SSI LEcture 5 Applications

(1)

Pascal Lafourcade

(2)

Outline

1 ToR 2 ZKP 3 OTR 4 Bitcoin

Money

The Bitcoin revolution Technical context Bitcoin explained 5 Altcoins

6 NFT

7 Cloud Security 8 SSE

9 Privacy in DB

10 Conclusion

(3)

SSI LEcture 5 Applications ToR

Application : The Onion Router (TOR)

Serveur Client

Nœud d’entrée

Nœud de sortie

(4)

Application :

(K(X) : clef de circuit du Relais Oignon X) Protection par K(C)

Message

Protection par K(B) Protection par K(A)

Proxy Oignon

Relais A Relais B Relais C

Serveur

(5)

SSI LEcture 5 Applications ZKP

Outline

1 ToR 2 ZKP 3 OTR 4 Bitcoin

Money

The Bitcoin revolution Technical context Bitcoin explained 5 Altcoins

6 NFT

7 Cloud Security 8 SSE

9 Privacy in DB

10 Conclusion

(6)

Idea of Zero Knowledge Proof

Prover (P)

(P) convinces (V) that it knows something without revealing any information

Verifier (V)

• Authentication systems: prove its identity to someone using a password without reavealing anything about the secret.

• Prove that a praticipant behavior is correct according to the protocol (e.g. integrity of ballots in vote).

• Group signature, secure multiparty computation, e-cash ...

(7)

Idea of Zero Knowledge Proof

Prover (P)

(P) convinces (V) that it knows something without revealing any information

Verifier (V) Applications:

• Authentication systems: prove its identity to someone using a password without reavealing anything about the secret.

• Prove that a praticipant behavior is correct according to the protocol (e.g. integrity of ballots in vote).

• Group signature, secure multiparty computation, e-cash ...

(8)

Cave example (0)

Door with a secret code

(9)

Cave example (I)

V waits outside while P chooses a path

(10)

Cave example (II)

V enters and shouts the name of a path

(11)

Cave example (III)

P returns along the desired path (using the secret if necessary)

A = “P does not know the secret” is equivalent to say “P is lucky”

Pr [A] = 1 2 After k tries,

Pr [A] = ( 1 2 ) ^k

A = “P knows the secret”, then Pr [A] = 1 − Pr [A] = 1 − ( 1

2 ) ^k

(12)

Cave example (III)

P returns along the desired path (using the secret if necessary) A = “P does not know the secret”

is equivalent to say “P is lucky”

Pr [A] = 1 2

Pr [A] = ( 1 2 ) ^k

A = “P knows the secret”, then Pr [A] = 1 − Pr [A] = 1 − ( 1

2 ) ^k

(13)

Cave example (III)

P returns along the desired path (using the secret if necessary) A = “P does not know the secret”

is equivalent to say “P is lucky”

Pr [A] = 1 2 After k tries,

Pr [A] = ( 1 2 ) ^k

A = “P knows the secret”, then Pr [A] = 1 − Pr [A] = 1 − ( 1

2 ) ^k

(14)

Cave example (III)

P returns along the desired path (using the secret if necessary) A = “P does not know the secret”

is equivalent to say “P is lucky”

Pr [A] = 1 2 After k tries,

Pr [A] = ( 1 2 ) ^k

A = “P knows the secret”, then Pr [A] = 1 − Pr [A] = 1 − ( 1

2 ) ^k

(15)

Graph 3-coloring is NP-complete: • • •

1 2

3 4

5 6 7

8

9

10 Petersen graph

(16)

Graph 3-coloring is NP-complete: • • •

1 2

3 4

5 6 7

8

9

10 Petersen graph

(17)

P wants to prove to V his 3-coloring of G = (E , V )

P selects a permutation π of the 3 colors.

π(

1 2

4 3 5

6 7

8 9

10 )=

1 2

4 3 5

6 7

8 9

10 Chooses ∀ u ∈ V , r _u

→ ∀ u ∈ V , e u = H(π(c (u)) || r u ) →

←− u _i , u _j ←−

−→ r _u

_i

, r _u

_j

, π(c (u _i )), π(c (v _j )) −→ V accepts, if e u

_i

= H(π(c (u _i )) || r u

_i

) and

e _u

_j

= H(π(c(u _j )) || r _u

_j

) Chooses i and j

(18)

P wants to prove to V his 3-coloring of G = (E , V )

P selects a permutation π of the 3 colors.

π(

1 2

4 3 5

6 7

8 9

10 )=

1 2

4 3 5

6 7

8 9

10 −→ r _u

_i

, r _u

_j

, π(c (u _i )), π(c(v _j )) −→ V accepts, if e _u

_i

= H(π(c (u _i )) || r _u

_i

) and

e _u

_j

= H(π(c(u _j )) || r _u

_j

) Chooses i and j

(19)

P wants to prove to V his 3-coloring of G = (E , V )

P selects a permutation π of the 3 colors.

π(

1 2

4 3 5

6 7

8 9

10 )=

1 2

4 3 5

6 7

8 9

10 → ∀ u ∈ V , e u = H(π(c (u)) || r u ) →

←− u _i , u _j ←−

−→ r _u

_i

, r _u

_j

, π(c (u _i )), π(c(v _j )) −→ V accepts, if e _u

_i

= H(π(c (u _i )) || r _u

_i

) and

e _u

_j

= H(π(c(u _j )) || r _u

_j

) Chooses i and j

(20)

P wants to prove to V his 3-coloring of G = (E , V )

P selects a permutation π of the 3 colors.

π(

1 2

4 3 5

6 7

8 9

10 )=

1 2

4 3 5

6 7

8 9

10 → ∀ u ∈ V , e u = H(π(c (u)) || r u ) →

V accepts, if e _u

_i

= H(π(c (u _i )) || r _u

_i

) and

e _u

_j

= H(π(c(u _j )) || r _u

_j

)

(21)

P wants to prove to V his 3-coloring of G = (E , V )

P selects a permutation π of the 3 colors.

π(

1 2

4 3 5

6 7

8 9

10 )=

1 2

4 3 5

6 7

8 9

10 → ∀ u ∈ V , e u = H(π(c (u)) || r u ) →

←− u _i , u _j ←−

−→ r _u

_i

, r _u

_j

, π(c (u _i )), π(c(v _j )) −→ V accepts, if e _u

_i

= H(π(c (u _i )) || r _u

_i

) and

e _u

_j

= H(π(c(u _j )) || r _u

_j

)

Chooses i and j

(22)

P wants to prove to V his 3-coloring of G = (E , V )

P selects a permutation π of the 3 colors.

π(

1 2

4 3 5

6 7

8 9

10 )=

1 2

4 3 5

6 7

8 9

10 → ∀ u ∈ V , e u = H(π(c (u)) || r u ) →

←− u _i , u _j ←−

−→ r _u

_i

, r _u

_j

, π(c (u _i )), π(c(v _j )) −→

(23)

P wants to prove to V his 3-coloring of G = (E , V )

P selects a permutation π of the 3 colors.

π(

1 2

4 3 5

6 7

8 9

10 )=

1 2

4 3 5

6 7

8 9

10 → ∀ u ∈ V , e u = H(π(c (u)) || r u ) →

←− u _i , u _j ←−

−→ r _u

_i

, r _u

_j

, π(c (u _i )), π(c(v _j )) −→

V accepts, if e _u

_i

= H(π(c (u _i )) || r _u

_i

) and

e = H(π(c (u )) || r ) Chooses i and j

(24)

Schnorr Protocol, 1991

Let G _q a cyclic group of order q with a public generator g Goal

P wants to prove the knowledge of x, where y = g ^x

Chooses a random r

←− c ←−

−→ s = r + x · c −→

V accepts, if t · y ^c = g ^s Chooses a random c

t · y ^c = g ^r · (g ^x ) ^c = g ^r ^+x·c = g ^s

(25)

Schnorr Protocol, 1991

Let G _q a cyclic group of order q with a public generator g Goal

P wants to prove the knowledge of x, where y = g ^x

Chooses a random r

−→ t = g ^r −→

←− c ←−

−→ s = r + x · c −→

V accepts, if t · y ^c = g ^s Chooses a random c

t · y ^c = g ^r · (g ^x ) ^c = g ^r ^+x·c = g ^s

(26)

Schnorr Protocol, 1991

Let G _q a cyclic group of order q with a public generator g Goal

P wants to prove the knowledge of x, where y = g ^x

Chooses a random r

−→ t = g ^r −→

−→ s = r + x · c −→

V accepts, if t · y ^c = g ^s Chooses a random c

t · y ^c = g ^r · (g ^x ) ^c = g ^r ^+x·c = g ^s

(27)

Schnorr Protocol, 1991

Let G _q a cyclic group of order q with a public generator g Goal

P wants to prove the knowledge of x, where y = g ^x

Chooses a random r

−→ t = g ^r −→

←− c ←−

−→ s = r + x · c −→ V accepts, if t · y ^c = g ^s

Chooses a random c

t · y ^c = g ^r · (g ^x ) ^c = g ^r ^+x·c = g ^s

(28)

Schnorr Protocol, 1991

Let G _q a cyclic group of order q with a public generator g Goal

P wants to prove the knowledge of x, where y = g ^x

Chooses a random r

−→ t = g ^r −→

←− c ←−

V accepts, if t · y ^c = g ^s

Chooses a random c

t · y ^c = g ^r · (g ^x ) ^c = g ^r ^+x·c = g ^s

(29)

Schnorr Protocol, 1991

Let G _q a cyclic group of order q with a public generator g Goal

P wants to prove the knowledge of x, where y = g ^x

Chooses a random r

−→ t = g ^r −→

←− c ←−

−→ s = r + x · c −→

V accepts, if t · y ^c = g ^s

Chooses a random c

t · y ^c = g ^r · (g ^x ) ^c = g ^r ^+x·c = g ^s

(30)

Schnorr Protocol, 1991

Let G _q a cyclic group of order q with a public generator g Goal

P wants to prove the knowledge of x, where y = g ^x

Chooses a random r

−→ t = g ^r −→

←− c ←−

−→ s = r + x · c −→

V accepts, if t · y ^c = g ^s Chooses a random c

(31)

Schnorr Protocol, 1991

Let G _q a cyclic group of order q with a public generator g Goal

P wants to prove the knowledge of x, where y = g ^x

Chooses a random r

−→ t = g ^r −→

←− c ←−

−→ s = r + x · c −→

V accepts, if t · y ^c = g ^s Chooses a random c

t · y ^c = g ^r · (g ^x ) ^c = g ^r+x·c = g ^s

(32)

Outline

1 ToR 2 ZKP 3 OTR 4 Bitcoin

Money

The Bitcoin revolution Technical context Bitcoin explained 5 Altcoins

6 NFT

7 Cloud Security 8 SSE

9 Privacy in DB

10 Conclusion

(33)

SSI LEcture 5 Applications OTR

Application : Chat

Adium, Jitsi, Xabber, Been, Pidgin, Gajim, Trillian, Kopete,

Miranda IM, logoXChat, Irssi, Cryptocat, Poezio.

(34)

Application : Off-the-Record Messaging (OTR)

Invented by N. Borisov, I. Goldberg et E. Brewer in 2004.

• Confidentiality : Nobofy can read your messages

• Authentication : Sure to talk to your friend

• Deniability of conversations : nobody can be able to prove that you are the author of messages

• Messages are authentic and not modificable

• Perfect forward secrecy : Revaling private key does not compromise previous messages.

Use AES, SHA-1, Diffie-Hellman in the protocole AKE.

(35)

SSI LEcture 5 Applications OTR

Application : AKE

(1) ^AES

^r

^(g

x

)||HASH(g

^x

)

−−−−−−−−−−−−−−−−−−−−−−−→

g

^y

←−−−−−−−−−−−−−−−−−−−−−−− (2)

Bob (3) −−−−−−−−−−−−−−−−−−−−−−−→ ^r||AES

^c

^(X

^B

^)||MAC

^m²

^(AES

^c

^(X

^B

⁾⁾ Alice

AES

_c0

(X

A

)||MAC

_m0

2

(AES

_c0

(X

A

))

←−−−−−−−−−−−−−−−−−−−−−−− (4) (5) ^T

^A

^||MAC

^mk

^(T

^A

)||oldmackeys

−−−−−−−−−−−−−−−−−−−−−−−→

From s := (g y ) ^x we genreate :

• 2 symmetric keys c and c ⁰

• 4 MAC keys m ₁ , m ⁰ ₁ , m ₂ et m ⁰ ₂ X _B := Kpub _B || keyid _B || SIGB ₍ M _B ) X A := Kpub A || keyid A || SIG A (M A )

M _B := MAC m

1

(g ^x || g ^y || Kpub _B || keyid _B ) ; M _A := MAC _m

⁰

1

(g ^y || g ^x || Kpub _A || keyid _A ) ;

T A := (keyid A || keyid B || next dh || ctr || AES − CTR ek,ctr (msg ))

(36)

Outline

1 ToR 2 ZKP 3 OTR 4 Bitcoin

Money

The Bitcoin revolution Technical context Bitcoin explained 5 Altcoins

6 NFT

7 Cloud Security 8 SSE

9 Privacy in DB

10 Conclusion

(37)

SSI LEcture 5 Applications Bitcoin

Money

Sumerians around 3.500 bef. J.C

(38)

Money as a functionality: a currency

1 Medium of Exchange of goods and services between people

2 Store of Value

3 Unit of Account (measure of value)

(39)

Money

Many currencies

(40)

Principle: central Bank

1.

(41)

Money

Principle: central Bank

1.

2.

(42)

Principle: central Bank

1.

2.

3.

(43)

Money

Principle: central Bank

1.

2. 3. 4.

(44)

1988: Digitcash

• Preserves privacy

• Use cryptographic primitives

• Requires a third party

(bank)

(45)

Money

Cryptocurrency

• Money

1 Medium of exchange

2 Store of value

3 Unit of account

• Cryptocurrency: electronic cash, without a third party

4 Preserving privacy

5 Unforgeable

6 Preventing double-spending

(46)

Properties: Unforgeability

(47)

Money

Properties: Preventing double spending

• Fraud identification

• Presumption of innocence

(48)

Properties: Preserving privacy

• Weak anonymity: non identification of a buyer

• Strong anonymity: non tractability of a buyer

(49)

Money

What is a currency? (money creation)

• Standard currency

• Guaranteed by gold,

• Then by US Dollars (Bretton-Woods),

• Then simply fiduciary:

• Legal tender & forced tender

• Creation by authorized institutions

• Guaranteed by a central bank

• Cryptocurrency

• Various creation mechanisms:

• Fixed number

• Capped/linear/bounded growth / year

• etc.

4 ! Gathering of mining farms (money supply)

Nowadays: only

debt

(50)

What is a currency? (money creation)

• Standard currency

• Guaranteed by gold,

• Then by US Dollars (Bretton-Woods),

• Then simply fiduciary:

• Legal tender & forced tender

• Creation by authorized institutions

• Guaranteed by a central bank

• Cryptocurrency

• Various creation mechanisms:

• Fixed number

• Capped/linear/bounded growth / year

• etc.

4 ! Gathering of mining farms (money supply)

Nowadays: only

debt

(51)

Money

Classical and cryptographic currencies

Classical currency

Cryptocurrency Cash Electronic

Medium of exchange Store of value Unit of account

Creation central Bank Debt Automatic

Privacy Peer 2 peer Legal guaranty,

stabilization

(52)

The Bitcoin revolution 2009

(53)

The Bitcoin revolution

Bitcoin

• Decentralized and distributed cryptocurrency

• Uses a blockchain: a shared ledger, known

to all participants

(54)

Unstoppable, because distributed

• Broadcast of all the transactions to all the nodes of the

network

(55)

Unforgeable

• A fingerprint (hash) of each transaction block is added to

each new block of transaction (chain of hashes) ...

(56)

Auditable

• Every participant owns, locally, a copy of the complete history

of every transactions

(57)

Bitcoin: electronic cash

Created at the end of 2008 by Satoshi Nakamoto

• 1 BTC ≈ 15 401 e (December 5, 2021)

1 BTC = 1 Bitcoin

0, 01 BTC = 1 cBTC = 1 centiBitcoin (or bitcent) 0, 001 BTC = 1 mBTC = 1 milliBitcoin

0, 000 001 BTC = 1 µBTC = 1 microBitcoin

(58)

Bitcoin e exchange rates

2013/01 2013/06 2014/01 2014/06 2015/01 2015/06 2016/01 2016/06 2017/01 2017/06 2018/01 2018/06 2019/01 2019/06 020/01

0e 5 000e 10 000e 15 000e

Euros

C o u r s d u b i t c o i n e n

e

(59)

Technical context

encipher decipher

Clef symétrique Clef symétrique

Examples

• 3DES

• AES

(60)

Public key cryptography

encipher decipher

Clef publique

Clef privée

Examples

• RSA: c = m ^e mod n

• ElGamal: c ≡ (g ^r , h ^r · m)

(61)

Technical context

signature

private key public key

verification

Clef privée

Clef publique

• RSA: m ^d mod n

• ElGamal: (g ^k ; (H(m) − xg ^k )k ⁻¹ mod p − 1)

(62)

signature

private key public key

verification

Clef privée

Clef publique

• RSA: m ^d mod n

• ElGamal: (g ^k ; (H(m) − xg ^k )k ⁻¹ mod p − 1)

(63)

Technical context

Cryptographic hash function (RIPEMD-160, SHA-256, SHA-3)

n

Chaîne d’entrée

Taille fixe

bits

Taille quelconque

F o n c t i o n d e h a c h a g e

e m p r e i n t e

• uniformity property: ∀ a 6 =b ← ^$ , P (h(a) = h(b)) ≈ 1

n

(64)

Technical context

Cryptographic hash function (RIPEMD-160, SHA-256, SHA-3)

Resisting properties

• Pre-image

• Collision

(65)

Technical context

Cryptographic hash function (RIPEMD-160, SHA-256, SHA-3)

Resisting properties

• Pre-image

• Second Pre-image

• Collision

(66)

Cryptographic hash function (RIPEMD-160, SHA-256, SHA-3)

Resisting properties

• Pre-image

• Second Pre-image

• Collision

(67)

Bitcoin explained

Bitcoins: main characteristics

• the total number of bitcoins is finite 21 millions BTC

• Transactions use electronic signatures

• Account number:

RIPEMD-160(SHA-256(ECDSA _pub ))

• All the transactions are public

• Blockchain: a peer-to-peer system

guaranteeing the validity of transactions

(68)

How to perform a transaction?

Alice gives 12345 Satochis (a few cents) to Bob.

12345 Satoshis Bob Clef publique

Précédent bloc de transactions

Signature

Nouvelle transaction

Clef privée d’Alice

Fonction

hachage de

(69)

Bitcoin explained

Electronic wallet

• Consultation of the balance

• Completion of a transaction

• Coins storage management

• Creation of new account keys

4 ! Where are my private keys?

(70)

Bitcoin explained

Digital wallet solutions

1 Security

2 Availability

3 Ease of access

(71)

Bitcoin explained

Digital wallet solutions

1 Security

2 Availability

3 Ease of access

Hardware Digital Clouded

(72)

Main digital wallets

Type Storage Security Example #currencies mobile ver- sion Hardware physical

(cold wallet) +++

Ledger Nano S

27 n/a

KeepKey 7 n/a

Trezor 8 n/a

Software local +

Bither 1 X

Coplay 150 X

Electrum 1 X (Android)

Exodus 30 ×

Jaxx 60 X

Cloud distant –

Blockchain.info 2 n/a

Coinbase 3 n/a

Kraken 1 n/a

Bittrex 190 n/a

(march 2018)

(73)

Bitcoin explained

Pay 18 BTC with coins

f r a i s =X

e n t r é e s -X

s o r t i e s

Portefeuille d’Alice

A l i c e

→

B o b 1 8 B T C

S o r t i e 2→^{B o b}

+

T r a n s a c t i o n S o r t i e 1→^{A l i c e}

E n t r é e 1 : 1 3 B T C E n t r é e 2 : 6 B T C

1 3

1 5 1 8

Liste de transactions au solde non dépensé

1 1 8 6

6 1 1 1

• Only owned bitcoins can be spend

(74)

Pay 18 BTC with coins

f r a i s =X

e n t r é e s -X

s o r t i e s

Portefeuille d’Alice

A l i c e

→

B o b 1 8 B T C

S o r t i e 2→^{B o b}

+

T r a n s a c t i o n S o r t i e 1→^{A l i c e}

E n t r é e 1 : 1 3 B T C E n t r é e 2 : 6 B T C

1 3

1 5 1 8

Liste de transactions au solde non dépensé

1 1 8 6

6 1 1 1

• Only owned bitcoins can be spend

(75)

Bitcoin explained

Mining Bitcoins

The “miners” validate transactions and are paid in bitcoins

(76)

Mining Bitcoins

The “miners” validate transactions and are paid in bitcoins

(77)

Bitcoin explained

Mining security

4 ! Who is going to mine my transaction?

• Will validate or not (accounts verifications), independently

A miner is randomly chosen

• Prevents collusions

OK, as soon as a majority of miners is honest

• Correct validations are rewarded

(78)

Bitcoin explained

Mining security

4 ! Who is going to mine my transaction?

• Will validate or not (accounts verifications), independently A miner is randomly chosen

• Prevents collusions

(79)

Bitcoin explained

Mining security

4 ! Who is going to mine my transaction?

• Will validate or not (accounts verifications), independently A miner is randomly chosen

• Prevents collusions

OK, as soon as a majority of miners is honest

• Correct validations are rewarded

(80)

Bitcoin explained

Mining Bitcoins = race to be selected

• Mining = solving hashing target

• Proof of work: hard puzzle to solve & easy to check

• Uniform partition of the validators

32 X

i=0

50 2 ⁱ × 210 000 = 21 millions BTC

(81)

Bitcoin explained

Mining Bitcoins = race to be selected

• Mining = solving hashing target

• Proof of work: hard puzzle to solve & easy to check

• Uniform partition of the validators

• Initial reward: 50 BTC for a validation

• Divided by 2 every 210000 validations (4 years)

32 X

i=0

50 2 ⁱ × 210 000 = 21 millions BTC

(82)

Bitcoin explained

Mining: hashing target as a Proof-of-work

Example target:

0000 0000 0000 0000 002e 8fcc c211 838c 7d12 c913 d13b 9686 e8f6 3127 cb57 e712

Find a number n such that:

SHA-256(SHA-256(Transactions, nonce)) = x < Target Must have at least 18 zeroes (even 18 ∗ 4 + 2 = 74 bits) for the

msb of x

Randomly try the possible values for nonce

(83)

Bitcoin explained

Mining: hashing target as a Proof-of-work

Example target:

0000 0000 0000 0000 002e 8fcc c211 838c 7d12 c913 d13b 9686 e8f6 3127 cb57 e712

Find a number n such that:

SHA-256(SHA-256(Transactions, nonce)) = x < Target Must have at least 18 zeroes (even 18 ∗ 4 + 2 = 74 bits) for the

msb of x Strategy: brute force

Randomly try the possible values for nonce

(84)

Mining Algorithm

1: Nonce := random value;

2: repeat

3: hashPrevBlock := last validated (by the network) block;

4: Fetch all the not yet validated transactions;

5: hashMerkleRoot := hash of the transactions to be validated;

6: Time := time in seconds;

7: Bits := current hashing target;

8: Nonce := Nonce + 1;

9: header :=

(Version || hashPrevBlock || hashMerkleRoot || Time || Bits || Nonce);

10: until SHA-256(SHA-256(block header)) < Target

(85)

Bitcoin explained

Verify that transactions are present within the chain?

hash 100 hash 10 hash 00

T2 T1

hash 000 hash 001

hash 01

T3 T4

hash 010 hash 011

T5 Merkle root

hash 0 hash 1

Recompute the Merkle tree + check coherency of the root

• a double arrow is a duplication

• only log ₂ (n) fingerprints are recomputed/added

(86)

Bitcoin explained

Efficiently add transactions as they come?

hash 100 hash 10 hash 00

T2 T1

hash 000 hash 001

hash 01

T3 T4

hash 010 hash 011

T5 Merkle root

hash 0 hash 1

dashed zones are not preserved:

• a double arrow is a duplication

(87)

Bitcoin explained

Efficiently add transactions as they come?

hash 101

T5 T6

hash 00

T2 T1

hash 000 hash 001

hash 01

T3 T4

hash 010 hash 011 hash 0

hash 100 Merkle root

hash 1

hash 10

dashed zones are not preserved:

• a double arrow is a duplication

• only log ₂ (n) fingerprints are recomputed/added

(88)

Bitcoin explained

ASCII proof of work simulator

dec 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 char - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @

dec 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84

char A B C D E F G H I J K L M N O P Q R S T

dec 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104

char U V W X Y Z [ \ ] ˆ ‘ a b c d e f g h

Validator

ASCIISUM( ASCIISUM( A, B, 1234, nonce ) ) divisible by 15

= ASCIISUM ( 333 + 48 ) = ASCIISUM ( 381 )

= 51+56+49 = 156

(89)

Bitcoin explained

ASCII proof of work simulator

dec 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 char - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @

dec 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84

char A B C D E F G H I J K L M N O P Q R S T

dec 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104

char U V W X Y Z [ \ ] ˆ ‘ a b c d e f g h

Validator

ASCIISUM( ASCIISUM( A, B, 1234, nonce ) ) divisible by 15

Example:

ASCIISUM( ASCIISUM( A, B, 1234, 0 ) )

= ASCIISUM(65+66+49+50+51+52+48)

= ASCIISUM ( 333 + 48 ) = ASCIISUM ( 381 )

= 51+56+49 = 156

(90)

Mining: chain of blocks

E n - t ê t e d u b l o c d e t r a n s a c t i o n s

H a s h d u b l o c c o u r a n t

F u t u r e n - t ê t e d ’ u n n o u v e a u b l o c d e t r a n s a c t i o n s p r é c é d e n t b l o c

H a s h d u

M e r k l e r o o t T i m e s t a m p C i b l e N o n c e

d e u x f o i s S H A - 2 5 6

• previous transactions

• to be validated transactions (max.

1MB/block)

• seconds since 01/01/1970

• a nonce

SHA-256(SHA-256(header))

(91)

Bitcoin explained

Mining = Validation of transactions

• Validation every 10 minutes (6 confirmations recommended)

• Larger blocks make full nodes more expensive to operate

d a t e ⇒O K p o u r - 4 B T C

a u j o u r d ’ h u i s o l d e>^{+ 7 B T C}

+ 2 B T C - 3 B T C + 2 B T C + 1 B T C

+ 5 B T C

0 100 000 200 000 300 000 400 000

Transactions/day

55 / 128

(92)

Bitcoin explained

Forks: Longest Chain Rule

• Longest Chain Rule: chain with most work is the main chain (51 % attack)

1 Simultaneously: Alice mines B _a & Bob mines B b

Both chains are valid for now: Fork

2 Longest chain wins: (. . . → C ₀ → B _b → B ₂ )

C0

t1t2t3t4 Ba

t1t2t5t6 Bb

t3t7t8 B2

Double spending?

If transactions t ₄ & t ₅ are mutually ex-

clusive then t 4 will never be included by

honest miners

(93)

Bitcoin explained

Forks: Longest Chain Rule

• Longest Chain Rule: chain with most work is the main chain (51 % attack)

1 Simultaneously: Alice mines B _a & Bob mines B b

Both chains are valid for now: Fork

2 Next miners mine either after B a or B _b

3 Charlie mines B 2

Longest chain wins: (. . . → C ₀ → B _b → B ₂ )

C0

t1t2t3t4 Ba

t1t2t5t6 Bb

t3t7t8 B2

Double spending?

If transactions t ₄ & t ₅ are mutually ex-

clusive then t 4 will never be included by

honest miners

(94)

Bitcoin explained

Forks: Longest Chain Rule

• Longest Chain Rule: chain with most work is the main chain (51 % attack)

1 Simultaneously: Alice mines B _a & Bob mines B b

Both chains are valid for now: Fork

2 Next miners mine either after B a or B _b

3 Charlie mines B 2

Longest chain wins:

(. . . → C ₀ → B _b → B ₂ )

C0

t1t2t3t4 Ba

t1t2t5t6 Bb

t3t7t8 B2

If transactions t ₄ & t ₅ are mutually ex-

clusive then t 4 will never be included by

honest miners

(95)

Bitcoin explained

Forks: Longest Chain Rule

• Longest Chain Rule: chain with most work is the main chain (51 % attack)

1 Simultaneously: Alice mines B _a & Bob mines B b

Both chains are valid for now: Fork

2 Next miners mine either after B a or B _b

3 Charlie mines B 2

Longest chain wins:

(. . . → C ₀ → B _b → B ₂ )

C0

t1t2t3t4 Ba

t1t2t5t6 Bb

t3t7t8 B2

Double spending?

If transactions t ₄ & t ₅ are mutually ex-

clusive then t 4 will never be included by

^{56 / 128}

(96)

Bitcoin explained

Low Probability of simultaneous mining, except attacks

• # Nodes in the network at a given time

• Respective power, stake, activity, communication speed, etc.

P (fake longest chain) < 1/1000

(97)

Bitcoin explained

Low Probability of simultaneous mining, except attacks

• # Nodes in the network at a given time

• Respective power, stake, activity, communication speed, etc.

Example: 10% of the world computing power, 6 confirmations

P (fake longest chain) < 1/1000

(98)

Bitcoin explained

Overdraft is not allowed

d a t e ⇒O K p o u r - 4 B T C

+ 2 B T C - 3 B T C

+ 2 B T C + 1 B T C

+ 5 B T C

• • Chain of two distinct honest minors cannot differ much;

• Chain of blocks: any modification must modify all the following blocks

(depth and length of forks);

• The network adapts (every 2 weeks) to validate on average

every 10 minutes.

(99)

Bitcoin explained

Overdraft is not allowed

d a t e ⇒O K p o u r - 4 B T C

+ 2 B T C - 3 B T C

+ 2 B T C + 1 B T C

+ 5 B T C

Preventing double spending

• All the balances must be positive

• Chain of two distinct honest minors cannot differ much;

• Chain of blocks: any modification must modify all the following blocks

(depth and length of forks);

• The network adapts (every 2 weeks) to validate on average

every 10 minutes.

(100)

Other separations: Soft Fork

Modification of the code

• Bug corrections

(101)

Bitcoin explained

Hard Fork

(102)

Hard or Soft Fork

(103)

Bitcoin explained

Bitcoin Hard Fork History

• BCH (Bitcoin Cash) for Bitcoin

• August 1, 2017: block 478558

• BTG (Bitcoin Gold, ASIC → GPU) for Bitcoin

• October 24, 2017: bloc 491407

• BSV (Bitcoin SV, Satoshi Version, 64MB) for Bitcoin Cash

• November 15, 2018: bloc 556766

(104)

Hard Fork History

(105)

Bitcoin explained

Can a hard fork make you richer?

• Instantaneous: doubles the number of coins (same balance in each branch)

• Purchasing power is in fact unchanged at the time of the fork (split in both currencies)

• Then: each cryptocurrency fluctuates in its own right

Example of Bitcoin Gold

23/10/2017: BTC≈ 5 910$ 24/10/2017: BTG≈ 480$ 25/10/2017: BTC≈ 5 380$

10/03/2019: BTC≈ 3 895$ 09/11/2020: BTC≈ 15 523$

BTG≈ 12$ BTG≈ 7$

(106)

Can a hard fork make you richer?

• Instantaneous: doubles the number of coins (same balance in each branch)

• Purchasing power is in fact unchanged at the time of the fork (split in both currencies)

• Then: each cryptocurrency fluctuates in its own right Example of Bitcoin Gold

23/10/2017: BTC≈ 5 910$ 24/10/2017: BTG≈ 480$ 25/10/2017: BTC≈ 5 380$

10/03/2019: BTC≈ 3 895$ 09/11/2020: BTC≈ 15 523$

BTG≈ 12$ BTG≈ 7$

(107)

Bitcoin explained

Traceability

Tracking criminals:

• The list of all the transactions is public!

• Waiving the anonymity (legally) at entry/exit (classical

currencies)

(108)

Traceability

Tracking criminals:

• The list of all the transactions is public!

• Waiving the anonymity (legally) at entry/exit (classical

currencies)

(109)

Bitcoin explained

Limitations

10 minutes = 1 block

Size of transactions 1 MB (4MB, after SegWit, 1st August 2017)

Lightning Network 12 seconds

(110)

Limitations

10 minutes = 1 block

Size of transactions 1 MB (4MB, after SegWit, 1st

August 2017)

(111)

Bitcoin explained

Energy intensive: Bitcoin power requirements (hashrate)

(112)

Energy intensive: Bitcoin power requirements (hashrate)

/01 /01 1/01 /01 /01 /06 /01 /06 /01 /06 /01 /06 7/01 /06 /01 /06 /01 /06 /01

0 2·10⁷ 4·10⁷ 6·10⁷ 8·10⁷ 1·10⁸ 1.2·10⁸

TH/s

(113)

Bitcoin explained

Energy intensive: Bitcoin power requirements (hashrate)

Estimation: several yearly TWh (comparable to a small state comsumption)

4 ! Estimated from 15 to 70 TWh in 2018 (whole of France:

1800 TWh in 2017)

Other consensus algorithm (e.g., Proof of Stake)

(114)

Energy intensive: Bitcoin power requirements (hashrate)

Estimation: several yearly TWh (comparable to a small state comsumption)

Lightning Network

Other consensus algorithm (e.g., Proof of Stake)

(115)

Bitcoin explained

New block every 10 minutes

Speed Efficiency Cost Average Mining Machine Type

MH/s MH/J MH/s/ e Years/block Core i5-2400 CPU 14 0.15 0.09 25.3 Millions

PS3 Cell 21 0.35 0.09 16.9 Millions

ATI 830 GPU 325 1.98 3.30 1.1 Millions

Ebit E11++ ASIC 44 000 000 22 200.00 8 885.00 13.6

• Target: 74 initial zeroes, 1

2 ⁷⁴ chances to mine

• 44 000 000 MH/s = 4.4 10 ¹³ H/s ≈ 2 ^45.3 H/s

• 2 ^28.7 ≈ 4.3 10 ⁸ s ≈ 5 000 days ≈ 13.6 years of computations of an Ebit E11++

• World network ≈ 700 000 E11

(116)

Bitcoin explained

Bitcoin: Decentralized Cryptocurrency

• Proof of work = hashing target

• Money creation = reward to miners

• Miner = hard work + energy-intensive

(117)

Bitcoin explained

Bitcoin: Decentralized Cryptocurrency

• Proof of work = hashing target

• Money creation = reward to miners

• Miner = hard work + energy-intensive

• Loss or theft of the private key: permanent

• Anonymous and traceable currency

(118)

Outline

1 ToR 2 ZKP 3 OTR 4 Bitcoin

Money

The Bitcoin revolution Technical context Bitcoin explained 5 Altcoins

6 NFT

7 Cloud Security 8 SSE

9 Privacy in DB

10 Conclusion

(119)

SSI LEcture 5 Applications Altcoins

Monetary diversity: marketcap

65.61%

Bitcoin

11.07%

Ethereum

8.53%

Others 3.97%

Theter

2.62%

Ripple 1.09%

BTCash

0.93%

BinanceCoin 0.78%

Cardano

0.92%

Litecoin 0.68%

BSV

0.54%

EOS 0.42%

Tron

0.48%

Monero 0.37%

Stellar

0.16%

IOTA

(120)

Other crypto-currencies

(121)

Other crypto-currencies

0 50 100 150 200

2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019

Apparitionsdecrypto-monnaies

(122)

Classification I: lousy

(123)

Classification II: Bitcoin Clones

(124)

Classification III: more useful

primes rewarding medical computations HPC

(125)

Classification IV: other consensus algorithms

PeerCoin BurstCoin Ethereum Iota (miota)

PoS Storage Hybrid PoW/PoS gossiping (DAG)

gathering of transactions

(126)

Classification IV: other consensus algorithms

PeerCoin BurstCoin Ethereum Iota (miota)

PoS Storage Hybrid PoW/PoS gossiping (DAG)

(127)

Etherum

Speed: 12 seconds

Unit wei

wei 1 wei

Kwei (babbage) 10³wei Mwei (lovelace) 10⁶wei Gwei (shannon) 10⁹wei microether (szabo) 10¹²wei milliether (finney) 10¹⁵wei

ether 10¹⁸wei

Rewarding uncles

B0 B1 B2 B3 B4 B5 B6

Ba

Bb Bc

( B

₄

receives 3 × 1 +

₃₂²

= 3.185 ethers

B

b

receives

⁷₈

× 3 = 2.625 ethers, B

a

receives

⁵₈

× 3 = 1.875 ethers

(128)

Peercoin: coin age

For 10 coins

Days 0 1 2 ...

Age 10 10 20 ...

After V 0.3:

• Wait 30 days

• Maximum 90 days

Hash(. . .) < C × A × ₂

³²

¹ _×D

• C : number of coins

• A: Average Age (days) of the coins

• D: Hardness

(129)

Peercoin: coin age

For 10 coins

Days 0 1 2 ...

Age 10 10 20 ...

After V 0.3:

• Wait 30 days

• Maximum 90 days Hashing target

Hash(. . .) < C × A × ₂

³²

¹ _×D

• C : number of coins

• A: Average Age (days) of the coins

• D: Hardness

(130)

Lightning Network ^Xan ^−→ Zeke: signed commitments on open channels

(131)

Multiculturalism of money creation

(132)

Who embraces these crypto-currencies?

(133)

Another example: ˘ G1

• Freedom of access to resources

• Freedom of production

• Freedom of exchange in the currency

Universal Dividend: proof of existence

(134)

More obstacles

Computer hygiene Awareness

(135)

SSI LEcture 5 Applications NFT

Outline

1 ToR 2 ZKP 3 OTR 4 Bitcoin

Money

The Bitcoin revolution Technical context Bitcoin explained 5 Altcoins

6 NFT

7 Cloud Security 8 SSE

9 Privacy in DB

10 Conclusion

(136)

Two kinds of Token

Fongible

Gold, wine, oil, or coins are fongible objects.

Like an ETH or BTC since one can be swapped to another one.

Non Fongible

Are individualized, cannot be swapped but divisible: an house, a

Picasso painting.

(137)

CryptoKitties

#517810 #517135

(138)

ICO: InitialCoinOffering

Etherum founding

(139)

ERC

Etheria :

• ERC-20 fongibel tokens

• ERC-721 NFT

• ERC-1155 hybrid tokens

(140)

NFT Applications

(141)

SSI LEcture 5 Applications Cloud Security

Outline

1 ToR 2 ZKP 3 OTR 4 Bitcoin

Money

The Bitcoin revolution Technical context Bitcoin explained 5 Altcoins

6 NFT

7 Cloud Security 8 SSE

9 Privacy in DB

10 Conclusion

(142)

Should we trust our remote storage?

• Sysadmins have root access

• Hackers breaking in

Solution:

(143)

Should we trust our remote storage?

Many reasons not to

• Outsourced backups and storage

• Sysadmins have root access

• Hackers breaking in

Solution:

(144)

Should we trust our remote storage?

Many reasons not to

• Outsourced backups and storage

• Sysadmins have root access

• Hackers breaking in

Solution:

(145)

Clouds

(146)

Clouds

(147)

Properties

Acces from everywhere Avaible for everything:

• Store documents, photos, etc

• Share them with colleagues, friends, family

• Process the data

• Ask queries on the data

(148)

Current solutions

Cloud provider knows the content and claims to actually

• identify users and apply access rights

• safely store the data

• securely process the data

• protect privacy

(149)

Users need more Storage and Privacy guarantees

• confidentiality of the data

• anonymity of the users

• obliviousness of the queries

(150)

Broadcast encryption (Fiat-Noar 1994)

The sender can select the target group of receivers to control who

access to the data like in PAYTV

(151)

Functional encryption [Boneh-Sahai-Waters 2011]

The user generates sub-keys K _y according to the input y to control the amount of shared data.

From C = Encrypt(x), then Decrypt(K y , C ), outputs f (x, y )

(152)

Fully Homomorphic Encryption [Gentry 2009]

(153)

SSI LEcture 5 Applications