CryptoCurrency Cafe Class 5: DigiCash http://bitcoin-class.org

1. Cryptocurrency Café
UVa cs4501 Spring 2015
David Evans
Class 5: DigiCash

2. Plan for Today
Hashing
Preventing Double Spending
DigiCash – Untraceable Cash
Distributed Consensus
1
Project 1 is due Friday (11:59pm)
Upcoming office hours:
Me: Thursday 4-5pm (Rice 507)
Nick: Friday noon-2pm (HackCville)

3. Price
Volatility
2

4. Size of Bitcoin
3
$0
$2
$4
$6
$8
$10
$12
$14
$16
$18
$20
Apple's Profits, last 3 months Bitcoin Market Cap
Apple’s Profits
(last 3 months) = $18B
(Revenues = $75B)
Value of all Bitcoin at
today’s price: $3.5B

5. Size of Bitcoin
4
$0
$2
$4
$6
$8
$10
$12
$14
$16
$18
$20
Apple's Profits, last 3 months Bitcoin Market Cap
$0
$2,000
$4,000
$6,000
$8,000
$10,000
$12,000
$14,000
$16,000
$18,000
$20,000
Apple's Profits, last
3 months
Bitcoin Market Cap Apple's Market Cap US National Debt
US National Debt:
$18.1 T

6. Using Asymmetric Crypto: Signatures
5
E D
Verified
Message
Signed Message
Message
Insecure Channel
KUB
KRB
Bob
Generates key pair: KUB, KRB
Publishes KUB
Anyone
Get KUB from
trusted provider

7. Signing Long Messages
6
Alice signs m1 = { “I give coin x = KUA, t to address KUB.”}
with KRA.
Bob signs m2 = { “I give coin x = KUA, t, given to me by
m1to address KUC.”} with KRB.
Asymmetric crypto is expensive: what is the longest m we can sign with 256-bit ECDSA?

8. Verified
Message
Message
Message Digests
7
E D
Verified
Message
Digest
Message
Alice Bob
KUB
KRB
H
MessageDigest
H=
SignedMessage
H is a cryptographic hash function:
one-way: given H(x) cannot find preimage x
strong collision-resistant:
hard to find pair x and y where H(x) = H(y)

9. Hash Functions
8
E
IV
K

P1
C1
E

P2
C2
... EK

Pn
Cn
Cipher Block Chaining

10. SHA-2
9http://opencores.org/project,sha256core
SHA-256
256-bit output
64 rounds
(best known
attacks break
preimage
resistance for
52 rounds)

11. Cryptographic Hashing in Bitcoin
• Transactions: message digests for signatures
• Public address: hash of public key
• Blockchain
10

12. 11

13. 12
Alice
{KUA, KRA}
High
Trust
Bank
{KUTB, KRTB}
M
M = “The High Trust Bank owes the
holder of this message $100.”
EKRTB
[H(M)]
Bank IOU Protocol

14. 13
Alice
High
Trust
Bank
{KUTB, KRTB}
M
M = “The High Trust Bank owes the
holder of this message $100.”
EKRTB
[H(M)]
Bob

15. 14
Alice
High
Trust
Bank
{KUTB, KRTB}
M
M = “The High Trust Bank owes the
holder of this message $100.”
EKRTB
[H(M)]
Bob
M EKRTB
[H(M)]
EKUA
[secret curry recipe]

16. 15
Alice
High
Trust
Bank
{KUTB, KRTB}
M
M = “The High Trust Bank owes the
holder of this message $100.”
EKRTB
[H(M)]
Bob
M EKRTB
[H(M)]
EKUA
[secret curry recipe]
M EKRTB
[H(M)]

17. 16
Alice
High
Trust
Bank
{KUTB, KRTB}
M
M = “The High Trust Bank owes the
holder of this message $100.”
EKRTB
[H(M)]
Bob
M EKRTB
[H(M)]
EKUA
[secret curry recipe]
M EKRTB
[H(M)]
Both Alice and Bob can
attempt to redeem the
IOU (multiple times).

18. 17
Alice
{KUA, KRA}
Bear’s
Turns
Bank
{KUTB, KRTB}
M
M = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB
[H(M)]
Add Unique Identifiers

19. 18
Alice
{KUA, KRA}
Bear’s
Turns
Bank
{KUTB, KRTB}
M
M = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB
[H(M)]
Add Unique Identifiers
Bill can only be
redeemed once.
Bank cannot tell if it is Alice
or Bob who cheated (first
redeemer wins?)
Not anonymous; tracable

20. CRYPTO 1988
David Chaum
Photo: Declan McCullagh (2002)19

21. 20

22. Key Technology: Blind Signatures
21
Normal Signatures:
Alice selects message m
Sends m to bank
Bank returns signature:
SM = md mod n
Blind Signatures:
Alice selects message m
Bank’s public key: (e, n)
Bank’s private key: d

23. Key Technology: Blind Signatures
22
Normal Signatures:
Alice selects message m
SM = md mod n
Blind Signatures:
Alice selects message m
Picks random k in [1, n)
Sends bank t = mke mod n
Bank signs:
td = (mke mod n)d mod n
Alice computes md mod n:
= (mke)d mod n  mdked mod n
divide by k = md mod n
Bank’s public key: (e, n)
Bank’s private key: d

24. 23
Bear’s
Turns
Bank
{KUTB, KRTB}
Mk
M = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB
[Mk]
Client-Selected Identifiers

25. 24
Bear’s
Turns
Bank
{KUTB, KRTB}
Mk
M = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $10000000.”
EKRTB
[Mk]
Client-Selected Identifiers

26. Cut-and-Choose
25
M1
k1
M2
k2
M256
k256
…
Mi = “Bill #[ri] : Bear’s Turns Bank owes the
holder of this message $100.”

27. Cut-and-Choose
26
M1
k1
M2
k2
M256
k256
…
Mi = “Bill #[ri] : Bear’s Turns Bank owes the
holder of this message $100.”
Alice generate N different messages, and blinds each
with different k. Sends all of them to Bank.
Bank randomly selects N-1 of them, and challenges
Alice to unblind.
If all are okay, Bank (blindly) signs the one un-opened
message, and returns it to Alice.

28. Cut-and-Choose
27
M1
k1
M2
k2
M256
k256
…
Alice generate N different messages, and blinds each
with different k. Sends all of them to Bank.
Bank randomly selects N-1 of them, and challenges
Alice to unblind.
If all are okay, Bank (blindly) signs the one un-opened
message, and returns it to Alice.
What is probability Alice can cheat without getting caught?

29. 28
Alice
{KUA, KRA}
Bear’s
Turns
Bank
{KUTB, KRTB}
M
M = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB
[H(M)]
Add Unique Identifiers
Bill can only be
redeemed once.
Bank cannot tell if it is Alice
or Bob who cheated (first
redeemer wins?)
Not anonymous; tracable

30. 29
Alice
{KUA, KRA}
Bear’s
Turns
Bank
{KUTB, KRTB}
M
M = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB
[H(M)]
Blinded Identifiers
Bill can only be
redeemed once.
Bank cannot tell who cheated
(first redeemer wins?)
Anonymous and untraceable

31. Catching Cheaters
30
M EKRTB
[H(M)] M EKRTB
[H(M)]
Bear’s
Turns
Bank
Spend a bill once: anonymity preserved
M EKRTB
[H(M)]
Spend a bill twice: identity revealed

32. Identity Strings
31
M1
k1
M2
k2
M256
k256
…
I = “alice@alice.org”
Mi = “Bill #[ri] : Bear’s Turns Bank owes the
holder of this message $100.”
+ identity strings:
I1 = (h(I1L), h(I1R))
...
In = (h(InL), h(InR))
where h is a one-way hash function and
each IiL  IiR = I

33. Spending a Bill
32
M EKRTB
[H(M)]
I = “alice@alice.org”
Mi = “Bill #[ri] : Bear’s Turns Bank owes the
holder of this message $100.”
+ identity strings:
I1 = (h(I1L), h(I1R))
...
In = (h(InL), h(InR))
where h is a one-way hash function and
each IiL  IiR = I
Reveal request: LRRLRLR…
(randomly select L or R for each pair)
I1L, I2R,I3R, I4L,… verifies hashes,
accepts bill

34. Charge
Next week: The Blockchain
Project 1 is due Friday
33
Upcoming office hours:
Me: Thursday 4-5pm (Rice 507)
Nick: Friday noon-2pm (HackCville)