http://www.bitcoin-class.org University of Virginia Cryptocurrency Cabal cs4501 Fall 2015

1. Class 23:
Before Bitcoin
Cryptocurrency Cabal
cs4501 Fall 2015
David Evans and Samee Zahur
University of Virginia

2. Plan
Projects
Elevator Speeches start Wednesday
In the News:
Graph Isomorphism
Tor Attack
Chaum’s Digicash
(Post-Bitcoin Alternatives)
1

3. Projects
Lots of interesting ideas: check out course site
Elevator Pitches
Up to 2 minutes
Can project something (but must be from URL)
Explain:
- Purpose (what problem are you solving)
- What are you doing
- Why should we care
2
Teams will be pseudo-randomly selected to give project pitches
during class starting Wednesday. Be prepared to do this!

4. Progress Reports
Due: Next Monday (8:29pm)
See course site for details:
1. Link to project website
2. What has changed since preliminary proposal
3. Description of progress
4. Plan to finish project
5. Any questions you have
3

5. Is Graph Isomorphism Hard?
4

6. 5

7. 6Photo: Jeremy Kun

8. Complexity of Graph Isomorphism
7
Best previously known: Laszlo Babai’s (claimed) result:
How close is this to polynomial time?

9. 8

10. Does this matter in practice?
9
Image from Botao Hu
http://amber.botao.hu/works/research/de-anonymizingsocialnetworks

11. Should we be worried?
10

12. Tor, CMU, and
the FBI?
11

13. Operation Onymous (Nov 2014)
12
Shutdown dark markets (including “Silk Road 2.0”)
414 .onion domains seized
17 Arrests
17 Countries involved

14. 13

15. 14

16. 15

17. 16

18. 17

19. 18

20. CRYPTO 1988
David Chaum
Photo: Declan McCullagh (2002)19

21. 20
Communications of the ACM
October 1985

22. 21
Communications of the ACM
October 1985

23. 22
CRYPTO 1988

24. 23
Alice
{KUA, KRA}
High
Trust
Bank
{KUTB, KRTB}
M
M = “The High Trust Bank owes the
holder of this message $100.”
EKRTB
[H(M)]
Bank IOU Protocol

25. 24
Alice
High
Trust
Bank
{KUTB, KRTB}
M
M = “The High Trust Bank owes the
holder of this message $100.”
EKRTB
[H(M)]
Bob

26. 25
Alice
High
Trust
Bank
{KUTB, KRTB}
M
M = “The High Trust Bank owes the
holder of this message $100.”
EKRTB
[H(M)]
Bob
M EKRTB
[H(M)]
EKUA
[secret curry recipe]

27. 26
Alice
High
Trust
Bank
{KUTB, KRTB}
M
M = “The High Trust Bank owes the
holder of this message $100.”
EKRTB
[H(M)]
Bob
M EKRTB
[H(M)]
EKUA
[secret curry recipe]
M EKRTB
[H(M)]

28. 27
Alice
High
Trust
Bank
{KUTB, KRTB}
M
M = “The High Trust Bank owes the
holder of this message $100.”
EKRTB
[H(M)]
Bob
M EKRTB
[H(M)]
EKUA
[secret curry recipe]
M EKRTB
[H(M)]
Both Alice and Bob can
attempt to redeem the
IOU (multiple times).

29. 28
Alice
{KUA, KRA}
Bear’s
Turns
Bank
{KUTB, KRTB}
M
M = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB
[H(M)]
Add Unique Identifiers

30. 29
Alice
{KUA, KRA}
Bear’s
Turns
Bank
{KUTB, KRTB}
M
M = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB
[H(M)]
Add Unique Identifiers
Bill can only be
redeemed once.
Bank cannot tell if it is Alice
or Bob who cheated (first
redeemer wins?)
Not anonymous; tracable

31. Untraceable Cash
30
Can we make untraceable
digital banknotes that can
only be spent once?

32. Key Technology: Blind Signatures
31
Normal RSA Signatures:
Alice selects message m
Sends m to bank
Bank returns signature:
SM = md mod n
Goal: Blind Signatures:
Alice selects message m
Alice obtains SM
Bank doesn’t learn m
Bank’s public key: (e, n)
Bank’s private key: d

33. Key Technology: Blind Signatures
32
Normal Signatures:
Alice selects message m
SM = md mod n
Blind Signatures:
Alice selects message m
Picks random k in [1, n)
Sends bank t = mke mod n
Bank signs:
td = (mke mod n)d mod n
Alice computes md mod n:
= (mke)d mod n  mdked mod n
divide by k = md mod n
Bank’s public key: (e, n)
Bank’s private key: d

34. 33
Bear’s
Turns
Bank
{KUTB, KRTB}
Mk
M = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB
[Mk]
Client-Selected Identifiers

35. 34
Bear’s
Turns
Bank
{KUTB, KRTB}
Mk
M = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $10000000.”
EKRTB
[Mk]
Client-Selected Identifiers

36. Cut-and-Choose
35
M1
k1
M2
k2
M256
k256
…
Mi = “Bill #[ri] : Bear’s Turns Bank owes the
holder of this message $100.”

37. Cut-and-Choose
36
M1
k1
M2
k2
M256
k256
…
Mi = “Bill #[ri] : Bear’s Turns Bank owes the
holder of this message $100.”
Alice generate N different messages, and blinds each
with different k. Sends all of them to Bank.
Bank randomly selects N-1 of them, and challenges
Alice to unblind.
If all are okay, Bank (blindly) signs the one un-opened
message, and returns it to Alice.

38. Cut-and-Choose
37
M1
k1
M2
k2
M256
k256
…
Alice generate N different messages, and blinds each
with different k. Sends all of them to Bank.
Bank randomly selects N-1 of them, and challenges
Alice to unblind.
If all are okay, Bank (blindly) signs the one un-opened
message, and returns it to Alice.
What is probability Alice can cheat without getting caught?

39. 38
Alice
{KUA, KRA}
Bear’s
Turns
Bank
{KUTB, KRTB}
M
M = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB
[H(M)]
Add Unique Identifiers
Bill can only be
redeemed once.
Bank cannot tell if it is Alice
or Bob who cheated (first
redeemer wins?)
Not anonymous; tracable

40. 39
Alice
{KUA, KRA}
Bear’s
Turns
Bank
{KUTB, KRTB}
M
M = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB
[H(M)]
Blinded Identifiers
Bill can only be
redeemed once.
Bank cannot tell who cheated
(first redeemer wins?)
Anonymous and untraceable

41. Catching Cheaters
40
M EKRTB
[H(M)] M EKRTB
[H(M)]
Bear’s
Turns
Bank
Spend a bill once: anonymity preserved
M EKRTB
[H(M)]
Spend a bill twice: identity revealed

42. Identity Strings
41
M1
k1
M2
k2
M256
k256
…
I = “alice@alice.org”
Mi = “Bill #[ri] : Bear’s Turns Bank owes the
holder of this message $100.”
+ identity strings:
I1 = (h(I1L), h(I1R))
...
In = (h(InL), h(InR))
where h is a one-way hash function and
each IiL  IiR = I

43. Spending a Bill
42
M EKRTB
[H(M)]
I = “alice@alice.org”
Mi = “Bill #[ri] : Bear’s Turns Bank owes the
holder of this message $100.”
+ identity strings:
I1 = (h(I1L), h(I1R))
...
In = (h(InL), h(InR))
where h is a one-way hash function and
each IiL  IiR = I
Reveal request: LRRLRLR…
(randomly select L or R for each pair)
I1L, I2R,I3R, I4L,… verifies hashes,
accepts bill

44. 43
How well does this
scheme work as a
currency?

45. Rise of DigiCash
44
David Chaum

46. Collapse
45
Bankrupt, 1998

47. Charge
Be ready for project elevator pitches starting
Wednesday!
46