
DigiCash

1,402 views

CryptoCurrency Cafe
Class 5: DigiCash
http://bitcoin-class.org

Published in: Entertainment & Humor

DigiCash

  1. Cryptocurrency Café, UVa cs4501, Spring 2015, David Evans. Class 5: DigiCash
  2. Plan for Today: Hashing; Preventing Double Spending; DigiCash (Untraceable Cash); Distributed Consensus. Project 1 is due Friday (11:59pm). Upcoming office hours: Me: Thursday 4-5pm (Rice 507); Nick: Friday noon-2pm (HackCville)
  3. Price Volatility (chart)
  4. Size of Bitcoin (bar chart, $0-$20B: Apple's profits, last 3 months vs. Bitcoin market cap). Apple's profits (last 3 months) = $18B (revenues = $75B). Value of all Bitcoin at today's price: $3.5B
  5. Size of Bitcoin (bar chart, $0-$20,000B: Apple's profits, last 3 months; Bitcoin market cap; Apple's market cap; US national debt). US National Debt: $18.1T
  6. Using Asymmetric Crypto: Signatures. Bob generates key pair KUB, KRB and publishes KUB; anyone can get KUB from a trusted provider. (Diagram: Message → E with KRB → Signed Message → insecure channel → D with KUB → Verified Message.)
  7. Signing Long Messages. Alice signs m1 = {"I give coin x = KUA, t to address KUB."} with KRA. Bob signs m2 = {"I give coin x = KUA, t, given to me by m1 to address KUC."} with KRB. Asymmetric crypto is expensive: what is the longest m we can sign with 256-bit ECDSA?
  8. Message Digests. (Diagram: Message → H → Message Digest → E with private key → Signed Message; the verifier applies D with the public key and compares against H(Message) → Verified Message.) H is a cryptographic hash function: one-way: given H(x), cannot find preimage x; strong collision-resistant: hard to find a pair x and y where H(x) = H(y)
  9. Hash Functions: Cipher Block Chaining. (Diagram: IV ⊕ P1 → E_K → C1; C1 ⊕ P2 → E_K → C2; ...; C_(n-1) ⊕ Pn → E_K → Cn)
  10. SHA-2: SHA-256, 256-bit output, 64 rounds (best known attacks break preimage resistance for 52 rounds). Image: http://opencores.org/project,sha256core
  11. Cryptographic Hashing in Bitcoin: Transactions: message digests for signatures; Public address: hash of public key; Blockchain
  12. (no transcript text)
  13. Bank IOU Protocol. Alice {KUA, KRA}; High Trust Bank {KUTB, KRTB}. M = "The High Trust Bank owes the holder of this message $100." The bank issues M together with its signature E_KRTB[H(M)] to Alice.
  14. Alice passes M, E_KRTB[H(M)] on to Bob.
  15. In return Bob sends Alice E_KUA[secret curry recipe].
  16. Bob presents M, E_KRTB[H(M)] to the bank for redemption.
  17. Both Alice and Bob can attempt to redeem the IOU (multiple times).
  18. Add Unique Identifiers. Alice {KUA, KRA}; Bear's Turns Bank {KUTB, KRTB}. M = "Bill #51342: Bear's Turns Bank owes the holder of this message $100." Signature: E_KRTB[H(M)]
  19. Add Unique Identifiers. Bill can only be redeemed once. Bank cannot tell if it is Alice or Bob who cheated (first redeemer wins?). Not anonymous; traceable
  20. CRYPTO 1988: David Chaum. Photo: Declan McCullagh (2002)
  21. (no transcript text)
  22. Key Technology: Blind Signatures. Bank's public key: (e, n); bank's private key: d. Normal signatures: Alice selects message m, sends m to bank, bank returns signature S_M = m^d mod n. Blind signatures: Alice selects message m ...
  23. Key Technology: Blind Signatures. Normal signatures: Alice selects message m; S_M = m^d mod n. Blind signatures: Alice selects message m; picks random k in [1, n); sends the bank t = m·k^e mod n. Bank signs: t^d = (m·k^e mod n)^d mod n. Alice computes m^d mod n: (m·k^e)^d mod n = m^d·k^(ed) mod n = m^d·k mod n (since k^(ed) ≡ k mod n); divide by k to get m^d mod n.
  24. Client-Selected Identifiers. Bear's Turns Bank {KUTB, KRTB}. Alice sends the blinded bill M_k, where M = "Bill #51342: Bear's Turns Bank owes the holder of this message $100."; the bank returns E_KRTB[M_k].
  25. Client-Selected Identifiers. The same exchange, but with M = "Bill #51342: Bear's Turns Bank owes the holder of this message $10000000." (the bank signs M_k without seeing M).
  26. Cut-and-Choose. M_1 blinded with k_1, M_2 with k_2, ..., M_256 with k_256, where M_i = "Bill #[r_i]: Bear's Turns Bank owes the holder of this message $100."
  27. Cut-and-Choose. Alice generates N different messages M_i = "Bill #[r_i]: Bear's Turns Bank owes the holder of this message $100." and blinds each with a different k_i. She sends all of them to the bank. The bank randomly selects N-1 of them and challenges Alice to unblind them. If all are okay, the bank (blindly) signs the one unopened message and returns it to Alice.
  28. Cut-and-Choose. Alice generates N different messages and blinds each with a different k; sends all of them to the bank; the bank randomly selects N-1 of them and challenges Alice to unblind; if all are okay, the bank (blindly) signs the one unopened message and returns it to Alice. What is the probability that Alice can cheat without getting caught?
  29. Add Unique Identifiers. Alice {KUA, KRA}; Bear's Turns Bank {KUTB, KRTB}. M = "Bill #51342: Bear's Turns Bank owes the holder of this message $100."; E_KRTB[H(M)]. Bill can only be redeemed once. Bank cannot tell if it is Alice or Bob who cheated (first redeemer wins?). Not anonymous; traceable
  30. Blinded Identifiers. Alice {KUA, KRA}; Bear's Turns Bank {KUTB, KRTB}. M = "Bill #51342: Bear's Turns Bank owes the holder of this message $100."; E_KRTB[H(M)]. Bill can only be redeemed once. Bank cannot tell who cheated (first redeemer wins?). Anonymous and untraceable
  31. Catching Cheaters. (Diagram: M, E_KRTB[H(M)] deposited at Bear's Turns Bank.) Spend a bill once: anonymity preserved. Spend a bill twice: identity revealed
  32. Identity Strings. I = "alice@alice.org". M_i = "Bill #[r_i]: Bear's Turns Bank owes the holder of this message $100." + identity strings: I_1 = (h(I_1L), h(I_1R)), ..., I_n = (h(I_nL), h(I_nR)), where h is a one-way hash function and each I_iL ⊕ I_iR = I
  33. Spending a Bill. Alice presents M, E_KRTB[H(M)] with I = "alice@alice.org" and the identity strings I_1 = (h(I_1L), h(I_1R)), ..., I_n = (h(I_nL), h(I_nR)), where h is a one-way hash function and each I_iL ⊕ I_iR = I. Reveal request: LRRLRLR... (randomly select L or R for each pair). Alice reveals I_1L, I_2R, I_3R, I_4L, ...; the recipient verifies the hashes and accepts the bill
  34. Charge. Next week: The Blockchain. Project 1 is due Friday. Upcoming office hours: Me: Thursday 4-5pm (Rice 507); Nick: Friday noon-2pm (HackCville)
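The RSA blind-signature arithmetic of slides 22-23 and the cut-and-choose withdrawal of slides 26-28, as an added example that is not part of the lecture's own material. It assumes a constructed toy RSA key for the bank (n = 3233, e = 17, d = 2753, far too small for real use) and reuses the "Bear's Turns Bank" bill wording from the slides; because the bank refuses to sign when any opened bill is dishonest, an inflated bill gets through only when it is the one bill left unopened, i.e. with probability 1/N.

```python
import hashlib
import math
import secrets

# Constructed toy RSA key for the bank (p = 61, q = 53): public (e, n), private d.
# Far too small for real use, but every value stays small enough to read.
N, E, D = 3233, 17, 2753
AMOUNT = "$100"

def digest(text):  # m = H(text) reduced into Z_n (toy; real schemes hash to full width)
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % N
def blinding_factor():  # random k in [1, n) that is invertible mod n
    k = secrets.randbelow(N - 1) + 1
    return k if math.gcd(k, N) == 1 else blinding_factor()
def blind(m, k):  # Alice sends t = m * k^e mod n; the bank never sees m
    return (m * pow(k, E, N)) % N
def bank_sign(t):  # bank signs what it receives: t^d = (m k^e)^d = m^d * k mod n
    return pow(t, D, N)
def unblind(signed_t, k):  # Alice divides by k and is left with the plain signature m^d
    return (signed_t * pow(k, -1, N)) % N
def verify(m, sig):  # anyone holding (e, n) checks sig^e mod n == m
    return pow(sig, E, N) == m
def bill_text(serial, amount=AMOUNT):
    return f"Bill #{serial}: Bear's Turns Bank owes the holder of this message {amount}."

def make_bills(n_bills, cheat_at=None):
    """Alice prepares n_bills as (text, k, blinded); the one at cheat_at claims $10000000."""
    bills = []
    for i in range(n_bills):
        text = bill_text(secrets.randbelow(10**6), "$10000000" if i == cheat_at else AMOUNT)
        k = blinding_factor()
        bills.append((text, k, blind(digest(text), k)))
    return bills

def bank_cut_and_choose(bills, keep):
    """Bank opens every bill except index `keep`; each opened bill must re-blind to what
    was submitted and state the agreed amount. Returns None if Alice is caught."""
    for i, (text, k, t) in enumerate(bills):
        if i != keep and (blind(digest(text), k) != t or not text.endswith(AMOUNT + ".")):
            return None
    return bank_sign(bills[keep][2])

def withdraw(bills, keep):
    """Alice's view of the whole exchange: (text, signature) or None if the bank refused."""
    signed = bank_cut_and_choose(bills, keep)
    if signed is None:
        return None
    text, k, _ = bills[keep]
    sig = unblind(signed, k)
    return (text, sig) if verify(digest(text), sig) else None
```

The signature Alice ends up with verifies under the bank's public key exactly like an ordinary RSA signature, yet the bank never saw the serial number it signed.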
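The identity-string construction and double-spend detection of slides 31-33, as an added example (not code from the lecture). It assumes SHA-256 as the one-way hash h, a constructed choice of eight pairs per bill, and the L/R reveal-request format from slide 33; the bank learns I only when two deposits of the same bill answered different requests.

```python
import hashlib
import secrets

IDENTITY = b"alice@alice.org"   # I, as on the slide
N_PAIRS = 8                      # n identity pairs per bill (constructed choice)

def h(data):  # the one-way hash h from the slide
    return hashlib.sha256(data).hexdigest()

def split_identity(identity):
    """One pair: random left half L and right half R = L xor I, so L xor R = I."""
    left = secrets.token_bytes(len(identity))
    right = bytes(a ^ b for a, b in zip(left, identity))
    return left, right

def make_identity_strings(identity=IDENTITY, n=N_PAIRS):
    """Alice keeps the halves; only the hash pairs (h(I_iL), h(I_iR)) go into the bill."""
    halves = [split_identity(identity) for _ in range(n)]
    committed = [(h(l), h(r)) for l, r in halves]
    return halves, committed

def random_request(n=N_PAIRS):  # recipient picks L or R for each pair, e.g. "LRRLRLRL"
    return "".join(secrets.choice("LR") for _ in range(n))

def spend(halves, request):
    """Alice answers a reveal request with exactly one half of every pair."""
    return [l if side == "L" else r for (l, r), side in zip(halves, request)]

def recipient_verify(committed, request, revealed):
    """Recipient checks each revealed half against the hash committed in the bill."""
    return all(h(x) == (hl if side == "L" else hr)
               for x, (hl, hr), side in zip(revealed, committed, request))

def bank_detect_double_spend(deposit_a, deposit_b):
    """Bank compares two deposits (request, revealed) of the same bill. Any pair where
    the requests differ yields both halves, and L xor R recovers I. With a single deposit
    (or two identical requests, probability 2^-n) nothing about I is learned."""
    (req_a, rev_a), (req_b, rev_b) = deposit_a, deposit_b
    for side_a, x_a, side_b, x_b in zip(req_a, rev_a, req_b, rev_b):
        if side_a != side_b:
            return bytes(a ^ b for a, b in zip(x_a, x_b))
    return None
```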
