Virtual Currency Myth and Reality (Ver. 3.0 (182 pages) : Extended Version of Seoul National Univ. China AMP Seminar, Jan 24, 2018)

고려대학교정보보호대학원
마스터 제목 스타일 편집
Virtual Currency
Myth and Reality(Ver. 3.0 : Extended Version of Seoul National Univ. CHAMP Seminar, Jan 24, 2018)
(Feb 21, 2018)

보안성분석평가연구실
김승주 교수 (skim71@korea.ac.kr)
로봇융합관 306호
- Security Engineering : (1) Threat-Risk Modeling
(2) Provably Secure Design (3) Automated Verification of
Security Implementations (4) (Structured) Penetration
Testing (5) Secure Over-The-Air Software Updates
- Security Evaluation & Certification (including CMVP, CC,
C&A, SSE-CMM)
- SDL (Security Development Lifecycle)
연구분야
Security Analysis aNd Evaluation Lab
www.KimLab.net / gss.korea.ac.kr
주요 경력 :
1990.3~1999.2) 성균관대학교 공학 학사·석사·박사
1998.12~2004.2) KISA 암호기술팀장 및 CC평가1팀장
2004.3~2011.2) 성균관대학교 정보통신공학부 부교수
2011.3~현재) 고려대학교 사이버국방학과∙정보보호대학원 정교수
Founder of (사)HARU & SECUINSIDE
2017.4~현재) 고려대학교 사이버무기시험평가연구센터 부센터장
前) 육군사관학교 초빙교수
前) 선관위 DDoS 특별검사팀 자문위원
前) 개인정보분쟁조정위원회 위원
前) KBS ‘명견만리’, ‘장영실쇼’ 및 EBS ‘과학다큐 비욘드’ 출연
現) 카카오뱅크 정보보호부문 자문교수
現) 한국블록체인협회 정보보호 소위원회 위원
- ’96: Convertible Group Signatures (AsiaCrypt)
- ’97: Proxy Signatures, Revisited (ICICS): 700회이상 피인용
* 100회 이상 피인용 논문 건수: 6건
- ’06: 국가정보원 암호학술논문공모전 우수상
- ’07: 국가정보원장 국가사이버안전업무 유공자 표창
- ’12,’16: 고려대학교 석탑강의상
- ’13,’17: Smart TV Security (Black Hat USA 및 Hack In Paris): 삼성 및 LG 스마트TV 해킹(도청∙도촬) 및 해적방송 송출 시연
주요 R&D 성과
삼성전자와 공동으로
국내 최초 프린터복합기 보안 인증 획득 (2008년)
LG전자와 공동으로
세계 최초 스마트TV 보안 인증 획득 (2015년)

고려대학교 정보보호대학원
[1] “Smart TV Security - #1984 in 21st century”, SeungJin (beist) Lee et al., CanSecWest 2013
[2] “Hacking, Surveilling, and Deceiving Victims on Smart TV”,
SeungJin (beist) Lee et al., Black Hat USA 2013
[3] “Developing a Protection Profile for Smart TV”,
Minsu Park et al., International Common Criteria Conference 2014
[4] "(The First Experimental) Study on Smart TV Forensics”,
Heesoo Kang et al., Journal of the KIISC, 2014 (in Korean)
2013.3
2013.7
2014.9
2014.10
[5] (R&D with LG electronics) we got TTA-verified
security certification for Smart TV from TTA
2015.12
[6] ”Further Analysis on Smart TV Forensics",
Minsu Park et al., Journal of Internet Technology (SCI-Indexed Journal),
2016.11 (Accepted for Publication)
2016.11
[7] (R&D with LG electronics) We received 'world-first' Common Criteria EAL2 certification
for home appliances (Smart TV). 2017.4
[8] “Are you watching TV now? Is it real?: Hacking of smart TV with 0-day”
JongHo Lee et al., Hack in Paris 2017 2017.6
[10] “LG vs. Samsung Smart TV: Which Is Better for Tracking You?”
Sangmin Lee et al., CODE BLUE 2017
2017.11
[9] “How to Obtain Common Criteria Certification of Smart TV for Home IoT
Security and Reliability”, Sooyoung Kang et al., Symmetry-Basel (SCI-Indexed Journal)
2017.10
대표 연구 실적 – Smart TV

4
대표 연구 실적 – Security Evaluations

5
대표 연구 실적 – Data Forensics

CyKor @ DEFCON CTF 2015
(지도교수 : 김승주, 2011)

(설립자 & 등기이사 : 김승주, 2011)
(사)화이트해커연합 HARU

Contents – Part I –
 Virtual Currency
 Bitcoin
 Blockchain & Fork
 Classical Consensus Mechanisms
 Blockchain Consensus Mechanism
 Soft Fork vs. Hard Fork
 Main Challenges with PoW Blockchain
 Decentralized
 Scalability
 Consensus(or Security)
 Anonymity & Privacy
 Programming Errors
 Other Challenges with PoW Blockchain

Contents – Part II –
 Ethereum & Smart Contracts
 Ethereum
 Smart Contracts
 Main Challenges with Smart Contracts
 DAO, ICO, and DApp
 IOTA & Tangle
 IOTA
 Tangle(Not a Blockchain!)
 Main Challenges with Tangle
 Others : Litecoin, Cardano, NEO
 What Happens in Korea Now!
 Conclusions

Contents – FAQs –
 정부의 '거래소 폐쇄'에 대한 의견은?
 가상화폐는 화폐인가?
 블록체인과 가상화폐, 분리가 가능한가?
 바람직한 투자 환경이 조성되려면?

2018.1.18

SNU CHAMP (2018. 1. 24)

Myths
No Central Authority

Virtual Currency
(IMF Staff Discussion Note, "Virtual Currencies and Beyond: Initial Considerations", Jan 2016)

Bitcoin (2008)
(In October 2008, posted to the Cypherpunks mailing list)

First? Not!

17
 Anonymity (익명성)
 Transferability (양도성)
 Prevent copy & double-spending
(재사용 방지)
 Decentralized (분산 처리)
DigiCash (1988) vs. Bitcoin (2008)

18
 Anonymity (익명성)
 Transferability (양도성)
 Prevent copy & double-spending
(재사용 방지)
 Decentralized (분산 처리)
 by Blockchain
DigiCash (1988) vs. Bitcoin (2008)
Bitcoin is often called the first cryptocurrency,
although prior systems existed and it is more
correctly described as ‘the first decentralized
digital currency’. – Wikipedia –

DigiCash
(Jannik Dreier et al., "Formal Analysis of E-Cash Protocols", SECRYPT 2015)
Client
Seller
1. Withdrawal 3. Deposit
4. If a client spends a coin twice
(a.k.a. double-spending),
his identity is revealed. (by
online/offline)
2. Payment

Client
Seller
2. Payment
Bitcoin 4. Prevent double-spending by
blockchain consensus
mechanism

Client
Seller
2. Payment
Bitcoin 4. Prevent double-spending by
blockchain consensus
mechanism
“Whereas most technologies tend to automate
workers on the periphery doing menial tasks,
blockchains automate away the center. Instead
of putting the taxi driver out of a job, blockchain
puts Uber out of a job and lets the taxi drivers
work with the customer directly.”

22
[Note] Altcoin
 Aside from bitcoin, there are hundreds of
other digital currencies out there. These are
known as “altcoins,” or alternatives to
bitcoin.
 (e.g.) Ether, Ripple, Zcash, Monero and Dash, to
name just a few.
 However, Most altcoins offer no benefit
over Bitcoin at all. Plus, they have less hash
power securing them.
 This means that altcoins are typically riskier
than Bitcoin!

23
[Note] Altcoin (Source: CoinMarketCap, Note: As of midday Feb 17, 2018)

Consensus Mechanism
 Agreement in the presence of faults
 Coping with failures in computer systems
 Very well-studied since 1980 in distributed
computing, starting with Leslie Lamport et al.
 Failures (a.k.a. Byzantine failures) can be
 non-malicious (due to random SW/HW errors) or
 malicious (as a result of being attacked and
compromised)
???
Replicated data
But replication is
expensive! (consistency,
malicious attack etc.)

마스터 제목 스타일 편집[Note] Byzantine Generals Problem (1982)
(ACM Transactions on Programming Languages and Systems (TOPLAS), July 1982)

마스터 제목 스타일 편집[Note] Byzantine Generals Problem (1982)

Classical Consensus Mechanisms
 Crash failure model (Honest nodes that
may fail, but not deliberate act maliciously)
 2PC (Two Phase Commit)
 Paxos
 Quorum
 Chubby : Google File System (GFS), BigTable
 Byzantine failure model
 PBFT (Practical Byzantine Fault Tolerance)
 XFT (Cross Fault Tolerance)
 Honey Badger
 Hybster (Hybrids on Steroids : SGX-based high
performance BFT)
(Bano et al., "SoK: Consensus in The Age of Blockchains", arXiv 2017)

Classical Consensus Mechanisms
 Crash failure model (Honest nodes that
may fail, but not deliberate act maliciously)
 2PC (Two Phase Commit)
 Paxos
 Quorum
 Chubby : Google File System
 Byzantine failure model
 PBFT (Practical Byzantine Fault Tolerance)
 XFT (Cross Fault Tolerance)
 Honey Badger
 Hybster (Hybrids on Steroids : SGX-based high
performance BFT)
(Bano et al., "SoK: Consensus in The Age of Blockchains", arXiv 2017)
???
Classical BFT protocols works well in centralized
setting where nodes are controlled by the same
entity or federation (e.g., Google, Naver). However,
decentralized networks that rely on volunteer
nodes need to provide incentives for participation.

Blockchain (a.k.a Distributed Append-Only Ledger)
 ‘Practical’ distributed trustless
consensus mechanism
 Everyone is the bank!
 That is, every participant keeps a copy of the
record which would classically be stored at the
central bank.
 Type : Public / Consortium / Private
(Nick Szabo, "The God Protocols", 1997)

(Michele D'Aliessi, "How Does the Blockchain Work? Blockchain Technology Explained in Simple Words", Jun 2, 2016)
(Bitcoin address)

Chaining = Timestamping

34

Property
Public
blockchain
Consortium
blockchain
Private
Blockchain
Consensus
determination
All miners
Selected set of
nodes
One organization
Read permission Public
Could be public or
restricted
Could be public or
restricted
Immutability
Nearly impossible
to tamper
Could be
tampered
Could be
tampered
Efficiency Low High High
Centralized No Partial Yes
Consensus process Permissionless Permissioned Permissioned
(An Overview of Blockchain Technology: Architecture, Consensus, and Future Trends, 2017 IEEE International
Congress on Big Data)

Property
Public
blockchain
Consortium
blockchain
Private
Blockchain
Consensus
determination
All miners
Selected set of
nodes
One organization
Read permission Public
Could be public or
restricted
Could be public or
restricted
Immutability
Nearly impossible
to tamper
Could be
tampered
Could be
tampered
Efficiency Low High High
Centralized No Partial Yes
Consensus process Permissionless Permissioned Permissioned
Consensus Core
algorithm
PoW, PoS
DPoS, PBFT, Raft
Ripple,
Tendermint(DPoS+PBFT)
DPoS, PBFT, Raft
Ripple,
Tendermint(DPoS+PBFT)
Blockchain Consensus Core Algorithms
※PoW : Proof of Useful Work / PoS : Proof of Stake / DPoS : Delegated Proof
of Stake / PBFT : Practical Byzantine Fault Tolerance

Blockchain Consensus Core Algorithms
Property PoW PoS PBFT DPoS Ripple
Tender
mint
Node
identity
manage-
ment
open open
Permission-
ed
open open
Permission-
ed
Energy
saving
no partial yes partial yes yes
Tolerated
power of
adversary
<25%
computing
power
<51% stake
<33.3% fault
replicas
<51%
validators
<20%
faulty node
in UNL
<33.3%
byzantine
voting
power
Example
Bitcoin,
Ethereum
(Ethash)
Peercoin,
PPCoin, Nxt,
BlackCoin,
(Ethereum
(Slasher))
Hyperledger
Fabric
Bitshares Ripple Tendermint
※PoUW(Proof of Useful Work) : Primecoin, Gridcoin / PoB(Proof of Burn) /
PoET(Proof of Elapsed Time)
(Unique Node List)

38
 Basically the PoW(Proof of Work)
demonstrates that a participant has done
some work and gets a reward.
First? Not!

39
 The Bitcoin protocol makes use of PoW to
prevent Sybil attacks (single user
pretends many fake/sybil identities), and to
synchronize the network loosely (i.e., to
ensure for block to reach every corner of
the network).
 Idea : User solve moderately hard puzzle
First? Not!
Hard to find solution Easy to verify

40
First? Not!
fake IDA fake IDB fake IDC
The cumulative computing power from all the miners,
secures the network against potential attacks from a hacker!

41
 Now new!
 C.Dwork and M.Naor, “Pricing via Processing
or Combating Junk Mail”, CRYPTO 1992.
 For combating email spam
 A.Back, “Hashcash - A Denial of Service
Counter-Measure”, TR, August 2002.
 For limiting Denial-of-Service attacks
First? Not!

42
Block 78A…
prev block:
#497…
hash of transactions:
txn a78… ‖ signature
txn ffe… ‖ signature
txn 111… ‖ signature
…
random nonce (guess):
9758…
Block 087…
prev block:
#78A…
txn 91c… ‖ signature
…
3004…
Hash output of
prev block

43
Block 78A…
prev block:
#497…
txn ffe… ‖ signature
…
9758…
Block 087…
prev block:
#78A…
txn 91c… ‖ signature
…
3004…
Hash output of
prev block
Proof of Work
When 1 zero added, work will be doubled
Because 25 = 24 * 2
depends on D leading zero bits

44
[Note] (Cryptographic) Hash Function

45
[Note] Bitcoin Block Structure
(Kiran Vaidya, "Bitcoin's Implementation of Blockchain", Dec 7, 2016)

46
 Merkle Tree
 Patented by Ralph Merkle in 1979
 Saves memory
 Only the root (top) hash added to the
blockchain
 Only own branch of the tree relevant
[Note] Bitcoin Block Structure

47
 For preventing inflation, the rewarding
price halves approximately every 4 years.
 The initial reward was 50 Bitcoins in 2009,
then 25 Bitcoins in 2013, 12.5 Bitcoins in
2016 and it will happen again in the future.
 With the constant halving, eventually there
will only be about 21 million Bitcoins.
 At around year 2140, all Bitcoins will have
been generated.
 Block rewards → Transaction fees
Bitcoin Mining Block Reward
(* But, in ACM CCS 2016, Miles Carlsten et al. showed that the stability of bitcoin is
NOT guaranteed as mining rewards decline.)

Soft Fork vs. Hard Fork
(Image : Invetopedia)
Follows
Old
Rules
Follows
Old
Rules
Follows Old Rules
But Violates
New Rules
Follows
Old & New
Rules
Follows
Old & New
Rules
Follows
Old
Rules
Blocks From
Non-Upgraded
Nodes
Blocks From
Upgraded
Nodes
A Soft Fork : Blocks Violating New Rules Are Made Stale By Upgraded Mining Majority
A Hard Fork : Non-Upgraded Nodes Reject The New Rules, Diverging The Chain
Follows
Old
Rules
Follows
Old
Rules
Blocks From
Non-Upgraded
Nodes
Blocks From
Upgraded
Nodes
Follows
Old
Rules
Follows
Old
Rules
Follows
New
Rules
Follows
New
Rules
Follows
New
Rules
Follows
New
Rules

49
Main Challenges with PoW Blockchain
Bitcoin has worked surprisingly
well in practice so far...
Will Bitcoin ‘still’ work in practice
in the future?

50
Decentralized
Scale Consensus
Main Challenges with PoW Blockchain

51
 In the initial design stage of Bitcoin,
Satoshi Nakamoto hoped that all the
participants can use the CPU to mine.
 So the hashing power can match the nodes
and each node has the opportunity to
participate in the decision-making of the
blockchain.
Q) Decentralized?

52
 However, with the development of
technology and the appreciation of Bitcoin,
the machines that are specially designed
for mining are invented.
 CPU → GPU → FPGA → ASIC
 And the hashing power is grouped in the
participants that have large numbers of
mining machines.
 The mining pools are operated centrally or are
designed in a P2P way.
Q) Decentralized?

53
Q) Decentralized?

54
Q) Decentralized?

55
Q) Decentralized?
(Financial Cryptography and Data Security 2018)

56
Q) Decentralized?
Neither are all that decentralized!
Both Bitcoin and Ethereum mining are very centralized,
with the top four miners in Bitcoin and the top three
miners in Ethereum controlling more than 50% of the
hash rate.
(Financial Cryptography and Data Security 2018)

57
 Mining pools are groups of cooperating
miners who agree to share block
rewards in proportion to their
contributed mining hash power.
[Note] What is a Mining Pool?
(Jordan Tuwiner, "Bitcoin Mining Pools", July 13, 2017)

58
 ‘Decentralization’ means that every
participating node on the network
processes every transaction and maintains a
copy of the entire state. Possible?
 Bitcoin's security heavily depends on the
assumption that the block propagation time
<< block generation time.
 Bitcoin blockchain can only process nearly 7
transactions / 1 second (10 minutes / 1 block) to
ensure for block to reach every corner of the network.
 VISA system can process 1700 transaction / 1 second.
 In fact, the blockchain actually gets weaker
as more nodes are added to its network.
Q) Scalability?
(Preethi Kasireddy, "Blockchains Don’t Scale. Not Today, at Least. But There's Hope", Aug 23, 2017)

마스터 제목 스타일 편집[Note] Bitcoin vs. P2P File Sharing
 The Bitcoin network has aims which
differ from those of peer-to-peer file
sharing systems.
 In Bitcoin, the aim is not to find specific
files or data items, but to distribute
information as fast as possible to reach
consensus on the block chain.
(Florian Tschorsch Björn Scheuermann, "Bitcoin and Beyond: A Technical Survey on Decentralized Digital
Currencies", IEEE Communications Surveys & Tutorials (COMST), Mar 2, 2016)

60
 In a traditional database system, the
solution to scalability is to add more
servers to handle the added transactions.
 But in the decentralized blockchain world…
 Increasing the block size
 SegWit (Segregated Witness)
 Off-chain state channels : Lightning Network,
Raiden Network
 DB Sharding
 Plasma
 Off-chain computations : TrueBit
Q) Scalability?

61
Q) Scalability?
실험에서 9301건의 지급지시 처리에 기존 9시간보다 2시
간 33분이 추가로 소요됐다. 시스템 장애시 복구에도 어려
움을 겪었다.

62
[Note] Increasing Block Size (2017)
("Bitcoin Cash is Bitcoin", Oct 2017, www.bitcoin.com)
(SegWit Chain)

63
[Note] SegWit (2017)
Signatures are an integral part of the chain
Signatures are outside of the chain.
(Peter Rizun, “SegWit Coins Are Not Bitcoins”, The Future of Bitcoin Conference 2017)

64

65

66
[Note] Off-Chain State Channels
via
multi-signature
or some sort
of smart
contract

67
 Consensus in asynchronous distributed
computing has been known to be
unsolvable since 1985.
Q) Security? – Algorithms
Short delay
Long delay

68
 Blockchain consensus algorithms meet the
theoretical fault tolerance under the
assumptions of a fully synchronous
network (i.e. messages are instantly delivered without delays).
 Juan Garay, Aggelos Kiayias, and Nikos
Leonardos, “The Bitcoin Backbone Protocol:
Analysis and Applications”, EUROCRYPT 2015.
 It remains unclear what are the guarantees
offered by blockchain consensus algorithms
and what are the necessary conditions for
these guarantees to be satisfied.
(* Asynchronous setting is even more complex and analyzed in 2016 under a-priori bounded adversarial
delays and random oracle model)

69
 Finney attack or Zero-confirmation attack (2011)
 Vector 76 or One-confirmation attack (2011)
 Block withholding (BWH) attack (2011, 2016)
 Time jacking (2011)
 Double spending or Race attack (2012)
 Brute force attack (2013)
 >50% hashpower or Goldfinger (because it will probably destroy the Bitcoin
network) (2013)
 Block discarding (2013, 2014) or Selfish mining (2014)
 Punitive and Feather forking (2013, 2016)
 Transaction malleability (2014, 2015)
 Wallet theft (2014)
 DDoS (2014)
 Eclipse Attack or Netsplit (2015)
 Tampering (2015)
 Bribery attacks (2016)
 Fork after withholding (FAW) attack (2017)
 Refund attacks (2017)
 Bitcoin Hijacking (2017), etc.

70
 (e.g.) Blockchain is vulnerable even if
only a small portion of the hashing
power is used to cheat.
 Up to now, the top 5 mining pools together
owns larger than 51% of the total hash
power in the Bitcoin network.
 Apart from that, selfish mining strategy
showed that pools with over 25% of total
computing power could get more revenue
than fair share.
[1] "The Biggest Mining Pools," https://bitcoinworldwide.com/mining/pools/
[2] I.Eyal and E.G.Sirer, "Majority Is Not Enough: Bitcoin Mining Is Vulnerable", Financial Cryptography
and Data Security 2014.

71
[Note] Double Spending Attack
 Idea : Since Bitcoin is basically a digital
file, it's easier to copy than actual
money. This means some people can
manipulate their way to paying more
than once with the same bitcoin.
 Variants : Finney attack / Zero-confirmation
attack (2011), Vector 76 / One-confirmation
attack (2011), Brute force attack (2013), etc.
 If a miner (or mining pool) is able to mine
blocks with a faster rate than the rest of the
Bitcoin network, the possibility of a successful
double spending attack is high.

72
[Note] Double Spending Attack
 For now, there is NO solution that
guarantees the complete protection from
double spending in Bitcoin.
 The most effective way to prevent them
is to wait for multiple numbers of
confirmations (e.g., 6 blocks x 10
minutes) before delivering goods or
services.
 Not appropriate for fast payment scenarios!

73
[Note] Selfish Mining Attack (2014)
 Idea : The attacker will mine his blocks
privately and release them at the right
time so that honest miners waste their
computational power.
 Called ‘selfish mining’ or ‘block
discarding(or withholding)’
 ‘Block withholding’ is also sometimes used in the
context of mining pools - submitting shares but
withholding valid blocks

74
…
State 0 : Only a single public chain.
(Philippe Camacho, "Analyzing Bitcoin Security", Jun 15, 2016)

75
State 1 : Adversary manages to mine a
block. The block is kept private.
…

76
State 2 : Adversary manages to mine a
block. The block is kept private.
…

77
State 3 : Honest miners find a block.
…
In this
situation the
private
chain is
published
and the
honest
miners loose
their block.

78
State 3 : After releasing the private chain,
back to state 0.
…
New head of
the public
chain.

79
[Note] Block Withholding Attack (2011)
☞ Partial PoW (or Share) : Nonce making hash value with d(<D) leading zeros
(e.g. (D=4)) Partial PoWs : Nonces making 0011X, 0010X, 0001X, etc.
Full PoWs : Nonces making 0000X
(by PPS(Pay-Per-Share), PPLNS, etc.)

80
 Idea : Withholding certain blocks.
 Sabotage Attack on Mining Pools : Not
submitting correct PoWs at all (but
submitting only the dud PoWs) to cause
financial harm to the pool or its participants.
 Purely destructive! (i.e., Don't make any financial
sense. It just makes everybody loose!)
 Lie-in-Wait Attack on Mining Pools : Delay
submitting of a correct PoW, and uses the
knowledge of the imminent block to focus
his mining on where it is most rewarding.
 Profitable!

81
 Sabotage Attack on Mining Pools
 Results :
 The pool looses money.
 The dishonest miner doesn't earn anything (also
looses a very small amount).
 Thus ‘purely destructive’!
Dishonest Miner Mining Pool Operator
Dud PoW
Money
Correct PoW
(excessively
rare case)
(Stefan Dziembowski, "Mining Pools and Attacks", Workshop on Bitcoin, Introduction to Cryptocurrencies, Jun 6-7, 2016)

82
 Sabotage Attack on Mining Pools
 Adversary's goal : Make the mining pool
bankrupt (e.g. he owns a competing pool).
 It is rumored that in June 2014 such an attack
was executed against the mining pool Eligius.
Estimated loses : 300 BTC.
Dishonest Miner Mining Pool Operator
Dud PoW
Money
Correct PoW
(excessively
rare case)

83
 Lie-in-Wait Attack on Mining Pools
 Mining for several mining pools and
strategically calculating the time to
submit his correct blocks.
Dishonest Miner
1/3 Computing Power
Mining Pool P1
Mining Pool P2
Mining Pool P3

84
 Lie-in-Wait Attack on Mining Pools
 Once you find a correct PoW for P2 (say) :
1. Wait with submitting it.
2. Directs all mining capacity to P2.
3. Submit the solution to P2 after sometime.
It can be formally shown that this is
profitable. (Rosenfeld, 2011)
Intuition :
P2 is a very
likely winner

85
[Note] The Miner’s Dilemma (2015)
 If two pools attack each other with
block withholding attack, they arrive at a
Nash Equilibrium in which each earns
less than they would have if neither of
them attacked.

86
[Note] Eclipse Attack (2015)
 Idea : The attacker surrounds the victim
in the P2P network so that it can filter
his view on the events.
(E.Heilman, A.Kendler, A.Zohar, and S.Goldberg, "Eclipse Attacks on Bitcoin’s Peer-to-Peer Network", USENIX Security 2015)

87
[Note] Transaction Malleability (2014)
 txID (Transaction Identifier) : A SHA-256
hash of all the fields of the transaction data
 Transaction Malleability : Changing the
txID without invalidating the signature
 Actual Damage from Malleability :
 A problem arises particularly with wallets that
use only txID to identify transactions.
 If a tampered transaction is captured and confirmed
in the block before the correct transaction, the
balance in Wallet will be mismatched. Then the
correct transaction is considered double payment
from the node and it will be processed as an invalid
transaction.

88
 Bitcoin Transaction Message

89
 Original scriptSig

90
 Changed scriptSig

91
 txID
(Ken Shirriff, "Bitcoin Transaction Malleability: Looking at The Bytes", Feb 13, 2014)

92

93
We store some funds on Mt. Gox. We do a withdrawal. We find the
transaction and change it. We submit the changed transaction faster
than Mt. Gox. The new transaction sometimes wins and we have our
money. We wait 2 days and complain to Mt Gox that our money
hasn't arrived. They search with the old txID and see that the original
transaction wasn't processed (they think you weren't paid yet). They
pay you again with different money. Yay!!

94
Q) Security? – Source Code

95
Q) Security? – Exchanges

96
 Storing in plaintext on the PC - bad idea
(malware attacks)
 Encrypting with a password - susceptible to the
dictionary attacks
 Better : Split the key between several devices.
Two options :
 Use the multi-signature feature of Bitcoin
 Use secret sharing and the multi-party
computations
 Store on the USB memory - also susceptible to
malware (once connected to the PC).
 Use a smarter device - more secure, especially if
it has a display.
Q) Security? – Wallet Theft

97
Q) Security? – Price Manipulation

98
 Recent studies have demonstrated that
about 40% of Bitcoin users are able to
be identified through these public
transaction logs. This is due, in part, to
Bitcoin’s increased reliance on a few
large accounts.
(Preston Miller, "Virtual Currencies and their Relevance to
Digital Forensics“, Apr 9, 2017)
Q) Anonymity & Privacy?

99
Anonymity = Pseudonymity + Unlinkability

100
 Pseudonymity of Bitcoin Transactions

101
 Unlinkability of Bitcoin Transactions
If Alice conducts two bitcoin transactions
using different bitcoin addresses
("pseudonyms"), how hard is it for those
transactions to be linked?

102

103
Trust Problem with Mixing Services! : From Bitcoin's
perspective, transferring coins means changing the
ownership in a irreversible way. At this point, the mix
(who might be malicious) is the legitimate owner of the
coins. Thus, he could spend them for whatever he likes.
This monetary aspect should not be underestimated, as
it amplifies the trust problem with mixing services.

104
(√: zk-STARKs)
[1] Bitcoin Beginner, “Privacy Coin Comparison”, December 30, 2017
[2] Felix Küster, "Privacy Coins Guide: Comparison of Anonymous Cryptocurrencies", Aug 23, 2017

105
(√: zk-STARKs)
Increasing privacy level at the price of a bloated
block chain and more complex operations!
[1] Bitcoin Beginner, “Privacy Coin Comparison”, December 30, 2017
[2] Felix Küster, "Privacy Coins Guide: Comparison of Anonymous Cryptocurrencies", Aug 23, 2017

106
[Note] Ring Signature (2001)

107
[Note] zk-SNARKs (2012)

108
(CRYPTO’86)

109
(CRYPTO’86)

110

111
 Zero-Knowledge Succinct Non-interactive
ARgument of Knowledge
 Cryptographic method for proving/verifying, in
zero-knowledge, the integrity of computations.
 In Bitcoin, transactions are validated by linking the
sender address, receiver address, and input and
output values on the public blockchain.
 Zcash uses zk-SNARKs to prove that the conditions
for a valid transaction have been satisfied without
revealing any crucial information about the
addresses or values involved.
 However, requires a trusted setup.

112
 A block 74638 (Aug 2010) contained a
transaction with two output summing to
over 184 billion BTC - this was because of
an integer overflow in Bitcoin software.
 Solved by a software update and a "manual
fork". One double spending observed (worth
10,000 USD).
 A fork at block 225430 (March 2013)
caused by an error in the software update
of Bitcoin Core.
 Lasted 6 hours, solved by reverting to an older
version of the software.
Q) Programming Errors
(Stefan Dziembowski, "Mining Pools and Attacks", Workshop on Bitcoin, Introduction to Cryptocurrencies,
Jun 6-7, 2016)

113
Q) Wastes Vast Amounts of Energy?
(√: zk-STARKs)

114
 Decentralized unlicensed exchanges
(DEXs) vs. Centralized licensed exchanges
 (e.g.) EtherDelta
 Storage constraints
 Lack of governance and standards
 Quantum computing threat
 … and more.
Other Challenges with PoW Blockchain

Ethereum (2013)
 Distributed Turing Machine with
Blockchain Protection (by Vitalik Buterin)
 Distributed Turing Machine
 A smart contract program is executed by a
network of miners who reach consensus on the
outcome of the execution,
 Turing Machine with Blockchain Protection
 and update the contract’s state on the
blockchain accordingly.

Ethereum (2013)
(https://bytescout.com/blog/ethereum-turing-blockchain.html)

Ethereum (2013)
It is better to think of smart contracts not as signing
a contract but as executing pieces of simple code
(executed inside of the virtual machine).

Ethereum (2013)
The one who calls the contract must pay. To do this,
Ethereum uses the so-called Gas – this is a small
piece of Ether (ETH) – the domestic currency.

Ethereum (2013)
 TM (= Transaction-based State Machine)
with Blockchain Protection
 In computer science, a state machine refers
to something that will read a series of
inputs and, based on those inputs, will
transition to a new state.

Ethereum (2013)
 TM (= Transaction-based State Machine)
with Blockchain Protection
State instead of History!

Ethereum (2013)
(very similar to Javascript)
(Ethereum VM is Turing-complete)
(Note : Bitcoin has a ad-hoc, non-Turing-complete stack-based
scripting language with fewer than 200 commands called 'opcodes'.)
Solidity
Ethereum Bytecodes
Ethereum VM
compiles to
executed by

Ethereum (2013)
Solidity
Ethereum Bytecodes
Ethereum VM
compiles to
executed by
This makes Ethereum susceptible to the halting problem. If there were no fees, a malicious
actor could easily try to disrupt the network by executing an infinite loop within a transaction,
without any repercussions. Thus, fees protect the network from deliberate attacks.

Ethereum (2013)

127
[Note] Smart Contracts (1996)

128
Smart Contract : A set of promises, specified in digital
form, including protocols within which the parties
perform on these promises.
- Observability
- Verifiability
- Privity
- Enforceability

129
“Smart contracts often involve trusted third parties,
exemplified by an intermediary, who is involved in the
performance, and an arbitrator, who is invoked to
resolve disputes arising out of performance (or lack
thereof).”

 Mining Ether = Securing the network =
Verify computation
 Ethereum’s PoW algorithm is called
Ethash
 A modified version of Dagger-Hashimoto
 Memory hard, making it basically ASIC-
resistant
 Will be switched to PoS
 Blocks are mined on average every 15
seconds.
 Thus Ethereum’s blockchain can process
around 25 transactions / 1 second.
Ether Mining

131
 Computing a valid proof of work should
require not only a large number of
computations, but also a large amount
of memory.
[Note] Memory Hardness

132
[Note] Memory Hardness

133
[Note] PoS (Proof of Stake)

134
 Idea : (Consensus by Bet) Someone
who has a lot of stake will not do
anything to endanger this stake, such as
cheating, because then it would become
less valuable.
 However, PoS has not been as successful as
Proof-of-Work.

135
 Casper PoS Algorithm
1. The validators stake a portion of their Ethers as
stake.
2. After that, they will start validating the blocks.
Meaning, when they discover a block which
they think can be added to the chain, they will
validate it by placing a bet on it.
3. If the block gets appended, then the validators
will get a reward proportionate to their bets.
4. However, if a validator acts in a malicious
manner and tries to do a "nothing at stake",
they will immediately be reprimanded, and all
of their stake is going to get slashed.

Ethereum’s GHOST Protocol
 Because of the way Ethereum is built,
block times are much lower (~15
seconds) than those of other blockchains,
like Bitcoin (~10 minutes).
 This enables faster transaction
processing. However, one of the
downsides of shorter block times is that
more competing block solutions are
found by miners.

 Ethereum’s GHOST(Greedy Heaviest
Observed Subtree) was introduced in
2013 to solve this problem by rewarding
also to ommer/uncle block (i.e., inviting the entire
tree structure of transactions).
 An ommer/uncle is a smaller reward than a
full block. And the reward rapidly diminishes,
ending at zero after seven blocks later.
 You reward miners to "confirm" that they
are uncles, and this helps securing the
network by making the chain "heavier".
Ethereum’s GHOST Protocol

139
 Lack of formal contract verification!
 (e.g.) The launch of The DAO was anticipated
by almost everyone so immediately after the
launch, about $165 million was sent to the
fund. This was a great event in the community.
 A week after the launch, an error was found in the
code of the smart contract in the very place where
the logic was implemented "to get out and take your
share out of the fund."
 The essence of the bug was that instead of the address of
the recipient of the share, it was possible to use the
address of another smart contract.
 So the hackers brought to their accounts more than
$65 million!
Main Challenges with Smart Contracts

 Decentralized Autonomous Organization
 Launched on 30 April 2016
 Crowdfunding using smart contracts
 A smart contract was a guarantee that no one
will deceive anyone and there will be absolute
democracy in all aspects. It even took into
account the option that some participants will
want to leave the DAO and take their shares
out of the fund.
 (e.g.) If they do not agree with the choice of projects
or just want to play for investors themselves
[Note] DAO (2016)

ICO
 (Classic) Initial Coin Offering
 Similar to an IPO, but here investor got
nothing other than the digital tokens
Investors
Company
New
Crypto
Currency

DApp
 Decentralized Application
 App
 Frontend Code & UI : make calls to its
backend
 Backend Code : runs on centralized servers
 DApp
 Frontend Code & UI : make calls to its
backend
 Backend Code : runs on a decentralized
P2P network (i.e., Ethereum Contracts)

DApp

IOTA & Tangle (2015)
 IOTA : Cryptocurrency for the IoT
 Tangle : DAG for storing transactions
(Directed Acyclic Graph) (Sequential List)

 IOTA : Cryptocurrency for the IoT
 Tangle : DAG for storing transactions
(Directed Acyclic Graph) (Sequential List)
Our world is currently
entangled. The tangle with
bind it together.

 Main focus of the IOTA is on the IOT
and M2M micropayment transactions.
 IOTA scales almost infinitely, unlike
Blockchains.
 IOTA is free in the sense that zero
transaction fee.
 Essentially the transaction fee is verifying
other transactions.
 IOTA has an integrated quantum-
resistant algorithm, the WOTS(Winternitz
One-Time Signature) scheme.

147
[Note] One-Time Signature (1979)

 In order to issue a transaction, do the following:
1. Choose two other transactions (that you will verify)
according to a ’Transaction Selection Algorithm’.
2. If you find that there is a transaction conflicting
with the tangle history, you should not approve
the conflicting transaction in either a direct or
indirect manner.
3. When issuing a valid transaction, you must solve a
cryptographic puzzle similar to those in the
Bitcoin blockchain (On average, it is around 38).
Basic Idea: A newly issued transaction is obligated
to approve TWO old transactions.
Propagation Incentive for Users: You will be dropped by your neighbor, when you show
laziness toward propagating transactions (i.e., always approve a pair of very old
transactions, therefore not contributing to the approval of more recent transactions).
(Serguei Popov, “The Tangle”, Oct 1, 2017, Version 1.3)

149
[Note] Transaction Selection Algorithm
 Random : Not good, for it does not
encourage approving tips.
 Random among the top section
(section near tips) : Good. Tips have a
much higher probability to be selected
and approved.
 MCMC(Markov Chain Monte Carlo)-based
algorithm
(Jeff Hu, "IOTA Tangle: Introductory Overview of White paper for Beginners", Sep 28, 2017)

(Tangle Visualization : https://simulation1.tangle.works/)

Genesis transaction : approved either directly or indirectly by all other transactions
Tips : Unapproved transactions

Here, each transaction has a cumulative weight that changes over time. It is defined as the number of subsequent transactions
that have approved it directly or indirectly. Morally, an honest transaction has a much greater weight than a fraudulent transaction.

153
 34% Attacks
 Blockchain is vulnerable if one party has 51% of
the computing power on the network.
 Since IOTA uses the Tangle to verify its
transactions, it's theoretically vulnerable if one
party controls only 34% (greater than 1/3) of
the network's computing power.
 Early in IOTA's implementation is when it's most
vulnerable to such an attack. Since the early network
is small, with fewer nodes, it's easier for an attacker
to accumulate a 34% share of the network. To
combat this threat, IOTA is using a "Coordinator" in
its implementation.
Main Challenges with Tangle

154
 Centralization
 Coordinator : Run by Iota Foundation and is not
open-source. Its main purpose is to protect the network
until it grows strong enough to sustain against a large
scale attack from those who own GPUs.
 Milestone : A special transaction issued by a Coordinator.
Milestones set general direction for the tangle growth and do
some kind of checkpointing. Transactions (in)directly
referenced by milestones are considered as confirmed.
 This means that IOTA in its current form does not
provide any censorship resistance, since the path of
the tree is centrally directed through a Coordinator node
run by the IOTA Foundation.
 Even if the Coordinator is planned to become optional
someday, we currently have no way to verify that the
technology will ever actually work safely without it.
(Eric Wall, "IOTA Is Centralized", Jun 14, 2017)

155
 Lack of Testing and Peer Review
 A number of crypto experts have
questioned IOTA's viability as a platform. The
technology behind IOTA simply hasn't been
tested enough to know how it will work at
scale, and how it will hold up to attacks.
 IOTA's developers chose their own homemade
cryptography instead of using established
standards.

156
(Note) On Aug 7 2017 IOTA deployed a hardfork to their system to stop using Curl for signature message hashing. The
signature forgery vulnerability was fixed in IOTA Reference Implementation (IRI) version 1.3, IOTA wallet version 2.4.0.
(July 14, 2017)

157
(IOTA Foundation, "Official IOTA Foundation Response to the Digital Currency Initiative at the MIT Media Lab — Part
4/4", Jan 7, 2018)

158
(IOTA Foundation, "Official IOTA Foundation Response to the Digital Currency Initiative at the MIT Media Lab — Part
4/4", Jan 7, 2018)
IOTA's Curl-P function is not a cryptographic
function nor was it intended to be. With Coordinator
IOTA's security depends on one-wayness of Curl-P,
without Coordinator the security depends on collision
resistance.
Curl-P was indeed deployed in the open-source IOTA
protocol code as a copy-protection mechanism to
prevent bad actors cloning the protocol and using it
for nefarious purposes.

Litecoin (2011)
 Released on October 7, 2011 by Charlie Lee.
 It was inspired by, and in technical details is
nearly identical to, Bitcoin.
 The Litecoin Network aims to process a
block every 2.5 minutes, rather than
Bitcoin's 10 minutes.
 Due to Litecoin's use of the scrypt
algorithm, FPGA and ASIC devices made for
mining Litecoin are more complicated to
create and more expensive to produce than
they are for Bitcoin, which uses SHA-256.

Cardano (2017)

NEO (2015)
 Released in June 2015 by Da Hongfei.
 Formerly known as ‘AntShares’. Often
referred to as Chinese Ethereum.

162
What Happens in Korea Now!
 recipe( )
(Satoshi
Nakamoto)
(Bitcoin) .

,
.
 .

163

recipe( )
( )
.

.
 ,
.
,
.

164
 recipe
.

- recipe
- "
recipe
recipe
" .

165
Conclusions

166
Conclusions
(Karl Wüst and Arthur Gervais, "Do You Need a Blockchain?", Cryptology ePrint Archive: Report 2017/375)

167
 Steven Bellovin : “A lab experiment that
escaped into the wild.”
 Matt Blaze : “Cryptocurrency somehow
combines everything we love about
religious fanatics with everything we love
about Ponzi schemes.”
 Joseph Bonneau : ”Bitcoin works in
practice, but not in theory.”
 Seungjoo Kim : ”Blockchain technology is
like stem cells. Promising but still many
challenges remain...”
Conclusions

168
Conclusions

169
Conclusions
(Feb 12, 2018)

170
Conclusions

171

172
정부의 '거래소 폐쇄'에 대한 의견은?
 ,
78.2% .
 42.6% ,
35.6% .
 1988 Electronic Cash
David Chaum
, 2008 Bitcoin
Satoshi Nakamoto
‘ ’ .
 ‘ (mining)’
.

173
정부의 '거래소 폐쇄'에 대한 의견은?
 ‘ ’ Electronic
Cash Bitcoin , ‘
’ ‘ ’ .
 DEXs
‧ ( : EtherDelta).
 ‘ ’
.

.
.

.

174
가상화폐는 화폐인가?
 ,
(1)
(2) .
 (1)
. (2)
.

175
블록체인과 가상화폐, 분리가 가능한가?
 2015 .
 ( , )
'
(consensus algorithm)' .
 ' (mining &
reward)'
(practical)
' '
.
.

176

81%
' '
' '
,
 ->
->
.

177
 "
"
,
.

BOScoin(BOS), ICON(ICX), Medibloc(MED),
PlusCoin(PLC), Linker coin(LNC), Hycoin
(HYCOI), HDAC, Berith coin, Aston, Fuze X
,
,
(
) .

178
 Killer App
,
.

179
바람직한 투자 환경이 조성되려면?

' (mining & reward)'
.
.
 ' ＇
,
ACM CCS 2016
.

 (1)
 (2)
.

180
 .
 :
.
showing .
 : white paper
' ' ,
' ' .
.
 :
,
,
.
바람직한 투자 환경이 조성되려면?

References
 [경제금융협력연구위원회(GFIN) 세미나]
비트코인, 돌멩이인가? 신화폐인가?
https://youtu.be/OGgtyDrYHAs
 [암호인의 보안이야기 블로그] Blockchain
and Crytocurrency 101 (Part 1)
http://amhoin.blog.me/221197974174
 [암호인의 보안이야기 블로그] 블록체인
recipe와 비트코인 쿠폰 사이에는 무슨 일이
있었을까?
http://amhoin.blog.me/221189662029

Virtual Currency Myth and Reality (Ver. 3.0 (182 pages) : Extended Version of Seoul National Univ. China AMP Seminar, Jan 24, 2018)

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Virtual Currency Myth and Reality (Ver. 3.0 (182 pages) : Extended Version of Seoul National Univ. China AMP Seminar, Jan 24, 2018)

Semelhante a Virtual Currency Myth and Reality (Ver. 3.0 (182 pages) : Extended Version of Seoul National Univ. China AMP Seminar, Jan 24, 2018) (20)

Mais de Seungjoo Kim

Mais de Seungjoo Kim (20)

Último

Último (20)

Virtual Currency Myth and Reality (Ver. 3.0 (182 pages) : Extended Version of Seoul National Univ. China AMP Seminar, Jan 24, 2018)