Hash functions in blockchains Daniel Augot INRIA Saclay–ˆIle-de-France Laboratoire d’informatique de l’Ecole´ polytechnique Head of project-team Grace (crypto) Daniel Augot: 1/50 Well, actually, there are very good research topics. A very narrow view: hash functions. This talk Crypto is standard Power law! Peer-to-peer is Time series unefficient viz: so easy Basic Game theory No big data ! Not consensus Daniel Augot: 2/50 A very narrow view: hash functions. This talk Crypto is standard Power law! Peer-to-peer is Time series unefficient viz: so easy Basic Game theory No big data ! Not consensus Well, actually, there are very good research topics. Daniel Augot: 2/50 This talk Crypto is standard Power law! Peer-to-peer is Time series unefficient viz: so easy Basic Game theory No big data ! Not consensus Well, actually, there are very good research topics. A very narrow view: hash functions. Daniel Augot: 2/50 Outline Transactions and Ledger Hash functions and Proof-of-work Opening the box: SHA-256 SHA256(SHA256(x)) and mining Scrypt Ethash Equihash Daniel Augot: 3/50 Outline Transactions and Ledger Hash functions and Proof-of-work Opening the box: SHA-256 SHA256(SHA256(x)) and mining Scrypt Ethash Equihash Daniel Augot: Transactions and Ledger 4/50 Bitcoin: A Peer-to-Peer Electronic Cash System Satoshi Nakamoto [email protected] www.bitcoin.org What is needed is an electronic Abstract. A purely peer-to-peer version of electronic cash would allow online payment system based on cryp- payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main tographic proof instead of trust, benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of [. ] without the need for a hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As trusted third party long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone. We propose a solution [. ] using 1. Introduction a peer-to-peer distributed times- Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for tamp server to generate [. ] most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the proof of the chronological order of minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non- reversible services. With the possibility of reversal, the need for trust spreads. Merchants must transactions be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party. What is needed is an electronic payment system based on cryptographic proof instead of trust, Satoshi Nakamoto. Bitcoin: allowing any two willing parties to transact directly with each other without the need for a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. In A Peer-to-Peer Electronic Cash this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions. The system is secure as long as honest nodes collectively control more CPU power than any System. Online, bit- cooperating group of attacker nodes. coin.org/bitcoin.pdf. 2008 1 Daniel Augot: Transactions and Ledger 5/50 Transactions I I Alice transfers bitcoins to Bob From Alice To Bob "1" I this is written in a public ledger Daniel Augot: Transactions and Ledger 6/50 Blocks and the ledger Daniel Augot: Transactions and Ledger 7/50 Blocks and the ledger Rebbeca Mary Marewitt "This book must be produced whenever any money is deposited or withdraw" Transaction Officer's signature March 27, 1869 Date stamp of the office to be affixed against each entry Daniel Augot: Transactions and Ledger 8/50 Blocks and the ledger Rebbeca Mary Marewitt adresse bitcoin "This book must be produced whenever any money is deposited or withdraw" registre public Transaction Officer's signature pas d'officier March 27, 1869 ni de signature Date stamp of the office "minage" to be affixed against each entry Daniel Augot: Transactions and Ledger 9/50 Actually, the hash is hard to find: proof-of-work Cynthia Dwork and Moni Naor. “Pricing via Processing or Combatting Junk Mail”. In: CRYPTO’ 92. 1993 Blocks are chained Daniel Augot: Transactions and Ledger 10/50 Actually, the hash is hard to find: proof-of-work Cynthia Dwork and Moni Naor. “Pricing via Processing or Combatting Junk Mail”. In: CRYPTO’ 92. 1993 Blocks are chained hash hash hash Daniel Augot: Transactions and Ledger 10/50 Blocks are chained hash hash hash Actually, the hash is hard to find: proof-of-work Cynthia Dwork and Moni Naor. “Pricing via Processing or Combatting Junk Mail”. In: CRYPTO’ 92. 1993 Daniel Augot: Transactions and Ledger 10/50 Outline Transactions and Ledger Hash functions and Proof-of-work Opening the box: SHA-256 SHA256(SHA256(x)) and mining Scrypt Ethash Equihash Daniel Augot: Hash functions and Proof-of-work 11/50 Cryptographic hash function f0; 1g∗ ! f0; 1gm H : x 7! y = H(x) I deterministic algorithm I no secrets, no keys (neither private, public, or secret) I it is not signature, neither encryption I it is not signature, neither encryption I it is not signature, neither encryption I it is not signature, neither encryption I it is not signature, neither encryption I ... Daniel Augot: Hash functions and Proof-of-work 12/50 Cryptographic hash function any bit string ! m bits H : x 7! y = H(x) I deterministic algorithm I no secrets, no keys (neither private, public, or secret) I it is not signature, neither encryption I it is not signature, neither encryption I it is not signature, neither encryption I it is not signature, neither encryption I it is not signature, neither encryption I ... Daniel Augot: Hash functions and Proof-of-work 12/50 Cryptographic hash function any bit string ! m/8 bytes H : x 7! y = H(x) I deterministic algorithm I no secrets, no keys (neither private, public, or secret) I it is not signature, neither encryption I it is not signature, neither encryption I it is not signature, neither encryption I it is not signature, neither encryption I it is not signature, neither encryption I ... Daniel Augot: Hash functions and Proof-of-work 12/50 Cryptographic hash function any digitalized document ! m/8 bytes H : x 7! y = H(x) I deterministic algorithm I no secrets, no keys (neither private, public, or secret) I it is not signature, neither encryption I it is not signature, neither encryption I it is not signature, neither encryption I it is not signature, neither encryption I it is not signature, neither encryption I ... Daniel Augot: Hash functions and Proof-of-work 12/50 Cryptographic hash function: properties Standard definition I First preimage resistance: given y = H(x), impossible to find x m I no better way than 2 calls to H 0 I Second preimage resistance: given x impossible to find x s.t. H(x 0) = H(x) m I no better way than 2 calls to H 0 0 I Collision resistance: impossible to find x, x s.t. H(x) = H(x ) m=2 I no better way than 2 calls to H Random Oracle Idealization I Hold a table T I when queried for x I if x 2 T return T [x] I if x 62 T return a random y, and set T [x] = y Daniel Augot: Hash functions and Proof-of-work 13/50 Difficult to create, only a few are in use: SHA1, SHA256, Keccak (SHA3) Why such a thing would be useful Most unsemantic function: given x, y = F (x) is (hopefully) pure random! Usage I Ensuring file integrity: M 7! (M; h(M)) If h(M) is secure, there can be non corruption on M =) integrity of the blockchain from last trusted hash h I Password storage (with a pinch of salt) I Blind registration of documents (notarization) d95b82d3187458f83ad36abd509c7688f60cbda4 Daniel Augot: Hash functions and Proof-of-work 14/50 Where do they come from Daniel Augot: Hash functions and Proof-of-work 15/50 Where do they come from Daniel Augot: Hash functions and Proof-of-work 15/50 SHA-1 is well broken (alongside with pdf) Daniel Augot: Hash functions and Proof-of-work 16/50 SHA-1 is well broken (alongside with pdf) Daniel Augot: Hash functions and Proof-of-work 16/50 Mining, proof-of-work Mining is finding a nonce wich contributes to a partially prescribed hash nonce = an arbitrary meaningless number Daniel Augot: Hash functions and Proof-of-work 17/50 T is readjusted every 2016 blocks, to keep producing a block every 10 min 2 weeks difficulty difficulty · time to mine last 2016 blocks where difficulty / 1=T Proof-of-work with SHA2562 Bitcoin uses 64 f0; 1g2 ! f0; 1g256 x 7! SHA256(SHA256(x)) 2 f0; 1g256 256 I given a “target” T 2 [0; 2 ) I to “mine” block-data: UNTIL hash < T nonce = next nonce hash = H(block-data jj nonce) No better way than guessing.