SlideShare a Scribd company logo

Bitcoin MOOC Lecture 1.pptx

Download as PPTX, PDF
Oluseyi Akindeinde
Oluseyi Akindeinde

This lecture introduces cryptocurrencies and the cryptographic concepts that enable them. It discusses hash functions and their properties like collision resistance. Digital signatures are explained as well as how public keys can represent identities. Simple cryptocurrency schemes are presented like GoofyCoin where a central party controls coin generation, and ScroogeCoin where a transaction history is published but one entity still controls validity. The goal of later lectures is to create a decentralized currency without a central trusted authority.

Education
1 of 54
Lecture 1 Intro to Crypto and Cryptocurrencies
Welcome Joseph Bonneau Ed Felten Arvind Narayanan special guest: Andrew Miller
This lecture Crypto background hash functions digital signatures … and applications Intro to cryptocurrencies basic digital cash
Lecture 1.1: Cryptographic Hash Functions
Hash function: takes any string as input fixed-size output (we’ll use 256 bits) efficiently computable Security properties: collision-free hiding puzzle-friendly
Hash property 1: Collision-free Nobody can find x and y such that x != y and H(x)=H(y) x y H(x) = H(y)
Collisions do exist ... possible inputs possible outputs … but can anyone find them?
How to find a collision try 2130 randomly chosen inputs 99.8% chance that two of them will collide This works no matter what H is … … but it takes too long to matter
Is there a faster way to find collisions? For some possible H’s, yes. For others, we don’t know of one. No H has been proven collision-free.
Application: Hash as message digest If we know H(x) = H(y), it’s safe to assume that x = y. To recognize a file that we saw before, just remember its hash. Useful because the hash is small.
Hash property 2: Hiding We want something like this: Given H(x), it is infeasible to find x. H(“heads”) H(“tails”) easy to find x!
Hash property 2: Hiding Hiding property: If r is chosen from a probability distribution that has high min-entropy, then given H(r | x), it is infeasible to find x. High min-entropy means that the distribution is “very spread out”, so that no particular value is chosen with more than negligible probability.
Application: Commitment Want to “seal a value in an envelope”, and “open the envelope” later. Commit to a value, reveal it later.
Commitment API (com, key) := commit(msg) match := verify(com, key, msg) To seal msg in envelope: (com, key) := commit(msg) -- then publish com To open envelope: publish key, msg anyone can use verify() to check validity
Commitment API (com, key) := commit(msg) match := verify(com, key, msg) Security properties: Hiding: Given com, infeasible to find msg. Binding: Infeasible to find msg != msg’ such that verify(commit(msg), msg’) == true
Commitment API commit(msg) := ( H(key | msg), H(key) ) where key is a random 256-bit value verify(com, key, msg) := ( H(key | msg) == com ) Security properties: Hiding: Given H(key | msg), infeasible to find msg. Binding: Infeasible to find msg != msg’ such that H(key | msg) == H(key | msg’)
Hash property 3: Puzzle-friendly Puzzle-friendly: For every possible output value y, if k is chosen from a distribution with high min-entropy, then it is infeasible to find x such that H(k | x) = y.
Application: Search puzzle Given a “puzzle ID” id (from high min-entropy distrib.), and a target set Y: Try to find a “solution” x such that H(id | x) ∈ Y. Puzzle-friendly property implies that no solving strategy is much better than trying random values of x.
SHA-256 hash function 256 bits 256 bits 512 bits Theorem: If c is collision-free, then SHA-256 is collision-free. Padding (10* | length) IV Message (block 1) Message (block 2) Message (block n) Hash c c c
Lecture 1.2: Hash Pointers and Data Structures
hash pointer is: * pointer to where some info is stored, and * (cryptographic) hash of the info if we have a hash pointer, we can * ask to get the info back, and * verify that it hasn’t changed
(data) H( ) will draw hash pointers like this
key idea: build data structures with hash pointers
linked list with hash pointers = “block chain” data prev: H( ) data prev: H( ) data prev: H( ) H( ) use case: tamper-evident log
detecting tampering data prev: H( ) data prev: H( ) data prev: H( ) H( ) use case: tamper-evident log
binary tree with hash pointers = “Merkle tree” H( ) H( ) H( ) H( ) H( ) H( ) H( ) H( ) H( ) H( ) H( ) H( ) H( ) H( ) (data) (data) (data) (data) (data) (data) (data) (data)
proving membership in a Merkle tree H( ) H( ) H( ) H( ) H( ) H( ) (data) show O(log n) items
Advantages of Merkle trees Tree holds many items but just need to remember the root hash Can verify membership in O(log n) time/space Variant: sorted Merkle tree can verify non-membership in O(log n) (show items before, after the missing one)
More generally ... can use hash pointers in any pointer-based data structure that has no cycles
Lecture 1.3: Digital Signatures
What we want from signatures Only you can sign, but anyone can verify Signature is tied to a particular document can’t be cut-and-pasted to another doc
API for digital signatures (sk, pk) := generateKeys(keysize) sk: secret signing key pk: public verification key sig := sign(sk, message) isValid := verify(pk, message, sig) can be randomized algorithms
Requirements for signatures “valid signatures verify” verify(pk, message, sign(sk, message)) == true “can’t forge signatures” adversary who: knows pk gets to see signatures on messages of his choice can’t produce a verifiable signature on another message
challenger attacker (sk, pk) m0 sign(sk, m0) m1 sign(sk, m1) . . . M, sig M not in { m0, m1, … } verify(pk, M, sig) if true, attacker wins
Practical stuff... algorithms are randomized need good source of randomness limit on message size fix: use Hash(message) rather than message fun trick: sign a hash pointer signature “covers” the whole structure
Bitcoin uses ECDSA standard Elliptic Curve Digital Signature Algorithm relies on hairy math will skip the details here --- look it up if you care good randomness is essential foul this up in generateKeys() or sign() ? probably leaked your private key
Lecture 1.4: Public Keys as Identities
Useful trick: public key == an identity if you see sig such that verify(pk, msg, sig)==true, think of it as pk says, “[msg]”. to “speak for” pk, you must know matching secret key sk
How to make a new identity create a new, random key-pair (sk, pk) pk is the public “name” you can use [usually better to use Hash(pk)] sk lets you “speak for” the identity you control the identity, because only you know sk if pk “looks random”, nobody needs to know who you are
Decentralized identity management anybody can make a new identity at any time make as many as you want! no central point of coordination These identities are called “addresses” in Bitcoin.
Privacy Addresses not directly connected to real-world identity. But observer can link together an address’s activity over time, make inferences. Later: a whole lecture on privacy in Bitcoin ...
Lecture 1.5: Simple Cryptocurrencies
GoofyCoin
Goofy can create new coins CreateCoin [uniqueCoinID] signed by pkGoofy New coins belong to me.
A coin’s owner can spend it. CreateCoin [uniqueCoinID] signed by pkGoofy Pay to pkAlice : H( ) signed by pkGoofy Alice owns it now.
The recipient can pass on the coin again. CreateCoin [uniqueCoinID] signed by pkGoofy Pay to pkAlice : H( ) signed by pkGoofy Pay to pkBob : H( ) signed by pkAlice Bob owns it now.
CreateCoin [uniqueCoinID] signed by pkGoofy Pay to pkAlice : H( ) signed by pkGoofy Pay to pkBob : H( ) signed by pkAlice Pay to pkChuck : H( ) signed by pkAlice double-spending attack
double-spending attack the main design challenge in digital currency
ScroogeCoin
trans prev: H( ) trans prev: H( ) trans prev: H( ) H( ) transID: 73 transID: 72 transID: 71 Scrooge publishes a history of all transactions (a block chain, signed by Scrooge) optimization: put multiple transactions in the same block
transID: 73 type:CreateCoins CreateCoins transaction creates new coins coins created num value recipient 0 3.2 0x... 1 1.4 0x... 2 7.1 0x... coinID 73(0) coinID 73(1) coinID 73(2) Valid, because I said so.
transID: 73 type:PayCoins PayCoins transaction consumes (and destroys) some coins, and creates new coins of the same total value coins created num value recipient 0 3.2 0x... 1 1.4 0x... 2 7.1 0x... consumed coinIDs: 68(1), 42(0), 72(3) signatures Valid if: -- consumed coins valid, -- not already consumed, -- total value out = total value in, and -- signed by owners of all consumed coins
Immutable coins Coins can’t be transferred, subdivided, or combined. But: you can get the same effect by using transactions to subdivide: create new trans consume your coin pay out two new coins to yourself
Don’t worry, I’m honest. Crucial question: Can we descroogify the currency, and operate without any central, trusted party?

Recommended

Bitcoin MOOC Lecture 2.pptx
Bitcoin MOOC Lecture 2.pptxBitcoin MOOC Lecture 2.pptx
Bitcoin MOOC Lecture 2.pptx
Oluseyi Akindeinde
 
Blockchain 101 presentation by fstream.io
Blockchain 101 presentation by fstream.ioBlockchain 101 presentation by fstream.io
Blockchain 101 presentation by fstream.io
Baiju Devani
 
Diffie_Hellman-Merkle Key Exchange
Diffie_Hellman-Merkle Key ExchangeDiffie_Hellman-Merkle Key Exchange
Diffie_Hellman-Merkle Key Exchange
Kevin OBrien
 
Bitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & WalletsBitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & Wallets
Christopher Allen
 
How Hashing Algorithms Work
How Hashing Algorithms WorkHow Hashing Algorithms Work
How Hashing Algorithms Work
CheapSSLsecurity
 
Data Encryption Standard
Data Encryption StandardData Encryption Standard
Data Encryption Standard
Adri Jovin
 
Blockchain
BlockchainBlockchain
Blockchain
Frank Schwab
 
Bitcoin and the future of cryptocurrency
Bitcoin and the future of cryptocurrencyBitcoin and the future of cryptocurrency
Bitcoin and the future of cryptocurrency
Ben Hall
 

Recommended

Bitcoin MOOC Lecture 2.pptx
Bitcoin MOOC Lecture 2.pptxBitcoin MOOC Lecture 2.pptx
Bitcoin MOOC Lecture 2.pptx
Oluseyi Akindeinde
 
Blockchain 101 presentation by fstream.io
Blockchain 101 presentation by fstream.ioBlockchain 101 presentation by fstream.io
Blockchain 101 presentation by fstream.io
Baiju Devani
 
Diffie_Hellman-Merkle Key Exchange
Diffie_Hellman-Merkle Key ExchangeDiffie_Hellman-Merkle Key Exchange
Diffie_Hellman-Merkle Key Exchange
Kevin OBrien
 
Bitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & WalletsBitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & Wallets
Christopher Allen
 
How Hashing Algorithms Work
How Hashing Algorithms WorkHow Hashing Algorithms Work
How Hashing Algorithms Work
CheapSSLsecurity
 
Data Encryption Standard
Data Encryption StandardData Encryption Standard
Data Encryption Standard
Adri Jovin
 
Blockchain
BlockchainBlockchain
Blockchain
Frank Schwab
 
Bitcoin and the future of cryptocurrency
Bitcoin and the future of cryptocurrencyBitcoin and the future of cryptocurrency
Bitcoin and the future of cryptocurrency
Ben Hall
 
WIlfried K. AGBO- Exposé sur la Cryptographie
WIlfried K. AGBO- Exposé sur la CryptographieWIlfried K. AGBO- Exposé sur la Cryptographie
WIlfried K. AGBO- Exposé sur la Cryptographie
Wilfreid AGBO
 
Cryptographie
CryptographieCryptographie
CryptographieSeifallah Jardak
 
Advanced task management with Celery
Advanced task management with CeleryAdvanced task management with Celery
Advanced task management with Celery
Mahendra M
 
A Brief History of Cryptography
A Brief History of CryptographyA Brief History of Cryptography
A Brief History of Cryptography
guest9006ab
 
(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh
morisson
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
n|u - The Open Security Community
 
Analyzing Bitcoin Security
Analyzing Bitcoin SecurityAnalyzing Bitcoin Security
Analyzing Bitcoin Security
Philippe Camacho, Ph.D.
 
Eternal blue Vulnerability
Eternal blue VulnerabilityEternal blue Vulnerability
Eternal blue Vulnerability
kandelrc
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
Alex Schoof
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
Shiu-Fun Poon
 
Information and data security cryptographic hash functions
Information and data security cryptographic hash functionsInformation and data security cryptographic hash functions
Information and data security cryptographic hash functions
Mazin Alwaaly
 
RSA Signature Verification
RSA Signature VerificationRSA Signature Verification
RSA Signature Verification
GeorgeCallow
 
Cryptography Key Management.pptx
Cryptography Key Management.pptxCryptography Key Management.pptx
Cryptography Key Management.pptx
SurendraBasnet6
 
Cryptography for Smalltalkers 2 - ESUG 2006
Cryptography for Smalltalkers 2 - ESUG 2006Cryptography for Smalltalkers 2 - ESUG 2006
Cryptography for Smalltalkers 2 - ESUG 2006
Martin Kobetic
 
CS283_hash.ppt
CS283_hash.pptCS283_hash.ppt
CS283_hash.ppt
vicepy
 
Hash functions, digital signatures and hmac
Hash functions, digital signatures and hmacHash functions, digital signatures and hmac
Hash functions, digital signatures and hmac
ssuserec53e73
 
6.hash mac
6.hash mac6.hash mac
6.hash mac
Virendrakumar Dhotre
 
introduction to cryptography
introduction to cryptographyintroduction to cryptography
introduction to cryptography
Priyamvada Singh
 
Bitcoin’s blockchain - from hashes to Escrow and beyond
Bitcoin’s blockchain - from hashes to Escrow and beyondBitcoin’s blockchain - from hashes to Escrow and beyond
Bitcoin’s blockchain - from hashes to Escrow and beyond
Grzegorz Gawron
 
How does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen OomsHow does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen Ooms
Ajay Ohri
 
crypto1.ppt
crypto1.pptcrypto1.ppt
crypto1.ppt
tommychauhan
 

More Related Content

What's hot

WIlfried K. AGBO- Exposé sur la Cryptographie
WIlfried K. AGBO- Exposé sur la CryptographieWIlfried K. AGBO- Exposé sur la Cryptographie
WIlfried K. AGBO- Exposé sur la Cryptographie
Wilfreid AGBO
 
Advanced task management with Celery
Advanced task management with CeleryAdvanced task management with Celery
Advanced task management with Celery
Mahendra M
 
A Brief History of Cryptography
A Brief History of CryptographyA Brief History of Cryptography
A Brief History of Cryptography
guest9006ab
 
(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh
morisson
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
n|u - The Open Security Community
 
Analyzing Bitcoin Security
Analyzing Bitcoin SecurityAnalyzing Bitcoin Security
Analyzing Bitcoin Security
Philippe Camacho, Ph.D.
 
Eternal blue Vulnerability
Eternal blue VulnerabilityEternal blue Vulnerability
Eternal blue Vulnerability
kandelrc
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
Alex Schoof
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
Shiu-Fun Poon
 
Information and data security cryptographic hash functions
Information and data security cryptographic hash functionsInformation and data security cryptographic hash functions
Information and data security cryptographic hash functions
Mazin Alwaaly
 
RSA Signature Verification
RSA Signature VerificationRSA Signature Verification
RSA Signature Verification
GeorgeCallow
 

What's hot (13)

WIlfried K. AGBO- Exposé sur la Cryptographie
WIlfried K. AGBO- Exposé sur la CryptographieWIlfried K. AGBO- Exposé sur la Cryptographie
WIlfried K. AGBO- Exposé sur la Cryptographie
 
Cryptographie
CryptographieCryptographie
Cryptographie
 
Advanced task management with Celery
Advanced task management with CeleryAdvanced task management with Celery
Advanced task management with Celery
 
A Brief History of Cryptography
A Brief History of CryptographyA Brief History of Cryptography
A Brief History of Cryptography
 
(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
Analyzing Bitcoin Security
Analyzing Bitcoin SecurityAnalyzing Bitcoin Security
Analyzing Bitcoin Security
 
Eternal blue Vulnerability
Eternal blue VulnerabilityEternal blue Vulnerability
Eternal blue Vulnerability
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
 
Information and data security cryptographic hash functions
Information and data security cryptographic hash functionsInformation and data security cryptographic hash functions
Information and data security cryptographic hash functions
 
RSA Signature Verification
RSA Signature VerificationRSA Signature Verification
RSA Signature Verification
 

Similar to Bitcoin MOOC Lecture 1.pptx

Cryptography Key Management.pptx
Cryptography Key Management.pptxCryptography Key Management.pptx
Cryptography Key Management.pptx
SurendraBasnet6
 
Cryptography for Smalltalkers 2 - ESUG 2006
Cryptography for Smalltalkers 2 - ESUG 2006Cryptography for Smalltalkers 2 - ESUG 2006
Cryptography for Smalltalkers 2 - ESUG 2006
Martin Kobetic
 
CS283_hash.ppt
CS283_hash.pptCS283_hash.ppt
CS283_hash.ppt
vicepy
 
Hash functions, digital signatures and hmac
Hash functions, digital signatures and hmacHash functions, digital signatures and hmac
Hash functions, digital signatures and hmac
ssuserec53e73
 
6.hash mac
6.hash mac6.hash mac
6.hash mac
Virendrakumar Dhotre
 
introduction to cryptography
introduction to cryptographyintroduction to cryptography
introduction to cryptography
Priyamvada Singh
 
Bitcoin’s blockchain - from hashes to Escrow and beyond
Bitcoin’s blockchain - from hashes to Escrow and beyondBitcoin’s blockchain - from hashes to Escrow and beyond
Bitcoin’s blockchain - from hashes to Escrow and beyond
Grzegorz Gawron
 
How does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen OomsHow does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen Ooms
Ajay Ohri
 
crypto1.ppt
crypto1.pptcrypto1.ppt
crypto1.ppt
tommychauhan
 
crypto.ppt
crypto.pptcrypto.ppt
crypto.ppt
Ganesh Chavan
 
needed.ppt
needed.pptneeded.ppt
needed.ppt
faizalkhan673954
 
introduction to cryptography (basics of it)
introduction to cryptography (basics of it)introduction to cryptography (basics of it)
introduction to cryptography (basics of it)
neonaveen
 
1329 n 9460
1329 n 94601329 n 9460
1329 n 9460
kicknit123
 
El Passo - Privacy-preserving single sign on
El Passo - Privacy-preserving single sign onEl Passo - Privacy-preserving single sign on
El Passo - Privacy-preserving single sign on
Frank Denis
 
Bitcoin cryptosecurity
Bitcoin cryptosecurityBitcoin cryptosecurity
Bitcoin cryptosecurity
Navneet kumar
 
Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003
Martin Kobetic
 
Message Authentication using Message Digests and the MD5 Algorithm
Message Authentication using Message Digests and the MD5 AlgorithmMessage Authentication using Message Digests and the MD5 Algorithm
Message Authentication using Message Digests and the MD5 Algorithm
Ajay Karri
 
Hash Techniques in Cryptography
Hash Techniques in CryptographyHash Techniques in Cryptography
Hash Techniques in Cryptography
Basudev Saha
 
Ethereum: From there to here, and ownards yonder
Ethereum: From there to here, and ownards yonderEthereum: From there to here, and ownards yonder
Ethereum: From there to here, and ownards yonder
gavofyork
 
Itt project
Itt projectItt project
Itt project
Harish Kumar
 

Similar to Bitcoin MOOC Lecture 1.pptx (20)

Cryptography Key Management.pptx
Cryptography Key Management.pptxCryptography Key Management.pptx
Cryptography Key Management.pptx
 
Cryptography for Smalltalkers 2 - ESUG 2006
Cryptography for Smalltalkers 2 - ESUG 2006Cryptography for Smalltalkers 2 - ESUG 2006
Cryptography for Smalltalkers 2 - ESUG 2006
 
CS283_hash.ppt
CS283_hash.pptCS283_hash.ppt
CS283_hash.ppt
 
Hash functions, digital signatures and hmac
Hash functions, digital signatures and hmacHash functions, digital signatures and hmac
Hash functions, digital signatures and hmac
 
6.hash mac
6.hash mac6.hash mac
6.hash mac
 
introduction to cryptography
introduction to cryptographyintroduction to cryptography
introduction to cryptography
 
Bitcoin’s blockchain - from hashes to Escrow and beyond
Bitcoin’s blockchain - from hashes to Escrow and beyondBitcoin’s blockchain - from hashes to Escrow and beyond
Bitcoin’s blockchain - from hashes to Escrow and beyond
 
How does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen OomsHow does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen Ooms
 
crypto1.ppt
crypto1.pptcrypto1.ppt
crypto1.ppt
 
crypto.ppt
crypto.pptcrypto.ppt
crypto.ppt
 
needed.ppt
needed.pptneeded.ppt
needed.ppt
 
introduction to cryptography (basics of it)
introduction to cryptography (basics of it)introduction to cryptography (basics of it)
introduction to cryptography (basics of it)
 
1329 n 9460
1329 n 94601329 n 9460
1329 n 9460
 
El Passo - Privacy-preserving single sign on
El Passo - Privacy-preserving single sign onEl Passo - Privacy-preserving single sign on
El Passo - Privacy-preserving single sign on
 
Bitcoin cryptosecurity
Bitcoin cryptosecurityBitcoin cryptosecurity
Bitcoin cryptosecurity
 
Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSL in Smalltalk - StS 2003
 
Message Authentication using Message Digests and the MD5 Algorithm
Message Authentication using Message Digests and the MD5 AlgorithmMessage Authentication using Message Digests and the MD5 Algorithm
Message Authentication using Message Digests and the MD5 Algorithm
 
Hash Techniques in Cryptography
Hash Techniques in CryptographyHash Techniques in Cryptography
Hash Techniques in Cryptography
 
Ethereum: From there to here, and ownards yonder
Ethereum: From there to here, and ownards yonderEthereum: From there to here, and ownards yonder
Ethereum: From there to here, and ownards yonder
 
Itt project
Itt projectItt project
Itt project
 

Recently uploaded

A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
Jean Carlos Nunes Paixão
 
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
PECB
 
Assessment and Planning in Educational technology.pptx
Assessment and Planning in Educational technology.pptxAssessment and Planning in Educational technology.pptx
Assessment and Planning in Educational technology.pptx
Kavitha Krishnan
 
Top five deadliest dog breeds in America
Top five deadliest dog breeds in AmericaTop five deadliest dog breeds in America
Top five deadliest dog breeds in America
Bisnar Chase Personal Injury Attorneys
 
How to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold MethodHow to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold Method
Celine George
 
Main Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docxMain Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docx
adhitya5119
 
PCOS corelations and management through Ayurveda.
PCOS corelations and management through Ayurveda.PCOS corelations and management through Ayurveda.
PCOS corelations and management through Ayurveda.
Dr. Shivangi Singh Parihar
 
Hindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdfHindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdf
Dr. Mulla Adam Ali
 
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptxC1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
mulvey2
 
Liberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdfLiberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdf
WaniBasim
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
History of Stoke Newington
 
World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024
ak6969907
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
Priyankaranawat4
 
clinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdfclinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdf
Priyankaranawat4
 
PIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf IslamabadPIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf Islamabad
AyyanKhan40
 
Smart-Money for SMC traders good time and ICT
Smart-Money for SMC traders good time and ICTSmart-Money for SMC traders good time and ICT
Smart-Money for SMC traders good time and ICT
simonomuemu
 
Digital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental DesignDigital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental Design
amberjdewit93
 
Digital Artifact 1 - 10VCD Environments Unit
Digital Artifact 1 - 10VCD Environments UnitDigital Artifact 1 - 10VCD Environments Unit
Digital Artifact 1 - 10VCD Environments Unit
chanes7
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
thanhdowork
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
Jean Carlos Nunes Paixão
 

Recently uploaded (20)

A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
 
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
 
Assessment and Planning in Educational technology.pptx
Assessment and Planning in Educational technology.pptxAssessment and Planning in Educational technology.pptx
Assessment and Planning in Educational technology.pptx
 
Top five deadliest dog breeds in America
Top five deadliest dog breeds in AmericaTop five deadliest dog breeds in America
Top five deadliest dog breeds in America
 
How to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold MethodHow to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold Method
 
Main Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docxMain Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docx
 
PCOS corelations and management through Ayurveda.
PCOS corelations and management through Ayurveda.PCOS corelations and management through Ayurveda.
PCOS corelations and management through Ayurveda.
 
Hindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdfHindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdf
 
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptxC1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
 
Liberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdfLiberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdf
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
 
World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
 
clinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdfclinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdf
 
PIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf IslamabadPIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf Islamabad
 
Smart-Money for SMC traders good time and ICT
Smart-Money for SMC traders good time and ICTSmart-Money for SMC traders good time and ICT
Smart-Money for SMC traders good time and ICT
 
Digital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental DesignDigital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental Design
 
Digital Artifact 1 - 10VCD Environments Unit
Digital Artifact 1 - 10VCD Environments UnitDigital Artifact 1 - 10VCD Environments Unit
Digital Artifact 1 - 10VCD Environments Unit
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
 

Bitcoin MOOC Lecture 1.pptx

  • 1. Lecture 1 Intro to Crypto and Cryptocurrencies
  • 2. Welcome Joseph Bonneau Ed Felten Arvind Narayanan special guest: Andrew Miller
  • 3. This lecture Crypto background hash functions digital signatures … and applications Intro to cryptocurrencies basic digital cash
  • 5. Hash function: takes any string as input fixed-size output (we’ll use 256 bits) efficiently computable Security properties: collision-free hiding puzzle-friendly
  • 6. Hash property 1: Collision-free Nobody can find x and y such that x != y and H(x)=H(y) x y H(x) = H(y)
  • 7. Collisions do exist ... possible inputs possible outputs … but can anyone find them?
  • 8. How to find a collision try 2130 randomly chosen inputs 99.8% chance that two of them will collide This works no matter what H is … … but it takes too long to matter
  • 9. Is there a faster way to find collisions? For some possible H’s, yes. For others, we don’t know of one. No H has been proven collision-free.
  • 10. Application: Hash as message digest If we know H(x) = H(y), it’s safe to assume that x = y. To recognize a file that we saw before, just remember its hash. Useful because the hash is small.
  • 11. Hash property 2: Hiding We want something like this: Given H(x), it is infeasible to find x. H(“heads”) H(“tails”) easy to find x!
  • 12. Hash property 2: Hiding Hiding property: If r is chosen from a probability distribution that has high min-entropy, then given H(r | x), it is infeasible to find x. High min-entropy means that the distribution is “very spread out”, so that no particular value is chosen with more than negligible probability.
  • 13. Application: Commitment Want to “seal a value in an envelope”, and “open the envelope” later. Commit to a value, reveal it later.
  • 14. Commitment API (com, key) := commit(msg) match := verify(com, key, msg) To seal msg in envelope: (com, key) := commit(msg) -- then publish com To open envelope: publish key, msg anyone can use verify() to check validity
  • 15. Commitment API (com, key) := commit(msg) match := verify(com, key, msg) Security properties: Hiding: Given com, infeasible to find msg. Binding: Infeasible to find msg != msg’ such that verify(commit(msg), msg’) == true
  • 16. Commitment API commit(msg) := ( H(key | msg), H(key) ) where key is a random 256-bit value verify(com, key, msg) := ( H(key | msg) == com ) Security properties: Hiding: Given H(key | msg), infeasible to find msg. Binding: Infeasible to find msg != msg’ such that H(key | msg) == H(key | msg’)
  • 17. Hash property 3: Puzzle-friendly Puzzle-friendly: For every possible output value y, if k is chosen from a distribution with high min-entropy, then it is infeasible to find x such that H(k | x) = y.
  • 18. Application: Search puzzle Given a “puzzle ID” id (from high min-entropy distrib.), and a target set Y: Try to find a “solution” x such that H(id | x) ∈ Y. Puzzle-friendly property implies that no solving strategy is much better than trying random values of x.
  • 19. SHA-256 hash function 256 bits 256 bits 512 bits Theorem: If c is collision-free, then SHA-256 is collision-free. Padding (10* | length) IV Message (block 1) Message (block 2) Message (block n) Hash c c c
  • 20. Lecture 1.2: Hash Pointers and Data Structures
  • 21. hash pointer is: * pointer to where some info is stored, and * (cryptographic) hash of the info if we have a hash pointer, we can * ask to get the info back, and * verify that it hasn’t changed
  • 22. (data) H( ) will draw hash pointers like this
  • 23. key idea: build data structures with hash pointers
  • 24. linked list with hash pointers = “block chain” data prev: H( ) data prev: H( ) data prev: H( ) H( ) use case: tamper-evident log
  • 25. detecting tampering data prev: H( ) data prev: H( ) data prev: H( ) H( ) use case: tamper-evident log
  • 26. binary tree with hash pointers = “Merkle tree” H( ) H( ) H( ) H( ) H( ) H( ) H( ) H( ) H( ) H( ) H( ) H( ) H( ) H( ) (data) (data) (data) (data) (data) (data) (data) (data)
  • 27. proving membership in a Merkle tree H( ) H( ) H( ) H( ) H( ) H( ) (data) show O(log n) items
  • 28. Advantages of Merkle trees Tree holds many items but just need to remember the root hash Can verify membership in O(log n) time/space Variant: sorted Merkle tree can verify non-membership in O(log n) (show items before, after the missing one)
  • 29. More generally ... can use hash pointers in any pointer-based data structure that has no cycles
  • 31. What we want from signatures Only you can sign, but anyone can verify Signature is tied to a particular document can’t be cut-and-pasted to another doc
  • 32. API for digital signatures (sk, pk) := generateKeys(keysize) sk: secret signing key pk: public verification key sig := sign(sk, message) isValid := verify(pk, message, sig) can be randomized algorithms
  • 33. Requirements for signatures “valid signatures verify” verify(pk, message, sign(sk, message)) == true “can’t forge signatures” adversary who: knows pk gets to see signatures on messages of his choice can’t produce a verifiable signature on another message
  • 34. challenger attacker (sk, pk) m0 sign(sk, m0) m1 sign(sk, m1) . . . M, sig M not in { m0, m1, … } verify(pk, M, sig) if true, attacker wins
  • 35. Practical stuff... algorithms are randomized need good source of randomness limit on message size fix: use Hash(message) rather than message fun trick: sign a hash pointer signature “covers” the whole structure
  • 36. Bitcoin uses ECDSA standard Elliptic Curve Digital Signature Algorithm relies on hairy math will skip the details here --- look it up if you care good randomness is essential foul this up in generateKeys() or sign() ? probably leaked your private key
  • 37. Lecture 1.4: Public Keys as Identities
  • 38. Useful trick: public key == an identity if you see sig such that verify(pk, msg, sig)==true, think of it as pk says, “[msg]”. to “speak for” pk, you must know matching secret key sk
  • 39. How to make a new identity create a new, random key-pair (sk, pk) pk is the public “name” you can use [usually better to use Hash(pk)] sk lets you “speak for” the identity you control the identity, because only you know sk if pk “looks random”, nobody needs to know who you are
  • 40. Decentralized identity management anybody can make a new identity at any time make as many as you want! no central point of coordination These identities are called “addresses” in Bitcoin.
  • 41. Privacy Addresses not directly connected to real-world identity. But observer can link together an address’s activity over time, make inferences. Later: a whole lecture on privacy in Bitcoin ...
  • 44. Goofy can create new coins CreateCoin [uniqueCoinID] signed by pkGoofy New coins belong to me.
  • 45. A coin’s owner can spend it. CreateCoin [uniqueCoinID] signed by pkGoofy Pay to pkAlice : H( ) signed by pkGoofy Alice owns it now.
  • 46. The recipient can pass on the coin again. CreateCoin [uniqueCoinID] signed by pkGoofy Pay to pkAlice : H( ) signed by pkGoofy Pay to pkBob : H( ) signed by pkAlice Bob owns it now.
  • 47. CreateCoin [uniqueCoinID] signed by pkGoofy Pay to pkAlice : H( ) signed by pkGoofy Pay to pkBob : H( ) signed by pkAlice Pay to pkChuck : H( ) signed by pkAlice double-spending attack
  • 48. double-spending attack the main design challenge in digital currency
  • 50. trans prev: H( ) trans prev: H( ) trans prev: H( ) H( ) transID: 73 transID: 72 transID: 71 Scrooge publishes a history of all transactions (a block chain, signed by Scrooge) optimization: put multiple transactions in the same block
  • 51. transID: 73 type:CreateCoins CreateCoins transaction creates new coins coins created num value recipient 0 3.2 0x... 1 1.4 0x... 2 7.1 0x... coinID 73(0) coinID 73(1) coinID 73(2) Valid, because I said so.
  • 52. transID: 73 type:PayCoins PayCoins transaction consumes (and destroys) some coins, and creates new coins of the same total value coins created num value recipient 0 3.2 0x... 1 1.4 0x... 2 7.1 0x... consumed coinIDs: 68(1), 42(0), 72(3) signatures Valid if: -- consumed coins valid, -- not already consumed, -- total value out = total value in, and -- signed by owners of all consumed coins
  • 53. Immutable coins Coins can’t be transferred, subdivided, or combined. But: you can get the same effect by using transactions to subdivide: create new trans consume your coin pay out two new coins to yourself
  • 54. Don’t worry, I’m honest. Crucial question: Can we descroogify the currency, and operate without any central, trusted party?

Editor's Notes

  1. This is going to be kinda mathy. Sorry about that. I’ll do my best to tell you just what you need to know, and approach things intuitively. Those who want all of the formal mathy details will have to do some more reading.