cs 134 winter 2016 anonymity application example: electronic...
TRANSCRIPT
Anonymity Application Example: Electronic Cash (E-Cash) and Bitcoin
CS 134 Winter 2016
Motivation For E-Cash
Conventional Cash is:
• Counterfeitable
• Slow
• Costly
• Vulnerable
• Bad for Remote Transactions
Credit Cards, Bank Cards, Checks, and Phone/Subway Cards:
• Easy Fraud
• Little Privacy
Off-line Electronic Cash is for 2-Party (Payer → Payee) Payment
[Figure: the three flows of off-line e-cash: Withdrawal (user ↔ bank), Payment (payer → payee), Deposit (payee → bank)]
• Low Communication Requirements
In Contrast, On-line Payments:
[Figure: the payee contacts the bank during the payment and waits for an "OK" before accepting]
E-Cash in the 1970s
• Stephen Wiesner's (graduate student at Columbia) paper "Conjugate Coding and Quantum Money" was sent in 1970 to IEEE Transactions on Information Theory
• Paper immediately rejected
• Published in 1983, as is, in ACM SIGACT
• Proposed a design of unforgeable banknotes based on quantum properties
• Influenced Quantum (Cryptographic) Key Distribution (QKD)
E-Cash in the 1980s and 1990s
• Chaum's "Blind Signatures for Untraceable Payments" paper is the first to propose (realizable) E-Cash using blind digital signatures
• Based on RSA (Rivest, Shamir and Adleman) signatures
• RSA breaks if one can factor large composite numbers (100s of decimal digits, 1000s of bits)
• DigiCash (anonymous e-cash) launched by Chaum in 1990. DigiCash declared bankruptcy in 1998.
Requirements for Anonymous Payments (afterwards known as E-Cash)
From Chaum's "Blind Signatures for Untraceable Payments" paper:
• Unlinkability: third parties cannot determine the payee (nor the amount and time of a payment)
• Provability: individuals can provide (unforgeable) proof of payment, or determine the identity of the payee under exceptional circumstances (e.g., by courts)
• Revocation: revoke stolen coins or payment media
Anonymous Payments
[Figure sequence: user 1 and user 2 each withdraw coins from the bank; user 2 transfers coins to a payee; when the coins come back to the bank it cannot tell: "Was it user 1 or user 2?"]
Overspending: Problem with Off-line E-Cash
Step 1: The bad user copies his money
Step 2: The bad user gives the copied cash to multiple people
The Bank is aware of trouble only later
Techniques to Contain Over-Spending
1. Use tamper-resistant hardware to prevent over-spending (e.g., MONDEX in Europe)
2. Trace over-spenders
3. Blacklist over-spenders
4. Put a bound on the dollar value of off-line transactions
Tracing can be used to fight big-time international crime
But, tracing could be abused on many levels
Minting the Money/Coins
• Heart of Each Coin is a Digital Signature
• Secret Minting Key to Create Coins (Signatures)
• Public Verification Key to Recognize Coins
Minting a Conventional Coin
[Figure: the E-Cash Withdrawer sends a coin with serial number SN=12345 to The Mint; The Mint returns SN=12345 together with its BankSig]
Without Anonymity the Mint Knows the Serial Number
[Figure: The Mint signs a "One Dollar, SN 12345" note with its $1 signing key and hands it to the E-Cash Withdrawer, so the Mint sees SN 12345]
Minting an Untraceable Coin
[Figure: the E-Cash User sends a hidden (blinded) SN=12345 to The Mint; The Mint applies BankSig to what it sees; the user removes the blinding and keeps SN=12345 with a valid BankSig]
Blind Signing is (Like) Signing Through a Veil
[Figure: The Mint applies its $1 signing key to a "One Dollar" note that the E-Cash Withdrawer holds behind a veil, so the Mint signs without seeing the note's contents]
Minting a Trustee-Traceable Coin
[Figure: as for the untraceable coin, the E-Cash User obtains BankSig on the blinded SN=12345 from The Mint, but the coin additionally carries information that lets trustees recover the serial number]
Escrowing Trustee-Traceable Coins
[Figure: the E-Cash User escrows SN=12345 with Trustee 1 and Trustee 2, encrypting it under escrow key 1 and escrow key 2 respectively]
Recall: Cryptographic Assumptions
Infeasible Tasks
1. Factoring. Given a number N = pq, find p and q (primes of at least 2048 bits)
1a. RSA assumption. Given the exponent e and m^e (mod N), find m
Recall: Cryptographic Assumptions
Infeasible Tasks (continued)
2. Discrete log. Given a prime p (of at least 2048 bits), a generator g, and g^x (mod p), find x
Example of Coin Minting
Public Information:
N -- Large Composite Number
H() -- Cryptographic hash function
Private Minting Information:
Key = p, q prime numbers such that N = pq
A coin has the form: (x, H(x)^d mod N), 1 < x < N
Minting a Conventional Coin with RSA (Traceable)
[Figure: the E-Cash User sends x, H(x) to The Mint; The Mint, holding the key p, q, returns x, H(x)^d mod N; the coin is x together with H(x)^d mod N]
Where: d = e^-1 mod phi(N)
Anti-counterfeiting Assumption: Without knowing the key, it is difficult to find pre-images that map to the same point
Blind (Digital) Signatures
• Message is blinded (disguised or randomized) before it is signed
• Signature can be publicly verified against the original message (unblinded one), similar to a standard digital signature
• Typically employed in privacy-preserving protocols where the signer and the author of the message are different entities
• Main goal is to provide unlinkability: prevent the signer from linking the blinded message it signs to a later un-blinded version that it may be called upon to verify
Anonymous Payments via Blind Signatures
(to withdraw coins: obtain Bank's signature on a coin (m))
(1) User sends blinded coin/message (m') to the Bank
(2) Bank signs the coin: sig(m')
(3) User unblinds the coin to obtain sig(m)
(4) User transfers coins to the payee: sig(m)
(5) User receives goods or services
(6) Payee to Bank: "I got this coin: sig(m) for coin m. Was it M?" Bank: "Not sure!? I saw a random value: m'"
Blind Digital Signatures → Payer's Privacy [Chaum]
[Figure: conventional minting sends x, H(x) and gets back x, H(x)^d. Blind minting: the E-Cash User chooses random x, r and sends r^e H(x) to The Mint; The Mint returns r H(x)^d; the user divides out r to keep (x, H(x)^d)]
RSA-based Blind Signatures
• Public key (e, N) and corresponding private key (d, p, q), such that N = p*q and e*d = 1 mod Φ(N)
• Choose a random r coprime to N, i.e., GCD(r, N) = 1. r^e mod N is then used as a blinding factor. (GCD = greatest common divisor)
• m' = m * r^e mod N (m' is random, does not leak any info about m)
• m' is sent to the signing authority, who signs it as
• s' = (m')^d mod N = m^d * r^(ed) mod N = m^d * r mod N
• s' is sent back to the message owner, who unblinds it by multiplying by r^-1 to obtain the signature s = m^d mod N
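The withdrawal described above, worked end to end as an added example (not code from the slides): the user blinds H(x), the mint signs the blinded value, and the user unblinds to obtain the coin (x, H(x)^d mod N). The primes, the choice of SHA-256 as H, and the names are assumptions made here.

```python
import hashlib
from math import gcd
from secrets import randbelow

# Toy RSA minting key built from two constructed primes; far too small for
# real use (the slides call for primes of at least 2048 bits).
P, Q = 1000003, 999983
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # d = e^-1 mod phi(N)

def H(x):
    """Hash the coin's serial number x into Z_N (SHA-256, reduced mod N)."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big") % N

def blind(x):
    """User side: pick r coprime to N and return (m', r) with m' = H(x) * r^e mod N."""
    while True:
        r = 2 + randbelow(N - 2)          # 2 <= r < N, never the trivial r = 1
        if gcd(r, N) == 1:
            break
    return (H(x) * pow(r, E, N)) % N, r

def mint_sign(m_blinded):
    """Mint side: sign what it is given; it only ever sees the random-looking m'."""
    return pow(m_blinded, D, N)           # s' = (m')^d = H(x)^d * r mod N

def unblind(s_blinded, r):
    """User side: multiply by r^-1 to strip the blinding and get s = H(x)^d mod N."""
    return (s_blinded * pow(r, -1, N)) % N

def verify_coin(x, s):
    """Anyone holding the public key: (x, s) is a genuine coin iff s^e == H(x) mod N."""
    return pow(s, E, N) == H(x)

def withdraw_coin(x):
    """Complete withdrawal; returns the coin (x, H(x)^d mod N)."""
    m_blinded, r = blind(x)
    return x, unblind(mint_sign(m_blinded), r)
```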
Anonymous Payments via RSA-based Blind Signatures
(to withdraw coins: obtain Bank's signature on a coin (m))
(1) User sends m' = m * r^e mod N to the Bank
(2) Bank signs: s' = m^d * r mod N
(3) User unblinds: s = s' * r^-1 mod N = m^d mod N
(4) User transfers coins to the payee: sends coin s
(5) User receives goods or services
(6) Payee to Bank: "I got this coin: s = m^d mod N. Was it M?" Bank: "Not sure!? I saw a random value: s' = m^d * r mod N"
Tracing Double-Spenders
• p1, p2: two large prime numbers such that p2 | p1 - 1
• G: subgroup of Z*_p1 such that |G| = p2
• g: generator of G
• I: the user's identity (set up by the bank), expressed as a number
Coin = (g^a mod p1, g^b mod p1, H(g^a, g^b)^d mod N), where I = ab mod p2
Tracing Double-Spenders
[Payment protocol]
Buyer → Seller: the coin (g^a mod p1, g^b mod p1, H(g^a, g^b)^(1/3)) (the Bank's RSA signature, here with e = 3)
Seller:
• verify Bank's signature
• send random challenge k
Buyer → Seller: r = ak + b
Seller:
• verify g^r = (g^a)^k g^b
Tracing Double-Spenders
Two Payments with the same coin yield the Buyer's Identity
r = ak + b, r' = ak' + b → a, b → I
(with a single payment, r = ak + b leaves a and b unknown)
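The challenge-response payment and the bank's tracing step, as an added example (not code from the slides). It uses constructed toy group parameters (p1 = 47, p2 = 23, g = 4) and assumes the bank chooses b from the user's identity I and a random a; the bank's RSA signature on (g^a, g^b) is assumed to have been verified separately.

```python
from secrets import randbelow

# Constructed toy parameters: p2 | p1 - 1 and g generates the order-p2
# subgroup G of Z*_p1 (47 - 1 = 2 * 23; 4 = 2^2 has order 23 mod 47).
# Real deployments use a p1 of about 2048 bits.
P1, P2, G = 47, 23, 4

def make_coin(identity, a):
    """Coin setup (assumption: bank derives b from I and a so that I = a*b mod p2).
    Returns the public coin part (g^a, g^b) and the buyer's secret exponents (a, b)."""
    b = (identity * pow(a, -1, P2)) % P2
    return (pow(G, a, P1), pow(G, b, P1)), (a, b)

def challenge():
    """Seller picks a fresh random challenge k in [1, p2)."""
    return 1 + randbelow(P2 - 1)

def pay(secret, k):
    """Buyer answers challenge k with r = a*k + b mod p2."""
    a, b = secret
    return (a * k + b) % P2

def seller_accepts(coin, k, r):
    """Seller checks g^r == (g^a)^k * g^b mod p1 before handing over goods."""
    ga, gb = coin
    return pow(G, r, P1) == (pow(ga, k, P1) * gb) % P1

def trace_double_spender(k1, r1, k2, r2):
    """Bank side: two deposits of the same coin with different challenges.
    r1 - r2 = a*(k1 - k2) mod p2 gives a, then b = r1 - a*k1, then I = a*b."""
    if (k1 - k2) % P2 == 0:
        raise ValueError("challenges must differ mod p2")
    a = ((r1 - r2) * pow((k1 - k2) % P2, -1, P2)) % P2
    b = (r1 - a * k1) % P2
    return (a * b) % P2
```

A single honest payment reveals only r = ak + b, one linear equation in two unknowns, so the identity stays hidden unless the coin is spent twice.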
A lot of E-Cash and anonymous payment schemes followed similar blueprints in the 1990s and early 2000s
2009-2016
• 2009: Bitcoin paper by Satoshi Nakamoto (pseudonym for an individual or a group)
• 2009-2011: slow start...
• 2011-2013: Silk Road and Dread Pirate Roberts
• End of 2013: Bitcoin price skyrockets; a lot of people notice
• 2014-2015: Price drops by 75%
• 2016: Price up again
In 2016: Large Ecosystem
• Market Capitalization over $4 Billion ($8.2 Billion a year ago)
• Number of transactions growing steadily
Bitcoin (BTC) Preliminaries
• Cryptographic Hash Function: a hash function that is hard to invert, i.e., computationally infeasible to recreate data from the hash value alone, e.g., the Secure Hash Algorithm (SHA)
• Required properties of a Cryptographic Hash Function:
  i. easy to compute the hash value h() of any message m
  ii. given h(m) it is (computationally) infeasible to recover m
  iii. infeasible to modify m without h(m) also being modified
  iv. infeasible to find two different m with the same hash (collision resistance)
• Proof-of-Work Schemes/Protocols: originally invented as an economic measure to prevent denial-of-service and spam by requiring clients to solve computationally demanding puzzles, e.g., find a number that has a certain preamble (say 3 zeros) in its hash
Stepping Back
Stepping back: most physical and digital currencies today effectively exist in the form of a ledger.
[Figure: Electronic Accounts in Banks vs. the Blockchain in Bitcoin (BTC)]
Questions Answered by Bitcoin (BTC)
• How to maintain the integrity of a public ledger in a distributed manner (BTC answer: longest chain of verified transactions)
• How to use such a ledger for transactions (BTC answer: transferring coins via signatures)
• How to incentivize people to allocate CPU power to ensure the integrity of the longest chain (BTC answer: reward with newly minted coins when verifying transactions, also called mining)
Bitcoin's Peer-to-Peer Network
• A peer-to-peer network without any "central" authority for ensuring the integrity of transactions and keeping track of ownership of (Bit)coins (and minting them)
• Ledger and history of ALL transactions are public and available for anyone to inspect
Transactions in Bitcoin
[Figure: Owner 0 is transferring Coin(s) to Owner 1]
A (Bit)coin is defined as a chain of digital signatures.
Timestamps in Bitcoin
• Hash a block of items (transactions) to be timestamped and widely publish the hash
• The timestamp proves that the data must have existed in order to have gotten into the hash
• Each timestamp includes the previous timestamp in the hash, forming a chain (the Bitcoin blockchain)
• Each additional timestamp reinforces the ones before it
[Figure: a chain of blocks, each holding items (Item, Item, ...) and each hash covering the previous block's hash]
Proof-of-Work (PoW) and Incentives in Bitcoin
• PoW in Bitcoin is finding a value such that, when hashed (SHA-256), the hash begins with a certain number of zeros (control of difficulty level)
• Incentive for Mining / Ensuring Integrity of the Blockchain: The first transaction in a block is a special transaction that starts a new coin owned by the creator of the block.
[Figure: a chain of blocks, each holding a Previous Hash, a Nonce (to be found), and transactions (Tx, Tx, ...)]
Operation of Bitcoin's Network
1) New transactions are broadcast to all nodes
2) Each node collects new transactions into a block
3) Each node works on finding a difficult proof-of-work for its block
4) When a node finds a proof-of-work, it broadcasts the block to all nodes
5) Nodes accept the block only if all transactions in it are valid and not already spent
6) Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash
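The proof-of-work search (step 3) and the acceptance check (steps 5 and 6) over the block layout from the previous slide, as an added example rather than Bitcoin's own code. It assumes a simplified block of (previous hash, transaction list, nonce), SHA-256 over a JSON encoding, a difficulty expressed in leading zero bits, and constructed sample transactions; the transaction-validity check of step 5 is reduced to the link and work checks.

```python
import hashlib
import json

DIFFICULTY_BITS = 12        # leading zero bits required; Bitcoin adjusts this over time
GENESIS_PREV = "0" * 64     # the first block points at an all-zero previous hash

def block_hash(prev_hash, txs, nonce):
    """SHA-256 over the block's three fields from the slides: previous hash, Tx list, nonce."""
    payload = json.dumps({"prev": prev_hash, "txs": txs, "nonce": nonce}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def meets_target(digest_hex, bits=DIFFICULTY_BITS):
    """Proof-of-work condition: the hash begins with `bits` zero bits."""
    return int(digest_hex, 16) >> (256 - bits) == 0

def mine(prev_hash, txs, bits=DIFFICULTY_BITS):
    """Step 3: try nonces in order until the block hash meets the target."""
    nonce = 0
    while not meets_target(block_hash(prev_hash, txs, nonce), bits):
        nonce += 1
    return {"prev": prev_hash, "txs": txs, "nonce": nonce}

def valid_chain(chain, bits=DIFFICULTY_BITS):
    """Steps 5-6 as a node sees them: each block must link to the hash of the
    accepted block before it and must carry valid work.  Editing any earlier
    block changes its hash, so every later link (and its work) breaks."""
    prev = GENESIS_PREV
    for blk in chain:
        if blk["prev"] != prev:
            return False
        h = block_hash(blk["prev"], blk["txs"], blk["nonce"])
        if not meets_target(h, bits):
            return False
        prev = h
    return True

def build_chain(tx_lists, bits=DIFFICULTY_BITS):
    """Mine one block per transaction list, chaining each to its predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for txs in tx_lists:
        blk = mine(prev, txs, bits)
        chain.append(blk)
        prev = block_hash(blk["prev"], blk["txs"], blk["nonce"])
    return chain
```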
51%Attack
Blockchain Size
More Features of Bitcoin
Additional Features:
– Saving disk space by using hash (Merkle) trees to compress the history of coins
– Allow multiple inputs and outputs to be handled with one transaction
Alternative Coins (Alt-Coins)
Digital Currency Scheme | Centralized/Decentralized | Can be Regulated? | Security Guarantees | Privacy/Anonymity Guarantees | Resilience Guarantees
Bitcoin, Namecoin | Fully (P2P) Decentralized | No | SHA-256 proof-of-work | Unrecoverable (but Linkable) Anonymity | P2P Decentralized Ledger
Litecoin | Fully (P2P) Decentralized | No | Scrypt-based proof-of-work | Unrecoverable (but Linkable) Anonymity | P2P Decentralized Ledger
Zerocoin | Fully (P2P) Decentralized | No | SHA-256 proof-of-work | Unrecoverable, Unlinkable Anonymity | P2P Decentralized Ledger
PPcoin | Fully (P2P) Decentralized | No | SHA-256 proof-of-work / proof-of-stake | Unrecoverable (but Linkable) Anonymity | P2P Decentralized Ledger
Ripple | Fully (P2P) Decentralized | No | Trust-based consensus | Anonymity Level Varies | P2P Decentralized Ledger
– Essentially all follow the Bitcoin blueprint
– Ethereum is the new kid on the block (smart contracts via a "Turing complete" language)