
Bitcoin Script


bitcoin-class.org
University of Virginia cs4501
Fall 2015


Bitcoin Script

  1. Class 12: Script. Cryptocurrency Cabal, cs4501 Fall 2015. David Evans and Samee Zahur, University of Virginia.
  2. Plan for Today: Hash Collisions (Checkup 2 Revisions); Bitcoin Script: Language, Transactions. Reminders: PS2 is due Friday at 8:29pm; Project Ideas; Midterm October 19; Monday: Guest lecture from Tom Dukes.
  3. Cryptographic Hash Desiderata: Pre-image resistance: given a z, hard to find any x such that H(x) = z. Collision resistance: hard to find any pair of different values x, y such that H(x) = H(y). Efficient to compute (?)
  4. Hash Functions in Bitcoin: A. Producing the public bitcoin address by hashing the public key. B. Producing a transaction digest for use as the input in signing a transaction. C. Producing the Merkle tree root for authenticating the transactions in a block (using hashes all the way up the tree). D. Producing the hash of the previous block to use in the block header. E. Producing the double hash of the block (with nonces) to find a block that satisfies the difficulty needed in mining.
  5. Generating a Bitcoin Address: generate random secret key k (256 random bits). Image: http://spectrum.ieee.org/computing/hardware/behind-intels-new-randomnumber-generator
  6. Generating a Bitcoin Address: generate random secret key k (256 random bits); compute point Gk on secp256k1 curve (Ux, Uy); G = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8
  7. Generating a Bitcoin Address: generate random secret key k (256 random bits); compute point Gk on secp256k1 curve (Ux, Uy); G = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8; RIPEMD160(SHA256(Ux || Uy))
  8. generate random secret key k (256 random bits); compute point Gk on secp256k1 curve (Ux, Uy); RIPEMD160(SHA256(Ux || Uy)), 1; SHA256(SHA256( - )); RIPEMD160(SHA256(Ux || Uy)), 1, 4 bytes; Public Bitcoin Address; Base58 encoding (unambiguous printable characters)
  9. generate random secret key k (256 random bits); compute point Gk on secp256k1 curve (Ux, Uy); RIPEMD160(SHA256(Ux || Uy)), 1; SHA256(SHA256( - )); RIPEMD160(SHA256(Ux || Uy)), 1, 4 bytes; Public Bitcoin Address; Base58 encoding (unambiguous printable characters). How dangerous are RIPEMD160 collisions?
  10. generate random secret key k (256 random bits); compute point Gk on secp256k1 curve (Ux, Uy); RIPEMD160(SHA256(Ux || Uy)), 1; SHA256(SHA256( - )); RIPEMD160(SHA256(Ux || Uy)), 1, 4 bytes; Public Bitcoin Address; Base58 encoding (unambiguous printable characters). How dangerous are RIPEMD160 + SHA256 collisions?
  11. generate random secret key k (256 random bits); compute point Gk on secp256k1 curve (Ux, Uy); RIPEMD160(SHA256(Ux || Uy)), 1; SHA256(SHA256( - )); RIPEMD160(SHA256(Ux || Uy)), 1, 4 bytes; Public Bitcoin Address; Base58 encoding (unambiguous printable characters). How dangerous are RIPEMD160 + SHA256 pre-image break?
  12. Is there anywhere a SHA-256 collision break would be exploitable? A. Producing the public bitcoin address by hashing the public key. B. Producing a transaction digest for use as the input in signing a transaction. C. Producing the Merkle tree root for authenticating the transactions in a block (using hashes all the way up the tree). D. Producing the hash of the previous block to use in the block header. E. Producing the double hash of the block (with nonces) to find a block that satisfies the difficulty needed in mining.
  13. Is there anywhere a SHA-256 pre-image break would be exploitable? A. Producing the public bitcoin address by hashing the public key. B. Producing a transaction digest for use as the input in signing a transaction. C. Producing the Merkle tree root for authenticating the transactions in a block (using hashes all the way up the tree). D. Producing the hash of the previous block to use in the block header. E. Producing the double hash of the block (with nonces) to find a block that satisfies the difficulty needed in mining.
  14. SHA-256 Collisions? Do there exist two different values, x and y, such that: SHA256(x) = SHA256(y)
  15. SHA-256 Collisions? Do there exist two different values, x and y, such that: SHA256(x) = SHA256(y). Recall birthday attack: probability of finding collision negligible with less than 2^128 inputs.
  16. SHA-256 Collisions? Do there exist two different values, x and y, such that: SHA256(x) = SHA256(y). Does anyone actually know such values today?
  17. What about RIPEMD160? Do there exist two different values, x and y, such that: RIPEMD160(x) = RIPEMD160(y). Does anyone actually know such values today?
  18. Xiaoyun Wang
  19. Differential Cryptanalysis: Discovered openly in 1991
  20. Differential Cryptanalysis: Discovered openly in 1991. Known secretly to IBM and NSA in 1974 (DES design strengthened against it)
  21. Differential Cryptanalysis
  22. How worried should we be about SHA-256?
  23. How worried should we be about SHA-256? Best known collision attacks: work on reduced round version (31 instead of 64 rounds) and have high complexity (2^65 instead of 2^128)
  24. Bitcoin Transactions: http://blockexplorer.bitcoin-class.org/rawtx/f2d90b4ee862c328f42fb24ca5a84051a495af1de0f8d129a5b33cd98822719a Transaction outputs include programs written in “Script”
  25. Script Language: Stack-based (similar to JVML); ~80 opcodes (many have been deprecated); Late addition to bitcoin design; Lots of limitations in what nodes will accept: altcoins are taking different approaches
  26. Interpreting Script: OP_1 OP_DUP OP_ADD OP_DUP OP_SUB OP_VERIFY
  27. Is Script Turing-Complete?
  28. (no text)
  29. (no text)
  30. Interpreting Script
  31. https://github.com/bitcoin/bitcoin/blob/v0.1.5/script.cpp#L41
  32. https://github.com/bitcoin/bitcoin/blob/v0.1.5/script.cpp#L58
  33. Interpreting Script: https://github.com/bitcoin/bitcoin/blob/41e6e4caba9899ce7c165b0784461c55c867ee24/src/script/interpreter.cpp#L524
  34. https://github.com/bitcoin/bitcoin/blob/41e6e4caba9899ce7c165b0784461c55c867ee24/src/script/interpreter.cpp#L524 Version 0.1; Latest. Project idea: look at how bitcoin core code has evolved over time
  35. Charge: PS2 Due Friday. Monday’s class: Tom Dukes, UVa Cyberlaw, State Department
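
The birthday bound from slide 15, as an added example that is not from the lecture: it finds real collisions on SHA-256 truncated to n bits, so the 2^(n/2) scaling behind the 2^128 figure can be measured, and evaluates the standard birthday approximation at full width. The truncation sizes and input strings are constructed for the demonstration.

```python
import hashlib
import math

def truncated_sha256(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA256(data), modelling an n-bit hash function."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits: int):
    """Hash counter values until two different inputs share a truncated digest.

    Returns (x, y, attempts). Remembering every digest seen so far is what
    brings the expected cost down to about 2**(bits/2) hashes.
    """
    seen = {}
    counter = 0
    while True:
        x = b"constructed-input-%d" % counter
        h = truncated_sha256(x, bits)
        if h in seen:
            return seen[h], x, counter + 1
        seen[h] = x
        counter += 1

def collision_probability(inputs: int, bits: int) -> float:
    """Birthday approximation: 1 - exp(-k(k-1) / 2^(n+1)) for k inputs, n-bit hash."""
    return -math.expm1(-inputs * (inputs - 1) / 2.0 ** (bits + 1))

def work_table():
    """(bits, attempts actually needed, 2^(bits/2) estimate) for small truncations."""
    return [(b, find_collision(b)[2], 2 ** (b // 2)) for b in (16, 20, 24, 28)]

if __name__ == "__main__":
    for bits, attempts, estimate in work_table():
        print(f"{bits:2d}-bit hash: collision after {attempts} inputs (2^(n/2) = {estimate})")
    # Full-width SHA-256: still negligible at 2^64 inputs, about 0.39 at 2^128.
    print(collision_probability(2 ** 64, 256), collision_probability(2 ** 128, 256))
    # RIPEMD160's 160-bit output reaches the same probability at 2^80 inputs.
    print(collision_probability(2 ** 80, 160))
```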

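The script on slide 26 traced step by step, as an added example that is not the Bitcoin Core interpreter linked above: a small stack machine covering only the five opcodes on that slide. Assumptions: stack items are Python integers rather than byte vectors, and the names `run`, `OPCODES` and `NEEDS` are invented here.

```python
class ScriptError(Exception):
    """Raised when an opcode makes the script fail."""

def truthy(item: int) -> bool:
    # Simplification: items are ints; real Script stores byte vectors.
    return item != 0

def op_add(stack):
    b, a = stack.pop(), stack.pop()
    stack.append(a + b)

def op_sub(stack):
    b, a = stack.pop(), stack.pop()
    stack.append(a - b)

def op_verify(stack):
    if not truthy(stack.pop()):
        raise ScriptError("OP_VERIFY failed: top of stack was false")

OPCODES = {
    "OP_1": lambda s: s.append(1),
    "OP_DUP": lambda s: s.append(s[-1]),
    "OP_ADD": op_add, "OP_SUB": op_sub, "OP_VERIFY": op_verify,
}
# Minimum stack depth each opcode needs, checked before it runs.
NEEDS = {"OP_DUP": 1, "OP_ADD": 2, "OP_SUB": 2, "OP_VERIFY": 1}

def run(script: str):
    """Execute a space-separated script; return (ok, trace of stack states)."""
    stack, trace = [], []
    # One pass with no jumps or loops: run time is bounded by script length.
    for op in script.split():
        if op not in OPCODES:
            return False, trace + [(op, "unknown opcode")]
        if len(stack) < NEEDS.get(op, 0):
            return False, trace + [(op, "stack underflow")]
        try:
            OPCODES[op](stack)
        except ScriptError as err:
            return False, trace + [(op, str(err))]
        trace.append((op, list(stack)))
    # A script succeeds only if it ends with a true value on top of the stack.
    return bool(stack) and truthy(stack[-1]), trace

SLIDE_SCRIPT = "OP_1 OP_DUP OP_ADD OP_DUP OP_SUB OP_VERIFY"

if __name__ == "__main__":
    ok, trace = run(SLIDE_SCRIPT)
    for op, state in trace:
        print(f"{op:10s} {state}")
    print("valid" if ok else "invalid")
```

The slide's script leaves 0 on the stack after OP_SUB, so OP_VERIFY fails and a transaction relying on it would be rejected.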