New Commitment Schemes with Applications to Anonymous Bitcoin!

Transcription

1 New Commitment Schemes with Applications to Anonymous Bitcoin! Henry Corrigan-Gibbs and Dan Boneh! (Work in progress)!! Stanford Security Forum! 14 April 2014!

2 Isn t Bitcoin already anonymous?! Yes and no!!! traffic analysis attacks!?! Meiklejohn, Sarah, et al. "A fistful of bitcoins: characterizing payments among men with no names. ACM IMC 2013.!

3 Zerocoin! Unlinkable!! Miers, Ian, et al. "Zerocoin: Anonymous distributed e-cash from bitcoin. IEEE Security and Privacy, 2013.!

4 Neat! But how?! Envelope with a secret digit number inside Proof

5 What s in the secret sauce?! ZK proof that Zed knows:! (a) the number inside one of the envelopes (without revealing which!)! (b) that the number is 0x1c3af76ef196!

6 What s in the secret sauce?! ZK proof that Zed knows:! (a) the number inside one of the envelopes (without revealing which!)! (b) that the number is 0x1c3af76ef196! Protects Zed s anonymity! Prevents Zed from spending the same coin twice! ( serial number )!

7

8 Are we done?! Well! Zerocoin requires an RSA modulus for which no one knows the factors! Zerocoin increases the spend TX size by 120x (500 bytes à 64 KB)! With new crypto, spend transactions are only 11 KB long!

9 Outline! Background! Shorter anonymous coins! New assumption! Evaluation!

10 Outline! Background! Shorter anonymous coins! New assumption! Evaluation!

11 Technical Challenge! ZK proof that Zed knows:! (a) the number inside one of the envelopes (without revealing which!)! (b) that the number is 0x1c3af76ef196!

12 Envelope = Commitment! 1. Hiding: Seeing the envelope C(m) does not leak information about m! 2. Binding: There is only valid opening of the envelope/commitment C(m)! Should be hard to find collision C(m) = C(m )! Prevents Zed from spending the same coin twice with two different serial numbers!

13 Pedersen Commitments! Cryptographic work-horse!!!c(m; r) = g m h r!!![g, h are DH generators]! 1. Hiding: C(m; r) leaks no information about m blinded with random r! 2. Binding: Opening C(m; r) to m m is as hard as finding Dlog g (h)! Pedersen, Torben Pryds. "Non-interactive and information-theoretic secure verifiable secret sharing. CRYPTO, 1991.!

14 Technical Challenge! Problem: Nested commitments are nasty! Length of proof varies with log(degree in exponent)! C(m;r) = g m h r Degree in exponent is 2 256! C(C(m;r);s) = gĝm ĥ r h s

15 Nesting Commitments (I)! Computationally one-way hiding! C(m) = m 3 mod N RSA modulus!! C'(C(m);s) = g m3 h s!!degree 3 à short proof! Down from deg !!Not randomized leaks!!information about hidden m! Order-N group!

16 Nesting Commitments (II)! Perfectly one-way hiding!!!! C(m;r) = m 7 + 3r 7 mod N C'(C(m);s) = g m7 +3r 7 h s!!degree 7 à short proof!!!the binding property follows!!from a new cryptographic assumption! m 7 + 3r 7 = ˆm 7 + 3ˆr 7 mod N

17 Outline! Background! Shorter anonymous coins! New assumption! Evaluation!

18 New Assumption! It s hard to find collisions:!! m 7 + 3r 7 = ˆm 7 + 3ˆr 7 mod N What is the basis for this assumption?! Why C(m;r) = m 7 + 3r 7?! Why not m 3? m 5? 2r 7?.!!!

19 Rational Functions! Consider what operations an adversary can perform modulo N = pq:! a + bmod N a bmod N a * bmod N a / bmod N a mod N Adversary can compute rational functions modulo N!

20 Rational Points on Curves (I)! Finding a collision in C(m;r) is equivalent to finding two points on a curve f(x, y) = c:! f (x, y) = f (x', y') = c If adv can only compute rational functions, then points (x,y) and (x, y ) are rational points on the curve!

21 Rational Points on Curves (II)! Now we have an easier problem!! Find a low-degree poly f(x,y) such that for all c, this curve has 1 rational point:!! f (x, y) = c!!!this is an open problem in!!!number theory.!!!!! If f(x,y) = c only has!!!but, 15-year suspicion one suggests rational that! point,!!! f!(x,! y)! = x! 7 +! 3y! 7!is rationally then a rational!!!collision-free! adversary cannot find collisions! Cornelissen, Gunther. "Stockage diophantien et hypothese abc généralisée." Comptes Rendus de l'académie des Sciences-Series I-Mathematics (1999): 3-8.! Poonen, Bjorn. "Multivariable polynomial injections on rational numbers." arxiv preprint arxiv: (2009).!!

22 Rational Points on Curves (III)! For most polynomials simpler than! f (x, y) = x 7 + 3y 7!we have a collision-finding attack! If you can find a collision in f(x, y) mod N, you either:! (a) answer an open question in num theory, or! (b) mount a irrational attack (a % b mod N)! Jager, Tibor, and Jörg Schwenk. "On the analysis of cryptographic assumptions in the generic ring model." Journal of cryptology 26.2 (2013): !

23 Other applications! This commitment scheme is much faster than existing ones! C(m;r) = m 7 + 3r 7 Potentially useful for chameleon hashing and in a Merkle-Damgard construction!

24 Outline! Background! Shorter anonymous coins! New assumption! Evaluation!

25 Evaluation: Length! 70! Spend Size (KB)! 60! 50! 40! 30! 20! 10! Zerocoin Hide Bind 0! 1024! 2048! 3072! RSA Modulus Size (bits)!

26 Evaluation: Time! 4! 3.5! Mint time (s)! 3! 2.5! 2! 1.5! 1! Zerocoin Hide Bind 0.5! 0! 1024! 2048! 3072! RSA Modulus Size (bits)!

27 Conclusion! Our new commitment schemes bring length of anonymous coins down to ~10 KB! Arguably practical! Schemes all still rely on RSA assumptions! TTP must generate the RSA modulus! Getting rid of RSA requires even stronger assumptions and/or large public params!

28 ! The End! Henry Corrigan-Gibbs! Thanks to Ian Miers, Zooko Wilcox-O Hearn, and Joe Zimmerman for helpful conversations.!!