before bitcoin
TRANSCRIPT
![Page 1: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/1.jpg)
Class 23: Before Bitcoin
Cryptocurrency Cabal, cs4501 Fall 2015
David Evans and Samee Zahur, University of Virginia
![Page 2: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/2.jpg)
2
Plan
- Projects
- Elevator Speeches start Wednesday
- In the News: Graph Isomorphism, Tor Attack
- Chaum’s Digicash
- (Post-Bitcoin Alternatives)
![Page 3: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/3.jpg)
3
Projects
Lots of interesting ideas: check out course site
Elevator Pitches
- Up to 2 minutes
- Can project something (but must be from URL)
- Explain:
  - Purpose (what problem are you solving)
  - What are you doing
  - Why should we care
Teams will be pseudo-randomly selected to give project pitches during class starting Wednesday. Be prepared to do this!
![Page 4: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/4.jpg)
4
Progress Reports
Due: Next Monday (8:29pm)
See course site for details:
1. Link to project website
2. What has changed since preliminary proposal
3. Description of progress
4. Plan to finish project
5. Any questions you have
![Page 5: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/5.jpg)
5
Is Graph Isomorphism Hard?
![Page 6: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/6.jpg)
6
![Page 7: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/7.jpg)
7
Photo: Jeremy Kun
![Page 8: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/8.jpg)
8
Complexity of Graph Isomorphism
Best previously known: Laszlo Babai’s (claimed) result:
How close is this to polynomial time?
![Page 9: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/9.jpg)
9
![Page 10: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/10.jpg)
10
Does this matter in practice?
Image from Botao Hu: http://amber.botao.hu/works/research/de-anonymizingsocialnetworks
![Page 11: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/11.jpg)
11
Should we be worried?
![Page 12: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/12.jpg)
12
Tor, CMU, and the FBI?
![Page 13: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/13.jpg)
13
Operation Onymous (Nov 2014)
Shut down dark markets (including “Silk Road 2.0”)
414 .onion domains seized
17 arrests
17 countries involved
![Page 15: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/15.jpg)
15
![Page 17: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/17.jpg)
17
![Page 18: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/18.jpg)
18
![Page 19: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/19.jpg)
19
![Page 20: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/20.jpg)
20
CRYPTO 1988
David Chaum
Photo: Declan McCullagh (2002)
![Page 21: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/21.jpg)
21
Communications of the ACM, October 1985
![Page 22: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/22.jpg)
22
Communications of the ACM, October 1985
![Page 23: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/23.jpg)
23
CRYPTO 1988
![Page 24: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/24.jpg)
24
Bank IOU Protocol
Alice {KUA, KRA}
High Trust Bank {KUTB, KRTB}
(KU: public key, KR: private key)
M = “The High Trust Bank owes the holder of this message $100.”
Bank → Alice: M, E_KRTB[H(M)]
![Page 25: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/25.jpg)
25
Alice
High Trust Bank {KUTB, KRTB}
M = “The High Trust Bank owes the holder of this message $100.”
Bank → Alice: M, E_KRTB[H(M)]
Bob
![Page 26: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/26.jpg)
26
Alice
High Trust Bank {KUTB, KRTB}
M = “The High Trust Bank owes the holder of this message $100.”
Bank → Alice: M, E_KRTB[H(M)]
Alice → Bob: M, E_KRTB[H(M)]
Bob → Alice: E_KUA[secret curry recipe]
![Page 27: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/27.jpg)
27
Alice
High Trust Bank {KUTB, KRTB}
M = “The High Trust Bank owes the holder of this message $100.”
Bank → Alice: M, E_KRTB[H(M)]
Alice → Bob: M, E_KRTB[H(M)]
Bob → Alice: E_KUA[secret curry recipe]
Bob → Bank: M, E_KRTB[H(M)]
![Page 28: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/28.jpg)
28
Alice
High Trust Bank {KUTB, KRTB}
M = “The High Trust Bank owes the holder of this message $100.”
Bank → Alice: M, E_KRTB[H(M)]
Alice → Bob: M, E_KRTB[H(M)]
Bob → Alice: E_KUA[secret curry recipe]
Bob → Bank: M, E_KRTB[H(M)]
Both Alice and Bob can attempt to redeem the IOU (multiple times).
![Page 29: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/29.jpg)
29
Add Unique Identifiers
Alice {KUA, KRA}
Bear’s Turns Bank {KUTB, KRTB}
M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.”
Bank → Alice: M, E_KRTB[H(M)]
![Page 30: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/30.jpg)
30
Add Unique Identifiers
Alice {KUA, KRA}
Bear’s Turns Bank {KUTB, KRTB}
M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.”
Bank → Alice: M, E_KRTB[H(M)]
- Bill can only be redeemed once.
- Bank cannot tell if it is Alice or Bob who cheated (first redeemer wins?)
- Not anonymous; traceable
![Page 31: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/31.jpg)
31
Untraceable Cash
Can we make untraceable digital banknotes that can only be spent once?
![Page 32: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/32.jpg)
32
Key Technology: Blind Signatures
Normal RSA Signatures:
- Alice selects message m
- Sends m to bank
- Bank returns signature: S_M = m^d mod n
Goal: Blind Signatures:
- Alice selects message m
- Alice obtains S_M
- Bank doesn’t learn m
Bank’s public key: (e, n); Bank’s private key: d
![Page 33: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/33.jpg)
33
Key Technology: Blind Signatures
Normal Signatures:
- Alice selects message m
- S_M = m^d mod n
Blind Signatures:
- Alice selects message m
- Picks random k in [1, n)
- Sends bank t = m·k^e mod n
- Bank signs: t^d = (m·k^e)^d mod n
- Alice computes m^d mod n:
  t^d = (m·k^e)^d mod n = m^d·k^(ed) mod n = m^d·k mod n
  divide by k: = m^d mod n
Bank’s public key: (e, n); Bank’s private key: d
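The blinding derivation above, worked through in Python as an added example (not code from the slides or from DigiCash): the toy RSA key, the blinding-factor check and all function names are this example's own assumptions, and textbook RSA without padding is used only to mirror the slide's arithmetic.

```python
from math import gcd
import secrets

def rsa_toy_keypair():
    # Fixed primes (constructed for the example) so runs are reproducible.
    p, q = 1000003, 999983
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)               # e*d = 1 mod phi(n)
    return (e, n), d

def blind(m, k, pub):
    e, n = pub
    return (m * pow(k, e, n)) % n     # t = m * k^e mod n (what the bank sees)

def bank_sign(t, d, n):
    return pow(t, d, n)               # bank returns t^d mod n, never sees m

def unblind(s_blind, k, n):
    # t^d = m^d * k^(ed) = m^d * k (mod n); "divide by k" = multiply by k^-1
    return (s_blind * pow(k, -1, n)) % n

def verify(m, s, pub):
    e, n = pub
    return pow(s, e, n) == m % n

def pick_blinding_factor(n):
    # The slides take k in [1, n); the division step also needs gcd(k, n) == 1,
    # which fails only if k shares a factor with n (i.e. k would reveal p or q).
    while True:
        k = secrets.randbelow(n - 1) + 1
        if gcd(k, n) == 1:
            return k

def blind_sign_demo(m):
    # Full round trip; True iff the unblinded value is exactly the ordinary
    # RSA signature m^d mod n and it verifies under the bank's public key.
    pub, d = rsa_toy_keypair()
    e, n = pub
    k = pick_blinding_factor(n)
    s = unblind(bank_sign(blind(m, k, pub), d, n), k, n)
    return s == pow(m, d, n) and verify(m, s, pub)
```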
![Page 34: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/34.jpg)
34
Client-Selected Identifiers
Bear’s Turns Bank {KUTB, KRTB}
M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.”
Alice → Bank: M_k (M blinded with k)
Bank → Alice: E_KRTB[M_k]
![Page 35: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/35.jpg)
35
Client-Selected Identifiers
Bear’s Turns Bank {KUTB, KRTB}
M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $10000000.”
Alice → Bank: M_k (M blinded with k)
Bank → Alice: E_KRTB[M_k]
![Page 36: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/36.jpg)
36
Cut-and-Choose
M1, k1
M2, k2
…
M256, k256
Mi = “Bill #[ri] : Bear’s Turns Bank owes the holder of this message $100.”
![Page 37: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/37.jpg)
37
Cut-and-Choose
M1, k1
M2, k2
…
M256, k256
Mi = “Bill #[ri] : Bear’s Turns Bank owes the holder of this message $100.”
Alice generates N different messages, and blinds each with a different k. Sends all of them to the Bank.
Bank randomly selects N-1 of them, and challenges Alice to unblind.
If all are okay, Bank (blindly) signs the one unopened message, and returns it to Alice.
![Page 38: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/38.jpg)
38
Cut-and-Choose
M1, k1
M2, k2
…
M256, k256
Alice generates N different messages, and blinds each with a different k. Sends all of them to the Bank.
Bank randomly selects N-1 of them, and challenges Alice to unblind.
If all are okay, Bank (blindly) signs the one unopened message, and returns it to Alice.
What is the probability Alice can cheat without getting caught?
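The cut-and-choose issuance above, and the oversized-bill trick from slide 35 that it defends against, implemented as an added example that is not from the slides: the toy bank key, the bill format, the hash-to-integer encoding and the function names are this example's assumptions.

```python
import hashlib, re, secrets
from math import gcd
# Toy bank RSA key (constructed for this example): public (E, N), private D.
E, N = 65537, 1000003 * 999983
D = pow(E, -1, 1000002 * 999982)
BILL = "Bill #{serial}: Bear's Turns Bank owes the holder of this message $100."
WELL_FORMED = re.compile(r"^Bill #\d+: Bear's Turns Bank owes the holder of this message \$100\.$")

def encode(text):
    # Map bill text to an integer below N (toy: hash, then reduce mod N).
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % N

def blind(m, k):
    return (m * pow(k, E, N)) % N          # t = m * k^e mod n

def alice_prepare(n_bills, cheat_index=None):
    # Fresh serial and blinding factor per bill; bill cheat_index claims $10,000,000.
    bills = []
    for i in range(n_bills):
        text = BILL.format(serial=secrets.randbelow(10**8))
        if i == cheat_index:
            text = text.replace("$100.", "$10000000.")
        k = secrets.randbelow(N - 1) + 1
        while gcd(k, N) != 1:              # k must be invertible for unblinding
            k = secrets.randbelow(N - 1) + 1
        bills.append((text, k, blind(encode(text), k)))
    return bills

def bank_cut_and_choose(blinded, reveal, rng=secrets):
    # Open all but one at random; each must be a genuine $100 bill that re-blinds to what Alice sent.
    keep = rng.randbelow(len(blinded))
    for i, t in enumerate(blinded):
        if i == keep:
            continue
        text, k = reveal(i)
        if not WELL_FORMED.match(text) or blind(encode(text), k) != t:
            return None                    # Alice caught cheating
    return keep, pow(blinded[keep], D, N)  # blind signature on the survivor

def run(n_bills, cheat_index=None, rng=secrets):
    # "caught", "honest" (a real $100 bill signed) or "forged" (the bad bill survived).
    bills = alice_prepare(n_bills, cheat_index)
    result = bank_cut_and_choose([t for _, _, t in bills], lambda i: bills[i][:2], rng)
    if result is None:
        return "caught"
    keep, s_blind = result
    text, k, _ = bills[keep]
    sig = (s_blind * pow(k, -1, N)) % N    # unblind: divide by k
    assert pow(sig, E, N) == encode(text)  # a valid bank signature on that bill
    return "forged" if keep == cheat_index else "honest"
```

With one bad bill among N, the bank signs it only when its random choice skips exactly that bill, so the cheat succeeds with probability 1/N; `run(1, cheat_index=0)` shows that N = 1 is no check at all.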
![Page 39: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/39.jpg)
39
Add Unique Identifiers
Alice {KUA, KRA}
Bear’s Turns Bank {KUTB, KRTB}
M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.”
Bank → Alice: M, E_KRTB[H(M)]
- Bill can only be redeemed once.
- Bank cannot tell if it is Alice or Bob who cheated (first redeemer wins?)
- Not anonymous; traceable
![Page 40: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/40.jpg)
40
Blinded Identifiers
Alice {KUA, KRA}
Bear’s Turns Bank {KUTB, KRTB}
M = “Bill #51342: Bear’s Turns Bank owes the holder of this message $100.”
Bank → Alice: M, E_KRTB[H(M)]
- Bill can only be redeemed once.
- Bank cannot tell who cheated (first redeemer wins?)
- Anonymous and untraceable
![Page 41: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/41.jpg)
41
Catching Cheaters
Bear’s Turns Bank
Spend a bill once (M, E_KRTB[H(M)] presented to the Bank once): anonymity preserved
Spend a bill twice (M, E_KRTB[H(M)] presented to the Bank a second time): identity revealed
![Page 42: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/42.jpg)
42
Identity Strings
M1, k1
M2, k2
…
M256, k256
I = “[email protected]”
Mi = “Bill #[ri] : Bear’s Turns Bank owes the holder of this message $100.” + identity strings:
I1 = (h(I1L), h(I1R))
...
In = (h(InL), h(InR))
where h is a one-way hash function and each IiL ⊕ IiR = I
![Page 43: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/43.jpg)
43
Spending a Bill
Spender presents: M, E_KRTB[H(M)]
I = “[email protected]”
Mi = “Bill #[ri] : Bear’s Turns Bank owes the holder of this message $100.” + identity strings:
I1 = (h(I1L), h(I1R))
...
In = (h(InL), h(InR))
where h is a one-way hash function and each IiL ⊕ IiR = I
Reveal request: LRRLRLR… (randomly select L or R for each pair)
Reply: I1L, I2R, I3R, I4L, …
Recipient verifies hashes, accepts bill
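The identity-string construction and the reveal/verify exchange above, together with the double-spend detection on slide 41, as an added Python example (not the slides' or DigiCash's code): SHA-256 stands in for h, XOR secret-splitting gives I_iL ⊕ I_iR = I, the identity bytes are constructed, and the function names are this example's own.

```python
import hashlib
import secrets

def h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()      # the one-way hash h from the slide

def make_identity_strings(identity: bytes, n: int):
    # Secret-split I n times: left is a random pad, right = left xor I, so a
    # single half is uniformly random and reveals nothing about I on its own.
    halves, commits = [], []
    for _ in range(n):
        left = secrets.token_bytes(len(identity))
        right = bytes(a ^ b for a, b in zip(left, identity))
        halves.append((left, right))
        commits.append((h(left), h(right)))
    return halves, commits   # halves stay with Alice; commits are embedded in the bill

def spend(halves, challenge: str):
    # challenge is the recipient's reveal request, e.g. "LRRLRLRL" (one letter per pair).
    revealed = [left if c == "L" else right for (left, right), c in zip(halves, challenge)]
    return challenge, revealed

def verify_spend(commits, challenge: str, revealed) -> bool:
    # Recipient checks every revealed half against the committed hash for that side.
    if not (len(commits) == len(challenge) == len(revealed)):
        return False
    return all(h(x) == (hl if c == "L" else hr)
               for (hl, hr), c, x in zip(commits, challenge, revealed))

def detect_double_spend(spend1, spend2):
    # The bank sees the same bill twice. Any position where the two challenges
    # differ yields both halves of one pair, and left xor right = I.
    (ch1, rev1), (ch2, rev2) = spend1, spend2
    for c1, c2, x1, x2 in zip(ch1, ch2, rev1, rev2):
        if c1 != c2:
            return bytes(a ^ b for a, b in zip(x1, x2))
    return None   # identical challenges (probability 2^-n): copy detected, identity not exposed

def random_challenge(n: int) -> str:
    return "".join(secrets.choice("LR") for _ in range(n))
```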
![Page 44: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/44.jpg)
44
How well does this scheme work as a currency?
![Page 45: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/45.jpg)
45
Rise of DigiCash
David Chaum
![Page 46: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/46.jpg)
46
Collapse
Bankrupt, 1998
![Page 47: Before Bitcoin](https://reader035.vdocuments.us/reader035/viewer/2022070602/5879c41b1a28abb42a8b5c13/html5/thumbnails/47.jpg)
47
Charge
Be ready for project elevator pitches starting Wednesday!