Chapter 13. Digital Cash. Information Security/System Security p. 570/626


Introduction
- While cash is used in illegal activities such as
  - bribing
  - money laundering
  - tax evasion
- it also protects privacy: not everyone needs to know about your payments for
  - transportation and accommodation
  - pharmaceuticals
  - books and magazines
  - religious and political contributions

Introduction (2)
- In the physical world, cash is an anonymous, untraceable way to transfer money
- Currently, we are missing an electronic counterpart
- Every time we pay using online banking, credit cards, or services like PayPal, we leave a trace

Introduction (3)
- Liberty Reserve (based in Costa Rica) offered a service to transfer money in an anonymous way
- All you needed was a name, e-mail address, and birth date
- However, the identity was never checked
- The U.S. government eventually filed a case against Liberty Reserve
- The service was used for criminal activities as well
- When it was shut down in 2013, legitimate users also lost money

Not So Serious Attempt
Simple procedure to create digital cash:
1. Create a new file and type in "This file is worth €10."
2. Take the file with you to buy things
Now you just have to find someone who accepts this...

First Attempt
- Let's try to come up with a cryptographic protocol for digital cash
- Paper money started out as a promise by a bank: "I promise to pay the bearer on demand the sum of..."

First Attempt (2)
Can we have a digital equivalent of this?
1. Alice goes to the bank, handing over €10
2. Bank creates message m: "pay bearer €10"
3. Bank signs m with its private key d_B
4. Bank gives E_{d_B}(m) to Alice
- Alice can now spend it
- A merchant can check the validity (assuming the public key e_B of the bank is known)
- Merchant gets cash from the bank for E_{d_B}(m)

Double Spending
- Now we have a problem: What prevents Alice from spending it multiple times? Or someone showing up with the same message multiple times to cash it in?
- This is a serious problem: copying physical bank notes is difficult, copying bits and bytes is not
- Bank could add a serial number to the message m
- Each digital bank note is allowed to be cashed in only once
- Everything fine now?

Anonymity
- We lose the anonymity
- The bank knows which messages were spent by Alice: it generated the serial number
- We need a so-called blind signature
- Let's illustrate this with paper documents

Blind Signatures
1. Alice creates x messages for €10 each
2. Puts each one in a separate envelope lined with carbon paper and gives them to the bank
3. Bank randomly opens x − 1 of them, verifying that each is for €10
4. Bank signs the last envelope blindly without opening it, deducts €10 from Alice's bank account
5. Bank hands the unopened envelope to Alice
Payment and cashing in as before

Blind Signatures (2)
- Bank never sees what it signs
- Assume Alice wants to cheat (by putting different amounts in the envelopes): Bank opens envelopes randomly
- With a probability of (x − 1)/x the bank can detect this fraud
- This is anonymous, but we have re-introduced the double spending

Adding Anonymity
- Alice can add the serial number herself
- Every message is appended with a different long random string
- Probability of a collision should be really, really small
- By opening x − 1 envelopes the bank can see those serial numbers, but not the one it actually signs
- However, if someone tries to cash in a message twice, the bank can detect it

Cryptography
- What do blind signatures look like in terms of cryptography?
- Both Alice and the bank have a pair of keys (public and private): e_A and d_A for Alice and e_B and d_B for the bank
- Alice blinds x messages: she encrypts them with e_A
- She sends them to the bank, which signs them with d_B
- The bank asks Alice to unblind x − 1 of the messages: she decrypts them with d_A and sends them to the bank
- The bank then verifies that the messages are well-formed
- Alice unblinds the final message, which she spends
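The cut-and-choose withdrawal, the serial-number check against double spending, and the (x − 1)/x detection probability from the last slides, worked through in Python as an added example (not from the lecture). Blinding uses Chaum's RSA blinding factor r (the hashed note is multiplied by r^e_B and the factor divided out after signing) rather than the slide's encryption with e_A, since that is how the unblinding step is usually realised with RSA; the bank's key is a constructed toy RSA key, far too small for real use.

```python
import hashlib
import secrets
from math import gcd

P, Q = 104729, 1299709                    # constructed toy primes; far too small for real use
N = P * Q
E_B = 65537                               # bank's public key e_B
D_B = pow(E_B, -1, (P - 1) * (Q - 1))     # bank's private key d_B

def h(note: bytes) -> int:
    # Hash the note to an integer below N so the bank can RSA-sign it directly.
    return int.from_bytes(hashlib.sha256(note).digest(), "big") % N

def make_note(value: int) -> bytes:
    # Alice appends her own long random serial number (the "Adding Anonymity" slide).
    return f"pay bearer {value} EUR; serial={secrets.token_hex(16)}".encode()

def blind(note: bytes):
    # Chaum blinding: multiply by r^e_B, so the bank sees only a random-looking residue.
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(note) * pow(r, E_B, N)) % N, r

def unblind(blind_sig: int, r: int) -> int:
    # (h * r^e)^d = h^d * r mod N, so dividing by r leaves the bank's plain signature h^d.
    return (blind_sig * pow(r, -1, N)) % N

def verify(note: bytes, sig: int) -> bool:
    return pow(sig, E_B, N) == h(note)

class Bank:
    def __init__(self): self.spent = set()   # notes (with serial numbers) already cashed in

    def withdraw(self, value: int, blinded: list, reveal):
        """Cut-and-choose: open x-1 envelopes at random, sign the remaining one blindly."""
        keep = secrets.randbelow(len(blinded))
        for i in range(len(blinded)):
            if i == keep:
                continue
            note, r = reveal(i)   # Alice opens envelope i: plaintext note plus blinding factor
            well_formed = note.startswith(f"pay bearer {value} EUR;".encode())
            if not well_formed or (h(note) * pow(r, E_B, N)) % N != blinded[i]:
                return None       # fraud detected; happens with probability (x-1)/x
        return keep, pow(blinded[keep], D_B, N)

    def cash_in(self, note: bytes, sig: int) -> bool:
        # Double spending: a note whose serial number was seen before is refused.
        if not verify(note, sig) or note in self.spent:
            return False
        self.spent.add(note)
        return True

def alice_withdraws(bank: Bank, value: int, x: int = 10, cheat_value=None):
    """Alice prepares x blinded notes; cheat_value puts a wrong amount into one of them."""
    values = [value] * x
    if cheat_value is not None:
        values[secrets.randbelow(x)] = cheat_value
    notes = [make_note(v) for v in values]
    blinded = [blind(n) for n in notes]              # (blinded value, r) per envelope
    result = bank.withdraw(value, [b for b, _ in blinded], lambda i: (notes[i], blinded[i][1]))
    if result is None:
        return None                                  # the bank caught Alice cheating
    keep, blind_sig = result
    return notes[keep], unblind(blind_sig, blinded[keep][1])
```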

Further Issues
- The bank is protected from cheaters, but we cannot identify them
- When double-spending is detected, we don't know whether
  - someone tried to cheat a merchant
  - a merchant tried to cheat the bank
- There are more complicated versions of the protocol that try to identify the cheater
- Another solution is for the merchant to check with the bank before accepting a message

Further Issues (2)
- However, all of these protocols assume a trusted third party (the bank)
- We would like to have a decentralized, self-enforcing protocol
- Enter Bitcoin

Bitcoin
- Bitcoin eliminates the trusted third party in the protocol
- Two parties can directly interact with each other
- As we have seen, digital signatures are part of the solution
- The problem is double-spending
- Bitcoin replaces the trusted third party with a peer-to-peer network
- The protocol is based on cryptographic proof rather than trust

A Basic Simplified Protocol
- We start by describing a very simplified view
- Every user participating in the scheme is identified by a public key
- A user can have more than one key (to obfuscate their identity)
- Every digital coin has an ID, a value, and is associated with a public/private key pair
- Coin is signed with the private key of the owner, d_A
[Figure: coin "ID: 5873, value: 10", signed with d_A]

Transfer of Ownership
- To transfer a coin, the current owner takes
  - a hash of the previous transaction (or original coin)
  - the public key of the new owner
  and signs them with their private key
- A payee can check the signatures to verify the chain of ownership
[Figure: coin "ID: 5873, value: 10" signed with d_A; transaction H(coin) with e_B, signed with d_A; transaction H(previous transaction) with e_C, signed with d_B]
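The chain of ownership from the two slides above, as an added Python example (not from the lecture or from Bitcoin): each transfer carries H(previous transaction) and the new owner's public key and is signed by the owner at that step, and the payee's check walks the chain back to the original coin. It also shows why the "Stealing Coins" attempt later in the chapter fails: a transfer signed with anyone else's key does not verify. The RSA key pairs are constructed toy keys with tiny primes.

```python
import hashlib
import json

def toy_keypair(p: int, q: int, e: int = 65537) -> dict:
    # Constructed toy RSA key (tiny primes; demonstration only): n and e public, d private.
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def pub(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"]}

def digest(obj) -> bytes:
    # Canonical hash of a coin or transaction (the H( ) boxes on the slide).
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).digest()

def sign(key: dict, data: bytes) -> int:
    return pow(int.from_bytes(data, "big") % key["n"], key["d"], key["n"])

def verify(pubkey: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pubkey["e"], pubkey["n"]) == int.from_bytes(data, "big") % pubkey["n"]

def strip_sig(tx: dict) -> dict:
    return {k: v for k, v in tx.items() if k != "sig"}

def mint_coin(coin_id: int, value: int, owner: dict) -> dict:
    # Original coin: ID, value and the owner's public key, signed with the owner's private key d_A.
    body = {"id": coin_id, "value": value, "owner": pub(owner)}
    return {**body, "sig": sign(owner, digest(body))}

def transfer(prev: dict, current_owner: dict, new_owner_pub: dict) -> dict:
    # The current owner signs H(previous transaction) together with the new owner's public key.
    body = {"prev": digest(prev).hex(), "owner": new_owner_pub}
    return {**body, "sig": sign(current_owner, digest(body))}

def verify_chain(coin: dict, transfers: list) -> bool:
    """Payee's check: each link points at the previous one and is signed by the owner at that step."""
    if not verify(coin["owner"], digest(strip_sig(coin)), coin["sig"]):
        return False
    prev = coin
    for tx in transfers:
        if tx["prev"] != digest(prev).hex():
            return False                      # hash pointer does not match the previous link
        if not verify(prev["owner"], digest(strip_sig(tx)), tx["sig"]):
            return False                      # not signed by the owner recorded in the previous link
        prev = tx
    return True

# Constructed key pairs for the participants (e_A/d_A for Alice, e_B/d_B for Bob, ...).
ALICE = toy_keypair(104729, 1299709)
BOB = toy_keypair(15485863, 32452843)
CAROL = toy_keypair(49979687, 65521)
MALLORY = toy_keypair(7919, 4294967291)
```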

Issues
- Anonymity is OK as long as the owners of key pairs are not identified
- Nevertheless, there are still problems:
  - Who creates the initial coins?
  - How do we prevent double-spending?

Trusted Third Party
- These issues could be solved with a trusted third party (Trent)
- Initial coins are issued by Trent, who signs them
- Trent would also keep a complete record of all transactions in a public ledger
- Before accepting a transaction, the ledger is checked for double-spending
- How do we make sure that Trent (or someone else) does not manipulate the ledger?

Blockchain
- A block chain is a series of data blocks
- Each contains a transaction consisting of an ID, its content, and a hash pointer to the previous block
- In practice, each block contains more than one transaction so as not to waste space
- Trent signs the final hash pointer

Blockchain (2)
- Why does Trent not just sign individual transactions?
- Blockchain is an unmodifiable, append-only data structure
- Any attempt to modify or remove an earlier transaction will affect the whole chain (one-way hash function) and therefore be easy to catch
- Anyone can now verify the validity of a transaction in the chain and see the same order of events

Issues
- Trusted third party is a single point of failure
- Trent cannot create fake transactions (he does not have any private keys of users)
- However, he could
  - reject transactions of certain users, basically denying them service
  - create as many coins as he wants, causing inflation
  - hike up transaction costs significantly
  - abandon the whole scheme

Decentralized Scheme
- In the ideal case, we would like to run the scheme without a trusted third party
- In a decentralized scheme, users need to agree
  - on how to maintain a single official blockchain
  - on which transactions are valid and actually happened
  - on how to create new coins
- The following scheme will work if the majority of the nodes are honest

From Third Party to Peer-to-Peer
Let's assume that we have n nodes in a network. Nodes can join and leave while the system is running.
1. Each node collects new transactions in a block (all transactions are broadcast widely in the network)
2. Each round a random node gets to broadcast its new block
3. Other nodes accept the block if all transactions are valid (unspent coins; valid signatures)
4. When a node accepts a block, it includes its hash in the next block it creates

Attacking the Scheme
- Let's assume Mallory operates a node in the scheme and wants to subvert it
- Possible attack vectors:
  - Stealing coins
  - Denial-of-Service
  - Double Spending

Stealing Coins
- Mallory wants to transfer ownership of a coin to himself
- He would need the private key of a user to forge a transaction
- If he just makes up things, the other nodes would notice an invalid signature and not accept his block

Denial-of-Service
- Mallory dislikes Alice and will not include any of her transactions in his blocks
- He cannot prevent other nodes from processing Alice's transactions
- The only effect is that Alice may have to wait a little bit longer for her transactions to be included in a block

Double Spending
- Mallory buys something (online) from Bob and transfers a coin to Bob
- He and/or Bob broadcast this transaction to the network and an (honest) node includes it in its block
- Mallory, who runs a node in the network, creates a block without this transaction
- Instead he transfers the coin to another public key that he owns and includes this transaction in the block he creates
- He then broadcasts this block to the network

Double Spending (2)
- Now we have a conflict: There is one version of the blockchain with the transaction Mallory → Bob and one with the transaction Mallory → Mallory
- How do we resolve this conflict?
- A node cannot distinguish which one is the correct one: both look valid
- The second, fraudulent block may even arrive first at a node

Double Spending (3)
- A node will always extend the longer blockchain (and discard shorter ones)
- In case of a tie, it is not clear which block will make it
- However, there is something Bob can do:
  - Not immediately deliver the service/product
  - Wait until the transaction transferring a coin to him is embedded deeper in the blockchain
- Usually it is sufficient to wait until five to six new blocks have been added to the chain containing his transaction

Random Selection
- There is still an open issue: how do we select the random node to broadcast its block?
- We are in a peer-to-peer network with no central authority
- We use a concept called proof-of-work

Proof-of-Work
- We select nodes in proportion to their computing power
- Assuming that the computing power is not monopolized
- Roughly speaking, the amount of computing power spent by a node will determine its chance of being picked

Proof-of-Work (2)
- A node cannot just add a block to the chain
- It has to solve a hash puzzle to do so: It has to find a nonce (number used only once)...
- ...that, hashed together with the hash of the previous block and the transactions, has certain properties
- E.g., H(nonce || H(prev block) || TA_1 || TA_2 || ...) has 20 leading zeroes

Proof-of-Work (3)
- As we are using cryptographic one-way hash functions, we can find a nonce only by trying out a (large) range of values
- Once a node finds a nonce, it can broadcast the new block
- Finding the nonce takes some time, verifying it is very fast
- Solving these hash puzzles is called bitcoin mining
- Nodes are called miners
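The pieces of the decentralized scheme from the last few slides (hash pointers between blocks, the hash puzzle with its nonce, a node's acceptance check for unspent coins, the longest-chain rule, and the confirmation depth Bob waits for) in one toy Python model. This is an added example, not code from the lecture or from Bitcoin: transactions name their owners in plain text instead of carrying signatures, and the difficulty of 16 leading zero bits (instead of the slide's 20 hex zeroes) is chosen so that a block mines in well under a second.

```python
import hashlib
import json

DIFFICULTY_BITS = 16   # constructed: scaled-down puzzle so the demo mines quickly

class Block:
    def __init__(self, prev_hash: str, txs: list, nonce: int = 0):
        self.prev_hash = prev_hash   # hash pointer to the previous block
        self.txs = txs               # each tx: {"coin": id, "from": owner, "to": owner}
        self.nonce = nonce

    def hash(self) -> str:
        # H(nonce || H(prev block) || TA_1 || TA_2 || ...) from the Proof-of-Work slide
        payload = json.dumps([self.nonce, self.prev_hash, self.txs], sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()

def meets_target(digest_hex: str, bits: int = DIFFICULTY_BITS) -> bool:
    # The puzzle: the leading `bits` bits of the 256-bit hash must be zero.
    return int(digest_hex, 16) >> (256 - bits) == 0

def mine(block: Block) -> Block:
    # One-way hash: the only way to find a nonce is to try values until the target is met.
    while not meets_target(block.hash()):
        block.nonce += 1
    return block

def valid_chain(chain: list, genesis_owners: dict) -> bool:
    """Node's acceptance check: hash pointers, proof-of-work, and every coin spent by its owner."""
    owner = dict(genesis_owners)   # coin id -> current owner, starting from the initial coins
    prev = "0" * 64
    for blk in chain:
        if blk.prev_hash != prev or not meets_target(blk.hash()):
            return False
        for tx in blk.txs:
            if owner.get(tx["coin"]) != tx["from"]:
                return False          # double spend or forgery: sender no longer owns the coin
            owner[tx["coin"]] = tx["to"]
        prev = blk.hash()
    return True

def choose_chain(candidates: list, genesis_owners: dict):
    """Longest-chain rule: keep the longest valid chain seen so far (a tie stays unresolved)."""
    valid = [c for c in candidates if valid_chain(c, genesis_owners)]
    return max(valid, key=len, default=None)

def confirmations(chain: list, coin: str, to: str) -> int:
    """Blocks added on top of the block containing coin -> to; Bob waits until this is 5 or 6."""
    for depth, blk in enumerate(chain):
        if any(tx["coin"] == coin and tx["to"] == to for tx in blk.txs):
            return len(chain) - depth - 1
    return -1                         # transaction not in this chain at all
```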

Incentives
- Why would you want to run a miner?
- As a reward for solving the hash puzzle for a block, you are allowed to add a special transaction to the block
- This special transaction creates a new bitcoin that belongs to you

Incentives (2)
- The hardness of the hash puzzles is readjusted from time to time
  - E.g. by requiring more leading zeroes
- Otherwise the mining time would become shorter and shorter
  - As hardware is getting faster and faster

Incentives (3)
- The total number of bitcoins is fixed
- Miners are allowed to create a total of 21 million
- At some point, Bitcoin will have to switch to transaction fees
- Actually, this is already possible
- The creator of a transaction allows the miner to take a small part of the money in the transaction as a fee

Optimizations
- There are a couple of optimizations that are not covered here
  - There are schemes for saving disk space by getting rid of some (old) transactions
  - A simplified payment verification without running a full P2P network node
  - A technique for combining and splitting the value of coins

Issues with Bitcoin
- The bitcoin protocol is not perfect, there are some issues
- Scalability
  - Throughput of transactions per second is not particularly high
  - The size of the blockchain is also a problem
- There is no service infrastructure (when things go wrong)
- Is bitcoin really anonymous?
  - No authentication necessary, but full transaction history available
  - Is that enough?
- Open research questions
- Various political issues

The Future of Bitcoin
- It's very hard to say what the future will bring
- For example, the exchange rate is quite volatile

The Future of Bitcoin (2)
- The opinions about bitcoin range from:
  - It's dead (it has been proclaimed dead a couple of times)
  - It will revolutionize the world, bringing an end to banks and also causing problems for financial regulators
- The truth is probably somewhere in between
- Even if it fails, it has come up with new ideas
- If it continues, it probably has to switch to a transaction fee model (new coins will be harder and harder to find)

Summary
- Coming up with a digital currency that has properties similar to cash, being
  - decentralized
  - anonymous
  - hard to copy
  is a challenging task
- Bitcoin is one of the first approaches that seems practicable