Cryptocurrency Cafe, Spring 2015 Class 4: Verifiably Random http://bitcoin-class.org

1. Cryptocurrency Café
cs4501 Spring 2015
David Evans
University of Virginia
Class 4:
Verifiably Random

2. Plan for This Week
Signing with Elliptic Curves (Sketch)
Elliptic Curve Parameters
Dual-EC Duel
Preventing Double Spending
Distributed Consensus
The Blockchain
1
Office Hours today!
Me: after class
Nick: 5-7pm in Rice 442
Project 1 Due Friday, 11:59pm
Wednesday

3. Signing with Elliptic Curves
2
Elliptic curve discrete
logarithm problem: given
points P and Q, it is hard to
find k such that Q = kP.
How can we use this hardness
assumption to make
asymmetric cryptosystem?

4. Signing with Elliptic Curves
3
Elliptic curve discrete
logarithm problem: given
points P and Q, it is hard to
find k such that Q = kP.
How can we use this hardness
assumption to make
asymmetric cryptosystem?
Parameters: curve, G (a point on curve),
(large) n such that nG = 0.
Key pair:
Private key: d = pick a random integer in [1, n-1]
Public key: point Q = dG

5. Signing with Elliptic Curves
4
Parameters: curve, G (a point on curve),
(large) n such that nG = 0.
Key pair:
Private key: d = pick a random integer in [1, n-1]
Public key: point Q = dG

6. Signing with Elliptic Curves
5
Parameters: curve, G (a point on curve),
(large) n such that nG = 0.
Key pair:
Private key: d = pick a random integer in [1, n-1]
Public key: point Q = dG
Sign (sketch):
pick random integer k in [1, n-1]
compute curve point: (x, y) = kG
signature = (x mod n, k-1(z + rd) mod n)

7. Verifying a Signature
6
1. Verify Q is valid.
Q is on the curve,
nQ = 0
Q must not be 0
Parameters: curve, G (a point on curve), (large) n such that nG = 0.
Key pair:
Private key: d = pick a random integer in [1, n-1]
Public key: point Q = dG
Sign (sketch):
pick random integer k in [1, n-1]
compute curve point: (x, y) = kG
signature = (x mod n, k-1(z + rd) mod n)

8. Verifying a Signature
7
2. Verify signature is valid. Compute curve point using
Q, z, and signature, and check it.
Parameters: curve, G (a point on curve), (large) n such that nG = 0.
Key pair:
Private key: d = pick a random integer in [1, n-1]
Public key: point Q = dG
Sign (sketch):
pick random integer k in [1, n-1]
compute curve point: (x, y) = kG
signature = (x mod n, k-1(z + rd) mod n)

9. Why Elliptic Curve instead of RSA?
8

10. 9
RSA ECC
Discovery
1977
(previously discovered in 1969 by
GHCQ and perhaps earlier by NSA)
1985
(adoption limited until ~2005)
“Hard” Problem Factoring Discrete Log on Elliptic Curve
Key Size (~112-bit) 2048 bits (768 bits broken) 224 bits (112 bits broken)
Backdoor Risk None Curves selected by NSA/Certicom/?
Quantum Computing Risk
Known fast factoring algorithms
(Shor’s)
Similar (variation of Shor’s algorithm
solves Discrete Log)
Implementation Challenges
Avoiding weak keys, timing side
channels
Fast operations on elliptic curves,
leaks on invalid inputs

11. Why are RSA keys so much bigger?
10
RSA ECC
“Hard” Problem Factoring Discrete Log on Elliptic Curve

12. 11
RSA ECC
“Hard” Problem Factoring Discrete Log on Elliptic Curve
Naïve factoring: try division by all numbers up to √N
Best known factoring:
General Number Field Sieve [“Sneakers” 1992]
Largest challenge solved: RSA-768 (2009)
(RSA stopped funding challenges in 2007.)
NIST deprecated 1024-bit RSA in 2012

13. 12
RSA ECC
Factoring Discrete Log on Elliptic Curve
Naïve algorithm: √N divisions
Best known factoring: ~ (e(ln n)1/3
)
Known vulnerable: 1024-bit

14. 13
RSA ECC
Factoring Discrete Log on Elliptic Curve
Naïve algorithm: √N divisions
Best known factoring: ~ (e(ln n)1/3
)
Known vulnerable: 1024-bit
Naïve algorithm: p curve additions
Best known: ~ (√p) (Pollard’s Rho)
Known vulnerable: 113-bit
(24 days x 18 FPGA cores, 2014)

15. Bitcoin’s Curve
14

16. 15

17. 16
Is 4 a random number?

18. 17
010110000111101100
001110111010000000
011101100000001110
110110010111110011
011110010000011100
000011101110000000
111010100100010100
000101000010011101
110111111110011000
101101010000001001
010110100110101100
001110111010100010
011101100010001110
110110010110110011
011010010010011100
100011101110010000
111010100100010101
000101000010011101
110110101110011000
101101010100001001
Which of these is random?

19. 88575272489122793818301194912983367336244065664
30860213949463952247371907021798609437027705392
17176293176752384674818467669405132000568127145
26356082778577134275778960917363717872146844090
12249534301465495853710507922796892589235420199
56112129021960864034418159813629774771309960518
70721134999999837297804995105973173281609631859
50244594553469083026425223082533446850352619311
88171010003137838752886587533208381420617177669
14730359825349042875546873115956286388235378759
37519577818577805321712268066130019278766111959
0921642019893809525720106548586327886593615338118
Is this sequence random?

20. 88575272489122793818301194912983367336244065664
30860213949463952247371907021798609437027705392
17176293176752384674818467669405132000568127145
26356082778577134275778960917363717872146844090
12249534301465495853710507922796892589235420199
56112129021960864034418159813629774771309960518
70721134999999837297804995105973173281609631859
50244594553469083026425223082533446850352619311
88171010003137838752886587533208381420617177669
14730359825349042875546873115956286388235378759
37519577818577805321712268066130019278766111959
0921642019893809525720106548586327886593615338119
normal numbers look random
“Feynman point” (762nd digit of π)

21. 20Source of images: http://boallen.com/random-numbers.html

22. 21Source of images: http://boallen.com/random-numbers.html
PHP rand()
(on Windows)
random.org
(atmospheric noise)
Which should you use to generate your wallet’s private key?

23. Defining
Randomness
22
Андре́й Колмого́ров
Andrey Kolmogorov
(1903-1987)
For a sequence s, its Kolmogorov
Complexity: K(s) = the length of the
shortest description of s
A sequence s is random,
if K(s) = |s| + C
(This is a somewhat informal version. A real definition would
need to be more careful about stating this asymptotically.)
“He was to probability
theory what Euclid was to
geometry.” (Peter Lax)

24. Kolmogorov Complexities
s = 000000000000000…
23

25. Kolmogorov Complexities
s = 000000000000000…
description = “N repeated 0s”
K(s) = log |s| + C1 < |s| + C
t = 010011000111000011110000011111…
24

26. Kolmogorov Complexities
t = 010011000111000011110000011111…
25

27. Kolmogorov Complexities
t = 010011000111000011110000011111…
26
description =
“t = “”;
for (i = 1; i < N; i++) {
for (j = 0; j < i; j++) t += ‘0’;
for (j = 0; j < i; j++) t += ‘1’; }”
K(s) = log |s| + C1 < |s| + C

28. Kolmogorov Complexities
27
r=ce792b6c0d8c8a8431345e793ce43f6f55e8c44eb582c659cce7b0ef6135bc
a363a2529d2643d05d6d5616b090fb3fdea31708baaebf478ba176ffb9f3e5d96
83201d907d1ff48c248636218e7e0ae34d7bed4a56ba298b887c1ff0ac30dc78d
8261342411e0f694984e5bd645f7da03b348d7c0444c0010bc00c8f61d5e585ce
8ece76076c1bddf9d87357e48995732cb11a080dc63bfb8280795456ee46b41d
1977654a89c46e25b55b0f6ea2849290deebbcd722db3a5078eadb0b63d9b98
7e03e9bbf39f9619ed68b1db0a0cd260dbbc6909aac33c21a422413605c07284
6a9a27af617e417a8438f1666dbf5fe6f9e51767c2d1588ba99296273e4fb61cef
ec3580d2a5968314e0f65b5b419af1aa1be9b20c6db45288891f64ac5552d853e
6101be2e37a1acecb4e2593a009ef54690e00d7477a06d1154dfc3f168ed39904
4d4f57842c33c39d2b515ab5acfcdf85aa3ec3af22d945c2774f87efbc7a188ce47
093cbd25095498329a24542fc94f2f35179ec5d02c43bc51261258f85bfd10db6c
1cfba08c171a351006d513a9736bc08f80ad083987429af7ce4eb6f71d7004a1f6

29. Kolmogorov Complexities
28
r=ce792b6c0d8c8a8431345e793ce43f6f55e8c44eb582c659cce7b0ef6135bc
a363a2529d2643d05d6d5616b090fb3fdea31708baaebf478ba176ffb9f3e5d96
83201d907d1ff48c248636218e7e0ae34d7bed4a56ba298b887c1ff0ac30dc78d
8261342411e0f694984e5bd645f7da03b348d7c0444c0010bc00c8f61d5e585ce
8ece76076c1bddf9d87357e48995732cb11a080dc63bfb8280795456ee46b41d
1977654a89c46e25b55b0f6ea2849290deebbcd722db3a5078eadb0b63d9b98
7e03e9bbf39f9619ed68b1db0a0cd260dbbc6909aac33c21a422413605c07284
6a9a27af617e417a8438f1666dbf5fe6f9e51767c2d1588ba99296273e4fb61cef
ec3580d2a5968314e0f65b5b419af1aa1be9b20c6db45288891f64ac5552d853e
6101be2e37a1acecb4e2593a009ef54690e00d7477a06d1154dfc3f168ed39904
4d4f57842c33c39d2b515ab5acfcdf85aa3ec3af22d945c2774f87efbc7a188ce47
093cbd25095498329a24542fc94f2f35179ec5d02c43bc51261258f85bfd10db6c
1cfba08c171a351006d513a9736bc08f80ad083987429af7ce4eb6f71d7004a1f6
package main
import (
"fmt"
"crypto/rand"
)
func main() {
b := make([]byte, 16)
for {
_, err := rand.Read(b)
fmt.Printf("%x", b)
}
}

30. Kolmogorov Complexities
29
r=ce792b6c0d8c8a8431345e793ce43f6f55e8c44eb582c659cce7b0ef6135bc
a363a2529d2643d05d6d5616b090fb3fdea31708baaebf478ba176ffb9f3e5d96
83201d907d1ff48c248636218e7e0ae34d7bed4a56ba298b887c1ff0ac30dc78d
8261342411e0f694984e5bd645f7da03b348d7c0444c0010bc00c8f61d5e585ce
8ece76076c1bddf9d87357e48995732cb11a080dc63bfb8280795456ee46b41d
1977654a89c46e25b55b0f6ea2849290deebbcd722db3a5078eadb0b63d9b98
7e03e9bbf39f9619ed68b1db0a0cd260dbbc6909aac33c21a422413605c07284
6a9a27af617e417a8438f1666dbf5fe6f9e51767c2d1588ba99296273e4fb61cef
ec3580d2a5968314e0f65b5b419af1aa1be9b20c6db45288891f64ac5552d853e
6101be2e37a1acecb4e2593a009ef54690e00d7477a06d1154dfc3f168ed39904
4d4f57842c33c39d2b515ab5acfcdf85aa3ec3af22d945c2774f87efbc7a188ce47
093cbd25095498329a24542fc94f2f35179ec5d02c43bc51261258f85bfd10db6c
1cfba08c171a351006d513a9736bc08f80ad083987429af7ce4eb6f71d7004a1f6
package main
import (
"fmt"
"crypto/rand"
)
func main() {
b := make([]byte, 16)
for {
_, err := rand.Read(b)
fmt.Printf("%x", b)
}
}
state of
/dev/urandom
when I ran
this

31. Amplifying Physical Randomness
Pseudo-Random Number Generator
30
AES
k = f(physical randomness)
0
k
AES1
k
AES2
k
output output output
3
Every once in a while, compute a new k using new physical randomness.

32. Computing Kolmogorov Complexity
31
Given s, how hard is it to compute K(s)?

33. Understanding Kolmogorov Randomness
32
What is the smallest natural
number that cannot be
described in eleven words?

34. 33
What is the smallest natural
number that cannot be
described in eleven words?
The smallest natural number that
cannot be described in eleven words.
1 2 3 4 5
6 7 8 9 10 11

35. Computing Kolmogorov Complexity
34
Given s, how hard is it to compute K(s)?
Its not just hard, it is undecidable.

36. 35
How many times does one need to write “verifiably random” to be convincing?

37. 36

38. September 2013
37

39. 38

40. Dual-EC PRNG
39
sisi +1= φ(si ×P)
s0  physical randomness
Update Internal State
P and Q are
points on an
elliptic curve
Generate Output Bits
16 least
significant bits of
ri’s x-coordinate
ri = φ(si ×Q)

41. CurveUsedby
Dual-ECPRNG
40
NIST P-256
y2 = x3 + ax + b (mod p)
p = 2256 − 2224 + 2192 + 296 − 1
a = p − 3
b =41058363725152142129326129780047268409114441015993725554835256314039467401291
Elliptic curve operations are expensive! Dual-EC PRNG is 1000x
slower than strong PRNG’s built using symmetric ciphers.

42. Why use Elliptic Curves for PRNG?
• Easier to plant a back-door in it than designs
based on symmetric ciphers
• Can be used to provide provable security
properties based on number theory:
hardness of discrete log on elliptic curves
– But not done for Dual EC PRNG
41

43. Dual-EC PRNG
42
sisi +1= φ(si ×P)
s0  randomness
Update Internal State
P and Q are (random?)
points on P-256.
Generate Output Bits
ri = φ(si ×Q)
16 least
significant bits of
ri’s x-coordinate

44. 43

45. 44

46. 45
OpenSSL-FIPS Implementation (using NIST P and Q values)
Image credit: Matthew Green

47. 46
“Rump session” talk at CRYPTO 2007:

48. Possible Back Door
P and Q are points on the curve
P is a generator of the curve
All points on curve are kP for some k
Curve is prime order: P = eQ for some e
47
Challenge: given oi, can you find si?

49. 48
sisi +1= φ(si ×P)
s0
16 least significant
bits of ri’s x-coord
ri = φ(si ×Q)
oi
Challenge: given oi, can you find si?

50. 49
sisi +1= φ(si ×P)
s0
16 least significant
bits of ri’s x-coord
ri = φ(si ×Q)
oi
Challenge: given oi, can you find si?
ri = (xi, yi) = (16 unknown bits | oi, yi)
Points on the curve: y2 = x3 – 3x + b (mod p)

51. 50
sisi +1= φ(si ×P)
s0
16 least significant
bits of ri’s x-coord
ri = φ(si ×Q)
oi
Challenge: given oi, can you find si?
ri = (xi, yi) = (16 unknown bits | oi, yi)
Points on the curve: y2 = x3 – 3x + b (mod p)
foreach u in [0, 216]:
g = u | oi
z = g3 – 3g + b (mod p)
if z1/2 mod p exists, on the curve
How expensive is this?
How many are on the curve?

52. 51
foreach u in [0, 216]:
g = u | oi
z = g3 – 3g + b (mod p)
if z1/2 mod p exists, on the curve
si +1= φ(si ×P) ri = φ(si ×Q)
P = eQ

53. 52
foreach u in [0, 216]:
g = u | oi
z = g3 – 3g + b (mod p)
if z1/2 mod p exists, on the curve
si +1= φ(si ×P) ri = φ(si ×Q)
P = eQ
A = (x, y) = ri ×Q guessed point on curve
φ(e × A) = φ(e × si ×Q) = φ(si ×P) = si +1
One output is enough to learn internal state (if you know e)!

54. 53
Shumow and Ferguson’s conclusion:

55. 54
2013 Intelligence Budget Request
Snowden Leak (5 September 2013)
2013 Intelligence Budget Request ($250M)

56. 55

57. 56

58. September 2013
57

59. 58

60. 59
With hindsight, NSA should have ceased
supporting the dual EC_DRBG algorithm
immediately after security researchers
discovered the potential
for a trapdoor. In truth, I can think of no better
way to describe our failure to drop support for
the Dual_EC_DRBG algorithm as anything other
than regrettable. …
Furthermore, we realize that our advocacy for
the DUAL_EC_DRBG casts suspicion on the
broader body of work NSA has done to promote
secure standards. Indeed, some colleagues have
extrapolated this single action to allege that NSA
has a broader agenda to “undermine Internet
encryption.”

61. Generating
Randomness
for Your Private Key
60

62. 61
Root Key

63. DNSSEC Key Ceremony
62

64. Charge
Project 1 is due Friday
If you haven’t already read Satoshi’s original
bitcoin paper and Chapter 5, please do before
Wednesday’s class
63
Office Hours today!
Me: now
Nick: 5-7pm in Rice 442
Project 1 Due Friday, 11:59pm