DFINITY Crypto Techniques

DFINITY Crypto Techniques

INTRODUCING DFINITY Crypto Techniques V1 - 19th May 2017 Threshold Relay Produce randomness that is incorruptible, unmanipulable and unpredictable BACKGROUNDER Explain “unique deterministic” threshold signatures… Usually a signer creates a signature on message data Shared seed data (“message”) 01010101010 11010111011 01010101010 10101001010 Verifier Signature SIGN σ 10101010101 Private 00101101010 Key 10010101010 10010101001 Verifier Signer’s identity Public Key Signer Verifier AUTHORIZED SIGNER SIGNATURE VERIFIERS That can be verified using the signer’s public key Shared seed data (“message”) 01010101010 11010111011 01010101010 10101001010 Verifier Signature SIGN 10101010101 Private 00101101010 Key 10010101010 10010101001 VERIFY Verifier Signer’s identity Public Key Signer Verifier AUTHORIZED SIGNER SIGNATURE VERIFIERS If scheme unique and deterministic then only 1 correct signature Shared seed data THE SIGNATURE IS A RANDOM NUMBER, AS IF (“message”) IT WERE PREDICTABLE, THE SIGNATURE SCHEME WOULD NOT BE SECURE 01010101010 11010111011 01010101010 10101001010 Verifier Signature SIGN 10101010101 DETERMINISTIC Private 00101101010 RANDOM Key 10010101010 10010101001 VERIFY NUMBER Verifier Signer’s identity Public Key Signer Verifier AUTHORIZED SIGNER SIGNATURE VERIFIERS Unique and deterministic threshold signature scheme possible GROUP MEMBERS INDEPENDENTLY SIGN THE Shared seed data MESSAGE TO CREATE “SIGNATURE SHARES”. (“message”) A THRESHOLD NUMBER ARE COMBINED TO CREATE THE OUTPUT SIGNATURE 01010101010 11010111011 01010101010 10101001010 Verifier Signature SIGN SIGN SIGN COMBINE 10101010101 DETERMINISTIC 00101101010 RANDOM 10010101010 10010101001 VERIFY NUMBER Share 1 Share 3 Share 2 Verifier Group’s identity Public Key Signer Signer Signer Verifier THRESHOLD GROUP SIGNATURE VERIFIERS Whatever subset (threshold) of group sign still same signature Shared seed data (“message”) Share 1 01010101010 Share 3 11010111011 01010101010 Signer Signer Signer 10101001010 Verifier Signature Share 4 Share 5 COMBINE 10101010101 DETERMINISTIC 00101101010 RANDOM Signer Signer Signer 10010101010 10010101001 VERIFY NUMBER Verifier Group’s identity Share 7 Share 9 Public Key Signer Signer Signer Verifier THRESHOLD GROUP SIGNATURE VERIFIERS Important observations of powerful magic 1. A group identified by its threshold public key can only produce a single valid output signature on given seed data Verifier DETERMINISTIC RANDOM NUMBER Verifier Verifier Important observations of powerful magic 1. A group identified by its threshold public key can only produce a single valid output signature on given seed data 2. A group is fault tolerant and any subset of threshold size can distribute signature shares for combination into the signature Verifier DETERMINISTIC RANDOM NUMBER Verifier Verifier Important observations of powerful magic 1. A group identified by its threshold public key can only produce a single valid output signature on given seed data 2. A group is fault tolerant and any subset of threshold size can distribute signature shares for combination into the signature Verifier 3. The resulting threshold signature can be validated by anyone who has the group’s public key and the seed data DETERMINISTIC RANDOM NUMBER Verifier Verifier Important observations of powerful magic 1. A group identified by its threshold public key can only produce a single valid output signature on given seed data 2. A group is fault tolerant and any subset of threshold size can distribute signature shares for combination into the signature Verifier 3. The resulting threshold signature can be validated by anyone who has the group’s public key and the seed data DETERMINISTIC RANDOM 4. The signature is a deterministically produced random number NUMBER Verifier Verifier Important observations of powerful magic 1. A group identified by its threshold public key can only produce a single valid output signature on given seed data 2. A group is fault tolerant and any subset of threshold size can distribute signature shares for combination into the signature Verifier 3. The resulting threshold signature can be validated by anyone who has the group’s public key and the seed data DETERMINISTIC RANDOM 4. The signature is a deterministically produced random number NUMBER Verifier 5. Given a group’s public key and the input seed data the verifiers reach immediate consensus on the random number produced without running a consensus protocol… Verifier A unique deterministic threshold signature scheme Boneh-Lynn-Shacham signatures (BLS) TIP 1 Ben Lynn is a full time member of the Key Generation DFINITY team - Secret key: x mod r - Public key: P = xQ G TIP 2 You don’t need to understand this 2 2 2 crypto to understand the remaining slides… Signing - Message hashed to H (m) G Parameters 2 1 - Signature: s = xH(m) G1 - Two groups G 1 ,G 2 of prime order r 2 (on two elliptic curves) Verification e ( s, Q 2 )= e ( H ( m ) ,P ) ? - Generators Q1 G1,Q2 G2 2 2 - Bi-linear pairing e : G1 G2 GT ⇥ 7! BLS, 2001 (Stanford University) DECENTRALIZED VERIFIABLE RANDOM FUNCTION Relay between groups to create a random sequence A vast peer-to-peer broadcast network of mining clients… Whose public keys are registered on a supporting ledger PUBKEY 0x1bd1ccf169d755306e077b38cb9aeae28e245351 DEPOSIT: 1000 DFN PUBKEY 0x9a197453dcface85be2fbe32c8cc19bd30576ee1 DEPOSIT: 1000 DFN PUBKEY 0x2b197453dcfabe85be2fbe31c8cc19bd30576ed0 DEPOSIT: 1000 DFN Each client (“process”) belongs to threshold groups Whose public keys are also registered on the supporting ledger … GRP PUBKEY GRP PUBKEY GRP PUBKEY GRP PUBKEY GRP PUBKEY 0x7de4ac5… 0x8fb251b… 0x1a7234e… 0x2b197453… 0xb6e1a33… At each height in the sequence, there is a current group… h That signs the previous group’s signature… BLS Signature Scheme Their random number selects the next group (the “relay”) Gh+1 = [σh mod ] G |G| The relaying between groups is unmanipulable and infinite This is what Threshold Relay looks like h 1 − SIGNATURE h 1 σ − The signature created at h-1 selects the group at h h =) h h 1 G = [σ − mod ] G |G| Group members at h broadcast signature shares h BROADCAST σh,p Gh { p 2 } Collect threshold of shares & create unique group signature… h SIGNATURE σh = bls( σh,p Gh ) { p 2 } That selects the next group, ad infinitum h +1 =) Gh+1 = [σh mod ] G |G| Producing a decentralized Verifiable Random Function (VRF) h 7 h 6 h 5 h 4 h 3 h 2 h 1 h σ , σ , σ , σ , σ , σ , σ , σ = − − − − − − − ) Random number sequence is Deterministic . Verifiable . Unmanipulable Next value released on agreement a threshold of the current group… Unpredictable No consensus protocol is necessary! Random numbers should not be generated with a “ method chosen at random - Donald Knuth TLDR; such unmanipulable randomness is powerful… Decentralized Protocols Decentralized Applications for “Scaling Out” with advanced features COMING UP… PSP Blockchain Designs E.g. PHI autonomous loan Validation Towers issuance and crypto “fiat” Validation Trees USCIDs Validate anything… Fair financial exchanges… Lottery Charging Lazy Validation Fault Tolerance Example NETWORK METRICS P (Faulty 200) ≥ Processes 10,000 Faulty 3,000 1e 17 (Correct) 7,000 Probability that a sufficient Group Size 400 proportion −of the group are faulty Threshold 201 that it cannot produce a signature Calculated using hypergeometric probability e.g. Note: in practice the probability 30% http://www.geneprof.org/GeneProf/tools/ of professionally run mining hypergeometric.jsp processes “just stop” is very low. Miners will generally deregister IDs Note: groups should expire to thwart to retrieve deposits when exiting. “adaptive” adversaries Communications Overhead Example MESSAGE FORMAT GROUP SIZE Process ID 20 bytes Group size 400 Threshold 201 Signature share 32 bytes Signature on comms 32 bytes COMMUNICATION OVERHEAD Total 84 bytes Expected 22 KB In order for a group to produce a 400 messages involve 34 KB of data threshold signature, its members transfer. However, only 17 KB (half must broadcast “signature shares” the messages) are required to on the message that can be construct the signature. Thereafter combined. Here is a typical packet signature shares are not relayed, so carrying a signature share. a more typical overhead is 22 KB. BACKGROUNDER How to setup groups… Clients randomly assigned to groups by randomness (VRF) … GRP PUBKEY GRP PUBKEY GRP PUBKEY GRP PUBKEY GRP PUBKEY - - - - - Need setup threshold scheme within 1000 blocks using DKG… Joint Feldman DKG … GRP PUBKEY GRP PUBKEY GRP PUBKEY GRP PUBKEY GRP PUBKEY - - - - - Successful groups register their Public Key on the ledger … GRP PUBKEY GRP PUBKEY GRP PUBKEY GRP PUBKEY GRP PUBKEY - - - 0x2b197453… - Setup is independent of blockchain progression… Joint Joint Feldman Feldman DKG DKG … GRP PUBKEY GRP PUBKEY GRP PUBKEY GRP PUBKEY GRP PUBKEY - - - 0x2b197453… - And occurs asynchronously … GRP PUBKEY GRP PUBKEY GRP PUBKEY GRP PUBKEY GRP PUBKEY 0x7de4ac5… 0x8fb251b… - 0x2b197453… - New clients and groups activated in CURRENT_EPOCH + 2 KEY FRAME KEY FRAME KEY FRAME KEY FRAME BLOCK BLOCK BLOCK BLOCK ⇠ 3 ⇠ 2 ⇠ 1 ⇠ − − − CHAIN HEAD Activation… GROUP Join tx Join tx 0x2b197453… GROUP CLIENT 0x2b197453… 0x6e22e1ba… CLIENT 0x6e22e1ba… In choosing the epoch length there are a number of considerations. For correctness, an epoch must minimally contain more blocks than may ever be present in a chain fork. However, since light clients only require key frame header copies, for reasons of efficiency, epochs may be much longer e.g. one week Probabilistic Slot Protocol Extend the Threshold Relay system to produce a more secure

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    67 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us