blockchain and smart contract long term security (updated)
TRANSCRIPT
![Page 1: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/1.jpg)
Copyright © 2016 Peter Robinson
Blockchain and Smart Contract Long Term SecurityPeter Robinson, [email protected] November 18, 2016
![Page 2: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/2.jpg)
2
Copyright © 2016 Peter Robinson
Overview
▪ Distributed Ledger and Smart Contract systems have as an underlying assumption that once transactions are in a block chain, they are locked-in forever.
▪ This presentation analyses whether this immutability can actually be delivered in the long term, given increasing traditional computational power, the emergence of quantum computing, and the possibility of cryptographic algorithmic flaws.
▪ Additionally, an idea about distributed systems security is presented.
![Page 3: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/3.jpg)
3
Copyright © 2016 Peter Robinson
Caveat on results in these slides
▪ Tentative results are presented herein.
▪ More detailed analysis is needed.
![Page 4: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/4.jpg)
4
Copyright © 2016 Peter Robinson
Agenda
▪ Blockchain and Smart Contract Platforms Long Term Security:▪ Cryptography and Cryptanalysis.
▪ Blockchain Platforms and Cryptanalysis.
▪ Mitigations.
▪ Mitigation for Active Attacks against Distributed Systems.
![Page 5: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/5.jpg)
Copyright © 2016 Peter Robinson
Cryptography & Cryptanalysis
![Page 6: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/6.jpg)
6
Copyright © 2016 Peter Robinson
Cryptography: Algorithms
▪ Digest Algorithm (Hash): SHA256, SHA512, RIPEMD160, KECCAK, SHA3/256:▪ Variable length input -> Fixed Length Output.
▪ Signing: ECDSA (secp256k1)/Digest Algorithm, RSA/Digest Algorithm:▪ Sign with private key, verify with public key.
![Page 7: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/7.jpg)
7
Copyright © 2016 Peter Robinson
Cryptography: Message Digests / Hashes
?
Preimage Resistance
Hash
n
h(x)
x
Second Preimage Resistance
Hash
n
h(x)
?
Hash
h(x’)
≠
=
?
CollisionResistance
Hash
n/2
h(x)
?
Hash
h(x’)
≠
=
![Page 8: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/8.jpg)
8
Copyright © 2016 Peter Robinson
Cryptography: Signatures
▪ Forgeability: Recover private key from public key.
▪ Non-repudiation: Have two public keys P1 and P2 which verify the same signature.
▪ Integrity: Have two message digests M1 and M2 which when signed with public key P result in the same signature.
![Page 9: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/9.jpg)
9
Copyright © 2016 Peter Robinson
Cryptography: Security Strength (Assuming no Quantum Cryptanalysis)
Security Strength
RSA ECC HashPreimage
HashCollision
80 1024 RIPEMD160
112 2048
128 3072 secp256k1 SHA256, Keccak-256, SHA512/256
160 RIPEMD160
256 SHA256, Keccak-256, SHA512/256
SHA512SHA3,512
512 SHA512SHA3,512
![Page 10: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/10.jpg)
10
Copyright © 2016 Peter Robinson
Traditional Computing Power
Ref 1: http://www.extremetech.com/wp-content/uploads/2015/04/MooresLaw2.png
![Page 11: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/11.jpg)
11
Copyright © 2016 Peter Robinson
Security Strength
RSA ECC HashPreimage
HashCollision
80 1024 RIPEMD160
112 2048
128 3072 secp256k1 SHA256, Keccak-256, SHA512/256
160 RIPEMD160
256 SHA256, Keccak-256, SHA512/256
SHA512, SHA3,512
512 SHA512, SHA3,512
Cryptography: Security Strength assuming no Quantum Cryptanalysis
2010
2030?
![Page 12: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/12.jpg)
12
Copyright © 2016 Peter Robinson
Quantum Cryptanalysis
▪ Shor’s Algorithm: Allows ECC private key to be calculated from ECC public key.
▪ Gover’s Algorithm: Allows algorithms to be executed in square-root time:▪ Affects message digest algorithms and symmetric key algorithms.
▪ Security Strength after Quantum = (Security Strength Before Quantum) / 2
![Page 13: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/13.jpg)
13
Copyright © 2016 Peter Robinson
Quantum Cryptanalysis
▪ When will Quantum Computing and Quantum Cryptanalysis be a reality?
▪ Michele Mosca, Institute for Quantum Computing and Department of Combinatorics and Optimization, University of Waterloo, said2:▪ “I estimate a 1/7 chance of breaking RSA-2048 by 2026 and a 1/2 chance by 2031”
▪ Predicts a “Moore’s Law” type of increase in capability.
Ref 2: Mosca, M. (2015) “Cybersecurity in an era with quantum computers: will we be ready?”Available: https://eprint.iacr.org/2015/1075.pdf
![Page 14: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/14.jpg)
14
Copyright © 2016 Peter Robinson
Cryptography: Security Strength assuming Quantum Cryptanalysis
Security Strength*
RSA ECC HashPreimage
HashCollision
4 5
19 secp256k1
26 2048
40 RIPEMD160
64 SHA256, Keccak-256,SHA512/256
80 RIPEMD160
128 SHA256, Keccak-256,SHA512/256
SHA512, SHA3,512
256 SHA512, SHA3,512
2012
*: Shor algorithm security strength calculated as log2(K * K * log(K) * log(log(K)))
Late 2020s or 2030s?
![Page 15: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/15.jpg)
15
Copyright © 2016 Peter Robinson
Cryptographic Algorithmic Flaws
Ref 3: Preneel, B. (2013) “Introduction to the Design and Cryptanalysis of Cryptographic Hash Functions”Available: https://www.cosic.esat.kuleuven.be/summer_school_albena/slides/preneel_hash_july2013_shortv1_print.pdf
![Page 16: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/16.jpg)
Copyright © 2016 Peter Robinson
Blockchain Platforms and Cryptanalysis
![Page 17: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/17.jpg)
17
Copyright © 2016 Peter Robinson
Three Attack Scenarios
▪ Attack existing blocks.
▪ Attacking new blocks as they are being made:▪ Miners either altering transactions being included in blocks or being able to always mine
the best block.
▪ Users either craft transactions masquerading as other users or craft transactions to double spend.
![Page 18: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/18.jpg)
18
Copyright © 2016 Peter Robinson
Bitcoin: Cryptographic Usage4
▪ Main Hash: HM(x) = SHA256(SHA256(x))
▪ Address Hash: HA(x) = RIPEMD160(SHA256(x))
▪ Key Pairs: ECC using secp256k1 curve.
▪ Signatures: ECDSA, with Main Hash.
Ref 4: Giechaskiel, I., Cremers, C., Rasmussen, K. (2016) “On Bitcoin Security in the Presence of Broken Crypto Primitives”
![Page 19: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/19.jpg)
19
Copyright © 2016 Peter Robinson
Ripple Cryptographic Usage
▪ Main Hash: HM(x) = 256 bit truncated SHA512(x)
▪ Address Hash: HA(x) = RIPEMD160(SHA256(x))
▪ Key Pairs: ECC using secp256k1 curve.
▪ Signatures: ECDSA, with Main Hash.
![Page 20: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/20.jpg)
20
Copyright © 2016 Peter Robinson
Ethereum Cryptographic Usage
▪ Main Hash: HM(x) = KECCAK-256(x)
▪ Address Hash: HA(x) = 160 bit truncated KECCAK-256(x)
▪ Key Pairs: ECC using secp256k1 curve.
▪ Signatures: ECDSA, with Main Hash.
![Page 21: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/21.jpg)
21
Copyright © 2016 Peter Robinson
Cryptography: Security Strength assuming Quantum Cryptanalysis
Security Strength
HashPreimage
HashSecond Preimage
HashCollision
40 Keccak-256/160, RIPEMD160(SHA256(x))
64 SHA256(SHA256(x)), Keccak-256, SHA512/256
80 Keccak-256/160 Keccak-256/160, RIPEMD160(SHA256(x))
128 SHA512/256 SHA256(SHA256(x)), Keccak-256, SHA512/256
208 RIPEMD160(SHA256(x))
256 SHA256(SHA256(x))
![Page 22: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/22.jpg)
22
Copyright © 2016 Peter Robinson
Attack Existing BlocksMessage Digest Algorithm Issues
Breakage Address Hash (HA) Main Hash (HM)
Collision None None
Second pre-image Repudiate transaction Repudiate transaction
Pre-imageUncover public key associated with address None
![Page 23: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/23.jpg)
23
Copyright © 2016 Peter Robinson
Attack Existing BlocksSignature Algorithm Issues
Breakage Effect
Selective forgeryDetermine private key based on public key, then execute transactions
Integrity break Repudiate transaction
Repudiation None
![Page 24: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/24.jpg)
24
Copyright © 2016 Peter Robinson
Miner AttackMessage Digest Algorithm Issues
Breakage Address Hash (HA) Main Hash (HM)
Collision Repudiate transaction
Double spend and execute transactions and then repudiate them
Second pre-image Repudiate transaction
Double spend and execute transactions and then repudiate them
Pre-imageUncover public key associated with address
Complete failure of the blockchain: be able to determine best block more easily than other miners.
![Page 25: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/25.jpg)
25
Copyright © 2016 Peter Robinson
Miner AttackSignature Algorithm Issues
Breakage Effect
Selective forgeryDetermine private key based on public key, then execute transactions
Integrity break Repudiate transaction
Repudiation None
![Page 26: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/26.jpg)
26
Copyright © 2016 Peter Robinson
User AttackMessage Digest Algorithm Issues
Breakage Address Hash (HA) Main Hash (HM)
Collision Repudiate transaction
Double spend and execute transactions and then repudiate them
Second pre-image Repudiate transaction
Double spend and execute transactions and then repudiate them
Pre-imageUncover key associated with address None
![Page 27: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/27.jpg)
27
Copyright © 2016 Peter Robinson
User AttackSignature Algorithm Issues
Breakage EffectSelective forgery None
Integrity break Execute transactions and then repudiate them
RepudiationExecute transactions and then repudiate them
![Page 28: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/28.jpg)
Copyright © 2016 Peter Robinson
Mitigations
![Page 29: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/29.jpg)
29
Copyright © 2016 Peter Robinson
Mitigations: Better Use of Existing Algorithms
▪ Use stronger algorithms for Address Hash and Main Hash.
▪ Address Hash: ▪ SHA 512(SHA 512(x)) or
▪ SHA3/512(x)
▪ Main Hash: ▪ SHA 512(SHA 512(x)) or
▪ SHA3/512(x)
![Page 30: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/30.jpg)
30
Copyright © 2016 Peter Robinson
Cryptography: Security Strength assuming Quantum Cryptanalysis
Security Strength
HashPreimage
HashSecond Preimage
HashCollision
40 Keccak-256/160, RIPEMD160(SHA256(x))
64 SHA256(SHA256(x)), Keccak-256, SHA512/256
80 Keccak-256/160 Keccak-256/160, RIPEMD160(SHA256(x))
128 SHA512/256 SHA256(SHA256(x)), Keccak-256, SHA512/256
SHA 512(SHA 512(x)), SHA3/512(x)
208 RIPEMD160(SHA256(x))
256 SHA256(SHA256(x)), SHA3/512(x) SHA 512(SHA 512(x)), SHA3/512(x)
512 SHA 512(SHA 512(x))
![Page 31: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/31.jpg)
31
Copyright © 2016 Peter Robinson
Mitigations: Post-Quantum
▪ USA’s NIST are looking to standardize post-quantum algorithms by 20225.
▪ Lattice Based Signature Algorithms:▪ Different type of mathematics to RSA and ECC.
▪ Historically, Lattice based algorithms have been found to be not as strong as first thought after two to five years of cryptanalysis.
▪ Sphincs:▪ Based on well understood message digest algorithms.
▪ Larger public keys, private keys and signatures.
Ref 5: http://csrc.nist.gov/groups/ST/post-quantum-crypto/documents/pqcrypto-2016-presentation.pdf
![Page 32: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/32.jpg)
32
Copyright © 2016 Peter Robinson
Mitigations: Be Prepared to Change▪ Blockchain platforms need to have migration plans in place.
▪ Allow for multiple algorithms:▪ Should allow for faster transition in case of a sudden event: stop accepting transactions which
use one algorithm.
▪ Can lead to downgrade attacks.
▪ Learn from other domains such as Transport Layer Security.
▪ Plan for:▪ Larger signatures and larger identifiers.
▪ Re-sign entire blockchain.
▪ Roll-over all keys to newer algorithms.
![Page 33: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/33.jpg)
Copyright © 2016 Peter Robinson
Mitigation for Active Attacks against Distributed Systems
![Page 34: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/34.jpg)
34
Copyright © 2016 Peter Robinson
Using Blockchain to provide Defence in Depth against Active Attacks
▪ Web applications and SaaS can be delivered as scalable cloud services.
▪ These services can be viewed as distributed systems.
▪ Active attackers may Powerfully Own (POWN) parts of the distributed system.
▪ Distributed Ledgers could be used as a resilient distributed database.
▪ Challenges:▪ Performance.
▪ Non-proof of work consensus algorithms which are resilient to active attack.
▪ Dynamic scaling.
![Page 35: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/35.jpg)
Copyright © 2016 Peter Robinson
Closing
![Page 36: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/36.jpg)
36
Copyright © 2016 Peter Robinson
Future Work
▪ More detailed analysis to verify the results presented herein.
▪ Hyper Ledger needs to be reviewed.
▪ Proof of Stake protocols need to be considered.
![Page 37: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/37.jpg)
37
Copyright © 2016 Peter Robinson
Summary
▪ Cryptography is a dynamic field. Things change:▪ Quantum Cryptanalysis may become a reality.
▪ Processing power is still ever increasing despite declarations, “Moore’s Law is dead”.
▪ Breaks in cryptographic algorithms happen from time to time.
▪ Plan for change:▪ Do mitigation planning and determine migration paths.
▪ Start executing changes now which can be done now.
![Page 38: Blockchain and Smart Contract Long Term Security (updated)](https://reader035.vdocuments.us/reader035/viewer/2022070516/587331251a28ab596c8b6ab5/html5/thumbnails/38.jpg)
38
Copyright © 2016 Peter Robinson
Questions