Virtual Currency Myth and Reality (Ver. 3.0 (182 pages) : Extended Version of Seoul National Univ. China AMP Seminar, Jan 24, 2018) @ NAVER Corp., Feb 21, 2018
Slide 1. Korea University Graduate School of Information Security
Virtual Currency: Myth and Reality (Ver. 3.0: Extended Version of Seoul National Univ. CHAMP Seminar, Jan 24, 2018)
(Feb 21, 2018)
Slide 2. Security Analysis and Evaluation Lab
Prof. Seungjoo Kim (skim71@korea.ac.kr)
Room 306, Robot Convergence Building
Research Areas:
- Security Engineering: (1) Threat-Risk Modeling (2) Provably Secure Design (3) Automated Verification of Security Implementations (4) (Structured) Penetration Testing (5) Secure Over-The-Air Software Updates
- Security Evaluation & Certification (including CMVP, CC, C&A, SSE-CMM)
- SDL (Security Development Lifecycle)
Security Analysis aNd Evaluation Lab
www.KimLab.net / gss.korea.ac.kr
Career:
1990.3~1999.2) Sungkyunkwan University, B.S., M.S. and Ph.D. in Engineering
1998.12~2004.2) KISA, Head of the Cryptographic Technology Team and of CC Evaluation Team 1
2004.3~2011.2) Associate Professor, School of Information and Communication Engineering, Sungkyunkwan University
2011.3~present) Full Professor, Department of Cyber Defense and Graduate School of Information Security, Korea University
Founder of HARU (non-profit) & SECUINSIDE
2017.4~present) Deputy Director, Center for Cyber Weapon Test & Evaluation, Korea University
Former) Visiting Professor, Korea Military Academy
Former) Advisor, National Election Commission DDoS Special Investigation Team
Former) Member, Personal Information Dispute Mediation Committee
Former) Appeared on KBS 'Myeonggyeon Manli' and 'Jang Yeong-sil Show' and on EBS 'Science Documentary Beyond'
Current) Advisory Professor for Information Security, KakaoBank
Current) Member, Information Security Subcommittee, Korea Blockchain Association
- '96: Convertible Group Signatures (AsiaCrypt)
- '97: Proxy Signatures, Revisited (ICICS): cited more than 700 times
* Papers cited more than 100 times: 6
- '06: Excellence Award, National Intelligence Service Cryptography Paper Competition
- '07: Commendation from the Director of the National Intelligence Service for contributions to national cyber security
- '12, '16: Korea University Seoktap Teaching Award
- '13, '17: Smart TV Security (Black Hat USA and Hack In Paris): demonstrated hacking of Samsung and LG Smart TVs (eavesdropping, covert filming) and injection of pirate broadcasts
Major R&D Achievements:
With Samsung Electronics, obtained Korea's first security certification for a multifunction printer (2008)
With LG Electronics, obtained the world's first security certification for a Smart TV (2015)
Slide 3.
Representative Research Results – Smart TV
[1] "Smart TV Security - #1984 in 21st century", SeungJin (beist) Lee et al., CanSecWest 2013 (2013.3)
[2] "Hacking, Surveilling, and Deceiving Victims on Smart TV", SeungJin (beist) Lee et al., Black Hat USA 2013 (2013.7)
[3] "Developing a Protection Profile for Smart TV", Minsu Park et al., International Common Criteria Conference 2014 (2014.9)
[4] "(The First Experimental) Study on Smart TV Forensics", Heesoo Kang et al., Journal of the KIISC, 2014 (in Korean) (2014.10)
[5] (R&D with LG Electronics) TTA-verified security certification for Smart TV from TTA (2015.12)
[6] "Further Analysis on Smart TV Forensics", Minsu Park et al., Journal of Internet Technology (SCI-Indexed Journal), accepted for publication (2016.11)
[7] (R&D with LG Electronics) 'World-first' Common Criteria EAL2 certification for home appliances (Smart TV) (2017.4)
[8] "Are you watching TV now? Is it real?: Hacking of smart TV with 0-day", JongHo Lee et al., Hack in Paris 2017 (2017.6)
[9] "How to Obtain Common Criteria Certification of Smart TV for Home IoT Security and Reliability", Sooyoung Kang et al., Symmetry-Basel (SCI-Indexed Journal) (2017.10)
[10] "LG vs. Samsung Smart TV: Which Is Better for Tracking You?", Sangmin Lee et al., CODE BLUE 2017 (2017.11)
Slide 8.
Contents – Part I –
Virtual Currency
Bitcoin
Blockchain & Fork
Classical Consensus Mechanisms
Blockchain Consensus Mechanism
Soft Fork vs. Hard Fork
Main Challenges with PoW Blockchain
Decentralized
Scalability
Consensus(or Security)
Anonymity & Privacy
Programming Errors
Other Challenges with PoW Blockchain
Slide 9.
Contents – Part II –
Ethereum & Smart Contracts
Ethereum
Smart Contracts
Main Challenges with Smart Contracts
DAO, ICO, and DApp
IOTA & Tangle
IOTA
Tangle(Not a Blockchain!)
Main Challenges with Tangle
Others : Litecoin, Cardano, NEO
What Happens in Korea Now!
Conclusions
Slide 10.
Contents – FAQs –
What is your opinion on the government's 'exchange shutdown'?
Is virtual currency money?
Can blockchain and virtual currency be separated?
What would it take to create a desirable investment environment?
Slide 17.
DigiCash (1988) vs. Bitcoin (2008)
Anonymity
Transferability
Prevention of copying & double-spending (reuse prevention)
Decentralized (distributed processing)
Slide 18.
DigiCash (1988) vs. Bitcoin (2008)
Anonymity
Transferability
Prevention of copying & double-spending (reuse prevention)
Decentralized (distributed processing): by Blockchain
Bitcoin is often called the first cryptocurrency, although prior systems existed and it is more correctly described as 'the first decentralized digital currency'. – Wikipedia –
Slide 19.
DigiCash
(Jannik Dreier et al., "Formal Analysis of E-Cash Protocols", SECRYPT 2015)
[Figure: Client and Seller] 1. Withdrawal → 2. Payment (Client → Seller) → 3. Deposit
4. If a client spends a coin twice (a.k.a. double-spending), his identity is revealed (detected online or offline).
Slide 20.
Bitcoin
[Figure: Client and Seller] 1. Withdrawal → 2. Payment (Client → Seller) → 3. Deposit
4. Double-spending is prevented by the blockchain consensus mechanism.
(Jannik Dreier et al., "Formal Analysis of E-Cash Protocols", SECRYPT 2015)
Slide 21.
“Whereas most technologies tend to automate
workers on the periphery doing menial tasks,
blockchains automate away the center. Instead
of putting the taxi driver out of a job, blockchain
puts Uber out of a job and lets the taxi drivers
work with the customer directly.”
Slide 22.
[Note] Altcoin
Aside from bitcoin, there are hundreds of other digital currencies out there. These are known as "altcoins," or alternatives to bitcoin.
(e.g.) Ether, Ripple, Zcash, Monero and Dash, to name just a few.
However, most altcoins offer no benefit over Bitcoin at all. Plus, they have less hash power securing them.
This means that altcoins are typically riskier than Bitcoin!
Slide 23.
[Note] Altcoin (Source: CoinMarketCap, Note: As of midday Feb 17, 2018)
Slide 24.
Consensus Mechanism
Agreement in the presence of faults: coping with failures in computer systems.
Very well-studied since 1980 in distributed computing, starting with Leslie Lamport et al.
Failures (a.k.a. Byzantine failures) can be non-malicious (due to random SW/HW errors) or malicious (as a result of being attacked and compromised).
Replicated data. But replication is expensive! (consistency, malicious attacks, etc.)
Slide 25.
[Note] Byzantine Generals Problem (1982)
(ACM Transactions on Programming Languages and Systems (TOPLAS), July 1982)
Slide 27.
Classical Consensus Mechanisms
Crash failure model (honest nodes that may fail, but do not deliberately act maliciously):
2PC (Two Phase Commit)
Paxos
Quorum
Chubby: Google File System (GFS), BigTable
Byzantine failure model:
PBFT (Practical Byzantine Fault Tolerance)
XFT (Cross Fault Tolerance)
Honey Badger
Hybster (Hybrids on Steroids: SGX-based high performance BFT)
(Bano et al., "SoK: Consensus in The Age of Blockchains", arXiv 2017)
Slide 28.
Classical Consensus Mechanisms
Classical BFT protocols work well in a centralized setting where nodes are controlled by the same entity or federation (e.g., Google, Naver). However, decentralized networks that rely on volunteer nodes need to provide incentives for participation.
Slide 29.
Blockchain (a.k.a. Distributed Append-Only Ledger)
'Practical' distributed trustless consensus mechanism
Everyone is the bank! That is, every participant keeps a copy of the record which would classically be stored at the central bank.
Type: Public / Consortium / Private
(Nick Szabo, "The God Protocols", 1997)
Slide 31.
Blockchain (a.k.a. Distributed Append-Only Ledger)
(Michele D'Aliessi, "How Does the Blockchain Work? Blockchain Technology Explained in Simple Words", Jun 2, 2016)
[Figure: transaction flow; label "Bitcoin address"]
Slide 35.
Blockchain (a.k.a. Distributed Append-Only Ledger)
Property | Public blockchain | Consortium blockchain | Private blockchain
Consensus determination | All miners | Selected set of nodes | One organization
Read permission | Public | Could be public or restricted | Could be public or restricted
Immutability | Nearly impossible to tamper | Could be tampered | Could be tampered
Efficiency | Low | High | High
Centralized | No | Partial | Yes
Consensus process | Permissionless | Permissioned | Permissioned
(An Overview of Blockchain Technology: Architecture, Consensus, and Future Trends, 2017 IEEE International Congress on Big Data)
Slide 36.
Blockchain Consensus Core Algorithms
Property | Public blockchain | Consortium blockchain | Private blockchain
Consensus determination | All miners | Selected set of nodes | One organization
Read permission | Public | Could be public or restricted | Could be public or restricted
Immutability | Nearly impossible to tamper | Could be tampered | Could be tampered
Efficiency | Low | High | High
Centralized | No | Partial | Yes
Consensus process | Permissionless | Permissioned | Permissioned
Consensus core algorithm | PoW, PoS | DPoS, PBFT, Raft, Ripple, Tendermint (DPoS+PBFT) | DPoS, PBFT, Raft, Ripple, Tendermint (DPoS+PBFT)
※ PoW: Proof of Work / PoS: Proof of Stake / DPoS: Delegated Proof of Stake / PBFT: Practical Byzantine Fault Tolerance
Slide 37.
Blockchain Consensus Core Algorithms
Property | PoW | PoS | PBFT | DPoS | Ripple | Tendermint
Node identity management | open | open | permissioned | open | open | permissioned
Energy saving | no | partial | yes | partial | yes | yes
Tolerated power of adversary | <25% computing power | <51% stake | <33.3% faulty replicas | <51% validators | <20% faulty nodes in UNL (Unique Node List) | <33.3% byzantine voting power
Example | Bitcoin, Ethereum (Ethash) | Peercoin, PPCoin, Nxt, BlackCoin, (Ethereum (Slasher)) | Hyperledger Fabric | Bitshares | Ripple | Tendermint
※ PoUW (Proof of Useful Work): Primecoin, Gridcoin / PoB (Proof of Burn) / PoET (Proof of Elapsed Time)
Slide 38.
First? Not!
Basically the PoW (Proof of Work) demonstrates that a participant has done some work and gets a reward.
Slide 39.
First? Not!
The Bitcoin protocol makes use of PoW to prevent Sybil attacks (a single user pretends to be many fake/sybil identities), and to synchronize the network loosely (i.e., to ensure that a block reaches every corner of the network).
Idea: users solve a moderately hard puzzle. Hard to find a solution, easy to verify.
Slide 40.
First? Not!
[Figure: one user presenting fake IDs A, B and C]
The cumulative computing power from all the miners secures the network against potential attacks from a hacker!
Slide 41.
First? Not! Not new!
C. Dwork and M. Naor, "Pricing via Processing or Combating Junk Mail", CRYPTO 1992: for combating email spam.
A. Back, "Hashcash - A Denial of Service Counter-Measure", TR, August 2002: for limiting Denial-of-Service attacks.
Slide 43.
Proof of Work
[Figure: two chained blocks]
Block 78A…
  prev block: #497…
  hash of transactions:
    txn a78… ‖ signature
    txn ffe… ‖ signature
    txn 111… ‖ signature
    txn 223… ‖ signature
    …
  random nonce (guess): 9758…
Block 087…
  prev block: #78A… (hash output of the previous block)
  hash of transactions:
    txn 839… ‖ signature
    txn a76… ‖ signature
    txn 91c… ‖ signature
    txn 383… ‖ signature
    …
  random nonce (guess): 3004…
The puzzle depends on D leading zero bits of the block hash. When one more zero bit is required, the expected work doubles, because 2^5 = 2^4 × 2.
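As an added example (not part of the original slides), the puzzle above in runnable Python: hash a constructed block header together with a nonce until the digest has D leading zero bits, verify a claimed solution with a single hash, and measure how the average number of attempts doubles with each extra zero bit. The header bytes and the 8-byte nonce encoding are assumptions made for illustration, not Bitcoin's serialization.

```python
import hashlib
import statistics


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def pow_hash(header: bytes, nonce: int) -> bytes:
    # Simplified header || nonce (8-byte big-endian); an assumption, not Bitcoin's layout.
    return hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()


def verify_pow(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Any node checks a claimed solution with one hash: cheap to verify."""
    return leading_zero_bits(pow_hash(header, nonce)) >= difficulty_bits


def mine(header: bytes, difficulty_bits: int):
    """Try nonces from 0 upwards until the digest has `difficulty_bits` leading zeros.
    Returns (nonce, attempts); the expected number of attempts is 2**difficulty_bits."""
    nonce = 0
    while not verify_pow(header, nonce, difficulty_bits):
        nonce += 1
    return nonce, nonce + 1


def average_attempts(difficulty_bits: int, trials: int = 400) -> float:
    """Mean attempts over many constructed headers; each extra zero bit doubles it."""
    samples = []
    for i in range(trials):
        header = b"constructed-header-" + i.to_bytes(4, "big")
        samples.append(mine(header, difficulty_bits)[1])
    return statistics.mean(samples)


if __name__ == "__main__":
    hdr = b"constructed-header-demo"
    for d in (8, 12, 16):
        nonce, attempts = mine(hdr, d)
        print(f"D={d:2d}: nonce={nonce} after {attempts} attempts, "
              f"verified={verify_pow(hdr, nonce, d)}")
    print("avg attempts D=7 :", average_attempts(7))
    print("avg attempts D=8 :", average_attempts(8))   # roughly twice the D=7 figure
```

The asymmetry is the whole point: `mine` is a brute-force search whose cost grows as 2^D, while `verify_pow` is one SHA-256 call, so every node can cheaply check what only a large amount of hashing could have produced.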
Slide 45.
[Note] Bitcoin Block Structure
(Kiran Vaidya, "Bitcoin's Implementation of Blockchain", Dec 7, 2016)
Slide 46.
[Note] Bitcoin Block Structure
Merkle Tree
Patented by Ralph Merkle in 1979
Saves memory: only the root (top) hash is added to the blockchain, and only one's own branch of the tree is relevant.
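An added Python example (not from the slides) of what "only one's own branch is relevant" means in practice: build the Merkle root over constructed transaction hashes with Bitcoin-style double SHA-256 and duplication of the last hash on odd levels, then prove one transaction's inclusion with only the sibling hashes along its branch, checked against the root that sits in the block header.

```python
import hashlib


def sha256d(data: bytes) -> bytes:
    """Bitcoin-style double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _pad(level):
    # Bitcoin duplicates the last hash when a level has an odd number of nodes.
    return level + [level[-1]] if len(level) % 2 == 1 else level


def merkle_levels(leaves):
    """All tree levels bottom-up; levels[-1] holds the single root hash."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        level = _pad(levels[-1])
        levels.append([sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)])
    return levels


def merkle_root(leaves) -> bytes:
    return merkle_levels(leaves)[-1][0]


def merkle_proof(leaves, index):
    """Sibling hashes from leaf `index` up to the root as (hash, sibling_is_right)."""
    proof = []
    for level in merkle_levels(leaves)[:-1]:
        level = _pad(level)
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        index //= 2
    return proof


def verify_proof(leaf: bytes, proof, root: bytes) -> bool:
    """A light client needs only the leaf, its branch and the root from the block header."""
    h = leaf
    for sibling, sibling_is_right in proof:
        h = sha256d(h + sibling) if sibling_is_right else sha256d(sibling + h)
    return h == root


if __name__ == "__main__":
    # constructed transaction hashes standing in for real txids
    txs = [sha256d(b"constructed tx %d" % i) for i in range(5)]
    root = merkle_root(txs)
    proof = merkle_proof(txs, 3)
    print("root:", root.hex())
    print("proof length for 5 txs:", len(proof))                       # 3 sibling hashes
    print("tx 3 included:", verify_proof(txs[3], proof, root))        # True
    print("forged tx included:", verify_proof(sha256d(b"forged"), proof, root))  # False
```

A proof grows with log2 of the transaction count, which is why a wallet that stores only block headers can still check that its own transaction is in a block without downloading the others.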
Slide 47.
Bitcoin Mining Block Reward
To prevent inflation, the block reward halves approximately every 4 years. The initial reward was 50 Bitcoins in 2009, then 25 Bitcoins in 2013, 12.5 Bitcoins in 2016, and it will halve again in the future. With the constant halving, eventually there will only be about 21 million Bitcoins. At around year 2140, all Bitcoins will have been generated.
Block rewards → Transaction fees
(* But, in ACM CCS 2016, Miles Carlsten et al. showed that the stability of bitcoin is NOT guaranteed as mining rewards decline.)
Slide 48.
Soft Fork vs. Hard Fork
(Image: Investopedia)
[Figure: two chain diagrams. Each shows blocks from non-upgraded nodes and blocks from upgraded nodes; the block labels read "Follows Old Rules", "Follows Old & New Rules", "Follows Old Rules But Violates New Rules" and "Follows New Rules".]
A Soft Fork: Blocks violating new rules are made stale by the upgraded mining majority.
A Hard Fork: Non-upgraded nodes reject the new rules, diverging the chain.
Slide 49.
Main Challenges with PoW Blockchain
Bitcoin has worked surprisingly well in practice so far...
Will Bitcoin 'still' work in practice in the future?
Slide 50.
Main Challenges with PoW Blockchain
[Figure: Decentralized / Scale / Consensus]
Slide 51.
Q) Decentralized?
In the initial design stage of Bitcoin, Satoshi Nakamoto hoped that all participants could mine with their CPUs, so that hashing power would match the number of nodes and each node would have the opportunity to participate in the decision-making of the blockchain.
Slide 52.
Q) Decentralized?
However, with the development of technology and the appreciation of Bitcoin, machines specially designed for mining were invented: CPU → GPU → FPGA → ASIC. As a result the hashing power is concentrated in the participants that own large numbers of mining machines. The mining pools are operated centrally or are designed in a P2P way.
Slide 55.
Q) Decentralized?
(Financial Cryptography and Data Security 2018)
Slide 56.
Q) Decentralized? Neither are all that decentralized!
Both Bitcoin and Ethereum mining are very centralized, with the top four miners in Bitcoin and the top three miners in Ethereum controlling more than 50% of the hash rate.
(Financial Cryptography and Data Security 2018)
Slide 57.
[Note] What is a Mining Pool?
Mining pools are groups of cooperating miners who agree to share block rewards in proportion to their contributed mining hash power.
(Jordan Tuwiner, "Bitcoin Mining Pools", July 13, 2017)
Slide 58.
Q) Scalability?
'Decentralization' means that every participating node on the network processes every transaction and maintains a copy of the entire state. Possible?
Bitcoin's security heavily depends on the assumption that the block propagation time << block generation time.
The Bitcoin blockchain can only process about 7 transactions per second (one block per 10 minutes) to ensure that a block reaches every corner of the network. The VISA system can process 1,700 transactions per second.
In fact, the blockchain actually gets weaker as more nodes are added to its network.
(Preethi Kasireddy, "Blockchains Don't Scale. Not Today, at Least. But There's Hope", Aug 23, 2017)
Slide 59.
[Note] Bitcoin vs. P2P File Sharing
The Bitcoin network has aims which differ from those of peer-to-peer file sharing systems. In Bitcoin, the aim is not to find specific files or data items, but to distribute information as fast as possible to reach consensus on the block chain.
(Florian Tschorsch and Björn Scheuermann, "Bitcoin and Beyond: A Technical Survey on Decentralized Digital Currencies", IEEE Communications Surveys & Tutorials (COMST), Mar 2, 2016)
Slide 60.
Q) Scalability?
In a traditional database system, the solution to scalability is to add more servers to handle the added transactions. But in the decentralized blockchain world…
Increasing the block size
SegWit (Segregated Witness)
Off-chain state channels: Lightning Network, Raiden Network
DB Sharding
Plasma
Off-chain computations: TrueBit
Slide 61.
Q) Scalability?
In the experiment, processing 9,301 payment instructions took 2 hours and 33 minutes longer than the existing 9 hours. Recovery from a system failure was also difficult.
Slide 62.
[Note] Increasing Block Size (2017)
("Bitcoin Cash is Bitcoin", Oct 2017, www.bitcoin.com)
[Figure: chain split diagram; label "SegWit Chain"]
Slide 63.
[Note] SegWit (2017)
[Figure] Before SegWit: signatures are an integral part of the chain. With SegWit: signatures are outside of the chain.
(Peter Rizun, "SegWit Coins Are Not Bitcoins", The Future of Bitcoin Conference 2017)
Slide 66.
[Note] Off-Chain State Channels
[Figure: a channel opened via multi-signature or some sort of smart contract]
Slide 67.
Q) Security? – Algorithms
Consensus in asynchronous distributed computing has been known to be unsolvable since 1985.
[Figure: short delay vs. long delay]
Slide 68.
Q) Security? – Algorithms
Blockchain consensus algorithms meet the theoretical fault tolerance under the assumption of a fully synchronous network (i.e. messages are instantly delivered without delays).
Juan Garay, Aggelos Kiayias, and Nikos Leonardos, "The Bitcoin Backbone Protocol: Analysis and Applications", EUROCRYPT 2015.
It remains unclear what guarantees are offered by blockchain consensus algorithms and what the necessary conditions are for these guarantees to be satisfied.
(* The asynchronous setting is even more complex and was analyzed in 2016 under a-priori bounded adversarial delays and the random oracle model)
Slide 69.
Finney attack or Zero-confirmation attack (2011)
Vector 76 or One-confirmation attack (2011)
Block withholding (BWH) attack (2011, 2016)
Time jacking (2011)
Double spending or Race attack (2012)
Brute force attack (2013)
>50% hashpower or Goldfinger (because it will probably destroy the Bitcoin
network) (2013)
Block discarding (2013, 2014) or Selfish mining (2014)
Punitive and Feather forking (2013, 2016)
Transaction malleability (2014, 2015)
Wallet theft (2014)
DDoS (2014)
Eclipse Attack or Netsplit (2015)
Tampering (2015)
Bribery attacks (2016)
Fork after withholding (FAW) attack (2017)
Refund attacks (2017)
Bitcoin Hijacking (2017), etc.
Q) Security? – Algorithms
Slide 70.
Q) Security? – Algorithms
(e.g.) Blockchain is vulnerable even if only a small portion of the hashing power is used to cheat.
Up to now, the top 5 mining pools together own more than 51% of the total hash power in the Bitcoin network. [1]
Apart from that, the selfish mining strategy showed that pools with over 25% of total computing power could get more revenue than their fair share. [2]
[1] "The Biggest Mining Pools," https://bitcoinworldwide.com/mining/pools/
[2] I. Eyal and E. G. Sirer, "Majority Is Not Enough: Bitcoin Mining Is Vulnerable", Financial Cryptography and Data Security 2014.
Slide 71.
[Note] Double Spending Attack
Idea: Since Bitcoin is basically a digital file, it's easier to copy than actual money. This means some people can manipulate their way to paying more than once with the same bitcoin.
Variants: Finney attack / Zero-confirmation attack (2011), Vector 76 / One-confirmation attack (2011), Brute force attack (2013), etc.
If a miner (or mining pool) is able to mine blocks at a faster rate than the rest of the Bitcoin network, the possibility of a successful double spending attack is high.
Slide 72.
[Note] Double Spending Attack
For now, there is NO solution that guarantees complete protection from double spending in Bitcoin.
The most effective way to prevent it is to wait for multiple confirmations (e.g., 6 blocks × 10 minutes) before delivering goods or services.
Not appropriate for fast payment scenarios!
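Where the "6 blocks" rule of thumb comes from, as an added worked example that is not part of the slides: the calculation in Section 11 of the Bitcoin whitepaper, in Python. It gives the probability that an attacker controlling a fraction q of the hash power can still replace the chain after the merchant has seen z confirmations, and the smallest z that brings that risk under a chosen bound.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-power share q eventually overtakes the
    honest chain after the merchant has seen z confirmations (Nakamoto 2008, Sec. 11).
    The honest chain's lead is modelled by a Poisson-distributed attacker progress and
    a gambler's-ruin catch-up; for q >= 0.5 the attacker always wins eventually."""
    if not 0.0 <= q < 0.5:
        raise ValueError("q must be in [0, 0.5)")
    p = 1.0 - q
    lam = z * q / p                       # attacker's expected progress during z honest blocks
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_needed(q: float, max_risk: float) -> int:
    """Smallest confirmation count that keeps the attacker's success probability below max_risk."""
    z = 0
    while attacker_success_probability(q, z) > max_risk:
        z += 1
    return z


if __name__ == "__main__":
    for q in (0.10, 0.30):
        print(f"q={q:.2f}:", " ".join(f"z={z}:{attacker_success_probability(q, z):.4f}"
                                      for z in range(0, 7)))
        print(f"   confirmations for <0.1% risk: {confirmations_needed(q, 0.001)}")
```

For q = 0.1 the risk after 6 confirmations is about 0.02%, which is where the conventional 6-block wait comes from; for a stronger attacker the same risk level needs far more blocks, and the slide's point stands: no finite wait gives a guarantee, only a bound that shrinks with z.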
Slide 73.
[Note] Selfish Mining Attack (2014)
Idea: The attacker mines his blocks privately and releases them at the right time so that honest miners waste their computational power.
Called 'selfish mining' or 'block discarding (or withholding)'.
'Block withholding' is also sometimes used in the context of mining pools: submitting shares but withholding valid blocks.
Slide 74.
[Note] Selfish Mining Attack (2014)
State 0: Only a single public chain.
[Figure: chain diagram]
(Philippe Camacho, "Analyzing Bitcoin Security", Jun 15, 2016)
Slide 75.
[Note] Selfish Mining Attack (2014)
State 1: Adversary manages to mine a block. The block is kept private.
[Figure: chain diagram]
(Philippe Camacho, "Analyzing Bitcoin Security", Jun 15, 2016)
Slide 76.
[Note] Selfish Mining Attack (2014)
State 2: Adversary manages to mine a block. The block is kept private.
[Figure: chain diagram]
(Philippe Camacho, "Analyzing Bitcoin Security", Jun 15, 2016)
Slide 77.
[Note] Selfish Mining Attack (2014)
State 3: Honest miners find a block. In this situation the private chain is published and the honest miners lose their block.
[Figure: chain diagram]
(Philippe Camacho, "Analyzing Bitcoin Security", Jun 15, 2016)
Slide 78.
[Note] Selfish Mining Attack (2014)
State 3: After releasing the private chain, back to state 0.
[Figure: chain diagram; label "New head of the public chain"]
(Philippe Camacho, "Analyzing Bitcoin Security", Jun 15, 2016)
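The 25% figure quoted earlier is the Eyal and Sirer profitability threshold, not a magic number. As an added example, not from the slides, the Python below gives the closed-form relative revenue of a selfish pool from that paper and a small Monte Carlo simulation of the state machine walked through in slides 74-78 (selfish pool share α, fraction γ of honest miners who build on the pool's branch in a tie), so the two can be compared. The output shows where selfish mining starts to beat honest mining, which is the number a network's miner-concentration monitoring should be calibrated against.

```python
import random


def selfish_revenue_share(alpha: float, gamma: float) -> float:
    """Relative revenue of a selfish pool with hash share alpha when a fraction gamma of
    honest miners mine on the pool's branch in a tie (Eyal & Sirer, FC 2014, eq. 8)."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def profitability_threshold(gamma: float) -> float:
    """Pool share above which selfish mining earns more than the fair share alpha."""
    return (1 - gamma) / (3 - 2 * gamma)


def simulate_selfish_mining(alpha: float, gamma: float, blocks: int = 200_000, seed: int = 1) -> float:
    """Monte Carlo run of the state machine: `lead` is the pool's private advantage,
    `tie` is state 0' (two public branches of length one). Returns the pool's revenue share."""
    rng = random.Random(seed)
    pool = honest = 0
    lead, tie = 0, False
    for _ in range(blocks):
        pool_found = rng.random() < alpha
        if tie:
            if pool_found:                 # pool extends its own branch: both its blocks pay
                pool += 2
            elif rng.random() < gamma:     # honest block on the pool's branch
                pool += 1
                honest += 1
            else:                          # honest branch wins, pool's block is orphaned
                honest += 2
            tie = False
        elif pool_found:
            lead += 1                      # keep the new block private
        elif lead == 0:
            honest += 1                    # state 0: honest block simply extends the chain
        elif lead == 1:
            lead, tie = 0, True            # state 1: pool publishes, race begins
        elif lead == 2:
            pool += 2                      # state 2: pool publishes both, orphaning the honest block
            lead = 0
        else:
            pool += 1                      # state n>2: publish one block, lead shrinks by one
            lead -= 1
    return pool / (pool + honest)


if __name__ == "__main__":
    for gamma in (0.0, 0.5, 1.0):
        print(f"gamma={gamma}: selfish mining pays above alpha={profitability_threshold(gamma):.3f}")
    for alpha in (0.2, 0.3, 0.4):
        print(f"alpha={alpha}: closed form {selfish_revenue_share(alpha, 0.5):.4f}, "
              f"simulated {simulate_selfish_mining(alpha, 0.5):.4f}")
```

With γ = 0.5 the threshold is exactly 0.25, the figure on slide 70; with γ = 0 (honest miners never build on the pool's branch in a tie) it rises to 1/3, and with γ = 1 it drops to zero, which is why block propagation behaviour, not just pool size, matters to the risk assessment.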
Slide 79.
[Note] Block Withholding Attack (2011)
☞ Partial PoW (or Share): a nonce making a hash value with d (< D) leading zeros.
(e.g. with D = 4) Partial PoWs: nonces making 0011X, 0010X, 0001X, etc. Full PoWs: nonces making 0000X.
(Shares are paid out by PPS (Pay-Per-Share), PPLNS, etc.)
Slide 80.
[Note] Block Withholding Attack (2011)
Idea: Withholding certain blocks.
Sabotage Attack on Mining Pools: Not submitting correct PoWs at all (but submitting only the dud PoWs) to cause financial harm to the pool or its participants. Purely destructive! (i.e., it doesn't make any financial sense; it just makes everybody lose!)
Lie-in-Wait Attack on Mining Pools: Delay submitting a correct PoW, and use the knowledge of the imminent block to focus one's mining where it is most rewarding. Profitable!
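One defensive check a pool operator can run against the sabotage variant, as an added example that is not part of the slides: since every share with d leading zero bits is a full block with probability 2^-(D-d), a miner's expected block count follows from its share count, and a miner that keeps submitting shares but never a full block becomes statistically implausible. The ledger below is constructed and the thresholds are assumptions.

```python
import math


def expected_full_solutions(shares: int, share_bits: int, full_bits: int) -> float:
    """A share with d leading zero bits meets the D-bit block target with probability 2**-(D-d)."""
    return shares * 2.0 ** -(full_bits - share_bits)


def withholding_suspicion(shares: int, full_blocks: int, share_bits: int, full_bits: int) -> float:
    """P(an honest miner with this many shares submits <= full_blocks blocks), Poisson model.
    A value near zero with full_blocks == 0 is the sabotage signature: work proven, blocks withheld."""
    lam = expected_full_solutions(shares, share_bits, full_bits)
    return sum(math.exp(-lam) * lam ** k / math.factorial(k) for k in range(full_blocks + 1))


def flag_withholders(ledger: dict, share_bits: int, full_bits: int, p_threshold: float = 1e-3) -> list:
    """ledger maps miner -> (shares_accepted, full_blocks_submitted); returns suspicious miners."""
    return sorted(miner for miner, (shares, blocks) in ledger.items()
                  if withholding_suspicion(shares, blocks, share_bits, full_bits) < p_threshold)


# Constructed pool ledger: share target d = 20 bits, block target D = 32 bits,
# so one share in 4096 is expected to be a full block.
SHARE_BITS, FULL_BITS = 20, 32
LEDGER = {
    "miner-A": (409_600, 98),    # ~100 blocks expected, 98 seen: honest
    "miner-B": (40_960, 12),     # ~10 expected, 12 seen: honest
    "miner-C": (122_880, 0),     # ~30 expected, none submitted: sabotage pattern
    "miner-D": (4_096, 0),       # ~1 expected, none: not enough evidence yet
}

if __name__ == "__main__":
    for miner, (shares, blocks) in LEDGER.items():
        print(f"{miner}: expected {expected_full_solutions(shares, SHARE_BITS, FULL_BITS):.1f} blocks, "
              f"saw {blocks}, P(<=seen | honest) = "
              f"{withholding_suspicion(shares, blocks, SHARE_BITS, FULL_BITS):.2e}")
    print("flagged:", flag_withholders(LEDGER, SHARE_BITS, FULL_BITS))   # ['miner-C']
```

Two caveats a practitioner would want: the direct Poisson sum overflows for very large λ, so a big miner's check should use a normal approximation or a log-space sum; and this test only sees the sabotage pattern, since the lie-in-wait variant on the next slides submits its blocks late rather than never and needs timing analysis instead.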
Slide 81.
[Note] Block Withholding Attack (2011)
Sabotage Attack on Mining Pools
[Figure: the dishonest miner submits dud PoWs to the mining pool operator and receives money; a correct PoW is submitted only in an excessively rare case]
Results: The pool loses money. The dishonest miner doesn't earn anything (and also loses a very small amount). Thus 'purely destructive'!
(Stefan Dziembowski, "Mining Pools and Attacks", Workshop on Bitcoin, Introduction to Cryptocurrencies, Jun 6-7, 2016)
Slide 82.
[Note] Block Withholding Attack (2011)
Sabotage Attack on Mining Pools
Adversary's goal: Make the mining pool bankrupt (e.g. he owns a competing pool).
It is rumored that in June 2014 such an attack was executed against the mining pool Eligius. Estimated losses: 300 BTC.
[Figure: the dishonest miner submits dud PoWs to the mining pool operator and receives money; a correct PoW is submitted only in an excessively rare case]
(Stefan Dziembowski, "Mining Pools and Attacks", Workshop on Bitcoin, Introduction to Cryptocurrencies, Jun 6-7, 2016)
Slide 83.
[Note] Block Withholding Attack (2011)
Lie-in-Wait Attack on Mining Pools
Mining for several mining pools and strategically calculating the time to submit his correct blocks.
[Figure: the dishonest miner directs 1/3 of his computing power to each of mining pools P1, P2 and P3]
(Stefan Dziembowski, "Mining Pools and Attacks", Workshop on Bitcoin, Introduction to Cryptocurrencies, Jun 6-7, 2016)
Slide 84.
[Note] Block Withholding Attack (2011)
Lie-in-Wait Attack on Mining Pools
Once he finds a correct PoW for P2 (say):
1. Wait before submitting it.
2. Direct all mining capacity to P2.
3. Submit the solution to P2 after some time.
Intuition: P2 is a very likely winner.
It can be formally shown that this is profitable. (Rosenfeld, 2011)
(Stefan Dziembowski, "Mining Pools and Attacks", Workshop on Bitcoin, Introduction to Cryptocurrencies, Jun 6-7, 2016)
Slide 85.
[Note] The Miner's Dilemma (2015)
If two pools attack each other with the block withholding attack, they arrive at a Nash Equilibrium in which each earns less than they would have if neither of them attacked.
Slide 86.
[Note] Eclipse Attack (2015)
Idea: The attacker surrounds the victim in the P2P network so that it can filter his view of the events.
(E. Heilman, A. Kendler, A. Zohar, and S. Goldberg, "Eclipse Attacks on Bitcoin's Peer-to-Peer Network", USENIX Security 2015)
Slide 87.
[Note] Transaction Malleability (2014)
txID (Transaction Identifier): A SHA-256 hash of all the fields of the transaction data.
Transaction Malleability: Changing the txID without invalidating the signature.
Actual Damage from Malleability: A problem arises particularly with wallets that use only the txID to identify transactions. If a tampered transaction is captured and confirmed in a block before the correct transaction, the balance in the wallet will be mismatched. Then the correct transaction is considered a double payment by the node and it will be processed as an invalid transaction.
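The wallet-side fix the slide points at (identify payments by what the signature commits to, not by the txID), as an added Python example that is not from the slides. The transaction model and byte layout below are a deliberately simplified construction, not Bitcoin's serialization: `txid` hashes everything including the scriptSig, whereas `payment_id` hashes only the previous outputs spent and the outputs paid, which is the part a relayed variant with re-encoded signature bytes cannot change without invalidating the signature.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass(frozen=True)
class TxIn:
    prev_txid: bytes
    prev_index: int
    script_sig: bytes        # signature encoding; not itself covered by the signature


@dataclass(frozen=True)
class TxOut:
    value_sat: int
    script_pubkey: bytes


@dataclass(frozen=True)
class Tx:
    inputs: Tuple[TxIn, ...]
    outputs: Tuple[TxOut, ...]


def serialize(tx: Tx, with_script_sig: bool = True) -> bytes:
    """Toy serialization (constructed for this example, not Bitcoin's wire format)."""
    out = bytearray()
    for i in tx.inputs:
        out += i.prev_txid + i.prev_index.to_bytes(4, "little")
        if with_script_sig:
            out += len(i.script_sig).to_bytes(2, "little") + i.script_sig
    for o in tx.outputs:
        out += o.value_sat.to_bytes(8, "little")
        out += len(o.script_pubkey).to_bytes(2, "little") + o.script_pubkey
    return bytes(out)


def txid(tx: Tx) -> bytes:
    """Pre-SegWit identifier: covers the scriptSig, so it is malleable."""
    return sha256d(serialize(tx, with_script_sig=True))


def payment_id(tx: Tx) -> bytes:
    """Signature-independent identifier: spent outpoints plus outputs, which the
    signature commits to; this is what SegWit's txid effectively became."""
    return sha256d(serialize(tx, with_script_sig=False))


class Wallet:
    """Tracks outgoing payments by payment_id so a malleated confirmation settles them exactly once."""
    def __init__(self):
        self.pending = {}

    def send(self, tx: Tx, label: str) -> None:
        self.pending[payment_id(tx)] = label

    def on_confirmed(self, tx: Tx) -> Optional[str]:
        return self.pending.pop(payment_id(tx), None)   # None: unknown or already settled


def constructed_withdrawal() -> Tx:
    funding = sha256d(b"constructed funding tx")
    return Tx(inputs=(TxIn(funding, 0, b"\x30\x44" + b"\x02" * 66 + b"\x21pubkey"),),
              outputs=(TxOut(100_000, b"pay-to-customer"),))


def confirmed_variant(tx: Tx) -> Tx:
    """What the wallet may observe on-chain: same spends and outputs, different scriptSig bytes."""
    ins = tuple(TxIn(i.prev_txid, i.prev_index, b"\x00" + i.script_sig) for i in tx.inputs)
    return Tx(ins, tx.outputs)


if __name__ == "__main__":
    tx = constructed_withdrawal()
    seen = confirmed_variant(tx)
    print("txid differs:      ", txid(tx) != txid(seen))              # True
    print("payment_id matches:", payment_id(tx) == payment_id(seen))  # True
    w = Wallet()
    w.send(tx, "withdrawal-1")
    print("settled as: ", w.on_confirmed(seen))    # withdrawal-1
    print("second time:", w.on_confirmed(seen))    # None, so no second payout
```

Keyed this way, the "original transaction wasn't processed, pay again" failure described on slide 93 cannot happen: the variant that confirmed settles the same pending entry, and a second confirmation finds nothing left to settle. A wallet that fee-bumps with different outputs creates a genuinely new payment_id and must retire the old entry itself.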
Slide 88.
[Note] Transaction Malleability (2014)
[Figure: Bitcoin Transaction Message]
Slide 91.
[Note] Transaction Malleability (2014)
[Figure: transaction bytes; label "txID"]
(Ken Shirriff, "Bitcoin Transaction Malleability: Looking at The Bytes", Feb 13, 2014)
Slide 93.
[Note] Transaction Malleability (2014)
We store some funds on Mt. Gox. We do a withdrawal. We find the transaction and change it. We submit the changed transaction faster than Mt. Gox. The new transaction sometimes wins and we have our money. We wait 2 days and complain to Mt Gox that our money hasn't arrived. They search with the old txID and see that the original transaction wasn't processed (they think you weren't paid yet). They pay you again with different money. Yay!!
Slide 96.
Q) Security? – Wallet Theft
Storing in plaintext on the PC: bad idea (malware attacks).
Encrypting with a password: susceptible to dictionary attacks.
Better: Split the key between several devices. Two options: use the multi-signature feature of Bitcoin, or use secret sharing and multi-party computation.
Storing on a USB memory: also susceptible to malware (once connected to the PC).
Using a smarter device: more secure, especially if it has a display.
(Stefan Dziembowski, "Mining Pools and Attacks", Workshop on Bitcoin, Introduction to Cryptocurrencies, Jun 6-7, 2016)
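The "secret sharing" option, as an added Python example not taken from the slides: a 2-of-3 Shamir split of a private key over the secp256k1 group order, so each share can live on a different device, any two reconstruct the key, and one alone carries no information about it. The secret value is constructed; the `rng` parameter exists only so the behaviour can be checked deterministically.

```python
import secrets

# Order of the secp256k1 group; a Bitcoin private key is an integer in [1, N-1],
# so sharing over GF(N) keeps every share the same size as a key.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_secret(secret: int, threshold: int, n_shares: int, rng=secrets.randbelow):
    """Shamir split: random polynomial of degree threshold-1 with f(0) = secret,
    evaluated at x = 1..n_shares. Any `threshold` points determine f(0); fewer do not."""
    if not 1 <= threshold <= n_shares < N:
        raise ValueError("need 1 <= threshold <= n_shares")
    coeffs = [secret % N] + [rng(N) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        y = 0
        for c in reversed(coeffs):          # Horner's rule mod N
            y = (y * x + c) % N
        return y

    return [(x, f(x)) for x in range(1, n_shares + 1)]


def recover_secret(points) -> int:
    """Lagrange interpolation at x = 0 over GF(N)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        total = (total + yi * num * pow(den, -1, N)) % N
    return total


if __name__ == "__main__":
    key = secrets.randbelow(N - 1) + 1                       # constructed stand-in for a wallet key
    shares = split_secret(key, threshold=2, n_shares=3)      # one share per device
    print("laptop + phone :", recover_secret(shares[:2]) == key)               # True
    print("laptop + USB   :", recover_secret([shares[0], shares[2]]) == key)   # True
    print("laptop alone   :", recover_secret(shares[:1]) == key)               # False
```

The reconstruction step is the moment of exposure: the key exists in one place only while `recover_secret` runs, so that step belongs on the device with the display, and the shares should be produced by a true random source (the default `secrets.randbelow`), never by a seeded generator outside tests.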
Slide 98.
Q) Anonymity & Privacy?
Recent studies have demonstrated that about 40% of Bitcoin users are able to be identified through these public transaction logs. This is due, in part, to Bitcoin's increased reliance on a few large accounts.
(Preston Miller, "Virtual Currencies and their Relevance to Digital Forensics", Apr 9, 2017)
Slide 99.
Q) Anonymity & Privacy?
Anonymity = Pseudonymity + Unlinkability
Slide 100.
Q) Anonymity & Privacy?
Pseudonymity of Bitcoin Transactions
Slide 101.
Q) Anonymity & Privacy?
Unlinkability of Bitcoin Transactions
If Alice conducts two bitcoin transactions using different bitcoin addresses ("pseudonyms"), how hard is it for those transactions to be linked?
Slide 103.
Q) Anonymity & Privacy?
Trust Problem with Mixing Services!: From Bitcoin's perspective, transferring coins means changing the ownership in an irreversible way. At this point, the mix (who might be malicious) is the legitimate owner of the coins. Thus, he could spend them for whatever he likes. This monetary aspect should not be underestimated, as it amplifies the trust problem with mixing services.
Slide 104.
Q) Anonymity & Privacy?
[Figure: privacy coin comparison table; √ marks zk-STARKs]
[1] Bitcoin Beginner, "Privacy Coin Comparison", December 30, 2017
[2] Felix Küster, "Privacy Coins Guide: Comparison of Anonymous Cryptocurrencies", Aug 23, 2017
Slide 105.
Q) Anonymity & Privacy?
[Figure: privacy coin comparison table; √ marks zk-STARKs]
Increasing the privacy level comes at the price of a bloated block chain and more complex operations!
[1] Bitcoin Beginner, "Privacy Coin Comparison", December 30, 2017
[2] Felix Küster, "Privacy Coins Guide: Comparison of Anonymous Cryptocurrencies", Aug 23, 2017
Slide 111.
[Note] zk-SNARKs (2012)
Zero-Knowledge Succinct Non-interactive ARgument of Knowledge: a cryptographic method for proving/verifying, in zero-knowledge, the integrity of computations.
In Bitcoin, transactions are validated by linking the sender address, receiver address, and input and output values on the public blockchain.
Zcash uses zk-SNARKs to prove that the conditions for a valid transaction have been satisfied without revealing any crucial information about the addresses or values involved.
However, it requires a trusted setup.
Slide 112.
Q) Programming Errors
Block 74638 (Aug 2010) contained a transaction with two outputs summing to over 184 billion BTC. This was because of an integer overflow in the Bitcoin software. Solved by a software update and a "manual fork". One double spending observed (worth 10,000 USD).
A fork at block 225430 (March 2013) was caused by an error in the software update of Bitcoin Core. It lasted 6 hours and was solved by reverting to an older version of the software.
(Stefan Dziembowski, "Mining Pools and Attacks", Workshop on Bitcoin, Introduction to Cryptocurrencies, Jun 6-7, 2016)
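The 2010 overflow as a validation-logic lesson, in an added Python example that is not from the slides. Python integers do not wrap, so `wrap_int64` emulates the C++ signed 64-bit arithmetic a node of that era used; the two constructed outputs are each just under 2^63 satoshi (together about 184 billion BTC, the magnitude named above, though not claimed to be the incident's exact values), so their wrapped sum is a small negative number that a check of the form "inputs >= sum(outputs)" accepts. The hardened check range-limits every output and the running total before adding.

```python
MAX_MONEY = 21_000_000 * 100_000_000       # 2.1e15 satoshi, the largest legitimate amount
TWO63 = 2 ** 63


def wrap_int64(x: int) -> int:
    """Emulate two's-complement signed 64-bit wraparound (C++ int64 behaviour)."""
    return (x + TWO63) % (2 * TWO63) - TWO63


def naive_spend_valid(total_in: int, out_values) -> bool:
    """Vulnerable pattern: sum outputs in int64 and compare with inputs; nothing rejects
    huge or negative values, so a wrapped-around negative total passes the comparison."""
    total_out = 0
    for v in out_values:
        total_out = wrap_int64(total_out + v)
    return total_in >= total_out


def hardened_spend_valid(total_in: int, out_values) -> bool:
    """Fixed pattern: every output and every partial sum must stay within [0, MAX_MONEY]
    before it is added, so the sum can never overflow, and inputs must cover outputs."""
    total_out = 0
    for v in out_values:
        if not 0 <= v <= MAX_MONEY:
            return False
        total_out += v
        if total_out > MAX_MONEY:
            return False
    return 0 <= total_in <= MAX_MONEY and total_in >= total_out


# Constructed outputs modelled on the incident: two values just below 2**63 satoshi.
OVERFLOW_OUTPUTS = [TWO63 - 498_769, TWO63 - 498_769]
INPUT_HALF_BTC = 50_000_000                 # 0.5 BTC of real inputs

if __name__ == "__main__":
    true_sum = sum(OVERFLOW_OUTPUTS)
    print(f"true output sum: {true_sum / 1e8:,.0f} BTC")                       # ~184 billion BTC
    print("int64 sum seen by naive code:", wrap_int64(true_sum))               # small negative
    print("naive check accepts:   ", naive_spend_valid(INPUT_HALF_BTC, OVERFLOW_OUTPUTS))      # True
    print("hardened check accepts:", hardened_spend_valid(INPUT_HALF_BTC, OVERFLOW_OUTPUTS))   # False
    print("hardened, honest spend:", hardened_spend_valid(INPUT_HALF_BTC, [30_000_000, 19_990_000]))  # True
```

The general rule the fix embodies: in consensus code, bound each value against a domain limit before arithmetic, and bound the accumulator after every addition, rather than checking only the final result.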
Slide 114.
Other Challenges with PoW Blockchain
Decentralized unlicensed exchanges (DEXs) vs. Centralized licensed exchanges (e.g. EtherDelta)
Storage constraints
Lack of governance and standards
Quantum computing threat
… and more.
Slide 115.
Ethereum (2013)
Distributed Turing Machine with Blockchain Protection (by Vitalik Buterin)
A smart contract program is executed by a network of miners who reach consensus on the outcome of the execution (Distributed Turing Machine), and update the contract's state on the blockchain accordingly (Turing Machine with Blockchain Protection).
Slide 118.
Ethereum (2013)
Distributed Turing Machine
(https://bytescout.com/blog/ethereum-turing-blockchain.html)
Slide 119.
Ethereum (2013)
Distributed Turing Machine
It is better to think of smart contracts not as signing a contract but as executing pieces of simple code (executed inside of the virtual machine).
(https://bytescout.com/blog/ethereum-turing-blockchain.html)
Slide 120.
Ethereum (2013)
Distributed Turing Machine
The one who calls the contract must pay. To do this, Ethereum uses the so-called Gas, a small piece of Ether (ETH), the native currency.
(https://bytescout.com/blog/ethereum-turing-blockchain.html)
122.
Ethereum (2013)
TM (= Transaction-based State Machine) with Blockchain Protection
In computer science, a state machine is something that reads a series of inputs and, based on those inputs, transitions to a new state. In Ethereum the inputs are transactions: each block applies a batch of transactions to the current global state and produces the next one.
123.
Ethereum (2013)
TM (= Transaction-based State Machine)
with Blockchain Protection
State instead of History!
(https://bytescout.com/blog/ethereum-turing-blockchain.html)
124.
Ethereum (2013)
Solidity (very similar to JavaScript)
  compiles to
Ethereum bytecode
  executed by
Ethereum VM (the Ethereum VM is Turing-complete)
(Note: Bitcoin has an ad-hoc, non-Turing-complete, stack-based scripting language with fewer than 200 commands called 'opcodes'.)
125.
Ethereum (2013)
Because the Ethereum VM is Turing-complete, there is no general way to decide in advance whether a contract call will ever terminate (the halting problem). If execution were free, a malicious actor could disrupt the network simply by submitting a transaction that runs an infinite loop, at no cost to themselves. Gas solves this: every transaction carries a gas limit, each operation consumes gas, and when the gas runs out execution halts and the transaction's state changes are reverted, while the sender still pays for the gas consumed. Fees therefore bound the work any single transaction can impose on every node, and so protect the network from deliberate attacks.
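To make the halting argument concrete, here is a toy gas-metered interpreter. It is an added example written for this page, not the EVM or code from any Ethereum client; the opcodes, gas costs and the two programs are constructed for illustration. It shows the three properties gas gives you: the infinite loop stops when its allowance is exhausted, its storage writes are discarded, and the sender is still charged for the gas burned.

```python
"""Toy gas-metered interpreter (added example; not the EVM or any real client).

Demonstrates the point of gas: an unbounded loop cannot stall the network,
because execution halts when the transaction's gas allowance is exhausted,
its state changes are discarded, and the sender still pays for the gas burned.
Opcodes, gas costs and programs are constructed for illustration only.
"""
from dataclasses import dataclass

GAS_COST = {"PUSH": 3, "ADD": 3, "JUMP": 8, "SSTORE": 20, "STOP": 0}


class OutOfGas(Exception):
    pass


@dataclass
class Result:
    halted: bool   # True if STOP was reached, False if gas ran out
    gas_used: int
    storage: dict  # committed storage; empty when execution reverted


def run(program, gas_limit, gas_price=1, balance=10 ** 6):
    """Run `program`, a list of (opcode, argument) pairs, under `gas_limit`.

    Returns (Result, sender_balance_after). Every opcode is charged before it
    executes; if the charge cannot be met the run aborts with OutOfGas, the
    storage writes are dropped, but the fee for gas already consumed stands.
    """
    stack, storage = [], {}
    pc, gas_left = 0, gas_limit
    try:
        while True:
            op, arg = program[pc]
            if GAS_COST[op] > gas_left:
                raise OutOfGas(f"at pc={pc}")
            gas_left -= GAS_COST[op]
            if op == "PUSH":
                stack.append(arg)
                pc += 1
            elif op == "ADD":
                b, a = stack.pop(), stack.pop()
                stack.append(a + b)
                pc += 1
            elif op == "SSTORE":          # stack layout: [... key value]
                value, key = stack.pop(), stack.pop()
                storage[key] = value
                pc += 1
            elif op == "JUMP":
                pc = arg
            elif op == "STOP":
                break
        result = Result(True, gas_limit - gas_left, storage)
    except OutOfGas:
        result = Result(False, gas_limit - gas_left, {})
    return result, balance - result.gas_used * gas_price


# Constructed programs.
INFINITE_LOOP = [("PUSH", 1), ("JUMP", 0)]          # never reaches STOP
STORE_ONCE = [("PUSH", 7), ("PUSH", 42), ("SSTORE", None), ("STOP", None)]

if __name__ == "__main__":
    print(run(INFINITE_LOOP, gas_limit=100))   # halts with gas_used == 99
    print(run(STORE_ONCE, gas_limit=100))      # commits {7: 42}, gas_used == 26
```

Running STORE_ONCE with a gas limit of 10 shows the other half of the rule: the SSTORE cannot be paid for, the run aborts after 6 gas, and nothing is committed even though the program itself would have terminated.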
128.
[Note] Smart Contracts (1996)
Smart Contract: "A set of promises, specified in digital form, including protocols within which the parties perform on these promises." (Nick Szabo, 1996)
Basic principles of contract design:
- Observability
- Verifiability
- Privity
- Enforceability
129.
[Note] Smart Contracts (1996)
“Smart contracts often involve trusted third parties, exemplified by an intermediary, who is involved in the performance, and an arbitrator, who is invoked to resolve disputes arising out of performance (or lack thereof).”
130.
Ether Mining
- Mining Ether = securing the network = verifying computation
- Ethereum's PoW algorithm is called Ethash, a modified version of Dagger-Hashimoto.
- Ethash is memory-hard, which makes it largely ASIC-resistant.
- It is planned to be replaced by PoS.
- Blocks are mined on average every 15 seconds, so Ethereum's blockchain can process around 25 transactions per second (the exact throughput is bounded by the block gas limit).
131.
[Note] Memory Hardness
Computing a valid proof of work should require not only a large number of computations but also a large amount of memory, so that a special-purpose chip gains little over commodity hardware.
134.
[Note] PoS (Proof of Stake)
Idea (consensus by bet): someone who holds a large stake will not do anything that endangers that stake, such as cheating, because the stake would then lose value.
However, PoS has so far not been as successful as Proof-of-Work.
135.
[Note] PoS (Proof of Stake)
Casper PoS Algorithm
1. Validators lock up a portion of their Ether as stake.
2. They then start validating blocks: when they find a block they believe can be added to the chain, they validate it by placing a bet on it.
3. If the block is appended, the validators receive a reward proportionate to their bets.
4. If a validator acts maliciously, e.g. by betting on conflicting blocks (the "nothing at stake" behaviour that an unpenalised PoS scheme would allow), the misbehaviour is detected and all of their stake is slashed.
136.
Ethereum’s GHOST Protocol
Because of the way Ethereum is built, block times are much lower (~15 seconds) than those of other blockchains like Bitcoin (~10 minutes). This enables faster transaction processing. However, one downside of shorter block times is that more competing block solutions are found by miners: a block often has not finished propagating across the network before another miner finds a competing block, so more work ends up in stale blocks.
137.
Ethereum’s GHOST Protocol
GHOST (Greedy Heaviest Observed Subtree) was introduced in 2013 (Sompolinsky and Zohar) to solve this problem. Ethereum adopts a simplified version: a stale block, called an ommer or uncle, can be referenced by a later block, and both the uncle's miner and the including miner are rewarded, so the whole tree of blocks found by miners is taken into account.
An uncle earns a smaller reward than a full block, and the reward diminishes rapidly with the uncle's distance from the block that includes it, reaching zero once the inclusion window (six generations in Ethereum) has passed.
Rewarding miners to "confirm" uncles in this way helps secure the network by making the chain "heavier": hash power spent on stale blocks is not simply wasted.
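The reward schedule above can be written down exactly. The following is an added worked example, not code from the page or from any Ethereum client; it implements the ommer reward formulas of the Ethereum Yellow Paper as they stood at Byzantium (base reward 3 ETH, at most two uncles per block, uncle reward (U_n + 8 - B_n)/8 of the base reward for a distance B_n - U_n of 1 to 6, and 1/32 of the base reward to the including miner per uncle). The block numbers used in the usage code are constructed. Note that Ethereum took from GHOST the idea of rewarding uncles; its canonical-chain rule remains the chain with the greatest total difficulty.

```python
"""Ethereum uncle (ommer) reward schedule, as an added worked example.

Implements the reward formulas of the Ethereum Yellow Paper (Byzantium era):
  miner reward     R + R/32 per included uncle (at most 2 uncles per block)
  uncle reward     (U_n + 8 - B_n) * R / 8, valid only for 1 <= B_n - U_n <= 6
where B_n is the including block's number, U_n the uncle's number and
R = 3 ETH the base block reward. Amounts are in wei. The block numbers used
in the usage code below are constructed for illustration.
"""

ETH = 10 ** 18
BASE_REWARD = 3 * ETH        # Byzantium base block reward
MAX_UNCLES = 2
MAX_UNCLE_DISTANCE = 6       # the uncle's parent must be an ancestor within 7 generations


def uncle_reward(block_number, uncle_number, base=BASE_REWARD):
    """Reward paid to the uncle's miner, or 0 if the uncle is not includable."""
    distance = block_number - uncle_number
    if not 1 <= distance <= MAX_UNCLE_DISTANCE:
        return 0
    return (uncle_number + 8 - block_number) * base // 8


def block_rewards(block_number, uncle_numbers, base=BASE_REWARD):
    """Return (miner_reward, [uncle_rewards]) for a block including the given
    uncles. Raises ValueError for blocks a validating node would reject."""
    if len(uncle_numbers) > MAX_UNCLES:
        raise ValueError("a block may reference at most two uncles")
    uncles = [uncle_reward(block_number, u, base) for u in uncle_numbers]
    if any(r == 0 for r in uncles):
        raise ValueError("uncle outside the six-generation inclusion window")
    miner = base + len(uncle_numbers) * base // 32
    return miner, uncles


def reward_schedule(base=BASE_REWARD):
    """Uncle reward as a fraction of the base reward, by distance 1..7."""
    return {d: uncle_reward(1000, 1000 - d, base) / base for d in range(1, 8)}


if __name__ == "__main__":
    for d, frac in reward_schedule().items():
        print(f"distance {d}: uncle gets {frac:.3f} of the block reward")
    miner, uncles = block_rewards(1000, [999, 997])
    print(miner / ETH, [u / ETH for u in uncles])
```

The schedule runs 7/8, 6/8, ..., 2/8 of the base reward for distances 1 to 6 and then drops to nothing, which is the "rapidly diminishing" curve the slide describes.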
139.
Main Challenges with Smart Contracts
Lack of formal contract verification!
(e.g.) The launch of The DAO was anticipated by almost everyone, so immediately after the launch about $165 million was sent to the fund. This was a great event in the community.
Some weeks after the launch, in June 2016, an error was found in the code of the smart contract, in the very place where the logic "to get out and take your share out of the fund" was implemented.
The essence of the bug: the recipient of a share could be another smart contract, and the DAO sent the funds to the recipient before recording that the share had been paid out. The recipient contract's code could therefore call back into the withdrawal logic while the old balance was still on record (a re-entrancy bug) and collect the share again and again.
So the attackers moved more than $65 million to their own accounts!
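The pattern behind the DAO drain is easy to reproduce. The following is an added example written for this page, in Python rather than Solidity so that it runs stand-alone; it is not The DAO's code, and the fund, user and attacker objects, the amounts and the names are constructed. The vulnerable ordering pays the recipient before zeroing its balance, so an attacker contract's fallback (here, `receive`) re-enters `withdraw` and is paid for the same share repeatedly. The hardened ordering zeroes the balance first (checks, effects, then interactions) and additionally refuses re-entrant calls.

```python
"""Re-entrancy ('recursive call') bug, simulated in Python (added example).

Models the pattern behind the 2016 DAO drain: a withdraw routine that sends
ether to the caller BEFORE updating the caller's balance. If the recipient is
a contract, its fallback code runs during the send and can call withdraw again
while the stale balance is still on record. The hardened version updates state
first (checks-effects-interactions) and, as a second line of defence, refuses
re-entrant calls. All names and amounts are constructed for illustration.
"""


class Fund:
    def __init__(self, send_first):
        self.balances = {}
        self.ether = 0                  # ether held by the fund
        self.send_first = send_first    # True -> vulnerable ordering
        self._locked = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def withdraw(self, who):
        """`who` is any object with a `receive(fund, amount)` fallback."""
        if self._locked and not self.send_first:
            raise RuntimeError("re-entrant call rejected")
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        if self.send_first:
            # VULNERABLE: external call while the balance is still recorded.
            self.ether -= amount
            who.receive(self, amount)
            self.balances[who] = 0
        else:
            # HARDENED: zero the balance, then pay; the lock blocks re-entry.
            self._locked = True
            self.balances[who] = 0
            self.ether -= amount
            try:
                who.receive(self, amount)
            finally:
                self._locked = False


class HonestUser:
    def __init__(self):
        self.received = 0

    def receive(self, fund, amount):
        self.received += amount


class Attacker:
    """Contract whose fallback re-enters withdraw a bounded number of times."""
    def __init__(self, rounds):
        self.received, self.rounds = 0, rounds

    def receive(self, fund, amount):
        self.received += amount
        if self.rounds > 0:
            self.rounds -= 1
            try:
                fund.withdraw(self)      # re-entry while our balance is stale
            except RuntimeError:
                pass                     # the hardened fund refuses


def drain(send_first, rounds=3):
    """Return (attacker_received, fund_ether_left) for a constructed 100-ETH fund."""
    fund = Fund(send_first)
    honest, attacker = HonestUser(), Attacker(rounds)
    fund.deposit(honest, 90)
    fund.deposit(attacker, 10)
    fund.withdraw(attacker)
    return attacker.received, fund.ether


if __name__ == "__main__":
    print("vulnerable:", drain(send_first=True))    # (40, 60): 10 ETH share taken 4 times
    print("hardened:  ", drain(send_first=False))   # (10, 90)
```

With a 10 ETH share and three re-entries the attacker collects 40 ETH of a 100 ETH fund; the honest depositor's 90 ETH has shrunk to 60. The hardened fund pays exactly once.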
140.
[Note] The DAO (2016)
Decentralized Autonomous Organization, launched on 30 April 2016.
Crowdfunding using smart contracts.
The smart contract was meant to guarantee that no one could deceive anyone and that there would be complete democracy in all aspects. It even took into account the option that some participants would want to leave the DAO and take their shares out of the fund (e.g. if they did not agree with the choice of projects, or simply wanted to invest on their own).
141.
ICO
(Classic) Initial Coin Offering
Similar to an IPO, but here the investor receives nothing other than the digital tokens.
(Figure: Investors send funds to the Company, which issues a new cryptocurrency/token in return)
142.
DApp
Decentralized Application
App: frontend code & UI make calls to its backend; the backend code runs on centralized servers.
DApp: frontend code & UI make calls to its backend; the backend code runs on a decentralized P2P network (i.e., Ethereum contracts).
144.
IOTA & Tangle (2015)
IOTA: cryptocurrency for the IoT
Tangle: a DAG (Directed Acyclic Graph) for storing transactions, in contrast to a blockchain's sequential list of blocks
145.
IOTA & Tangle (2015)
“Our world is currently entangled. The tangle will bind it together.”
146.
IOTA & Tangle (2015)
- The main focus of IOTA is on the IoT and M2M micropayment transactions.
- IOTA claims to scale almost without limit, unlike blockchains.
- IOTA is free in the sense that there is no transaction fee; the "fee" is the work of verifying other transactions.
- IOTA uses a hash-based signature scheme, WOTS (Winternitz One-Time Signature), chosen for its presumed quantum resistance. Being one-time, it requires that an address never be spent from twice.
148.
IOTA & Tangle (2015)
Basic idea: a newly issued transaction is obligated to approve TWO old transactions.
In order to issue a transaction, do the following:
1. Choose two other transactions (that you will verify) according to a 'Transaction Selection Algorithm' (the paper's tip selection algorithm).
2. If you find a transaction that conflicts with the tangle history, you should not approve the conflicting transaction, either directly or indirectly.
3. When issuing a valid transaction, you must solve a cryptographic puzzle similar to those in the Bitcoin blockchain (on average around 3^8 nonce trials).
Propagation incentive for users: you will be dropped by your neighbours if you are lazy about propagating transactions (i.e., always approve a pair of very old transactions and therefore do not contribute to the approval of more recent ones).
(Serguei Popov, “The Tangle”, Oct 1, 2017, Version 1.3)
149.
[Note] Transaction (Tip) Selection Algorithm
- Uniformly random among all transactions: not good, since it does not encourage approving tips (old transactions keep being approved while new ones stay unconfirmed).
- Random among the top section (the part near the tips): good; tips have a much higher probability of being selected and approved.
- MCMC (Markov Chain Monte Carlo)-based algorithm: random walks from older transactions toward the tips, biased toward heavier (more widely approved) transactions.
(Jeff Hu, "IOTA Tangle: Introductory Overview of White paper for Beginners", Sep 28, 2017)
150.
IOTA & Tangle (2015)
(Tangle Visualization: https://simulation1.tangle.works/)
151.
Genesis transaction: approved, either directly or indirectly, by all other transactions.
Tips: unapproved transactions.
152.
Here, each transaction has a cumulative weight that changes over time. It is defined as its own weight plus the number of subsequent transactions that have approved it directly or indirectly. Intuitively, an honest transaction ends up with a much greater weight than a fraudulent one, because honest issuers keep building on it.
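The quantities from slides 148 to 152 (approving two earlier transactions, tips, the genesis, cumulative weight and a weight-biased walk toward the tips) can be computed on a small tangle. The following is an added example written for this page, not IOTA's reference implementation; the seven-transaction graph, the transaction names and the value of alpha are constructed. The random walk follows the form of the MCMC tip selection in the Tangle paper (step from x to an approver y with probability proportional to exp(-alpha * (W_x - W_y))), with a seeded generator so the run is reproducible.

```python
"""Tangle bookkeeping on a small constructed DAG (added example, not IOTA's code).

Every non-genesis transaction approves earlier transactions (two, in IOTA).
The functions compute the quantities the slides describe: the tips (nothing
approves them yet), the genesis (everything approves it, directly or
indirectly) and each transaction's cumulative weight (own weight 1 plus the
number of transactions approving it directly or indirectly). The last two
functions run a weighted random walk toward the tips in the spirit of the
MCMC tip selection of the Tangle paper: from x, step to an approver y with
probability proportional to exp(-alpha * (W_x - W_y)). The graph and the
transaction names are constructed.
"""
import math
import random

# Constructed tangle: transaction -> transactions it approves.
TANGLE = {
    "g": [],          # genesis
    "a": ["g"],
    "b": ["g"],
    "c": ["a", "b"],
    "d": ["a", "b"],
    "e": ["c", "d"],
    "f": ["c"],
}


def approvers(tangle):
    """Invert the edges: transaction -> set of transactions approving it directly."""
    inv = {tx: set() for tx in tangle}
    for tx, parents in tangle.items():
        for p in parents:
            inv[p].add(tx)
    return inv


def reachable(start, edges):
    """Everything reachable from `start` by following `edges`, excluding `start`."""
    seen, todo = set(), list(edges[start])
    while todo:
        n = todo.pop()
        if n not in seen:
            seen.add(n)
            todo.extend(edges[n])
    return seen


def cumulative_weights(tangle):
    inv = approvers(tangle)
    return {tx: 1 + len(reachable(tx, inv)) for tx in tangle}


def tips(tangle):
    return sorted(tx for tx, s in approvers(tangle).items() if not s)


def is_genesis(tx, tangle):
    return reachable(tx, approvers(tangle)) == set(tangle) - {tx}


def random_walk_tip(tangle, start, alpha=0.5, rng=None):
    """Walk from `start` toward the tips; heavier approvers are preferred."""
    rng = rng or random.Random(0)
    inv, w = approvers(tangle), cumulative_weights(tangle)
    x = start
    while inv[x]:
        candidates = sorted(inv[x])
        weights = [math.exp(-alpha * (w[x] - w[y])) for y in candidates]
        x = rng.choices(candidates, weights=weights)[0]
    return x


def select_tips(tangle, start="g", alpha=0.5, seed=0):
    """Two independent walks give the two transactions a new one will approve."""
    rng = random.Random(seed)
    return (random_walk_tip(tangle, start, alpha, rng),
            random_walk_tip(tangle, start, alpha, rng))


if __name__ == "__main__":
    print(cumulative_weights(TANGLE))   # genesis heaviest, tips have weight 1
    print(tips(TANGLE), is_genesis("g", TANGLE), select_tips(TANGLE))
```

On this graph the genesis has weight 7, the tips e and f have weight 1, and every walk from the genesis ends on one of the two tips; raising alpha makes the walk favour the heavier branch more strongly, which is the knob the paper uses to discourage lazy approvals of old transactions.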
153.
Main Challenges with Tangle
34% Attacks
A blockchain is vulnerable if one party controls 51% of the computing power on the network. Since IOTA uses the Tangle to verify its transactions, it is theoretically vulnerable if one party controls only 34% (more than 1/3) of the network's computing power.
IOTA is most vulnerable to such an attack early in its life: while the network is small, with few nodes, it is easier for an attacker to accumulate a 34% share of it. To counter this threat, IOTA uses a "Coordinator" in its implementation.
154.
Main Challenges with Tangle
Centralization
Coordinator: run by the IOTA Foundation and not open-source. Its main purpose is to protect the network until it grows strong enough to withstand a large-scale attack from those who own GPUs.
Milestone: a special transaction issued by the Coordinator. Milestones set the general direction for tangle growth and act as a kind of checkpoint; transactions (in)directly referenced by milestones are considered confirmed.
This means that IOTA in its current form does not provide any censorship resistance, since the path of the tree is centrally directed through a Coordinator node run by the IOTA Foundation.
Even if the Coordinator is planned to become optional someday, we currently have no way to verify that the technology will ever actually work safely without it.
(Eric Wall, "IOTA Is Centralized", Jun 14, 2017)
155.
Main Challenges with Tangle
Lack of Testing and Peer Review
A number of crypto experts have questioned IOTA's viability as a platform. The technology behind IOTA simply hasn't been tested enough to know how it will work at scale and how it will hold up to attacks.
IOTA's developers chose their own homemade cryptography instead of using established standards.
156.
Main Challenges with Tangle
Lack of Testing and Peer Review
(Note) On Aug 7, 2017 IOTA deployed a hard fork to stop using Curl for signature message hashing. The signature forgery vulnerability was fixed in IOTA Reference Implementation (IRI) version 1.3 and IOTA wallet version 2.4.0 (July 14, 2017).
158.
Main Challenges with Tangle
Lack of Testing and Peer Review
(IOTA Foundation, "Official IOTA Foundation Response to the Digital Currency Initiative at the MIT Media Lab — Part 4/4", Jan 7, 2018)
“IOTA's Curl-P function is not a cryptographic function nor was it intended to be. With Coordinator IOTA's security depends on one-wayness of Curl-P, without Coordinator the security depends on collision resistance.”
“Curl-P was indeed deployed in the open-source IOTA protocol code as a copy-protection mechanism to prevent bad actors cloning the protocol and using it for nefarious purposes.”
159.
Litecoin (2011)
Released on October 7, 2011 by Charlie Lee. It was inspired by, and in technical details is nearly identical to, Bitcoin.
The Litecoin network aims to process a block every 2.5 minutes, rather than Bitcoin's 10 minutes.
Because Litecoin uses the memory-hard scrypt function for its proof of work, FPGA and ASIC devices for mining Litecoin are more complicated to design and more expensive to produce than those for Bitcoin, which uses SHA-256.
161.
NEO (2015)
Released in June 2015 by Da Hongfei. Formerly known as 'AntShares'; often referred to as the Chinese Ethereum.
162.
What Happens in Korea Now!
166.
Conclusions
(Figure: decision flowchart from Karl Wüst and Arthur Gervais, "Do You Need a Blockchain?", Cryptology ePrint Archive: Report 2017/375)
167.
Conclusions
Steven Bellovin: “A lab experiment that escaped into the wild.”
Matt Blaze: “Cryptocurrency somehow combines everything we love about religious fanatics with everything we love about Ponzi schemes.”
Joseph Bonneau: “Bitcoin works in practice, but not in theory.”
Seungjoo Kim: “Blockchain technology is like stem cells. Promising, but many challenges still remain...”
179.
What is needed for a sound investment environment?