Contenu connexe Similaire à Blockchain and Smart Contract Long Term Security (updated) (20) Blockchain and Smart Contract Long Term Security (updated)1. Copyright © 2016 Peter Robinson
Blockchain and Smart Contract Long Term Security
Peter Robinson, peter.robinson@sent.com
Updated November 18, 2016
2. Copyright © 2016 Peter Robinson
Overview
▪ Distributed Ledger and Smart Contract systems have as an underlying
assumption that once transactions are in a block chain, they are locked-in forever.
▪ This presentation analyses whether this immutability can actually be delivered in
the long term, given increasing traditional computational power, the emergence of
quantum computing, and the possibility of cryptographic algorithmic flaws.
▪ Additionally, an idea about distributed systems security is presented.
2
3. Copyright © 2016 Peter Robinson
Caveat on results in these slides
▪ Tentative results are presented herein.
▪ More detailed analysis is needed.
3
4. Copyright © 2016 Peter Robinson
Agenda
▪ Blockchain and Smart Contract Platforms Long Term Security:
▪ Cryptography and Cryptanalysis.
▪ Blockchain Platforms and Cryptanalysis.
▪ Mitigations.
▪ Mitigation for Active Attacks against Distributed Systems.
4
6. Copyright © 2016 Peter Robinson
Cryptography: Algorithms
▪ Digest Algorithm (Hash): SHA256, SHA512, RIPEMD160, KECCAK, SHA3/256:
▪ Variable length input -> Fixed Length Output.
▪ Signing: ECDSA (secp256k1)/Digest Algorithm, RSA/Digest Algorithm:
▪ Sign with private key, verify with public key.
6
7. Copyright © 2016 Peter Robinson
Cryptography: Message Digests / Hashes
7
?
Preimage
Resistance
Hash
n
h(x)
x
Second Preimage
Resistance
Hash
n
h(x)
?
Hash
h(x’)
≠
=
?
Collision
Resistance
Hash
n/2
h(x)
?
Hash
h(x’)
≠
=
8. Copyright © 2016 Peter Robinson
Cryptography: Signatures
▪ Forgeability: Recover private key from public key.
▪ Non-repudiation: Have two public keys P1 and P2 which verify the same
signature.
▪ Integrity: Have two message digests M1 and M2 which when signed with public
key P result in the same signature.
8
9. Copyright © 2016 Peter Robinson
Cryptography: Security Strength
(Assuming no Quantum Cryptanalysis)
9
Security
Strength
RSA ECC Hash
Preimage
Hash
Collision
80 1024 RIPEMD160
112 2048
128 3072 secp256k1 SHA256, Keccak-256,
SHA512/256
160 RIPEMD160
256 SHA256, Keccak-256,
SHA512/256
SHA512
SHA3,512
512 SHA512
SHA3,512
10. Copyright © 2016 Peter Robinson
Traditional Computing Power
10
Ref 1: http://www.extremetech.com/wp-content/uploads/2015/04/MooresLaw2.png
11. Copyright © 2016 Peter Robinson
Security
Strength
RSA ECC Hash
Preimage
Hash
Collision
80 1024 RIPEMD160
112 2048
128 3072 secp256k1 SHA256, Keccak-256,
SHA512/256
160 RIPEMD160
256 SHA256, Keccak-256,
SHA512/256
SHA512, SHA3,512
512 SHA512, SHA3,512
Cryptography: Security Strength
assuming no Quantum Cryptanalysis
11
2010
2030?
12. Copyright © 2016 Peter Robinson
Quantum Cryptanalysis
▪ Shor’s Algorithm: Allows ECC private key to be calculated from ECC public key.
▪ Gover’s Algorithm: Allows algorithms to be executed in square-root time:
▪ Affects message digest algorithms and symmetric key algorithms.
▪ Security Strength after Quantum = (Security Strength Before Quantum) / 2
12
13. Copyright © 2016 Peter Robinson
Quantum Cryptanalysis
▪ When will Quantum Computing and Quantum Cryptanalysis be a reality?
▪ Michele Mosca, Institute for Quantum Computing and Department of
Combinatorics and Optimization, University of Waterloo, said2:
▪ “I estimate a 1/7 chance of breaking RSA-2048 by 2026 and a 1/2 chance by 2031”
▪ Predicts a “Moore’s Law” type of increase in capability.
13
Ref 2: Mosca, M. (2015) “Cybersecurity in an era with quantum computers: will we be ready?”
Available: https://eprint.iacr.org/2015/1075.pdf
14. Copyright © 2016 Peter Robinson
Cryptography: Security Strength
assuming Quantum Cryptanalysis
14
Security
Strength*
RSA ECC Hash
Preimage
Hash
Collision
4 5
19 secp256k1
26 2048
40 RIPEMD160
64 SHA256, Keccak-256,
SHA512/256
80 RIPEMD160
128 SHA256, Keccak-256,
SHA512/256
SHA512, SHA3,512
256 SHA512, SHA3,512
2012
*: Shor algorithm security strength calculated as log2(K * K * log(K) * log(log(K)))
Late 2020s
or 2030s?
15. Copyright © 2016 Peter Robinson
Cryptographic Algorithmic Flaws
15
Ref 3: Preneel, B. (2013) “Introduction to the Design and Cryptanalysis of Cryptographic Hash Functions”
Available: https://www.cosic.esat.kuleuven.be/summer_school_albena/slides/preneel_hash_july2013_shortv1_print.pdf
17. Copyright © 2016 Peter Robinson
Three Attack Scenarios
▪ Attack existing blocks.
▪ Attacking new blocks as they are being made:
▪ Miners either altering transactions being included in blocks or being able to always mine
the best block.
▪ Users either craft transactions masquerading as other users or craft transactions to
double spend.
17
18. Copyright © 2016 Peter Robinson
Bitcoin: Cryptographic Usage4
▪ Main Hash: HM(x) = SHA256(SHA256(x))
▪ Address Hash: HA(x) = RIPEMD160(SHA256(x))
▪ Key Pairs: ECC using secp256k1 curve.
▪ Signatures: ECDSA, with Main Hash.
18
Ref 4: Giechaskiel, I., Cremers, C., Rasmussen, K. (2016) “On Bitcoin Security in the Presence of Broken Crypto Primitives”
19. Copyright © 2016 Peter Robinson
Ripple Cryptographic Usage
▪ Main Hash: HM(x) = 256 bit truncated SHA512(x)
▪ Address Hash: HA(x) = RIPEMD160(SHA256(x))
▪ Key Pairs: ECC using secp256k1 curve.
▪ Signatures: ECDSA, with Main Hash.
19
20. Copyright © 2016 Peter Robinson
Ethereum Cryptographic Usage
▪ Main Hash: HM(x) = KECCAK-256(x)
▪ Address Hash: HA(x) = 160 bit truncated KECCAK-256(x)
▪ Key Pairs: ECC using secp256k1 curve.
▪ Signatures: ECDSA, with Main Hash.
20
21. Copyright © 2016 Peter Robinson
Cryptography: Security Strength
assuming Quantum Cryptanalysis
21
Security
Strength
Hash
Preimage
Hash
Second Preimage
Hash
Collision
40 Keccak-256/160,
RIPEMD160(SHA256(x))
64 SHA256(SHA256(x)),
Keccak-256, SHA512/256
80 Keccak-256/160 Keccak-256/160,
RIPEMD160(SHA256(x))
128 SHA512/256 SHA256(SHA256(x)),
Keccak-256, SHA512/256
208 RIPEMD160(SHA256(x))
256 SHA256(SHA256(x))
22. Copyright © 2016 Peter Robinson
Attack Existing Blocks
Message Digest Algorithm Issues
Breakage Address Hash (HA) Main Hash (HM)
Collision None None
Second pre-image Repudiate transaction Repudiate transaction
Pre-image
Uncover public key associated
with address None
22
23. Copyright © 2016 Peter Robinson
Attack Existing Blocks
Signature Algorithm Issues
Breakage Effect
Selective forgery
Determine private key based on public
key, then execute transactions
Integrity break Repudiate transaction
Repudiation None
23
24. Copyright © 2016 Peter Robinson
Miner Attack
Message Digest Algorithm Issues
Breakage Address Hash (HA) Main Hash (HM)
Collision Repudiate transaction
Double spend and execute
transactions and then
repudiate them
Second pre-image Repudiate transaction
Double spend and execute
transactions and then
repudiate them
Pre-image
Uncover public key associated
with address
Complete failure of the
blockchain: be able to
determine best block more
easily than other miners.
24
25. Copyright © 2016 Peter Robinson
Miner Attack
Signature Algorithm Issues
Breakage Effect
Selective forgery
Determine private key based on
public key, then execute transactions
Integrity break Repudiate transaction
Repudiation None
25
26. Copyright © 2016 Peter Robinson
User Attack
Message Digest Algorithm Issues
Breakage Address Hash (HA) Main Hash (HM)
Collision Repudiate transaction
Double spend and execute
transactions and then
repudiate them
Second pre-image Repudiate transaction
Double spend and execute
transactions and then
repudiate them
Pre-image
Uncover key associated with
address None
26
27. Copyright © 2016 Peter Robinson
User Attack
Signature Algorithm Issues
Breakage Effect
Selective forgery None
Integrity break
Execute transactions and then
repudiate them
Repudiation
Execute transactions and then
repudiate them
27
29. Copyright © 2016 Peter Robinson
Mitigations: Better Use of Existing Algorithms
▪ Use stronger algorithms for Address Hash and Main Hash.
▪ Address Hash:
▪ SHA 512(SHA 512(x)) or
▪ SHA3/512(x)
▪ Main Hash:
▪ SHA 512(SHA 512(x)) or
▪ SHA3/512(x)
29
30. Copyright © 2016 Peter Robinson
Cryptography: Security Strength
assuming Quantum Cryptanalysis
30
Security
Strength
Hash
Preimage
Hash
Second Preimage
Hash
Collision
40 Keccak-256/160,
RIPEMD160(SHA256(x))
64 SHA256(SHA256(x)),
Keccak-256, SHA512/256
80 Keccak-256/160 Keccak-256/160,
RIPEMD160(SHA256(x))
128 SHA512/256 SHA256(SHA256(x)),
Keccak-256, SHA512/256
SHA 512(SHA 512(x)),
SHA3/512(x)
208 RIPEMD160(SHA256(x))
256 SHA256(SHA256(x)), SHA3/512(x) SHA 512(SHA 512(x)), SHA3/512(x)
512 SHA 512(SHA 512(x))
31. Copyright © 2016 Peter Robinson
Mitigations: Post-Quantum
▪ USA’s NIST are looking to standardize post-quantum algorithms by 20225.
▪ Lattice Based Signature Algorithms:
▪ Different type of mathematics to RSA and ECC.
▪ Historically, Lattice based algorithms have been found to be not as strong as first
thought after two to five years of cryptanalysis.
▪ Sphincs:
▪ Based on well understood message digest algorithms.
▪ Larger public keys, private keys and signatures.
31
Ref 5: http://csrc.nist.gov/groups/ST/post-quantum-crypto/documents/pqcrypto-2016-presentation.pdf
32. Copyright © 2016 Peter Robinson
Mitigations: Be Prepared to Change
▪ Blockchain platforms need to have migration plans in place.
▪ Allow for multiple algorithms:
▪ Should allow for faster transition in case of a sudden event: stop accepting transactions
which use one algorithm.
▪ Can lead to downgrade attacks.
▪ Learn from other domains such as Transport Layer Security.
▪ Plan for:
▪ Larger signatures and larger identifiers.
▪ Re-sign entire blockchain.
▪ Roll-over all keys to newer algorithms.
32
33. Copyright © 2016 Peter Robinson
Mitigation for
Active Attacks against
Distributed Systems
34. Copyright © 2016 Peter Robinson
Using Blockchain to provide
Defence in Depth against Active Attacks
▪ Web applications and SaaS can be delivered as scalable cloud services.
▪ These services can be viewed as distributed systems.
▪ Active attackers may Powerfully Own (POWN) parts of the distributed system.
▪ Distributed Ledgers could be used as a resilient distributed database.
▪ Challenges:
▪ Performance.
▪ Non-proof of work consensus algorithms which are resilient to active attack.
▪ Dynamic scaling.
34
36. Copyright © 2016 Peter Robinson
Future Work
▪ More detailed analysis to verify the results presented herein.
▪ Hyper Ledger needs to be reviewed.
▪ Proof of Stake protocols need to be considered.
36
37. Copyright © 2016 Peter Robinson
Summary
▪ Cryptography is a dynamic field. Things change:
▪ Quantum Cryptanalysis may become a reality.
▪ Processing power is still ever increasing despite declarations, “Moore’s Law is dead”.
▪ Breaks in cryptographic algorithms happen from time to time.
▪ Plan for change:
▪ Do mitigation planning and determine migration paths.
▪ Start executing changes now which can be done now.
37