overview of blockchain security · 2017-02-19 · in bitcoin we need to wait for 10 minutesand a...

Overview of Blockchain Security - in Crypto we Trust - Nicolas T. Courtois - University College London, UK


Post on 11-Aug-2020


Page 1: Overview of Blockchain Security · 2017-02-19 · In bitcoin we need to wait for 10 minutesand a large multiple of it for larger transactions. Speed is slow mostly out fearof possible

Overview of Blockchain Security

- in Crypto we Trust -

Nicolas T. Courtois

- University College London, UK


Crypto Currencies

2 Nicolas T. Courtois 2009-2016

Need For Speed

http://video.ft.com/3667480923001/Camp-Alphaville-on-cashless-society/Editors-Choice,

2 July 2014.

At minute 02.48: Dr. Nicolas Courtois of UCL:

"[...] It's not true that bitcoin is 'the Internet of Money'.

Bitcoin is 'The Horse Carriage of Money' [...]"


Need For Speed – Open Problems

Nicolas Courtois:

On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534

Nicolas T. Courtois, Pinar Emirdag and Daniel A. Nagy:

Could Bitcoin Transactions Be 100x Faster?

will appear in SECRYPT 2014, 28-30 August 2014, Vienna, Austria.

Poster: http://www.nicolascourtois.com/bitcoin/POSTER_100x_Secrypt2014_v1.0.pdf


I Also Always Thought That..

Speed

Security 0


We Can Have (At Least Sometimes)

Speed

Security


Security => Speed?

Amazing, normally security and speed are opposites.

In financial markets one can execute trades in microseconds.

In bitcoin we need to wait for 10 minutes, and a large multiple of it for larger transactions.

Speed is slow mostly out of fear of possible double spending attacks, which imposes certain precautions.

Fixing these security problems simply allows us to make bitcoin transactions much faster, or rather to accept them much earlier.


Groups and ECC

So Fix the Security Problems!


Questions:

• How can a community of individuals run a financial cooperative without being manipulated by powerful entities?

• Can we trust the source code and cryptography?

Security of Bitcoin

Dr. Nicolas T. Courtois

1. cryptologist and codebreaker

2. payment and smart cards (e.g. bank cards, Oyster cards etc…)


“Cryptographer’s Dream”

• Building “trust-less” systems and a “trust-less” society.

• How do we do it?

• Crypto “protocols” with several parties who do not know each other in advance and WITHOUT any trusted authorities: lawyers, notaries, CAs, bankers, accountants, auditors, policemen, law makers, government officials, etc…

– Modern cryptography makes such things possible…


Cryptographers’ Magic Words

• Non-repudiation

• Soundness

• Zero-Knowledge

• Ring signature

• Etc…


My Blog and UCL Bitcoin Seminar

blog.bettercrypto.com / SEMINAR

or Google "UCL bitcoin seminar"


UCL Student Research Competition 2016

We award cash prizes for students doing research on blockchain security.

• Best Paper / best thesis etc.


Master Thesis Research Prize Fund 2016

Prize Jury:

• Prof. Jan Aldert Bergstra, Institute of Informatics, University of Amsterdam

• Prof. Alex Biryukov, University of Luxembourg

• Dr. Nicolas T. Courtois, Senior Lecturer, University College London

• Ass. Prof. Stefan Dziembowski, University of Warsaw, Poland

• Prof. Jean-Paul Delahaye, Lille University of Science and Technology, France

• Dr. Aggelos Kiayias, National and Kapodistrian University of Athens, Greece

• Prof. David Naccache, Ecole Normale Supérieure and IngenicoLabs, France

• Dr. Paolo Tasca, Deutschebank, Frankfurt, Germany


It Started with Bitcoin…


Are They Crazy?

Anything can be “money” if sufficiently many people accept it… (e.g. salt).

• popularity

legal tender, government standardization and regulation

<= in Google searches and press/media bitcoin is a lot more famous than Snowden/NSA etc…

• trust

trustworthy authority

<= distributed computer system acting on self-interest

NO NEED TO TRUST ANYONE


Bitcoin

Based on cryptography and network effects.


Bitcoins

• bitcoins are cryptographic money

– public ledger: history shows how many bitcoins each user has…

• user has the right to transfer his bitcoins to any other user

– users are known by their pseudonyms, H(PKeys)

– each person can use an unlimited number of distinct pseudonyms (accounts)

Ak8SKske38

B2v8skd48k


Digital Signatures


Digital Signature

Signature is attached to data.

Serves as a method of authentication for these data.

Data

Signature


Digital Signatures

Idea: cryptographic solution

Definition: 3 algorithms…

key generation algorithm: outputs pk (public key) and sk (private key)


Digital Signature

signing algorithm: inputs m and sk (private key), output s

verification algorithm: inputs pk (public key) and (m,s), output yes/no

forgery


2x Link

• EU Directive 1999,

• National Laws…

e.g. UK Electronic Communications Act 2000


Signatures - Requirements

1. Authenticity – guarantees the document signed by…

2. Non-repudiation = Imputability

1. Public verify-ability – anyone can verify!

0. Completeness – honest signer always accepted

1. Soundness – dishonest signer always rejected


Security Definitions

A triple

1. Adversarial Goal.

2. Resources of the Adversary:

3. Access / Attack to the system


Secure Public Key Signature

The “good” definition [Goldwasser-Micali-Rivest 1988]:

EUF-CMA (Existential Unforgeability under CMA)

1. Adversarial Goal.

Find any new pair (m,s) (new m)!

Strong version: even if m is old (signed before).

2. Resources of the Adversary: Any Probabilistic Turing Machine doing 2^80 computations.

3. Access / Attack: May sign any message except one (target). (Adaptively Chosen Message Attacks).


*Attacks on Signature Schemes

1. Adversarial Goal.

• BK - Recover the private key, • e.g. factor .

• UF - Universal forgery – sign any message, may be easier ! e.g. compute:

• SF - Selective Forgery – sign some messages

• EF - Existential Forgery – just sign any message, even if it means nothing useful.

• Malleability: sign a message that has been already signed by the legitimate user.


Trust Less!

Digital Signatures are important in order to build these TRUSTLESS systems.

Example: My bank card signs a transaction with RSA, the bank does NOT know the private key, ONLY the public key.

We NO LONGER need to trust the bank.

The banker cannot forge transactions done with my card!


E-Cash [Chaum] and Bitcoin [Nakamoto]


New Coins

1. initially X coins are attributed through Proof Of Work (POW) to one public key A

– to earn bitcoins one has to “work” (hashing) and consume energy (pay for electricity)

– do a difficult computation => you have earned 25 bitcoins

– works like a lottery (1 winner/10 minutes)

2. Major alternative option: bank/trusted authority/mintette can attribute coins initially

– everybody knows who has these bitcoins: A

PK A


Transfer of Coins

• initially money: hard work/attribution => public key A

• money transfer from public key A to public key B:

– simply sign that you transfer the money to a new user,

– multiple confirmations: the network will re-confirm many times…

– we do NOT need to assume that ALL people are honest.

• with time it becomes too costly to cheat

PK A

PK B
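Why merchants wait for "a large multiple" of 10 minutes can be quantified with the attacker catch-up model from section 11 of the Bitcoin whitepaper. This is an added example, not code or analysis from these slides; the function names and the 0.1% risk threshold are assumptions chosen for illustration.

```python
import math

BLOCK_INTERVAL_MIN = 10  # average block interval quoted on the slides


def double_spend_probability(q: float, z: int) -> float:
    """Chance that an attacker with hash share q overtakes z confirmations.

    Whitepaper model: while the merchant waits for z blocks, the attacker's
    private chain grows by a Poisson-distributed number of blocks with mean
    z*q/p; from a deficit of d blocks the attacker ever catches up with
    probability (q/p)**d.
    """
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("need 0 <= q <= 1 and z >= 0")
    if q >= 0.5 or z == 0:
        return 1.0  # majority attacker, or zero-confirmation payment
    if q == 0.0:
        return 0.0
    p = 1.0 - q
    lam = z * q / p
    honest_wins = 0.0
    for k in range(z + 1):
        # Poisson term evaluated in log space so large z cannot overflow
        log_pk = -lam + k * math.log(lam) - math.lgamma(k + 1)
        honest_wins += math.exp(log_pk) * (1.0 - (q / p) ** (z - k))
    return 1.0 - honest_wins


def confirmations_needed(q: float, max_risk: float, z_limit: int = 1000):
    """Smallest z whose double-spend risk is below max_risk, else None."""
    if q >= 0.5:
        return None  # no number of confirmations helps in this model
    for z in range(z_limit + 1):
        if double_spend_probability(q, z) < max_risk:
            return z
    return None


def expected_wait_minutes(q: float, max_risk: float):
    """Average waiting time implied by the confirmation policy."""
    z = confirmations_needed(q, max_risk)
    return None if z is None else z * BLOCK_INTERVAL_MIN


def policy_table(shares=(0.01, 0.10, 0.30, 0.45), max_risk=0.001):
    """(attacker share, confirmations, minutes) for each assumed share."""
    return [(q, confirmations_needed(q, max_risk),
             expected_wait_minutes(q, max_risk)) for q in shares]


if __name__ == "__main__":
    for q, z, minutes in policy_table():
        print(f"attacker share {q:.2f}: wait {z} confirmations (~{minutes} min)")
```

The required waiting time grows sharply as the assumed attacker share approaches one half, which is the cost in speed that the slides attribute to double-spending precautions.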


Authorizing Transfer of Coins

• you have a private key => you have the money (right to transfer)

– keys stored on PCs or mobile phones

– publicly verifiable, only one entity can sign

• you can transfer ALL yet unspent attributions

• if Tx has several inputs => everybody must sign

• data to be signed:

• Origin Tx(s)

• Amount(s)

• New Owner(s)

Signature


Block Chain

Def:

Public transaction database or a ledger.

Every transaction ever made is public.

Bitcoin blocks contain a Proof Of Work (POW)

(they are basically hard to make)

Wallets and Key Management

Bitcoin Network

Three sorts of entities:

• Miner nodes – 50K

– Hashing with public keys

• Peer Nodes – 5K

– Relay and store transactions and blocks

• Wallet Nodes – 5.5M, 0.25M active

– Store and release funds,

– Focus on management of private keys, master keys etc etc.


Tx LifeCycle

It is possible to almost totally separate:

• Miner nodes

– Hashing with public keys

• Peer Nodes

– Relay and store transactions and blocks

• Wallet Nodes:

– Store and release funds,

– Focus on management of private keys, master keys etc.

tx

tx

public ledger

burn

Cryptographic Security of ECDSA in Bitcoin

Bitcoin Address


Ledger-Based Currency

A “Bitcoin Address” = a sort of equivalent of a bank account.

Remarks:

• PK is NOT public!

• only H(public key) is revealed!

• PK remains confidential until some money in this account is spent.

• SK = private key: always keep private, allows transfer of funds.


Bitcoin Ownership

Amounts of money are attributed to public keys.

Owner of a certain “Attribution to PK” can at any moment transfer it to some other PK (== another address).

Destructive, cannot spend twice:

not spent


*Multi-Signature Addresses


MultiSig = Addresses Starting with 3

Bitcoin can require several private keys simultaneously in order to transfer the money.

– For example 2 out of 3 signatures are required to spend bitcoins.

– The keys can be stored on different devices (highly secure).

– Can work without backups: if one device is lost, use other devices to transfer bitcoins to a new multisig address with another set of devices...


Multi-Sig Concept is NOT new…

1993

K. Itakura, K. Nakamura: A public-key cryptosystem suitable for digital multi-signatures

1983


BTC Transfer


Bitcoin Transfer

Transactions have multiple inputs and multiple outputs.

Transaction Signed by All Owners with their SK

Output Bitcoin Addresses

Input Bitcoin Addresses

0.2 BTC

1.3 BTC

0.001 BTC

0.499 BTC

1.0 BTC + Fees


Transaction Scripts


Signed Tx / Final Tx

byte by byte (similar but not identical to raw blocks seen before)

(this is done twice, with different scriptSig)

2 scripts

scriptSig length 1 byte

scriptPubKey length 1 byte

scriptPubKey

scriptSig

(not widely used)


Second scriptSig

sign+PKey

scriptSig1 = signature (r,s)

scriptSig2 = Pkey = (x,y)

len = 1+71+1+65 = 138 BUT NOT ALWAYS!

scriptSig

r

s
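The "BUT NOT ALWAYS" above comes from the DER encoding of (r,s) and from the public key format, so any code that parses a scriptSig has to read the push-length bytes instead of assuming 138. This is an added example, not code from the slides; the r, s and public key values are constructed byte patterns (not real curve points) and all function names are hypothetical.

```python
SIGHASH_ALL = 0x01


def der_integer(n: int) -> bytes:
    """DER INTEGER: minimal big-endian bytes, 0x00-padded if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the value positive
    return b"\x02" + bytes([len(raw)]) + raw


def der_signature(r: int, s: int) -> bytes:
    """DER SEQUENCE of r and s (short-form length is enough for 256-bit values)."""
    body = der_integer(r) + der_integer(s)
    return b"\x30" + bytes([len(body)]) + body


def push(data: bytes) -> bytes:
    """Direct push: one length byte (1..75) followed by the data."""
    if not 1 <= len(data) <= 75:
        raise ValueError("direct push holds 1..75 bytes")
    return bytes([len(data)]) + data


def build_script_sig(r: int, s: int, pubkey: bytes) -> bytes:
    """<signature + sighash byte> <public key>, as laid out on the slide."""
    return push(der_signature(r, s) + bytes([SIGHASH_ALL])) + push(pubkey)


def parse_script_sig(script: bytes):
    """Split a two-push scriptSig by reading each length byte; reject bad input."""
    items, pos = [], 0
    while pos < len(script):
        n = script[pos]
        if not 1 <= n <= 75:
            raise ValueError("not a direct push")
        if pos + 1 + n > len(script):
            raise ValueError("truncated push")
        items.append(script[pos + 1:pos + 1 + n])
        pos += 1 + n
    if len(items) != 2:
        raise ValueError("expected signature and public key")
    return items[0], items[1]


def fixed_offset_pubkey(script: bytes) -> bytes:
    """What a parser hard-coding the 138-byte layout would extract."""
    return script[73:73 + 65]


# Constructed sample values (lengths and top bits are what matter here)
LOW = int.from_bytes(b"\x7f" + b"\x11" * 31, "big")        # 32 bytes, top bit clear
HIGH = int.from_bytes(b"\x80" + b"\x11" * 31, "big")       # 32 bytes, top bit set
SHORT = int.from_bytes(b"\x00\x7f" + b"\x11" * 30, "big")  # only 31 significant bytes
UNCOMPRESSED = b"\x04" + b"\xaa" * 64                      # 65-byte (x,y) form
COMPRESSED = b"\x02" + b"\xaa" * 32                        # 33-byte form


def length_cases() -> dict:
    """scriptSig length for each combination of r, s and key format."""
    return {
        "r,s top bit clear": len(build_script_sig(LOW, LOW, UNCOMPRESSED)),
        "r top bit set": len(build_script_sig(HIGH, LOW, UNCOMPRESSED)),
        "r and s top bit set": len(build_script_sig(HIGH, HIGH, UNCOMPRESSED)),
        "r has a leading zero byte": len(build_script_sig(SHORT, LOW, UNCOMPRESSED)),
        "compressed public key": len(build_script_sig(LOW, LOW, COMPRESSED)),
    }


if __name__ == "__main__":
    for name, size in length_cases().items():
        print(f"{name:28s} {size} bytes")
```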


Is Bitcoin Secure?

Satoshi claimed it is…

Bitcoin Hardware Wallets

Wallets


Bottom Line

Main Functionality:

-Private Key Generation

-Export public key

-ECDSA sign

-optional:

• sign full BTC transactions

• confirm recipient on the screen! (huge classical problem with all smart cards and digital signature devices; Ledger has a clever solution: regurgitates inputs on another device, USB keyboard)

Trezor: bitcointrezor.com

BTChip HW1: hardwarewallet.com

Ledger: ledgerwallet.com


BTChip HW.1

since Jan 2013


*Features of USB card ST23YT66

2K

6K

1.0

NESCRYPT crypto-processor for PK crypto

• 900 ms for 1 ECDSA signature

• 900 ms for key gen

• encrypts private keys on the card (‘content’ key) 3DES CBC

• content key can be protected with “a GlobalPlatform Secure Channel” authentication mechanism


Trezor

+ display: know to whom you send the money!

+- has open source firmware: https://github.com/trezor/trezor-mcu

by Satoshi Labs Prague, CZ

released March 2014


Our Works on Bitcoin

-cf. also blog.bettercrypto.com

-Nicolas Courtois, Marek Grajek, Rahul Naik: The Unreasonable Fundamental Incertitudes Behind Bitcoin Mining, http://arxiv.org/abs/1310.7935

-Nicolas Courtois, Marek Grajek, Rahul Naik: Optimizing SHA256 in Bitcoin Mining, CSS 2014.

-Nicolas Courtois, Lear Bahack: On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency http://arxiv.org/abs/1402.1718

-Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534

-Nicolas T. Courtois, Pinar Emirdag and Daniel A. Nagy: Could Bitcoin Transactions Be 100x Faster? In proceedings of SECRYPT 2014, 28-30 August 2014, Vienna, Austria.

-Nicolas T. Courtois, Pinar Emirdag and Filippo Valsorda: Private Key Recovery Combination Attacks: On Extreme Fragility of Popular Bitcoin Key Management, Wallet and Cold Storage Solutions in Presence of Poor RNG Events, 16 Oct 2014, http://eprint.iacr.org/2014/848

-Poster: http://www.nicolascourtois.com/bitcoin/POSTER_100x_Secrypt2014_v1.0.pdf


Hash Power => Security???

Sams writes: "The amount of capital collectively burned hashing fixes the capital outlay required of an attacker […] to have a meaningful chance of orchestrating a successful double-spend attack […]"

REMARK: THIS IS MISTAKEN, read my papers


Crazy Hash Power Increase

Nearly doubled every month… 1000x in 1 year.


Jan 2015: Plateau/Peak Reached


July 2016: Halving => Decline Predicted


Decline?: NOT if price goes up!


“Programmed Self-Destruction”

Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534


Unobtanium – pump and dump: evidence

price (grey)

hash rate

volume (yellow)

Cause:

Effect:


DogeCoin Predicted Decline [Courtois]

– hash rate MUST decline, as a result of monetary policy


Josh Mohland, 4 August 2014

Acknowledged that:

• Dogecoin was never "intended to function as a full-fledged transaction network",

• "Dogecoin was built to die quickly – none of us expected it to grow into the absurd entity it is today.

• With that said, there's absolutely an easy way to save the coin from its certain death (and by death I mean 51% attacked [...])”

=> after the reform Dogecoin Market price more than tripled…


Cryptome Renamed My Paper:

=> Actually I show that quite possibly bitcoin is EXEMPT from destruction [natural monopoly].

=> Whatever is Bad with bitcoin is even worse with most alt-coins.

http://cryptome.org/2014/05/bitcoin-suicide.pdf ?????????


Bitcoin vs.

Security Engineering


Re-Engineering Bitcoin:

We postulate:

1. Open design.

2. Least Common Mechanism

3. Assume that attacker controls the Internet [Dolev-Yao model, 1983].

4. The specification should be engineered in such a way that it is hard for developers to make it insecure on purpose (e.g. embed backdoors in the system).

[Saltzer and Schroeder 1975]


Least Common Mechanism

Violated in Bitcoin:

http://video.ft.com/3667480923001/Camp-Alphaville-on-cashless-society/Editors-Choice,

2 July 2014.

At minute 02.55: Dr. Nicolas Courtois of UCL:

“…One of the fundamental mistakes of bitcoin is that they use 'the Longest Chain Rule' to decide simultaneously which block gets accepted and which transactions get accepted, […] a big mistake.”


Least Common Mechanism

Violated in Bitcoin also because it uses:

• OpenSSL and other standard libraries with massive amounts of code which is not useful at all for bitcoin

• when using TOR

• etc..


Open Design Principle

[Saltzer and Schroeder 1975]


Open Design ≠ Open Source

Examples: cryptography such as SHA256 (used in bitcoin) is open source but NOT open design – it was designed behind closed doors!


Anarchy? Dark Side

• In Bitcoin many things which are BUGS are presented as FEATURES:

– monetary policy (or the lack of one) – frequent criticism

– problematic cryptography =

• anonymous founder syndrome, standardized yet TOTALLY disjoint from normal industrial cryptography, NOBUS syndrome (NSA jargon)

– decision mechanisms (the Longest Chain Rule)

• no reason why the same mechanism decides which blocks are valid and which transactions are valid, by far too slow, too unstable, too easy to manipulate

– 51% attacks ARE realistic, feasible and … INEXPENSIVE!

– sudden jumps in monetary policy => genetically-programmed self-destruction of many crypto currencies

See: Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534

Page 73

Crypto Currencies

Dangers of Open Source

• the open-source nature of the developer population provides opportunities for frivolous or criminal behavior that can damage the participants in the same way that investors can be misled by promises of get rich quick schemes [...]

• one of the biggest risks that we face as a society in the digital age [...] is the quality of the code that will be used to run our lives.

Cf. Vivian A. Maese: Divining the Regulatory Future of Illegitimate Cryptocurrencies, In Wall Street Lawyer, Vol. 18 Issue 5, May 2014.

Page 74

Crypto Currencies

Citation

Bitcoin is:

• Wild West of our time [Anderson-Rosenberg]

Page 75

Crypto Currencies

ECC - Certicom Challenges [1997, revised 2009]

Page 76

Crypto Currencies

Official Bitcoin Wiki

https://en.bitcoin.it/wiki/Myths#Bitcoins_are_worthless_because_they.27re_based_on_unproven_cryptography

“SHA256 and ECDSA which are used in Bitcoin are well-known industry standard algorithms. SHA256 is endorsed and used by the US Government and is standardized (FIPS180-3 Secure Hash Standard).

If you believe that these algorithms are untrustworthy then you should not trust Bitcoin, credit card transactions or any type of electronic bank transfer.”

Bitcoin has a sound basis in well understood cryptography.

Page 77

Crypto Currencies

Official Bitcoin Wiki

https://en.bitcoin.it/wiki/Myths#Bitcoins_are_worthless_because_they.27re_based_on_unproven_cryptography

“SHA256 and ECDSA which are used in Bitcoin are well-known industry standard algorithms. SHA256 is endorsed and used by the US Government and is standardized (FIPS180-3 Secure Hash Standard).

If you believe that these algorithms are untrustworthy then you should not trust Bitcoin, credit card transactions or any type of electronic bank transfer.”

Bitcoin has a sound basis in well understood cryptography.

Well… actually it has a major bug in it.

Major security scandal in the making?

Expect a lawsuit??? for

– failing to adopt the crypto/industry best practices,

– for supporting a dodgy cryptography standard,

– not giving users worried about security any choice,

– and the lack of a careful/pro-active/preventive security approach etc...

Blame Satoshi

Page 78

Crypto Currencies

Officially Not Recommended

Dan Brown, chair of SEC [Certicom, Entrust, Fujitsu, Visa International…]

“I am surprised to see anybody use secp256k1”

September 2013,

https://bitcointalk.org/index.php?topic=289795.80

Page 79

Security of Bitcoin

What If? CataCrypt Conference

Tried to improve the security baseline…

Page 80

Bitcoin Crypto Bets

Wanna Bet?

2016

Page 81

Crypto Currencies

Blockchain Anonymity

Privacy/Anonymity is NOT a concern for the 90%.

WRONG:

• Asymmetry of information market manipulation and big data used by dishonest competitors.

Blockchain technology WILL NEVER be adopted by banks if it INCREASES the disclosures => need for anonymity solutions.

• Ring signatures.

• Zero knowledge proofs.

• Other advanced crypto, e.g. attribute-based encryption.

Page 82

Digital Signatures

Digital Signatures – 1 Signer

1. Authenticity – guarantees the document signed by…

2. Non-repudiation = Imputability

1. Public verify-ability – anyone can verify!

0. Completeness – honest signer always accepted

1. Soundness – dishonest signer always rejected

Page 83

Digital Signatures

Group Signatures

1. Authenticity – guarantees the document signed by…

2. Non-repudiation = Imputability

1. Public verify-ability – anyone can verify!

0. Completeness – honest signer always accepted

1. Soundness – dishonest signer always rejected

2. Anonymity – the verifier does not know who signed!

signer ∊ ABCD

Page 84

Crypto Currencies

Group Signatures - Big Brother Syndrome

Centralized: a group leader/manager sets it up

Single Point of Failure

Traceable: most schemes ALLOW anonymity to be removed [by the manager].

Not flexible: groups are defined beforehand

Not permission-free: nobody will force me to be a part of a group.

Page 85

Crypto Currencies

Ring Signatures – Very Different

De-Centralized: no group manager

Next weak point: it is sufficient to “crack” one key

In most schemes THERE IS NO WAY to remove anonymity

Super flexible: ad-hoc groups not defined beforehand

Permission-less: I can be involved in one signature without doing anything

Deniable: it was not me… the contrary of Non-repudiation/Imputability.

- Problems: there are ways to compromise anonymity: backdoors, covert channels…

- Potential legal problems [Satoshi Nakamoto vs UK Law]

Main currency: XMR = Monero, 20 M$ market cap @0716, 8x increase in 2 weeks.

Page 86

RST-style Ring Signatures

• Based on RSA/Rabin/other Trapdoor OWF

Page 87

Linkable Ring Signatures

• Linking signatures by the same signer, with no revocation of anonymity!

• Needed to prevent double-spending.
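The ring-signature properties from the slides above (ad-hoc ring, no manager, signatures by the same key linkable without naming the signer), shown as an added example that is not part of the original slides. It follows the Liu-Wei-Wong LSAG construction over a toy group; the parameters and all function names are constructed for illustration.

```python
import hashlib, secrets

# Toy Schnorr group (constructed; far too small for real use): P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def H(*parts):  # SHA-256 as an integer; challenges keep their full 256-bit width
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def hash_to_group(ring):
    """Derive h != 1 in the order-Q subgroup from the ring; nobody knows log_G(h)."""
    ctr = 0
    while True:
        h = pow(H("base", ctr, ring) % P, 2, P)   # squaring lands in the subgroup
        if h > 1:
            return h
        ctr += 1

def step(msg, ring, image, h, y, c, s):
    """One link of the ring: next challenge from member y's challenge c and response s."""
    a = pow(G, s, P) * pow(y, c, P) % P
    b = pow(h, s, P) * pow(image, c, P) % P
    return H(msg, ring, image, a, b)

def sign(msg, ring, idx, x):
    """Sign as ring[idx] = G^x. No manager and no cooperation from the other members."""
    ring, n = tuple(ring), len(ring)
    h = hash_to_group(ring)
    image = pow(h, x, P)                  # link tag: fixed per (key, ring), reveals no index
    c, s = [0] * n, [secrets.randbelow(Q) for _ in range(n)]
    u = secrets.randbelow(Q)
    i = (idx + 1) % n
    c[i] = H(msg, ring, image, pow(G, u, P), pow(h, u, P))
    while i != idx:                       # other members are simulated from public keys only
        c[(i + 1) % n] = step(msg, ring, image, h, ring[i], c[i], s[i])
        i = (i + 1) % n
    s[idx] = (u - x * c[idx]) % Q         # only the real secret key closes the ring
    return c[0], s, image

def verify(msg, ring, sig):
    ring, (c0, s, image) = tuple(ring), sig
    if len(s) != len(ring) or not 1 < image < P or pow(image, Q, P) != 1:
        return False
    h, c = hash_to_group(ring), c0
    for y, si in zip(ring, s):
        c = step(msg, ring, image, h, y, c, si)
    return c == c0

def linked(sig1, sig2):
    return sig1[2] == sig2[2]             # same key on the same ring => same tag (double-spend check)
```

In this construction the tag is bound to the ring, so two signatures link only when they were made over the same ring.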

Page 88

Digital Signatures

Zero-Knowledge

1. Authenticity – guarantees the document signed by…

2. Non-repudiation = Imputability

1. Public verify-ability – anyone can verify!

0. Completeness – honest signer always accepted

1. Soundness – dishonest signer always rejected

2. Zero-Knowledge – the verifier does not learn ANYTHING more than needed

Statement is True!

Prover Verifier

Transferability: Can the verifier convince a third party?

Page 89

ZK

Attacks on Proofs of Knowledge

Prover

Verifier

Passive

Active

Impersonation

Extract the Secret
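Completeness, soundness and zero-knowledge from the two slides above, made concrete with Schnorr's identification protocol as an added example that is not part of the original slides. The toy group and all function names are constructed for illustration.

```python
import secrets

# Toy Schnorr group (constructed; far too small for real use): P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def commit():
    """Prover, move 1: fresh nonce k and commitment t = G^k."""
    k = secrets.randbelow(Q)
    return k, pow(G, k, P)

def respond(x, k, c):
    """Prover, move 3: response to the verifier's challenge c."""
    return (k + c * x) % Q

def check(y, t, c, s):
    """Verifier: accept iff G^s == t * y^c."""
    return pow(G, s, P) == t * pow(y, c, P) % P

def run(x, y):
    """Completeness: a prover who knows x = log_G(y) is always accepted."""
    k, t = commit()
    c = secrets.randbelow(Q)              # verifier's random challenge (move 2)
    return check(y, t, c, respond(x, k, c))

def simulate(y):
    """Zero-knowledge: an accepting transcript built from the public key alone."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = pow(G, s, P) * pow(y, -c, P) % P  # choose t last so the check holds
    return t, c, s

def extract(c1, s1, c2, s2):
    """Soundness: two accepting answers to ONE commitment reveal the secret x."""
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q
```

Because `simulate` produces accepting transcripts without the secret, a recorded interactive transcript does not by itself convince a third party; `extract` shows why a prover must never answer two challenges for the same commitment.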

Page 90

Crypto Currencies

“Cryptographer’s Job”

• Claim:

– Blockchains do need A LOT MORE “good” cryptography to be widely adopted.

– They cannot be adopted as they are today.

– The security of current blockchains is very bad.