
Blockchain-Based Security Protocol Design

2020-01-12 | 60 pages | ppt | 2MB | 22 reads

Roadmap
1 Introduction to Blockchain
2 Blockchain & cryptocurrency
3 Blockchain & e-voting
4 Blockchain & PDP
5 Conclusion

1 Introduction to Blockchain

Blockchain
- A chain of blocks
- Public ledger / database
- Records all transactions across a P2P network
- Shared between participants
How does a blockchain work? - example… (figure)

Main features (four characterizing elements)
- Public: publicly accessible
- Decentralized: no central party
- Distributed: approved by most peers
- Immutable: cannot be tampered with

Components
- Transaction: records source, destination, amounts, etc…
- Block: a list of transactions
- Blockchain: a chain of blocks
(Figure: each block carries a "trans: H( )" field, the hash of its transactions, and a "prev: H( )" field, the hash of the previous block.)

Smart contracts
- Traditional blockchain protocols were designed with a script language that makes protocols like this one (figure)
- Blockchain 2.0 ---- Ethereum, or blockchain with an expressive programming language
- The programming language makes it ideal for smart contracts (Turing-complete)
- A smart contract is a computer program executed in a secure environment that directly controls digital assets
- Most public blockchains are for cryptocurrencies (they can only transfer coins between users)
- Smart contracts enable many more applications

Difference: Bitcoin vs Ethereum
Bitcoin                                   Ethereum
"A Peer-to-Peer Electronic Cash System"   "Generalized state-transition machine"
Satoshi Nakamoto (pseudonymous)           Vitalik Buterin (co-founder of Bitcoin Magazine)
Intentionally-limited scripting language  Turing-complete programming language
UTXO-based framework                      Account-based framework
Released January 3, 2009                  Released July 30, 2015
10-minute block time                      15-second block time

Application areas (figure): Energy, Shipping, Government, Healthcare, Finance, Cryptocurrency, Insurance, Trading, Key management, Manufacturing, Voting, IoT, Transportation, Funding, Smart Contract.

2 Blockchain & cryptocurrency
- Thousands of cryptocurrencies have been launched
- Various features and demands
- Top 2: Bitcoin & Ethereum

Bitcoin privacy
- The blockchain is a history of every Bitcoin transaction ever!
- Identifiers are public keys, not names ("pseudonyms")
- You can make as many public keys as you want
- But these still leak information!
Example (figure): Alice buys a teapot at Bigbox store; a single transaction with amounts 5, 3, 6, 8.

Linking addresses
- Shared spending is evidence of joint control
- Addresses can be linked transitively
Change addresses (figure with amounts 5, 3, 6, 8, .5, .5): which address is the change?

Privacy guarantee
- A public key does not need to be "certified": payers can generate as many public keys as they wish
- The payee's public key is hashed; it is revealed in the spend transaction
- The Bitcoin transaction amount is known

References
- Miers, Garman, Green, Rubin. Zerocoin: Anonymous Distributed E-Cash from Bitcoin. IEEE S&P 2013.
- Ben-Sasson, Chiesa, Garman, Green, Miers, Tromer, Virza. Zerocash: Decentralized Anonymous Payments from Bitcoin. IEEE S&P 2014.

Privacy-enhancing techniques (timeline figure): Dash, Zcoin, Zcash, Monero (years shown on the slide: 2014, 2013, 2014, 2014).

Main privacy-preserving techniques
Scheme     Payer                     Payee                     Amount
Bitcoin    Pseudonym                 Pseudonym                 ×
Dash       Mix                       Mix                       Mix
Zerocoin   Commitment                ×                         ×
Zerocash   Nested commitment         Key-private encryption    Nested commitment
Monero     Linkable ring signature   CryptoNote                Pedersen commitment

Anonymity is not always desirable
- Money laundering, drug trading, cybercrime
- Example… WannaCry: Bitcoin → Monero
- Anonymity vs. accountability

Our solution
- Introduce the concept of Traceable Monero
- Formalize the system model and the security model
- Describe two concrete mechanisms
- Implement the proposals
Traceable Monero = anonymity (Monero) + traceability (verifiable encryption + signature of knowledge)

Protocol workflow (figure)
- Transaction phase: the payer spends from input accounts pk1 … pkn, each carrying a tag Tag1 … Tagn, to output accounts; the transaction carries Tag* and a ciphertext C of the input accounts. The tracing authority is passive in this phase.
- Tracing phase: from the tag and the ciphertext the tracing authority traces the one-time public key and the long-term public key.
Traceable Monero: Anonymous Cryptocurrency with Enhanced Accountability. IEEE Transactions on Dependable and Secure Computing, 10.1109/TDSC.2019.2910058 (accepted).

Trace long-term account -- recall CryptoNote
- (A, B) is the payee's long-term public key; (a, b) is the payee's long-term private key (figure: (A1, B1), (A2, B2), (pk, sk))
- To send money to Bob, pick a random r and compute the one-time key P; P is used as the payee's public key, and R is also put on the blockchain
- x is the private key for the "public key" P; check: (formula not recoverable from the slide)
- In the multiplicative notation of the following slides, the one-time public key is $y = B \cdot h^{H(A^{r})}$
- For a fixed y generated by (A, B): choose a random r' and A', compute $H(A'^{r'})$, then $B' = y / h^{H(A'^{r'})}$, obtaining (A', B')
- (A, B) spends the money, but (A', B') can be traced; one can generate many key pairs for y

Trace long-term account -- KeyGen (modified CryptoNote)
- Given y, it is computationally infeasible to find another key pair (A', B') that shares the same y; important for tracing
- One-time public key: $y = B \cdot h^{H(A^{r}, B)}$, with $R = h^{r}$ published so that $R^{a} = A^{r}$
- One-time private key: $x = b + H(R^{a}, B)$, so that $h^{x} = y$
- Tag: for tracing; ring: for privacy
- Verifiable encryption: a variant of ElGamal under the tracing authority's pk

Trace one-time account -- Spend
- Encrypt the column index of the input accounts with the tracing authority's pk

Efficiency analysis (figures): overhead of the Spend and Verify algorithms; time cost of the Verify algorithm.

Trace real-world identities…

Blockchain categories
- Private: permissioned, controlled by a central party
- Public: global, freely join and leave (Bitcoin, Ethereum)
- Consortium: semi-decentralized, authorized to join/leave (Hyperledger, R3)

Our second solution
- Suggest linkable group signatures (LGS) to realize payer tracing on a consortium blockchain
- Propose a concrete construction of LGS based on Boneh and Boyen (BB04/BS04/BBS04)
- Prove the security of our LGS in the random oracle model and implement the proposed scheme
D. Boneh, X. Boyen. Short signatures without random oracles. In: International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Berlin, Heidelberg, pp. 56-73, 2004.

Scenario
- Several banks form a consortium blockchain
- Each bank is a group with its own registration & supervision authority
- Closer to a real-life scenario: a trade-off between anonymity and traceability
- Registration — set up an account in a bank
- Tracing — identified by a bank and punished by the law-enforcement department
- Transactions are privacy-preserving among the banks: one can only learn that a payment goes to a certain bank, not to a specific payee
- Users are anonymous if they behave honestly
- Transactions are linked if users double spend
- Users can be traced to real-world identities if they misbehave
Protocol overview / protocol workflow (figure): a shared chain, plus a group in each bank.
An Efficient Linkable Group Signature for Payer Tracing in Anonymous Cryptocurrencies. Future Generation Computer Systems, vol. 101, pp. 29-38, 2019.

3 Blockchain & e-voting

Traditional e-voting (figure): Admin, Counter, Voters → Result.
Example: the FOO protocol [FOO92]. A. Fujioka, T. Okamoto, K. Ohta. "A practical secret voting scheme for large scale elections". Proc. of Auscrypt 1992, LNCS 718, pp. 244-251, 1992.

Blockchain-based e-voting
- No central party
- Automatically compute the final results (self-tallying e-voting)
Problems
- Privacy issues (the blockchain is public)
- Fairness issues: adaptive issue (the last voter knows the results ahead of schedule); abortive issue (the last voter aborts)

Solutions -- privacy
- Homomorphic encryption (with all other voters' pk): achieves maximal ballot privacy, i.e. a partial tally of the ballots can be accessed only by a collusion of all remaining voters
- Zero-knowledge proof: prove that the ciphertext is in the correct form
- Dispute-freeness: anybody can check whether the voters follow the protocol or not; this is an extension of universal verifiability [KY02]
A. Kiayias and M. Yung. "Self-tallying elections and perfect ballot secrecy". In: International Workshop on Public Key Cryptography, Springer, Berlin, Heidelberg, pp. 141-158, 2002.

Efficiency (figures): on a laptop, on an Android phone, on a Raspberry Pi; parameters.
- Laptop: CPU Intel Core(TM) i5-4300 @ 2.49GHz; memory 8GB RAM; OS Win8 64-bit
- Android phone: CPU Qualcomm MSM8998 @ 2.45 (octa-core); memory 6GB RAM; OS Android 7.1.1
- Raspberry Pi: CPU Broadcom BCM2837B0, 1.4GHz 64-bit quad-core ARM Cortex-A53; memory 1GB LPDDR2 SDRAM; OS Raspbian with kernel v4.14

4 Blockchain & PDP

Outsourced storage
- Relieves the burden of data management
- The data owner loses physical control
- Provable data possession [Ate07]
(Figure: data owners, data flow, separation between data ownership and control.)
G. Ateniese, R. C. Burns, R. Curtmola, J. Herring, L. Kissner, Z. N. J. Peterson, D. X. Song. Provable Data Possession at Untrusted Stores. CCS 2007, pp. 598-609.

Our contribution
- Introduce IntegrityChain, a practical decentralized outsourced storage framework
- Formalize the security model for IntegrityChain based on the soundness model of PDP protocols
- Provide a concrete protocol of IntegrityChain using MR-PDP and analyze the security of the protocol
- Implement a prototype of the proposed protocol, which demonstrates its practicality
R. Curtmola, O. Khan, R. C. Burns and G. Ateniese. "MR-PDP: Multiple-Replica Provable Data Possession". ICDCS 2008, pp. 411-420, 2008.
IntegrityChain: Provable Data Possession for Decentralized Outsourced Storage. IEEE Journal on Selected Areas in Communications, 1570456174.
Idea: (figure)

5 Conclusion
- Review of blockchain basics and more
- Solution to cryptocurrencies: privacy and regulation
- Solutions to blockchain-based e-voting
- Solutions to decentralized storage
Future work…
- Privacy for smart contracts
- Blockchain and fair computation & fair exchange
- Blockchain and IoT
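The CryptoNote one-time key derivation and the Traceable Monero key-binding change from section 2 above, as an added Python example that is not part of the slides or the authors' implementation. The group (Z_p^* for the Mersenne prime p = 2^127 - 1 with base 3), the hash-to-scalar H and all function names are assumptions, and the parameters are a toy size.

```python
import hashlib
import secrets

# Toy group (constructed for this example): Z_p^* for the Mersenne prime
# p = 2^127 - 1 with base h = 3; exponents live mod p - 1. Not a deployable size.
P = (1 << 127) - 1
N = P - 1
BASE = 3

def H(*items):
    """Hash-to-scalar H(.) over group elements / keys, reduced mod p - 1."""
    data = b"|".join(str(i).encode() for i in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen():
    """Long-term account: private (a, b), public (A, B) = (h^a, h^b)."""
    a, b = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    return (a, b), (pow(BASE, a, P), pow(BASE, b, P))

def one_time_pubkey(A, B, r, bind_B):
    """Payer: publishes R = h^r and y = B * h^{H(A^r)}, or B * h^{H(A^r, B)} when bound."""
    shared = pow(A, r, P)
    e = H(shared, B) if bind_B else H(shared)
    return pow(BASE, r, P), B * pow(BASE, e, P) % P

def one_time_privkey(R, a, b, B, bind_B):
    """Payee: R^a = A^r, so x = b + H(R^a[, B]) satisfies h^x = y."""
    shared = pow(R, a, P)
    e = H(shared, B) if bind_B else H(shared)
    return (b + e) % N

def second_pair_for(y):
    """Unbound scheme: any A', r' give B' = y / h^{H(A'^{r'})} with the same y,
    so y alone does not pin down one long-term account (the slides' point)."""
    a2, r2 = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    A2 = pow(BASE, a2, P)
    B2 = y * pow(pow(BASE, H(pow(A2, r2, P)), P), -1, P) % P
    return A2, B2, r2

def demo():
    """{bind: (payee recovers a valid x, substituted (A', B') reproduces y)}."""
    (a, b), (A, B) = keygen()
    r = secrets.randbelow(N - 1) + 1
    result = {}
    for bind in (False, True):
        R, y = one_time_pubkey(A, B, r, bind)
        x = one_time_privkey(R, a, b, B, bind)
        A2, B2, r2 = second_pair_for(y)
        result[bind] = (pow(BASE, x, P) == y, one_time_pubkey(A2, B2, r2, bind)[1] == y)
    return result
```

With the binding (B inside the hash), the substituted pair no longer reproduces y because B' would have to appear in the very hash it is derived from, which is the property the KeyGen slide relies on for tracing.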