before bitcoin
TRANSCRIPT
Class 23:Before Bitcoin
Cryptocurrency Cabalcs4501 Fall 2015
David Evans and Samee ZahurUniversity of Virginia
2
PlanProjects
Elevator Speeches start WednesdayIn the News:
Graph IsomorphismTor Attack
Chaum’s Digicash(Post-Bitcoin Alternatives)
3
ProjectsLots of interesting ideas: check out course siteElevator Pitches
Up to 2 minutesCan project something (but must be from URL)Explain:- Purpose (what problem are you solving)- What are you doing- Why should we care
Teams will be pseudo-randomly selected to give project pitches during class starting Wednesday. Be prepared to do this!
4
Progress ReportsDue: Next Monday (8:29pm)See course site for details:
1. Link to project website2. What has changed since preliminary proposal3. Description of progress4. Plan to finish project5. Any questions you have
5
Is Graph Isomorphism Hard?
6
7Photo: Jeremy Kun
8
Complexity of Graph Isomorphism
Best previously known: Laszlo Babai’s (claimed) result:
How close is this to polynomial time?
9
10
Does this matter in practice?
Image from Botao Huhttp://amber.botao.hu/works/research/de-anonymizingsocialnetworks
11
Should we be worried?
12
Tor, CMU, and the FBI?
13
Operation Onymous (Nov 2014)
Shutdown dark markets (including “Silk Road 2.0”)414 .onion domains seized17 Arrests17 Countries involved
15
17
18
19
20
CRYPTO 1988David Chaum
Photo: Declan McCullagh (2002)
21
Communications of the ACMOctober 1985
22
Communications of the ACMOctober 1985
23
CRYPTO 1988
24
Alice{KUA, KRA}High Trust Bank
{KUTB, KRTB}MM = “The High Trust Bank owes the
holder of this message $100.”
EKRTB[H(M)]
Bank IOU Protocol
25
Alice
High Trust Bank
{KUTB, KRTB}M
M = “The High Trust Bank owes the holder of this message $100.”
EKRTB[H(M)]Bob
26
Alice
High Trust Bank
{KUTB, KRTB}M
M = “The High Trust Bank owes the holder of this message $100.”
EKRTB[H(M)]Bob M EKRTB[H(M)]
EKUA[secret curry recipe]
27
Alice
High Trust Bank
{KUTB, KRTB}M
M = “The High Trust Bank owes the holder of this message $100.”
EKRTB[H(M)]Bob M EKRTB[H(M)]
EKUA[secret curry recipe]
M EKRTB[H(M)]
28
Alice
High Trust Bank
{KUTB, KRTB}M
M = “The High Trust Bank owes the holder of this message $100.”
EKRTB[H(M)]Bob M EKRTB[H(M)]
EKUA[secret curry recipe]
M EKRTB[H(M)]
Both Alice and Bob can attempt to redeem the IOU (multiple times).
29
Alice{KUA, KRA}
Bear’sTurnsBank
{KUTB, KRTB}MM = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB[H(M)]
Add Unique Identifiers
30
Alice{KUA, KRA}
Bear’sTurnsBank
{KUTB, KRTB}MM = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB[H(M)]
Add Unique IdentifiersBill can only be redeemed once.
Bank cannot tell if it is Alice or Bob who cheated (first redeemer wins?)
Not anonymous; tracable
31
Untraceable Cash
Can we make untraceable digital banknotes that can only be spent once?
32
Key Technology: Blind Signatures
Normal RSA Signatures:Alice selects message mSends m to bankBank returns signature:SM = md mod n
Goal: Blind Signatures:Alice selects message mAlice obtains SMBank doesn’t learn m
Bank’s public key: (e, n)Bank’s private key: d
33
Key Technology: Blind Signatures
Normal Signatures:Alice selects message mSM = md mod n
Blind Signatures:Alice selects message mPicks random k in [1, n)Sends bank t = mke mod nBank signs: td = (mke mod n)d mod nAlice computes md mod n: = (mke)d mod n mdked mod ndivide by k = md mod n
Bank’s public key: (e, n)Bank’s private key: d
34
Bear’sTurnsBank
{KUTB, KRTB}
Mk
M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.”
EKRTB[Mk]
Client-Selected Identifiers
35
Bear’sTurnsBank
{KUTB, KRTB}
Mk
M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $10000000.”
EKRTB[Mk]
Client-Selected Identifiers
36
Cut-and-ChooseM1k1M2k2
M256k256
…
Mi = “Bill #[ri] : Bear’s Turns Bank owes the holder of this message $100.”
37
Cut-and-ChooseM1k1M2k2
M256k256
…
Mi = “Bill #[ri] : Bear’s Turns Bank owes the holder of this message $100.”
Alice generate N different messages, and blinds each with different k. Sends all of them to Bank.
Bank randomly selects N-1 of them, and challenges Alice to unblind.
If all are okay, Bank (blindly) signs the one un-opened message, and returns it to Alice.
38
Cut-and-ChooseM1k1M2k2
M256k256
…
Alice generate N different messages, and blinds each with different k. Sends all of them to Bank.
Bank randomly selects N-1 of them, and challenges Alice to unblind.
If all are okay, Bank (blindly) signs the one un-opened message, and returns it to Alice.
What is probability Alice can cheat without getting caught?
39
Alice{KUA, KRA}
Bear’sTurnsBank
{KUTB, KRTB}MM = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB[H(M)]
Add Unique IdentifiersBill can only be redeemed once.
Bank cannot tell if it is Alice or Bob who cheated (first redeemer wins?)
Not anonymous; tracable
40
Alice{KUA, KRA}
Bear’sTurnsBank
{KUTB, KRTB}MM = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB[H(M)]
Blinded IdentifiersBill can only be redeemed once.
Bank cannot tell who cheated (first redeemer wins?)
Anonymous and untraceable
41
Catching Cheaters
M EKRTB[H(M)] M EKRTB[H(M)]
Bear’sTurnsBank
Spend a bill once: anonymity preserved
M EKRTB[H(M)]Spend a bill twice: identity revealed
42
Identity StringsM1k1M2k2
M256k256
…
I = “[email protected]”Mi = “Bill #[ri] : Bear’s Turns Bank owes the holder of this message $100.” + identity strings:I1 = (h(I1L), h(I1R))...In = (h(InL), h(InR))where h is a one-way hash function and each IiL IiR = I
43
Spending a Bill
M EKRTB[H(M)]I = “[email protected]”Mi = “Bill #[ri] : Bear’s Turns Bank owes the holder of this message $100.” + identity strings:I1 = (h(I1L), h(I1R))...In = (h(InL), h(InR))where h is a one-way hash function and each IiL IiR = I
Reveal request: LRRLRLR…(randomly select L or R for each pair)
I1L, I2R,I3R, I4L,… verifies hashes,accepts bill
44
How well does this scheme work as a currency?
45
Rise of DigiCash
David Chaum
46
Collapse
Bankrupt, 1998
47
ChargeBe ready for project elevator pitches starting Wednesday!