Cryptocurrency Cafécs4501 Spring 2015David EvansUniversity of Virginia

Class 2:Cryptography

Goal for Today

• Notion of ownership of non-physical good

• Conceptual understanding of key terms and principles in cryptography– Cryptosystem

– Attacks

– Asymmetry

• Underlying foundation of bitcoin

1

Comments about “Magic of Mining”

2

3

4

5

Selected Contributed Comments

6

Submitting google forms is a silly way to have a discussion! We’ll have a course discussion forum set up by next week…

“The enigmatic Mr Nakamotodesigned the system to keep everybody honest.” (Tara Raj, Jake Rosenberg)

“Bitcoins have three useful qualities in a currency: they are hard to earn, limited in supply and easy to verify.” (Jake Shankman, Kevin Hoffman )

“A more fundamental worry is that digital-currency mining, like other sorts of mining, has environmental costs: all that number-crunching uses a lot of electricity, and not all of it comes from renewable sources…” (Samuel Abbate, Elizabeth Kukla)

“He even worries that a hostile government might seize control of the bitcoin system.”(Richard Serpe)

7

Downloading entire blockchain (~20GB)…takes several days…

Recap

Currency is a medium of exchange

At a minimum, must be:

transferable – can be exchanged

scarce – limited supply

8

Can we make something scarce and transferable with just bits?

How can someone ownsomething made of bits?

9

10

How can someone ownanything easily reproduced?

11

Mechanized printingGutenberg movable type press: ~1450

12

Worshipful Company of Stationers and Newspaper Makers(“Stationer’s Company”)

London 1403Royal Charter 1557Monopoly on printingResponsibility to censor

13

“An Act for the Encouragement of Learning, by Vesting the Copies of Printed Books in the Authors or Purchasers of Copies, during the Times therein mentioned…”

Statute of Anne, 1710

Author has exclusive 14-year right to copy work (living author can extend for another 14 years)

US Copyright Law

1790: 14 years (+ 14)

1831: 28 years (+ 14)

1976: life of author + 50 (75 for “corporate”)

1998: life of author + 70 (120 for “corporate”)

14

Created 1928

How can someone ownsomething made of bits

without an army helping?

15

16

17

What is cryptology?

Greek: κρυπτ´oς = “kryptos” = hidden (secret)

Cryptography – secret writing

Cryptanalysis – analyzing (breaking) secretsCryptanalysis is what an attacker does

Decryption is what the intended receiver does

Cryptosystems – systems that use secrets

Cryptology – science of secrets

18

Security is an engineering goal: it involves mathematics, but is mostly about real implementations and people.

Cryptology is a branch of mathematics: about abstract numbers and functions.

19

Introductions

Encrypt DecryptPlaintextCiphertext

Plaintext

Alice Bob

Eve(passive attacker)

Insecure Channel

20

Active Attacker

Encrypt DecryptPlaintextCiphertext

Plaintext

Alice Bob

Insecure Channel (e.g., the Internet)

Mallory(active attacker)

21

Message CryptosystemEncrypt

DecryptPlaintext Ciphertext

PlaintextCiphertext

Two functions: E(m: byte[]) byte[]and D(c: byte[]) byte[]

Correctness property: for all possible messages m, D(E(m)) =m

Security property: given c E(m), it is “hard” to learn anything interesting about m.

22

It is possible to state the security property precisely (and prove a cryptosystem satisfies it given hardness assumptions).Shafi Goldwasser and Silvio Micali

2013 Turing Award Winners(for doing this in the 1980s)

23

Message CryptosystemEncrypt

DecryptPlaintext Ciphertext

PlaintextCiphertext

Two functions: E(m: byte[]) byte[]and D(c: byte[]) byte[]

Correctness property: for all possible messages m, D(E(m)) =m

Security property: given c E(m), it is “hard” to learn anything interesting about m.

24

Auguste Kerckhoffs

Kerckhoff’s Principle

25

“The enemy knows the system being used.”

Claude Shannon, Communication Theory

of Secrecy Systems(1949)

Claude Shannon1916-2001

(Keyed) Symmetric Cryptosystem

26

Encrypt DecryptPlaintextCiphertext

PlaintextInsecure Channel

Encrypt DecryptPlaintextCiphertext

PlaintextInsecure Channel

Key Key

Only secret is the key, not the E and Dfunctions that now take key as input

Asymmetric crypto:different keys for E and D, so you can reveal Ewithout revealing D.

Jefferson’s Wheel Cipher

27

Jefferson’s Wheel Cipher

26 wheels arranged in a secret order on a spindle, each wheel has randomly-permutated alphabet around rim

Encrypt: turn wheels to display plaintext, then pick a “random” row as ciphertext

Decrypt: arrange wheels in same (secret) order, line up ciphertext, look for plaintext

28

29

Auguste Kerckhoffs (1883)Thomas Jefferson (1790s)

Should it be “TJ’s

Principle”?

30

on the periphery of each, and between the black lines, put all the letters of the alphabet, not in their established order, but jumbled, & without order, so that no two shall be alike. now string them in their numerical order on an iron axis, one end of which has a head, and the other a nut and screw; the use of which is to hold them firm in any given position when you choose it.

Jefferson’s description of wheel cipher (1802)

Key SpaceKey space: K = set of possible keys

31

Key is order of wheels on spindle:|K | = 26 × 25 × … × 1 > 1026

Key is jumbling of letters on wheels:|K | = (26 × 25 × … × 1)26 > 10691

Brute Force Attack

32

def brute_force(ciphertext):for guess in all_possible_keys(N):

plaintext = decrypt(key, ciphertext)if plausible_message(plaintext):

return plaintext

Try all possible keys in some order, until you find one that works.

What is necessary for brute force attack to succeed?

(Im)Practicality of Brute Force Attacks

Minimum energy needed to flip one bit

(Landauer limit) ≈ kT ln 2 ≈ 2.8 zepto-Joules

33

k ≈ 1.4 × 10-23 J/K (Boltzmann’s constant)T = temperature (Kelvin) (300K)

34

Bit Flips Energy WolframAlpha Description

256 (DES) 2 × 10-3 J “acoustic energy in a whisper”

280 (“low security”) 3 × 103 J “metabolic energy of one gram of sugar”

26!(Jefferson+Kerkchoffs)

1 × 106 J “energy of one gram of gasoline”

2128 (AES minimum) 9 × 1017 J “twice energy consumption of Norway in 1998”

2256 (AES maximum) 3 × 1056 J “1/120th mass energy equivalent of galaxy’s visible mass”

35

Bit Flips Energy WolframAlpha Description

256 (DES) 2 × 10-3 J “acoustic energy in a whisper”

280 (“low security”) 3 × 103 J “metabolic energy of one gram of sugar”

26!(Jefferson+Kerkchoffs)

1 × 106 J “energy of one gram of gasoline”

2128 (AES minimum) 9 × 1017 J “twice energy consumption of Norway in 1998”

2256 (AES maximum) 3 × 1056 J “1/120th mass energy equivalent of galaxy’s visible mass”

This is the best (unrealistic) possible case for a brute force attack: don’t need to do anything other than represent key and physically most efficient bit flips.

36

Bit Flips Energy WolframAlpha Description

256 (DES) 2 × 10-3 J “acoustic energy in a whisper”

280 (“low security”) 3 × 103 J “metabolic energy of one gram of sugar”

26!(Jefferson+Kerkchoffs)

1 × 106 J “energy of one gram of gasoline”

2128 (AES minimum) 9 × 1017 J “twice energy consumption of Norway in 1998”

2256 (AES maximum) 3 × 1056 J “1/120th mass energy equivalent of galaxy’s visible mass”

But, assumes better than brute force attacks are not possible. All of these ciphers have weaknesses, and are much less secure than maximum security possible for that size key.

Can we use symmetric cryptosystems to own bits?

37

Encrypt DecryptPlaintextCiphertext

PlaintextInsecure Channel

Key Key

38

Asymmetry Required

39

Messages: send Alice a message that only Alice can read

Signatures: verify Alice signed a message, but not impersonate Alice

Need a way to show you own something without giving it away!

Asymmetric Cryptosystem

40

E DPlaintextCiphertext

PlaintextInsecure Channel

Alice Bob

Correctness: D(E(m)) = m

Security: given E(m) and E , cannot learn anything interesting about m or D

Asymmetric Cryptosystem(with Kerckhoffs’ Principle)

41

E DPlaintextCiphertext

PlaintextInsecure Channel

Alice Bob

Correctness: DKUA(EKRA

(m)) = m

Security: given EKRA(m), E, KUA, and D, cannot

learn anything interesting about m or KRA.

KUAKRA

Providing AsymmetryNeed a function f that is:Easy to compute:

given x, easy to compute f (x)

Hard to invert:given f (x), hard to compute x

Has a trap-door:given f (x) and t,

easy to compute x

42

No function (publicly) known with these properties until 1977…

43

Ron RivestLen Adleman Adi Shamir

44

RSA Cryptosystem

Ee(M ) = Me mod nDd(C ) = Cd mod n

n = pq p, q are primed is relatively prime to (p – 1)(q – 1)ed 1 mod (p – 1)(q – 1)

Bitcoin uses elliptic curves instead of RSA (next week).

45

Correctness of RSA

Ee(M ) = Me mod n

Dd(C ) = Cd mod n

46

Correctness of RSA

Ee(M ) = Me mod n

Dd(C ) = Cd mod n

Dd(Ee(M )) = (Me mod n)d mod n= Med mod n= M

This step depends on choosing e and d to have this property: uses Fermat’s little theorem and Euler’s Totient theorem

47

Bonus: Works in Both Orders

Ee(M ) = Me mod n

Dd(C ) = Cd mod n

Ee (Dd(M )) = (Md mod n)e mod n= Mde mod n= M

Providing AsymmetryNeed a function f that is:Easy to compute:

given x, easy to compute f (x)

Hard to invert:given f (x), hard to compute x

Has a trap-door:given f (x) and t,

easy to compute x

48

Does RSA satisfy these?

Using Asymmetric Crypto: Confidentiality

49

E DPlaintextCiphertext

PlaintextInsecure Channel

Alice Bob

KUBKRB

Generates key pair: KUB, KRB

Publishes KUB

Sends confidential messages to Bob using his public key

~10000x slower than AES! Only use when asymmetry is needed.

Using Asymmetric Crypto: Signatures?

50

E DPlaintextCiphertext

PlaintextInsecure Channel

Alice Bob

KUBKRB

Generates key pair: KUB, KRB

Publishes KUB

Sends confidential messages to Bob using his public key

Using Asymmetric Crypto: Signatures

51

E DVerified Message

Signed MessageMessage

Insecure Channel

KUBKRB

Bob

Generates key pair: KUB, KRB

Publishes KUB

Anyone

Get KUB from trusted provider

52

Owning a Coin

53

Getting Rich!

54

Charge

• Achieving scarcity is a hard problem!

• No class Monday (Martin Luther King Day)

• See notes for readings

• Project 1 will be posted in a few days

55