Document summary
Blockchain-based security protocol design

Road map
- 1 Introduction to Blockchain
- 2 Blockchain & cryptocurrency
- 3 Blockchain & e-voting
- 4 Blockchain & PDP
- 5 Conclusion

1 Introduction to Blockchain

Blockchain
- A chain of blocks
- Public ledger/database
- Records all transactions across a P2P network
- Shared between participants

How Blockchain works? (figure: example)

Main features: four characteristic elements
- Public: publicly accessible
- Decentralized: no central party
- Distributed: approved by most peers
- Immutable: cannot be tampered with

Components
- Transaction: records source, destination, amounts, etc.
- Block: a list of transactions
- Blockchain: a chain of blocks
(Figure: each block carries trans: H() over its transactions and prev: H() of the preceding block.)

*Traditional blockchain protocols were designed with a script language to make protocols like this.

Blockchain 2.0: Ethereum, or blockchain with an expressive programming language
- The programming language makes it ideal for smart contracts (Turing-complete)
- A smart contract is a computer program executed in a secure environment that directly controls digital assets
- Most public blockchains are for cryptocurrencies (can only transfer coins between users); smart contracts enable many more applications

Difference: Bitcoin vs Ethereum
- Bitcoin: "A Peer-to-Peer Electronic Cash System"; Satoshi Nakamoto (pseudonymous); intentionally limited scripting language; UTXO-based framework; released January 3, 2009; 10-minute block time
- Ethereum: "Generalized state-transition machine"; Vitalik Buterin (co-founder of Bitcoin Magazine); Turing-complete programming language; account-based framework; released July 30, 2015; 15-second block time

Application areas (figure): Energy, Shipping, Government, Healthcare, Finance, Cryptocurrency, Insurance, Trading, Key management, Manufacturing, Voting, IoT, Transportation, Funding (Blockchain / Smart Contract)

2 Blockchain & cryptocurrency

- Thousands of cryptocurrencies have been launched, with various features and demands
- Top 2: Bitcoin & Ethereum

Bitcoin privacy
- The block chain is a history of every Bitcoin transaction ever!
- Identifiers are public keys, not names ("pseudonyms")
- You can make as many public keys as you want
- But these still leak information!
- Example (figure: single transaction): Alice buys a teapot at Big box store

Linking addresses
- Shared spending is evidence of joint control
- Addresses can be linked transitively

Change addresses (figure): which address is the change?

Privacy guarantee
- The public key does not need to be "certified"
- Payers can generate as many public keys as they wish
- The payee's public key is hashed; it is revealed in the spend transaction
- The Bitcoin transaction amount is known

Privacy-enhancing techniques
- Miers, Garman, Green, Rubin. Zerocoin: Anonymous Distributed E-Cash from Bitcoin. IEEE S&P 2013.
- Ben-Sasson, Chiesa, Garman, Green, Miers, Tromer, Virza. Zerocash: Decentralized Anonymous Payments from Bitcoin. IEEE S&P 2014.
- Timeline (figure): Dash 2014, Zcoin, Zcash 2014, Monero 2014

Main privacy-preserving techniques
            Payer                     Payee                    Amount
Bitcoin     Pseudonym                 Pseudonym                -
Dash        Mix                       Mix                      Mix
Zerocoin    Commitment                -                        -
Zerocash    Nested commitment         Key-private encryption   Nested commitment
Monero      Linkable ring signature   CryptoNote               Pedersen commitment

Anonymity is not always desirable
- Money laundering, drug trading, cybercrime
- Example: WannaCry (Bitcoin, Monero)
- Anonymity vs. accountability

Our solution
- Introduce the concept of Traceable Monero
- Formalize the system model and the security model
- Describe two concrete mechanisms
- Implement the proposals

Traceable Monero = Monero + verifiable encryption + signature of knowledge: anonymity and traceability

Protocol workflow (figure)
- Transaction phase: payer spends from input accounts pk1 ... pkn (Tag 1 ... Tag n) to the payee's output account (Tag*), using ring R
- Each account carries a tag plus a ciphertext of the input accounts; one-time public key, long-term public key, ciphertext C (passive)
- Tracing phase: the Tracing Authority decrypts

Traceable Monero: Anonymous Cryptocurrency with Enhanced Accountability, IEEE Transactions on Dependable and Secure Computing, 10.1109/TDSC.2019.2910058 (accepted).

Trace long-term account (figure: (A1,B1), (A2,B2), (pk,sk))

Trace long-term account: recall CryptoNote
- Payee's long-term public key (A,B) and long-term private key (a,b)
- To send money to Bob, pick a random r and compute P and R; P is used as the payee's public key, and R is also put on the blockchain
- x is the private key for "public key" P
- Check: the payee verifies the one-time key with his own keys

Trace long-term account: KeyGen
- For a fixed y generated by (A,B): choose a random r and A, compute B from them, and obtain (A,B)
- (A,B) spends the money, but (A,B) can be traced
- One can generate many key pairs for y
- Given y, it is computationally infeasible to find another key pair (A,B) that shares the same y (important for tracing)
- One-time public key and one-time private key are derived as in CryptoNote
- Tag: for tracing; Ring: for privacy
- Modified CryptoNote; verifiable encryption: variant ElGamal under the tracing authority's pk

Trace one-time account: Spend
- Encrypt the column index of the input accounts with the tracing authority's pk

Efficiency analysis (figures): overhead of the Spend and Verify algorithms; time cost of the Verify algorithm

Trace real-world identities

Blockchain categories
- Private: permissioned, control over a central party
- Public: globally, freely join and leave (Bitcoin, Ethereum)
- Consortium: semi-decentralized, authorized to join/leave (Hyperledger, R3)

Our second solution
- Suggest linkable group signatures (LGS) to realize payer tracing based on a consortium blockchain
- Propose a concrete construction of LGS based on Boneh and Boyen (BB04/BS04/BBS04)
- Prove the security of our LGS in the random oracle model and implement the proposed scheme
- D. Boneh, X. Boyen, Short signatures without random oracles, in: International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Berlin, Heidelberg, pp. 56-73, 2004.

Scenario
- Several banks form a consortium blockchain; each bank is a group with its own registration & supervision authority
- More like a real-life scenario: a trade-off between anonymity and traceability
- Registration: set up an account in a bank
- Tracing: identified by a bank and punished by the law-enforcing department
- Transactions are privacy-preserving among the banks: one can only learn that a payment goes to a certain bank, not to a specific payee
- Users are anonymous if they behave honestly
- Transactions are linked if users double spend
- Users can be traced to real-world identities if they misbehave

Protocol overview / protocol workflow (figure): shared chain; in each bank

An Efficient Linkable Group Signature for Payer Tracing in Anonymous Cryptocurrencies, Future Generation Computer Systems, vol. 101, 29-38, 2019.

3 Blockchain & e-voting

Traditional e-voting (figure): Admin, Counter, Voters, Result
- Example: FOO protocol [FOO92]
- A. Fujioka, T. Okamoto, K. Ohta. "A practical secret voting scheme for large scale elections". Proc. of Auscrypt 1992, LNCS 718, 244-251, 1992.

Blockchain-based e-voting
- No central party
- Automatically compute the final results (self-tallying e-voting)

Blockchain-based e-voting problems
- Privacy issues (the blockchain is public)
- Fairness issues: adaptive issue (the last voter knows the results ahead of schedule); abortive issue (the last voter aborts)

Solutions: privacy
- Homomorphic encryption (with all other voters' pk)
- Achieve maximal ballot privacy: a partial tally of the ballots can be accessed only by a collusion of all remaining voters
- Zero-knowledge proof: prove the ciphertext is in the correct form
- Dispute-freeness: anybody can check whether the voters follow the protocol or not; this is an extension of universal verifiability [KY02]
- A. Kiayias and M. Yung. "Self-tallying elections and perfect ballot secrecy". In International Workshop on Public Key Cryptography, Springer, Berlin, Heidelberg, pp. 141-158, 2002.

Efficiency (figures): on laptop, on Android phone, on Raspberry Pi

Parameters
- Laptop: CPU Intel Core(TM) i5-4300 2.49 GHz; memory 8 GB RAM; OS Win 8 64-bit
- Android phone: CPU Qualcomm MSM8998 2.45 GHz (octa-core); memory 6 GB RAM; OS Android 7.1.1
- Raspberry Pi: CPU Broadcom BCM2837B0, 1.4 GHz 64-bit quad-core ARM Cortex-A53; memory 1 GB LPDDR2 SDRAM; OS Raspbian with kernel v4.14

4 Blockchain & PDP

Outsourced storage (figure: data owners, data flow)
- Outsourced storage relieves the burden of data management
- The data owner loses physical control: separation between data ownership and control
- Provable data possession [Ate07]
- G. Ateniese, R. C. Burns, R. Curtmola, J. Herring, L. Kissner, Z. N. J. Peterson, D. X. Song, Provable Data Possession at Untrusted Stores, CCS 2007, pp. 598-
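The CryptoNote one-time address derivation that the Traceable Monero part recalls (payer picks r, derives P and R; payee checks P with his view key and recovers the spending key x), written out as an added example that is not part of the slides or of Monero's code. It assumes secp256k1 instead of CryptoNote's Ed25519 and SHA-256 as the hash-to-scalar H_s, both chosen only to keep the demo self-contained; the tracing tag of the slides is not modelled.

```python
import hashlib
import secrets

# secp256k1 parameters (CryptoNote uses Ed25519; secp256k1 is used here only to keep the demo short)
P_MOD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine addition on y^2 = x^3 + 7; None = point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def hash_to_scalar(pt):  # H_s: map a curve point to a scalar mod the group order
    data = pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen():  # payee's long-term keys: view pair (a, A) and spend pair (b, B)
    a, b = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    return a, b, ec_mul(a, G), ec_mul(b, G)

def send(A, B, r):  # payer: one-time key P = H_s(rA)G + B, tx public key R = rG goes on chain
    P = ec_add(ec_mul(hash_to_scalar(ec_mul(r, A)), G), B)
    return P, ec_mul(r, G)

def is_mine(a, B, P, R):  # payee scans the chain: recompute H_s(aR)G + B with the view key
    return ec_add(ec_mul(hash_to_scalar(ec_mul(a, R)), G), B) == P

def one_time_secret(a, b, R):  # payee derives x = H_s(aR) + b, the private key for P
    return (hash_to_scalar(ec_mul(a, R)) + b) % N
```

The check that matters for tracing is the last one: xG must equal P, which ties the one-time account back to the long-term spend key b without ever publishing it.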
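The self-tallying e-voting idea from section 3 (ballots encrypted under a key built from all other voters' public keys, so the tally emerges from the product of ballots while a partial tally needs all remaining voters to collude) as an added example, not the slides' own scheme or code. It assumes a toy safe-prime group (p = 2039, q = 1019, g = 4; demo sizes only) and omits the zero-knowledge proof that each vote is 0 or 1; the last function shows the adaptive issue the slides mention.

```python
import secrets

# Toy prime-order group for the demo: p = 2q + 1 is a safe prime and g = 4 generates
# the subgroup of order q. These sizes are for illustration only, not for a real election.
P, Q, G = 2039, 1019, 4

def voter_keygen():
    """Round one: voter i picks x_i and broadcasts g^{x_i}."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def derived_key(pubs, i):
    """Y_i = prod_{j<i} g^{x_j} / prod_{j>i} g^{x_j}, built from all other voters' keys."""
    num, den = 1, 1
    for j, gx in enumerate(pubs):
        if j < i:
            num = num * gx % P
        elif j > i:
            den = den * gx % P
    return num * pow(den, -1, P) % P

def cast(x_i, pubs, i, vote):
    """Round two: ballot b_i = Y_i^{x_i} * g^{v_i} (ZK proof that v_i is 0 or 1 omitted)."""
    return pow(derived_key(pubs, i), x_i, P) * pow(G, vote, P) % P

def tally(ballots):
    """prod_i b_i = g^{sum v_i} because sum_i x_i*y_i = 0; solve the small discrete log."""
    prod = 1
    for b in ballots:
        prod = prod * b % P
    for t in range(len(ballots) + 1):
        if pow(G, t, P) == prod:
            return t
    return None

def last_voter_peek(x_last, pubs, ballots):
    """Adaptive issue: the last voter supplies Y_n^{x_n} himself and reads the partial
    tally of everyone else before deciding how (or whether) to vote."""
    partial = ballots + [pow(derived_key(pubs, len(pubs) - 1), x_last, P)]
    return tally(partial)
```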