Proof of 'X' and Hash Functions Used
Top 20 Cryptocurrencies on Aggregate Market Value - Proof of 'X' and Hash Functions Used

ISI Kolkata Blockchain Workshop, Nov 30th, 2017
CRYPTOGRAPHY with Blockchain - Hash Functions, Signatures and Anonymization
Hiroaki ANADA*1, Kouichi SAKURAI*2
*1: University of Nagasaki, *2: Kyushu University
Acknowledgements: This work is supported by Grants-in-Aid for Scientific Research of the Japan Society for the Promotion of Science, Research Project Number JP15H02711.

Table of Contents
1. Cryptographic Primitives in Blockchains
2. Hash Functions
   a. Roles
   b. Various hash functions used for Proof of 'X'
3. Signatures
   a. Standard signatures (ECDSA)
   b. Ring signatures
   c. One-time signatures (Winternitz)
4. Anonymization Techniques
   a. Mixing (CoinJoin)
   b. Zero-knowledge proofs (zk-SNARK)
5. Conclusion

Brief History of Proof of 'X'
• 1992: "Pricing via Processing or Combatting Junk Mail", Dwork, C. and Naor, M., CRYPTO '92 (pricing functions)
• 2003: "Moderately Hard Functions: From Complexity to Spam Fighting", Naor, M., Foundations of Software Technology and Theoretical Computer Science
• 2008: "Bitcoin: A Peer-to-Peer Electronic Cash System", Nakamoto, S. (Proof of Work)
• 2012: Peercoin (Proof of Stake, combined with Proof of Work)
• Since then: Delegated Proof of Stake, Proof of Storage, Proof of Importance, Proof of Reserves, Proof of Consensus, ...

Proofs of 'X'
1. Proof of Work   } hash-based Proof of 'X'
2. Proof of Stake  }
3. Delegated Proof of Stake
4. Proof of Importance
5. Proof of Consensus
6. Proof of Reserves
Not a "Proof of 'X'": delegated Byzantine Fault Tolerance, an alternative consensus mechanism

2. Roles of Hash Functions in Blockchains
From signing to MINING

Roles of hash functions in blockchains
1. Generating the address of a wallet
   - Pseudonym
2. Generating a digital signature
   - ECDSA
   - One-time signature
3. Defining the hard problem for Proof of 'X'
   - Proof of Work
   - Proof of Stake
   - Proof of 'X'

Hash for Proof of 'X'
A blockchain extends in one direction only
   - It never shrinks and never splits
   - Due to the one-wayness of the hash function
   - Due to the equiprobability of the hash domain
[figure: block1 → block2 → block3 → block4 → block5, with a competing branch block3' → block4']

Hash for Proof of Work
Hard problem: find a nonce such that
   H(prev_hash || Tx || nonce) < D   (compared as integers)
   - Tx: the transactions to be approved
   - D: the parameter for difficulty control
[figure: miners "working... working..." until one of them shouts "I found it!"]

Hash for Proof of Stake
Lottery problem: is my address lucky?
   H(prev_hash || time(now) || address) < (my balance) / D   (compared as integers)
   - D: the parameter for difficulty control; the threshold depends on the stake
[figure: stakers "No hit... No hit..." until one of them shouts "Hit! Lucky my address!"]

Hash-based Proofs of 'X'
1. Proof of Work
   - Finding a nonce in the equiprobable hash domain
2. Proof of Stake
   - A lottery based on address and stake
Variants
3. Delegated Proof of Stake
4. Proof of Importance

Requirements on the hash function
1. Difficulty controllable (adjustable)
2. Quick verification [1]
3. Progress-free (memoryless: previous attempts give no advantage in the next search)
4. Equiprobable domain
5. ASIC-resistance
[1] Narayanan, A., Bonneau, J., Felten, E., Miller, A., and Goldfeder, S.: "Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction", Princeton University Press, 2016

What is an "Equiprobable Domain"?
• Each candidate point of the hash domain should have an equal probability of winning:
   H : Domain → Range, and for every candidate nonce the probability that
   H(prev_hash || Tx || nonce) < D   (compared as integers)
   is the same
   - A non-trivial feature
   - Critical to our

ASIC-resistance
• No significant speedup from implementing the mining algorithm in an ASIC, compared to a CPU-based implementation

ASIC-resistant (one-way) functions
• "Bandwidth Hard Functions for ASIC Resistance", Ling Ren and Srinivas Devadas, TCC 2017
• Alex Biryukov et al.:
   - "Symmetrically and Asymmetrically Hard Cryptography", ASIACRYPT 2017
   - "Asymmetric proof-of-work based on the generalized birthday problem", NDSS 2016
   - "Fast and tradeoff-resilient memory-hard functions for cryptocurrencies and password hashing", 2015
   - "Tradeoff cryptanalysis of memory-hard functions", Cryptology ePrint Archive, 2015

3. Hash Functions Used

SHA-2 in {Bitcoin, Bitcoin Cash, NEM, Namecoin, Peercoin, ...}
• NIST standard
• Low memory use
[figure: one iteration of the compression function of SHA-2 (SHA-256), https://ja.wikipedia.org/wiki/SHA-2]

SHA-3 in {IOTA}
• More security margin as a hash function (sponge structure)
[figure: sponge structure of SHA-3, https://ja.wikipedia.org/wiki/SHA-3]

Ethash in {Ethereum, Ethereum Classic}
• Memory hard
• Steps ①, ..., ⑥
[figure: https://www.vijaypradeep.com/blog/2017-04-28-ethereums-memory-hardness-explained/]

Scrypt in {Litecoin, Dogecoin, ...}
• Memory hard
• Memory bound → ASIC resistant!
The slide's sketch of the idea (the ROMix core; real scrypt wraps it in PBKDF2-HMAC-SHA256 and uses a Salsa20/8-based BlockMix instead of plain SHA-256), made runnable in Python:

    import hashlib

    def H(data):
        return hashlib.sha256(data).digest()

    def scrypt_like(N, seed):
        # Fill the inner state with pseudo-randomness: a chain of N hashes
        V = [b""] * N
        V[0] = H(seed)              # hashed so that every slot is 32 bytes
        for i in range(1, N):
            V[i] = H(V[i - 1])
        # Access the state in an order dictated by the pseudo-randomness itself,
        # so all of V must be kept in memory (or expensively recomputed)
        X = H(V[N - 1])
        for _ in range(N):
            j = int.from_bytes(X, "big") % N
            X = H(bytes(a ^ b for a, b in zip(X, V[j])))
        return X

X11 in {DASH}
• Eleven of the fourteen candidates that survived the first round of the SHA-3 competition, applied in sequence:
  1) BLAKE, 2) BMW, 3) Groestl, 4) JH, 5) Keccak, 6) Skein, 7) Luffa, 8) CubeHash, 9) SHAvite-3, 10) SIMD, 11) ECHO
• ASIC resistant (?)
[figure: input → Hash① → Hash② → ... → Hash⑪ → output]

CryptoNight in {Monero}
• Designed to be ASIC-resistant (intended to run only on CPU/GPU)
• Based on SHA-3 (Keccak) and AES → memory-hard loop
https://cryptonote.org/cns/cns008.txt
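The two hash-based proofs of 'X' from the "Hash for Proof of Work" and "Hash for Proof of Stake" slides, together with the retarget rule from the "Difficulty Control on Proof of Work" slide, carried through in Python as an added example that is not part of the original slides. SHA-256 stands in for H; the parameter D is represented as a target integer in [0, 2^256) so that the "< D as integers" comparison is literal; prev_hash, Tx, addresses and stakes are constructed sample values. The clamping of the measured timespan to a factor of four in `retarget` is Bitcoin's actual rule, which the slide does not mention.

```python
import hashlib

# Added example, not from the slides. SHA-256 plays the role of H; the
# difficulty parameter D is represented as a target integer in [0, 2**256)
# so that "H(...) < D as integers" is a literal comparison.
MAX_HASH = 2 ** 256


def H(data: bytes) -> int:
    """Hash to an integer so the slides' '< D' comparison is literal."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def pow_verify(prev_hash: bytes, tx: bytes, nonce: int, target: int) -> bool:
    """Quick verification: a single hash, however long the search took."""
    return H(prev_hash + tx + nonce.to_bytes(8, "big")) < target


def pow_mine(prev_hash: bytes, tx: bytes, target: int, start: int = 0) -> int:
    """Search for a nonce with H(prev_hash || Tx || nonce) < target.
    Every candidate wins with the same probability target / 2**256 (the
    'equiprobable domain'), and the search is progress-free: starting at
    any 'start' gives the same expected number of trials."""
    nonce = start
    while not pow_verify(prev_hash, tx, nonce, target):
        nonce += 1
    return nonce


def pos_lottery(prev_hash: bytes, now: int, address: bytes, stake: int, D: int) -> bool:
    """Proof-of-Stake lottery: H(prev_hash || time(now) || address) < stake / D,
    with stake / D scaled to the hash range. There is no nonce to grind; the
    only input that changes is the clock, so the hit rate is proportional to
    the stake and cannot be raised by burning CPU."""
    threshold = stake * MAX_HASH // D
    return H(prev_hash + now.to_bytes(8, "big") + address) < threshold


def retarget(target: int, actual_seconds: int,
             blocks: int = 2016, spacing_seconds: int = 600) -> int:
    """Bitcoin-style retarget: D' = D * (time taken for 2016 blocks) / (2016 * 10 min).
    The measured timespan is clamped to [expected/4, 4*expected], which is
    Bitcoin's actual rule (not on the slide) and bounds each adjustment."""
    expected = blocks * spacing_seconds
    actual = min(max(actual_seconds, expected // 4), expected * 4)
    return min(target * actual // expected, MAX_HASH - 1)


if __name__ == "__main__":
    prev_hash = b"\x00" * 32                   # constructed sample values
    tx = b"alice->bob:1"
    target = 2 ** 240                          # about 2**16 trials expected
    nonce = pow_mine(prev_hash, tx, target)
    print("PoW nonce", nonce, "verifies:", pow_verify(prev_hash, tx, nonce, target))
    hits = {s: sum(pos_lottery(prev_hash, t, b"addr-%d" % s, s, 100) for t in range(4000))
            for s in (0, 1, 3)}
    print("PoS hits over 4000 slots, by stake:", hits)
    print("twice the expected time doubles the target:",
          retarget(target, 2016 * 600 * 2) == 2 * target)
```

With target = 2^240 the search needs about 2^16 hashes on average while verification is one hash; over 4000 clock slots the stake-3 address is hit about three times as often as the stake-1 address and a zero-stake address never, which is the whole content of the lottery. Note that a retarget period that took 100 times longer than expected still only quadruples the target because of the clamp.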
4. Difficulty Control Methods

Previous Work on Difficulty Control
• Mining time is exponentially distributed [3][4]
• Discussed as a Poisson process [4]
[figure: with a 10-minute mean, the probability that the next block is found within 10 min / 30 min / 60 min is 63% / 95% / 99.7%]
[3] Rosenfeld, M.: "Analysis of Bitcoin Pooled Mining Reward Systems", http://arxiv.org/abs/1112.4980, 2011
[4] Kraft, D.: "Difficulty control for blockchain-based consensus systems", Peer-to-Peer Networking and Applications, 2016

Difficulty Control on Proof of Work
Search problem:  H(prev_hash || Tx || nonce) < D   (compared as integers)
• D: the controlling parameter
• Bitcoin: every 2016 blocks,
   D' := D * (latest mining time for 2016 blocks) / (2016 * 10 min)

Difficulty Control on Proof of Stake
Lottery problem:  H(prev_hash || time(now) || address) < (my balance) / D   (compared as integers; the threshold depends on the stake)
• D: the controlling parameter

3. Signatures Used in Blockchains

ECDSA in {Bitcoin, etc.}
• NIST standard [6]
   - FIPS PUB 186-3
• Shorter than RSA signatures
[6] "Digital Signature Standard (DSS)", National Institute of Standards and Technology, 2009

Ring Signatures in {Monero}
• The ring signature [5] mixes the spender's address with a group of others
• Making it exponentially more difficult to establish a link between subsequent transactions
• Impossible to discover the actual destination
• The "ring confidential transactions" mechanism hides the transferred amount
[5] "How to leak a secret", Rivest, R., Shamir, A., and Tauman, Y., ASIACRYPT 2001

Analysis of Monero
• ESORICS 2017, Session 12: Blockchain
• Amrit Kumar, Clément Fischer, Shruti Tople and Prateek Saxena: "A Traceability Analysis of Monero's Blockchain"
• Shi-Feng Sun, Man Ho Au, Joseph Liu and Tsz Hon Yuen:
   "RingCT 2.0: A Compact Linkable Ring Signature Based Protocol for Blockchain Cryptocurrency Monero"
• ProvSec 2017 keynote by J. Liu and M. H. Au: "(Linkable) Ring Signature and its Applications to Blockchain"
   "We will further relate linkable ring signature to Monero, one of the current largest blockchain-based cryptocurrencies in the world, which is considered to be the most commercial deployment of linkable ring signature nowadays. Finally, we will discuss ways to improve the RingCT (Ring Confidential Transactions) of Monero, the linkable ring signature based protocol to provide privacy for Monero users."

Winternitz One-time Signatures in {IOTA}
• A secret key of a one-time signature is usable only once
   → in the blockchain, an address is used only once
• Believed quantum resistant (?)
• Ref.: "Post-Quantum Signatures", J. Buchmann and D. J. Bernstein

Security of IOTA?
• IOTA is trying to do this with DAGs, or the SPECTRE protocol (Cryptology ePrint Archive 2016/1159)
• Our "Bitcoin Block Withholding Attack: Analysis and Mitigation" [BRS]
[BRS] Bag, Ruj, and Sakurai: "Bitcoin Block Withholding Attack: Analysis and Mitigation", IEEE Transactions on Information Forensics and Security, 2017

4. Anonymization Techniques Used in Blockchains

Mixing by {CoinJoin}
• Anonymization method for Bitcoin transactions
https://en.wikipedia.org/wiki/CoinJoin

zk-SNARK in {Zcash}
• Succinct zero-knowledge argument of knowledge [7]
[7] "Secure Sampling of Public Parameters for Succinct Zero Knowledge Proofs", Ben-Sasson, E., Chiesa, A., Green, M., Tromer, E., Virza, M., IEEE S&P 2015

Challenging Problems
1. Investigate each coin more
   1. Only the whitepaper claims its own security
   2. Whereas there is little third-party research before proposal/operation
2. New design (ISI-B.R. coin?)
   1. Quantum resistance
      1. Proof of Work, Proof of Stake
   2. Assuring scalability for > 10 million users
      1. Proof of Work, Proof of Stake
      2. Mining time
   3. Anonymization Techniques

Thank you for your attention!
[SAKURAI 2005 May 23rd MOU CRSI-ISIT] [ANADA: 2014 Nov 24th-25th MOU ISI&CRSI-ISIT]
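To make the "Winternitz One-time Signatures" slide concrete, here is an added Python example that is not part of the original slides and is not IOTA's own (ternary) implementation: Merkle's Winternitz one-time signature over SHA-256 with w = 16, plus the attack that reusing the key for a second message enables, which is why the slide says an address must be used only once. The seed and all messages are constructed sample values.

```python
import hashlib
from typing import List, Optional, Tuple

# Added example, not from the slides: a Winternitz one-time signature
# (Merkle's W-OTS over SHA-256, w = 16) and the forgery that key reuse enables.
W = 16          # each chain encodes one base-16 digit
L1 = 64         # digits of the 256-bit message hash
L2 = 3          # checksum digits: max checksum 64 * 15 = 960 < 16**3
L = L1 + L2


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(x: bytes, steps: int) -> bytes:
    """Hash 'steps' times. Going forward is cheap; going back is one-way."""
    for _ in range(steps):
        x = H(x)
    return x


def digits(msg: bytes) -> List[int]:
    """Base-16 digits of H(msg), then the Winternitz checksum digits.
    The checksum sum(15 - d) guarantees that raising any message digit lowers
    some checksum digit, so one signature cannot be 'advanced' to another message."""
    md = []
    for b in H(msg):
        md += [b >> 4, b & 0xF]
    c = sum(W - 1 - d for d in md)
    return md + [(c >> 8) & 0xF, (c >> 4) & 0xF, c & 0xF]


def keygen(seed: bytes) -> Tuple[List[bytes], List[bytes]]:
    """Secret key: L chain starts. Public key: each start hashed W-1 times.
    The seed is a constructed constant here; use os.urandom in practice."""
    sk = [H(seed + i.to_bytes(2, "big")) for i in range(L)]
    pk = [chain(s, W - 1) for s in sk]
    return sk, pk


def sign(sk: List[bytes], msg: bytes) -> List[bytes]:
    """Signature: walk chain i forward by the i-th digit of the message."""
    return [chain(sk[i], d) for i, d in enumerate(digits(msg))]


def verify(pk: List[bytes], msg: bytes, sig: List[bytes]) -> bool:
    """Finish every chain and compare with the public key."""
    return len(sig) == L and all(
        chain(sig[i], W - 1 - d) == pk[i] for i, d in enumerate(digits(msg)))


def forge(pk: List[bytes], seen: List[Tuple[bytes, List[bytes]]],
          target: bytes) -> Optional[List[bytes]]:
    """What an observer of a reused key can do: remember the lowest known
    position on every chain; any target whose digits are all at or above
    those positions can be signed without the secret key."""
    if not seen:
        return None
    lowest = {}                                   # chain index -> (position, value)
    for msg, sig in seen:
        for i, d in enumerate(digits(msg)):
            if i not in lowest or d < lowest[i][0]:
                lowest[i] = (d, sig[i])
    td = digits(target)
    if any(td[i] < lowest[i][0] for i in range(L)):
        return None
    forged = [chain(lowest[i][1], td[i] - lowest[i][0]) for i in range(L)]
    return forged if verify(pk, target, forged) else None


def find_forgeable(pk, seen, candidates):
    """Return the first candidate message the observer can forge, with its signature."""
    for t in candidates:
        s = forge(pk, seen, t)
        if s is not None:
            return t, s
    return None


if __name__ == "__main__":
    sk, pk = keygen(b"constructed seed, not a real key")
    m1 = b"transfer 5 to bob"
    s1 = sign(sk, m1)
    print("valid:", verify(pk, m1, s1), " tampered:", verify(pk, b"transfer 50 to bob", s1))
    print("forge from a single signature:", forge(pk, [(m1, s1)], b"transfer 50 to bob"))
    reused = [(m, sign(sk, m)) for m in (b"constructed message %d" % i for i in range(20))]
    hit = find_forgeable(pk, reused, (b"forged %d" % k for k in range(1000)))
    print("after 20 reuses, forged message:", hit[0] if hit else None)
```

With a single signature `forge` always returns None: if every digit of the target were at or above the signed message's digits, its checksum would be strictly smaller, yet dominance of the checksum digits would make it larger or equal, a contradiction. Once the same key has signed several messages, `lowest` holds a low position on almost every chain, and `find_forgeable` quickly finds a never-signed message that verifies under the public key; this is the concrete reason a one-time address must not receive a second signature.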