Overview of Blockchain Security · 2017-02-19
Overview of Blockchain Security
- in Crypto we Trust -
Nicolas T. Courtois
- University College London, UK
Crypto Currencies
2 Nicolas T. Courtois 2009-2016
Need For Speed
http://video.ft.com/3667480923001/Camp-Alphaville-on-cashless-society/Editors-Choice,
2 July 2014.
At minute 02.48: Dr. Nicolas Courtois of UCL:
"[...] It's not true that bitcoin is 'the Internet of Money'.
Bitcoin is 'The Horse Carriage of Money' [...]"
Need For Speed – Open Problems
Nicolas Courtois:
On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534
Nicolas T. Courtois, Pinar Emirdag and Daniel A. Nagy:
Could Bitcoin Transactions Be 100x Faster?
will appear in SECRYPT 2014, 28-30 August 2014, Vienna, Austria.
Poster: http://www.nicolascourtois.com/bitcoin/POSTER_100x_Secrypt2014_v1.0.pdf
I Also Always Thought That..
Speed
Security 0
We Can Have (At Least Sometimes)
Speed
Security
Security => Speed?
Amazing, normally security and speed are opposites.
In financial markets one can execute trades in microseconds.
In bitcoin we need to wait for 10 minutes, and a large multiple of that for larger transactions.
Bitcoin is slow mostly out of fear of possible double spending attacks, which imposes certain precautions.
Fixing these security problems simply allows bitcoin transactions to be made much faster, or rather to be accepted much earlier.
Groups and ECC
So Fix the Security Problems!
Questions:
• How can a community of individuals run a financial cooperative without being manipulated by powerful entities?
• Can we trust the source code and cryptography?
Security of Bitcoin
9
Dr. Nicolas T. Courtois
1. cryptologist and codebreaker
2. payment and smart cards (e.g. bank cards, Oyster cards etc…)
“Cryptographer’s Dream”
• Building “trust-less” systems and a “trust-less” society.
• How do we do it?
• Crypto “protocols” with several parties who do not know each other in advance and WITHOUT any trusted authorities: lawyers, notaries, CAs, bankers, accountants, auditors, policemen, law makers, government officials, etc…
– Modern cryptography makes such things possible…
Cryptographers’ Magic Words
• Non-repudiation
• Soundness
• Zero-Knowledge
• Ring signature
• Etc…
My Blog and UCL Bitcoin Seminar
blog.bettercrypto.com / SEMINAR
or Google "UCL bitcoin seminar"
UCL Student Research Competition 2016
We award cash prizes for students doing research on blockchain security.
• Best Paper / best thesis etc.
Master Thesis Research Prize Fund 2016
Prize Jury:
• Prof. Jan Aldert Bergstra, Institute of Informatics, University of Amsterdam
• Prof. Alex Biryukov, University of Luxembourg
• Dr. Nicolas T. Courtois, Senior Lecturer, University College London
• Ass. Prof. Stefan Dziembowski, University of Warsaw, Poland
• Prof. Jean-Paul Delahaye, Lille University of Science and Technology, France
• Dr. Aggelos Kiayias, National and Kapodistrian University of Athens, Greece
• Prof. David Naccache, Ecole Normale Supérieure and IngenicoLabs, France
• Dr. Paolo Tasca, Deutsche Bank, Frankfurt, Germany
It Started with Bitcoin…
Are They Crazy?
Anything can be “money” if sufficiently many people accept it… (e.g. salt).
• popularity
legal tender, government standardization and regulation
<= in Google searches and press/media bitcoin is a lot more famous than Snowden/NSA etc…
• trust
trustworthy authority
<= distributed computer system acting on self-interest
NO NEED TO TRUST ANYONE
Bitcoin
Based on cryptography and network effects.
Bitcoins
• bitcoins are cryptographic money
– public ledger: history shows how many bitcoins each user has…
• user has the right to transfer his bitcoins to any other user
– users are known by their pseudonyms, H(PKeys)
– each person can use an unlimited number of distinct pseudonyms (accounts): Ak8SKske38, B2v8skd48k
Digital Signatures
Digital Signatures
21
Digital Signature
Signature is attached to data.
Serves as a method of authentication for these data.
Data
Signature
Digital Signatures
Idea: cryptographic solution
Definition: 3 algorithms…
key generation algorithm → pk (public key), sk (private key)
Digital Signature
signing algorithm: m, sk (private key) → s
verification algorithm: pk (public key), (m,s) → yes/no
forgery
2x Link
• EU Directive 1999,
• National Laws…
e.g. UK Electronic Communications Act 2000
Signatures - Requirements
1. Authenticity – guarantees the document signed by…
2. Non-repudiation = Imputability
1. Public verify-ability – anyone can verify!
0. Completeness – honest signer always accepted
1. Soundness – dishonest signer always rejected
Security Definitions
A triple
1. Adversarial Goal.
2. Resources of the Adversary:
3. Access / Attack to the system
Secure Public Key Signature
The “good” definition [Goldwasser-Micali-Rivest 1988]:
EUF-CMA (Existential Unforgeability under CMA)
1. Adversarial Goal.
Find any new pair (m,s) (new m)!
Strong version: even if m is old (signed before).
2. Resources of the Adversary: Any Probabilistic Turing Machine doing 2^80 computations.
3. Access / Attack: May sign any message except one (target). (Adaptively Chosen Message Attacks).
*Attacks on Signature Schemes
1. Adversarial Goal.
• BK - Recover the private key, • e.g. factor .
• UF - Universal forgery – sign any message, may be easier ! e.g. compute:
• SF - Selective Forgery – sign some messages
• EF - Existential Forgery – just sign any message, even if it means nothing useful.
• Malleability: sign a message that has been already signed by the legitimate user.
Trust Less!
Digital Signatures are important in order to build these TRUSTLESS systems.
Example: My bank card signs a transaction with RSA; the bank does NOT know the private key, ONLY the public key.
We NO LONGER need to trust the bank.
The banker cannot forge transactions done with my card!
E-Cash[Chaum] and Bitcoin[Nakamoto]
New Coins
1. initially X coins are attributed through Proof Of Work (POW) to one public key A
– to earn bitcoins one has to “work” (hashing) and consume energy (pay for electricity)
– do a difficult computation => you have earned 25 bitcoins
– works like a lottery (1 winner/10 minutes)
2. Major alternative option: bank/trusted authority/mintette can attribute coins initially
– everybody knows who has these bitcoins: A
PK A
Transfer of Coins
• initially money: hard work/attribution => public key A
• money transfer from public key A to public key B:
– simply sign that you transfer the money to a new user,
– multiple confirmations: the network will re-confirm many times…
– we do NOT need to assume that ALL people are honest.
• with time it becomes too costly to cheat
PK A
PK B
Authorizing Transfer of Coins
• you have a private key => you have the money (right to transfer)
– keys stored on PCs or mobile phones
– publicly verifiable, only one entity can sign
• you can transfer ALL yet unspent attributions
• if Tx has several inputs => everybody must sign
• data to be signed:
• Origin Tx(s)
• Amount(s)
• New Owner(s)
Signature
Block Chain
Def: Public transaction database or a ledger.
Every transaction since ever is public.
Bitcoin blocks contain a Proof Of Work (POW)
(they are basically hard to make)
Wallets and Key Management
36 (c) Nicolas T. Courtois
Bitcoin Network
Three sorts of entities:
• Miner nodes – 50K
– Hashing with public keys
• Peer Nodes – 5K
– Relay and store transactions and blocks
• Wallet Nodes – 5.5M, 0.25M active
– Store and release funds,
– Focus on management of private keys, master keys etc.
Tx LifeCycle
It is possible to almost totally separate:
• Miner nodes
– Hashing with public keys
• Peer Nodes
– Relay and store transactions and blocks
• Wallet Nodes:
– Store and release funds,
– Focus on management of private keys, master keys etc.
[Diagram labels: tx, tx, public ledger, burn]
Cryptographic Security of ECDSA in Bitcoin
38 Nicolas T. Courtois 2009-2014
Bitcoin Address
Ledger-Based Currency
A “Bitcoin Address” = a sort of equivalent of a bank account.
Remarks:
• PK is NOT public!
• only H(public key) is revealed!
• PK remains confidential until some money in this account is spent.
• SK = private key: always keep private, allows transfer of funds.
Bitcoin Ownership
Amounts of money are attributed to public keys.
Owner of a certain “Attribution to PK” can at any moment transfer it to some other PK (== another address).
Destructive, cannot spend twice:
not spent
*Multi-Signature Addresses
MultiSig = Addresses Starting with 3
Bitcoin can simultaneously require several private keys in order to transfer the money.
– For example 2 out of 3 signatures are required to spend bitcoins.
– The keys can be stored on different devices (highly secure).
– Can work without backups: if one device is lost, use other devices to transfer bitcoins to a new multisig address with another set of devices...
Multi-Sig Concept is NOT new…
1993
K. Itakura, K. Nakamura: A public-key cryptosystem suitable for digital multi-signatures
1983
BTC Transfer
Bitcoin Transfer
Transactions have multiple inputs and multiple outputs.
Transaction Signed by All Owners with their SK
[Diagram: Input Bitcoin Addresses, Output Bitcoin Addresses; amounts shown: 0.2 BTC, 1.3 BTC, 0.001 BTC, 0.499 BTC, 1.0 BTC + Fees]
Transaction Scripts
Signed Tx / Final Tx
byte by byte (similar but not identical to raw blocks seen before)
(this is done twice, with different scriptSig)
2 scripts
scriptSig length 1 byte
scriptPubKey length 1 byte
scriptPubKey
scriptSig
(not widely used)
Second scriptSig
sign+PKey
scriptSig1 = signature (r,s)
scriptSig2 = Pkey = (x,y)
len = 1+71 + 1+65 = 138 BUT NOT ALWAYS!
scriptSig
r
s
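The length formula above (1+71 + 1+65 = 138, "but not always") follows from how the two pushes are encoded. The Python sketch below is an added example, not part of the original slides: it builds and parses a scriptSig made of a DER-encoded signature (r,s) with its one-byte hash-type flag and a public key, using constructed values for r, s and the keys (not valid signatures or curve points). The compressed-key case goes beyond what the slide shows.

```python
# Added example: byte layout of a scriptSig = <push signature> <push public key>.
# r, s and the public keys below are constructed values used only to show the
# encoding; they are not valid ECDSA signatures or secp256k1 points.

SIGHASH_ALL = 0x01  # one hash-type byte is appended to the DER signature


def der_int(n: int) -> bytes:
    """DER INTEGER: minimal big-endian bytes, 0x00-prefixed if the top bit is set."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the integer positive
    return b"\x02" + bytes([len(body)]) + body


def build_script_sig(r: int, s: int, pubkey: bytes) -> bytes:
    seq = der_int(r) + der_int(s)
    sig = b"\x30" + bytes([len(seq)]) + seq + bytes([SIGHASH_ALL])
    # For 1..75 bytes the push opcode is simply the length byte.
    return bytes([len(sig)]) + sig + bytes([len(pubkey)]) + pubkey


def read_push(script: bytes, pos: int):
    if pos >= len(script) or not 1 <= script[pos] <= 75:
        raise ValueError("expected a direct push of 1..75 bytes")
    end = pos + 1 + script[pos]
    if end > len(script):
        raise ValueError("push runs past the end of the script")
    return script[pos + 1:end], end


def read_der_int(buf: bytes, pos: int):
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected DER INTEGER")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated DER INTEGER")
    return int.from_bytes(buf[pos + 2:end], "big"), end


def parse_script_sig(script: bytes) -> dict:
    sig, pos = read_push(script, 0)
    pubkey, pos = read_push(script, pos)
    if pos != len(script):
        raise ValueError("unexpected trailing bytes")
    der, hash_type = sig[:-1], sig[-1]
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("bad DER SEQUENCE header")
    r, p = read_der_int(der, 2)
    s, p = read_der_int(der, p)
    if p != len(der):
        raise ValueError("garbage after s")
    return {"total": len(script), "sig_push": len(sig), "key_push": len(pubkey),
            "r": r, "s": s, "hash_type": hash_type}


R_LOW = int("7f" + "11" * 31, 16)    # 32 bytes, top bit clear
R_HIGH = int("80" + "11" * 31, 16)   # 32 bytes, top bit set -> 33 bytes in DER
S_LOW = int("3c" + "22" * 31, 16)    # 32 bytes, top bit clear
PUB_UNCOMPRESSED = b"\x04" + bytes(range(64))  # 65 bytes: 0x04 || x || y
PUB_COMPRESSED = b"\x02" + bytes(range(32))    # 33 bytes: prefix || x


def script_sig_lengths() -> dict:
    cases = {
        "slide case": (R_LOW, S_LOW, PUB_UNCOMPRESSED),
        "r padded": (R_HIGH, S_LOW, PUB_UNCOMPRESSED),
        "compressed key": (R_LOW, S_LOW, PUB_COMPRESSED),
    }
    return {name: parse_script_sig(build_script_sig(*c))["total"]
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, total in script_sig_lengths().items():
        print(f"{name}: {total} bytes")
```

A parser that assumes a fixed 138-byte scriptSig will mis-handle the other two cases, which is why the lengths are read from the push and DER length bytes.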
Is Bitcoin Secure?
Satoshi claimed it is…
Bitcoin Hardware Wallets
50 Nicolas T. Courtois 2009-2014
Wallets
Bottom Line
Main Functionality:
- Private Key Generation
- Export public key
- ECDSA sign
- optional:
• sign full BTC transactions
• confirm recipient on the screen! (huge classical problem with all smart cards and digital signature devices; Ledger has a clever solution: regurgitates inputs on another device USB keyboard)
Trezor: bitcointrezor.com
BTChip HW1: hardwarewallet.com
Ledger: ledgerwallet.com
BTChip HW.1
since Jan 2013
*Features of USB card ST23YT66
2K
6K
1.0
NESCRYPT crypto-processor for PK crypto
• 900 ms for 1 ECDSA signature
• 900 ms for key gen
• encrypts private keys on the card (‘content’ key) 3DES CBC
• content key can be protected with “a GlobalPlatform Secure Channel” authentication mechanism
Trezor
+ display: know to whom you send the money!
+- has open source firmware: https://github.com/trezor/trezor-mcu
by Satoshi Labs, Prague, CZ
released March 2014
Our Works on Bitcoin
- cf. also blog.bettercrypto.com
- Nicolas Courtois, Marek Grajek, Rahul Naik: The Unreasonable Fundamental Incertitudes Behind Bitcoin Mining, http://arxiv.org/abs/1310.7935
- Nicolas Courtois, Marek Grajek, Rahul Naik: Optimizing SHA256 in Bitcoin Mining, CSS 2014.
- Nicolas Courtois, Lear Bahack: On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency, http://arxiv.org/abs/1402.1718
- Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies, http://arxiv.org/abs/1405.0534
- Nicolas T. Courtois, Pinar Emirdag and Daniel A. Nagy: Could Bitcoin Transactions Be 100x Faster? In proceedings of SECRYPT 2014, 28-30 August 2014, Vienna, Austria.
- Nicolas T. Courtois, Pinar Emirdag and Filippo Valsorda: Private Key Recovery Combination Attacks: On Extreme Fragility of Popular Bitcoin Key Management, Wallet and Cold Storage Solutions in Presence of Poor RNG Events, 16 Oct 2014, http://eprint.iacr.org/2014/848
- Poster: http://www.nicolascourtois.com/bitcoin/POSTER_100x_Secrypt2014_v1.0.pdf
Hash Power => Security???
Sams writes: "The amount of capital collectively burned hashing fixes the capital outlay required of an attacker […] to have a meaningful chance of orchestrating a successful double-spend attack […]"
REMARK: THIS IS MISTAKEN, read my papers
Crazy Hash Power Increase
Nearly doubled every month… 1000x in 1 year.
Jan 2015: Plateau/Peak Reached
July 2016: Halving => Decline Predicted
Decline?: NOT if price goes up!
“Programmed Self-Destruction”
Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534
Unobtanium – pump and dump: evidence
[Chart: price (grey), hash rate, volume (yellow); annotations “Cause:” and “Effect:”]
DogeCoin Predicted Decline [Courtois]
– hash rate MUST decline, as a result of monetary policy
Josh Mohland, 4 August 2014
Acknowledged that:
• Dogecoin was never "intended to function as a full-fledged transaction network",
• "Dogecoin was built to die quickly – none of us expected it to grow into the absurd entity it is today.
• With that said, there's absolutely an easy way to save the coin from its certain death (and by death I mean 51% attacked [...])”
=> after the reform Dogecoin Market price more than tripled…
Cryptome Renamed My Paper:
=> Actually I show that quite possibly bitcoin is EXEMPT from destruction [natural monopoly].
=> Whatever is Bad with bitcoin is even worse with most alt-coins.
http://cryptome.org/2014/05/bitcoin-suicide.pdf ?????????
Security Engineering
66
Bitcoin vs. Security Engineering
Re-Engineering Bitcoin
67
Re-Engineering Bitcoin:
We postulate:
1. Open design.
2. Least Common Mechanism
3. Assume that attacker controls the Internet [Dolev-Yao model, 1983].
4. The specification should be engineered in such a way that it is hard for developers to make it insecure on purpose (e.g. embed backdoors in the system).
[Saltzer and Schroeder 1975]
Least Common Mechanism
Violated in Bitcoin:
http://video.ft.com/3667480923001/Camp-Alphaville-on-cashless-society/Editors-Choice,
2 July 2014.
At minute 02.55: Dr. Nicolas Courtois of UCL:
“…One of the fundamental mistakes of bitcoin is that they use 'the Longest Chain Rule' to decide simultaneously which block gets accepted and which transactions get accepted, […] a big mistake.”
Least Common Mechanism
Violated in Bitcoin also because it uses:
• OpenSSL and other standard libraries with massive amounts of code which is not useful at all for bitcoin
• when using TOR
• etc..
Open Design Principle
[Saltzer and Schroeder 1975]
Open Design ≠ Open Source
Examples: cryptography such as SHA256 (used in bitcoin) is open source but NOT open design – it was designed behind closed doors!
Anarchy? Dark Side
• In Bitcoin many things which are BUGS are presented as FEATURES:
– monetary policy (or the lack of one) – frequent criticism
– problematic cryptography =
• anonymous founder syndrome, standardized yet TOTALLY disjoint from normal industrial cryptography, NOBUS syndrome (NSA jargon)
– decision mechanisms (the Longest Chain Rule)
• no reason why the same mechanism decides which blocks are valid and which transactions are valid, by far too slow, too unstable, too easy to manipulate
– 51% attacks ARE realistic, feasible and … INEXPENSIVE!
– sudden jumps in monetary policy => genetically-programmed self-destruction of many crypto currencies
See: Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534
Dangers of Open Source
• the open-source nature of the developer population provides opportunities for frivolous or criminal behavior that can damage the participants in the same way that investors can be misled by promises of get rich quick schemes [...]
• one of the biggest risks that we face as a society in the digital age [...] is the quality of the code that will be used to run our lives.
Cf. Vivian A. Maese: Divining the Regulatory Future of Illegitimate Cryptocurrencies, In Wall Street Lawyer, Vol. 18 Issue 5, May 2014.
Citation
Bitcoin is:
• Wild West of our time [Anderson-Rosenberg]
ECC - Certicom Challenges [1997, revised 2009]
Official Bitcoin Wiki
https://en.bitcoin.it/wiki/Myths#Bitcoins_are_worthless_because_they.27re_based_on_unproven_cryptography
“SHA256 and ECDSA which are used in Bitcoin are well-known industry standard algorithms. SHA256 is endorsed and used by the US Government and is standardized (FIPS180-3 Secure Hash Standard).
If you believe that these algorithms are untrustworthy then you should not trust Bitcoin, credit card transactions or any type of electronic bank transfer.”
Bitcoin has a sound basis in well understood cryptography.
Well… actually it has a major bug in it.
Major security scandal in the making?
Expect a lawsuit??? for
– failing to adopt the crypto/industry best practices,
– for supporting a dodgy cryptography standard,
– not giving users worried about security any choice,
– and lack of careful/pro-active/preventive security approach etc...
Blame Satoshi
Officially Not Recommended
Dan Brown, chair of SEC [Certicom, Entrust, Fujitsu, Visa International…]
“I am surprised to see anybody use secp256k1”
September 2013,
https://bitcointalk.org/index.php?topic=289795.80
What If? CataCrypt Conference
Tried to improve the security baseline…
Bitcoin Crypto Bets
80
Wanna Bet?
80
2016
Blockchain Anonymity
Privacy/Anonymity is NOT a concern for the 90%.
WRONG:
• Asymmetry of information market manipulation and big data used by dishonest competitors.
Blockchain technology WILL NEVER be adopted by banks if it INCREASES the disclosures => need for anonymity solutions.
• Ring signatures.
• Zero knowledge proofs.
• Other advanced crypto, e.g. attribute-based encryption.
Digital Signatures – 1 Signer
1. Authenticity – guarantees the document signed by…
2. Non-repudiation = Imputability
1. Public verify-ability – anyone can verify!
0. Completeness – honest signer always accepted
1. Soundness – dishonest signer always rejected
Group Signatures
1. Authenticity – guarantees the document signed by…
2. Non-repudiation = Imputability
1. Public verify-ability – anyone can verify!
0. Completeness – honest signer always accepted
1. Soundness – dishonest signer always rejected
2. Anonymity – the verifier does not know who signed!
signer ∊ ABCD
Group Signatures – Big Brother Syndrome
Centralized: a group leader/manager sets it up
Single Point of Failure
Trace-able: most schemes ALLOW anonymity to be removed [by the manager].
Not flexible: groups are defined beforehand
Not permission-free: nobody will force me to be a part of a group.
Ring Signatures – Very Different
De-Centralized: no group manager
Next weak point: it is sufficient to “crack” one key
In most schemes THERE IS NO WAY to remove anonymity
Super flexible: ad-hoc groups not defined beforehand
Permission-less: I can be involved in one signature without doing anything
Deniable: it was not me… the contrary of Non-repudiation/Imputability.
- Problems: there are ways to compromise anonymity: backdoors, covert channels…
- Potentially legal problems [Satoshi Nakamoto vs UK Law]
Main currency: XMR = Monero, 20 M$ market cap @0716, 8x increase in 2 weeks.
RST-style Ring Signatures
• Based on RSA/Rabin/other Trapdoor OWF
Linkable Ring Signatures
• Linking signatures by the same signer, with no revocation of anonymity!
• Needed to prevent double-spending.
Zero-Knowledge
1. Authenticity – guarantees the document signed by…
2. Non-repudiation = Imputability
1. Public verify-ability – anyone can verify!
0. Completeness – honest signer always accepted
1. Soundness – dishonest signer always rejected
2. Zero-Knowledge – the verifier does not learn ANYTHING more than needed
Statement is True!
Prover Verifier
Transferability: Can the verifier convince a third party?
ZK
89
Attacks on Proofs of Knowledge
Prover
Verifier
Passive
Active
Impersonation
Extract the Secret
“Cryptographer’s Job”
• Claim:
– Blockchains do need A LOT MORE of “good” cryptography to be widely adopted.
– They cannot be adopted as they are today.
– The security of current blockchains is very bad.