Quantum computing question
I'm thinking about Bitcoin in the long run and how safe my investments are, etc and I have a question about the quantum computing vulnerability. All I really understand is that, with quantum computing, it may be relatively easy to get the private keys to a wallet address. If this problem occurs, Bitcoin could of course hard fork to address the issue, however, wouldn't it still be too late? Even if the community nearly 100% agreed to fork from a time in the past before the first attack occurred, how could a fork possibly allow for new private keys that somehow everyone would be able to know based on their current private keys without those being compromised as well? And asking every single Bitcoin holder to move their funds immediately after a fork seems unfeasible. Isn't the time to fork for quantum resistance now, before a successful attack occurs? Can anyone explain to me definitively how my Bitcoins are protected if quantum computers become widely available?
Bitcoin (BTC) is a peer-to-peer cryptocurrency that aims to function as a means of exchange that is independent of any central authority. BTC can be transferred electronically in a secure, verifiable, and immutable way.
Launched in 2009, BTC is the first virtual currency to solve the double-spending issue by timestamping transactions before broadcasting them to all of the nodes in the Bitcoin network. The Bitcoin Protocol offered a solution to the Byzantine Generals’ Problem with a blockchain network structure, a notion first created by Stuart Haber and W. Scott Stornetta in 1991.
Bitcoin’s whitepaper was published pseudonymously in 2008 by an individual, or a group, with the pseudonym “Satoshi Nakamoto”, whose underlying identity has still not been verified.
The Bitcoin protocol uses an SHA-256d-based Proof-of-Work (PoW) algorithm to reach network consensus. Its network has a target block time of 10 minutes and a maximum supply of 21 million tokens, with a decaying token emission rate. To prevent fluctuation of the block time, the network’s block difficulty is re-adjusted through an algorithm based on the past 2016 block times.
With a block size limit capped at 1 megabyte, the Bitcoin Protocol has supported both the Lightning Network, a second-layer infrastructure for payment channels, and Segregated Witness, a soft-fork to increase the number of transactions on a block, as solutions to network scalability.
Bitcoin is a peer-to-peer cryptocurrency that aims to function as a means of exchange and is independent of any central authority. Bitcoins are transferred electronically in a secure, verifiable, and immutable way.
Network validators, who are often referred to as miners, participate in the SHA-256d-based Proof-of-Work consensus mechanism to determine the next global state of the blockchain.
The Bitcoin protocol has a target block time of 10 minutes, and a maximum supply of 21 million tokens. The only way new bitcoins can be produced is when a block producer generates a new valid block.
The protocol has a token emission rate that halves every 210,000 blocks, or approximately every 4 years.
Unlike public blockchain infrastructures that support the development of decentralized applications (Ethereum), the Bitcoin protocol is primarily used for payments and has only very limited support for smart contract-like functionality (Bitcoin “Script” is mostly used to attach spending conditions that must be met before bitcoins can be spent).
In the Bitcoin network, anyone can join and become a bookkeeping service provider, i.e., a validator. All validators may enter the race to become the block producer for the next block, yet only the first to complete a computationally heavy task will win. This feature is called Proof of Work (PoW). The probability that any single validator finishes the task first equals that validator's share of the total network computation power, or hash power. For instance, a validator with 5% of the total network computation power has a 5% chance of completing the task first and therefore becoming the next block producer. Since anyone can join the race, competition tends to increase. In the early days, Bitcoin mining was mostly done on personal computer CPUs. Today, Bitcoin validators, or miners, have opted for dedicated and more powerful devices such as machines based on Application-Specific Integrated Circuits (“ASICs”).

Proof of Work secures the network because block producers must have spent resources external to the network (i.e., money to pay for electricity) and can prove to other participants that they did so. With many miners competing for block rewards, it becomes difficult for a single malicious party to gain a network majority (defined as more than 51% of the network’s hash power in the Nakamoto consensus mechanism). The ability to rearrange transactions via 51% attacks points to another feature of the Nakamoto consensus: the finality of transactions is only probabilistic. Once a block is produced, the block producer propagates it to all other validators, who check the validity of every transaction in that block. The block producer receives a reward in the network’s native currency (i.e., bitcoin) once the validators approve the block and update their ledgers.
The Bitcoin protocol uses the Merkle tree data structure to organize the hashes of the many individual transactions in each block. The concept is named after Ralph Merkle, who patented it in 1979. With a Merkle tree, a block that contains thousands of transactions can combine all of their hashes and condense them into one, allowing efficient and secure verification of that group of transactions. This single hash is called the Merkle root, and it is stored in the Block Header of the block. The Block Header also stores other metadata about the block, such as the hash of the previous Block Header, which links blocks together in a chain-like structure (hence the name “blockchain”). An illustration of block production in the Bitcoin Protocol is shown below.
Block time and mining difficulty
Block time is the period required to create the next block in a network. As mentioned above, the node that solves the computationally intensive task is allowed to produce the next block. Therefore, block time is directly correlated with the amount of time it takes a node to find a solution to the task. The Bitcoin protocol sets a target block time of 10 minutes, and attempts to achieve this by introducing a variable named mining difficulty. Mining difficulty refers to how hard it is for a node to solve the computationally intensive task. If the network sets a high difficulty for the task while miners have low computational power, often referred to as “hashrate”, it would statistically take longer for the nodes to find an answer. If the difficulty is low but miners have rather strong computational power, statistically some nodes will be able to solve the task quickly. Therefore, the 10 minute target block time is achieved by constantly and automatically adjusting the mining difficulty according to how much computational power there is amongst the nodes. The average block time of the network is evaluated after a certain number of blocks: if it is greater than the expected block time, the difficulty level decreases; if it is less than the expected block time, the difficulty level increases.
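As an added illustration (not part of the original text), here is the retarget rule described above written out in Python with Bitcoin's real constants (2016 blocks per period, a 600 s target, the 4x clamp per period and the difficulty-1 ceiling); the simulation scenario and its hashrate figures are constructed for the example.

```python
# Added example (not from the page): a model of Bitcoin's difficulty retarget.
# Every 2016 blocks the target is rescaled by (actual timespan / expected
# timespan), clamped to a factor of 4 in either direction, and never allowed
# to exceed the "difficulty 1" target.  Constants are the real Bitcoin values.
TARGET_BLOCK_TIME = 600                                      # seconds
RETARGET_INTERVAL = 2016                                     # blocks per adjustment period
EXPECTED_TIMESPAN = TARGET_BLOCK_TIME * RETARGET_INTERVAL    # 1,209,600 s (two weeks)
MAX_TARGET = 0x00000000FFFF0000000000000000000000000000000000000000000000000000


def retarget(old_target: int, actual_timespan: int) -> int:
    """Return the next target given how long the last period actually took.

    The observed timespan is clamped to [expected/4, expected*4], so one period
    can move difficulty by at most 4x.  This limits how far an attacker who
    rents or switches off hashpower can swing the difficulty in one step.
    (Bitcoin Core measures the timespan between the first and last block of the
    window, i.e. 2015 intervals, a known off-by-one; this model uses 2016.)
    """
    clamped = min(max(actual_timespan, EXPECTED_TIMESPAN // 4), EXPECTED_TIMESPAN * 4)
    new_target = old_target * clamped // EXPECTED_TIMESPAN
    return min(new_target, MAX_TARGET)          # difficulty can never drop below 1


def difficulty(target: int) -> float:
    """Difficulty as commonly reported: how many times harder than difficulty 1."""
    return MAX_TARGET / target


def expected_block_time(target: int, hashrate: float) -> float:
    """Mean seconds per block: each hash is valid with probability target / 2**256."""
    return 2 ** 256 / target / hashrate


def simulate(hashrates, target: int = MAX_TARGET):
    """Run one retarget period per hashrate entry (hashes per second).

    Returns a list of (mean block time during the period, difficulty after retarget).
    """
    history = []
    for hashrate in hashrates:
        block_time = expected_block_time(target, hashrate)
        actual_timespan = round(block_time * RETARGET_INTERVAL)
        target = retarget(target, actual_timespan)
        history.append((block_time, difficulty(target)))
    return history


if __name__ == "__main__":
    # Hashrate that yields 600 s blocks at difficulty 1 (constructed baseline).
    base = 2 ** 256 / MAX_TARGET / TARGET_BLOCK_TIME
    # Constructed scenario: hashrate doubles, stays, then jumps 8x (hits the 4x clamp).
    for block_time, diff in simulate([base, 2 * base, 2 * base, 16 * base]):
        print(f"mean block time {block_time:8.1f} s -> difficulty after retarget {diff:.3f}")
```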
What are orphan blocks?
In a PoW blockchain network, if the block time is too low, the likelihood of nodes producing orphan blocks increases, and nodes receive no reward for such blocks. Orphan blocks are produced by nodes that solved the task but, due to network latency, were not the quickest to broadcast their results to the whole network. It takes time for a message to travel through a network, and it is entirely possible for two nodes to complete the task and start broadcasting their results at roughly the same time, while one node's messages are received by all other nodes earlier because that node has lower latency. Imagine a network latency of 1 minute and a target block time of 2 minutes. A node could solve the task in around 1 minute, but its message would take 1 minute to reach the rest of the nodes, which are still working on the solution. While its message travels through the network, all the work done by all other nodes during that minute, even if those nodes also complete the task, goes to waste. In this case, 50% of the computational power contributed to the network is wasted. The percentage of wasted computational power would decrease proportionally if the mining difficulty were higher, as it would statistically take longer for miners to complete the task. In other words, if the mining difficulty, and therefore the target block time, is low, miners with powerful and often centralized mining facilities get a higher chance of becoming the block producer, while the participation of weaker miners becomes futile. This introduces possible centralization and weakens the overall security of the network. However, given the limited number of transactions that can be stored in a block, making the block time too long would decrease the number of transactions the network can process per second, negatively affecting network scalability.
3. Bitcoin’s additional features
Segregated Witness (SegWit)
Segregated Witness, often abbreviated as SegWit, is a protocol upgrade proposal that went live in August 2017. SegWit separates witness signatures from transaction-related data. Witness signatures in legacy Bitcoin blocks often take up more than 50% of the block size. By removing witness signatures from the transaction block, this protocol upgrade effectively increases the number of transactions that can be stored in a single block, enabling the network to handle more transactions per second. As a result, SegWit increases the scalability of Nakamoto consensus-based blockchain networks like Bitcoin and Litecoin. SegWit also makes transactions cheaper. Since transaction fees are derived from how much data is processed by the block producer, the more transactions that can be stored in a 1MB block, the cheaper individual transactions become.

The legacy Bitcoin block has a block size limit of 1 megabyte, and any change to the block size would require a network hard-fork. On August 1st 2017, the first hard-fork occurred, leading to the creation of Bitcoin Cash (“BCH”), which introduced an 8 megabyte block size limit. Conversely, Segregated Witness was a soft-fork: it never changed the transaction block size limit of the network. Instead, it added an extended block with an upper limit of 3 megabytes, which contains solely witness signatures, to the 1 megabyte block that contains only transaction data. This new block type can be processed even by nodes that have not completed the SegWit protocol upgrade. Furthermore, the separation of witness signatures from transaction data solves the malleability issue of the original Bitcoin protocol. Without Segregated Witness, these signatures could be altered before the block is validated by miners.
Indeed, alterations can be done in such a way that if the system does a mathematical check, the signature would still be valid. However, since the values in the signature are changed, the two signatures would create vastly different hash values. For instance, if a witness signature states “6,” it has a mathematical value of 6, and would create a hash value of 12345. However, if the witness signature were changed to “06”, it would maintain a mathematical value of 6 while creating a (faulty) hash value of 67890. Since the mathematical values are the same, the altered signature remains a valid signature. This would create a bookkeeping issue, as transactions in Nakamoto consensus-based blockchain networks are documented with these hash values, or transaction IDs. Effectively, one can alter a transaction ID to a new one, and the new ID can still be valid. This can create many issues, as illustrated in the below example:
Alice sends Bob 1 BTC, and Bob sends Merchant Carol this 1 BTC for some goods.
Bob sends Carol this 1 BTC while the transaction from Alice to Bob is not yet validated. Carol sees this incoming transaction of 1 BTC to her, and immediately ships goods to Bob.
At the moment, the transaction from Alice to Bob is still not confirmed by the network, and Bob can change the witness signature, therefore changing this transaction ID from 12345 to 67890.
Now Carol will not receive her 1 BTC, as the network looks for transaction 12345 to ensure that Bob’s wallet balance is valid.
As this particular transaction ID changed from 12345 to 67890, the transaction from Bob to Carol will fail, and Bob will get his goods while still holding his BTC.
With the Segregated Witness upgrade, such instances can not happen again. This is because the witness signatures are moved outside of the transaction block into an extended block, and altering the witness signature won’t affect the transaction ID. Since the transaction malleability issue is fixed, Segregated Witness also enables the proper functioning of second-layer scalability solutions on the Bitcoin protocol, such as the Lightning Network.
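To make the “6” versus “06” case concrete, here is an added Python example that is not part of the original text: it encodes one signature value in minimal and in padded DER form (a redundant leading zero byte, the kind of encoding variation nodes accepted before BIP66 required strict DER), hashes a toy transaction the legacy way (signature inside the input) and the SegWit way (witness left out of the txid), and checks whether Bob's child transaction still finds its parent. The transaction layout and length prefixes are a constructed toy format, not Bitcoin's real serialization.

```python
# Added example (not from the page): why changing a signature's encoding
# changed a legacy transaction id, and why SegWit's txid no longer depends on
# the witness.  Transaction layout is a constructed toy format; DER is real.
import hashlib


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def der_int(n: int, pad: bool = False) -> bytes:
    """DER INTEGER.  pad=True prepends a redundant 0x00 byte: same numeric
    value, different bytes (the "6" versus "06" case; rejected since BIP66)."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if pad or body[0] & 0x80:      # a leading 0x00 is mandatory only when the high bit is set
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body


def der_sig(r: int, s: int, pad: bool = False) -> bytes:
    body = der_int(r, pad) + der_int(s, pad)
    return b"\x30" + bytes([len(body)]) + body


def parse_der_sig(sig: bytes):
    """Recover (r, s) as integers; padding does not change the parsed values."""
    assert sig[0] == 0x30 and sig[2] == 0x02
    r_len = sig[3]
    r = int.from_bytes(sig[4:4 + r_len], "big")
    assert sig[4 + r_len] == 0x02
    s_len = sig[5 + r_len]
    s = int.from_bytes(sig[6 + r_len:6 + r_len + s_len], "big")
    return r, s


def ser(b: bytes) -> bytes:
    return bytes([len(b)]) + b          # toy 1-byte length prefix (constructed format)


class Tx:
    def __init__(self, inputs, outputs):
        self.inputs = inputs            # list of (prev_txid, output_index, signature_bytes)
        self.outputs = outputs          # list of (amount_sats, recipient_bytes)

    def serialize(self, with_witness: bool) -> bytes:
        out = b""
        for prev_txid, idx, sig in self.inputs:
            out += prev_txid + idx.to_bytes(4, "little")
            if with_witness:
                out += ser(sig)         # legacy layout: the signature sits inside the input
        for amount, recipient in self.outputs:
            out += amount.to_bytes(8, "little") + ser(recipient)
        return out

    def legacy_txid(self) -> bytes:     # pre-SegWit: the id covers the signature bytes
        return sha256d(self.serialize(with_witness=True))

    def segwit_txid(self) -> bytes:     # SegWit: the id excludes the witness
        return sha256d(self.serialize(with_witness=False))

    def wtxid(self) -> bytes:           # SegWit still commits to witnesses, via a separate id
        return sha256d(self.serialize(with_witness=True))


def malleability_demo() -> dict:
    r, s = 0x1A2B3C4D, 0x55667788                  # constructed signature values
    funding = bytes.fromhex("aa" * 32)             # constructed id of an earlier transaction
    bob_out = (100_000_000, b"bob")
    carol_out = (100_000_000, b"carol")
    alice_to_bob = Tx([(funding, 0, der_sig(r, s))], [bob_out])
    # Same (r, s), re-encoded with a redundant leading zero: the "06" version.
    malleated = Tx([(funding, 0, der_sig(r, s, pad=True))], [bob_out])
    # Bob spends the unconfirmed output, referencing the parent by its id.
    child_legacy = Tx([(alice_to_bob.legacy_txid(), 0, b"bobsig")], [carol_out])
    child_segwit = Tx([(alice_to_bob.segwit_txid(), 0, b"bobsig")], [carol_out])
    return {
        "same_signature_value": parse_der_sig(alice_to_bob.inputs[0][2])
                                == parse_der_sig(malleated.inputs[0][2]),
        "legacy_txid_changed": alice_to_bob.legacy_txid() != malleated.legacy_txid(),
        "child_still_links_legacy": child_legacy.inputs[0][0] == malleated.legacy_txid(),
        "segwit_txid_changed": alice_to_bob.segwit_txid() != malleated.segwit_txid(),
        "child_still_links_segwit": child_segwit.inputs[0][0] == malleated.segwit_txid(),
        "wtxid_changed": alice_to_bob.wtxid() != malleated.wtxid(),
    }
```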
Lightning Network is a second-layer micropayment solution for scalability. Specifically, Lightning Network aims to enable near-instant and low-cost payments between merchants and customers that wish to use bitcoins. Lightning Network was conceptualized in a whitepaper by Joseph Poon and Thaddeus Dryja in 2015. Since then, it has been implemented by multiple companies. The most prominent of them include Blockstream, Lightning Labs, and ACINQ. A list of curated resources relevant to Lightning Network can be found here. In the Lightning Network, if a customer wishes to transact with a merchant, both of them need to open a payment channel, which operates off the Bitcoin blockchain (i.e., off-chain vs. on-chain). None of the transaction details from this payment channel are recorded on the blockchain, and only when the channel is closed will the end result of both parties’ wallet balances be updated on the blockchain. The blockchain only serves as a settlement layer for Lightning transactions. Since all transactions done via the payment channel are conducted independently of the Nakamoto consensus, both parties involved in transactions do not need to wait for network confirmation. Instead, transacting parties pay transaction fees to Bitcoin miners only when they decide to close the channel.

One limitation of the Lightning Network is that it requires a person to be online to receive transactions addressed to him. Another limitation in user experience is that one needs to lock up some funds every time he wishes to open a payment channel, and is only able to use those funds within the channel. However, this does not mean he needs to create new channels every time he wishes to transact with a different person on the Lightning Network.
If Alice wants to send money to Carol, but they do not have a payment channel open, they can ask Bob, who has payment channels open to both Alice and Carol, to help make that transaction. Alice will be able to send funds to Bob, and Bob to Carol. Hence, the number of “payment hubs” (i.e., Bob in the previous example) correlates with both the convenience and the usability of the Lightning Network for real-world applications.
Schnorr Signature upgrade proposal
Elliptic Curve Digital Signature Algorithm (“ECDSA”) signatures are used to sign transactions on the Bitcoin blockchain. However, many developers now advocate replacing ECDSA with Schnorr Signatures. Once Schnorr Signatures are implemented, multiple parties can collaborate in producing a signature that is valid for the sum of their public keys. This would primarily be beneficial for network scalability. When multiple addresses send to a single address, each input requires its own signature. With Schnorr Signatures, all these signatures can be combined into one. As a result, the network would be able to store more transactions in a single block. The reduced signature size implies a reduced cost in transaction fees: the group of senders can split the fee for that one group signature, instead of each paying for a personal signature individually. Schnorr Signatures also improve network privacy and token fungibility. A third-party observer will not be able to detect whether a user is sending a multi-signature transaction, since the signature will be in the same format as a single-signature transaction.
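An added example (not from the original text, and not BIP340 or MuSig): textbook Schnorr over secp256k1 in plain Python, with naive aggregation in which the signers' nonces, secrets and public keys are summed so that one (R, s) pair verifies against the summed key through the same verify() routine an observer would use for a single signer. The deterministic nonces are an assumption made for reproducibility, and the rogue-key caveat in the docstring is why production schemes weight each key with a hash-derived coefficient.

```python
# Added example (not from the page): textbook Schnorr signatures over secp256k1
# with naive key and signature aggregation.  Teaching code, not BIP340/MuSig.
import hashlib

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7 (mod P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                    # a + (-a)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P         # point doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; teaching code only)."""
    result = None
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result


def ec_sum(points):
    total = None
    for pt in points:
        total = ec_add(total, pt)
    return total


def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def hash_to_scalar(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N


def pubkey(d):
    return ec_mul(d, G)


def challenge(R, pub, msg):
    # Hashing R and the public key together with the message binds the signature
    # to one key, which is what lets verify() reject a single signer's partial s.
    return hash_to_scalar(point_bytes(R), point_bytes(pub), msg)


def nonce(d, msg, tag=b""):
    # Deterministic nonce so the example is reproducible (an assumption); real
    # signers use fresh randomness, and a nonce must never be reused across messages.
    return hash_to_scalar(d.to_bytes(32, "big"), tag, msg) or 1


def sign(d, msg):
    k = nonce(d, msg)
    R = ec_mul(k, G)
    e = challenge(R, pubkey(d), msg)
    return R, (k + e * d) % N


def verify(pub, msg, sig):
    R, s = sig
    if R is None or pub is None or not 0 < s < N:
        return False
    e = challenge(R, pub, msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, pub))       # s*G == R + e*P


def aggregate_sign(privkeys, msg):
    """All signers jointly produce one signature for the summed public key.

    s*G = sum(k_i)*G + e*sum(d_i)*G = R + e*P_agg, so the ordinary verify() accepts
    it and the result looks exactly like a single-signer signature.  Plain key
    summation is open to rogue-key attacks (a signer picks P_n = P' - sum(P_i) so
    that P_agg is a key only they control); MuSig prevents this by multiplying each
    key by a hash-derived coefficient before summing.
    """
    pubs = [pubkey(d) for d in privkeys]
    agg_pub = ec_sum(pubs)
    nonces = [nonce(d, msg, b"agg") for d in privkeys]      # round 1: nonce commitments
    R = ec_sum(ec_mul(k, G) for k in nonces)
    e = challenge(R, agg_pub, msg)                           # round 2: shared challenge
    s = sum((k + e * d) % N for k, d in zip(nonces, privkeys)) % N
    return agg_pub, (R, s)
```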
4. Economics and supply distribution
The Bitcoin protocol utilizes the Nakamoto consensus, and nodes validate blocks via Proof-of-Work mining. The bitcoin token was not pre-mined, and has a maximum supply of 21 million. The initial reward for a block was 50 BTC per block. Block mining rewards halve every 210,000 blocks. Since the average time for block production on the blockchain is 10 minutes, it implies that the block reward halving events will approximately take place every 4 years. As of May 12th 2020, the block mining rewards are 6.25 BTC per block. Transaction fees also represent a minor revenue stream for miners.
Can a quantum computer be used for bitcoin mining?
This has been bothering me for a while. I'm a newbie in computer science, and I just found out about Grover’s algorithm, which can only be implemented on a quantum computer. Supposedly it can achieve a quadratic speedup over a classical computer, brute-forcing a solution to an n-bit symmetric encryption key in 2^n/2 iterations. This led me to think that, by utilizing a quantum computer or quantum simulator of about 40-qubits that runs Grover's algorithm, is it possible to mine bitcoins this way? The current difficulty of bitcoin mining is about 15,466,098,935,554 (approximately 2^44), which means that it would take about 2^44*2^32=2^76 SHA256 hashes before a valid block header hash is found. However, by implementing Grover's algorithm, we would only need to sort through 2^76/2=2^38 hashes to discover a valid block header hash. A 38-qubit quantum computer should be sufficient in this case - which means the 40-qubit quantum computer should be more than enough to handle bitcoin mining. Therefore - is it possible to use quantum computers to mine bitcoins this way? I'm not too familiar with quantum computers, so please correct me if I missed something... NOTE: I am NOT asking whether it is possible to use quantum computers to break the ECDSA secp256k1 algorithm, which would effectively allow anyone to steal bitcoins from wallets. I know that this would require much more than 40 qubits, and is definitely not happening in the near-future. Rather, I'm asking about bitcoin mining, which is a much easier problem than trying to break ECDSA secp256k1.
As 2020 is now here, Bottos has solemnly released its “2020 Research and Development Scheme”. On one hand, we adhere to the principle of transparency so that the whole community can comprehend our next step as a whole; more importantly, it also helps our whole team to think deeply about the future and reach consensus. We strongly believe that consistently following up on this plan will help us achieve the best results. Building on the efficient development of Bottos, the team’s technical achievements in consensus algorithms and smart contracts are used to deeply implement and optimize the existing technical architecture. At the same time, by using the community’s technical capabilities, developing horizontally and expanding new functional modules and technical directions, it stays closely integrated with the whole community. In the future, we will keep striving for in-depth thinking, comprehensive planning, and flexible adjustment.

Overview of Technical Routes

User feedback within the community is the driving force behind Bottos’ progress. Along the development route of the community and the industry we have formulated a roadmap for technical development, pointing the team in the right direction among the many routes of modern technology. As part of our 2020 research and development objective we have the following arrangements:

1. Intensifying development of smart contracts and related infrastructure

After many years of development, smart contracts have gradually become the core and standard function in blockchain projects. The strength, ease of use, and stability of smart contracts represent the key capabilities of a blockchain project. As a good start, Bottos has already made great progress in the field of smart contracts. We still need to increase development efforts, making the ease of use and stability of smart contracts the top priority of our future development. Reducing the barriers for developers and ordinary users, shortening the contract development cycle and saving users time is another important task for the team to accomplish. To this end, we have planned an efficient and easy-to-use one-stop contract development, debugging, and deployment tool that will provide multiple access methods and interfaces to the test network to support rapid deployment and rapid debugging.

2. Establishing an excellent client and user portal

The main goal here is to add an entry point for the creation and deployment of smart contracts in the wallet client. To this end, the wallet needs to be transformed: a local compiler for smart contracts must be added, and an easy-to-use UI can be provided for creating, deploying, and managing contracts, meeting users’ needs with a single mouse click.

3. Expanding distributed storage

Distributed storage is another focus of our development in the upcoming year. Only a distributed architecture can completely solve the performance and scalability issues of stand-alone storage. Distributed storage suitable for a blockchain needs to provide performance no lower than a single machine, extremely high availability, no single point of failure, easy expansion, and strongly consistent transactions. These are the main key points and difficulties for Bottos in the field of distributed storage in the coming days.

4. Reinforcing multi-party secure computing

Privacy in computing is also a very important branch to deal with. In this research direction, Bottos has invested a lot of time and produced many research results on multi-party secure computing, such as technical articles and test cases. In the future, we will continue to put effort into multi-party secure computing and apply mature technical achievements to the functions of the chain.
2020 Bottos — Product Development
Support for smart contract deployment in wallets

The built-in smart contract compiler inside the wallet supports compilation of smart contracts in all languages provided by Bottos and integrates with the functions of the wallet. It also supports one-click deployment of the compiled contract source code from the wallet. When compiling a contract, one can choose whether to pre-execute the contract code. If pre-execution is selected, it will connect to the remote contract pre-execution service and return the execution result to the wallet. When deploying a contract, one can choose to deploy to the test network or the main network, and the corresponding account and private key of the test network or main network must be provided.
2020 Bottos-Technical Research
1. Intelligent smart contract development platform (BISDP)

The smart contract development platform BISDP is mainly composed of user-oriented interfaces, as well as back-end compilation and deployment tools, debugging tools, and pre-execution frameworks. The user-oriented interface provides access via WEB, PC, and mobile apps, allowing developers to quickly and easily compile and deploy contracts, and provides contract template management functions. It can also manage the contract remotely by viewing the contract execution status, the consumed resources and other information. The compilation and deployment tool provides a set of smart contract source code editing, running, debugging, and deployment solutions, as well as smart contract templates for common tasks, which greatly reduces the threshold for developers to learn and use smart contracts. At the same time, developers and ordinary users are provided with a smart contract pre-execution framework, which can check for logical defects and security risks in smart contracts before actual deployment and promptly warn users about a series of problems even before the smart contracts are actually run. The debugging tool has built-in local and remote debugging. Multiple breakpoints can be set; when the code reaches a breakpoint, one can view the variables and their contents in the current execution stack. One can also set conditional breakpoints based on the value of a variable: the code will not execute until the value reaches a preset value in memory. In the pre-execution framework, developers can choose to pre-execute contract code in a virtual environment or on a test net, catching problems in code that cannot be detected at compile time and performing deeper code inspection. The pre-execution framework can also tell the user in advance about the time and space resources required for execution.

2. Supporting Python and PHP in the BVM virtual machine for writing smart contracts

We have added smart contract writing tools based on the Python and PHP languages. These languages can be compiled into the corresponding BVM instruction set for execution, and both can be used as programming languages for smart contracts. For the Python language, the basic language elements supported in the first phase are:
- Logic control: If, Else, Eli, While, Break, method calls, for x in y
- Arithmetic and relational operators: ADD, SUB, MUL, DIV, ABS, LSHIFT, RSHIFT, AND, OR, XOR, MODULE, INVERT, GT, GTE, LT, LTE, EQ, NOTEQ
- Data structures: creation, addition, deletion, replacement, and length calculation for the list data structure; creation, append, delete, replace, and length calculation for the dict data structure
- Functions: function definition and function calls
For the PHP language, the basic language elements supported in the first phase are:
- Logic control: If, Else, Eli, While, Break, method calls
- Arithmetic and relational operators: ADD, SUB, MUL, DIV, ABS, LSHIFT, RSHIFT, AND, OR, XOR, MODULE, INVERT, GT, GTE, LT, LTE, EQ, NOTEQ
- Data structures: creating, appending, deleting, replacing, and calculating the length of associative arrays
- Functions: definition and calling of functions
For these two languages, syntax highlighting and code hinting are also provided in BISDP, which is very convenient for developers when debugging errors.

3. Continuous exploration of distributed storage solutions

Distributed storage in blockchain technology actually refers to a distributed database. Compared with a traditional DBMS, in addition to the ACID characteristics of the traditional DBMS, a distributed database also provides the high availability and horizontal expansion of a distributed system. The CAP principle of distributed systems reveals that for a common distributed system there is an impossible triangle: only two of its three properties, consistency, availability, and partition tolerance, can be selected. Distributed databases in a blockchain must provide strong consistency. This is due to the characteristics of the blockchain system itself, because it needs to provide reliable distributed transaction capabilities. For these technical issues, before ensuring that the distributed storage solution reaches 100% availability, we will continue to invest more time and technical strength, do more functional and performance testing, and conduct targeted tests of distributed storage systems.

4. Boosting secure multi-party computation research and development

Secure multi-party computation (MPC) is a cryptographic mechanism that enables multiple entities to share data while protecting the confidentiality of the data, without exposing the secret encryption key. Its performance indicators, such as security and reliability, are important for the realization of the blockchain. The transparent sharing of private data on the distributed ledger and the privacy protection of the client wallet’s private key are truly essential. At present, the platform provided by Bottos implements privacy-enhanced secure multi-party computation based on the BIP32/44 standard of Bitcoin wallets for distributed management of client wallet keys and privacy protection. Considering the higher level of data security required, and that the distributed blockchain account is public data on each node, further research and development are being planned on: (1) using RSA, Paillier, ECDSA and other public key cryptosystems with homomorphic properties, as well as the GC (garbled circuit) protocol, OT (oblivious transfer) protocol, and ZKP (zero-knowledge proof) protocols, to generate and verify transaction signatures between two parties; (2) introducing the international mainstream public key systems with higher security and performance, the national cryptographic standard public key system, and fewer- or non-interactive ZKP protocols to achieve secure multi-party computation with more than two parties, allowing more nodes to participate in privacy protection of ledger data.
After years of exploration, we are now full of confidence in our current research and development direction. We are totally determined to move forward by continuous hard work. In the end, all members of Bottos also want to thank all the friends in the community for their continuous support and outstanding contributions. Your certainty is our greatest comfort and strongest motivation. Be smart. Be data-driven. Be Bottos.
In our last article, we explored the fundamentals of TBU (or Tachyon Booster UDP). TBU is the core of Tachyon’s architecture which will replace the Application, Transport and Internet layers of the conventional TCP/IP protocol. Today we will take a look at TSP, or Tachyon Security Protocol. As the name suggests, TSP is the part of Tachyon which ensures that the ecosystem remains safe from hackers and user data remains hidden from the outside world. The two main weapons in TSP’s arsenal are Asymmetric End-to-end Encryption and the Protocol Simulation Scheme.

ECDHE-ECDSA Asymmetric end-to-end Encryption

The data that you send over the Internet passes through a host of servers, routers, and devices. There’s simply no way of knowing how secure any of these data gateways are. For all you know, your data might be intercepted by hackers at multiple points. The most reliable safeguard against this problem is end-to-end encryption, which scrambles user data such that only the recipient can make any sense out of it. Even if a hacker intercepts this data, it would seem all gibberish. It’s only when the data reaches its correct destination that it is unscrambled and the original message is revealed. Let’s say at a birthday party, Jim wants to send a secret message to his friend Rob; but the party is teeming with other kids, and he can’t risk the secret being let out. Luckily for Jim, both he and Rob have been taking French classes outside their school hours. Jim jots down the message in French on a piece of paper, and asks the other kids to relay it over to Rob. Now even if any of his friends opens the note, he won’t be able to make any meaning out of it. Smart move, Jim!
Ordinary point-to-point networking suffers from two major threats:
1. Network Sniffing
Hackers can use Network Sniffing tools to intercept and analyze the data flowing over computer network links. Most of these Sniffers work mainly with TCP/IP packets, but more sophisticated tools can work lower in the network hierarchy and even intercept Ethernet frames. To counter such data hacking techniques, TSP creates encryption keys in insecure channels (where data points are unfamiliar with the credentials of each other) by implementing ECDH — ECDSA and Ephemeral Key. ECDH — ECDSA are a class of cryptographic algorithms which come under what is known as Elliptic Curve Cryptography. TSP also uses AES (Advanced Encryption Standard) to ensure that even if the message is intercepted, the attacker wouldn’t be able to read it. In addition to this, a set of hash algorithms, such as HMAC, SHA2 and Keccak, are deployed so that in case the attacker is able to alter the data, the message would be automatically ignored. In some instances, although the attacker is unable to decode the message, he might still be able to acquire some statistical feature information from it. TSP safeguards against this through a combination of different techniques, such as using a public symmetric encryption key, adding random data to the transmitted message, and encrypting the information part (such as the frame byte of the data packet). Moreover, the likelihood of an encryption key being deciphered increases with multiple usages. TSP avoids any such risks by automatically renegotiating the encryption key after the connection transmits a certain length of data.
2. Man-in-the-middle Attack (MITM)
In MITM, the attacker actually pretends to be one of the communicating parties and intercepts the communication. In 2018, well known hardware wallet manufacturer Ledger became the victim of MITM attacks. A piece of malware that made its way into the user’s computer would simply modify the “Bitcoin receive address” as displayed on the Ledger Wallet app. The satoshis that were supposed to make their way to the user’s wallet ended up being directed to the attacker’s public address instead. TSP protects against MITM attacks by using ECDH (or Elliptic-Curve Diffie–Hellman), a key agreement protocol that allows two parties to establish a shared secret communication over an insecure channel. This makes it possible for the identities of both parties to be verified before any data is transmitted. Through ECDH, each of these parties generates an elliptic-curve public-private key pair. As long as this private key is not exposed, MITM attacks can be prevented.
Protocol Simulation Scheme
A distinct feature of TSP is the Protocol Simulation Scheme, which allows Tachyon to simulate well known communication protocols, such as UDP, TCP, HTTP, HTTPS, FTP and SMTP. So while Tachyon encrypts data packets using its own TBU protocol stack (discussed in our last article), anyone who intercepts this data would assume that the data belongs to the communication protocol being simulated. Through Protocol Simulation, TSP guarantees that the real content of the communication is concealed, in order to avoid unwarranted interception and exposure of information. It also fools firewalls and other third party applications into letting Tachyon data flow unhindered — a feature that is really useful in Tachyon’s VPN application. Today, HTTP/HTTPS is the most commonly used communication protocol in the World Wide Web. However, in most cases, the data that is transmitted is completely unencrypted, which makes it vulnerable to hacking.
Moreover, HTTP-based communication checks neither the identity of the node with which communication is being established, nor the integrity of the message being transmitted. In the case of Tachyon, not only is the data encrypted at multiple levels, but the nature of the data packet is concealed as well. For example, in the case of SMTP simulation, the data will resemble an ordinary e-mail; while in the case of HTTPS simulation, the data traffic will appear as if the user is visiting a website such as Google or BBC News.
What's this? I don't make a Technical post for a month and now BitPay is censoring the Hong Kong Free Press? Shit I'm sorry, it's all my fault for not posting a Technical post regularly!! Now posting one so that we have a censorship-free Bitcoin universe! Pay-to-contract and sign-to-contract are actually cryptographic techniques to allow you to embed a commitment in a public key (pay-to-contract) or signature (sign-to-contract). This commitment can be revealed independently of the public key / signature without leaking your private key, and the existence of the commitment does not prevent you from using the public key / signature as a normal pubkey/signature for a normal digital signing algorithm. Both techniques utilize elliptic curve homomorphism. Let's digress into that a little first.
Elliptic Curve Homomorphism
Let's get an oversimplified view of the maths involved first. First, we have two "kinds" of things we can compute on.
One kind is "scalars". These are just very large single numbers. Traditionally represented by small letters.
The other kind is "points". These are just pairs of large numbers. Traditionally represented by large letters.
Now, an "Elliptic Curve" is just a special kind of curve with particular mathematical properties. I won't go into those properties, for the very reasonable reason that I don't actually understand them (I'm not a cryptographer, I only play one on reddit!). If you have an Elliptic Curve, and require that all points you work with are on some Elliptic Curve, then you can do these operations.
Add, subtract, multiply, and divide scalars. Remember, scalars are just very big numbers. So those basic mathematical operations still work on big numbers, they're just big numbers.
"Multiply" a scalar by a point, resulting in a point. This is written as a * B, where a is the scalar and B is a point. This is not just multiplying the scalar to the point coordinates, this is some special Elliptic Curve thing that I don't understand either.
"Add" two points together. This is written as A + B. Again, this is some special Elliptic Curve thing.
The important part is that if you have:
A = a * G
B = b * G
Q = A + B
q = a + b
Q = q * G
That is, if you add together two points that were each derived from multiplying an arbitrary scalar with the same point (G in the above), you get the same result as adding the scalars together first and then multiplying their sum with that same point. Or:
a * G + b * G = (a + b) * G
And because multiplication is just repeated addition, the same concept applies when multiplying:
a * (b * G) = (a * b) * G = (b * a) * G = b * (a * G)
Something to note in particular is that there are few operations on points. One operation that's missing is "dividing" a point by a point to yield a scalar. That is, if you have:
A = a * G
Then, if you know A but don't know the scalar a, you can't do the below:
a = A / G
You can't get a even if you know both the points A and G. In Elliptic Curve Cryptography, scalars are used as private keys, while points are used as public keys. This is particularly useful since if you have a private key (scalar), you can derive a public key (point) from it (by multiplying the scalar with a certain standard point, which we call the "generator point", traditionally G). But there is no reverse operation to get the private key from the public key.
Let's have another mild digression. Sometimes, you want to "commit" to something that you want to keep hidden for now. This is actually important in some games and so on. For example, if you are playing a game of Twenty Questions, one player must first write the object they are thinking of, then fold or hide it in such a way that what they wrote is not visible. Then, after the guessing player has asked twenty questions to narrow down what the object is and has revealed what he or she thinks the object being guessed was, the guessee reveals the object by unfolding and showing the paper. The act of writing down commits you to the specific thing you wrote down. Folding the paper and/or hiding it, err, hides what you wrote down. Later, when you unfold the paper, you reveal your commitment. The above is the analogy to the development of cryptographic commitments.
First you select some thing --- it could be anything, a song, a random number, a promise to deliver products and services, the real identity of Satoshi Nakamoto.
You commit to it by giving it as input to a one-way function. A one-way function is a function which allows you to get an output from an input, but after you perform that there is no way to reverse it and determine the original input knowing only the final output. Hash functions like SHA are traditionally used as one-way functions. As a one-way function, this hides your original input.
You give the commitment (the output of the one-way function given your original input) to whoever wants you to commit.
Later, when somebody demands to show what you committed to (for example after playing Twenty Questions), you reveal the commitment by giving the original input to the one-way function (i.e. the thing you selected in the first step, which was the thing you wanted to commit to).
Whoever challenged you can verify your commitment by feeding your supposed original input to the same one-way function. If you honestly gave the correct input, then the challenger will get the output that you published above in step 3.
Now, sometimes there are only a few possible things you can select from. For example, instead of Twenty Questions you might be playing a Coin Toss Guess game. Suppose, for example, that I am the guesser and you the guessee. You select either "heads" or "tails" and put it in a commitment which you hand over to me. Then, I say "heads" or "tails" and have you reveal your commitment. If I guessed correctly I win, if not you win. Unfortunately, if we were to just use a one-way function like an SHA hash function, it would be very trivial for me to win. All I would need to do would be to try passing "heads" and "tails" to the one-way function and see which one matches the commitment you gave me. Then I can very easily find out what your committed value was, winning the game consistently. In hacking, this can be made easier by making Rainbow Tables, and is precisely the technique used to derive passwords from password databases containing hashes of the passwords. The way to solve this is to add a salt. This is basically just a large random number that we prepend (or append, order doesn't matter) to the actual value you want to commit to. This means that not only do I have to feed "heads" or "tails", I also have to guess the large random number (the salt). If the possible space of large random numbers is large enough, this prevents me from being able to peek at your committed data. The salt is sometimes called a blinding factor.
Hiding commitments in pubkeys!
Pay-to-contract allows you to publish a public key, whose private key you can derive, while also being a cryptographic commitment. In particular, your private key is also used to derive a salt. The key insight here is to realize that "one-way function" is not restricted to hash functions like SHA. The operation below is an example of a one-way function too:
h(a) = a * G
This results in a point, but once the point (the output) is known, it is not possible to derive the input (the scalar a above). This is of course restricted to having the input be a scalar only, instead of an arbitrary-length message, but you can add a hash function (which can accept an arbitrary-length input) and then make its output (a fixed-length scalar) as the scalar to use. First, pay-to-contract requires you to have a public and private keypair.
; p is private key
P = p * G ; P is now public key
Then, you have to select a contract. This is just any arbitrary message containing any arbitrary thing (it could be an object for Twenty Questions, or "heads" or "tails" for Coin Toss Guessing). Traditionally, this is symbolized as the small letter s. In order to have a pay-to-contract public key, you need to compute the below from your public key P (called the internal public key; by analogy the private key p is the internal private key):
Q = P + h(P | s) * G
"h()" is any convenient hash function, which takes anything of arbitrary length, and outputs a scalar, which you can multiply by G. The syntax "P | s" simply means that you are prepending the point P to the contract s. The cute thing is that P serves as your salt. Any private key is just an arbitrary random scalar. Multiplying the private key by the generator results in an arbitrary-seeming point. That random point is now your salt, which makes this into a genuine bonafide hiding cryptographic commitment! Now Q is a point, i.e. a public key. You might be interested in knowing its private key, a scalar. Suppose you postulate the existence of a scalar q such that:
Q = q * G
Then you can do the below:
Q = P + h(P | s) * G
Q = p * G + h(P | s) * G
Q = (p + h(P | s)) * G
Then we can conclude that:
q = p + h(P | s)
Of note is that somebody else cannot learn the private key q unless they already know the private key p. Knowing the internal public key P is not enough to learn the private key q. Thus, as long as you are the only one who knows the internal private key p, and you keep it secret, then only you can learn the private key q that can be used to sign with the public key Q (that is also a pay-to-contract commitment). Now Q is supposed to be a commitment, and once somebody else knows Q, they can challenge you to reveal your committed value, the contract s. Revealing the pay-to-contract commitment is done by simply giving the internal public key P (which doubles as the salt) and the committed value contract s. The challenger then simply computes:
P + h(P | s) * G
And verifies that it matches the Q you gave before. Some very important properties are:
If you reveal first, then you still remain in sole control of the private key. This is because revelation only shows the internal public key and the contract, neither of which can be used to learn the internal private key. So you can reveal and sign in any order you want, without precluding the possibility of performing the other operation in the future.
If you sign with the public key Q first, then you do not need to reveal the internal public key P or the contract s. You can compute q simply from the internal private key p and the contract s. You don't even need to pass those in to your signing algorithm, it could just be given the computed q and the message you want to sign!
Anyone verifying your signature using the public key Q is unaware that it is also used as a cryptographic commitment.
Another property is going to blow your mind:
You don't have to know the internal private key p in order to create a commitment pay-to-contract public key Q that commits to a contract s you select.
Q = P + h(P | s) * G
The above equation for Q does not require that you know the internal private key p. All you need to know is the internal public key P. Since public keys are often revealed publicly, you can use somebody else's public key as the internal public key in a pay-to-contract construction. Of course, you can't sign for Q (you need to know p to compute the private key q) but this is sometimes an interesting use. The original proposal for pay-to-contract was that a merchant would publish their public key, then a customer would "order" by writing the contract s with what they wanted to buy. Then, the customer would generate the public key Q (committing to s) using the merchant's public key as the internal public key P, then use that in a P2PKH or P2WPKH. Then the customer would reveal the contract s to the merchant, placing their order, and the merchant would now be able to claim the money. Another general use for pay-to-contract is publishing a commitment on the blockchain without using an OP_RETURN output. Instead, you just move some of your funds to yourself, using your own public key as the internal public key, then selecting a contract s that commits or indicates what you want to anchor onchain. This should be the preferred technique rather than OP_RETURN. For example, colored coin implementations over Bitcoin usually used OP_RETURN, but the new RGB colored coin technique uses pay-to-contract instead, reducing onchain bloat.
Pay-to-contract is also used in the nice new Taproot concept. Briefly, taproot anchors a Merkle tree of scripts. The root of this tree is the contract s committed to. Then, you pay to a SegWit v1 public key, where the public key is the Q pay-to-contract commitment. When spending a coin paying to a SegWit v1 output with a Taprooted commitment to a set of scripts s, you can do one of two things:
Sign directly with the key. If you used Taproot, use the commitment private key q.
Reveal the commitment, then select the script you want to execute in the Merkle tree of scripts (prove the Merkle tree path to the script). Then satisfy the conditions of the script.
Taproot utilizes the characteristics of pay-to-contract:
If you reveal first, then you still remain in sole control of the private key.
This is important if you take the Taproot path and reveal the commitment to the set of scripts s. If your transaction gets stalled on the mempool, others can know your commitment details. However, revealing the commitment will not reveal the internal private key p (which is needed to derive the commitment private key q), so nobody can RBF out your transaction by using the sign-directly path.
If you sign with the public key Q first, then you do not need to reveal the internal public key P or the contract s.
This is important for privacy. If you are able to sign with the commitment public key, then that automatically hides the fact that you could have used an alternate script s instead of the key Q.
Anyone verifying your signature using the public key Q is unaware that it is also used as a cryptographic commitment.
Again, privacy. Fullnodes will not know that you had the ability to use an alternate script path.
Taproot is intended to be deployed with the switch to Schnorr-based signatures in SegWit v1. In particular, Schnorr-based signatures have the following ability that ECDSA cannot do except with much more difficulty:
It is possible to generate a single public key that cannot be signed for, except by the agreement of multiple signers who each contribute part of the public key. I.e. this is MuSig, which allows creating an n-of-n signing group that has a single public key.
As public keys can, with Schnorr-based signatures, easily represent an n-of-n signing set, the internal public key P can also actually be a MuSig n-of-n signing set. This allows for a number of interesting protocols, which have a "good path" that will be private if that is taken, but still have fallbacks to ensure proper execution of the protocol and prevent attempts at subverting the protocol.
Escrow Under Taproot
Traditionally, escrow is done with a 2-of-3 multisignature script. However, by use of Taproot and pay-to-contract, it's possible to get more privacy than traditional escrow services. Suppose we have a buyer, a seller, and an escrow service. They have keypairs B = b * G, S = s * G, and E = e * G. The buyer and seller then generate a Taproot output (which the buyer will pay to before the seller sends the product). The Taproot itself uses an internal public key that is the 2-of-2 MuSig of B and S, i.e. MuSig(B, S). Then it commits to a pair of possible scripts:
Release to a 2-of-2 MuSig of seller and escrow. This path is the "escrow sides with seller" path.
Release to a 2-of-2 MuSig of buyer and escrow. This path is the "escrow sides with buyer" path.
Now of course, the escrow also needs to learn what the transaction was supposed to be about. So what we do is that the escrow key is actually used as the internal public key of another pay-to-contract, this time with the script s containing the details of the transaction. For example, if the buyer wants to buy some USD, the contract could be "Purchase of 50 pieces of United States Federal Reserve Green Historical Commemoration papers for 0.357 satoshis". This takes advantage of the fact that the committer need not know the private key behind the public key being used in a pay-to-contract commitment. The actual transaction it is being used for is committed to onchain, because the public key published on the blockchain ultimately commits (via a taproot to a merkle tree to a script containing a MuSig of a public key modified with the committed contract) to the contract between the buyer and seller. Thus, the cases are:
Buyer and seller are satisfied, and cooperatively create a signature that spends the output to the seller.
The escrow service never learns it could have been an escrow. The details of their transaction remain hidden and private, so the buyer is never embarrassed over being so tacky as to waste their hard money buying USD.
The buyer and seller disagree (the buyer denies having received the goods in proper quality).
They contact the escrow, and reveal the existence of the onchain contract, and provide the data needed to validate just what, exactly, the transaction was supposed to be about. This includes revealing the "Purchase of 50 pieces of United States Federal Reserve Green Historical Commemoration papers for 0.357 satoshis", as well as all the data needed to validate up to that level. The escrow then investigates the situation and then decides in favor of one or the other. It signs whatever transaction it decides (either giving it to the seller or buyer), and possibly also extracts an escrow fee.
Smart Contracts Unchained
Developed by ZmnSCPxj here: https://zmnscpxj.github.io/bitcoin/unchained.html A logical extension of the above escrow case is to realize that the "contract" being given to the escrow service is simply some text that is interpreted by the escrow, and which is then executed by the escrow to determine where the funds should go. Now, the language given in the previous escrow example is English. But nothing prevents the contract from being written in another language, including a machine-interpretable one. Smart Contracts Unchained simply makes the escrow service an interpreter for some Smart Contract scripting language. The cute thing is that there still remains an "everything good" path where the participants in the smart contract all agree on what the result is. In that case, with Taproot, there is no need to publish the smart contract --- only the participants know, and nobody else has to. This is an improvement in not only privacy, but also blockchain size --- the smart contract itself never has to be published onchain, only the commitment to it is (and that is embedded in a public key, which is necessary for basic security on the blockchain anyway!).
Hiding commitments in signatures!
Sign-to-contract is something like the dual or inverse of pay-to-contract. Instead of hiding a commitment in the public key, it is hidden in the signature. Sign-to-contract utilizes the fact that signatures need to have a random scalar r which is then published as the point R = r * G. Similarly to pay-to-contract, we can have an internal random scalar p and internal point P that is used to compute R:
R = P + h(P | s) * G
The corresponding random scalar r is:
r = p + h(P | s)
The signing algorithm then uses the modified scalar r. This is in fact just the same method of commitment as in pay-to-contract. The operations of committing and revealing are the same. The only difference is where the commitment is stored. Importantly, however, is that you cannot take somebody else's signature and then create an alternate signature that commits to some s you select. This is in contrast with pay-to-contract, where you can take somebody else's public key and then create an alternate public key that commits to some s you select. Sign-to-contract is somewhat newer as a concept than pay-to-contract. It seems there are not as many applications of pay-to-contract yet.
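As an added example (not the post's own code), here are the pay-to-contract commit/open steps from the "Hiding commitments in pubkeys!" section and the sign-to-contract variant just described, which stores the same commitment in a Schnorr nonce, worked on secp256k1 in plain Python. Assumptions of this example: h(P | s) is SHA-256 over the 64-byte point followed by the contract, the Schnorr form is the textbook one rather than BIP340, and the internal nonce p is derived from the key, the message and the contract rather than from the message alone.

```python
import hashlib

# secp256k1 (Bitcoin's curve); plain-Python arithmetic, fine for a demo, not for production
P_MOD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(A, B):
    """The page's 'A + B'; None stands for the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def point_mul(k, A):
    """The page's 'a * G', by double-and-add."""
    R = None
    k %= N
    while k:
        if k & 1:
            R = point_add(R, A)
        A = point_add(A, A)
        k >>= 1
    return R


def scalar(*parts):
    """SHA-256 of the concatenated byte strings, reduced to a scalar mod N."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N


def point_bytes(A):
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")


def h(P, s):
    """h(P | s) from the page: the point prepended to the contract, hashed to a scalar."""
    return scalar(point_bytes(P), s)


# --- pay-to-contract: the commitment lives in the public key ---
def p2c_pubkey(P, s):
    """Q = P + h(P | s) * G; needs only the internal *public* key P."""
    return point_add(P, point_mul(h(P, s), G))


def p2c_privkey(p, s):
    """q = p + h(P | s); only the holder of the internal private key p can compute it."""
    return (p + h(point_mul(p, G), s)) % N


def p2c_open(Q, P, s):
    """Challenger's check once the committer reveals the salt P and the contract s."""
    return p2c_pubkey(P, s) == Q


# --- sign-to-contract: the same commitment, stored in the signature's nonce R ---
def challenge(R, X, msg):
    return scalar(point_bytes(R), point_bytes(X), msg)


def s2c_sign(x, msg, s):
    """Textbook Schnorr (not BIP340) whose nonce R = P + h(P | s) * G commits to s.
    Returns (signature, P); P and s are the opening data to keep for later.
    Assumption of this example: p comes from key, message AND contract, so signing the
    same message under two contracts never shares p (the R-reuse problem the page warns of).
    """
    p = scalar(x.to_bytes(32, "big"), msg, s)
    P = point_mul(p, G)
    r = (p + h(P, s)) % N                      # r = p + h(P | s), as on the page
    R = point_mul(r, G)
    e = challenge(R, point_mul(x, G), msg)
    return (R, (r + e * x) % N), P


def schnorr_verify(X, msg, signature):
    """Ordinary verification, sig * G == R + e * X; it never sees the commitment."""
    R, sig = signature
    return point_mul(sig, G) == point_add(R, point_mul(challenge(R, X, msg), X))


def demo():
    # Constructed keys, message and contract; returns the checks worth looking at.
    s = b"Purchase of 50 pieces of United States Federal Reserve Green Historical Commemoration papers for 0.357 satoshis"
    p = scalar(b"internal private key (constructed)")
    P = point_mul(p, G)
    Q = p2c_pubkey(P, s)                       # anyone holding only P can build this
    q = p2c_privkey(p, s)                      # only the holder of p can
    x = scalar(b"signing key (constructed)")
    msg = b"transaction bytes (constructed)"
    sig, P_nonce = s2c_sign(x, msg, s)
    return {
        "q_signs_for_Q": point_mul(q, G) == Q,
        "p2c_opens": p2c_open(Q, P, s),
        "p2c_rejects_other_contract": not p2c_open(Q, P, b"some other contract"),
        "schnorr_valid": schnorr_verify(point_mul(x, G), msg, sig),
        "s2c_opens": p2c_open(sig[0], P_nonce, s),   # R opens exactly like Q
    }
```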
Sign-to-contract can be used, like pay-to-contract, to publish commitments onchain. The difference is below:
Signatures are attached to transaction inputs.
Public keys are attached to transaction outputs.
One possible use is in a competitor to Open Timestamps. Open Timestamps currently uses OP_RETURN to commit to a Merkle Tree root of commitments aggregated by an Open Timestamps server. Instead of using such an OP_RETURN, individual wallets can publish a timestamped commitment by making a self-paying transaction, embedding the commitment inside the signature for that transaction. Such a feature can be added to any individual wallet software. https://blog.eternitywall.com/2018/04/13/sign-to-contract/ This does not require any additional infrastructure (i.e. no aggregating servers like in Open Timestamps).
R Reuse Concerns
ECDSA and Schnorr-based signature schemes are vulnerable to something called "R reuse". Basically, if the same R is used for different messages (transactions) with the same public key, a third party with both signatures can compute the private key. This is especially concerning if the signing algorithm is executed in an environment with insufficient entropy. By complete accident, the environment might yield the same random scalar r in two different runs. Combined with address reuse (which implies public key reuse) this can leak the private key inadvertently. For example, most hardware wallets will not have any kind of entropy at all. The usual solution to this, instead of selecting an arbitrary random r (which might be impossible in limited environments with no available entropy), is to hash the message and use the hash as the r. This ensures that if the same public key is used again for a different message, then the random r is also different, preventing reuse entirely. Of course, if you are using sign-to-contract, then you can't use the above "best practice". It seems to me plausible that computing the internal random scalar p using the hash of the message (transaction) should work, then adding the commitment on top of that. However, I'm not an actual cryptographer, I just play one on Reddit. Maybe apoelstra or pwuille can explain in more detail. Copyright 2019 Alan Manuel K. Gloria. Released under CC-BY.
I'm writing a series about blockchain tech and possible future security risks. This is the third part of the series introducing Quantum resistant blockchains.
Part 1 and part 2 will give you useful basic blockchain knowledge that is not explained in this part. Part 1 here Part 2 here
Quantum resistant blockchains explained.
- How would quantum computers pose a threat to blockchain?
- Expectations in the field of quantum computer development.
- Quantum resistant blockchains
- Why is it easier to change cryptography for centralized systems such as banks and websites than for blockchain?
- Conclusion
The fact that whatever is registered on a blockchain can’t be tampered with is one of the great reasons for the success of blockchain. Looking ahead, awareness is growing in the blockchain ecosystem that quantum computers might cause the need for some changes in the cryptography that is used by blockchains to prevent hackers from forging transactions.
How would quantum computers pose a threat to blockchain?
First, let’s get a misconception out of the way. When talking about the risk quantum computers could pose for blockchain, some people think about the risk of quantum computers out-hashing classical computers. This, however, is not expected to pose a real threat when the time comes. This paper explains why: https://arxiv.org/pdf/1710.10377.pdf "In this section, we investigate the advantage a quantum computer would have in performing the hashcash PoW used by Bitcoin. Our findings can be summarized as follows: Using Grover search, a quantum computer can perform the hashcash PoW by performing quadratically fewer hashes than is needed by a classical computer. However, the extreme speed of current specialized ASIC hardware for performing the hashcash PoW, coupled with much slower projected gate speeds for current quantum architectures, essentially negates this quadratic speedup, at the current difficulty level, giving quantum computers no advantage. Future improvements to quantum technology allowing gate speeds up to 100GHz could allow quantum computers to solve the PoW about 100 times faster than current technology.
However, such a development is unlikely in the next decade, at which point classical hardware may be much faster, and quantum technology might be so widespread that no single quantum enabled agent could dominate the PoW problem." The real point of vulnerability is this: attacks on signatures wherein the private key is derived from the public key. That means that if someone has your public key, they can also calculate your private key, which is unthinkable using even today’s most powerful classical computers. So in the days of quantum computers, the public-private keypair will be the weak link. Quantum computers have the potential to perform specific kinds of calculations significantly faster than any normal computer. Besides that, quantum computers can run algorithms that take fewer steps to get to an outcome, taking advantage of quantum phenomena like quantum entanglement and quantum superposition. So quantum computers can run certain algorithms that could be used to make calculations that can crack cryptography used today. https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Quantum_computing_attacks and https://eprint.iacr.org/2017/598.pdf Most blockchains use Elliptic Curve Digital Signature Algorithm (ECDSA) cryptography. Using a quantum computer, Shor's algorithm can be used to break ECDSA. (See for reference: https://arxiv.org/abs/quant-ph/0301141 and pdf: https://arxiv.org/pdf/quant-ph/0301141.pdf ) Meaning: they can derive the private key from the public key. So if they got your public key (and a quantum computer), then they got your private key and they can create a transaction and empty your wallet. RSA has the same vulnerability, although RSA will need a stronger quantum computer to be broken than ECDSA. At this point in time, it is already possible to run Shor’s algorithm on a quantum computer. However, the amount of qubits available right now makes its application limited.
But it has been proven to work, we have exited the era of pure theory and entered the era of practical applications:
2001: First execution of Shor's algorithm at IBM's Almaden Research Center and Stanford University. The paper here: (Experimental realization of Shor's quantum factoring algorithm using nuclear magnetic resonance Lieven M. K. Vandersypen, https://arxiv.org/abs/quant-ph/0112176 )
So far Shor's algorithm has the most potential, but new algorithms might appear which are more efficient. Algorithms are another area of development that makes progress and pushes quantum computer progress forward. A new algorithm called Variational Quantum Factoring is being developed and it looks quite promising. "The advantage of this new approach is that it is much less sensitive to error, does not require massive error correction, and consumes far fewer resources than would be needed with Shor’s algorithm. As such, it may be more amenable for use with the current NISQ (Noisy Intermediate Scale Quantum) computers that will be available in the near and medium term." https://quantumcomputingreport.com/news/zapata-develops-potential-alternative-to-shors-factoring-algorithm-for-nisq-quantum-computers/ It is however still in development, and only works for 18 binary bits at the time of this writing, but it shows new developments that could mean that, rather than a speedup in quantum computing development posing the most imminent threat to RSA and ECDSA, a speedup in the mathematical developments could be even more consequential. More info on VQF here: https://arxiv.org/abs/1808.08927 It all comes down to this: when your public key is visible, which is always necessary to make transactions, you are at some point in the future vulnerable to quantum attacks. (This also goes for BTC, which uses the hash of the public key as an address, but more on that in the following articles.) If you would have keypairs based on post quantum cryptography, you would not have to worry about that since in that case not even a quantum computer could derive your private key from your public key. The conclusion is that future blockchains should be quantum resistant, using post-quantum cryptography. It’s very important to realize that post quantum cryptography is not just adding some extra characters to standard signature schemes.
It’s the mathematical concept that makes it quantum resistant. to become quantm resistant, the algorithm needs to be changed. “The problem with currently popular algorithms is that their security relies on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems can be easily solved on a sufficiently powerful quantum computer running Shor's algorithm. Even though current, publicly known, experimental quantum computers lack processing power to break any real cryptographic algorithm, many cryptographers are designing new algorithms to prepare for a time when quantum computing becomes a threat.” https://en.wikipedia.org/wiki/Post-quantum_cryptography Expectations in the field of quantum computer development. To give you an idea what the expectations of quantum computer development are in the field (Take note of the fact that the type and error rate of the qubits is not specified in the article. It is not said these will be enough to break ECDSA or RSA, neither is it said these will not be enough. What these articles do show, is that a huge speed up in development is expected.):
When will ECDSA be at risk?

Estimates are only estimates; there are several to be found, so it's hard to really tell. The National Academy of Sciences (NAS) has made a very thorough report on the development of quantum computing. The report came out at the end of 2018. They brought together a group of over 70 scientists from different interconnecting fields in quantum computing who, as a group, have come up with a close to 200-page report on the development, funding, implications and upcoming challenges for quantum computing development. But even though this report is one of the most thorough to date, it doesn't make an estimate on when the risk for ECDSA or RSA would occur. They acknowledge this is quite impossible due to the fact that there are a lot of unknowns and that they have to base any findings only on publicly available information, obviously excluding any non-available advancements from commercial companies and national efforts.

So if this group of specialized scientists can’t make an estimate, who can make that assessment? Is there any credible source to make an accurate prediction? The conclusion at this point in time can only be that we do not know the answer to the big question "when".

Now if we don't have an answer to the question "when", then why act? The answer is simple. If we’re talking about security, most take certainty over uncertainty. To answer the question when the threat materializes, we need to guess. Whether you guess soon, or you guess not for the next three decades, both are guesses. Going for certainty means you'd have to plan for the worst and hope for the best. No matter how sceptical you are, having some sort of a plan ready is a responsible thing to do. Obviously not if you're just running a blog about knitting. But for systems that carry a lot of important, private and valuable information, planning starts today. The NAS describes it quite well. What they lack in guessing, they make up in advice.
They have a very clear advice:
"Even if a quantum computer that can decrypt current cryptographic ciphers is more than a decade off, the hazard of such a machine is high enough—and the time frame for transitioning to a new security protocol is sufficiently long and uncertain—that prioritization of the development, standardization, and deployment of post-quantum cryptography is critical for minimizing the chance of a potential security and privacy disaster."
Another organization that looks ahead is the National Security Agency (NSA). They made a threat assessment in 2015. In August 2015, the NSA announced that it is planning to transition "in the not too distant future" (statement of 2015) to a new cipher suite that is resistant to quantum attacks. "Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy." The NSA advised: "For those partners and vendors that have not yet made the transition to Suite B algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.” https://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography#cite_note-nsa-suite-b-1

What these organizations both advise is to start taking action. They don't say "implement this type of quantum resistant cryptography now". They don't say when at all. As said before, the "when" question is a hard one to specify. It depends on the system you have, the value of the data, the consequences of postponing a security upgrade. Like I said before: do you just run a blog, or a bank, or a cryptocurrency? It's an individual risk assessment that's different for every organization and system. Assessments do need to be made now though. What time frame should organisations think about when changing cryptography? How long would it take to go from the current level of security to fully quantum resistant security? What changes does it require to handle bigger signatures, and is it possible to use certain types of cryptography that require keeping state? Do your users need to act, or can all work be done behind the user interface? These are important questions that one should start asking. I will elaborate on these challenges in the next articles.
Besides the unanswered question on "when", the question on what type of quantum resistant cryptography to use is unanswered too. This also depends on the type of system you use. The NSA and NAS both point to NIST as the authority on developments and standardization of quantum resistant cryptography. NIST is running a competition right now that should end up in one or more standards for quantum resistant cryptography. The NIST competition handles criteria that should filter out a type of quantum resistant cryptography that is feasible for a wide range of systems. This takes time though. There are some new algorithms submitted, and assessing the new and the more well-known ones must be done thoroughly. They intend to wrap things up around 2022 - 2024.

From a blockchain perspective it is important to notice that a specific type of quantum resistant cryptography is excluded from the NIST competition: Stateful Hash-Based Signatures (LMS and XMSS). This is not because these are no good. In fact they are excellent, and XMSS is accepted to be provably quantum resistant. It's due to the fact that implementations will need to be able to securely deal with the requirement to keep state. And this is not a given for most systems. At this moment NIST intends to approve both LMS and XMSS for a specific group of applications that can deal with the stateful properties. The only loose end at this point is advice on which applications LMS and XMSS will be recommended for and for which applications they are discouraged. These questions will be answered in the beginning of April this year: https://csrc.nist.gov/news/2019/stateful-hbs-request-for-public-comments This means that quite likely LMS and XMSS will be the first type of standardized quantum resistant cryptography ever. To give a small hint: keeping state is pretty much a naturally added property of blockchain.
Quantum resistant blockchains

“Quantum resistant” is only used to describe networks and cryptography that are secure against any attack by a quantum computer of any size, in the sense that there is no algorithm known that makes it possible for a quantum computer to break the applied cryptography and thus that system. Also, to determine if a project is fully quantum resistant, you would need to take into account not only whether a separate element that is implemented in that blockchain is quantum resistant, but also the way it is implemented. As with any type of security check, there should be no backdoors, in which case your blockchain would be just a cardboard box with bulletproof glass windows. Sounds obvious, but since this is kind of new territory, there are still some misconceptions. What is considered safe now might not be safe in the age of quantum computers. I will address some of these in the following chapters, but first I will elaborate a bit about the special vulnerability of blockchain compared to centralized systems.

Why is it easier to change cryptography for centralized systems such as banks and websites than for blockchain?

Developers of a centralized system can decide from one day to the next that they make changes and update the system without the need for consensus from the nodes. They are in charge, and they can dictate the future of the system. But a decentralized blockchain will need to reach consensus amongst the nodes to update. Meaning that the majority of the nodes will need to upgrade and thus force the blockchain to only accept the new signatures as valid. We can’t have the old signature scheme be valid besides the new quantum resistant signature scheme, because that would mean that the blockchain would still allow the use of vulnerable old public and private keys and thus the old vulnerable signatures for transactions.
So at least the majority of the nodes need to upgrade to make sure that blocks which are constructed using the old rules, and thus the old vulnerable signature scheme, are rejected by the network. This will eventually result in a fully upgraded network which only accepts the new post-quantum signature scheme in transactions. So, consensus is needed. The most well-known example of how that can be a slow process is Bitcoin’s need to scale. Even though everybody agrees on the need for a certain result, reaching consensus amongst the community on how to get to that result is a slow and political process. Going quantum resistant will be no different, and since it will cause lower performance due to bigger signatures and will quite likely need hardware upgrades, it will be postponed rather than be done fast and smooth due to lack of consensus. And because there are several quantum resistant signature schemes to choose from, agreement is not an automatic given. The discussion will be which one to use, and how and when to implement it. The need for consensus is exclusively a problem decentralized systems like blockchain will face.

Another issue for decentralized systems that change their signature scheme is that users of decentralized blockchains will have to manually migrate their coins/tokens to a quantum safe address and that way decouple their old private key and activate a new quantum resistant private key that is part of an upgraded quantum resistant network. Users of centralized networks, on the other hand, do not need to do much, since it would be taken care of by their centrally managed system. As you know, for example, if you forget the password of your online bank account, or some website, they can always send you a link, or a secret question, or in the worst case they can send you mail by post to your home address and you would be back in business. With decentralized systems, there is no centralized entity who has your data.
It is you who has this data, and only you. So in the centralized system there is a central entity who has access to all the data, including all the private access data, and therefore this entity can pull all the strings. It can all be done behind your user interface, and you probably wouldn’t notice a thing.

And a third issue will be the lost addresses. Since no one but you has access to your funds, your funds will become inaccessible once you lose your private key. From that point, an address is lost, and the funds on that address can never be moved. So after an upgrade, those funds will never be moved to a quantum resistant address, and thus will always be vulnerable to a quantum hack.

To summarize: banks and websites are centralized systems; they will face challenges, but decentralized systems like blockchain will face some extra challenges that won't apply to centralized systems.
Updating the signature scheme will need consensus in the sense that all nodes need to update after implementation of a quantum resistant signature scheme.
Users of blockchain will personally need to move their funds from old addresses to new quantum resistant addresses. You won't need to move your bank funds.
Lost addresses where people lost access to their funds will never be moved and stay vulnerable to quantum hacks. A blockchain doesn't know its users, can't communicate with them and won't be able to distinguish coins on lost addresses from coins of users who still have access but somehow have not migrated their coins after a quantum resistant update. So burning lost coins will legally be a big issue.
/u/igadjeed on Using my Bitcoin wallet to sign messages using OpenSSL
Bitcoin Core still has a message signing function. The simplest approach would be to copy the C++ code for message signing and verification from Core and make your minor changes.

OpenSSL expects to read keys in ASN.1 format. Make a key:

openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve -outform pem -out ecdsa.pem

The key:

-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgZa5q6NrWzR6B56mI
waDL9Fi8nCOII+hwnkqTehbebPqhRANCAAStY0pj0OIu/1JsTe1c2EoVaKs5pG3R
JPTLxHD/1/lKSIwwmC4mlrrVFRy6+iptnqFVGQSL180xvrN6Vq21zyok
-----END PRIVATE KEY-----

Use asn1parse to peek inside:

openssl asn1parse

17:d=2 hl=2 l= 8 prim: OBJECT :prime256v1
27:d=1 hl=2 l= 109 prim: OCTET STRING [HEX DUMP]:306B020101042065AE6AE8DAD6CD1E81E7A988C1A0CBF458BC9C238823E8709E4A937A16DE6CFAA14403420004AD634A63D0E22EFF526C4DED5CD84A1568AB39A46DD124F4CBC470FFD7F94A488C30982E2696BAD5151CBAFA2A6D9EA15519048BD7CD31BEB37A56ADB5CF2A24

That's helpful, and there are better ASN.1 parsers available which display the 32-byte private key and the 65-byte public key separately, and display the byte values of the meta data fields.

Now, to the question. We have a bunch of 32-byte private keys stored in a Bitcoin wallet and we would like to put them into ASN.1 format so we can use openssl commands to sign a message with a wallet key and then verify the message signature. This appears to be possible, but it is impossible to find examples. This discussion: https://security.stackexchange.com/questions/29786/generating-private-key-from-hex-string-with-openssl suggests using the -genconf option with "openssl asn1parse". This makes asn1parse into a builder of ASN.1 files, as well as a parser. You still have work to do, to work out the correct values for each element of the genconf file. If it works as claimed, you should be able to create a key which is in the correct format for using openssl to sign messages.

igadjeed
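The step igadjeed describes (wrapping a raw 32-byte wallet key in the ASN.1 structures OpenSSL reads) can be done without -genconf by emitting the DER directly. The following is an added example, not igadjeed's code and not Bitcoin Core's; it assumes the key is a secp256k1 scalar (Bitcoin's curve, whereas the key above is P-256) and produces both the RFC 5915 ECPrivateKey ("EC PRIVATE KEY") and the RFC 5958 PKCS#8 wrapper ("PRIVATE KEY", the layout of the dump above, where the inner ECPrivateKey omits the curve OID because the AlgorithmIdentifier already carries it). The public key field is computed with a plain, non-constant-time scalar multiplication, which is acceptable for an offline export tool but not for signing code.

```python
import base64

# secp256k1 domain parameters (Bitcoin's curve; igadjeed's key above is P-256 instead)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1 id-ecPublicKey
OID_SECP256K1 = bytes.fromhex("2b8104000a")          # 1.3.132.0.10 secp256k1


def _point_add(a, b):
    """Affine point addition on secp256k1 (a = 0); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _scalar_mult(k, point):
    """Double-and-add; not constant time, so only for offline key export."""
    result = None
    while k:
        if k & 1:
            result = _point_add(result, point)
        point = _point_add(point, point)
        k >>= 1
    return result


def public_key_uncompressed(priv: bytes) -> bytes:
    """65-byte 0x04||X||Y public key for a 32-byte big-endian private scalar."""
    d = int.from_bytes(priv, "big")
    if len(priv) != 32 or not 1 <= d < N:
        raise ValueError("private key must be 32 bytes in [1, n-1]")
    x, y = _scalar_mult(d, G)
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def der(tag: int, body: bytes) -> bytes:
    """One DER TLV with a definite-form length (short form, or long form up to 2 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def sec1_der(priv: bytes, with_params: bool = True) -> bytes:
    """RFC 5915 ECPrivateKey: SEQUENCE { version 1, privateKey, [0] curve OID, [1] public key }."""
    body = der(0x02, b"\x01") + der(0x04, priv)
    if with_params:
        body += der(0xA0, der(0x06, OID_SECP256K1))
    body += der(0xA1, der(0x03, b"\x00" + public_key_uncompressed(priv)))
    return der(0x30, body)


def pkcs8_der(priv: bytes) -> bytes:
    """RFC 5958 PrivateKeyInfo, i.e. the BEGIN PRIVATE KEY layout shown above:
    the curve OID sits in the AlgorithmIdentifier, so the inner ECPrivateKey omits it."""
    alg = der(0x30, der(0x06, OID_EC_PUBLIC_KEY) + der(0x06, OID_SECP256K1))
    return der(0x30, der(0x02, b"\x00") + alg + der(0x04, sec1_der(priv, with_params=False)))


def to_pem(der_bytes: bytes, label: str) -> str:
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def parse_tlv(buf: bytes):
    """Minimal DER reader returning (tag, body, rest), enough to check the output."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        n, off = first, 2
    else:
        k = first & 0x7F
        n, off = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[off:off + n], buf[off + n:]


if __name__ == "__main__":
    demo = (1).to_bytes(32, "big")   # constructed demo scalar, never a real wallet key
    print(to_pem(pkcs8_der(demo), "PRIVATE KEY"))    # openssl pkey -in key.pem -text -noout
    print(to_pem(sec1_der(demo), "EC PRIVATE KEY"))  # openssl ec -in key.pem -text -noout
```

Write either PEM to a file and run the openssl command in the trailing comment to confirm OpenSSL parses it; the PKCS#8 form for a secp256k1 key is 135 bytes, the same size as the P-256 dump above once the shorter curve OID is accounted for.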
I decided to post this here as I saw some questions on the QRL discord.
Is elliptic curve cryptography quantum resistant?
Why do people say that BTC is quantum resistant, while they use elliptic curve cryptography? (Here comes the idea from that never reusing a private key (and public key since they form a pair) from elliptic curve cryptography would be quantum resistant.)
Why would Nexus be any different?
Why are WOTS+ signatures (and by extension XMSS) quantum resistant?
What is WOTS+?
What are the risks of WOTS+?
How is XMSS different?
Is elliptic curve cryptography quantum resistant?

No. Using a quantum computer, Shor's algorithm can be used to break the Elliptic Curve Digital Signature Algorithm (ECDSA). Meaning: they can derive the private key from the public key. So if they got your public key, they got your private key, and they can empty your funds. https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Quantum_computing_attacks https://eprint.iacr.org/2017/598.pdf

Why do people say that BTC is quantum resistant, while they use elliptic curve cryptography? (Here comes the idea that never reusing a private key from elliptic curve cryptography (and public key, since they form a pair) would be quantum resistant.)

Ok, just gonna start with the basics here. Your address, where you have your coins stored, is locked by your public-private key pair. See it as your e-mail address (public key) and your password (private key). Many people got your email address, but only you have your password. If you got your address and your password, then you can access your mail and send emails (transactions). Now if there were a quantum computer, people could use that to calculate your password/private key if they have your email address/public key. What is the case with BTC: they don't show your public key anywhere, until you make a transaction. So your public key is private until you make a transaction. How do they do that while your funds must be registered on the ledger? Well, they only show the hash of your public key. (A hash is an outcome of an equation. Usually one-way hash functions are used, where you cannot derive the original input from the output. But every time you use the same hash function on the same original input (for example IFUHE8392ISHF), you will always get the same output (for example G). That way you can have your coins on public key IFUHE8392ISHF, while on the chain, they are on G.) So your funds are registered on the blockchain on the "hash" of the public key.
The hash of the public key is also your "email address" in this case. So you give "G" as your address to send BTC to. By the way, in the early days you could use your actual public key as your address. And miners would receive coins on their public key, not on the hashed public key. That is why all the Satoshi funds are vulnerable to quantum attacks even though these addresses have never been used to make transactions from. These public keys are already public instead of hashed. Also certain hard forks have exposed the public keys of unused addresses. So it's really a false sense of security that most people hang on to in the first place. But it's actually a false sense of security overall. Since it is impossible to derive a public key from the hash of a public key, your coins are safe from quantum computers as long as you don't make any transaction. Now here follows the biggest misconception: pretty much everyone will think, great, so BTC is quantum secure! It's not that simple. Here it is important to understand two things:

1. How is a transaction sent?

The owner has the private key and the public key and uses that to log into the secured environment, the wallet. This can be online or offline. Once he is in his wallet, he states how much he wants to send and to what address. When he sends the transaction, it will be broadcast to the blockchain network. But before the actual transaction is sent, it is formed into a package, created by the wallet. This happens out of sight of the sender. That package ends up carrying roughly the following info: the public key to point to the address where the funds will be coming from, the amount that will be transferred, the public key of the address the funds will be transferred to. Then this package carries the most important thing: a signature, created by the wallet, derived from the private-public key combination.
This signature proves to the miners that you are the rightful owner and you can send funds from that public key. So this package is then sent out of the secure wallet environment to multiple nodes. The nodes don’t need to trust the sender or establish the sender’s "identity." And because the transaction is signed and contains no confidential information, private keys, or credentials, it can be publicly broadcast using any underlying network transport that is convenient. As long as the transaction can reach a node that will propagate it into the network, it doesn’t matter how it is transported to the first node.

2. How is a transaction confirmed/fulfilled and registered on the blockchain?

After the transaction is sent to the network, it is ready to be processed. The nodes have a bundle of transactions to verify and register on the next block. This is done during a period called the block time. In the case of BTC that is 10 minutes.

If you comprehend the information written above, you can see that there are two moments where you can actually see the public key while the transaction is not fulfilled and registered on the blockchain yet. 1: during the time the transaction is sent from the sender to the nodes; 2: during the time the nodes verify the transaction. This paper describes how you could hijack a transaction and make a new transaction of your own, using someone else's address to send his coins to an address you own during moment 2, the time the nodes verify the transaction: https://arxiv.org/pdf/1710.10377.pdf "(Unprocessed transactions) After a transaction has been broadcast to the network, but before it is placed on the blockchain it is at risk from a quantum attack. If the secret key can be derived from the broadcast public key before the transaction is placed on the blockchain, then an attacker could use this secret key to broadcast a new transaction from the same address to his own address.
If the attacker then ensures that this new transaction is placed on the blockchain first, then he can effectively steal all the bitcoin behind the original address." So this means that practically, you can't call BTC a quantum secure blockchain. Because as soon as you touch your coins and use them for payment, or send them to another address, you will have to make a transaction and you risk a quantum attack.

Why would Nexus be any different?

If you ask the wrong person they will tell you "Nexus uses a combination of the Skein and Keccak algorithms which are the 2 recognized quantum resistant algorithms (Keccak is used by the NSA) so instead of SHA-256, Nexus has SK-1024 making it much harder to break." Which would be the same as saying BTC is quantum resistant because they use a hashing function to hash the public key as long as no transaction is made. No, this is their solid try to be quantum resistant: Nexus states it's different because they have instant transactions (so there wouldn't be a period during which the nodes verify the transaction; this period would be instant). Also they use a particular order in which the miners verify transactions: First-In-First-Out (FIFO). (So even if instant is not instant after all, and you would be able to catch a public key and derive the private key, you wouldn't be able to have your transaction signed before the original one. The original one is first in line, and will therefore be confirmed first.) Also for some reason Nexus has standardized fees which are burned after a transaction. So if FIFO wouldn't do the trick, you would not be able to use a higher fee to get prioritized and get an earlier confirmation. So, during the time the nodes verify the transaction, you would not be able to hijack a transaction. GREAT, you say? Yes, great-ish. Because there is still moment #1: during the time the transaction is sent from the sender to the nodes.
This is where network-based attacks could do the trick: there are network-based attacks that can be used to delay or prevent transactions from reaching nodes. In the meantime the transactions can be hijacked before they reach the nodes. And thus one could hijack the non-quantum-secure public keys (they are openly included in sent signed transactions), which then can be used to derive private keys before the original transaction is made. So this means that even if Nexus has instant transactions in FIFO order, it is totally useless, because the public key would be obtained by the attacker before they reach the nodes. Conclusion: Nexus is not quantum resistant. You simply can't be without using a post-quantum signature scheme. Performing a DDoS attack or BGP routing attacks or NSA Quantum Insert attacks on a peer-to-peer network would be hard. But when provided with an opportunity to steal billions, hackers would find a way. For example: https://bitcoinmagazine.com/articles/researchers-explore-eclipse-attacks-ethereum-blockchain/ For BTC: https://eprint.iacr.org/2015/263.pdf "An eclipse attack is a network-level attack on a blockchain, where an attacker essentially takes control of the peer-to-peer network, obscuring a node’s view of the blockchain." That is exactly the recipe for what you would need to create extra time to find public keys and derive private keys from them. Then you could sign transactions of your own and confirm them before the originals do. By the way, yes, this seems to be fixed now, but it most definitely shows it's possible. And there are other creative options. Either you stop transactions from the base from getting out, while the sender thinks they're sent, or you blind the network and catch transactions there. There are always options, and they will be exploited when billions are at stake. The keys can also be hijacked when a transaction is sent from the user's device to the blockchain network using a MITM attack.
The result is the same as for network-based attacks, only now you don't mess with the network itself. These attacks make it possible to 1) retrieve the original public key that is included in the transaction message, 2) stop or delay the transaction message from arriving at the blockchain network. So, using a quantum computer, you could hijack transactions and create forged transactions, which you then send to the nodes to be confirmed before the nodes even receive the original transaction. There is nothing you could change in the Nexus network to prevent this. The only thing they can do is implement a quantum resistant signature scheme. They plan to do this in the future, like any other serious blockchain project. Yet Nexus is the only one of these future quantum resistant projects to prematurely claim to be quantum resistant. There is only one way to get quantum resistance: POST QUANTUM SIGNATURE SCHEMES. All the rest is just a shitty shortcut that won't work in the end. (If you use this info on BTC, you will find that the 10 minute block time that is used to estimate when BTC will be vulnerable to quantum attacks can actually be more than 10 minutes if you catch the public key before the nodes receive it. This makes BTC vulnerable sooner than the 10 min block time would make you think.)

By the way, Nexus using FIFO and standardized fees which are burned after the transaction comes with some huge downsides:
FIFO: If there are a lot of transactions, there would be nothing you can do to create a faster transaction. If you need a quick transaction during rush hours, you can’t pay a higher fee to get priority.
Fees are burned after the transactions. This means they are not sent to miners, which would lessen the incentive to mine. Also, because only block rewards pay miners, what if the max supply is reached in the future and there is nothing to pay out block rewards? What would be the incentive to mine or stake?
The risk that comes with small standardized fees is that when someone is willing to pay to harm or spam your chain, they can force spam or small transactions into the system without you being able to stop them. (Miners wouldn't be able to exclude lower fee transactions containing spam or extremely small amounts meant for clogging the chain)
Another risk that comes with small standardized fees would be this: how do you prevent a big backlog if there is no higher fee incentive for miners to come mine at rush hours? Usually fees follow the free market: the larger the backlog of transactions, the higher the fees usually are. This then leads to more miners joining in and that way reducing the backlog. Having fixed fees would cancel out that possibility. So the risk of backlog would be huge.
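The BTC discussion above turns on one question for each coin: is the public key already visible on chain (bare-key outputs like the early coinbase payouts, or an address that has already been spent from), or only its hash? The following is an added example, not part of the post, that turns that question into an inventory check a wallet owner or auditor can run over their own unspent outputs. It matches the standard scriptPubKey templates (P2PK, P2PKH, P2SH, P2WPKH, P2WSH and P2TR) and goes one step beyond the post by flagging taproot outputs, whose scriptPubKey contains an x-only public key directly. The sample outputs are constructed with filler bytes, not real keys, and the address-reuse flag is assumed to come from the caller's own transaction history.

```python
from typing import Iterable, NamedTuple


class OutputClass(NamedTuple):
    kind: str
    key_on_chain: bool   # public key material readable from the unspent output itself
    note: str


def classify_script_pubkey(script: bytes) -> OutputClass:
    """Match a scriptPubKey against the standard templates and report whether
    the public key is already visible before any spend."""
    n = len(script)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG (early coinbase outputs paid this way)
    if n in (35, 67) and script[0] == n - 2 and script[1] in (2, 3, 4) and script[-1] == 0xAC:
        return OutputClass("P2PK", True, "bare public key sits in the output")
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and script[:3] == b"\x76\xa9\x14" and script[-2:] == b"\x88\xac":
        return OutputClass("P2PKH", False, "HASH160 only; key revealed in scriptSig when spent")
    # P2SH: OP_HASH160 <20> OP_EQUAL
    if n == 23 and script[:2] == b"\xa9\x14" and script[-1] == 0x87:
        return OutputClass("P2SH", False, "script hash; depends on the redeem script")
    # P2WPKH: OP_0 <20>
    if n == 22 and script[:2] == b"\x00\x14":
        return OutputClass("P2WPKH", False, "HASH160 only; key revealed in witness when spent")
    # P2WSH: OP_0 <32>
    if n == 34 and script[:2] == b"\x00\x20":
        return OutputClass("P2WSH", False, "script hash; depends on the witness script")
    # P2TR: OP_1 <32-byte x-only output key>
    if n == 34 and script[:2] == b"\x51\x20":
        return OutputClass("P2TR", True, "x-only output key is the scriptPubKey itself")
    return OutputClass("unknown", False, "non-standard template; inspect manually")


class Utxo(NamedTuple):
    script_pubkey: bytes
    key_already_revealed_by_spend: bool   # did this key sign an earlier spend (address reuse)?


def quantum_exposed(u: Utxo) -> bool:
    """True if a sufficiently large quantum computer could already target this
    output without waiting for the owner to broadcast a transaction."""
    c = classify_script_pubkey(u.script_pubkey)
    return c.key_on_chain or u.key_already_revealed_by_spend


def exposure_report(utxos: Iterable[Utxo]) -> dict:
    """Count outputs per template and how many are exposed before any spend."""
    report = {}
    for u in utxos:
        kind = classify_script_pubkey(u.script_pubkey).kind
        entry = report.setdefault(kind, {"total": 0, "exposed": 0})
        entry["total"] += 1
        entry["exposed"] += int(quantum_exposed(u))
    return report


# Constructed sample outputs (key bytes are filler, not real keys)
SAMPLE_UTXOS = [
    Utxo(b"\x21\x02" + b"\x11" * 32 + b"\xac", False),            # P2PK, exposed by design
    Utxo(b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac", False),    # fresh P2PKH, hash only
    Utxo(b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac", True),     # reused P2PKH address
    Utxo(b"\x00\x14" + b"\x44" * 20, False),                      # fresh P2WPKH
    Utxo(b"\x51\x20" + b"\x55" * 32, False),                      # P2TR, key in output
]

if __name__ == "__main__":
    for kind, counts in exposure_report(SAMPLE_UTXOS).items():
        print(f"{kind:7s} total={counts['total']} exposed={counts['exposed']}")
```

The report separates "exposed now" from "exposed only when spent", which is exactly the distinction the post draws between untouched hashed addresses and everything else; it does not change the post's conclusion that the only durable fix is a post-quantum signature scheme.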
Why are WOTS+ signatures (and by extension XMSS) quantum resistant?

First of all, this is where the top notch mathematicians work their magic. Cryptography is mostly maths. As Jackalyst puts it talking about post-quantum signature schemes: "Having papers written and cryptographers review and discuss it to nauseating levels might not be important for butler, but it's really important with signature schemes and other cryptographic methods, as they're highly technical in nature." If you don't believe in math, think about Einstein using math to predict things most couldn't even imagine, let alone measure, back then. Then there is implementing it the right way into your blockchain without leaving any backdoors open. So why are WOTS+ and by extension XMSS quantum resistant? Because math papers say so. With WOTS it would even take a quantum computer too much time to derive a private key from a public key. https://en.wikipedia.org/wiki/Hash-based_cryptography https://eprint.iacr.org/2011/484.pdf

What is WOTS+?

It's basically an optimized version of Lamport signatures. WOTS+ (Winternitz one-time signature) is a hash-based, post-quantum signature scheme. So it's a post-quantum signature scheme meant to be used once.

What are the risks of WOTS+?

Because each WOTS signature publishes some part of the private key, they rapidly become less secure as more signatures created by the same public/private key are published. The first signature won't have enough info to work with, but after two or three signatures you will be in trouble. IOTA uses WOTS. Here's what the people over at the cryptography subreddit have to say about that: https://www.reddit.com/crypto/comments/84c4ni/iota_signatures_private_keys_and_address_reuse/?utm_content=comments&utm_medium=user&utm_source=reddit&utm_name=u_QRCollector With the article: http://blog.lekkertech.net/blog/2018/03/07/iota-signatures/ Mochimo uses WOTS+.
They kind of solved the problem: a transaction consists of a "Source Address", a "Destination Address" and a "Change Address". When you transact to a Destination Address, any remaining funds in your Source Address will move to the Change Address. To transact again, your Change Address then becomes your Source Address. But what if someone already has your first address and is unaware of the fact you already sent funds from that address? He might just send funds there. (I mean, in a business environment this would make Mochimo highly impractical.) They need to solve that. Who knows, it's still a young project. But then again, for some reason they also use FIFO and fixed fees, so there I have the same objections as for Nexus.

How is XMSS different?

XMSS uses WOTS in a way that you can actually reuse your address. WOTS creates a quantum resistant one-time signature and XMSS creates a tree of those signatures attached to one address so that the address can be reused for sending an asset.
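The two points above (a WOTS signature leaks part of the private key, so a second signature under the same key is dangerous; XMSS puts many one-time keys under one Merkle root so the address can be reused, at the price of keeping state) are easiest to see in code. The following is an added example, not the post's code and not an implementation of the XMSS or WOTS+ standards: it is a textbook Winternitz one-time signature over SHA-256 with w=16 and a checksum, without the per-step bitmasks and keyed hash that WOTS+ adds, plus a minimal Merkle tree of such keys. Seeds and messages are constructed for the demo. The function exposed_fraction measures how much of the secret chain material becomes derivable as signatures under one key accumulate, which is the risk the post describes.

```python
import hashlib
import os

W = 16          # Winternitz parameter: every chain has W-1 = 15 hash steps
L = 64 + 3      # 64 base-16 message digits + 3 checksum digits


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(x: bytes, steps: int) -> bytes:
    """Iterate the hash `steps` times. Real WOTS+ XORs a public per-step
    bitmask and uses a keyed hash; plain iteration shows the same structure."""
    for _ in range(steps):
        x = H(x)
    return x


def msg_digits(msg: bytes) -> list:
    """Base-16 digits of SHA-256(msg) plus a checksum. Lowering a message
    digit means walking further down a chain, which only the key holder can
    do; the checksum rises whenever a digit is lowered, so no message can be
    forged by walking chains upwards only."""
    d = H(msg)
    digits = [b >> 4 for b in d] + [b & 0xF for b in d]
    csum = sum(W - 1 - x for x in digits)          # at most 64*15 = 960 < 16**3
    return digits + [(csum >> 8) & 0xF, (csum >> 4) & 0xF, csum & 0xF]


def keygen(seed: bytes = None):
    """L secret chain starts, and the L chain ends that form the public key."""
    seed = seed or os.urandom(32)
    sk = [H(seed + bytes([i])) for i in range(L)]
    return sk, [chain(s, W - 1) for s in sk]


def sign(sk, msg: bytes):
    return [chain(sk[i], d) for i, d in enumerate(msg_digits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    digits = msg_digits(msg)
    return all(chain(s, W - 1 - d) == p for s, d, p in zip(sig, digits, pk))


def exposed_fraction(msgs) -> float:
    """Share of all secret chain steps an observer learns from signing `msgs`
    with ONE key: a signature publishes position d_i of chain i, and every
    position from d_i up to the public key is then derivable by anyone."""
    lowest = [W - 1] * L                           # W-1 is the public key itself
    for m in msgs:
        for i, d in enumerate(msg_digits(m)):
            lowest[i] = min(lowest[i], d)
    return sum(W - 1 - x for x in lowest) / (L * (W - 1))


def build_tree(leaves):
    """Merkle root and one authentication path per leaf (len(leaves) = 2**h)."""
    paths, level, idx = [[] for _ in leaves], list(leaves), list(range(len(leaves)))
    while len(level) > 1:
        for leaf in range(len(leaves)):
            paths[leaf].append(level[idx[leaf] ^ 1])
            idx[leaf] >>= 1
        level = [H(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
    return level[0], paths


class TreeSigner:
    """Many one-time WOTS keys under one root (the reusable address). The leaf
    index is the state XMSS needs: persist it, or a leaf key will sign twice."""

    def __init__(self, seed: bytes, height: int = 3):
        self.keys = [keygen(H(seed + b"leaf" + bytes([i]))) for i in range(1 << height)]
        self.root, self.paths = build_tree([H(b"".join(pk)) for _, pk in self.keys])
        self.next_index = 0

    def sign(self, msg: bytes):
        if self.next_index >= len(self.keys):
            raise RuntimeError("tree exhausted: every one-time key has been used")
        i, self.next_index = self.next_index, self.next_index + 1
        sk, pk = self.keys[i]
        return i, sign(sk, msg), pk, self.paths[i]


def verify_tree(root: bytes, msg: bytes, tree_sig) -> bool:
    i, sig, pk, path = tree_sig
    if not verify(pk, msg, sig):
        return False
    node = H(b"".join(pk))
    for sibling in path:                           # climb from leaf i to the root
        node = H(node + sibling) if i % 2 == 0 else H(sibling + node)
        i >>= 1
    return node == root
```

Calling exposed_fraction with one, then two, then three messages shows the fraction climbing, which is the concrete meaning of "after two or three signatures you will be in trouble"; the TreeSigner shows why the stateful index matters: if next_index were lost and reset, the same leaf key would sign twice and the tree's protection would collapse to plain WOTS reuse.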
Peer-to-peer smart derivatives for any asset over any network!
Taurus0x Overview

Distributed off-chain / on-chain protocol powering smart derivatives from end to end, for any asset over any network.

Background of Taurus0x

Remember around September 2017 when the world lost its cool over Bitcoin prices? It was nearly an ideological war for many. It occurred to me to create an app for people to bid on Bitcoin prices, and I would connect that app to a smart contract to execute bids on the blockchain. It took me a long couple of weeks to figure out how many licenses I would need to acquire to run such a business in the United States. It became evident that market making is a huge undertaking and is better off decentralized in an open-standard protocol to generate liquidity. The protocol needed to be fully decentralized as a primary requirement. Why? Because I believe in the philosophy of decentralization and creating fair market makers, governed by a public community. It is the right thing to do in order to create equal opportunity for consumers without centralized control and special privileges. It comes as no surprise to anyone at this point that the vast majority of “ICOs” were empty promises. Real life utility was and is a necessity for any viable project. Transitioning from a centralized world to a tokenized and decentralized one cannot be abrupt. The protocol needed to support both worlds and allow for a free market outcome as far as adoption. Scalability-wise and as of today, Ethereum could not handle a real-time full DEX that could compete with advanced and well-known centralized exchanges. And quite frankly, maybe it’s not meant to. This is when the off-chain thinking started, especially after witnessing a couple of the most successful projects adopting this approach, like Lightning and 0xProject. The trade-off was the complexity of handling cryptographic communications without the help of the blockchain. I had met my co-founder Brett Hayes at the time. I would need another 3 or 4 articles to explain Brett for you.
To the substance.
What is Asymmetrical Cryptography?
Asymmetrical cryptography is a form of cryptography that uses public and private key pairs. Each public key comes with its associated and unique private key. If you encrypt a piece of data with a private key, only the associated public key may be used to decrypt the data, and vice versa. If I send you a “hello” encrypted with my private key, you can try to decrypt it with my public key (which is no secret). If it decrypts fine, then you are positive that this “hello” came from me. This is what we call digital signatures. The figure below is from the Taurus0x whitepaper and describes the chosen digital signature algorithm (ECDSA).
https://preview.redd.it/n8kavgofbm211.png?width=1000&format=png&auto=webp&s=289695a17cd413b68105b249d615b82bae1fe1dc
What are Smart Derivatives?
Well, what are derivatives in the first place? In the financial world, a derivative is a contract between two or more parties based upon an asset. Its price is determined by fluctuations in the underlying asset. The most common underlying assets include stocks, bonds, commodities, currencies, interest rates and market indexes. Futures contracts, forward contracts, options, swaps, cryptocurrency prices and warrants are common derivatives. Smart Derivatives are smart contracts that behave like financial derivatives. They possess enough information and funds to allow for execution with guaranteed and trusted outcomes.
What is Taurus0x?
Taurus0x is a distributed off-chain / on-chain protocol powering smart derivatives from end to end. Taurus0x is both asset- and network-agnostic. The philosophy is to also become blockchain-agnostic as more blockchains come to life.
Distributed = fully decentralized set of smart contracts and libraries.
Off-chain = ad-hoc protocol not limited to a blockchain.
On-chain = trusted outcome without intermediaries.
Asset-agnostic = supports any asset, not limited to cryptocurrency.
Network-agnostic = contracts can be transmitted over any network (email, text, Twitter, Facebook, pen and paper, etc.)
Who can use Taurus0x?
The Taurus0x protocol is ultimately built to serve end consumers who trade derivative contracts. Participants may engage in peer-to-peer derivative contracts among each other without the need for a house in the middle. The Taurus0x team and advisory realize that the migration from a centralized world to a decentralized one cannot be abrupt, specifically in FinTech. Taurus0x is built to support existing business models as well as C2C peer-to-peer. Exchanges that want to take on the derivative market may use an open-source protocol without worrying about building a full backend to handle contract engagement and settlement. Taurus0x exchanges would simply connect participants to each other, using matching algorithms. Taurus0x intends to standardize derivative trading in an open way. Having more exchanges using the protocol allows for creating public and permissioned pools to generate compounded liquidity of contracts. This helps smaller exchanges by lowering the entry-to-market barrier.
How does Taurus0x work?
The process is simple and straightforward. Implementation details are masked by the protocol, making it very easy to build on top of. The first 2 steps represent off-chain contract agreement, while 3 and 4 solidify and execute the contract on-chain.
1- Create
A producer creates a contract from any client using the Taurus0x protocol, whether from an app, a website or a browser extension. The producer specifies a condition that is expected to happen sometime in the future. For example, I (the producer) might create a binary contract with the following condition: Apple stock > $200 by July 1, 2018 with a premium of 10 TOKENs (any ERC20 token). The contract will be automatically signed with my private key, which confirms that I created it. I can then share it (a long hexadecimal text) with anyone over any network I choose.
2- Sign
When the consumer receives the signed contract, they will be able to load it via any client using Taurus0x. If the consumer disagrees with the producer on the specified condition, they will go ahead and sign the contract with their private key. Back to our example above, the consumer would think that Apple stock will remain under $200 by July 1, 2018. Now that we have collected both signatures, the contract is ready to be published on the blockchain.
3- Publish
Anyone who possesses the MultiSig contract and its 2 signatures can go ahead and publish it to the Ethereum blockchain. That would most likely be either the producer, the consumer or a party like an exchange in the middle hosting off-chain orders. As soon as the contract is published, the Taurus0x proxy (an open-source smart contract) will pull the necessary funds from participating wallets into the newly created Smart Derivative. The funds will live in the derivative contract until successful execution.
4- Execute
If at any point before the contract expiration date the specified condition becomes true (i.e. Apple stock > $200), the producer can go ahead and execute the derivative contract. The contract will calculate the outcome and transfer funds accordingly. In this binary derivative example, the producer will receive 20 TOKENs in their wallet upon executing the contract. If the expiration date comes and the producer had never successfully executed the contract, the consumer may execute it themselves and collect the 20 TOKENs. This figure from the Taurus0x whitepaper depicts the process:
https://preview.redd.it/vr2y9b8ibm211.png?width=1250&format=png&auto=webp&s=1b7a8144fe2a41116a4f64d7418d3dacb4f42fc5
Summary
Taurus0x is a highly versatile and modular protocol built using Ethereum-based smart contracts and wrapper JS libraries to bootstrap developer adoption.
While Smart Derivatives are the first application of Taurus0x, it is worth noting that the protocol is not limited to cryptocurrencies or even derivatives for that matter. It is an ad-hoc and scalable contract management solution meant to guarantee trusted outcomes in the future based on conditions specified today. The semi off-chain nature of the protocol helps remediate Ethereum’s scalability limitations and makes it a viable product. Finally, the plan for Taurus0x is to be governed by a Decentralized Autonomous Organization or DAO as outlined in the roadmap on https://taurus0x.com. This is an area of research and development as of today. Decentralization does not fulfill its purpose if governance remains centralized, therefore it is without compromise that Taurus0x follows a decentralized governance structure.
With the impending release of Segregated Witness, implementation of the Schnorr cryptographic signature algorithm might follow soon after, potentially improving Bitcoin's scalability, efficiency and privacy, all in one go. Many cryptographers consider Schnorr signatures the best in the field, as they offer a strong level of correctness, do not suffer from malleability, are relatively fast to verify, and ‒ importantly ‒ support multisignature: several signatures can be aggregated into a single, new signature. However, until now it has not been possible to utilize Schnorr in Bitcoin. Another type of signature scheme, Elliptic Curve Digital Signature Algorithm (ECDSA), is baked into the Bitcoin protocol, and changing that would require a hard fork. That's where Segregated Witness comes in. With Segregated Witness, all signature data is moved to a separate part of the transaction: the witness, which is not embedded in the “old” Bitcoin protocol. And thanks to script versioning, almost any rule applied in the witness can be changed through a soft fork. Including the type of signature scheme used.
Both Roger Ver and Andrew Stone seem to be anti-segwit for inexplicable reasons. BU supporters seem to think SegWit is favorable, but only as a hard fork - an argument that I don't think is smart and is quite frankly disingenuous. If anything it seems they simply object to it because Core developers designed and implemented it (the responsible way IMO, as a soft-fork). Why does Andrew Stone largely dismiss the desire for segwit integration into BU? He claims there's too much "technical debt" w/ SegWit @~ 52 minutes into the interview; example given is a ridiculous cop-out. He also claims "if we're going to do a hardfork anyway, why not take SegWit and make it into a hard fork?" as an argument against Core's implementation, yet his software is the software that is actually set to hard-fork, yet he hasn't ported SegWit in to activate when/if his miner-controlled blocksize hard-fork activates! At least he encourages everyone that's not a sock-puppet and can demonstrate that to register on their forum to propose any changes they want to BU which will be voted up or down by the members. Whether your membership will be rejected outright if you have voiced any pro-core opinions or not is an open question. On to Ver. Why has Roger Ver chosen a demonstrably anti-segwit approach (despite his politically safe, but practically meaningless rhetoric about not blocking SegWit), even though I have yet to find a single retail/wallet/actual-nonminer-btc-adoption-entity that is against the SegWit approach? It enables so many pro-fungibility features in the future that it seems to me to be a no-brainer to activate. My suspicion about Ver is that he's hedging his bets with massive investments in altcoins with better anonymity features anyway, such as ZCash, Monero and DASH, so even if Bitcoin fails or falters due to fungibility issues, his anon-coin investments will offset his BTC losses. What do you think?
Schnorr can do multisignature in a very straightforward and scalable way
-Gregory Maxwell, 2015
The theory is that Schnorr signatures are linear, so if (r1,s1) and (r2,s2) are two signatures, then (r1+r2,s1+s2) is the signature of both signatures put together. This cannot be applied directly to Bitcoin multisig because if signatures work linearly, it means someone could forge a signature using the other public keys and “cancel out” the other signature. This problem is best described by Pieter Wuille:
This would mean that he could sign for both of them while everyone is assuming that we have created an address that is multisig that actually requires both of their signatures. This is the cancellation problem. You can choose your keys in such a way that other people's keys get canceled out.
-Pieter Wuille, 2016.
So the linear formula that allows native support of multisig wallets also natively supports one member of a multisig wallet taking over the whole wallet. This problem could be fixed through delinearization, but this introduces new issues: specifically, it isn’t proven to be secure, or not to be a breaking change to the cryptographic algorithm. This is why the Schnorr signatures implementation has been delayed over and over (it is now, I believe, at least 18 months away).
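The cancellation problem quoted above, and the delinearization the author names as the fix, in an added toy model that is not code from this post or from Bitcoin Core: it uses the multiplicative group mod 2**255 - 19 in place of secp256k1, and MuSig-style per-key coefficients a_i = H(L || P_i) as the assumed delinearization.

```python
"""Toy Schnorr aggregation to show the cancellation problem and its fix.

Constructed example: the group is the integers mod p = 2**255 - 19 with base
g = 2, standing in for Bitcoin's secp256k1 curve; the per-key coefficients
a_i = H(L || P_i) are the MuSig-style delinearization idea, assumed here only
to illustrate the text. Not code from the article or from Bitcoin Core.
"""
import hashlib
import secrets

P = 2**255 - 19   # prime modulus; public keys are integers mod P
N = P - 1         # secret keys, nonces and challenges are reduced mod N
G = 2             # base element playing the role of the curve generator

def _h(*parts):
    """Hash group elements and scalars (all < 2**256) to a scalar mod N."""
    data = b"".join(x.to_bytes(32, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)

def challenge(R, pub, msg):
    """Fiat-Shamir challenge e = H(R || P || m), bound to the key being verified."""
    return _h(R, pub, int.from_bytes(hashlib.sha256(msg).digest(), "big"))

def sign(x, pub, msg):
    """Plain Schnorr: (R, s) with R = g^k and s = k + e*x."""
    k = secrets.randbelow(N - 1) + 1
    R = pow(G, k, P)
    return R, (k + challenge(R, pub, msg) * x) % N

def verify(pub, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(pub, challenge(R, pub, msg), P) % P

def naive_aggregate(pubs):
    """Linear aggregation P_agg = P1 * P2 * ...: the scheme the myth assumes."""
    agg = 1
    for pub in pubs:
        agg = agg * pub % P
    return agg

def coefficients(pubs):
    """Delinearization: a_i = H(L || P_i) with L the sorted list of all keys."""
    L = sorted(pubs)
    return {pub: _h(*L, pub) for pub in pubs}

def delinearized_aggregate(pubs):
    """P_agg = prod P_i^{a_i}; no party can pick a key that cancels another."""
    coef = coefficients(pubs)
    agg = 1
    for pub in pubs:
        agg = agg * pow(pub, coef[pub], P) % P
    return agg

def multisign(parties, msg, aggregate, weights):
    """Two-round cosigning: combine all R_i first, then each s_i = k_i + e*a_i*x_i."""
    pubs = [pub for _, pub in parties]
    agg, w = aggregate(pubs), weights(pubs)
    nonces = [secrets.randbelow(N - 1) + 1 for _ in parties]
    R = 1
    for k in nonces:
        R = R * pow(G, k, P) % P
    e = challenge(R, agg, msg)
    s = sum(k + e * w[pub] * x for k, (x, pub) in zip(nonces, parties)) % N
    return agg, (R, s)

def rogue_key(x_attacker, victim_pub):
    """A key chosen so that victim_pub cancels out of the naive aggregate."""
    return pow(G, x_attacker, P) * pow(victim_pub, -1, P) % P

def demo(msg=b"constructed message: spend the shared coins"):
    x1, P1 = keygen()          # honest cosigner
    x2, _ = keygen()           # second party's real secret ...
    P2 = rogue_key(x2, P1)     # ... published as a key chosen against P1
    out = {}
    # Naive aggregate is just g^x2, so the second party alone signs for "both".
    agg = naive_aggregate([P1, P2])
    out["naive_cancel"] = verify(agg, msg, sign(x2, agg, msg))
    # Under delinearization the same choice of P2 no longer yields a key x2 controls.
    agg_d = delinearized_aggregate([P1, P2])
    a2 = coefficients([P1, P2])[P2]
    out["delin_cancel"] = verify(agg_d, msg, sign(x2 * a2 % N, agg_d, msg))
    # Honest cosigning still yields one two-element signature under either scheme.
    honest = [(x1, P1), keygen()]
    agg_n, sig_n = multisign(honest, msg, naive_aggregate, lambda ps: {p: 1 for p in ps})
    out["naive_honest"] = verify(agg_n, msg, sig_n)
    agg_h, sig_h = multisign(honest, msg, delinearized_aggregate, coefficients)
    out["delin_honest"] = verify(agg_h, msg, sig_h)
    return out
```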
Myth 2: reduction of at least 25% in terms of storage and bandwidth
Estimates are that this upgrade would reduce the use of storage and bandwidth by at least 25%.
-Bitcoincore.org, March 2017.
This estimate is pure fantasy. The same article states “Assuming every historical signature would be reduced to 1 byte”. Schnorr signatures will never, ever reduce signatures to 1 byte. Just never. But do not believe me; once again, Pieter Wuille says it: Schnorr signatures are 64 bytes, fixed size. For comparison, current signatures are at most 73 bytes (12% bigger). This assumes that the delinearization process described in myth 1 does not incur a bigger signature than that, or some additional data transfer. This is also, of course, assuming that everyone that uses multisig decides to use the Schnorr alternative.
Myth 3: Schnorr signatures will improve privacy
This one is a bit tricky and to be fair it is highly dependent on actual implementation.
Schnorr allows the entire policy of the multisig to be obscured and indistinguishable from a conventional single pubkey. In a threshold setup, it also becomes impossible for participants to reveal which of them authorized, or not, a transaction.
-Bitcoincore.org, March 2017.
By design, 1 Schnorr signature would replace all the signatures that would normally be involved in a multisig transaction, thus hiding them. But this is only the theory. In practice, the holders of the keys in the multisig still need to communicate and exchange their signatures in order to generate that one Schnorr signature. It is extremely naive to believe that this communication step would not leave any public traces. This is particularly true if (as has been mentioned) a bitcoin node acts as an aggregator.
The idea behind signature aggregation is to enable system validators, i.e. Bitcoin nodes, to compute a single key and signature for every input of all transactions at the protocol level.
-Bitcoincore.org, March 2017.
In that use case, the privacy would disappear the instant a third-party node is involved in the transaction. Let’s remember that anyone can run a node, which by default is decentralized and permissionless.
Why remove ECDSA for another cryptographic system? This seems quite pointless and quite a waste of time. While it is undeniable that it could yield some bandwidth reduction (nowhere near 25%!), the gains are far from offsetting the efforts. If anything, the cryptographic system should be changed for a quantum-computing-secure algorithm, not for another variant of the same. edit: spelling and link.
Quantum Computing and the Difference Between Public Keys and Bitcoin Addresses
I had a conversation recently with someone that made me wonder if there is a lot of confusion about the relation between public keys and Bitcoin addresses, so I thought I'd make a brief post explaining this difference for interested parties. As most people know, public key cryptography, particularly the Elliptic Curve Digital Signature Algorithm (ECDSA), is important to Bitcoin. In this cryptographic scheme an asymmetric key pair is generated: a public key, which can be shared with anyone, and a private key, which should be known only by you. In Bitcoin, with ECDSA, your private key is used to sign a transaction, confirming that it was in fact you, the rightful owner of a given UTXO or some set of UTXOs, who is sending them off to some other address. Any arbitrary person (miners, people running validation nodes or SPV wallets) can confirm that it was you who sent the transaction because included in the transaction is your public key. Your public key will revert the cryptographic transformation done by your private key, thus allowing people to verify that the transaction being signed is in fact the one under consideration, and that it originates from the holder of the private key corresponding to this public key. Missing from my explanation above is how transaction validators know the public key for a given Bitcoin address. A natural assumption might be that Bitcoin addresses are ECDSA public keys. This assumption is natural, but incorrect. Bitcoin addresses are hashes of public keys (pubkey hashes). With this scheme, your public key is only ever exposed when you transact with Bitcoin. Validators verify that a public key you provide for a transaction is correct for your Bitcoin address by hashing that public key and making sure that the hash of the public key is equivalent to the pubkey hash. Some corollaries of using the pubkey hash instead of the public key for Bitcoin addresses are:
Compression. Bitcoin Public Keys are 256 bits and pubkey hashes are 160 bits
Expanding on the second point, suppose tomorrow a Quantum Computer came out with enough qubits to solve the currently intractable discrete logarithm problem of determining an ECDSA private key from a public key. If you had been following the Bitcoin best practice of not re-using addresses when you transact your Bitcoin, then the only window of opportunity for a thief would be the time before your Bitcoin gets added to a block when you were transacting with it. Unlike public key cryptography, cryptographic hashes themselves are not particularly vulnerable to the advent of quantum computing.
Let me clarify common misconceptions about Bitcoin.
Myth # 1. It's just something similar to other virtual currencies, nothing new
All other virtual currencies are controlled by their regulatory center. This means that: they can be printed on the subjective whims of the currency regulator; they could be destroyed by an attack on this regulatory center; arbitrary rules can be imposed by the currency regulator. Bitcoin, being a decentralized currency from the start, solves all these problems.
Myth # 2. Bitcoins do not solve any problems that gold and/or fiat money cannot solve
Unlike gold, bitcoins are: easy to carry and store; easy to authenticate. Unlike fiat money, bitcoins: have predictable and decreasing emission; are not controlled by any regulatory center. Unlike fiat electronic money, bitcoins: can be anonymous (like cash); cannot have their accounts frozen.
Myth # 3. Bitcoins are secured by CPU time
It is incorrect to say that bitcoins are secured by CPU time. When it is said that a currency is "secured" by something, it is meant that it is centrally pegged to that thing at some exchange rate. You cannot exchange bitcoins for the computing power spent on their generation (it is too high). In this sense, bitcoins are not secured by anything; they are a product valuable in itself. Think: is gold backed by anything? No, it's just gold. It's the same with bitcoins. Bitcoin currency is created with the use of processor power: the integrity of the block chain is protected from all sorts of attacks by the existence of a large computer network. That's it.
Myth # 4. Bitcoins are worthless because they are not secured by anything
Gold is not secured by anything, but is used and valued everywhere. See the previous myth.
Myth # 5. The value of bitcoins is based on how much electricity and processing power is required to generate them
This myth is an attempt to apply the labor theory of value to bitcoins, which is not applicable to them and is probably false.
Just because something requires X resources to create doesn't mean that the final product will cost X. It can cost more or less than X, depending on its usefulness to users. In fact, the causal relationship runs the other way (this applies to the above theory as a whole). The value of bitcoins is based on how valuable they are. If bitcoins rise in price, more people will try to generate them (because bitcoin generation becomes more profitable), which will increase the difficulty of generating them, which in turn only makes mining them more costly. If bitcoins fall in price, then the reverse process occurs. These processes maintain a balance between the cost of generation and the price of the bitcoins generated.
Myth # 6. Bitcoins have no intrinsic value (unlike some other things)
Many things have intrinsic value, but it is usually well below the market value of the thing. Consider gold: if it were not used as an inflation-resistant store of value, and used only for industrial purposes, it would not have today's value, since the industrial need for gold is much lower than the amount available. Historical value has helped establish some things as a means of exchange, but it is certainly not a necessary condition. Perhaps bitcoins will not be used as a raw material for industrial purposes, but they have many other useful qualities that are necessary for a means of exchange. The value of bitcoins is determined solely by people's desire to trade them: supply and demand.
Myth # 7. Bitcoins are illegal because they are not legal tender
Short answer: chickens are not legal tender, but bartering with chickens is not illegal. There are many currencies that are not legal tender. Currency, after all, is just a convenient unit of account.
Although national laws may vary from country to country (you should definitely check the laws of your state), in general, trading in any commodity, including digital goods (e.g. bitcoins, or the game currencies of virtual worlds like Second Life or WoW), is not illegal.
Myth # 8. Bitcoins are a form of domestic terrorism because they only harm the economic stability of the state and the state currency
Read the relevant Wikipedia article. An action is not considered terrorism if it is not violent. Bitcoins are not imposed on anyone with violence, so they are not terrorism. Also, bitcoins are not "domestic". They are a worldwide product. Look at the auto-generated node map.
Myth # 9. Bitcoins will only facilitate tax evasion, which will lead to the possible fall of civilization
It's up to you whether you follow the laws of your country or face the consequences of breaking them.
Myth # 10. Anyone can print/mint bitcoins, therefore they're useless
Generating coins requires significant computing power; in addition, over time, all the coins will have been generated.
Myth # 11. Bitcoins are useless because they are based on unverified / unproven cryptography
The SHA-256 and ECDSA algorithms that are used in the Bitcoin program are well-known industry encryption standards.
Myth # 12. The first bitcoin users are unfairly rewarded
The first users were rewarded for taking on a higher risk of losing their time and money. From a more pragmatic point of view, the term "equity" is a relative concept, making it unlikely to be agreed upon by a large number of people. Establishing "fairness" is not the goal of the Bitcoin project, as it would be simply impossible. The vast majority of the 21 million bitcoins still haven't been distributed among people. If you start generating or purchasing bitcoins today, you can become one of the "first users" yourself.
Myth # 13. 21 million coins is not enough, it is not commensurate with the needs of mankind
In fact, the Bitcoin project will have 2099999997690000 (just over two quadrillion) of the maximum possible indivisible units. One bitcoin is 100 million (one hundred million) of them. In other words, each bitcoin can be divided into 10^8 parts. If the value of bitcoins rises too much, then for convenience people can start working with smaller pieces such as milli-bitcoins (mBTC) and micro-bitcoins (µBTC). Redenomination with coefficients of 1:10, 1:100 and so on is also possible.
Myth # 14. Bitcoins are stored in wallet files, just copy the wallet and get more coins!
No. Your wallet file contains secret private keys that give you the right to dispose of your bitcoins. Imagine that you have a key issued by your bank to manage your account. If you give it to someone else, it will not increase the funds in your bank account. The funds will be spent either by you or by this third party.
Myth # 15. Lost coins cannot be replaced, which is bad
The minimum bitcoin unit is 0.00000001, so this is not a problem. If you lose coins, all other coins will rise in price a little. Consider this a donation to all other bitcoin users. There is a related question (and the answer to it): why is there no mechanism to replace lost coins? It is impossible to distinguish between a lost coin and one that is simply not used at the moment and is waiting in someone's wallet for its time to be useful.
Myth # 16. It's a giant pyramid scheme.
In financial pyramids (see Ponzi scheme and MMM), the founders convince investors that they will be in profit. Bitcoins do not give such guarantees. There is no regulatory center; there is just a group of people who are building a new economy. However, one should not confuse bitcoins themselves with various projects on the Internet which can accept bitcoins as a contribution and be financial pyramids.
Myth # 17. Limited emission and lost coins generate a deflationary spiral
Both deflationary forces can manifest themselves, and economic factors such as hoarding counteract the human factor, which can reduce the chances of a deflationary spiral.
Myth # 18. The idea of bitcoin may not work because there is no way to control inflation
Inflation is simply an increase in prices over time, which is usually a consequence of currency depreciation. It is a function of supply and demand. Given that the supply of bitcoins is fixed (due to the peculiarities of their issuance), unlike fiat money, the only way for inflation to get out of control is the disappearance of demand for bitcoins. It should also be taken into account that bitcoins are a currency with a predictable, decentralized issuance. If demand falls to almost zero, then bitcoins will be doomed in any case. However, it is unlikely that this can actually happen. The key point here is that bitcoins cannot be devalued by a sharp increase in inflation by any person, organization or government, since there is no way to increase the supply too much due to the peculiarities of their issuance. In fact, a more likely scenario is an increase in demand for bitcoins due to growing popularity, which should lead to a constant increase in the exchange rate and deflation.
Myth # 19. The Bitcoin community is anarchists, conspiracy theorists, supporters of the gold standard and geeks
Confirmed. However, keep in mind that these are only one part of the whole colourful community.
Ardor Improvement Proposal (AIP001?) - Adding Support for the "ed25519" Digital Signature Algorithm
This post is inspired by some of the ideas in this thread - https://www.reddit.com/Ardocomments/7qane0/confusion_and_inconsistent_instructions_about/. Is there a way to improve the Addresses and Public Keys in Ardor? Yes, there are a few ways... but a really good option might be to smuggle in some extra features too. Like killing two birds with one stone. Basically, since Bitcoin and NXT launched there has been a lot of very impressive work done on Digital Signature Algorithms and specifically in relation to elliptic curves. A lot of this work has even been motivated by the cryptocurrency space. Ardor has an opportunity to benefit from some of this innovation by making some simple but clever modifications to its code. Different cryptocurrencies settled on competing standards for their Digital Signature Algorithms during the design phase. For example, Bitcoin uses an elliptic curve called secp256k1 with a Digital Signature Algorithm called ECDSA. Ardor uses an elliptic curve called Curve25519 with a Digital Signature Algorithm called EC-KCDSA. There are various reasons why these choices were selected. The history might be of interest to some of you, but I won't go into that now. The elliptic curves are constants, so the progress over time is on the Digital Signature Algorithms. Curiously, some of the most impressive progress has been made on a DSA that neither Bitcoin nor Ardor use, called ed25519. But at least ed25519 builds on the same curve that Ardor already uses - Curve25519. So what is so great about ed25519? Well, it's new. You might say that's not necessarily a good thing. We want to see stability with a component like this. Well, it's seeing some rapid adoption because of its awesome new features. See here for adoption insight - https://ianix.com/pub/ed25519-deployment.html. I.e. it's quickly becoming a standard. So without further ado - what makes ed25519 really cool:
Hardware Wallets are ready for it (unlike EC-KCDSA which is why Ardor and NXT haven't had access to any hardware wallets yet! And because it's fast becoming a standard, future Hardware Wallets will handle it even better!)
Native Multi-Sig with Schnorr-like signatures
Compact Signatures (even less blockchain-bloat/more scalability!)
Could potentially implement Ardor Account Control using two different crypto-systems (EC-KCDSA and ed25519), defusing any possible single point of failure
Fast signature verification (good for nodes, minimizes their work/energy expenditure)
Some of the really technical benefits can be seen on the project's homepage here - https://ed25519.cr.yp.to/. Oh, and it's completely unencumbered by patents or licenses. And the reference code is "public domain". I probably haven't done ed25519 enough justice. It's really great and you can read more about it on the web. But what's this about killing two birds with one stone? Well, by making a reasonably big modification to the Ardor software like this, you could also take the opportunity to fix the Ardor Address Problem. Currently the address derivation scheme prioritizes short human-readable addresses at the expense of security. You can win back that lost security by making an outgoing transaction from your Ardor Address/Account (or making sure the incoming transaction broadcasts the recipient's public key). But even that's not ideal. If anyone followed the development of Bitcoin they'll know that moving from Pay-to-Pub-Key to P2PKH was a big step up. But with Ardor it seems like you have to regress to increase your account security, even though you've lost the security benefit of the extra step of deriving (hashing) the Address from the public key. So, while making the change of adding support for ed25519, that would be the perfect time to update the Ardor Address format (make the addresses longer to remove the collision problem with the short addresses). The market seems to have decided that long difficult-to-read addresses are not a problem. Wallets and the infrastructure around them have meant that people don't often have to resort to typing out these addresses anyway. If we do this right we can have stronger cold-storage than Bitcoin does and a more flexible DSA than Bitcoin does. Not to mention a more scalable Blockchain, faster block-times, a decentralized exchange, increased transaction capacity, less wasteful consensus algorithm... etc. etc. =D Let me know what you, the community, think. I'm happy to take any questions.
Abstract
Bitcoin, being the most successful cryptocurrency, has been repeatedly attacked, with many users losing their funds. The industry's response to securing the user's assets is to offer tamper-resistant hardware wallets. Although such wallets are considered to be the most secure means for managing an account, no formal attempt has previously been made to identify, model and formally verify their properties. This paper provides the first formal model of the Bitcoin hardware wallet operations. We identify the properties and security parameters of a Bitcoin wallet and formally define them in the Universal Composition (UC) Framework. We present a modular treatment of a hardware wallet ecosystem, by realizing the wallet functionality in a hybrid setting defined by a set of protocols. This approach allows us to capture in detail the wallet's components, their interaction and the potential threats. We deduce the wallet's security by proving that it is secure under common cryptographic assumptions, provided that there is no deviation in the protocol execution. Finally, we define the attacks that are successful under a protocol deviation, and analyze the security of commercially available wallets.
Bitcoin uses ECDSA signatures, the elliptic curve variant of the Digital Signature Algorithm (DSA), to validate transactions. Unfortunately, ECDSA (and DSA in general) is not a particularly friendly signature scheme for threshold cryptography. The best known scheme is a 2-party threshold DSA signature protocol due to Mackenzie and Reiter.

The underlying blockchain technology of Bitcoin is based on several classical cryptographic and distributed-system techniques, such as the anti-Sybil Proof-of-Work mechanism, the Elliptic Curve Digital Signature Algorithm (ECDSA), consensus, and Merkle tree proofs. However, the security of Bitcoin or other alternative coins (altcoins) may be

Efficient weighted threshold ECDSA for securing bitcoin wallet
Abstract: Bitcoin is a digital currency based on cryptographic algorithms. All the transactions of this currency are recorded and stored in a publicly available database called the blockchain. This value is usually stored in a digital wallet.

ECDSA public key. The public part of the key generated above is encoded as a bitcoin address. First, the ECDSA public key is a point on the elliptic curve. The X and Y coordinates of that point make up the public key; they are prefixed with "04" to represent the (uncompressed) public key.

Elliptic Curve Digital Signature Algorithm or ECDSA is a cryptographic algorithm used by Bitcoin to ensure that funds can only be spent by their rightful owners. A few concepts related to ECDSA: private key: A secret number, known only to the person that generated it. A private key is essentially a randomly generated number.