Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 4095 Lecture 22 – BlockChain Slides adapted from Claudio Orlandi.

Published byWinifred Todd Modified over 6 years ago

Similar presentations

Presentation on theme: "CSE 4095 Lecture 22 – BlockChain Slides adapted from Claudio Orlandi."— Presentation transcript:

1 CSE 4095 Lecture 22 – BlockChain Slides adapted from Claudio Orlandi

2 Bitcoin Privacy Each Bitcoin carries the entire transaction history with it This history should be verified before the coin is accepted A user can create multiple identities, however they have to transfer coins between them, it is possible to correlate these identities Only real anonymity is to transform bitcoin into some other commodity and then re-enter the system

3 Zerocoin – Adding privacy to Bitcoin
New approach to creating electronic coins Based on a technique due to Sander and Ta-shma Extends Bitcoin by adding a ‘decentralized laundry’ Requires only a trusted, append-only bulletin board Bitcoin block chain gives us this!

4 Making Zerocoin 823848273471012983 Zerocoins are just numbers
Each is a digital commitment to a random serial number Anyone can make one!

5 Commitments Two phase cryptographic protocol, Commitment and Open Commitment produces a value c that binds the committed value without revealing it Simultaneously hard to: Open to a different value Learn about committed value before it is opened Commitments are transferable, just need to transfer committed value and randomness used

6 Making Zerocoin Zerocoins are just numbers
They have value once you put them on the block chain This costs e.g., 1 bitcoin 1.0,A->B 1.0,J->Z .23,C->E .23,E->F .23,E->F 1.03,S->J bitcoins 1.0, 1.2,E->J .9,M->B .9,M->B 2.5,M->S .9B->D .2,M->J 1.0->Z 1.0->Z ... ... ... ... ... HASH HASH HASH HASH Block 1 Block 2 Block 3 Block 4 Block 5

7 Spending Zerocoin Block 1 Block 2 Block 3 Block 4 Block 5 bitcoins
1.0,A->B 1.0,J->Z .23,C->E .23,E->F .23,E->F 1.03,S->J bitcoins 1.0, 1.2,E->J .9,M->B 1.0,Z->B 2.5,M->S .9B->D .2,M->J 1.0->Z 1.0->Z bitcoins ... ... ... ... ... HASH HASH HASH HASH Block 1 Block 2 Block 3 Block 4 Block 5

8 Spending Zerocoin Where do the bitcoins go/come from?
Nowhere -- they get ‘escrowed’ in place A Zerocoin spend transaction allows you to claim the coins left by some other Zerocoin user 1.0,A->B 1.0,J->Z 1.0,C->E .23,E->F .23,E->F 1.03,S->J 1.0, 1.2,E->J .9,M->B 1.0,Z->B bitcoins 2.5,M->S .9B->D .2,M->J 1.0->Z 1.0->Z ... ... ... ... ... HASH HASH HASH HASH Block 1 Block 2 Block 3 Block 4 Block 5

9 Spending Zerocoin Why is this anonymous?
It’s all in the way we ‘prove’ we have a Zerocoin This is done using a zero knowledge proof 1.0,A->B 1.0,J->Z 1.0,C->E .23,E->F .23,E->F 1.03,S->J 1.0, 1.2,E->J .9,M->B .9,M->B 2.5,M->S .9B->D .2,M->J 1.0->Z 1.0->Z ... ... ... ... ... HASH HASH HASH HASH Block 1 Block 2 Block 3 Block 4 Block 5

10 Spending Zerocoin Zero knowledge [Goldwasser, Micali 1980s, and beyond] Prove a statement without revealing any other knowledge Specific variant: proof of knowledge Here we prove knowledge of: (a) a Zerocoin in the block chain (b) we just revealed the actual serial number inside of it The trick is doing this efficiently!

11 These ‘or’ proofs have cost O(N)
Spending Zerocoin Inefficient proof Identify all valid Zerocoins in the blockchain (call them ) Prove knowledge of such that: These ‘or’ proofs have cost O(N)

12 Spending Zerocoin Better approach Use an efficient one-way accumulator
Accumulate to produce accumulator Then prove knowledge of a witness s.t.

13 Spending Zerocoin Better approach Use an efficient one-way accumulator
Accumulate to produce accumulator Then prove knowledge of a witness s.t. A H(C1,C2) H(C3,C4) H(C1) H(C2) H(C3) H(C4)

14 Spending Zerocoin = sibling nodes Better approach
Use an efficient one-way accumulator Accumulate to produce accumulator Then prove knowledge of a witness s.t. A = sibling nodes H(C1,C2) H(C3,C4) H(C1) H(C2) H(C3) H(C4)

15 Merkle trees don’t (seem) to possess one
Spending Zerocoin Problem: There are relatively few accumulators that meet our criteria Computing the accumulator should not require any secrets (i.e., it’s publicly computable/verifiable) There must be an efficient ZK proof of knowledge of a witness. Merkle trees don’t (seem) to possess one

16 Strong RSA Accumulator (Benaloh & de Mare)
To accumulate primes compute: An efficient ZKPoK proposed by Camenisch/Lysyanskaya ’01!

17 The upshot I can take Bitcoin from my wallet Turn them into Zerocoins
Where they get ‘mixed up’ with many other users’ coins I can redeem them to a new fresh Wallet Nobody will be able to link the new ones to the old!

18 Use of Blockchain

19 Blockchain Structure P1 P3 P2 P4 x4=(P4, (m,s), i4)
SolvePuzzle(L,...){ repeat{ R = my_name||(m,s)|| i++ T = H(L,R) }while(T ≠ 0d) return R } P1 (m,s) P3 (m,s) P2 P4 (m,s) P3 broadcasts transaction, is not accepted until incorporated into block chain x4=(P4, (m,s), i4)

20 Preventing double spending /changes
The receiver wants to be sure that transaction is part of the “final” blockchain and cannot be undone x3=(P3, i3) x6=(P3, i6) x7=(P3, i7) x0=Start! x1=(P1, i1) x2=(P2, i2) x4=(P4, i4) x5=(P5, i5) Wait to accept until transaction is several blocks back in the chain Adversary’s ability to rewrite blocks decreases exponentially with number of blocks IF they control less than 50% of processing (of most popular branch)

21 Fundamental Characteristics of Blockchain
x7=(P3, i7) x6=(P3, i6) x5=(P5, i5) x0=Start! x1=(P1, i1) x2=(P2, i2) x3=(P3, i3) x4=(P4, i4) Main innovation is achieving these properties without a trusted third party Append only databases are easy with trusted party Currently lots of hype surrounding blockchain, many applications are silly Blockchain is a distributed append only database, correctness is guaranteed when the adversary is spending less resources on the chain than honest parties Honest participation requires incentive (costs compute cycles & electricity), achieved in Bitcoin using transaction fees & mining

22 Exercise: Useful or Silly, Financial Markets
The idea: use blockchain to distribute current markets like the NYSE removing the need for a trusted party The pitch: will make markets more inclusive, reduce cost by reducing collateral and settlements Is this a good application of blockchain technology? Does it use the fundamental characteristics of blockchain?

23 Exercise: Useful or Silly, Smart contracts
The idea: create digital self-enforcing digital contracts, remove the need for lawyers for external enforcement mechanisms, use the scripting language described last class The pitch: no more lawyers, no need to sue for breach of contract Is this a good application of blockchain technology? Does it use the fundamental characteristics of blockchain? Potential hangups with this application? Privacy, size of network?

24 Exercise: Useful or Silly, Voting
Is this a good application of blockchain technology? Does it use the fundamental characteristics of blockchain? Potential hangups with this application? Privacy, size of network?

25 Exercise: Useful or Silly, Data Provenance
Is this a good application of blockchain technology? Does it use the fundamental characteristics of blockchain? Potential hangups with this application? Privacy, size of network?

26 Exercise: Useful or Silly, Cloud Storage
The idea: Distributed files to blockchain participants, provide coins in return for faithful storage of data, use blockchain to distribute and check correctness The pitch: distributes trust from cloud storage providers, utilizes space that already exists Is this a good application of blockchain technology? Does it use the fundamental characteristics of blockchain? Potential hangups with this application? Privacy, size of network?

Download ppt "CSE 4095 Lecture 22 – BlockChain Slides adapted from Claudio Orlandi."

Similar presentations

Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.

Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Secure Digital Currency: Bitcoin Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the.

Secure Digital Currency: Bitcoin Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the.
Ian Miers Christina Garman | Matthew Green | Avi Rubin Zerocoin: Anonymous Distributed E-Cash from Bitcoin.

Ian Miers Christina Garman | Matthew Green | Avi Rubin Zerocoin: Anonymous Distributed E-Cash from Bitcoin.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.

Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
BITCOIN An introduction to a decentralised and anonymous currency. By Andy Brodie.

BITCOIN An introduction to a decentralised and anonymous currency. By Andy Brodie.
Bitcoin (what, why and how?)

Bitcoin (what, why and how?)
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
1 Bitcoin A Digital Currency. Functions of Money.

1 Bitcoin A Digital Currency. Functions of Money.
Presented by: Suparita Parakarn 50-7038-103-2 Kinzang Wangdi 51-7018-007-8 Research Report Presentation Computer Network Security.

Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
Bitcoin 101 and Beyond Jonathan Levin VP Business Development, Chainalysis GmbH.

Bitcoin 101 and Beyond Jonathan Levin VP Business Development, Chainalysis GmbH.
Privacy Preserving Payments in Credit Networks By: Moreno-Sanchez et al from Saarland University Presented By: Cody Watson Some Slides Borrowed From NDSS’15.

Privacy Preserving Payments in Credit Networks By: Moreno-Sanchez et al from Saarland University Presented By: Cody Watson Some Slides Borrowed From NDSS’15.
SCP: A Computationally Scalable Byzantine Consensus Protocol for Blockchains Loi Luu, Viswesh Narayanan, Kunal Baweja, Chaodong Zheng, Seth Gilbert, Prateek.

SCP: A Computationally Scalable Byzantine Consensus Protocol for Blockchains Loi Luu, Viswesh Narayanan, Kunal Baweja, Chaodong Zheng, Seth Gilbert, Prateek.

Similar presentations

Ads by Google