
DigiCash


CryptoCurrency Cafe
Class 5: DigiCash
http://bitcoin-class.org


  1. Cryptocurrency Café, UVa cs4501, Spring 2015, David Evans. Class 5: DigiCash
  2. Plan for Today: Hashing; Preventing Double Spending; DigiCash – Untraceable Cash; Distributed Consensus. Project 1 is due Friday (11:59pm). Upcoming office hours: Me: Thursday 4-5pm (Rice 507); Nick: Friday noon-2pm (HackCville)
  3. Price Volatility [chart]
  4. Size of Bitcoin [chart, $B: Apple's Profits (last 3 months) vs. Bitcoin Market Cap]. Apple’s Profits (last 3 months) = $18B (Revenues = $75B). Value of all Bitcoin at today’s price: $3.5B
  5. Size of Bitcoin [chart, $B: Apple's Profits (last 3 months), Bitcoin Market Cap, Apple's Market Cap, US National Debt]. US National Debt: $18.1T
  6. Using Asymmetric Crypto: Signatures [diagram: Bob signs Message with KRB, the Signed Message crosses an Insecure Channel, anyone verifies it with KUB to obtain the Verified Message]. Bob generates key pair KUB, KRB and publishes KUB. Anyone: get KUB from a trusted provider.
  7. Signing Long Messages: Alice signs m1 = {“I give coin x = KUA, t to address KUB.”} with KRA. Bob signs m2 = {“I give coin x = KUA, t, given to me by m1 to address KUC.”} with KRB. Asymmetric crypto is expensive: what is the longest m we can sign with 256-bit ECDSA?
  8. Message Digests [diagram: Message → H → Message Digest → E with KRB → Signed Message; Bob verifies with KUB → Verified Message]. H is a cryptographic hash function: one-way: given H(x) cannot find preimage x; strong collision-resistant: hard to find a pair x and y where H(x) = H(y).
  9. Hash Functions [diagram: Cipher Block Chaining, $C_i = E_K(P_i \oplus C_{i-1})$ with $C_0 = IV$]
  10. SHA-2: SHA-256, 256-bit output, 64 rounds (best known attacks break preimage resistance for 52 rounds). http://opencores.org/project,sha256core
  11. Cryptographic Hashing in Bitcoin: • Transactions: message digests for signatures • Public address: hash of public key • Blockchain
  13. Bank IOU Protocol: Alice {KUA, KRA}; High Trust Bank {KUTB, KRTB}. M = “The High Trust Bank owes the holder of this message $100.” The bank gives Alice M, EKRTB[H(M)].
  14. Bank IOU Protocol (continued): Bob joins; Alice passes M, EKRTB[H(M)] to Bob.
  15. Bank IOU Protocol (continued): in return Bob sends Alice EKUA[secret curry recipe].
  16. Bank IOU Protocol (continued): M, EKRTB[H(M)] is presented to the bank for redemption.
  17. Bank IOU Protocol (continued): Both Alice and Bob can attempt to redeem the IOU (multiple times).
  18. Add Unique Identifiers: Alice {KUA, KRA}; Bear’s Turns Bank {KUTB, KRTB}. M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.” The bank issues M, EKRTB[H(M)].
  19. Add Unique Identifiers (continued): Bill can only be redeemed once. Bank cannot tell if it is Alice or Bob who cheated (first redeemer wins?). Not anonymous; traceable.
  20. David Chaum, CRYPTO 1988. Photo: Declan McCullagh (2002)
  22. Key Technology: Blind Signatures. Bank’s public key: (e, n); Bank’s private key: d. Normal signatures: Alice selects message m, sends m to the bank, the bank returns the signature $S_M = m^d \bmod n$. Blind signatures: Alice selects message m (continued on the next slide).
  23. Key Technology: Blind Signatures (continued). Normal signatures: Alice selects message m, $S_M = m^d \bmod n$. Blind signatures: Alice selects message m, picks random k in [1, n), sends the bank $t = m k^e \bmod n$. Bank signs: $t^d = (m k^e \bmod n)^d \bmod n$. Alice computes $m^d \bmod n$: $(m k^e)^d \equiv m^d k^{ed} \equiv m^d k \pmod n$ (since $k^{ed} \equiv k$); divide by k to get $m^d \bmod n$.
  24. Client-Selected Identifiers: Bear’s Turns Bank {KUTB, KRTB}. Alice sends the blinded bill $M_k$, where M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.” The bank returns EKRTB[$M_k$].
  25. Client-Selected Identifiers: Bear’s Turns Bank {KUTB, KRTB}. Alice sends the blinded bill $M_k$, where M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $10000000.” The bank returns EKRTB[$M_k$].
  26. Cut-and-Choose: $M_1, k_1$; $M_2, k_2$; … $M_{256}, k_{256}$. $M_i$ = “Bill #[$r_i$]: Bear’s Turns Bank owes the holder of this message $100.”
  27. Cut-and-Choose (continued): Alice generates N different messages and blinds each with a different k. She sends all of them to the Bank. The Bank randomly selects N-1 of them and challenges Alice to unblind. If all are okay, the Bank (blindly) signs the one un-opened message and returns it to Alice.
  28. Cut-and-Choose (continued): What is the probability Alice can cheat without getting caught?
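The blind-signature arithmetic of slides 22-23 and the cut-and-choose issuance of slides 26-28, as an added runnable example that is not code from the slides or from DigiCash. It assumes SHA-256 reduced mod n as the message digest and uses constructed toy primes that are far too small for real use; the bank's acceptance rule (every opened bill must be an honest $100 bill whose blinding checks out) is the one the slides describe.

```python
# Added example (not the slides' code): toy RSA blind signatures with Chaum's cut-and-choose
# issuance. Primes are constructed and far too small for real use; they make the slide arithmetic runnable.
import hashlib
import random
from math import gcd

P, Q = 1000003, 1000033             # constructed toy primes
N = P * Q                            # bank's public modulus n
E = 65537                            # bank's public exponent e
D = pow(E, -1, (P - 1) * (Q - 1))   # bank's private exponent d

def bill_text(amount, serial):
    return f"Bill #{serial}: Bear's Turns Bank owes the holder of this message ${amount}."

def digest(text):
    # m = H(text) reduced mod n, so the bank signs a fixed-size integer (assumption: SHA-256)
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % N

def pick_k(rng=random):
    while True:                      # blinding factor must be invertible mod n
        k = rng.randrange(2, N)
        if gcd(k, N) == 1:
            return k

def blind(m, k):
    return (m * pow(k, E, N)) % N    # t = m * k^e mod n; the bank never sees m

def bank_sign(t):
    return pow(t, D, N)              # t^d = m^d * k^(ed) = m^d * k (mod n)

def unblind(signed_t, k):
    return (signed_t * pow(k, -1, N)) % N   # divide by k -> m^d mod n

def verify(m, sig):
    return pow(sig, E, N) == m       # anyone holding (e, n) can check a bill

def cut_and_choose(amounts, seed=0):
    """Alice blinds one bill per amount; the bank opens all but one and signs the survivor
    only if every opened bill is an honest $100 bill. Returns (text, sig), or None if caught."""
    rng = random.Random(seed)
    bills = []
    for amt in amounts:
        text, k = bill_text(amt, rng.randrange(10**6)), pick_k(rng)
        bills.append((text, k, blind(digest(text), k)))
    keep = rng.randrange(len(bills))           # the single bill left unopened
    for i, (text, k, t) in enumerate(bills):
        if i != keep and (not text.endswith("$100.") or blind(digest(text), k) != t):
            return None                        # an opened bill is bogus: Alice is caught
    text, k, t = bills[keep]
    return text, unblind(bank_sign(t), k)
```

With one bogus bill among N, Alice escapes only when the bank happens to leave that bill unopened, i.e. with probability 1/N, which is the answer to the question on slide 28.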
  29. Add Unique Identifiers (recap): Alice {KUA, KRA}; Bear’s Turns Bank {KUTB, KRTB}. M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.” The bank issues M, EKRTB[H(M)]. Bill can only be redeemed once. Bank cannot tell if it is Alice or Bob who cheated (first redeemer wins?). Not anonymous; traceable.
  30. Blinded Identifiers: Alice {KUA, KRA}; Bear’s Turns Bank {KUTB, KRTB}. M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.” The bank issues M, EKRTB[H(M)]. Bill can only be redeemed once. Bank cannot tell who cheated (first redeemer wins?). Anonymous and untraceable.
  31. Catching Cheaters: Bear’s Turns Bank. Spend a bill once (one copy of M, EKRTB[H(M)] deposited): anonymity preserved. Spend a bill twice (two copies of M, EKRTB[H(M)] deposited): identity revealed.
  32. Identity Strings: $M_1, k_1$; $M_2, k_2$; … $M_{256}, k_{256}$. I = “alice@alice.org”. $M_i$ = “Bill #[$r_i$]: Bear’s Turns Bank owes the holder of this message $100.” + identity strings: $I_1 = (h(I_{1L}), h(I_{1R}))$ … $I_n = (h(I_{nL}), h(I_{nR}))$, where h is a one-way hash function and each $I_{iL} \oplus I_{iR} = I$.
  33. Spending a Bill: Alice presents M, EKRTB[H(M)] with I = “alice@alice.org”, $M_i$ = “Bill #[$r_i$]: Bear’s Turns Bank owes the holder of this message $100.” + identity strings $I_1 = (h(I_{1L}), h(I_{1R}))$ … $I_n = (h(I_{nL}), h(I_{nR}))$, where h is a one-way hash function and each $I_{iL} \oplus I_{iR} = I$. Reveal request: LRRLRLR… (randomly select L or R for each pair). Alice reveals $I_{1L}, I_{2R}, I_{3R}, I_{4L}, \ldots$; the merchant verifies the hashes and accepts the bill.
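The identity-string mechanism of slides 31-33 as an added runnable example, not code from the slides or from DigiCash. It assumes SHA-256 as the one-way hash h, builds the pairs with $I_{iL} \oplus I_{iR} = I$, answers a merchant's L/R reveal request, and shows how the bank recovers I from two deposits of the same bill whose reveal requests differ in at least one position.

```python
# Added example (not the slides' code): identity strings for double-spend detection.
# Assumes SHA-256 for h; identities and challenges below are constructed sample data.
import hashlib
import secrets

def h(data):
    return hashlib.sha256(data).hexdigest()

def make_identity_pairs(identity, n):
    """Alice's secret halves plus the public commitments (h(I_iL), h(I_iR)) placed in the bill."""
    halves, commits = [], []
    for _ in range(n):
        left = secrets.token_bytes(len(identity))               # random I_iL
        right = bytes(a ^ b for a, b in zip(left, identity))    # I_iR, so I_iL XOR I_iR = I
        halves.append((left, right))
        commits.append((h(left), h(right)))
    return halves, commits

def spend(halves, challenge):
    """Alice answers the merchant's L/R string by revealing one half of each pair."""
    return [halves[i][0] if c == "L" else halves[i][1] for i, c in enumerate(challenge)]

def merchant_verify(commits, challenge, revealed):
    # each revealed half must hash to the committed value on the requested side
    return all(h(r) == commits[i][0 if c == "L" else 1]
               for i, (c, r) in enumerate(zip(challenge, revealed)))

def random_challenge(n):
    return "".join(secrets.choice("LR") for _ in range(n))

def bank_detect_double_spend(transcripts):
    """Given two deposits (challenge, revealed) of the same bill, find a pair where the
    challenges differ and XOR its two halves to recover the cheater's identity I."""
    (c1, r1), (c2, r2) = transcripts
    for i, (a, b) in enumerate(zip(c1, c2)):
        if a != b:
            return bytes(x ^ y for x, y in zip(r1[i], r2[i]))
    return None   # identical challenges: with n pairs this happens with probability 2^-n
```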
  34. Charge: Next week: The Blockchain. Project 1 is due Friday. Upcoming office hours: Me: Thursday 4-5pm (Rice 507); Nick: Friday noon-2pm (HackCville)