Upload
david-evans
View
698
Download
2
Tags:
Embed Size (px)
Citation preview
Cryptocurrency Cafécs4501 Spring 2015David EvansUniversity of Virginia
Class 2:Cryptography
Goal for Today
• Notion of ownership of non-physical good
• Conceptual understanding of key terms and principles in cryptography– Cryptosystem
– Attacks
– Asymmetry
• Underlying foundation of bitcoin
1
Comments about “Magic of Mining”
2
3
4
5
Selected Contributed Comments
6
Submitting google forms is a silly way to have a discussion! We’ll have a course discussion forum set up by next week…
“The enigmatic Mr Nakamotodesigned the system to keep everybody honest.” (Tara Raj, Jake Rosenberg)
“Bitcoins have three useful qualities in a currency: they are hard to earn, limited in supply and easy to verify.” (Jake Shankman, Kevin Hoffman )
“A more fundamental worry is that digital-currency mining, like other sorts of mining, has environmental costs: all that number-crunching uses a lot of electricity, and not all of it comes from renewable sources…” (Samuel Abbate, Elizabeth Kukla)
“He even worries that a hostile government might seize control of the bitcoin system.”(Richard Serpe)
7
Downloading entire blockchain (~20GB)…takes several days…
Recap
Currency is a medium of exchange
At a minimum, must be:
transferable – can be exchanged
scarce – limited supply
8
Can we make something scarce and transferable with just bits?
How can someone ownsomething made of bits?
9
10
How can someone ownanything easily reproduced?
11
Mechanized printingGutenberg movable type press: ~1450
12
Worshipful Company of Stationers and Newspaper Makers(“Stationer’s Company”)
London 1403Royal Charter 1557Monopoly on printingResponsibility to censor
13
“An Act for the Encouragement of Learning, by Vesting the Copies of Printed Books in the Authors or Purchasers of Copies, during the Times therein mentioned…”
Statute of Anne, 1710
Author has exclusive 14-year right to copy work (living author can extend for another 14 years)
US Copyright Law
1790: 14 years (+ 14)
1831: 28 years (+ 14)
1976: life of author + 50 (75 for “corporate”)
1998: life of author + 70 (120 for “corporate”)
14
Created 1928
How can someone ownsomething made of bits
without an army helping?
15
16
17
What is cryptology?
Greek: κρυπτ´oς = “kryptos” = hidden (secret)
Cryptography – secret writing
Cryptanalysis – analyzing (breaking) secretsCryptanalysis is what an attacker does
Decryption is what the intended receiver does
Cryptosystems – systems that use secrets
Cryptology – science of secrets
18
Security is an engineering goal: it involves mathematics, but is mostly about real implementations and people.
Cryptology is a branch of mathematics: about abstract numbers and functions.
19
Introductions
Encrypt DecryptPlaintextCiphertext
Plaintext
Alice Bob
Eve(passive attacker)
Insecure Channel
20
Active Attacker
Encrypt DecryptPlaintextCiphertext
Plaintext
Alice Bob
Insecure Channel (e.g., the Internet)
Mallory(active attacker)
21
Message CryptosystemEncrypt
DecryptPlaintext Ciphertext
PlaintextCiphertext
Two functions: E(m: byte[]) byte[]and D(c: byte[]) byte[]
Correctness property: for all possible messages m, D(E(m)) =m
Security property: given c E(m), it is “hard” to learn anything interesting about m.
22
It is possible to state the security property precisely (and prove a cryptosystem satisfies it given hardness assumptions).Shafi Goldwasser and Silvio Micali
2013 Turing Award Winners(for doing this in the 1980s)
23
Message CryptosystemEncrypt
DecryptPlaintext Ciphertext
PlaintextCiphertext
Two functions: E(m: byte[]) byte[]and D(c: byte[]) byte[]
Correctness property: for all possible messages m, D(E(m)) =m
Security property: given c E(m), it is “hard” to learn anything interesting about m.
24
Auguste Kerckhoffs
Kerckhoff’s Principle
25
“The enemy knows the system being used.”
Claude Shannon, Communication Theory
of Secrecy Systems(1949)
Claude Shannon1916-2001
(Keyed) Symmetric Cryptosystem
26
Encrypt DecryptPlaintextCiphertext
PlaintextInsecure Channel
Encrypt DecryptPlaintextCiphertext
PlaintextInsecure Channel
Key Key
Only secret is the key, not the E and Dfunctions that now take key as input
Asymmetric crypto:different keys for E and D, so you can reveal Ewithout revealing D.
Jefferson’s Wheel Cipher
27
Jefferson’s Wheel Cipher
26 wheels arranged in a secret order on a spindle, each wheel has randomly-permutated alphabet around rim
Encrypt: turn wheels to display plaintext, then pick a “random” row as ciphertext
Decrypt: arrange wheels in same (secret) order, line up ciphertext, look for plaintext
28
29
Auguste Kerckhoffs (1883)Thomas Jefferson (1790s)
Should it be “TJ’s
Principle”?
30
on the periphery of each, and between the black lines, put all the letters of the alphabet, not in their established order, but jumbled, & without order, so that no two shall be alike. now string them in their numerical order on an iron axis, one end of which has a head, and the other a nut and screw; the use of which is to hold them firm in any given position when you choose it.
Jefferson’s description of wheel cipher (1802)
Key SpaceKey space: K = set of possible keys
31
Key is order of wheels on spindle:|K | = 26 × 25 × … × 1 > 1026
Key is jumbling of letters on wheels:|K | = (26 × 25 × … × 1)26 > 10691
Brute Force Attack
32
def brute_force(ciphertext):for guess in all_possible_keys(N):
plaintext = decrypt(key, ciphertext)if plausible_message(plaintext):
return plaintext
Try all possible keys in some order, until you find one that works.
What is necessary for brute force attack to succeed?
(Im)Practicality of Brute Force Attacks
Minimum energy needed to flip one bit
(Landauer limit) ≈ kT ln 2 ≈ 2.8 zepto-Joules
33
k ≈ 1.4 × 10-23 J/K (Boltzmann’s constant)T = temperature (Kelvin) (300K)
34
Bit Flips Energy WolframAlpha Description
256 (DES) 2 × 10-3 J “acoustic energy in a whisper”
280 (“low security”) 3 × 103 J “metabolic energy of one gram of sugar”
26!(Jefferson+Kerkchoffs)
1 × 106 J “energy of one gram of gasoline”
2128 (AES minimum) 9 × 1017 J “twice energy consumption of Norway in 1998”
2256 (AES maximum) 3 × 1056 J “1/120th mass energy equivalent of galaxy’s visible mass”
35
Bit Flips Energy WolframAlpha Description
256 (DES) 2 × 10-3 J “acoustic energy in a whisper”
280 (“low security”) 3 × 103 J “metabolic energy of one gram of sugar”
26!(Jefferson+Kerkchoffs)
1 × 106 J “energy of one gram of gasoline”
2128 (AES minimum) 9 × 1017 J “twice energy consumption of Norway in 1998”
2256 (AES maximum) 3 × 1056 J “1/120th mass energy equivalent of galaxy’s visible mass”
This is the best (unrealistic) possible case for a brute force attack: don’t need to do anything other than represent key and physically most efficient bit flips.
36
Bit Flips Energy WolframAlpha Description
256 (DES) 2 × 10-3 J “acoustic energy in a whisper”
280 (“low security”) 3 × 103 J “metabolic energy of one gram of sugar”
26!(Jefferson+Kerkchoffs)
1 × 106 J “energy of one gram of gasoline”
2128 (AES minimum) 9 × 1017 J “twice energy consumption of Norway in 1998”
2256 (AES maximum) 3 × 1056 J “1/120th mass energy equivalent of galaxy’s visible mass”
But, assumes better than brute force attacks are not possible. All of these ciphers have weaknesses, and are much less secure than maximum security possible for that size key.
Can we use symmetric cryptosystems to own bits?
37
Encrypt DecryptPlaintextCiphertext
PlaintextInsecure Channel
Key Key
38
Asymmetry Required
39
Messages: send Alice a message that only Alice can read
Signatures: verify Alice signed a message, but not impersonate Alice
Need a way to show you own something without giving it away!
Asymmetric Cryptosystem
40
E DPlaintextCiphertext
PlaintextInsecure Channel
Alice Bob
Correctness: D(E(m)) = m
Security: given E(m) and E , cannot learn anything interesting about m or D
Asymmetric Cryptosystem(with Kerckhoffs’ Principle)
41
E DPlaintextCiphertext
PlaintextInsecure Channel
Alice Bob
Correctness: DKUA(EKRA
(m)) = m
Security: given EKRA(m), E, KUA, and D, cannot
learn anything interesting about m or KRA.
KUAKRA
Providing AsymmetryNeed a function f that is:Easy to compute:
given x, easy to compute f (x)
Hard to invert:given f (x), hard to compute x
Has a trap-door:given f (x) and t,
easy to compute x
42
No function (publicly) known with these properties until 1977…
43
Ron RivestLen Adleman Adi Shamir
44
RSA Cryptosystem
Ee(M ) = Me mod nDd(C ) = Cd mod n
n = pq p, q are primed is relatively prime to (p – 1)(q – 1)ed 1 mod (p – 1)(q – 1)
Bitcoin uses elliptic curves instead of RSA (next week).
45
Correctness of RSA
Ee(M ) = Me mod n
Dd(C ) = Cd mod n
46
Correctness of RSA
Ee(M ) = Me mod n
Dd(C ) = Cd mod n
Dd(Ee(M )) = (Me mod n)d mod n= Med mod n= M
This step depends on choosing e and d to have this property: uses Fermat’s little theorem and Euler’s Totient theorem
47
Bonus: Works in Both Orders
Ee(M ) = Me mod n
Dd(C ) = Cd mod n
Ee (Dd(M )) = (Md mod n)e mod n= Mde mod n= M
Providing AsymmetryNeed a function f that is:Easy to compute:
given x, easy to compute f (x)
Hard to invert:given f (x), hard to compute x
Has a trap-door:given f (x) and t,
easy to compute x
48
Does RSA satisfy these?
Using Asymmetric Crypto: Confidentiality
49
E DPlaintextCiphertext
PlaintextInsecure Channel
Alice Bob
KUBKRB
Generates key pair: KUB, KRB
Publishes KUB
Sends confidential messages to Bob using his public key
~10000x slower than AES! Only use when asymmetry is needed.
Using Asymmetric Crypto: Signatures?
50
E DPlaintextCiphertext
PlaintextInsecure Channel
Alice Bob
KUBKRB
Generates key pair: KUB, KRB
Publishes KUB
Sends confidential messages to Bob using his public key
Using Asymmetric Crypto: Signatures
51
E DVerified Message
Signed MessageMessage
Insecure Channel
KUBKRB
Bob
Generates key pair: KUB, KRB
Publishes KUB
Anyone
Get KUB from trusted provider
52
Owning a Coin
53
Getting Rich!
54
Charge
• Achieving scarcity is a hard problem!
• No class Monday (Martin Luther King Day)
• See notes for readings
• Project 1 will be posted in a few days
55