Publish or Perish: A Backward-Compatible Defense against Selfish Mining in Bitcoin

RSA Conference 2017, Selected Topics, session CRYP-R10 (#RSAC)

Ren Zhang, Doctoral Student (@nizenzang), and Bart Preneel, Professor, KU Leuven, ESAT-COSIC and imec

Posted 27-Apr-2018

TRANSCRIPT

Selfish Mining in Bitcoin

Bitcoin

A p2p network

Maintaining a public decentralized ledger

The ledger is organized as a hash chain of blocks

Each block contains a set of transactions (txs)

(Figure: one block, showing its Prev_Hash field and its transaction list Tx: tx1 tx2 …)

Bitcoin Mining

New txs are broadcast to the entire network; each miner collects these txs into a block

Every miner works on finding the solution “nonce” to the following puzzle: H(txs, prev_hash, nonce) < threshold

Whoever finds the solution first broadcasts the next block

Within the block, a special coinbase tx issues 12.5 new btc to the miner

(Figure: a chain of blocks, each holding Prev_Hash (PH), its transactions Tx: tx1 tx2 … coinbase, and the Nonce (N))
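The mining puzzle above, worked as an added example (this is not code from the slides or from Bitcoin): a toy hash chain where H is plain SHA-256 over a canonical JSON encoding of (txs, prev_hash, nonce), the threshold is 2^(256−12) so a block takes a few thousand hashes, and the transactions are constructed. Real Bitcoin hashes a binary header with double SHA-256 against a far harder target; everything else, in particular the link check and the proof-of-work check in verify_chain, is the same idea.

```python
"""Added example (not from the slides): a toy hash-chain miner for the puzzle
H(txs, prev_hash, nonce) < threshold. H is SHA-256 over a canonical JSON
serialization and the threshold is 2^(256 - DIFFICULTY_BITS); real Bitcoin uses
double SHA-256 over a binary header and a much harder target (assumptions)."""
import hashlib
import json

DIFFICULTY_BITS = 12                       # toy difficulty (constructed): ~2^12 hashes per block
THRESHOLD = 1 << (256 - DIFFICULTY_BITS)   # H must be numerically below this value
BLOCK_REWARD = 12.5                        # coinbase reward quoted on the slide
GENESIS_HASH = "0" * 64                    # prev_hash of the first block (constructed)


def block_hash(prev_hash, txs, nonce):
    """H(txs, prev_hash, nonce): SHA-256 of a canonical JSON encoding."""
    payload = json.dumps({"prev": prev_hash, "txs": txs, "nonce": nonce},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def mine(prev_hash, pending_txs, miner):
    """Try nonces until H(...) < THRESHOLD; the coinbase tx paying `miner` goes first."""
    txs = [{"coinbase": miner, "reward": BLOCK_REWARD}] + list(pending_txs)
    nonce = 0
    while True:
        h = block_hash(prev_hash, txs, nonce)
        if int(h, 16) < THRESHOLD:
            return {"prev_hash": prev_hash, "txs": txs, "nonce": nonce, "hash": h}
        nonce += 1


def verify_chain(chain):
    """Re-check every prev_hash link and every proof of work from genesis onward;
    altering any mined tx changes H and breaks the stored hash and the link."""
    prev = GENESIS_HASH
    for b in chain:
        if b["prev_hash"] != prev:
            return False
        h = block_hash(b["prev_hash"], b["txs"], b["nonce"])
        if h != b["hash"] or int(h, 16) >= THRESHOLD:
            return False
        prev = h
    return True


def build_demo_chain():
    """Two blocks mined in sequence over constructed transactions."""
    b1 = mine(GENESIS_HASH, [{"from": "alice", "to": "bob", "btc": 1.0}], "minerA")
    b2 = mine(b1["hash"], [{"from": "bob", "to": "carol", "btc": 0.5}], "minerB")
    return [b1, b2]


if __name__ == "__main__":
    chain = build_demo_chain()
    print("valid:", verify_chain(chain))
    chain[0]["txs"][1]["btc"] = 100.0      # tamper with a mined tx
    print("valid after tampering:", verify_chain(chain))
```

Lowering DIFFICULTY_BITS to the slide's "around 71 leading zeros" is what turns this loop from milliseconds into the 3×10^18 H/s network effort described next; the verification cost stays a couple of hashes per block either way, which is the asymmetry proof of work relies on.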

Bitcoin Network’s Current Mining Power

Network hash rate: 3×10^18 H/s

Puzzle difficulty: around 71 leading zeros

Known hash rate distribution (chart)

70% of mining power in China

Bitcoin’s Fork-Resolving Policy

Release new blocks to the public immediately

Fork-resolving policy: mine on the longest chain, or on the first received block during a tie

Reward distribution policy: orphaned blocks receive no reward

(Figure: timeline of the public chain showing a “fork” and an “orphaned” block)

Selfish Mining Attack

Fairness assumption: when >50% of mining power follows the protocol, a miner’s block rewards ∝ the miner’s computational power

The assumption is disproved by this selfish mining attack

Two scenarios: winning a tie (with some luck) or winning with a longer chain

(Figure: timeline of the public chain against the selfish miner’s withheld chain)

Why is Selfish Mining Harmful?

Targets the Bitcoin protocol itself

The selfish miner’s expected relative revenue rises superlinearly with the mining power

=> rational choice for miners: to do selfish mining collectively

=> the decentralized nature of Bitcoin is damaged

When combined with selfish mining, double spending attacks can be launched with arbitrarily low mining power, rather than the previously believed 51%

=> the most fundamental attack in Bitcoin

Existing Defenses & Key Observation

Tie-breaking defenses: have no effect when the selfish chain is longer than the public chain

=> only valid against weak attackers

Backward-incompatible defenses: modify the balances of existing accounts

=> will never see adoption in Bitcoin

Can we change only the fork-resolving policy?

Our Defense

Definitions

Assuming the upper bound of block propagation delay is τ

A block received τ after a competing block of the same height is late; otherwise it is in time

A block B1 is considered to be the uncle of another block B2 if B1 is a competing in-time block of B2’s parent block

(Figure: timeline with the τ window, marking a “late!” block and an “uncle”)

Our Defense

Modified mining algorithm: miners incorporate the hashes of all uncles in their blocks

The weight of a chain: # in-time blocks + # in-time uncle hashes embedded in these blocks

Modified fork-resolving policy: a miner chooses the chain with the largest weight; in a tie the miner chooses randomly

(Figure: the same timeline, with the τ window, a “late!” block and an “uncle”)

A Dilemma for the Selfish Miner

If the selfish miner publishes S: S counts in the weight of both chains

If not: S counts in the weight of neither chain

Impossible for an earlier secret block to have an honest uncle

(Figure: timeline with the τ window, the secret block S in both positions, a “late!” block and an “uncle”)

Another Problem: CAP Theorem

In original Bitcoin, if the network is partitioned and reunited, the ledger converges fast

=> selfish mining and network partition are indistinguishable

In our defense, every part of the network would consider blocks mined by other parts late

=> the ledger may not converge

Unfortunately there is no perfect solution

(Figure: triangle of Availability, Partition recovery and Consistency, placing Original Bitcoin and Our defense on it)

Another Problem

Our solution: when the longest chain is k blocks ahead, all miners adopt it

Result:

k = 1: a tie-breaking defense

k = ∞: resistant against a 51% attacker

k = 3: the ledger converges in a few hours even when an attacker with 50% of total mining power works to prevent convergence

(Figure: the same triangle, now placing Our defense, k=3)
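The definitions of late blocks, uncles and chain weight above, the selfish miner's dilemma, and the k-ahead rule, put together in a small model as an added example (not the authors' code). Block names stand in for hashes, `received` is the time the public first saw a block, TAU is an assumed delay bound, and the two scenarios are constructed: the dilemma with the selfish miner either publishing S within τ or releasing its chain late, and a partition where the other side's chain arrives all at once so its contested blocks look late.

```python
"""Added example (not the authors' code): toy model of the publish-or-perish
fork-resolving rule. Names stand in for block hashes, `received` is when the
public first saw the block, TAU is the assumed propagation-delay bound and the
scenarios are constructed to mirror the slides' figures."""
import random
from dataclasses import dataclass
from typing import Optional, Tuple

TAU = 10.0   # upper bound on block propagation delay (constructed value)


@dataclass(frozen=True)
class Block:
    name: str
    height: int
    parent: Optional[str]          # None for the genesis block
    received: float                # time the public first received the block
    uncles: Tuple[str, ...] = ()   # uncle hashes the miner embedded


def in_time(blocks, b):
    """Late = received TAU or more after a competing block of the same height;
    the first block seen at a height (or an uncontested one) is always in time."""
    first = min(x.received for x in blocks.values() if x.height == b.height)
    return b.received < first + TAU


def valid_uncle(blocks, uncle, b):
    """uncle must be an in-time competitor of b's parent: same height, different block."""
    parent = blocks[b.parent]
    return uncle.name != parent.name and uncle.height == parent.height and in_time(blocks, uncle)


def chain_of(blocks, tip):
    out, cur = [], blocks[tip]
    while cur is not None:
        out.append(cur)
        cur = blocks[cur.parent] if cur.parent is not None else None
    return out[::-1]


def weight(blocks, tip):
    """# in-time blocks on the chain + # in-time uncle hashes embedded in them."""
    w = 0
    for b in chain_of(blocks, tip):
        if in_time(blocks, b):
            w += 1
        w += sum(1 for u in b.uncles if valid_uncle(blocks, blocks[u], b))
    return w


def choose_tip(blocks, tips, k, rng=random):
    """Adopt the longest chain when it is k blocks ahead of every rival; otherwise
    take the heaviest chain and break ties at random. With k = 1 the longest chain
    always wins, so weight only decides ties; a large k ignores length entirely."""
    longest = max(tips, key=lambda t: blocks[t].height)
    if all(blocks[longest].height - blocks[t].height >= k for t in tips if t != longest):
        return longest
    weights = {t: weight(blocks, t) for t in tips}
    best = max(weights.values())
    return rng.choice(sorted(t for t in tips if weights[t] == best))


def dilemma_scenario(publish_in_time):
    """Selfish block S1 competes with honest P1 at height 1; P2 extends P1.
    Either S1 is published within TAU of P1 (and honest P2 embeds it as an uncle),
    or S1 and S2 are released together after P2, so both arrive late."""
    blocks = {}
    for b in (Block("G", 0, None, 0.0),
              Block("P1", 1, "G", 100.0),
              Block("P2", 2, "P1", 200.0, uncles=("S1",) if publish_in_time else ()),
              Block("S1", 1, "G", 105.0 if publish_in_time else 210.0),
              Block("S2", 2, "S1", 205.0 if publish_in_time else 210.0, uncles=("P1",))):
        blocks[b.name] = b
    return blocks


def partition_scenario(remote_len):
    """Our side mined B1..B4 (t = 100..400) during a partition; the other side's
    chain A1..A{remote_len} arrives all at once at reunification (t = 1000), so
    every A block that has a B competitor looks late to us."""
    blocks = {"G": Block("G", 0, None, 0.0)}
    for h in range(1, 5):
        blocks[f"B{h}"] = Block(f"B{h}", h, "G" if h == 1 else f"B{h - 1}", 100.0 * h)
    for h in range(1, remote_len + 1):
        blocks[f"A{h}"] = Block(f"A{h}", h, "G" if h == 1 else f"A{h - 1}", 1000.0)
    return blocks, f"A{remote_len}", "B4"


if __name__ == "__main__":
    rng = random.Random(1)
    for pub in (False, True):
        bl = dilemma_scenario(pub)
        print(f"S published in time={pub}: weight P2={weight(bl, 'P2')} S2={weight(bl, 'S2')}"
              f" -> choice {choose_tip(bl, ['P2', 'S2'], 3, rng)}")
    for n, k in ((6, 3), (7, 3), (7, 10)):
        bl, a, b = partition_scenario(n)
        print(f"remote chain {a} vs local {b}, k={k}: choice {choose_tip(bl, [a, b], k, rng)}")
```

In the withheld case the selfish chain has the same length as the public one but weight 2 against 3, so the release that would have won a tie under the longest-chain rule loses here; in the published case S1 adds one to both chains and the outcome is a coin flip. The partition case shows the trade-off on the CAP slide: a 7-block remote chain of which only three blocks count is adopted with k=3 because it is 3 blocks ahead, but stays rejected with k=10.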

The Optimal Selfish Mining Strategy

We model the mining process as a Markov decision process and solve for the optimal selfish mining strategy and its relative revenue

Attacker’s best choice in given mining sequences (48% mining power):

publish or perish, k=3: give up S and work on P; uniform tie breaking: keep working on S

publish or perish, k=3: publish both blocks; uniform tie breaking: keep working secretly

(Figure: the two mining sequences, with the attacker’s block S and the public block P)

Comparison with Other Defenses

Ideal: relative revenue ∝ mining power

Optimal tie breaking: an imaginary defense in which the attacker loses every tie

Our defense is still not fair, but better than existing defenses

Conclusion

Summary

Selfish mining is the most fundamental attack in Bitcoin

We proposed an effective, decentralized and backward-compatible defense against selfish mining

We highlighted the origin of the selfish mining attack: Bitcoin’s high partition tolerance

Future work:

A fair selfish mining defense

Analyzing selfish mining and double-spending resistance of all existing proof-of-work protocols

Optimal combination of eclipse and selfish mining attacks

“Apply” Slide (Requested by RSA Conference)

Bitcoin’s high tolerance to network partition is the reason why selfish mining and some double-spending attacks are possible

To suggest changes to Bitcoin: our protocol has the best resistance against these attacks :D

To design a new proof-of-work cryptocurrency: deal with network partition explicitly! Do not trade security for service availability!

WEM: A New Family of White-box Block Ciphers Based on the Even-Mansour Construction

RSA Conference 2017, session CRYP-R10 (#RSAC)

Jihoon Cho, Kyu Young Choi, Itai Dinur, Orr Dunkelman, Nathan Keller, Dukjae Moon and Aviya Veidberg

Dukjae Moon, Senior Engineer, Security Research Group, SAMSUNG SDS, [email protected]

Outline

Introduction

Description of WEM

Security in the Black-Box Model

Security in the White-Box Model

Conclusions

Outline: Introduction

Introduction: White-Box Cryptography; Design Directions

Description of WEM

Security in the Black-Box Model

Security in the White-Box Model

Conclusions

White-Box Cryptography [3/3]

Security goals in the white-box attack model (WBM):

Unbreakability — it is infeasible to recover the secret key K by accessing the implementation

Incompressibility (weak white-box security, space hardness) — it is infeasible to recover the full implementation by using partial components of the full implementation

Strong white-box security (incompressibility + one-wayness) — one-wayness: it is infeasible to decrypt a given ciphertext, even if an adversary gets the encryption implementation

Design Directions [1/3]

Primitives based on existing block ciphers

In 2002, Chow et al. proposed white-box primitives

The implementation method uses large tables or algebraic equations

(Figure: an underlying block cipher (e.g., AES) is turned by the implementation method into a WB primitive)

Design Directions [2/3]

Primitives based on existing block ciphers

All published primitives were practically broken

Cipher [ref.]          Method         Cryptanalysis
WB-DES [DRM’02]        8-bit table    DFA [DRM’02], DA [SAC’07]
WB-AES [SAC’02]        8-bit table    AA [SAC’04], AA [SAC’08], DFA [BH’15], DPA [FSE’16], DCA [CHES’16]
WB-AES [ePrint’06]     equation       SDA [IndoC.’10]
WB-AES [CSA’09]        16-bit table   AA [SAC’08], AA [SAC’12]
WB-D.AES [ICISC’10]    8-bit table    AA [SAC’13]

DA: Differential Attacks; SDA: Structural Decomposition Attacks; AA: Algebraic Attacks; DPA (DFA/DCA): Differential Power/Fault/Computation Attacks

Design Directions [3/3]

Dedicated primitives with white-box protection

These designs are based on key-dependent components (e.g., S-boxes)

The ASASA family [Asiacrypt’14] was practically broken [CRYPTO’15, Asiacrypt’15]

Other primitives:

Primitive    SPACE [ACM-CCS’15]                                 WhiteBlock [Asiacrypt’16]
Structure    Generalized Feistel with secret-function S-boxes   Iterative function of one Feistel step and AES call

(Figure: the two structures)

Outline: Description of WEM

Introduction

Description of WEM: Design Rationale; New family of Block ciphers; Structure of the incompressible S-Box

Security in the Black-Box Model

Security in the White-Box Model

Conclusions

Design Rationale [1/2]

Strong security and good performance in the BBM

Our primitives use the iterated EM (Even-Mansour) construction

The security level of this scheme with more than 2 rounds is close to 2^n

The scheme becomes even stronger by replacing the key addition with a secret S-box

By taking a round-reduced version of the underlying block cipher E as the public permutation, our primitives achieve good performance without sacrificing security

Design Rationale [2/2]

Strong security in the WBM

Goal: an adversary cannot extract the master key, even if the secret S-boxes are known (the adversary does not have access to the generation process of these S-boxes)

We use the Fisher-Yates shuffle algorithm with the pseudo-random sequence from the block cipher E in counter mode to generate the S-boxes

This generation process ensures incompressibility. One can reuse some S-boxes for more flexibility

One of the main differences between WEM and the previous primitives (such as SPACE and WhiteBlock) is that we use secret permutation S-boxes

New family of Block Ciphers [1/2]

Based on an iterated EM construction with incompressible S-boxes

WEM(n, m, r, E, d) is a modification of the r-round EM scheme:

n: the block size of the cipher

m: the size of the incompressible S-box

r: the number of rounds in the underlying iterated EM construction

E: the underlying block cipher (e.g., AES)

d: the number of rounds we take in the key-less version of E

Public permutation P: a d-round reduced variant of E with a fixed key

S-box layer: parallel application of n/m incompressible m-to-m-bit S-boxes

New family of Block Ciphers [2/2]

Specific instantiation: WEM(128, 16, 2, AES-128, 5) = WEM-16

Uses 24 S-boxes in total

Encryption time complexity is a single AES encryption plus 3 sequences of 8 parallel table lookups

Structure of the incompressible S-box

Stand-alone primitive with n-bit security

Generate a long sequence of pseudo-random bits from the n-bit secret key

— For example, we use AES-CTR with a 128-bit secret master key

Instantiate m-to-m-bit S-boxes by using the pseudo-random sequence

— We use the Fisher-Yates shuffle algorithm

— This algorithm generates a truly random permutation

To shuffle an array a of n elements (indices 0..n-1):

for i from n − 1 downto 1 do
    j ← random integer with 0 ≤ j ≤ i
    exchange a[j] and a[i]
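The S-box generation described above and the n/m-parallel S-box layer of WEM, as an added example that is not the WEM authors' code. The slides derive the shuffle's randomness from AES-CTR under the master key; to stay dependency-free this example derives the stream from SHA-256 in counter mode over key || S-box index || counter instead (an assumption of the example, not of the design), draws each j uniformly in 0..i by rejection sampling rather than by a biased `mod`, and checks that the result is a permutation whose inverse undoes it.

```python
"""Added example (not the WEM authors' code): WEM-style incompressible S-boxes
from a Fisher-Yates shuffle driven by a keyed counter-mode stream, plus the
parallel S-box layer. Stand-in for AES-CTR: SHA-256(key || index || counter)."""
import hashlib


def _words(seed: bytes):
    """Infinite stream of 32-bit words from a counter-mode hash (AES-CTR stand-in)."""
    ctr = 0
    while True:
        block = hashlib.sha256(seed + ctr.to_bytes(16, "big")).digest()
        ctr += 1
        for off in range(0, 32, 4):
            yield int.from_bytes(block[off:off + 4], "big")


def _uniform(words, n: int) -> int:
    """Unbiased integer in [0, n): rejection sampling avoids the modulo bias that
    `word mod n` has whenever n does not divide 2^32."""
    limit = (1 << 32) - ((1 << 32) % n)
    while True:
        w = next(words)
        if w < limit:
            return w % n


def generate_sbox(master_key: bytes, m: int, index: int) -> list:
    """m-to-m-bit permutation: Fisher-Yates (Durstenfeld) shuffle of 0..2^m-1.
    `index` domain-separates the S-boxes derived from one master key."""
    size = 1 << m
    words = _words(master_key + index.to_bytes(4, "big"))
    a = list(range(size))
    for i in range(size - 1, 0, -1):
        j = _uniform(words, i + 1)      # j uniform in 0..i inclusive
        a[i], a[j] = a[j], a[i]
    return a


def invert_sbox(sbox: list) -> list:
    """Inverse permutation, needed for decryption."""
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def sbox_layer(state: int, sboxes: list, m: int) -> int:
    """Apply len(sboxes) S-boxes in parallel to an n-bit state (n = m * len(sboxes));
    box 0 acts on the lowest m bits."""
    mask = (1 << m) - 1
    out = 0
    for idx, box in enumerate(sboxes):
        chunk = (state >> (idx * m)) & mask
        out |= box[chunk] << (idx * m)
    return out


def make_layer(master_key: bytes, n: int, m: int, layer: int):
    """The n/m S-boxes of one WEM S-box layer and their inverses."""
    boxes = [generate_sbox(master_key, m, layer * (n // m) + i) for i in range(n // m)]
    return boxes, [invert_sbox(b) for b in boxes]


if __name__ == "__main__":
    key = bytes(range(16))                       # constructed 128-bit master key
    boxes, inverses = make_layer(key, n=128, m=16, layer=0)
    x = int.from_bytes(b"sixteen byte msg", "big")
    y = sbox_layer(x, boxes, 16)
    print(f"layer output {y:032x}, round trip ok: {sbox_layer(y, inverses, 16) == x}")
    print("first entries of S-box 0:", boxes[0][:4])
```

With m = 16 each table holds 2^16 entries of 16 bits, i.e. 2^17 bytes, which is the table size the performance slide quotes for one S-box; an adversary who copies a table fragment learns nothing about the remaining entries because every swap consumed fresh keystream, which is the incompressibility argument made on the design-rationale slide.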

Outline: Security in the Black-Box Model

Introduction

Description of WEM

Security in the Black-Box Model: Minimal Construction for WEM; Security Analysis

Security in the White-Box Model

Conclusions

Minimal Construction for WEM [1/4]

Are the primitives WEM-8 and WEM-16 ‘minimal’?

Yes, 2-round WEM is minimal. That is, 1-round WEM does not supply 128-bit security

We can recover all entries of the secret S-boxes by a structural attack against 1-round WEM with about 2^(n/2) time complexity

(Figure: the 1-round construction WEM(128,8,1,AES-128,10) with its public permutation P)

Minimal Construction for WEM [2/4]

Structural attack on WEM(128,8,1,AES-128,10)

Let Δi be a set of 256 (= 2^8) 16-byte values for E (= WEM)

— The most significant byte has the active property “A”; the remaining 15 bytes are fixed, “F”

Let Λj be a set of 256 16-byte values for the public permutation P

$$\Delta_i = \{\, x \in \{0,1\}^{128} \mid x[0] = i[0],\ x[1] = i[1],\ \cdots,\ x[14] = i[14] \,\}$$

$$\Lambda_j = \{\, y \in \{0,1\}^{128} \mid y[0] = j[0],\ y[1] = j[1],\ \cdots,\ y[14] = j[14] \,\}$$

Minimal Construction for WEM [3/4]

Useful property

If we look for multi-sets E(Δi) and P(Λj) with the same property

It guarantees that S(Δi) and Λj collide

This means that the values of the 15 fixed bytes are the same:

$$S_0(i[0]) = j[0],\quad S_1(i[1]) = j[1],\quad \ldots,\quad S_{14}(i[14]) = j[14]$$

Minimal Construction for WEM [4/4]

Attack algorithm (time and memory complexities are about 2^68)

Evaluate the public permutation P on sets of 256 (= 2^8) inputs Λj for 2^60 arbitrary values of j

For each set, evaluate I(P(Λj)) and store it in a table next to Λj

Ask for the encryptions of sets of 256 inputs Δi for 2^60 arbitrary values of i

For each set, evaluate I(E(Δi)) and look for matches in the table

For each match I(E(Δi)) = I(P(Λj)), compute the corresponding entries of the secret S-boxes

Try to recover other entries by changing one byte of Δi and Λj at a time, until recovery of the secret S-boxes succeeds

Security Analysis [1/4]

For the sake of black-box analysis, we may view the secret S-boxes of our primitive as random permutations

Previously studied constructions:

2-round iterated Even-Mansour construction

Standard AES with 128-bit key

AES with secret S-boxes

10-round AES with random S-boxes

Known-key round-reduced AES

Security Analysis [2/4]

Brief assessment of the security

Count the expected attack rounds in units of AES rounds

The full 10-round WEM-8/16 are expected to be immune to all given attacks

Attack      GA         DC/LC          BA         SA         ID            CA         RKA
WEM-8/16    5          4              6          5          7             7          7
Ref.        FSE 2015   IET-IFS 2007   AES 2004   FSE 2015   IndoC. 2010   FSE 2013   EuroC. 2010

GA: Generic Key Recovery Attacks; DC/LC: Differential and Linear Characteristics; BA: Boomerang Attacks; SA: Square Attacks; CA: Collision Attacks; ID: Impossible Differential attacks; RKA: Related-Key Attacks

Security Analysis [3/4]

4-round differential or linear characteristics of WEM-16

The lower bound of 25 active 8-bit S-boxes in any 4-round differential or linear characteristic for WEM-8 does not hold for WEM-16

Theorem 1. The number of active 8-bit S-boxes in any 4-round differential or linear characteristic of WEM(128,16,2,AES-128,5) is at least 15

— We can compute the number of active S-boxes according to the inserted location of the secret S-box layer λ

Inserted location      0/4     1       2       3
# of active S-boxes    ≥ 25    ≥ 17    ≥ 15    ≥ 17

Security Analysis [4/4]

4-round differential or linear characteristics of WEM-16

When λ is applied between the 2nd and the 3rd round, we can find a 4-round characteristic with 15 active 8-bit S-boxes plus 2 16-bit secret S-boxes

(Figure: the characteristic, with active 8-bit S-box counts 4, 1, 2, 8 across the rounds and 2 active 16-bit secret S-boxes)

Outline: Security in the White-Box Model

Introduction

Description of WEM

Security in the Black-Box Model

Security in the White-Box Model: Space-Hardness; Space-Hardness of WEM; Comparison to previous primitives

Conclusions

Space-Hardness

Introduced in [ACM-CCS’15] as a generalization of weak white-box security

(M, Z)-space hardness: a cipher is (M, Z)-space hard if it is infeasible for an adversary to encrypt/decrypt a randomly chosen plaintext/ciphertext with probability more than 2^(−Z) given code (table) of size less than M

Space-hardness does not make code lifting impossible, but harder to carry out in practice

Space-Hardness of WEM [1/2]

First, we evaluate the space-hardness of WEM(128,16,r,AES-128,5)

Goal: determine the minimal value of r for achieving (T/4, 112)-space hardness, where T is the size of the 16-bit S-box in 16-bit words

CASE 1: an adversary can encrypt a random plaintext by using only the known S-box entries

— Since the probability for this is 2^(−2·8r) (< 2^(−128)), we can take r = 9

CASE 2: an adversary can encrypt a random plaintext by guessing some S-box entries, when he misses the entries of several S-boxes

— He can miss only 8 S-box entries with very low probability (∵ 2^(−15·9) < 2^(−128))

— Overall, he should choose (8r − 8) S-box entries among the known entries

— Therefore, we can take r ≥ 12 (∵ 2^(−2(8r−8)) · C(8r, 8) < 2^(−128))

Space-Hardness of WEM [2/2]

Generally, we evaluate the space-hardness for a block cipher with m-bit S-boxes and k S-boxes per layer (k = n/m)

Goal: determine the minimal value of r for (2^(−α)·T, n − log(T))-space hardness

An adversary can miss only k S-box entries with very low probability

We can take r (> m/α) such that 2^(−α(k·r − k)) · C(k·r, k) < 2^(−k·m) is satisfied:

$$-\alpha (k r - k) + k \log k + k \log r < -k m \qquad \left(\because\ \binom{k r}{k} < (k r)^k\right)$$

Dividing by $\alpha k$:

$$-r + 1 + \frac{\log k}{\alpha} + \frac{\log r}{\alpha} < -\frac{m}{\alpha}$$

$$\therefore\ r - \frac{\log r}{\alpha} > \frac{m}{\alpha} + \frac{\log k}{\alpha} + 1$$

Comparison to previous primitives [1/2]

We can evaluate the space-hardness of the WhiteBlock structure

This cipher uses m-to-64-bit S-boxes and k S-boxes in a round (k·m = 64)

An adversary can miss one S-box entry with very low probability (∵ 2^(−64·2) ≤ 2^(−128))

Overall, he should choose (k·r − k) S-box entries in r − 1 rounds

Therefore, we can take r (≥ 2m/α) (∵ 2^(−α(k·r − k)) · C(r, r − 1) < 2^(−2k·m))

$$-\alpha (k r - k) + \log r < -2 k m$$

$$\therefore\ r - \frac{\log r}{\alpha k} > \frac{2m}{\alpha} + 1$$

(Figure: one WhiteBlock round, k S-boxes each taking m input bits)
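The round bounds on the three space-hardness slides above (the WEM inequality 2^(−α(kr−k))·C(kr, k) < 2^(−km), its closed-form approximation, and the WhiteBlock inequality), evaluated as an added example that is not the paper's code. The functions compare the inequalities exactly in integer arithmetic instead of by hand, and the closed form is evaluated separately to show that replacing C(kr, k) by (kr)^k makes it more conservative than the exact check. Parameter names follow the slides (k = n/m, α with 2^(−α)·T = T/4 for α = 2).

```python
"""Added example (not from the paper): evaluating the space-hardness round
bounds exactly with integer arithmetic, next to the slides' closed-form bound.
k = n/m S-boxes of m bits per layer; the adversary holds a 2^-alpha fraction
of each table (alpha = 2 is the T/4 case on the slides)."""
from math import comb, log2


def wem_min_rounds(k: int, m: int, alpha: int) -> int:
    """Smallest r with C(k r, k) * 2^(-alpha (k r - k)) < 2^(-k m), compared exactly
    in the equivalent form C(k r, k) * 2^(k m) < 2^(alpha (k r - k))."""
    r = 1
    while comb(k * r, k) * 2 ** (k * m) >= 2 ** (alpha * (k * r - k)):
        r += 1
    return r


def wem_min_rounds_closed_form(k: int, m: int, alpha: int) -> int:
    """Smallest r with r - log2(r)/alpha > m/alpha + log2(k)/alpha + 1, the bound the
    slide obtains after replacing C(k r, k) by (k r)^k; looser than the exact check."""
    r = 1
    while r - log2(r) / alpha <= m / alpha + log2(k) / alpha + 1:
        r += 1
    return r


def whiteblock_min_rounds(k: int, m: int, alpha: int) -> int:
    """Smallest r with C(r, r-1) * 2^(-alpha (k r - k)) < 2^(-2 k m), the WhiteBlock
    condition (k * m = 64), compared exactly."""
    r = 1
    while comb(r, r - 1) * 2 ** (2 * k * m) >= 2 ** (alpha * (k * r - k)):
        r += 1
    return r


def space_hardness_level(n: int, m: int, alpha: int):
    """The (M, Z) pair these bounds target: M = 2^-alpha * T with T = 2^m table
    entries, Z = n - log2(T)."""
    T = 1 << m
    return (T >> alpha, n - m)


if __name__ == "__main__":
    print("WEM(128,16,r,AES-128,5): exact r =", wem_min_rounds(8, 16, 2),
          "| closed-form r =", wem_min_rounds_closed_form(8, 16, 2),
          "| target (M, Z) =", space_hardness_level(128, 16, 2))
    print("WhiteBlock with 16-bit S-boxes (k*m = 64): exact r =",
          whiteblock_min_rounds(4, 16, 2))
```

For WEM-16 the exact evaluation returns r = 12, the value the slide reaches by hand for (T/4, 112)-space hardness and the round count of the WEM(128,16,12,AES-128,5) instance on the performance slide, while the closed form already needs r = 13; the closed form is only the convenient expression of "r a little above m/α", not the tightest bound.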

Comparison to previous primitives [2/2]

Summary of bounds for space-hardness (the number of rounds)

We only describe the evaluation results for the SPACE family in [ACM-CCS’15], because this cipher differs from WEM significantly

We can reduce the number of rounds in our primitives by using an SP network

Primitive (S-box)   WEM (this paper, m/α)   WhiteBlock (this paper, 2m/α)   WhiteBlock [Asiacrypt 2016]   SPACE [ACM-CCS 2015]   WB security
8-bit               4                       8                               -                             300                    (T/4, 120)
16-bit              8                       16                              18                            128                    (T/4, 112)
32-bit              16                      32                              34                            128                    (T/4, 96)

Outline: Conclusions

Introduction

Description of WEM

Security in the Black-Box Model

Security in the White-Box Model

Conclusions

Conclusions [1/2]

We presented a new family of white-box primitives, WEM

It combines the iterated EM construction with incompressible S-boxes and a round-reduced variant of an existing block cipher (e.g., AES)

This structure allows obtaining good performance with security confidence in the BBM

The security in the WBM is based on the provable randomness of the Fisher-Yates shuffle algorithm

Conclusions [2/2]

Our cipher is based on an SP network

This structure allows reducing the number of rounds for the same space-hardness level, in contrast with the previous primitives based on the Feistel construction (e.g., SPACE, WhiteBlock)

If the S-boxes can be applied in parallel, we can make our cipher faster

Performance

Primitive                    CPB     Table size     Platform
WEM(128,16,12,AES-128,5)     96.8    2^17 bytes     i7-5500U (2.4 GHz, w/o AES-NI)
WhiteBlock-16 (HOUND-16)     140     2^19 bytes     Xeon E5-1603v3 (2.8 GHz, with AES-NI)

Thanks for Your Attention!