
Top 20 Cryptocurrencies on Aggregate market value - Proof of ‘X’ and Hash functions used -

ISI Kolkata Workshop, Nov 30th, 2017

CRYPTOGRAPHY with BlockChain

- Hash Functions, Signatures and Anonymization -

Hiroaki ANADA*1, Kouichi SAKURAI*2 *1: University of Nagasaki, *2: Kyushu University

Acknowledgements: This work is supported by: Grants-in-Aid for Scientific Research of Japan Society for the Promotion of Science; Research Project Number: JP15H02711

Table of Contents

1. Cryptographic Primitives in
2. Hash Functions
   a. Roles
   b. Various Hash functions used for Proof of ‘X’
3. Signatures
   a. Standard Signatures (ECDSA)
   b. Ring Signatures
   c. One-Time Signatures (Winternitz)
4. Anonymization Techniques
   a. Mixing (CoinJoin)
   b. Zero-Knowledge proofs (zk-SNARK)
5. Conclusion

Brief History of Proof of ‘X’

1992: “Pricing via Processing or Combatting Junk Mail” Dwork, C. and Naor, M., CRYPTO ’92 Pricing Functions

2003: “Moderately Hard Functions: From Complexity to Spam Fighting” Naor, M., Foundations of Soft. Tech. and Theoretical Comp. Sci.

2008: “Bitcoin: A peer-to-peer electronic cash system” Nakamoto, S.

Brief History of Proof of ‘X’

2008: “Bitcoin: A peer-to-peer electronic cash system” Nakamoto, S. Proof of Work

2012: “ (& Proof of Work)

~ : Delegated Proof of Stake, Proof of Storage, Proof of Importance, Proof of Reserves, Proof of Consensus, ...

Proofs of ‘X’

Hash-based Proof of ‘X’
1. Proof of Work
2. Proof of Stake
3. Delegated Proof of Stake
4. Proof of Importance

5. Proof of Consensus
6. Proof of Reserves

Not “Proof of ‘X’”...
1. delegated Byzantine Fault Tolerance alternative


2. Roles of Hash functions in Blockchains

From signing to MINING

Roles of Hash functions in Blockchains

1. Generating Address of Wallet
   ➢ Pseudonym

2. Generating Digital signature
   ➢ ECDSA
   ➢ One-time signature

3. Defining Hard problem for Proof of ‘X’
   ➢ Proof of Work
   ➢ Proof of Stake
   ➢ Proof of ‘X’

Hash for Proof of ‘X’

A Blockchain extends one-way
➢ Never shrink, Never split
➢ Due to one-wayness of Hash function
➢ Due to Equiprobability of Hash domain

[Figure: a chain block1, block2, block3, block4, block5 with alternative blocks block3’ and block4’]

Hash for Proof of Work

Hard problem: Find a �����
�(����_���� || �� || �����) < � as integers
• ��: Transactions to be approved
• �: parameter for difficulty control

[Figure: miners “working...”, until one says “I found it!” (“worked!”)]

Hash for Proof of Stake

Lottery Problem: Is my ������� lucky?
� ����_���� || ����(���) || ������� < (�� �������)/� as integers depending on Stake
• �: parameter for difficulty control

[Figure: addresses drawing the lottery: “No hit...”, “No hit...”, “Hit! Lucky my address!”]

Hash-based Proofs of ‘X’

1. Proof of Work
   ➢ Finding a nonce in the Equiprobable Hash domain

2. Proof of Stake
   ➢ A Lottery based on address and stake

Variants
3. Delegated Proof of Stake
4. Proof of Importance

2. hash functions used

Requirements on Hash function

1. Difficulty controllable (adjustable)
2. Quick verification [1]
3. Progress-free (Memoryless to the next search)
4. Equiprobable Domain
5. ASIC-resistance

[1] Narayanan, A., Bonneau, J., Felten, E., Miller, A., and Goldfeder, S.: “Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction” Princeton University Press, 2016

What is “Equiprobable Domain”?

• Each candidate point on the Hash Domain should have an Equal probability of Winning

�: ������ → �, � � �(����_���� || �� || �����) < � as integers

➢ Non-trivial feature
➢ Critical to our

ASIC-resistance

• No significant speedup by implementing the mining algorithm in an ASIC, as compared to a CPU based implementation

ASIC-Resistant (One-way) Function

• Bandwidth Hard Functions for ASIC Resistance
  • Ling Ren and Srinivas Devadas, TCC 2017
• Alex Biryukov et al.
  • Symmetrically and Asymmetrically Hard Cryptography, ASIACRYPT 2017
  • Asymmetric proof-of-work based on the generalized birthday problem. NDSS 2016.
  • Fast and tradeoff-resilient memory-hard functions for cryptocurrencies and password hashing, 2015.
  • Tradeoff cryptanalysis of memory-hard functions. Cryptology ePrint Archive 2015.

3. Hash Functions Used


SHA-2 in {Bitcoin, , NEM, , Peercoin, …}

• NIST Standard
• Low Memory-use

One iteration of Compression Function of SHA-2 (SHA-256)

https://ja.wikipedia.org/wiki/SHA-2

SHA-3 in {IOTA}

• More security as Hash function

Sponge Structure of SHA-3

https://ja.wikipedia.org/wiki/SHA-3

Ethash in {, }

• Memory Hard
• Steps: ①,…,⑥

https://www.vijaypradeep.com/blog/2017-04-28-ethereums-memory-hardness-explained/

Scrypt in {, , …}

• Memory Hard
• Memory Bound → ASIC Resistant!

    Scrypt(N, seed)
        V = [0]*N                      // Initialize the inner state
        // Fill the inner state with pseudo-randomness
        V[0] = seed
        for i = 1 to N-1:              // indices 1 .. N-1 of the N-entry state
            V[i] = SHA-256(V[i-1])
        // Access in the order given by the pseudo-randomness
        X = SHA-256(V[N-1])
        for i = 1 to N:                // N data-dependent lookups
            j = X % N
            X = SHA-256(X ^ V[j])
        Return X

X11 in {}

• The 11 survivors after 1st round of SHA-3 Competition
  1) BLAKE, 2) BMW, 3) Groestl, 4) JH, 5) Keccak, 6) Skein, 7) Luffa, 8) CubeHash, 9) SHAvite-3, 10) SIMD, 11) ECHO
• ASIC resistant (?)

[Figure: input → Hash① → Hash② → … → Hash⑪ → output]

CryptoNight in {}

• ASIC-resistant (executable only with CPU/GPU)
• Based on SHA-3 & AES

→ Memory Hard Loop

https://cryptonote.org/cns/cns008.txt

4. Difficulty Control Methods

Previous Work on Difficulty Control

• Mining time is Exponentially Distributed [3][4]
• Discussion as Poisson Process [4]

10min: 63%, 30min: 95%, 60min: 99.7%

[3] Rosenfeld, M.: “Analysis of Bitcoin Pooled Mining Reward Systems”, http://arxiv.org/abs/1112.4980, 2011
[4] Kraft, D.: “Difficulty control for blockchain-based consensus systems”, Peer-to-Peer Networking and Applications, 2016

Difficulty Control on Proof of Work

Search problem: �(����_���� || �� || �����) < � as integers

• � : the controlling parameter
• Bitcoin: 2016 ⋅ 10��� �’: = � ⋅ Latest Mining Time for 2016 blocks
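The search problem and the 2016-block adjustment above, together with the exponential mining-time figures from the previous slide, as an added Python example that is not from the slides. It assumes plain SHA-256 for the hash, an 8-byte nonce, and the target form of Bitcoin's rule (the target scales with the measured time, limited to a factor of 4); all function names are illustrative.

```python
import hashlib
import math

MAX_HASH = 2 ** 256            # size of SHA-256's output space

def pow_hash(prev_hash: bytes, tx: bytes, nonce: int) -> int:
    """Hash of prev_hash || tx || nonce, read as a big-endian integer."""
    data = prev_hash + tx + nonce.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def mine(prev_hash: bytes, tx: bytes, target: int) -> int:
    """Try nonces 0, 1, 2, ... until the hash falls below the target."""
    nonce = 0
    while pow_hash(prev_hash, tx, nonce) >= target:
        nonce += 1
    return nonce

def verify(prev_hash: bytes, tx: bytes, nonce: int, target: int) -> bool:
    """Quick verification: one hash evaluation, however long mining took."""
    return pow_hash(prev_hash, tx, nonce) < target

def expected_tries(target: int) -> float:
    """Equiprobable domain: each nonce wins with probability target / 2^256."""
    return MAX_HASH / target

def retarget(old_target: int, actual_seconds: int, blocks=2016, spacing=600) -> int:
    """Bitcoin-style adjustment every `blocks` blocks, limited to a factor of 4."""
    expected = blocks * spacing
    actual = min(max(actual_seconds, expected // 4), expected * 4)
    return min(old_target * actual // expected, MAX_HASH - 1)

def p_block_within(minutes: float, mean_minutes: float = 10.0) -> float:
    """Exponentially distributed mining time: P(T <= t) = 1 - exp(-t / mean)."""
    return 1.0 - math.exp(-minutes / mean_minutes)

if __name__ == "__main__":
    prev, tx = bytes(32), b"constructed sample transactions"
    target = MAX_HASH >> 16                      # toy difficulty, ~65536 tries
    nonce = mine(prev, tx, target)
    print(nonce, verify(prev, tx, nonce, target), expected_tries(target))
    # Blocks arriving twice as fast as intended halve the target.
    print(retarget(target, 2016 * 300) == target // 2)
    print([round(100 * p_block_within(m), 2) for m in (10, 30, 60)])
```

Because each try is independent of the previous ones, the search is progress-free, which is what makes the waiting time exponential.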

Difficulty Control on Proof of Stake

Lottery Problem: � ����_���� || ����(���) || ������� < (�� �������)/� as integers depending on Stake

• � : the controlling parameter

2. Signatures used in Blockchains


ECDSA in {Bitcoin, etc.}

• NIST Standard [6]
  ➢ FIPS-PUB 186-3
• Shorter than RSA signatures

[6] “Digital Signature Standard (DSS)” National Institute of Standards and Technology, 2009

Ring Signatures in {Monero}

• The ring signatures [5] mix spender's address with a group of others
• Making it exponentially more difficult to establish a link between each subsequent transaction
• Impossible to discover actual destination
• The "ring confidential transactions" mechanism hides the transferred amount

[5] “How to leak a secret”, Rivest, R., Shamir, A., and Tauman, Y., ASIACRYPT 2001

Analysis on MONERO

• ESORICS 2017 Session 12: Blockchain
  • Amrit Kumar, Clément Fischer, Shruti Tople and Prateek Saxena.
    • “A Traceability Analysis of Monero’s Blockchain”
  • Shi-Feng Sun, Man Ho Au, Joseph Liu and Tsz Hon Yuen.
    • “RingCT 2.0: A Compact Linkable Ring Signature Based Protocol for Blockchain Cryptocurrency Monero”
• ProvSec2017 KeyNote by J.Liu and M.H.AU
  • “(Linkable) Ring Signature and its Applications to Blockchain”
  • We will further relate linkable ring signature to Monero, one of the current largest blockchain-based cryptocurrency in the world, which is considered to be the most commercial deployment of linkable ring signature nowadays. Finally, we will discuss ways to improve the RingCT (Ring Confidential Transactions) of Monero, the linkable ring signature based protocol to provide privacy for Monero users.

Winternitz One-time signatures in {IOTA}

• A Secret key of one-time signature is usable for only one time
  → In a Blockchain, Address is used for only one time
• Believed Quantum Resistant(?)
• Ref. Post Quantum Signatures
  • By J.Buchmann and D.J. Bernstein
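A Winternitz one-time signature as a runnable sketch, added here and not taken from the slides or from IOTA's code. It assumes SHA-256 and w = 16 (IOTA's own scheme uses different parameters and a different hash); `covered_by` is a hypothetical helper showing what the checksum digits rule out.

```python
import hashlib
import secrets

W = 16                       # Winternitz parameter: 4 bits per digit
L1, L2 = 64, 3               # 64 message digits + 3 checksum digits

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def chain(x: bytes, steps: int) -> bytes:
    """Apply H `steps` times (easy forward, infeasible backward)."""
    for _ in range(steps):
        x = H(x)
    return x

def digits(msg: bytes):
    """Base-16 digits of SHA-256(msg), followed by the checksum digits."""
    d = [n for byte in H(msg) for n in (byte >> 4, byte & 0xF)]
    csum = sum(W - 1 - x for x in d)              # at most 64 * 15 = 960
    return d + [(csum >> s) & 0xF for s in (8, 4, 0)]

def keygen():
    """Secret key: 67 random chain starts; public key: hash of the chain ends."""
    sk = [secrets.token_bytes(32) for _ in range(L1 + L2)]
    pk = H(b"".join(chain(s, W - 1) for s in sk))
    return sk, pk

def sign(sk, msg: bytes):
    """Reveal, for each digit d, the chain value d steps from the secret."""
    return [chain(s, d) for s, d in zip(sk, digits(msg))]

def verify(pk: bytes, msg: bytes, sig) -> bool:
    """Walk every revealed value the remaining steps and compare with pk."""
    if len(sig) != L1 + L2:
        return False
    ends = [chain(s, W - 1 - d) for s, d in zip(sig, digits(msg))]
    return H(b"".join(ends)) == pk

def covered_by(signed: bytes, other: bytes) -> bool:
    """True if every digit of `other` is >= the digit revealed for `signed`,
    so that a signature on `other` would follow by hashing forward only."""
    return all(o >= s for s, o in zip(digits(signed), digits(other)))

if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample transaction"
    print(verify(pk, msg, sign(sk, msg)), covered_by(msg, b"another message"))
```

After one signature the checksum guarantees that every other message needs at least one chain value earlier than the one revealed; a second signature under the same key reveals more of each chain and removes that guarantee, which is why the key, and hence the address, is used once.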

Security of IOTA ?

• IOTA is trying to do with DAGs or the SPECTRE protocol (eprint.iacr/2016/1159) -

• Our "Bitcoin Block Withholding Attack : Analysis and Mitigation[BRS]” • [BRS] Bag, Ruj, and Sakurai “Bitcoin Block Withholding Attack : Analysis and Mitigation” IEEE Trans.IFS 2017.

3. Anonymization techniques used in Blockchains


Mixing by {CoinJoin}

• Anonymization method for bitcoin transactions

https://en.wikipedia.org/wiki/CoinJoin

zk-SNARK in {}

• Succinct Zero-Knowledge Argument of Knowledge

[6] "Secure Sampling of Public Parameters for Succinct Zero Knowledge Proofs", Ben-Sasson, E., Chiesa, A., Green, M., Tromer, E., Virza, M., IEEE S&P 2015

Challenging Problems

1. Investigate each Coin more
   1. Only the whitepaper claims its own security
   2. Whereas there is little third-party research before proposal/operation
2. New design (ISI- B.R. coin ?)
   1. Quantum-resistance
      1. Proof of Work, Proof of Stake
   2. Assuring Scalability for > 10 million users
      1. Proof of Work, Proof of Stake
      2. Mining time
   3. Anonymization Techniques


Thank you for your attention!

[SAKURAI 2005 May 23rd MOU CRSI-ISIT]
[ANADA: 2014 Nov 24th-25th MOU ISI&CRSI-ISIT]
