CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Similar documents
CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

ENEE 457: E-Cash and Bitcoin

Problem: Equivocation!

Blockchain. CS 240: Computing Systems and Concurrency Lecture 20. Marco Canini

Analyzing Bitcoin Security. Philippe Camacho

How Bitcoin achieves Decentralization. How Bitcoin achieves Decentralization

Bitcoin and Blockchain

Computer Security. 14. Blockchain & Bitcoin. Paul Krzyzanowski. Rutgers University. Spring 2019

Bitcoin. CS6450: Distributed Systems Lecture 20 Ryan Stutsman

Chapter 13. Digital Cash. Information Security/System Security p. 570/626

Blockchain, Cryptocurrency, Smart Contracts and Initial Coin Offerings: A Technical Perspective

SpaceMint Overcoming Bitcoin s waste of energy

Security Analysis of Bitcoin. Dibyojyoti Mukherjee Jaswant Katragadda Yashwant Gazula

Bitcoin, a decentralized and trustless protocol

Smalltalk 3/30/15. The Mathematics of Bitcoin Brian Heinold

Bitcoin, Security for Cloud & Big Data

Consensus & Blockchain

SmartPool: practical decentralized pool mining. Loi Luu, Yaron Velner, Jason Teutsch, and Prateek Saxena August 18, 2017

Lecture 3. Introduction to Cryptocurrencies

Bitcoin. Arni Par ov. December 17, 2013

EECS 498 Introduction to Distributed Systems

CONSENSUS PROTOCOLS & BLOCKCHAINS. Techruption Lecture March 16 th, 2017 Maarten Everts (TNO & University of Twente)

Hijacking Bitcoin: Routing Attacks on Cryptocurrencies

On the impact of propogation delay on mining rewards in Bitcoin. Xuan Wen 1. Abstract

REM: Resource Efficient Mining for Blockchains

Bitcoin (Part I) Ken Calvert Keeping Current Seminar 22 January Keeping Current 1

Anupam Datta CMU. Fall 2015

Blockchains & Cryptocurrencies

BITCOIN PROTOCOL & CONSENSUS: A HIGH LEVEL OVERVIEW

The power of Blockchain: Smart Contracts. Foteini Baldimtsi

What is Proof of Work?

Biomedical Security. Some Security News 10/5/2018. Erwin M. Bakker

Ergo platform. Dmitry Meshkov

ICS 421 & ICS 690. Bitcoin & Blockchain. Assoc. Prof. Lipyeow Lim Information & Computer Sciences Department University of Hawai`i at Mānoa

CS 251: Bitcoin and Crypto Currencies Fall 2015

Whitepaper Rcoin Global

A Gentle Introduction To Bitcoin Mining

University of Duisburg-Essen Bismarckstr Duisburg Germany HOW BITCOIN WORKS. Matthäus Wander. June 29, 2011

Introduction to Cryptoeconomics

International Journal of Computer Engineering and Applications, Volume XIII, Issue II, Feb. 19, ISSN

BlockFin A Fork-Tolerant, Leaderless Consensus Protocol April

What is Bitcoin? How Bitcoin Works. Outline. Outline. Bitcoin. Problems with Centralization

Biomedical Security. Cipher Block Chaining and Applications

Reliability, distributed consensus and blockchain COSC412

BLOCKCHAIN Blockchains and Transactions Part II A Deeper Dive

Lecture 6. Mechanics of Bitcoin

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts. Yashar Dehkan Asl

Crypto tricks: Proof of work, Hash chaining

Biomedical and Healthcare Applications for Blockchain. Tiffany J. Callahan Computational Bioscience Program Hunter/Kahn Labs

EVALUATION OF PROOF OF WORK (POW) BLOCKCHAINS SECURITY NETWORK ON SELFISH MINING

Key concepts of blockchain

Introduc)on to Bitcoin

Bitcoin and Cryptocurrency Technologies. Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, Steven Goldfeder

Applied cryptography

Distributed Algorithms Bitcoin

On the linkability of Zcash transactions

SOME OF THE PROBLEMS IN BLOCKCHAIN TODAY

Lecture 9. Anonymity in Cryptocurrencies

Blockchain (a.k.a. the slowest, most fascinating database you ll ever see)

P2P BitCoin: Technical details

How Bitcoin Achieves Decentralization

Introduction to Cryptocurrency Ecosystem. By Raj Thimmiah

Algorand: Scaling Byzantine Agreements for Cryptocurrencies

Introduction to Bitcoin I

Proof-of-Stake Protocol v3.0

Transactions as Proof-of-Stake! by Daniel Larimer!

Data Consistency and Blockchain. Bei Chun Zhou (BlockChainZ)

DEV. Deviant Coin, Innovative Anonymity. A PoS/Masternode cr yptocurrency developed with POS proof of stake.

Technical White Paper of. MOAC Mother of All Chains. June 8 th, 2017

CS 251: Bitcoin and Cryptocurrencies Fall 2016

Radix - Public Node Incentives

TOPPERCASH TOPPERCASH WHITEPAPER REFORM THE BEST OF BLOCKCHAIN

Hyperledger fabric: towards scalable blockchain for business

New Cryptocurrency Protocol without Proof of Work

Cryptography and Cryptocurrencies. Intro to Cryptography and Cryptocurrencies

Security (and finale) Dan Ports, CSEP 552

Anupam Datta CMU. Spring 2017

Cryptocurrency and Blockchain Research

I. Introduction. II. Security, Coinage and Attacks

Multiparty Computation (MPC) protocols

Who wants to be a millionaire? A class in creating your own cryptocurrency

The game If you listen very carefully during the first 4 cards (or use the cheat sheet) you will get an advantage on the last 5 cards

BLOCKCHAIN The foundation behind Bitcoin

Ensimag - 4MMSR Network Security Student Seminar. Bitcoin: A peer-to-peer Electronic Cash System Satoshi Nakamoto

Lecture 12. Algorand

A Perspective on Bitcoin and Blockchain

Digital Currencies: Algorithms and Protocols

The security and insecurity of blockchains and smart contracts

BITCOIN MECHANICS AND OPTIMIZATIONS. Max Fang Philip Hayes

Proof of Stake Made Simple with Casper

Distributed Ledger Technology & Fintech Applications. Hart Montgomery, NFIC 2017

Ergo platform overview

Resource-Efficient Mining (REM) with Proofs of Useful Work (PoUW)

GENESIS VISION NETWORK

Alternatives to Blockchains. Sarah Meiklejohn (University College London)

Blockchain, cryptography, and consensus

GRADUBIQUE: AN ACADEMIC TRANSCRIPT DATABASE USING BLOCKCHAIN ARCHITECTURE

Blockchain Beyond Bitcoin. Mark O Connell

Alternative Consensus Algorithms. Murat Osmanoglu

Transcription:

CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University April 9 2018

Schedule HW 4 Due on Thu 04/12 Programming project 3 Due on 04/26 (last day it can be accepted) Grading on 04/27 Final exam 04/23, 1-3pm Office hours during the week of 04/16 2

Bitcoin Digital crypto currencies Advantages over paper cash Distributed public ledger Blockchain creation and distribution Proof of Work (PoW) Agreement and resilience to adversaries Incentives for users Bitcoin security Other cryptocurrencies 3

Resources Book: Bitcoin and Cryptocurrency Technologies http://bitcoinbook.cs.princeton.edu/ Bonneau et al. Research Perspectives and Challenges for Bitcoin and Cryptocurrencies. https://eprint.iacr.org/2015/261.pdf Bitcoin and Cryptocurrency Technologies Course https://www.coursera.org/learn/cryptocurrency https://piazza.com/princeton/spring2015/btctech /resources 4

Bitcoin a digital analogue of the paper money A digital currency introduced by Satoshi Nakamoto in 2008 First e-cash without a centralized issuing authority Store and transfer value without reliance on central banks Anyone can join the system and make transactions Transactions are publicly verifiable Built on top of an unstructured P2P system Participants validate transactions and mint currency System works as long as the majority of users are honest Currency unit: Bitcoin (BTC) 1 BTC = 10 8 Satoshi; value $6800 5

Bitcoin idea Public trusted bulletinboard (public ledger or DB) Includes list of all transactions Verifiable by all users How to maintain it in decentralized fashion? SK A SK A Public ledger PK A owns coin 92cab79341c PK A transfers 1 coin (16fab13fc6890) to PK B PK A transfers 1 coin (16fab13fc6890) to PK C 16fab13fc6890 You ve already spent this coin! 6

Challenges in designing public ledger T1 T2 T3 T1 T3 T2 - Decentralized ledger - Each user maintains a list of transactions ordered across time - His own transactions and transactions received from other users - Main challenges: Obtain consensus - Order of transactions is the same at all nodes - Attack models - Network failures (messages might not be delivered timely) - Offline participants (nodes leave and re-connect to the network) - Malicious nodes (nodes try to double spend) 7

Distributing transactions New transactions are broadcast to all nodes P2P network Each node collects new transactions into a block In each round (e.g., every 10 minutes) A random node creates the next block (includes outstanding transactions) and broadcasts it to the network Other nodes accept the block only if all transactions in it are valid Valid signatures Coins not spent before Nodes accept the block by including it in their local ledger 8

A simple hash-based PoW H -- a hash function whose computation takes time TIME(H) random x Prover s finds s such that H(s,x) starts with n zeros (in binary) salt hardness parameter n Verifier checks if H(s,x) starts with n zeros takes time 2 n TIME(H) takes time TIME(H) 9

How are the PoWs used? H hash function salt salt salt block 0 H block 1 H block 2 H block 3 transactions from period 1 transactions from period 2 transactions from period 3 Main idea: to extend it one needs to find salt such that H(salt, block i, transactions) starts with some number n of zeros Process is called block mining 10

Public ledger Tamper-evident log Record and order all transactions Valid transactions can not be modified New transactions are appended after being validated How to design it? What data structure and crypto primitives to use? How to prevent attackers controlling majority of transactions? How to reach agreement? How to incentivize users? 11

Distributed consensus Traditional application Reliability in distributed systems Fixed number of nodes, each has an input Requirements The protocol terminates and all correct nodes output same value The value they output is input to a correct node In Bitcoin nodes need to reach consensus on order of transactions Adversary can create arbitrary transactions 12

13

Why consensus is hard Many reasons Nodes may crash (benign failures) Nodes may be malicious (adversarial failures) Network is imperfect Faults, dis-connections, variable latency No notion of global time Impossibility results Asynchronous setting (messages might be delayed indefinitely) FLP theorem: It is impossible to achieve consensus with single node failing in asynchronous networks 14

Consensus in Bitcoin New transactions are broadcast to all nodes Nodes collect new transactions into a block In each round the node solving the puzzle generates and sends the next block Other nodes accept the block only if all transactions in it are valid They all broadcast the new block to all nodes Nodes accept the block by including it in their local ledger and mining on the new block Probabilistic guarantee to get around impossibility results 15

Eventual consistency Consensus doesn t happen right away At least 10 mins to verify a transaction Agree to pay Wait for one block (10 mins) for the transaction to go through But, for a large transaction ($$$) wait longer. If you wait longer there will be more blocks mined and higher probability that your transaction is on the consensus chain For large $$$, you wait for six blocks (1 hour) or longer E.g., if a vendor requires 6 confirmations and an attacker controls 10% of the CPU power, the attack will succeed 0.02428% of the time 16

The hardness parameter is periodically changed The computing power of the miners changes. The miners should generate the new block each 10 minutes (on average). Therefore the hardness parameter is periodically adjusted to the mining power This happens once each 2016 blocks. For example the block generated on 2014-03-17 18:52:10 looked like this: 00000000000000006d8733e03fa9f5e5 2ec912fa82c9adfed09fbca9563cb4ce 17

Bitcoin Snapshot 18

Attacks Adversary generates new blocks Can happen proportional to his computational power (less than 50%) A transaction generated by honest node is not included by adversary in his generated blocks Eventually honest nodes will solve the puzzle and include all outstanding transactions As long the honest node is connected to other honest nodes, his transactions will be included in a block It might take some time! 19

Double spending: forks The longest chain counts. - It includes more work block i block i+1 block 1+2 block 1+2 block i+3 block 1+3 fork Double spending Malicious nodes spend same coin on different branches Once network reconciles, only one of the transaction will be accepted The transaction on the longest chain block i+4 this chain is valid 20

Does it make sense to work on a shorter chain? No! block i+1 block 1+2 block 1+2 block i+3 block 1+3 block i+4 Because everybody else is working on extending the longest chain. Recall: we assumed that the majority follows the protocol. 21

Bitcoin Protocol Each P2P node runs the following algorithm: New transactions are broadcast to all nodes. Each node (miner) collects new transactions into a block. Each node works on solving proof-of-work (PoW) for its block Use computational resources When a node finds a solution, it broadcasts the block to all nodes. Nodes accept the block only if all transactions are valid (digital signature checking) and coins not already spent (check transactions from public ledger). Nodes express their acceptance by working on creating the next block in the chain If multiple valid blocks are available, choose the longest chain and include transactions from discarded blocks in the queue Include the hash of the accepted block as the previous hash. Nodes eventually reach global consensus on all transactions 22

Main principles 1. It is computationally hard to extend the chain (solve puzzle) 2. Once a miner finds an extension he broadcasts it to everybody 3. The users will always accept the longest chain as the valid one the system incentivizes them to do it 4. Wait longer to perform action according to the value of the transaction 23

Public ledger Tamper-evident log Record and order all transactions Valid transactions can not be modified New transactions are appended after being validated How to design it? What data structure and crypto primitives to use? How to prevent attackers controlling majority of transactions? How to reach agreement? How to incentivize users? 24

How are the miners incentivized to participate in this game? Short answer: they are paid (in Bitcoins) for this 25

Incentives Transactions may include a transaction fee Paid to whoever mines a block that includes the transaction New blocks mint new coins Node who wins mines a fixed amount of coins as a prize Called a coinbase transaction The only way to generate new coins in the system 26

Where does the money come from? A miner who finds a new block gets a reward in BTC: 4 years for the first 210,000 blocks: 50 BTC for the next 210,000 blocks: 25 BTC for the next 210,000 blocks: 12.5 BTC, and so on Note: 210,000 (50 + 25 + 12.5 + ) 21,000,000 Fixed number of blocks in the system current reward

Coinbase Transactions Block Hash Prev. Block Hash Transaction I Transaction J Coinbase Transaction K Nonce X Generated upon successful mining and included in block chain Node will get the reward only if this transaction is on the blockchain Elegantly solves several problems Where do bitcoins come from? How are they minted? Who gets newly minted coins? 28

Bitcoin security Protection again invalid transactions (forgery) Cryptographic (digital signature) Protection against modification of blockchain (remove or modify old transactions) Cryptography (collision-resistant hash functions and digital signatures) Non-repudiation of transactions Based on blockchain Protection against double spending Enforced by consensus (correct majority) One of the transactions (either one) will be eventually accepted Protection against Sybil attacks PoW cryptographic puzzles Assume that adversary does not control majority of CPU resources 29

Selfish mining attacks Majority is not Enough: Bitcoin Mining is Vulnerable Ittay Eyal, and Emin Gün Sirer Attacker Private chain Public chain Honest Attacker: I ll keep these blocks for myself! - Create private chain When attacker reveal blocks in private chain, honest blocks will switch to longer chain and waste resources - Creates incentives for honest users to join attacker coalition 30

Partitioning attacks Hijacking Bitcoin: Routing Attacks on Cryptocurrencies Maria Apostolaki, Aviv Zohar, Laurent Vanbever 31

1 BTC One obvious problem: lack of anonymity can be linked 1 BTC 1 BTC Heuristic solution: 1 BTC 1 BTC 1 BTC Can sometimes be de-anonymized: [Meiklejohn et al., A fistful of bitcoins: characterizing payments among men with no names, 2013]

Transaction syntax simplified view 25 BTC in the mining process P 1 T 1 = (User P 1 mints 25 BTC) P 2 25 BTC 25 BTC [T 2 ] T 2 = (User P 1 sends 25 BTC from T 1 to P 2 signature of P 1 on [T 2 ]) [T 3 ] T 3 = (User P 2 sends 25 BTC from T 2 to P 3 signature of P 2 on [T 3 ]) P 3 33

How to divide money? P 1 7 BTC P 2 Multi-output transactions: [T 2 ] P 3 P 4 T 2 = (User P 1 sends 10 BTC from T 1 to user P 2, User P 1 sends 7 BTC from T 1 to user P 3, User P 1 sends 8 BTC from T 1 to user P 4 signature of P 1 on [T 2 ] ) 34

Multiple inputs P 1 P 2 P 3 8 BTC [T 4 ] P 4 T 4 = (User P 1 sends 10 BTC from T 1 to user P 4, User P 2 sends 7 BTC from T 2 to user P 4, User P 3 sends 8 BTC from T 3 to user P 4 signature of P 1 on [T 4 ], signature of P 2 on [T 4 ], signature of P 3 on [T 4 ]) all signatures need to be valid! 35

Time-locks It is also possible to specify time t when a transaction becomes valid. [T 2 ] T 2 = (User P 1 sends 25 BTC from T 1 to P 2 if time t has passed) signature of P 1 on [T 2 ]) measured in: real time, or blocks. 36

Generalizations 1. All these features can be combined. 2. The total value of in-coming transactions can be larger that the value of the out-going transactions. (the difference is called a transaction fee and goes to the miner) 3. Second mechanism to incentivize nodes to be honest 37

Popular mining pools Miners create cartels called mining pools This allows them to reduce the variance of their income 38

The general picture The mining pool is operated centrally. Some of the mining pools charge fees for their services. Tricky part: how to prevent cheating by miners? How to reward the miners? 39

June 2014 Ghash.io got > 50% of the total hashpower. Then this percentage went down 40

Alternative cryptocurrencies a) Litecoin a currency where hardware mining is (supposedly) harder b) Spacecoin a currency based on the Proofs of Space c) Currencies based on the Proofs of Stake d) Currencies doing some useful work (Primecoin, Permacoin) e) Zerocash a currency with true anonymity f) Ethereum a currency with Turing-complete scripts g) Other uses of the Blockchain technology Disclaimers: (a) some of them are just academic proposals, (b) this order is not chronologic. 41

Digital currency is just one application on top of a blockchain Users Money Decentralized Consensus Blockchain Account Balances Alice: 10 Bob: 15 Carol: 120 42

Smart Contracts: user-defined programs running on top of a blockchain Users Money Decentralized Consensus Blockchain Contracts Data Code Storage 43

Smart Contract Example (very high level) If GOOG rises to $1,000 by 30 June 2015, assign 10 shares from Alice to Bob and pay Alice $10,000 Other examples abound: Auctions, elections, lotteries, escrow,... 44

Zerocash [Ben-Sasson, Chiesa, Garman, Green, Miers, Tromer, Virza, Zerocash: Decentralized Anonymous Payments from Bitcoin, 2014] Main idea: instead of showing I spend some unspent transaction Tx from the past show: There exists an unspent transaction Tx from the past that I now spend This is done using zero-knowledge proofs (ZKP) Technical challenge: how to do it without executing ZKPs on the entire blockchain?

Acknowledgement Some of the slides and slide contents are taken from http://www.crypto.edu.pl/dziembowski/teaching and fall under the following: 2012 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation. We have also used slides from Prof. Dan Boneh online cryptography course at Stanford University: http://crypto.stanford.edu/~dabo/courses/onlinecrypto/ 46

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback