Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Before Bitcoin

604 views

Published on

http://www.bitcoin-class.org
University of Virginia
Cryptocurrency Cabal
cs4501 Fall 2015

Published in: Economy & Finance
  • Be the first to comment

  • Be the first to like this

Before Bitcoin

  1. 1. Class 23: Before Bitcoin Cryptocurrency Cabal cs4501 Fall 2015 David Evans and Samee Zahur University of Virginia
  2. 2. Plan Projects Elevator Speeches start Wednesday In the News: Graph Isomorphism Tor Attack Chaum’s Digicash (Post-Bitcoin Alternatives) 1
  3. 3. Projects Lots of interesting ideas: check out course site Elevator Pitches Up to 2 minutes Can project something (but must be from URL) Explain: - Purpose (what problem are you solving) - What are you doing - Why should we care 2 Teams will be pseudo-randomly selected to give project pitches during class starting Wednesday. Be prepared to do this!
  4. 4. Progress Reports Due: Next Monday (8:29pm) See course site for details: 1. Link to project website 2. What has changed since preliminary proposal 3. Description of progress 4. Plan to finish project 5. Any questions you have 3
  5. 5. Is Graph Isomorphism Hard? 4
  6. 6. 5
  7. 7. 6Photo: Jeremy Kun
  8. 8. Complexity of Graph Isomorphism 7 Best previously known: Laszlo Babai’s (claimed) result: How close is this to polynomial time?
  9. 9. 8
  10. 10. Does this matter in practice? 9 Image from Botao Hu http://amber.botao.hu/works/research/de-anonymizingsocialnetworks
  11. 11. Should we be worried? 10
  12. 12. Tor, CMU, and the FBI? 11
  13. 13. Operation Onymous (Nov 2014) 12 Shutdown dark markets (including “Silk Road 2.0”) 414 .onion domains seized 17 Arrests 17 Countries involved
  14. 14. 13
  15. 15. 14
  16. 16. 15
  17. 17. 16
  18. 18. 17
  19. 19. 18
  20. 20. CRYPTO 1988 David Chaum Photo: Declan McCullagh (2002)19
  21. 21. 20 Communications of the ACM October 1985
  22. 22. 21 Communications of the ACM October 1985
  23. 23. 22 CRYPTO 1988
  24. 24. 23 Alice {KUA, KRA} High Trust Bank {KUTB, KRTB} M M = “The High Trust Bank owes the holder of this message $100.” EKRTB [H(M)] Bank IOU Protocol
  25. 25. 24 Alice High Trust Bank {KUTB, KRTB} M M = “The High Trust Bank owes the holder of this message $100.” EKRTB [H(M)] Bob
  26. 26. 25 Alice High Trust Bank {KUTB, KRTB} M M = “The High Trust Bank owes the holder of this message $100.” EKRTB [H(M)] Bob M EKRTB [H(M)] EKUA [secret curry recipe]
  27. 27. 26 Alice High Trust Bank {KUTB, KRTB} M M = “The High Trust Bank owes the holder of this message $100.” EKRTB [H(M)] Bob M EKRTB [H(M)] EKUA [secret curry recipe] M EKRTB [H(M)]
  28. 28. 27 Alice High Trust Bank {KUTB, KRTB} M M = “The High Trust Bank owes the holder of this message $100.” EKRTB [H(M)] Bob M EKRTB [H(M)] EKUA [secret curry recipe] M EKRTB [H(M)] Both Alice and Bob can attempt to redeem the IOU (multiple times).
  29. 29. 28 Alice {KUA, KRA} Bear’s Turns Bank {KUTB, KRTB} M M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.” EKRTB [H(M)] Add Unique Identifiers
  30. 30. 29 Alice {KUA, KRA} Bear’s Turns Bank {KUTB, KRTB} M M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.” EKRTB [H(M)] Add Unique Identifiers Bill can only be redeemed once. Bank cannot tell if it is Alice or Bob who cheated (first redeemer wins?) Not anonymous; tracable
  31. 31. Untraceable Cash 30 Can we make untraceable digital banknotes that can only be spent once?
  32. 32. Key Technology: Blind Signatures 31 Normal RSA Signatures: Alice selects message m Sends m to bank Bank returns signature: SM = md mod n Goal: Blind Signatures: Alice selects message m Alice obtains SM Bank doesn’t learn m Bank’s public key: (e, n) Bank’s private key: d
  33. 33. Key Technology: Blind Signatures 32 Normal Signatures: Alice selects message m SM = md mod n Blind Signatures: Alice selects message m Picks random k in [1, n) Sends bank t = mke mod n Bank signs: td = (mke mod n)d mod n Alice computes md mod n: = (mke)d mod n  mdked mod n divide by k = md mod n Bank’s public key: (e, n) Bank’s private key: d
  34. 34. 33 Bear’s Turns Bank {KUTB, KRTB} Mk M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.” EKRTB [Mk] Client-Selected Identifiers
  35. 35. 34 Bear’s Turns Bank {KUTB, KRTB} Mk M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $10000000.” EKRTB [Mk] Client-Selected Identifiers
  36. 36. Cut-and-Choose 35 M1 k1 M2 k2 M256 k256 … Mi = “Bill #[ri] : Bear’s Turns Bank owes the holder of this message $100.”
  37. 37. Cut-and-Choose 36 M1 k1 M2 k2 M256 k256 … Mi = “Bill #[ri] : Bear’s Turns Bank owes the holder of this message $100.” Alice generate N different messages, and blinds each with different k. Sends all of them to Bank. Bank randomly selects N-1 of them, and challenges Alice to unblind. If all are okay, Bank (blindly) signs the one un-opened message, and returns it to Alice.
  38. 38. Cut-and-Choose 37 M1 k1 M2 k2 M256 k256 … Alice generate N different messages, and blinds each with different k. Sends all of them to Bank. Bank randomly selects N-1 of them, and challenges Alice to unblind. If all are okay, Bank (blindly) signs the one un-opened message, and returns it to Alice. What is probability Alice can cheat without getting caught?
  39. 39. 38 Alice {KUA, KRA} Bear’s Turns Bank {KUTB, KRTB} M M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.” EKRTB [H(M)] Add Unique Identifiers Bill can only be redeemed once. Bank cannot tell if it is Alice or Bob who cheated (first redeemer wins?) Not anonymous; tracable
  40. 40. 39 Alice {KUA, KRA} Bear’s Turns Bank {KUTB, KRTB} M M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.” EKRTB [H(M)] Blinded Identifiers Bill can only be redeemed once. Bank cannot tell who cheated (first redeemer wins?) Anonymous and untraceable
  41. 41. Catching Cheaters 40 M EKRTB [H(M)] M EKRTB [H(M)] Bear’s Turns Bank Spend a bill once: anonymity preserved M EKRTB [H(M)] Spend a bill twice: identity revealed
  42. 42. Identity Strings 41 M1 k1 M2 k2 M256 k256 … I = “alice@alice.org” Mi = “Bill #[ri] : Bear’s Turns Bank owes the holder of this message $100.” + identity strings: I1 = (h(I1L), h(I1R)) ... In = (h(InL), h(InR)) where h is a one-way hash function and each IiL  IiR = I
  43. 43. Spending a Bill 42 M EKRTB [H(M)] I = “alice@alice.org” Mi = “Bill #[ri] : Bear’s Turns Bank owes the holder of this message $100.” + identity strings: I1 = (h(I1L), h(I1R)) ... In = (h(InL), h(InR)) where h is a one-way hash function and each IiL  IiR = I Reveal request: LRRLRLR… (randomly select L or R for each pair) I1L, I2R,I3R, I4L,… verifies hashes, accepts bill
  44. 44. 43 How well does this scheme work as a currency?
  45. 45. Rise of DigiCash 44 David Chaum
  46. 46. Collapse 45 Bankrupt, 1998
  47. 47. Charge Be ready for project elevator pitches starting Wednesday! 46

×