Cryptocurrency Café cs4501 Spring 2015 David Evans University of Virginia Class 4: Verifiably Random

Upload: david-evans

Post on 14-Jul-2015


Cryptocurrency Café, cs4501 Spring 2015, David Evans, University of Virginia

Class 4: Verifiably Random

Plan for This Week

Signing with Elliptic Curves (Sketch)

Elliptic Curve Parameters

Dual-EC Duel

Preventing Double Spending

Distributed Consensus

The Blockchain


Office Hours today! Me: after class. Nick: 5-7pm in Rice 442

Project 1 Due Friday, 11:59pm

Wednesday

Signing with Elliptic Curves


Elliptic curve discrete logarithm problem: given points P and Q, it is hard to find k such that Q = kP.

How can we use this hardness assumption to make an asymmetric cryptosystem?


Parameters: curve, G (a point on curve), (large) n such that nG = 0.

Key pair:
Private key: d = a random integer in [1, n-1]
Public key: point Q = dG


Sign (sketch): pick a random integer k in [1, n-1]; compute the curve point (x, y) = kG; let r = x mod n and z = the hash of the message; signature = (r, s) where s = k⁻¹(z + rd) mod n.

Verifying a Signature


1. Verify Q is valid: Q is on the curve, nQ = 0, and Q must not be 0 (the point at infinity).


2. Verify signature is valid. Compute curve point using Q, z, and signature, and check it.


Why Elliptic Curve instead of RSA?

RSA vs. ECC

Discovery: RSA 1977 (previously discovered in 1969 by GCHQ and perhaps earlier by NSA); ECC 1985 (adoption limited until ~2005)

“Hard” problem: RSA factoring; ECC discrete log on elliptic curve

Key size (for ~112-bit security): RSA 2048 bits (768 bits broken); ECC 224 bits (112 bits broken)

Backdoor risk: RSA none; ECC curves selected by NSA/Certicom/?

Quantum computing risk: RSA known fast factoring algorithms (Shor’s); ECC similar (a variation of Shor’s algorithm solves discrete log)

Implementation challenges: RSA avoiding weak keys, timing side channels; ECC fast operations on elliptic curves, leaks on invalid inputs

Why are RSA keys so much bigger?


Naïve factoring: try division by all numbers up to √N

Best known factoring:

General Number Field Sieve [“Sneakers” 1992]

Largest challenge solved: RSA-768 (2009). (RSA stopped funding challenges in 2007.) NIST deprecated 1024-bit RSA in 2012.

RSA (factoring):
Naïve algorithm: √N divisions
Best known factoring: ~ e^((ln N)^(1/3))
Known vulnerable: 1024-bit

ECC (discrete log on elliptic curve):
Naïve algorithm: p curve additions
Best known: ~ √p (Pollard’s Rho)
Known vulnerable: 113-bit (24 days × 18 FPGA cores, 2014)

Bitcoin’s Curve


Is 4 a random number?


010110000111101100001110111010000000011101100000001110110110010111110011011110010000011100000011101110000000111010100100010100000101000010011101110111111110011000101101010000001001100111000110000011

010110100110101100001110111010100010011101100010001110110110010110110011011010010010011100100011101110010000111010100100010101000101000010011101110110101110011000101101010100001001100111000110010011

Which of these is random?

88575272489122793818301194912983367336244065664308602139494639522473719070217986094370277053921717629317675238467481846766940513200056812714526356082778577134275778960917363717872146844090122495343014654958537105079227968925892354201995611212902196086403441815981362977477130996051870721134999999837297804995105973173281609631859502445945534690830264252230825334468503526193118817101000313783875288658753320838142061717766914730359825349042875546873115956286388235378759375195778185778053217122680661300192787661119590921642019893809525720106548586327886593615338182796823030195203530185296899577362259941389124


Is this sequence random?


normal numbers look random

“Feynman point” (762nd digit of π)

Source of images: http://boallen.com/random-numbers.html

PHP rand() (on Windows)

random.org(atmospheric noise)

Which should you use to generate your wallet’s private key?

Defining Randomness


Андре́й Колмого́ров (Andrey Kolmogorov)

(1903-1987)

For a sequence s, its Kolmogorov Complexity: K(s) = the length of the shortest description of s

A sequence s is random, if K(s) = |s| + C

(This is a somewhat informal version. A real definition would need to be more careful about stating this asymptotically.)

“He was to probability theory what Euclid was to geometry.” (Peter Lax)

Kolmogorov Complexities


s = 000000000000000…

description = “N repeated 0s”

K(s) = log |s| + C1 < |s| + C

t = 010011000111000011110000011111…


description = “t = ""; for (i = 1; i < N; i++) { for (j = 0; j < i; j++) t += '0'; for (j = 0; j < i; j++) t += '1'; }”

K(t) = log |t| + C1 < |t| + C

Kolmogorov Complexities


r=ce792b6c0d8c8a8431345e793ce43f6f55e8c44eb582c659cce7b0ef6135bc


    package main

    import (
    	"crypto/rand"
    	"fmt"
    )

    func main() {
    	b := make([]byte, 16)
    	for {
    		// the slide discarded err, which Go rejects (declared and not used); check it instead
    		if _, err := rand.Read(b); err != nil {
    			panic(err)
    		}
    		fmt.Printf("%x", b)
    	}
    }


(state of /dev/urandom when I ran this)
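An added example (not from the slides) that makes the comparison concrete in Python: the size of a zlib compression serves as a computable upper bound on K(s) for the slides' s and t, for a /dev/urandom draw like the one behind r, and for a short seed stretched with SHA-256 in counter mode. The seed, the lengths and the function names are constructed here.

```python
import hashlib, os, zlib

def zeros(n):
    """The slide's s = 000...0: description "n repeated 0s", so K(s) is about log n."""
    return "0" * n

def staircase(n):
    """The slide's t = 01 0011 000111 ...: a fixed loop plus log n bits of description."""
    return "".join("0" * i + "1" * i for i in range(1, n + 1))

def hash_stream(seed, nbits):
    """Counter-mode SHA-256 stretched from a short seed (the 'amplifying physical randomness'
    idea): its K is tiny, since seed + this function describe it, yet it looks random."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(nbits // 256 + 1))
    return "".join(format(int.from_bytes(blk, "big"), "0256b") for blk in blocks)[:nbits]

def urandom_bits(nbits):
    """Bits straight from the OS pool, as the slide's crypto/rand.Read draws them from /dev/urandom."""
    return format(int.from_bytes(os.urandom(nbits // 8), "big"), f"0{nbits}b")

def description_ratio(s):
    """A computable *upper bound* on K(s)/|s|: bits in a zlib description of s per character of s.
    K(s) itself is undecidable, so no program can certify that a string is random."""
    return 8 * len(zlib.compress(s.encode(), 9)) / len(s)

def compare(nbits=8192):
    """Constructed comparison of the four sequences at (about) the same length."""
    n = int(nbits ** 0.5)                 # staircase(n) has n(n+1) characters
    return {
        "zeros": description_ratio(zeros(nbits)),
        "staircase": description_ratio(staircase(n)),
        "sha256 stream": description_ratio(hash_stream(b"constructed seed", nbits)),
        "urandom": description_ratio(urandom_bits(nbits)),
    }
```

The two incompressible streams look identical to the compressor even though the hash stream has a tiny description (the seed plus this program), which is exactly why an upper bound from a compressor cannot certify randomness.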

Amplifying Physical Randomness

Pseudo-Random Number Generator (diagram): k = f(physical randomness); the outputs are AES_k(0), AES_k(1), AES_k(2), AES_k(3), … (AES keyed with k, applied to a counter).

Every once in a while, compute a new k using new physical randomness.

Computing Kolmogorov Complexity


Given s, how hard is it to compute K(s)?

Understanding Kolmogorov Randomness


What is the smallest natural number that cannot be described in eleven words?


“The smallest natural number that cannot be described in eleven words.”

(word count: 1 2 3 4 5 6 7 8 9 10 11)


It's not just hard, it is undecidable.


How many times does one need to write “verifiably random” to be convincing?


September 2013


Dual-EC PRNG


Update internal state: s_{i+1} = φ(s_i × P), starting from s_0 = physical randomness.

P and Q are points on an elliptic curve.

Generate output bits: r_i = φ(s_i × Q); output the 16 least significant bits of r_i’s x-coordinate.

Curve Used by Dual-EC PRNG

NIST P-256

y^2 = x^3 + ax + b (mod p)
p = 2^256 − 2^224 + 2^192 + 2^96 − 1
a = p − 3
b = 41058363725152142129326129780047268409114441015993725554835256314039467401291

Elliptic curve operations are expensive! Dual-EC PRNG is 1000x slower than strong PRNGs built using symmetric ciphers.

Why use Elliptic Curves for PRNG?

• Easier to plant a back-door in it than designs based on symmetric ciphers

• Can be used to provide provable security properties based on number theory: hardness of discrete log on elliptic curves

– But not done for Dual EC PRNG



P and Q are (random?) points on P-256.


OpenSSL-FIPS Implementation (using NIST P and Q values)

Image credit: Matthew Green

Possible Back Door

P and Q are points on the curve

P is a generator of the curve

All points on curve are kP for some k

Curve is prime order: P = eQ for some e


Challenge: given oi, can you find si?

s_{i+1} = φ(s_i × P), starting from s_0
r_i = φ(s_i × Q)
o_i = 16 least significant bits of r_i’s x-coord


Challenge: given oi, can you find si?

r_i = (x_i, y_i) = (16 unknown bits | o_i, y_i)

Points on the curve: y^2 = x^3 − 3x + b (mod p)


foreach u in [0, 2^16):
    g = u | o_i
    z = g^3 − 3g + b (mod p)
    if z^(1/2) mod p exists, (g, z^(1/2)) is on the curve

How expensive is this? How many are on the curve?


s_{i+1} = φ(s_i × P), r_i = φ(s_i × Q), P = eQ


A = (x, y): the guessed point on the curve; if the guess is right, A = s_i × Q, so φ(e × A) = φ(e × s_i × Q) = φ(s_i × P) = s_{i+1}

One output is enough to learn internal state (if you know e)!
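The search on slides 50-52, written out in Python as an added example (not from the slides or from Shumow and Ferguson), over the P-256 field with the slide's p, a = p − 3 and b. Q, the trapdoor scalar e (with P = eQ), the seed s0 and the 6 dropped bits in demo() are constructed here; Dual-EC drops 16, and the same loop with drop=16 is what the slide's cost question refers to.

```python
p = 2**256 - 2**224 + 2**192 + 2**96 - 1   # NIST P-256 prime, as on the slide
a, b = p - 3, 41058363725152142129326129780047268409114441015993725554835256314039467401291
def add(P1, P2):   # affine point addition on y^2 = x^3 + ax + b; None is the point at infinity
    if P1 is None or P2 is None: return P1 or P2
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = (3*x1*x1 + a) * pow(2*y1, -1, p) if P1 == P2 else (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam*lam - x1 - x2) % p
    return x3, (lam*(x1 - x3) - y1) % p

def mul(k, P1):    # double-and-add scalar multiplication k*P1
    R = None
    while k:
        if k & 1: R = add(R, P1)
        P1, k = add(P1, P1), k >> 1
    return R

def lift_x(x):
    """The point (x, y) if x^3 + ax + b is a square mod p (p = 3 mod 4), else None."""
    z = (x**3 + a*x + b) % p
    y = pow(z, (p + 1) // 4, p)
    return (x, y) if x < p and y*y % p == z else None

phi = lambda pt: pt[0]   # the slides' phi: a point's x-coordinate

def dual_ec(s, P, Q, count, drop):
    """Slide 39: s_{i+1} = phi(s_i P); o_i = phi(s_i Q) with its top `drop` bits removed (16 in Dual-EC)."""
    outs, mask = [], (1 << (256 - drop)) - 1
    for _ in range(count):
        outs.append(phi(mul(s, Q)) & mask)
        s = phi(mul(s, P))
    return outs

def recover_state(o_i, o_next, Q, e, drop):
    """Slide 52: guess the dropped bits, lift to a point A, then s_{i+1} = phi(e A) since e s_i Q = s_i P."""
    mask = (1 << (256 - drop)) - 1
    for u in range(1 << drop):
        A = lift_x((u << (256 - drop)) | o_i)
        if A is None: continue                            # no curve point has this x: wrong guess
        s_next = phi(mul(e, A))
        if phi(mul(s_next, Q)) & mask == o_next: return s_next   # the next output confirms the guess
    return None

def demo(drop=6):
    """Constructed set-up: Q any curve point, e the trapdoor scalar, P = eQ (slide 47), s0 a seed."""
    Q = next(pt for x in range(2, 100) if (pt := lift_x(x)))
    e, s0 = 0x1EADBEEF0BADF00D, 0xC0FFEE
    P = mul(e, Q)
    outs = dual_ec(s0, P, Q, 2, drop)
    return phi(mul(s0, P)), recover_state(outs[0], outs[1], Q, e, drop)
```

Whoever holds e recovers the state from a single output and can then run dual_ec forward to predict every later output, which is why a generator whose constants come with no public derivation should not be trusted for keys.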


Shumow and Ferguson’s conclusion:


September 2013


With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable. … Furthermore, we realize that our advocacy for the DUAL_EC_DRBG casts suspicion on the broader body of work NSA has done to promote secure standards. Indeed, some colleagues have extrapolated this single action to allege that NSA has a broader agenda to “undermine Internet encryption.”

Generating Randomness for Your Private Key


Root Key

DNSSEC Key Ceremony


Charge

Project 1 is due Friday

If you haven’t already read Satoshi’s original bitcoin paper and Chapter 5, please do before Wednesday’s class


Office Hours today! Me: now. Nick: 5-7pm in Rice 442

Project 1 Due Friday, 11:59pm