blockchain and smart contract long term security (updated)

Copyright © 2016 Peter Robinson. Blockchain and Smart Contract Long Term Security. Peter Robinson, [email protected]. Updated November 18, 2016.

Upload: peter-robinson

Post on 09-Jan-2017

Overview

▪ Distributed Ledger and Smart Contract systems have as an underlying assumption that once transactions are in a block chain, they are locked-in forever.

▪ This presentation analyses whether this immutability can actually be delivered in the long term, given increasing traditional computational power, the emergence of quantum computing, and the possibility of cryptographic algorithmic flaws.

▪ Additionally, an idea about distributed systems security is presented.

Caveat on results in these slides

▪ Tentative results are presented herein.

▪ More detailed analysis is needed.

Agenda

▪ Blockchain and Smart Contract Platforms Long Term Security:
  ▪ Cryptography and Cryptanalysis.
  ▪ Blockchain Platforms and Cryptanalysis.
  ▪ Mitigations.

▪ Mitigation for Active Attacks against Distributed Systems.

Cryptography & Cryptanalysis

Cryptography: Algorithms

▪ Digest Algorithm (Hash): SHA256, SHA512, RIPEMD160, KECCAK, SHA3/256:
  ▪ Variable length input -> Fixed Length Output.

▪ Signing: ECDSA (secp256k1)/Digest Algorithm, RSA/Digest Algorithm:
  ▪ Sign with private key, verify with public key.

Cryptography: Message Digests / Hashes

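[Figure: three properties of a hash function h, each labelled with its security strength.
Preimage Resistance (strength n): given h(x), the input x is the unknown.
Second Preimage Resistance (strength n): given x and h(x), the unknown is x’ with h(x’) = h(x).
Collision Resistance (strength n/2): both x and x’ are unknown, with h(x’) = h(x).]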

Cryptography: Signatures

▪ Forgeability: Recover private key from public key.

▪ Non-repudiation: Have two public keys P1 and P2 which verify the same signature.

▪ Integrity: Have two message digests M1 and M2 which when signed with public key P result in the same signature.

Cryptography: Security Strength (Assuming no Quantum Cryptanalysis)

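| Security Strength | RSA | ECC | Hash Preimage | Hash Collision |
| --- | --- | --- | --- | --- |
| 80 | 1024 | | | RIPEMD160 |
| 112 | 2048 | | | |
| 128 | 3072 | secp256k1 | | SHA256, Keccak-256, SHA512/256 |
| 160 | | | RIPEMD160 | |
| 256 | | | SHA256, Keccak-256, SHA512/256 | SHA512, SHA3/512 |
| 512 | | | SHA512, SHA3/512 | |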

Traditional Computing Power

Ref 1: http://www.extremetech.com/wp-content/uploads/2015/04/MooresLaw2.png

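Cryptography: Security Strength assuming no Quantum Cryptanalysis

| Security Strength | RSA | ECC | Hash Preimage | Hash Collision |
| --- | --- | --- | --- | --- |
| 80 | 1024 | | | RIPEMD160 |
| 112 | 2048 | | | |
| 128 | 3072 | secp256k1 | | SHA256, Keccak-256, SHA512/256 |
| 160 | | | RIPEMD160 | |
| 256 | | | SHA256, Keccak-256, SHA512/256 | SHA512, SHA3/512 |
| 512 | | | SHA512, SHA3/512 | |

Year markers shown beside the table: 2010, 2030?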

Quantum Cryptanalysis

▪ Shor’s Algorithm: Allows ECC private key to be calculated from ECC public key.

▪ Grover’s Algorithm: Allows algorithms to be executed in square-root time:
  ▪ Affects message digest algorithms and symmetric key algorithms.

▪ Security Strength after Quantum = (Security Strength Before Quantum) / 2

Quantum Cryptanalysis

▪ When will Quantum Computing and Quantum Cryptanalysis be a reality?

▪ Michele Mosca, Institute for Quantum Computing and Department of Combinatorics and Optimization, University of Waterloo, said (Ref 2):
  ▪ “I estimate a 1/7 chance of breaking RSA-2048 by 2026 and a 1/2 chance by 2031”
  ▪ Predicts a “Moore’s Law” type of increase in capability.

Ref 2: Mosca, M. (2015) “Cybersecurity in an era with quantum computers: will we be ready?” Available: https://eprint.iacr.org/2015/1075.pdf

Cryptography: Security Strength assuming Quantum Cryptanalysis

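| Security Strength* | RSA | ECC | Hash Preimage | Hash Collision |
| --- | --- | --- | --- | --- |
| 4 | 5 | | | |
| 19 | | secp256k1 | | |
| 26 | 2048 | | | |
| 40 | | | | RIPEMD160 |
| 64 | | | | SHA256, Keccak-256, SHA512/256 |
| 80 | | | RIPEMD160 | |
| 128 | | | SHA256, Keccak-256, SHA512/256 | SHA512, SHA3/512 |
| 256 | | | SHA512, SHA3/512 | |

*: Shor algorithm security strength calculated as log2(K * K * log(K) * log(log(K)))

Year markers shown beside the table: 2012; Late 2020s or 2030s?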
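The footnote formula and the "divide by 2" rule from the Quantum Cryptanalysis slide can be checked against the table values. The following is an added example, not part of the original slides; it assumes K is the key size in bits and that log is the natural logarithm, which is the reading that reproduces the slide's 4, 19 and 26.

```python
import math

# Digest output sizes in bits for the hash functions named on the slides.
DIGEST_BITS = {"RIPEMD160": 160, "SHA256": 256, "Keccak-256": 256,
               "SHA512/256": 256, "SHA512": 512, "SHA3/512": 512}

def shor_strength(k_bits):
    """Slide footnote: log2(K * K * log(K) * log(log(K))).
    Assumption: log is the natural logarithm, K is the key size in bits."""
    k = float(k_bits)
    return round(math.log2(k * k * math.log(k) * math.log(math.log(k))))

def classical_hash_strength(n_bits):
    """Pre-quantum strengths: n for preimage, n/2 for collision."""
    return {"preimage": n_bits, "collision": n_bits // 2}

def quantum_hash_strength(n_bits):
    """Slide rule: strength after quantum = strength before quantum / 2."""
    return {p: s // 2 for p, s in classical_hash_strength(n_bits).items()}

def quantum_table():
    """Rebuild the rows of the quantum security strength table."""
    rows = {}
    for label, k in (("RSA 5", 5), ("ECC secp256k1", 256), ("RSA 2048", 2048)):
        rows.setdefault(shor_strength(k), []).append(label)
    for name, n in DIGEST_BITS.items():
        for prop, strength in quantum_hash_strength(n).items():
            rows.setdefault(strength, []).append(f"{name} {prop}")
    return dict(sorted(rows.items()))

if __name__ == "__main__":
    for strength, entries in quantum_table().items():
        print(f"{strength:>4}  {', '.join(entries)}")
```
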

Cryptographic Algorithmic Flaws

Ref 3: Preneel, B. (2013) “Introduction to the Design and Cryptanalysis of Cryptographic Hash Functions” Available: https://www.cosic.esat.kuleuven.be/summer_school_albena/slides/preneel_hash_july2013_shortv1_print.pdf

Blockchain Platforms and Cryptanalysis

Three Attack Scenarios

▪ Attack existing blocks.

▪ Attacking new blocks as they are being made:
  ▪ Miners either altering transactions being included in blocks or being able to always mine the best block.
  ▪ Users either craft transactions masquerading as other users or craft transactions to double spend.

Bitcoin: Cryptographic Usage (Ref 4)

▪ Main Hash: HM(x) = SHA256(SHA256(x))

▪ Address Hash: HA(x) = RIPEMD160(SHA256(x))

▪ Key Pairs: ECC using secp256k1 curve.

▪ Signatures: ECDSA, with Main Hash.

Ref 4: Giechaskiel, I., Cremers, C., Rasmussen, K. (2016) “On Bitcoin Security in the Presence of Broken Crypto Primitives”

Ripple Cryptographic Usage

▪ Main Hash: HM(x) = 256 bit truncated SHA512(x)

▪ Address Hash: HA(x) = RIPEMD160(SHA256(x))

▪ Key Pairs: ECC using secp256k1 curve.

▪ Signatures: ECDSA, with Main Hash.

Ethereum Cryptographic Usage

▪ Main Hash: HM(x) = KECCAK-256(x)

▪ Address Hash: HA(x) = 160 bit truncated KECCAK-256(x)

▪ Key Pairs: ECC using secp256k1 curve.

▪ Signatures: ECDSA, with Main Hash.

Cryptography: Security Strength assuming Quantum Cryptanalysis

| Security Strength | Hash Preimage | Hash Second Preimage | Hash Collision |
| --- | --- | --- | --- |
| 40 | | | Keccak-256/160, RIPEMD160(SHA256(x)) |
| 64 | | | SHA256(SHA256(x)), Keccak-256, SHA512/256 |
| 80 | Keccak-256/160 | Keccak-256/160, RIPEMD160(SHA256(x)) | |
| 128 | SHA512/256 | SHA256(SHA256(x)), Keccak-256, SHA512/256 | |
| 208 | RIPEMD160(SHA256(x)) | | |
| 256 | SHA256(SHA256(x)) | | |

Attack Existing Blocks: Message Digest Algorithm Issues

| Breakage | Address Hash (HA) | Main Hash (HM) |
| --- | --- | --- |
| Collision | None | None |
| Second pre-image | Repudiate transaction | Repudiate transaction |
| Pre-image | Uncover public key associated with address | None |

Attack Existing Blocks: Signature Algorithm Issues

| Breakage | Effect |
| --- | --- |
| Selective forgery | Determine private key based on public key, then execute transactions |
| Integrity break | Repudiate transaction |
| Repudiation | None |

Miner Attack: Message Digest Algorithm Issues

| Breakage | Address Hash (HA) | Main Hash (HM) |
| --- | --- | --- |
| Collision | Repudiate transaction | Double spend and execute transactions and then repudiate them |
| Second pre-image | Repudiate transaction | Double spend and execute transactions and then repudiate them |
| Pre-image | Uncover public key associated with address | Complete failure of the blockchain: be able to determine best block more easily than other miners. |

Miner Attack: Signature Algorithm Issues

| Breakage | Effect |
| --- | --- |
| Selective forgery | Determine private key based on public key, then execute transactions |
| Integrity break | Repudiate transaction |
| Repudiation | None |

User Attack: Message Digest Algorithm Issues

| Breakage | Address Hash (HA) | Main Hash (HM) |
| --- | --- | --- |
| Collision | Repudiate transaction | Double spend and execute transactions and then repudiate them |
| Second pre-image | Repudiate transaction | Double spend and execute transactions and then repudiate them |
| Pre-image | Uncover key associated with address | None |

User Attack: Signature Algorithm Issues

| Breakage | Effect |
| --- | --- |
| Selective forgery | None |
| Integrity break | Execute transactions and then repudiate them |
| Repudiation | Execute transactions and then repudiate them |

Mitigations

Mitigations: Better Use of Existing Algorithms

▪ Use stronger algorithms for Address Hash and Main Hash.

▪ Address Hash:
  ▪ SHA 512(SHA 512(x)) or
  ▪ SHA3/512(x)

▪ Main Hash:
  ▪ SHA 512(SHA 512(x)) or
  ▪ SHA3/512(x)

Cryptography: Security Strength assuming Quantum Cryptanalysis

| Security Strength | Hash Preimage | Hash Second Preimage | Hash Collision |
| --- | --- | --- | --- |
| 40 | | | Keccak-256/160, RIPEMD160(SHA256(x)) |
| 64 | | | SHA256(SHA256(x)), Keccak-256, SHA512/256 |
| 80 | Keccak-256/160 | Keccak-256/160, RIPEMD160(SHA256(x)) | |
| 128 | SHA512/256 | SHA256(SHA256(x)), Keccak-256, SHA512/256 | SHA 512(SHA 512(x)), SHA3/512(x) |
| 208 | RIPEMD160(SHA256(x)) | | |
| 256 | SHA256(SHA256(x)), SHA3/512(x) | SHA 512(SHA 512(x)), SHA3/512(x) | |
| 512 | SHA 512(SHA 512(x)) | | |

Mitigations: Post-Quantum

▪ USA’s NIST are looking to standardize post-quantum algorithms by 2022 (Ref 5).

▪ Lattice Based Signature Algorithms:
  ▪ Different type of mathematics to RSA and ECC.
  ▪ Historically, Lattice based algorithms have been found to be not as strong as first thought after two to five years of cryptanalysis.

▪ Sphincs:
  ▪ Based on well understood message digest algorithms.
  ▪ Larger public keys, private keys and signatures.

Ref 5: http://csrc.nist.gov/groups/ST/post-quantum-crypto/documents/pqcrypto-2016-presentation.pdf

Mitigations: Be Prepared to Change

▪ Blockchain platforms need to have migration plans in place.

▪ Allow for multiple algorithms:
  ▪ Should allow for faster transition in case of a sudden event: stop accepting transactions which use one algorithm.
  ▪ Can lead to downgrade attacks.
  ▪ Learn from other domains such as Transport Layer Security.

▪ Plan for:
  ▪ Larger signatures and larger identifiers.
  ▪ Re-sign entire blockchain.
  ▪ Roll-over all keys to newer algorithms.
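One way to allow for multiple algorithms while being able to stop accepting one of them, shown on a hash-linked chain. This is an added example, not part of the original slides; the registry, the algorithm ids and the cut-off height are hypothetical, and the two constructions are SHA256(SHA256(x)) and SHA 512(SHA 512(x)) as named on the slides.

```python
import hashlib

def sha256d(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def sha512d(b):
    return hashlib.sha512(hashlib.sha512(b).digest()).digest()

# Hypothetical registry: algorithm id -> (hash, last height at which it is
# accepted). None means the algorithm is current.
REGISTRY = {1: (sha256d, 2), 2: (sha512d, None)}

def make_link(alg_id, prev_link, payload):
    """Link = id byte + digest. The id is hashed too, so relabelling it breaks the digest."""
    fn, _ = REGISTRY[alg_id]
    tag = bytes([alg_id])
    return tag + fn(tag + prev_link + payload)

def build_chain(blocks):
    """blocks: list of (alg_id, payload) -> list of (payload, link)."""
    chain, prev = [], b""
    for alg_id, payload in blocks:
        prev = make_link(alg_id, prev, payload)
        chain.append((payload, prev))
    return chain

def verify_chain(chain):
    """Return (ok, reason); the policy check runs before any digest is trusted."""
    prev = b""
    for height, (payload, link) in enumerate(chain):
        alg_id = link[0] if link else None
        if alg_id not in REGISTRY:
            return False, f"height {height}: unknown algorithm"
        last_height = REGISTRY[alg_id][1]
        if last_height is not None and height > last_height:
            return False, f"height {height}: algorithm {alg_id} retired"
        if make_link(alg_id, prev, payload) != link:
            return False, f"height {height}: digest mismatch"
        prev = link
    return True, "ok"

# Constructed sample: ids 1,1,1 then 2,2 is a valid migration; a block that
# still uses id 1 at height 3 is the downgrade case and is refused.
MIGRATED = build_chain([(1, b"a"), (1, b"b"), (1, b"c"), (2, b"d"), (2, b"e")])
DOWNGRADED = build_chain([(1, b"a"), (1, b"b"), (1, b"c"), (1, b"d")])

if __name__ == "__main__":
    print(verify_chain(MIGRATED))
    print(verify_chain(DOWNGRADED))
```
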

Mitigation for Active Attacks against Distributed Systems

Using Blockchain to provide Defence in Depth against Active Attacks

▪ Web applications and SaaS can be delivered as scalable cloud services.

▪ These services can be viewed as distributed systems.

▪ Active attackers may Powerfully Own (POWN) parts of the distributed system.

▪ Distributed Ledgers could be used as a resilient distributed database.

▪ Challenges:
  ▪ Performance.
  ▪ Non-proof of work consensus algorithms which are resilient to active attack.
  ▪ Dynamic scaling.

Closing

Future Work

▪ More detailed analysis to verify the results presented herein.

▪ Hyperledger needs to be reviewed.

▪ Proof of Stake protocols need to be considered.

Summary

▪ Cryptography is a dynamic field. Things change:
  ▪ Quantum Cryptanalysis may become a reality.
  ▪ Processing power is still ever increasing despite declarations, “Moore’s Law is dead”.
  ▪ Breaks in cryptographic algorithms happen from time to time.

▪ Plan for change:
  ▪ Do mitigation planning and determine migration paths.
  ▪ Start executing changes now which can be done now.

Questions