issue: how do we select the random node to broadcast their block? We are in a peer-to-peer network with no central authority We use a concept called proof-of-work Information Security/System Security p. 601/626

33 Proof-of-Work We select nodes in proportion to their computing power Assuming that the computing power is not monopolized Roughly speaking, the amount of computing power spent by a node will determine their chance of being picked Information Security/System Security p. 602/626

34 Proof-of-Work (2) A node cannot just add a block to the chain It has to solve a hash puzzle to do so: It has to find a nonce (number used only once) that hashed together with the hash of the previous block and the transactions has certain properties E.g, H( nonce H(prev block) TA 1 TA 2... ) has 20 leading zeroes Information Security/System Security p. 603/626

35 Proof-of-Work (3) As we are using cryptographic one-way hash functions, we can find a nonce only by trying out a (large) range of values Once a node finds a nonce, it can broadcast the new block Finding the nonce takes some time, verifying it is very fast Solving these hash puzzles is called bitcoin mining Nodes are called miners Information Security/System Security p. 604/626

36 Incentives Why would you want to run a miner? As a reward for solving the hash puzzle for a block you are allowed to add a special transaction to the block This special transaction creates a new bitcoin that belongs to you Information Security/System Security p. 605/626

37 Incentives (2) The hardness of the hash puzzles is readjusted from time to time E.g. by requiring more leading zeroes Otherwise the mining time would become shorter and shorter As hardware is getting faster and faster Information Security/System Security p. 606/626

38 Incentives (3) The total number of bitcoins is fixed Miners are allowed to create a total of 21 million At some point, Bitcoin will have to switch to transaction fees Actually, this is already possible The creator of a transaction allows the miner to take a small part of the money in the transaction as a fee Information Security/System Security p. 607/626

39 Optimizations There are a couple of optimizations that are not covered here There are schemes for saving disk space by getting rid of some (old) transactions A simplified payment verification without running a full P2P network node A technique for combining and splitting the value of coins Information Security/System Security p. 608/626

40 Issues with Bitcoin The bitcoin protocol is not perfect, there are some issues Scalability Throughput of transactions per second is not particularly high The size of the blockchain is also a problem There is no service infrastructure (when things go wrong) Is bitcoin really anonymous? No authentication necessary, but full transaction history available Is that enough? Open research questions Various political issues Information Security/System Security p. 609/626

41 The Future of Bitcoin It s very hard to say what the future will bring For example, the exchange rate is quite volatile: Information Security/System Security p. 610/626

42 The Future of Bitcoin (2) The opinions about bitcoin range from: It s dead (has been proclaimed dead a couple of times) It will revolutionize the world, bringing an end to banks and also causing problems for financial regulators The truth is probably somewhere in between Even if it fails, it has come up with new ideas If it continues, it probably has to switch to a transaction fee model (new coins will be harder and harder to find) Information Security/System Security p. 611/626

43 Summary Coming up with a digital currency that has properties similar to cash, being decentralized anonymous hard to copy is a challenging task Bitcoin is one of the first approaches that seems practicable Information Security/System Security p. 612/626