Distributed Public Key Infrastructure via the Blockchain
Sean Pearl, smp1697@cs.rit.edu
April 28, 2015
Overview
- Motivation: Electronic Money
  - Example TTP: PayPal
- Bitcoin (BTC)
  - Background
  - Structure
  - Other Topics
- Motivation: Public Key Infrastructure
- MIT Certcoin
  - Background
  - Structure
Motivation: Electronic Money
- Currency held in digital form
- Motivations
  - Instant payment, deposit, transfer
  - Buyer protection systems
  - Transaction histories
- Concerns
  - Authorizing transactions
  - Double-spending
- Centralized and decentralized systems
Motivation: Electronic Money
- Centralized systems (trusted third parties)
  - Credit cards
  - Banking systems
  - Internet payment services: PayPal
  - Convertible virtual currencies
  - Digital wallets: Google Wallet, Apple Pay, LoopPay
Example TTP: PayPal (client side)
- Web interface over TLS (SSL 3.0 and later)
- Server certificate issued by a CA (Symantec)
  - CA signature: 2048-bit RSA over a SHA-1 digest (SHA-1 certificate signatures have since been deprecated by browsers)
  - PayPal's public key: 2048-bit RSA
- Key agreement: RSA key transport (the server's long-term key decrypts the session secret, so there is no forward secrecy)
- Symmetric encryption: AES-256 in cipher block chaining (CBC) mode
Example TTP: PayPal (back end)
- OpenID user authentication
- Proprietary balance/transaction model and database
- Fees on certain transactions
- Interest earned by PayPal on balances held in user accounts
- Proprietary bank and credit card interfaces
  - Bank account and credit card information stored securely by PayPal
  - Marketed as an additional layer of security
Motivation: Electronic Money
- Decentralized systems: cryptocurrencies
  - Bitcoin (BTC)
  - At least 677 coin projects based on the BTC code base
    - Litecoin (LTC)
    - Namecoin (NMC)
    - Many defunct
  - Independent designs: Bytecoin (BCN), Ripple (XRP)
- [Figure: map of cryptocurrency projects]
Background: Bitcoin (BTC)
- "Satoshi's" 2008 white paper; bitcoind released as open source in 2009
- Coin as a chain of digital signatures
  - Past ownership can be verified back to the coin's entry into circulation
  - No inherent double-spending protection
- Distributed transaction ledger
  - Chains blocks of transactions
  - Decentralized alternative to a TTP
  - Proof-of-work establishes legitimacy
Bitcoin Structure: Transaction
- Intent to transfer coins
- List of inputs: sources of the coins being spent
  - Number of inputs
  - References to previous outputs
    - Hash of the previous transaction
    - Index of the output within it
  - ECDSA signature and public key (generally)
    - Establishes ownership of the output's address
Bitcoin Structure: Transaction
- List of outputs: destinations for the coins being spent
  - Number of outputs
  - Destination: a Bitcoin address (generally)
  - Amount, expressed in satoshi (1 satoshi = 10^-8 BTC)
- Change: input value not assigned to any output becomes the miner's fee, so the sender adds an output back to an address it controls for the remainder
Bitcoin Structure: Transaction Verification
- Inputs must be authorized
  - Pay-to-address (pay-to-pubkey-hash)
    - The supplied ECDSA public key hashes to the address
    - Addresses are intended to be single-use
    - The digital signature verifies under that public key
  - Pay-to-script (pay-to-script-hash)
    - Script supplied in the referenced output
    - Valid solution supplied in the referencing input
    - Multiple-signature verification (generally)
[Figure slides: Bitcoin transaction structure]
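The inputs, outputs, change and the double-spending concern from the transaction slides, as an added example that is not from the slides or from Bitcoin's own code. It assumes a placeholder `owner` tag in place of a real input's ECDSA public key and signature, and the transactions are constructed sample data; the network rule it shows is that an input must reference an output that is still unspent and owned by the spender, and that whatever input value the outputs do not claim is the fee.

```python
"""Toy UTXO ledger for the transaction slides.

Added example, not from the slides or from Bitcoin's code. A transaction spends
previous outputs by (txid, index); the double-spend rule is simply "that
outpoint must still be unspent". Assumption: the ECDSA public key and
signature of a real input are replaced by an `owner` tag that must equal the
address the referenced output paid to."""
import hashlib
import json

SATOSHI_PER_BTC = 10 ** 8


def txid(tx):
    """Double SHA-256 of a canonical serialisation, as Bitcoin does (hex)."""
    raw = json.dumps(tx, sort_keys=True).encode()
    return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()


class UTXOSet:
    """Unspent outputs keyed by outpoint (txid, index) -> {"to": address, "amount": satoshi}."""

    def __init__(self):
        self.unspent = {}

    def add_coinbase(self, to, amount):
        """Mining reward: a transaction with no inputs that creates new coins."""
        tx = {"inputs": [], "outputs": [{"to": to, "amount": amount}]}
        tid = txid(tx)
        self.unspent[(tid, 0)] = tx["outputs"][0]
        return tid

    def apply(self, tx):
        """Verify tx against the current UTXO set and apply it.

        Returns the fee (input value not claimed by any output). Raises
        ValueError when an input is unknown or already spent, is not owned by
        the spender, or the outputs exceed the inputs."""
        total_in, spent = 0, set()
        for inp in tx["inputs"]:
            outpoint = (inp["txid"], inp["index"])
            if outpoint in spent:
                raise ValueError("same outpoint used twice in one transaction")
            prev = self.unspent.get(outpoint)
            if prev is None:
                raise ValueError("input references an unknown or already spent output")
            if prev["to"] != inp["owner"]:      # stands in for pubkey-hash + ECDSA signature check
                raise ValueError("input not authorised by the output's owner")
            spent.add(outpoint)
            total_in += prev["amount"]
        total_out = sum(o["amount"] for o in tx["outputs"])
        if any(o["amount"] < 0 for o in tx["outputs"]) or total_out > total_in:
            raise ValueError("outputs exceed inputs")
        for outpoint in spent:                  # commit: consume inputs, create outputs
            del self.unspent[outpoint]
        tid = txid(tx)
        for i, out in enumerate(tx["outputs"]):
            self.unspent[(tid, i)] = out
        return total_in - total_out


def demo():
    """Coinbase -> Alice; Alice pays Bob with explicit change; Bob's double spend is rejected."""
    utxo = UTXOSet()
    cb = utxo.add_coinbase("alice", 50 * SATOSHI_PER_BTC)            # constructed sample data
    pay = {"inputs": [{"txid": cb, "index": 0, "owner": "alice"}],
           "outputs": [{"to": "bob", "amount": 30 * SATOSHI_PER_BTC},
                       {"to": "alice", "amount": 20 * SATOSHI_PER_BTC - 10_000}]}  # change, minus fee
    fee = utxo.apply(pay)                                               # 10_000 satoshi
    pay_id = txid(pay)
    spend1 = {"inputs": [{"txid": pay_id, "index": 0, "owner": "bob"}],
              "outputs": [{"to": "carol", "amount": 30 * SATOSHI_PER_BTC}]}
    utxo.apply(spend1)
    spend2 = {"inputs": [{"txid": pay_id, "index": 0, "owner": "bob"}],   # same outpoint again
              "outputs": [{"to": "dave", "amount": 30 * SATOSHI_PER_BTC}]}
    try:
        utxo.apply(spend2)
        return None                                                     # should not happen
    except ValueError:
        return fee
```

The ordering of the checks matters: the owner and unspent checks run over every input before anything is committed, so a transaction that mixes one valid and one already-spent input leaves the UTXO set untouched.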
Bitcoin Structure: Blockchain
- A public, distributed, cryptographic ledger
  - Public: fully visible to clients
  - Distributed: decentralized, peer-to-peer transmission
  - Cryptographic: digitally signed transactions, proof-of-work
  - Ledger: transactional database
Bitcoin Structure: Blockchain
- Blocks: sequences of signed and verified transactions
  - Published and distributed at roughly one per 600 s (10 minutes)
  - Magic number, size
  - Header
    - Hash of the previous block (the chain link)
    - Merkle root hash of the block's transactions
    - Timestamp
    - Target and nonce (mining)
  - Number of transactions, list of transactions
Bitcoin Structure: Blockchain
- Chaining
  - Orders and timestamps transactions
  - Prevents double-spending
  - Reinforces the legitimacy of previous blocks
[Figure slide: Bitcoin blockchain]
Bitcoin Structure: Mining
- Transactions are distributed among peers
- Miners
  - Verify transactions
  - Arrange them into blocks and solve the blocks
- Proof-of-work: Hashcash-style, using double SHA-256 (SHA-256^2)
  - The block header hash must start with the target number of 0 bits
  - Found by manipulating the nonce
  - Each additional required zero bit doubles the expected work (exponential difficulty control)
  - Target retuned every 2016 blocks from the observed block interval, so blocks keep arriving at ~1 per 600 s
Bitcoin Structure: Mining
- Network
  - Verifies and accepts new blocks
  - Rewards miners: newly created bitcoins plus the transaction fees (input value not claimed by outputs)
- Synchronization and forking
  - Multiple blocks chained to one predecessor
  - The "longest" chain wins, meaning the one with the largest proven body of work
Bitcoin Structure: Standards
- Hashes
  - Double SHA-256 (SHA-256^2): blocks, transactions
  - SHA-256 followed by RIPEMD-160: addresses
- Digital signatures
  - Elliptic Curve Digital Signature Algorithm (ECDSA)
  - Proposed: Lamport signatures for quantum security (hash-based; each key may sign only one message)
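The Lamport scheme the slide lists as a proposed quantum-resistant alternative, as an added example (not code from the slides or from any Bitcoin proposal). It uses only the standard library, the messages are constructed, and it also shows why the keys are one-time: every signature reveals half of the private key, so an attacker who sees a key reused can assemble a signature on a message of their own choosing.

```python
"""Lamport one-time signatures over SHA-256. Added example, stdlib only.
The key-reuse attack at the end is why a Lamport key must sign exactly once."""
import hashlib
import secrets

N = 256                                  # one (secret_0, secret_1) pair per digest bit


def keygen():
    """Private key: 2N random 32-byte secrets; public key: their SHA-256 hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return pk, sk


def _bits(msg):
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk, msg):
    """Reveal, for each digest bit i, the secret sk[i][bit]."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg, sig):
    """Each revealed secret must hash to the public value selected by the digest bit."""
    return len(sig) == N and all(hashlib.sha256(s).digest() == pk[i][b]
                                 for i, (b, s) in enumerate(zip(_bits(msg), sig)))


def leaked_secrets(observed):
    """Attacker's view after seeing (msg, sig) pairs under ONE key: {(i, bit): secret}."""
    known = {}
    for msg, sig in observed:
        for i, (b, s) in enumerate(zip(_bits(msg), sig)):
            known[(i, b)] = s
    return known


def forge(known, msg):
    """Sign msg from leaked secrets alone; None if some needed secret was never revealed."""
    bits = _bits(msg)
    if any((i, b) not in known for i, b in enumerate(bits)):
        return None
    return [known[(i, b)] for i, b in enumerate(bits)]


def demo():
    """A valid signature verifies; a key reused 40 times lets the attacker sign anything."""
    pk, sk = keygen()
    m1, m2 = b"pay 1 BTC to alice", b"pay 1 BTC to bob"            # constructed messages
    one_shot = verify(pk, m1, sign(sk, m1)) and not verify(pk, m2, sign(sk, m1))
    observed = [(b"msg %d" % i, sign(sk, b"msg %d" % i)) for i in range(40)]  # key reuse
    target = b"pay 100 BTC to mallory"
    forged = forge(leaked_secrets(observed), target)
    return one_shot and forged is not None and verify(pk, target, forged)
```

After two signatures roughly three quarters of the 512 secrets are public; after 40 the chance that any bit position of a fresh message is still uncovered is about 256 * 2^-40, which is why `demo` forges reliably. Schemes that get many signatures out of hash-based keys do so by layering a Merkle tree over many one-time keys, which is exactly the data structure the next slides describe.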
Bitcoin Structure: Standards
- Merkle trees
  - Reduce storage: spent transactions can be pruned after some number of blocks
  - Simplified verification
    - The user obtains only block headers
    - Forms the longest chain up to the block containing the transaction
    - Verifies presence of the transaction by obtaining its Merkle branch
    - Basis: the network's acceptance of that block
[Figure slide: Bitcoin Structure: Pruning]
[Figure slide: Bitcoin Structure: Verification]
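The block header, nonce search, header-chain validation, most-work rule and simplified verification from the blockchain, mining and Merkle-tree slides above, as one added example (not code from the slides or from Bitcoin Core). It keeps Bitcoin's double SHA-256 and the Merkle rule of duplicating the last hash on odd levels, but simplifies the header layout, states the target directly as a number of leading zero bits, and uses constructed sample transactions.

```python
"""Toy block chain: proof-of-work headers, Merkle roots, SPV checks.

Added example; not code from the slides or Bitcoin Core. Hashing is Bitcoin's
double SHA-256, but the header layout is simplified and the target is given
directly as a required count of leading zero bits (assumption)."""
import hashlib


def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root_and_branch(txids, index):
    """Merkle root of txids plus the branch proving txids[index] is a leaf.

    The branch is a list of (sibling_hash, sibling_is_right) from leaf to root.
    Like Bitcoin, an odd-length level duplicates its last hash."""
    level, branch = list(txids), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        if index % 2 == 0:
            branch.append((level[index + 1], True))
        else:
            branch.append((level[index - 1], False))
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], branch


def verify_branch(txid, branch, root):
    """Recompute the path from the leaf; an SPV client needs only this and the header."""
    h = txid
    for sibling, sibling_is_right in branch:
        h = sha256d(h + sibling) if sibling_is_right else sha256d(sibling + h)
    return h == root


def block_hash(hdr):
    raw = (hdr["prev"] + hdr["merkle_root"] + hdr["time"].to_bytes(4, "little")
           + hdr["bits"].to_bytes(4, "little") + hdr["nonce"].to_bytes(4, "little"))
    return sha256d(raw)


def meets_target(hdr):
    """Proof-of-work: the header hash must start with hdr["bits"] zero bits."""
    return int.from_bytes(block_hash(hdr), "big") < (1 << (256 - hdr["bits"]))


def mine(prev_hash, txids, zero_bits, timestamp=0):
    """Miner: fix the Merkle root, then search the nonce (rolling the timestamp on wrap)."""
    root, _ = merkle_root_and_branch(txids, 0)
    hdr = {"prev": prev_hash, "merkle_root": root, "time": timestamp, "bits": zero_bits, "nonce": 0}
    while not meets_target(hdr):
        hdr["nonce"] += 1
        if hdr["nonce"] == 1 << 32:
            hdr["nonce"], hdr["time"] = 0, hdr["time"] + 1
    return hdr


def validate_headers(headers):
    """Header-only chain check: each header links to its predecessor and meets its target."""
    prev = b"\x00" * 32
    for hdr in headers:
        if hdr["prev"] != prev or not meets_target(hdr):
            return False
        prev = block_hash(hdr)
    return True


def chain_work(headers):
    """Expected hashes behind a chain; on a fork the chain with the most work wins."""
    return sum(1 << hdr["bits"] for hdr in headers)


def spv_verify(headers, height, txid, branch):
    """Simplified verification: headers only, plus the Merkle branch for one transaction."""
    return (validate_headers(headers) and height < len(headers)
            and verify_branch(txid, branch, headers[height]["merkle_root"]))


def demo(zero_bits=12):
    """Mine two blocks, prove tx 3 of block 1 to an SPV client, show a forged tx fails."""
    txids = [sha256d(b"tx%d" % i) for i in range(5)]      # constructed sample transactions
    genesis = mine(b"\x00" * 32, [sha256d(b"coinbase")], zero_bits)
    block1 = mine(block_hash(genesis), txids, zero_bits, timestamp=600)
    _, branch = merkle_root_and_branch(txids, 3)
    genuine = spv_verify([genesis, block1], 1, txids[3], branch)
    forged = spv_verify([genesis, block1], 1, sha256d(b"forged"), branch)
    return genuine and not forged
```

Because a change to any transaction changes the Merkle root and therefore the header hash, an attacker who wants to substitute a transaction in a block would have to redo that block's proof-of-work and every block after it; `chain_work` is the quantity the rest of the network compares when it chooses between the honest chain and such a rewrite.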
Bitcoin: Other Topics
- Wallets
- Exchanges (Mt. Gox)
- Privacy and anonymity
- Usage
- Overlay networks
- Controversy
Other Blockchain Applications
- Cryptocurrencies: Bitcoin, Litecoin, ...
- Data storage
  - Namecoin (NMC), Emercoin NVS (EMC): decentralized DNS
  - Storj (SJCX): decentralized encrypted cloud storage
  - Darkleaks (BTC overlay): decentralized leaks
Questions so far?
Motivation: Public Key Infrastructure
- Manage and distribute public keys
- Motivations
  - Digital signature systems
  - Asymmetric-key encryption
  - Secure key agreement
- Concerns
  - Identity spoofing
  - Key revocation
Motivation: Public Key Infrastructure
- Certificate authorities: trusted third parties
  - Single point of failure (DigiNotar, Trustwave)
  - Key recovery services
- Web of trust: distributed system
  - High barrier to entry (PGP)
  - Key loss
Motivation: Public Key Infrastructure
- Blockchain: PKI operations carried in transactions, built on a DNS/identity system
- PKI operations
  - Register a key/domain
  - Update a public key
  - Look up a public key
  - Revoke a lost key
  - Others, depending on the implementation
Background: Certcoin
- MIT, 2014; Fromknecht, Velicanu, Yakoubov (students of Ron Rivest)
- Built on Namecoin (NMC), a fork of BTC
  - Records rather than plain transactions
  - Record expiry
  - Record fees are not given to miners
  - Merged mining
  - Provides DNS and some PKI
Certcoin Structure: Registration
- Low fixed fee
- Owner posts a record to the blockchain
  - User ID (domain, email)
  - User-generated public keys and their algorithms
    - Online key, for message authentication
    - Offline key, for revocation
  - Signatures and their algorithms
    - ID signed with the online private key
    - ID signed with the offline private key
Certcoin Structure: Registration Verification
- Performed by miners and the network
  - ID has not been previously registered, or the previous registration is no longer valid (Namecoin record expiration and renewal period)
  - Valid algorithm choice
  - Verify the online digital signature
  - Verify the offline digital signature
Certcoin Structure: Update
- Free
- Owner posts an update record
  - ID
  - Key type (online or offline)
  - Old public key
  - New public key and algorithm
  - ID and new key signed by the old private key
  - ID signed by the new private key
Certcoin Structure: Update Verification
- Performed by miners and the network
  - Verify ownership of the old public key: it must be the ID's most recent operation of that key type, chaining back to the registration
  - Verify the signature using the old public key
  - Verify the signature using the new public key
Certcoin Structure: Revocation
- Owner posts a revocation record
  - ID
  - Offline public key
  - Old online public key
  - New online public key and algorithm
  - ID and new online key signed by the offline private key
  - ID signed by the new online private key
Certcoin Structure: Revocation Verification
- Performed by miners and the network
  - Verify ownership of the old online public key
  - Verify ownership of the offline public key
  - Verify the signature using the offline public key
  - Verify the signature using the new online public key
- Does not cover loss of the offline private key
  - Proposed solution: Shamir secret sharing, perhaps in version 1
Certcoin Structure: Lookup
- Traverse the blockchain
  - Verify the ID's registration
  - Initialize the public key of the relevant type from it
  - For each subsequent operation on that ID and key type:
    - Verify the record's old key equals the current key
    - Verify the signature under the old key
    - Verify the signature under the new key
    - Set the current public key to the new key
Certcoin Structure: Lookup
- Confirm the owner holds the private key before communicating
  - Zero-knowledge proof of possession; algorithm-dependent and external to Certcoin
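The registration, update, revocation and lookup records from the Certcoin structure slides, together with the miner-side verification of each, as one added example; it is not the Certcoin authors' code. Certcoin is algorithm-agnostic, so to keep the file standard-library-only it assumes a textbook RSA toy (no padding, primes from a small Miller-Rabin generator; insecure, for illustration only). Two further choices are the example's own: each signature binds the ID to the key being introduced rather than signing the bare ID, and record expiry is omitted. The same traversal serves both roles, miners deciding whether to accept a posted record and clients looking up the current keys.

```python
"""Toy Certcoin-style record chain: registration, update, revocation, lookup.
Added example, not the Certcoin authors' code; stdlib only, so signatures are
textbook RSA over a Miller-Rabin prime generator (assumption: insecure toy)."""
import hashlib
import random

def _is_probable_prime(n, rounds=12):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                                       # Miller-Rabin witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while not _is_probable_prime(c := random.getrandbits(bits) | 1 << (bits - 1) | 1):
        pass                                                      # top bit set, odd
    return c

def keygen(bits=512):
    """Toy RSA: ((n, e), (n, d)); n > 2^256 so a SHA-256 digest sits below it."""
    e, p, q = 65537, 0, 0
    while p == q or (p - 1) * (q - 1) % e == 0:                   # need gcd(e, phi) == 1
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _h(*parts):
    return int.from_bytes(hashlib.sha256("|".join(parts).encode()).digest(), "big")
def sign(sk, *parts):
    return pow(_h(*parts), sk[1], sk[0])
def verify(pk, sig, *parts):
    return pow(sig, pk[1], pk[0]) == _h(*parts)

# Owner side: the three record types from the slides (signatures bind ID + key).
def registration(ident, online, offline):
    (on_pk, on_sk), (off_pk, off_sk) = online, offline
    return {"op": "register", "id": ident, "online": on_pk, "offline": off_pk,
            "sig_online": sign(on_sk, ident, "online", str(on_pk)),
            "sig_offline": sign(off_sk, ident, "offline", str(off_pk))}

def update_record(ident, key_type, old, new):
    (old_pk, old_sk), (new_pk, new_sk) = old, new
    return {"op": "update", "id": ident, "type": key_type, "old": old_pk, "new": new_pk,
            "sig_old": sign(old_sk, ident, key_type, str(new_pk)),
            "sig_new": sign(new_sk, ident, key_type)}

def revocation(ident, offline, old_online_pk, new_online):
    (off_pk, off_sk), (new_pk, new_sk) = offline, new_online
    return {"op": "revoke", "id": ident, "offline": off_pk, "old_online": old_online_pk,
            "new_online": new_pk, "sig_offline": sign(off_sk, ident, "revoke", str(new_pk)),
            "sig_new": sign(new_sk, ident, "online")}

def lookup(ledger, ident):
    """Client side: walk the chain verifying every operation on ident. Returns
    {"online": pk, "offline": pk}, None if unregistered; ValueError on a bad record."""
    keys = None
    for rec in (r for r in ledger if r["id"] == ident):
        if rec["op"] == "register":
            ok = keys is None and verify(rec["online"], rec["sig_online"], ident, "online", str(rec["online"])) \
                and verify(rec["offline"], rec["sig_offline"], ident, "offline", str(rec["offline"]))
            keys = {"online": rec["online"], "offline": rec["offline"]}
        elif keys is None:
            ok = False                                            # operation before registration
        elif rec["op"] == "update":
            t = rec["type"]                                       # old key must be the current one
            ok = rec["old"] == keys.get(t) and verify(rec["old"], rec["sig_old"], ident, t, str(rec["new"])) \
                and verify(rec["new"], rec["sig_new"], ident, t)
            keys[t] = rec["new"]
        else:                                                     # revoke: offline key authorises
            ok = rec["offline"] == keys["offline"] and rec["old_online"] == keys["online"] \
                and verify(rec["offline"], rec["sig_offline"], ident, "revoke", str(rec["new_online"])) \
                and verify(rec["new_online"], rec["sig_new"], ident, "online")
            keys["online"] = rec["new_online"]
        if not ok:
            raise ValueError("invalid %s record for %s" % (rec["op"], ident))
    return keys

def post(ledger, rec):
    """Miner side: append the record only if the chain including it still verifies."""
    try:
        lookup(ledger + [rec], rec["id"])
    except ValueError:
        return False
    ledger.append(rec)
    return True

def demo():
    """Register, reject a squatter, rotate the online key, reject a hijack, revoke."""
    ledger, on, off, on2, on3 = [], keygen(), keygen(), keygen(), keygen()
    ok1 = post(ledger, registration("paypal.com", on, off))
    squat = post(ledger, registration("paypal.com", keygen(), keygen()))        # duplicate ID
    ok2 = post(ledger, update_record("paypal.com", "online", on, on2))           # rotation
    hijack = post(ledger, update_record("paypal.com", "online", keygen(), on3))  # wrong old key
    ok3 = post(ledger, revocation("paypal.com", off, on2[0], on3))               # online key lost
    return ok1 and ok2 and ok3 and not squat and not hijack and lookup(ledger, "paypal.com")["online"] == on3[0]
```

Note what `post` does not check: nothing stops the first party to post a registration for an ID from holding it, so as in Namecoin the system prevents hijacking of a registered name but not squatting of an unregistered one, and the offline key is the last line of defence, which is why its loss (slide on revocation verification) is the open problem the authors flag.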
Example: PayPal Using Certcoin Instead of a CA
- Look up PayPal by traversing the blockchain
  - Verifiable chain of ownership
  - Proof-of-work establishing legitimacy
- PayPal's online public key: 2048-bit RSA
- Key agreement with RSA
- Symmetric encryption with AES-256 in cipher block chaining mode
Questions?
References
1. C. Fromknecht, D. Velicanu and S. Yakoubov, "CertCoin: A NameCoin Based Decentralized Authentication System," May 12, 2014.
2. C. Fromknecht, D. Velicanu and S. Yakoubov, "A Decentralized Public Key Infrastructure with Identity Retention," November 11, 2014.
3. EmerCoin, "Using EmerCoin NVS to deploy and manage Public Key Infrastructure (PKI)."
4. J. Benaloh and M. de Mare, "One-way accumulators: a decentralized alternative to digital signatures," Advances in Cryptology - EUROCRYPT '93, LNCS vol. 765, Springer-Verlag, 1993, pp. 274-285.
5. N. Fazio and A. Nicolosi, "Cryptographic Accumulators: Definitions, Constructions and Applications."