![Page 1: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/1.jpg)
Flexible Models for Secure Systems
Sarah Meiklejohn
![Page 2: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/2.jpg)
A creation story
2
Motivating scenario that founded modern cryptography:
![Page 3: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/3.jpg)
A creation story
2
Motivating scenario that founded modern cryptography:
![Page 4: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/4.jpg)
A creation story
Hi Bob!
2
Motivating scenario that founded modern cryptography:
![Page 5: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/5.jpg)
A creation story
Hi Bob!
2
(Browser) (Web server)
(CC#)Motivating scenario that founded modern cryptography:
![Page 6: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/6.jpg)
A creation story
Hi Bob!
Security model for this interaction is well established
2
(Browser) (Web server)
(CC#)Motivating scenario that founded modern cryptography:
![Page 7: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/7.jpg)
A creation story
Hi Bob!
Security model for this interaction is well established
2
?(Browser) (Web server)
(CC#)Motivating scenario that founded modern cryptography:
![Page 8: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/8.jpg)
A creation story
Hi Bob!
Security model for this interaction is well established
Encryption works for secure online communication: SSL/TLS [1996]
2
?(Browser) (Web server)
(CC#)Motivating scenario that founded modern cryptography:
![Page 9: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/9.jpg)
A creation story
Hi Bob!
Security model for this interaction is well established
Encryption works for secure online communication: SSL/TLS [1996]
2
encryption
(Browser) (Web server)
(CC#)Motivating scenario that founded modern cryptography:
![Page 10: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/10.jpg)
Fast-forward 15 years…
3
![Page 11: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/11.jpg)
Fast-forward 15 years…
3
![Page 12: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/12.jpg)
Fast-forward 15 years…
3
![Page 13: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/13.jpg)
Fast-forward 15 years…
3
![Page 14: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/14.jpg)
Fast-forward 15 years…
3
![Page 15: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/15.jpg)
Fast-forward 15 years…
3
![Page 16: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/16.jpg)
Fast-forward 15 years…
3
![Page 17: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/17.jpg)
Fast-forward 15 years…
3
Problem #1: everyone is an adversary!
![Page 18: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/18.jpg)
Fast-forward 15 years…
3
Problem #1: everyone is an adversary!
![Page 19: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/19.jpg)
Fast-forward 15 years…
3
Problem #1: everyone is an adversary!
![Page 20: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/20.jpg)
Fast-forward 15 years…
3
Problem #1: everyone is an adversary!
![Page 21: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/21.jpg)
Fast-forward 15 years…
3
Problem #1: everyone is an adversary!
![Page 22: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/22.jpg)
Fast-forward 15 years…
4
Problem #2: what are the security goals?
![Page 23: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/23.jpg)
Fast-forward 15 years…
4
Problem #2: what are the security goals?
![Page 24: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/24.jpg)
Fast-forward 15 years…
4
• can Bob retrieve Alice’s files?
Problem #2: what are the security goals?
![Page 25: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/25.jpg)
Fast-forward 15 years…
4
• can Bob retrieve Alice’s files?• can Dropbox read Alice’s files?
Problem #2: what are the security goals?
![Page 26: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/26.jpg)
Fast-forward 15 years…
4
• can Bob retrieve Alice’s files?• can Dropbox read Alice’s files?• did Dropbox delete Alice’s files?
Problem #2: what are the security goals?
![Page 27: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/27.jpg)
Fast-forward 15 years…
4
• can Bob retrieve Alice’s files?• can Dropbox read Alice’s files?• did Dropbox delete Alice’s files?• can Dropbox efficiently store files?
Problem #2: what are the security goals?
![Page 28: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/28.jpg)
Fast-forward 15 years…
4
• can Bob retrieve Alice’s files?• can Dropbox read Alice’s files?• did Dropbox delete Alice’s files?• can Dropbox efficiently store files?• ?
Problem #2: what are the security goals?
![Page 29: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/29.jpg)
A spectrum of solutions
5
![Page 30: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/30.jpg)
A spectrum of solutions
theory practice
5
![Page 31: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/31.jpg)
A spectrum of solutions
theory practice
5
![Page 32: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/32.jpg)
A spectrum of solutions
theory practicee-cash [C82]
5
![Page 33: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/33.jpg)
A spectrum of solutions
theory practicee-cash [C82]
5
![Page 34: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/34.jpg)
A spectrum of solutions
theory practicee-cash [C82]outsourced comp. [GGP10]
5
![Page 35: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/35.jpg)
A spectrum of solutions
theory practice
FHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
5
ORAM [GO96]
MPC [Y82]
![Page 36: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/36.jpg)
A spectrum of solutions
theory practice
FHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
5
ORAM [GO96]
MPC [Y82]
![Page 37: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/37.jpg)
A spectrum of solutions
theory practice
FHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
5
Wickr
ORAM [GO96]
MPC [Y82]
![Page 38: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/38.jpg)
A spectrum of solutions
theory practice
FHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
5
Wickr
ORAM [GO96]
MPC [Y82]
![Page 39: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/39.jpg)
A spectrum of solutions
theory practice
FHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
5
Wickr
diaspora*ORAM [GO96]
MPC [Y82]
![Page 40: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/40.jpg)
A spectrum of solutions
theory practice
SSL/TLS
Tor
BitcoinFHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
PGP
5
TrueCrypt Wickr
diaspora*ORAM [GO96]
MPC [Y82]
![Page 41: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/41.jpg)
A spectrum of solutions
theory practice
SSL/TLS
Tor
BitcoinFHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
PGP
5
TrueCrypt Wickr
diaspora*ORAM [GO96]
MPC [Y82]
![Page 42: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/42.jpg)
A spectrum of solutions
theory practice
SSL/TLS
Tor
BitcoinFHE [G09]
e-cash [C82]outsourced comp. [GGP10]
RKA [B93,K93]
PGP
5
TrueCrypt Wickr
diaspora*ORAM [GO96]
MPC [Y82]
![Page 43: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/43.jpg)
My research
6
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
![Page 44: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/44.jpg)
My research
6
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
BitcoinRKA
![Page 45: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/45.jpg)
My research
6
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
BitcoinRKA
![Page 46: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/46.jpg)
My research
6
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
BitcoinRKA
![Page 47: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/47.jpg)
My research
6
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
BitcoinRKA
![Page 48: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/48.jpg)
Digital signatures are everywhere
7
![Page 49: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/49.jpg)
Digital signatures are everywhere
7
![Page 50: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/50.jpg)
Digital signatures are everywhere
7
![Page 51: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/51.jpg)
Digital signatures are everywhere
7
![Page 52: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/52.jpg)
Digital signatures are everywhere
7
![Page 53: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/53.jpg)
Practical security of digital signatures
8
![Page 54: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/54.jpg)
Practical security of digital signaturesSignatures are proved secure in standard cryptographic models
8
skm
pk
σSign(sk,m) Verify(pk,m,σ)
KeyGen
![Page 55: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/55.jpg)
Practical security of digital signaturesSignatures are proved secure in standard cryptographic models
Standard model is useless against side channels and fault injection
8
skm
pk
σSign(sk,m) Verify(pk,m,σ)
KeyGen
![Page 56: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/56.jpg)
Practical security of digital signaturesSignatures are proved secure in standard cryptographic models
Standard model is useless against side channels and fault injection
8
skm
pk
σSign(sk,m) Verify(pk,m,σ)
KeyGen
![Page 57: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/57.jpg)
Practical security of digital signaturesSignatures are proved secure in standard cryptographic models
Standard model is useless against side channels and fault injection
8
skm
pk
σSign(sk,m) Verify(pk,m,σ)
KeyGen
![Page 58: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/58.jpg)
Practical security of digital signaturesSignatures are proved secure in standard cryptographic models
Standard model is useless against side channels and fault injection
8
skm
pk
σSign(sk,m) Verify(pk,m,σ)
KeyGen
![Page 59: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/59.jpg)
Practical security of digital signaturesSignatures are proved secure in standard cryptographic models
Standard model is useless against side channels and fault injection
RKA (related key attack) security considers these attacks
8
skm
pk
σSign(sk,m) Verify(pk,m,σ)
KeyGen
sk φ,m m′,σ′Sign(φ(sk),m)
pk
![Page 60: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/60.jpg)
Practical security of digital signaturesSignatures are proved secure in standard cryptographic models
Standard model is useless against side channels and fault injection
RKA (related key attack) security considers these attacks
Our research can help create better RKA schemes8
skm
pk
σSign(sk,m) Verify(pk,m,σ)
KeyGen
sk φ,m m′,σ′Sign(φ(sk),m)
pk
![Page 61: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/61.jpg)
Standard definitions for signatures [GMR88]
9
![Page 62: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/62.jpg)
Standard definitions for signatures [GMR88]
9
![Page 63: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/63.jpg)
Standard definitions for signatures [GMR88]
9
sk
pkKeyGen
![Page 64: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/64.jpg)
Standard definitions for signatures [GMR88]
9
skm
pk
σSign(sk,m)KeyGen
![Page 65: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/65.jpg)
Standard definitions for signatures [GMR88]
9
skm
pk
σSign(sk,m) Verify(pk,m,σ)KeyGen
![Page 66: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/66.jpg)
Standard definitions for signatures [GMR88]
sk
9
pk
skm
pk
σSign(sk,m) Verify(pk,m,σ)KeyGen
![Page 67: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/67.jpg)
Standard definitions for signatures [GMR88]
sk m
9
pk
skm
pk
σSign(sk,m) Verify(pk,m,σ)KeyGen
![Page 68: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/68.jpg)
Standard definitions for signatures [GMR88]
sk mσ
9
pk
skm
pk
σSign(sk,m) Verify(pk,m,σ)KeyGen
![Page 69: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/69.jpg)
Standard definitions for signatures [GMR88]
sk mσ
m′,σ′
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t query m′ to oracle
9
pk
skm
pk
σSign(sk,m) Verify(pk,m,σ)KeyGen
![Page 70: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/70.jpg)
Standard definitions for signatures [GMR88]
sk mσ
m′,σ′
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t query m′ to oracle
9
pk
skm
pk
σSign(sk,m) Verify(pk,m,σ)KeyGen
![Page 71: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/71.jpg)
Standard definitions for signatures [GMR88]
sk mσ
m′,σ′
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t query m′ to oracle
9
pk
skm
pk
σSign(sk,m) Verify(pk,m,σ)KeyGen
Problem: This assumption is violated by tampering [AK96,…], side channels [W91,KJJ99,…] and fault injection [BS97,BdML97,…]
![Page 72: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/72.jpg)
Related key attacks (RKA)
Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)
10
![Page 73: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/73.jpg)
Related key attacks (RKA)
Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)
dp
σ = H(m)d mod N
10
N,e
dq
![Page 74: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/74.jpg)
Related key attacks (RKA)
Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)
σ = H(m)d mod N
10
anyperturbation
at all! dp′
N,e
dq
![Page 75: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/75.jpg)
Related key attacks (RKA)
Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)
σ = H(m)d mod N
mσ′
10
anyperturbation
at all! dp′
N,e
dq
![Page 76: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/76.jpg)
Related key attacks (RKA)
Attack on RSA-CRT [BdML97,L97] factors N given one faulty signature (attack also applies to Rabin signatures, and general RSA)
σ = H(m)d mod N
mσ′ p,q
10
anyperturbation
at all! dp′
N,e
dq
![Page 77: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/77.jpg)
φ-RKA-secure signatures [BCM11]
sk
11
pk
![Page 78: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/78.jpg)
φ-RKA-secure signatures [BCM11]
sk φ,m
11
pk
![Page 79: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/79.jpg)
φ-RKA-secure signatures [BCM11]
sk φ,mSign(φ(sk),m)
11
pk
![Page 80: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/80.jpg)
φ-RKA-secure signatures [BCM11]
sk φ,m m′,σ′Sign(φ(sk),m)
11
pk
![Page 81: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/81.jpg)
φ-RKA-secure signatures [BCM11]
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)
sk φ,m m′,σ′Sign(φ(sk),m)
11
pk
![Page 82: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/82.jpg)
φ-RKA-secure signatures [BCM11]
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)
sk φ,m m′,σ′Sign(φ(sk),m)
11
pk
Φ={id} gives standard unforgeability
![Page 83: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/83.jpg)
φ-RKA-secure signatures [BCM11]
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)
sk φ,m m′,σ′Sign(φ(sk),m)
11
pk
Φ={id} gives standard unforgeability
Φ={all functions} isn’t possible [BK03]
![Page 84: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/84.jpg)
φ-RKA-secure signatures [BCM11]
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)
sk φ,m m′,σ′Sign(φ(sk),m)
11
pk
dp φ≠id mod p,mSign(φ(d),m)
p,qdq
![Page 85: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/85.jpg)
φ-RKA-secure signatures [BCM11]
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)
[BdML97] shows that RSA-CRT is not φ-RKA-secure for non-trivial φ
sk φ,m m′,σ′Sign(φ(sk),m)
11
pk
dp φ≠id mod p,mSign(φ(d),m)
p,qdq
![Page 86: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/86.jpg)
φ-RKA-secure signatures [BCM11]
A wins if (1) Verify(pk,m′,σ′) =1 and (2) it didn’t get σ′ from oracle (when querying on φ=id)
[BdML97] shows that RSA-CRT is not φ-RKA-secure for non-trivial φ
sk φ,m m′,σ′Sign(φ(sk),m)
11
pk
Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)
dp φ≠id mod p,mSign(φ(d),m)
p,qdq
![Page 87: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/87.jpg)
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
12
![Page 88: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/88.jpg)
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
12
![Page 89: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/89.jpg)
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZK
12
![Page 90: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/90.jpg)
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
![Page 91: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/91.jpg)
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
simple construction [DHLW10,CKLM14]
}• KeyGen: crs←CRSGen; x←Dom(f); y←f(x) return (pk=(crs,y),sk=x) • Sign(sk,m): return Prove(crs,y||m,x) • Verify(pk,σ,m): return Verify(crs,y||m,σ)
![Page 92: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/92.jpg)
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
simple construction [DHLW10,CKLM14]
}• KeyGen: crs←CRSGen; x←Dom(f); y←f(x) return (pk=(crs,y),sk=x) • Sign(sk,m): return Prove(crs,y||m,x) • Verify(pk,σ,m): return Verify(crs,y||m,σ)
proof of knowledgeof secret key
![Page 93: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/93.jpg)
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
KDM storage
Joint Enc/Sig
simple construction [DHLW10,CKLM14]
}• KeyGen: crs←CRSGen; x←Dom(f); y←f(x) return (pk=(crs,y),sk=x) • Sign(sk,m): return Prove(crs,y||m,x) • Verify(pk,σ,m): return Verify(crs,y||m,σ)
proof of knowledgeof secret key
![Page 94: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/94.jpg)
Signature inherits Φ-RKA security from one-way function
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
simple construction [DHLW10,CKLM14]
}
![Page 95: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/95.jpg)
Signature inherits Φ-RKA security from one-way function
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
actuallyquite natural
simple construction [DHLW10,CKLM14]
}
![Page 96: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/96.jpg)
Signature inherits Φ-RKA security from one-way function
Many natural one-way functions (e.g., RSA) are Φ-RKA-secure with no additional assumptions
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
actuallyquite natural
simple construction [DHLW10,CKLM14]
}
![Page 97: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/97.jpg)
Signature inherits Φ-RKA security from one-way function
Many natural one-way functions (e.g., RSA) are Φ-RKA-secure with no additional assumptions
Creating new RKA-secure signatures is easier!
Our construction [Bellare M Thomson Eurocrypt14]
φ-RKA-OWF
SE-NIZKφ-RKA signature
12
actuallyquite natural
simple construction [DHLW10,CKLM14]
}
![Page 98: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/98.jpg)
Takeaway
13
Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)
![Page 99: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/99.jpg)
Takeaway
Φ-RKA-secure one-way functions are natural
13
Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)
![Page 100: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/100.jpg)
Takeaway
Φ-RKA-secure one-way functions are natural
• RSA function is secure w.r.t. exponentiation
13
Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)
![Page 101: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/101.jpg)
Takeaway
Φ-RKA-secure one-way functions are natural
• RSA function is secure w.r.t. exponentiation
• Exponentiation (f(x)=gx) is secure w.r.t. linear functions
13
Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)
![Page 102: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/102.jpg)
Takeaway
Φ-RKA-secure one-way functions are natural
• RSA function is secure w.r.t. exponentiation
• Exponentiation (f(x)=gx) is secure w.r.t. linear functions
• Learning with errors (f(s,e) = As+e mod q) is secure w.r.t. addition
13
Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)
![Page 103: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/103.jpg)
Takeaway
Φ-RKA-secure one-way functions are natural
• RSA function is secure w.r.t. exponentiation
• Exponentiation (f(x)=gx) is secure w.r.t. linear functions
• Learning with errors (f(s,e) = As+e mod q) is secure w.r.t. addition
Our result can pave the way for easier RKA constructions
13
Problem: φ-RKA schemes are really hard to construct (for interesting classes φ; for most primitives)
![Page 104: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/104.jpg)
My research
14
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
RKA Bitcoin
![Page 105: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/105.jpg)
My research
14
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
RKA Bitcoin
![Page 106: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/106.jpg)
What is Bitcoin?
15
![Page 107: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/107.jpg)
What is Bitcoin?
15
![Page 108: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/108.jpg)
What is Bitcoin?
15
Centralized
![Page 109: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/109.jpg)
What is Bitcoin?
15
DecentralizedCentralized
![Page 110: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/110.jpg)
What is Bitcoin?
15
DecentralizedCentralizedReal-world identities
![Page 111: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/111.jpg)
What is Bitcoin?
15
DecentralizedPseudonyms
CentralizedReal-world identities
![Page 112: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/112.jpg)
What is Bitcoin?
15
DecentralizedPseudonyms
CentralizedReal-world identitiesNon-public transactions
![Page 113: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/113.jpg)
What is Bitcoin?
15
DecentralizedPseudonymsPublic transactions
CentralizedReal-world identitiesNon-public transactions
![Page 114: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/114.jpg)
What is Bitcoin?
15
DecentralizedPseudonymsPublic transactions
CentralizedReal-world identitiesNon-public transactionsRegulated
![Page 115: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/115.jpg)
What is Bitcoin?
15
DecentralizedPseudonymsPublic transactionsUnregulated*
CentralizedReal-world identitiesNon-public transactionsRegulated
![Page 116: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/116.jpg)
What is Bitcoin?
15
DecentralizedPseudonymsPublic transactionsUnregulated*
CentralizedReal-world identitiesNon-public transactionsRegulatedNot anonymous
![Page 117: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/117.jpg)
What is Bitcoin?
15
DecentralizedPseudonymsPublic transactionsUnregulated*Potentially anonymous
CentralizedReal-world identitiesNon-public transactionsRegulatedNot anonymous
![Page 118: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/118.jpg)
Why study Bitcoin?
16
![Page 119: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/119.jpg)
Why study Bitcoin?
16
![Page 120: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/120.jpg)
Why study Bitcoin?
16
![Page 121: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/121.jpg)
Why study Bitcoin?
16
![Page 122: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/122.jpg)
Why study Bitcoin?
16
How much anonymity does Bitcoin really provide?
![Page 123: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/123.jpg)
Bitcoin’s explosive growth
17Jan’11 Jan’13
$/BT
C
![Page 124: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/124.jpg)
Bitcoin’s explosive growth
17Jan’11 Jan’13
we buy 30 bitcoins at $5/BTC
$/BT
C
![Page 125: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/125.jpg)
Bitcoin’s explosive growth
17Jan’11 Jan’13 Jan’14
we buy 30 bitcoins at $5/BTC
$/BT
C
![Page 126: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/126.jpg)
Bitcoin’s explosive growth
17Jan’11 Jan’13
250
Jan’14
we buy 30 bitcoins at $5/BTC
$/BT
C
![Page 127: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/127.jpg)
Bitcoin’s explosive growth
17Jan’11 Jan’13
250
1,200
Jan’14
we buy 30 bitcoins at $5/BTC
$/BT
C
![Page 128: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/128.jpg)
Bitcoin’s explosive growth
17Jan’11 Jan’13
250
1,200
Jan’14
we buy 30 bitcoins at $5/BTC
1,000*
$/BT
C
![Page 129: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/129.jpg)
Bitcoin’s explosive growth
17Jan’11 Jan’13
250
1,200
current market capitalization of > $10B!*
Jan’14
we buy 30 bitcoins at $5/BTC
1,000*
$/BT
C
![Page 130: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/130.jpg)
How does Bitcoin work?
18
![Page 131: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/131.jpg)
How does Bitcoin work?
18
• decentralized
![Page 132: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/132.jpg)
How does Bitcoin work?
18
• decentralized • decentralized• transfer money
![Page 133: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/133.jpg)
How does Bitcoin work?
18
pkB
public key address
pkA
• decentralized • decentralized• transfer money
![Page 134: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/134.jpg)
How does Bitcoin work?
18
pkB
public key address
pkA1
• decentralized • decentralized• transfer money
![Page 135: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/135.jpg)
How does Bitcoin work?
18
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money
![Page 136: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/136.jpg)
How does Bitcoin work?
18
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
Verify
Verify
• decentralized • decentralized• transfer money
![Page 137: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/137.jpg)
How does Bitcoin work?
18
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money
![Page 138: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/138.jpg)
How does Bitcoin work?
18
tx
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money • decentralized• transfer money• generate money
![Page 139: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/139.jpg)
How does Bitcoin work?
18
tx
tx
tx
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money • decentralized• transfer money• generate money
![Page 140: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/140.jpg)
How does Bitcoin work?
18
tx
tx
tx
tx
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money • decentralized• transfer money• generate money
![Page 141: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/141.jpg)
How does Bitcoin work?
18
txtx
tx
txtx
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money • decentralized• transfer money• generate money
![Page 142: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/142.jpg)
How does Bitcoin work?
18
txtxtxtx
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money • decentralized• transfer money• generate money
![Page 143: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/143.jpg)
How does Bitcoin work?
18
txtxtxtx
pkB
public key address
pkA1
m = (pkA,pkB,1) σ = Sign(skA,m) tx = (m,σ)
• decentralized • decentralized• transfer money • decentralized• transfer money• generate money
![Page 144: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/144.jpg)
How do bitcoins get spent?
19
• decentralized• transfer money• generate money• prevent double-spending
![Page 145: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/145.jpg)
How do bitcoins get spent?
19
25
25
tx1
• decentralized• transfer money• generate money• prevent double-spending
![Page 146: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/146.jpg)
How do bitcoins get spent?
19
25
25
10
34
1tx1tx2
• decentralized• transfer money• generate money• prevent double-spending
![Page 147: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/147.jpg)
To spend bitcoins, a user must indicate the previous transaction
How do bitcoins get spent?
19
25
25
10
34
1tx1tx2
m = (tx1, , )
• decentralized• transfer money• generate money• prevent double-spending
![Page 148: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/148.jpg)
To spend bitcoins, a user must indicate the previous transaction
How do bitcoins get spent?
19
25
25
10
34
1 2
32
tx1tx2
tx3
m = (tx1, , )
• decentralized• transfer money• generate money• prevent double-spending
![Page 149: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/149.jpg)
To spend bitcoins, a user must indicate the previous transaction
How do bitcoins get spent?
19
25
25
10
34
1 2
32
tx1tx2
tx3
m = (tx1, , ) m = (tx2, , )
• decentralized• transfer money• generate money• prevent double-spending
![Page 150: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/150.jpg)
To spend bitcoins, a user must indicate the previous transaction
All bitcoins received in a transaction must be spent all at once
How do bitcoins get spent?
19
25
25
10
34
1 2
32
tx1tx2
tx3
m = (tx1, , ) m = (tx2, , )
• decentralized• transfer money• generate money• prevent double-spending
![Page 151: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/151.jpg)
How to identify users? [MPGLMVS IMC13]
20
Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys
![Page 152: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/152.jpg)
How to identify users? [MPGLMVS IMC13]
20
Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys
![Page 153: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/153.jpg)
How to identify users? [MPGLMVS IMC13]
Cluster
20
Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys
![Page 154: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/154.jpg)
How to identify users? [MPGLMVS IMC13]
Cluster
Collapse into a more manageable graph of clusters of public keys representing distinct entities
20
Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys
![Page 155: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/155.jpg)
How to identify users? [MPGLMVS IMC13]
Cluster
Transactus
them
Collapse into a more manageable graph of clusters of public keys representing distinct entities
20
Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys
![Page 156: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/156.jpg)
How to identify users? [MPGLMVS IMC13]
Cluster
Transactus
them
Collapse into a more manageable graph of clusters of public keys representing distinct entities
Collect ground truth data by participating in transactions
20
Users can use arbitrarily many public keys (pseudonyms); as a result the Bitcoin graph is complicated and has 12 million public keys
![Page 157: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/157.jpg)
Clustering by inputs
21
![Page 158: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/158.jpg)
Clustering by inputs
2
1
3
21
7
15
![Page 159: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/159.jpg)
Clustering by inputs
2
1
3
21
7
15
![Page 160: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/160.jpg)
Clustering by inputs
2
1
3
21
7
156
![Page 161: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/161.jpg)
Clustering by inputs
2
1
3
21
7
15
Heuristic #1: the same user controls these addresses [N08,RH11,RS13,A+13]
6
![Page 162: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/162.jpg)
Change addresses
2
1
3
22
7
15
![Page 163: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/163.jpg)
Change addresses
2
1
3
22
7
15
![Page 164: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/164.jpg)
Change addresses
2
1
3
22
7
15 1414
![Page 165: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/165.jpg)
Change addresses
2
1
3
22
7
15 14114
![Page 166: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/166.jpg)
Change addresses
2
1
3
22
7
15
All bitcoins received in a transaction must be spent all at once
14114
![Page 167: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/167.jpg)
Change addresses
2
1
3
22
7
15
All bitcoins received in a transaction must be spent all at once
![Page 168: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/168.jpg)
Change addresses
2
1
3
22
7
15
All bitcoins received in a transaction must be spent all at once
![Page 169: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/169.jpg)
Change addresses
2
1
3
22
7
15
All bitcoins received in a transaction must be spent all at once
![Page 170: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/170.jpg)
Change addresses
2
1
3
22
7
15
All bitcoins received in a transaction must be spent all at once
11
0 1414
![Page 171: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/171.jpg)
Change addresses
2
1
3
22
7
15
All bitcoins received in a transaction must be spent all at once
In the standard idiom, change addresses are used at most twice: to receive change and to spend it
pk
11
0 1414
![Page 172: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/172.jpg)
Clustering by change
2
1
3 14
23
7
0 14
11
![Page 173: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/173.jpg)
Clustering by change
2
1
3 14
23
7
0
pk
14
11
identify using one-time behavior
![Page 174: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/174.jpg)
Clustering by change
2
1
3 14
23
7
0
pk
14
11
identify using one-time behavior
Heuristic #2: the same user also controls this address
![Page 175: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/175.jpg)
Data collection
24
![Page 176: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/176.jpg)
Data collection
24
Engaged in transactions with:
![Page 177: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/177.jpg)
Data collection
24
Engaged in transactions with:
• Exchanges
![Page 178: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/178.jpg)
Data collection
24
Engaged in transactions with:
• Exchanges • Vendors
![Page 179: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/179.jpg)
Data collection
24
Engaged in transactions with:
• Exchanges
• Mining pools
• Vendors
![Page 180: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/180.jpg)
Data collection
24
Engaged in transactions with:
• Exchanges
• Mining pools
• Vendors
• Gambling sites
![Page 181: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/181.jpg)
Data collection
24
Engaged in transactions with:
• Exchanges
• Mining pools
• Wallet services
• Vendors
• Gambling sites
![Page 182: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/182.jpg)
Data collection
24
Engaged in transactions with:
• Exchanges
• Mining pools
• Wallet services
• Vendors
• Gambling sites
• Mix services
![Page 183: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/183.jpg)
Data collection
24
Engaged in transactions with:
• Exchanges
• Mining pools
• Wallet services
Scraped published tags
• Vendors
• Gambling sites
• Mix services
![Page 184: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/184.jpg)
Data collection
24
Engaged in transactions with:
• Exchanges
• Mining pools
• Wallet services
Scraped published tags
Found addresses discussed on forums
• Vendors
• Gambling sites
• Mix services
![Page 185: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/185.jpg)
Exchanges
25
![Page 186: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/186.jpg)
Vendors
26
![Page 187: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/187.jpg)
Putting it all together
27
![Page 188: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/188.jpg)
Putting it all together
Transactus
them
27
![Page 189: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/189.jpg)
Putting it all together
Transactus
them
27
![Page 190: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/190.jpg)
Putting it all together
ClusterTransactus
them
27
![Page 191: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/191.jpg)
Putting it all together
ClusterTransactus
them
27
![Page 192: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/192.jpg)
Putting it all together
ClusterTransactus
them
Bootstrap
27
![Page 193: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/193.jpg)
Putting it all together
ClusterTransactus
them
Bootstrap
27
![Page 194: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/194.jpg)
Putting it all together
ClusterTransactus
them
Bootstrap
27
Interacted with 31 MtGox addresses, tagged 518,723!
Participated in 344 transactions and tagged 1.3M public keys
![Page 195: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/195.jpg)
Clustering using Heuristic 2
satoshi dicebtc dice
clone dice
mtgox
silk road
instawallet
28
![Page 196: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/196.jpg)
Clustering using Heuristic 2
satoshi dicebtc dice
clone dice
mtgox
silk road
instawallet
bicycle wheel withgambling at center
28
![Page 197: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/197.jpg)
Clustering using Heuristic 2
satoshi dicebtc dice
clone dice
mtgox
silk road
instawallet
bicycle wheel withgambling at center
strongly connected componentwith most of our named users
28
![Page 198: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/198.jpg)
Following bitcoins
29
![Page 199: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/199.jpg)
Following bitcoins
Can see when bitcoins meaningfully cross cluster boundaries
29
![Page 200: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/200.jpg)
Following bitcoins
Can see when bitcoins meaningfully cross cluster boundaries
29
![Page 201: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/201.jpg)
Following bitcoins
Can see when bitcoins meaningfully cross cluster boundaries
29
![Page 202: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/202.jpg)
Following bitcoins
Can see when bitcoins meaningfully cross cluster boundaries
29
change address
![Page 203: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/203.jpg)
Following bitcoins
Can see when bitcoins meaningfully cross cluster boundaries
29
meaningfulrecipient change address
![Page 204: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/204.jpg)
Following bitcoins
Can see when bitcoins meaningfully cross cluster boundaries
Identifying recipients potentially de-anonymizes user
29
meaningfulrecipient change address
![Page 205: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/205.jpg)
Following bitcoins
Can see when bitcoins meaningfully cross cluster boundaries
Identifying recipients potentially de-anonymizes user
29
meaningfulrecipient change address
Hypothesis: if you subpoena exchanges, you can identify users
![Page 206: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/206.jpg)
Tracking technique
30
![Page 207: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/207.jpg)
Tracking technique
...
tracking heists
= exchange
30
![Page 208: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/208.jpg)
Tracking technique
[HDM+ NDSS’14]
...
tracking heists
= exchange
30
![Page 209: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/209.jpg)
Tracking technique
[HDM+ NDSS’14]
...
tracking heists
= exchange
30
individual thefts
![Page 210: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/210.jpg)
Tracking technique
[HDM+ NDSS’14]
...
tracking heists
= exchange
service interaction
30
individual thefts
![Page 211: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/211.jpg)
Tracking technique
[HDM+ NDSS’14]
...
tracking heists
= exchange
service interaction
30
individual thefts
>1,794 BTC ≈2,084 BTC
![Page 212: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/212.jpg)
Tracking technique
[HDM+ NDSS’14]
...
tracking heists
= exchange
service interaction
30
individual thefts
>1,794 BTC ≈2,084 BTC
We traced over $3M back to illicit activities!
![Page 213: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/213.jpg)
Takeaway
31
How much anonymity does Bitcoin really provide?
![Page 214: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/214.jpg)
Our analysis provides a real-world way to track flows of bitcoins
Takeaway
31
How much anonymity does Bitcoin really provide?
![Page 215: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/215.jpg)
Our analysis provides a real-world way to track flows of bitcoins
Seems hard to launder significant quantities of money
Takeaway
31
How much anonymity does Bitcoin really provide?
![Page 216: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/216.jpg)
My research
32
ZKPDL
[MSF10,LM13] [BMT14] [MEKHL10] [MMCS11] [MMS11]
[OMSK13][MP+13,HDM+14][CMZ13][CM14] [CKLM12,13a,13b]
RKA Bitcoin
![Page 217: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/217.jpg)
Acknowledgements
33
[CMZ14]
RKA Bitcoin
![Page 218: Flexible Models for Secure Systems · Practical security of digital signatures Signatures are proved secure in standard cryptographic models Standard model is useless against side](https://reader035.vdocument.in/reader035/viewer/2022070901/5f48b60d17b28731f42f348b/html5/thumbnails/218.jpg)
Acknowledgements
33
[CMZ14]
RKA BitcoinThanks! Any questions?