Blockchain and Smart Contract Long Term Security (updated)
Copyright © 2016 Peter Robinson
Blockchain and Smart Contract Long Term Security
Peter Robinson, [email protected]
November 18, 2016
Overview
▪ Distributed Ledger and Smart Contract systems have as an underlying assumption that once transactions are in a block chain, they are locked-in forever.
▪ This presentation analyses whether this immutability can actually be delivered in the long term, given increasing traditional computational power, the emergence of quantum computing, and the possibility of cryptographic algorithmic flaws.
▪ Additionally, an idea about distributed systems security is presented.
Caveat on results in these slides
▪ Tentative results are presented herein.
▪ More detailed analysis is needed.
Agenda
▪ Blockchain and Smart Contract Platforms Long Term Security:
  ▪ Cryptography and Cryptanalysis.
  ▪ Blockchain Platforms and Cryptanalysis.
  ▪ Mitigations.
▪ Mitigation for Active Attacks against Distributed Systems.
Cryptography & Cryptanalysis
Cryptography: Algorithms
▪ Digest Algorithm (Hash): SHA256, SHA512, RIPEMD160, KECCAK, SHA3/256:
  ▪ Variable length input -> Fixed Length Output.
▪ Signing: ECDSA (secp256k1)/Digest Algorithm, RSA/Digest Algorithm:
  ▪ Sign with private key, verify with public key.
Cryptography: Message Digests / Hashes
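[Diagram: three hash properties, each shown with its security strength for an n-bit digest]
▪ Preimage Resistance: h(x) is known, x is the unknown. Strength: n.
▪ Second Preimage Resistance: x is known, the unknown is x’ ≠ x with h(x’) = h(x). Strength: n.
▪ Collision Resistance: both x and x’ are unknown, with x ≠ x’ and h(x) = h(x’). Strength: n/2.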
Cryptography: Signatures
▪ Forgeability: Recover private key from public key.
▪ Non-repudiation: Have two public keys P1 and P2 which verify the same signature.
▪ Integrity: Have two message digests M1 and M2 which when signed with public key P result in the same signature.
Cryptography: Security Strength (Assuming no Quantum Cryptanalysis)
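| Security Strength | RSA | ECC | Hash Preimage | Hash Collision |
|---|---|---|---|---|
| 80 | 1024 | | | RIPEMD160 |
| 112 | 2048 | | | |
| 128 | 3072 | secp256k1 | | SHA256, Keccak-256, SHA512/256 |
| 160 | | | RIPEMD160 | |
| 256 | | | SHA256, Keccak-256, SHA512/256 | SHA512, SHA3/512 |
| 512 | | | SHA512, SHA3/512 | |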
Traditional Computing Power
Ref 1: http://www.extremetech.com/wp-content/uploads/2015/04/MooresLaw2.png
Cryptography: Security Strength assuming no Quantum Cryptanalysis
| Security Strength | RSA | ECC | Hash Preimage | Hash Collision |
|---|---|---|---|---|
| 80 | 1024 | | | RIPEMD160 |
| 112 | 2048 | | | |
| 128 | 3072 | secp256k1 | | SHA256, Keccak-256, SHA512/256 |
| 160 | | | RIPEMD160 | |
| 256 | | | SHA256, Keccak-256, SHA512/256 | SHA512, SHA3/512 |
| 512 | | | SHA512, SHA3/512 | |
Timeline markers shown on the slide: 2010, 2030?
Quantum Cryptanalysis
▪ Shor’s Algorithm: Allows ECC private key to be calculated from ECC public key.
▪ Grover’s Algorithm: Allows algorithms to be executed in square-root time:
  ▪ Affects message digest algorithms and symmetric key algorithms.
▪ Security Strength after Quantum = (Security Strength Before Quantum) / 2
Quantum Cryptanalysis
▪ When will Quantum Computing and Quantum Cryptanalysis be a reality?
▪ Michele Mosca, Institute for Quantum Computing and Department of Combinatorics and Optimization, University of Waterloo, said (Ref 2):
  ▪ “I estimate a 1/7 chance of breaking RSA-2048 by 2026 and a 1/2 chance by 2031”
▪ Predicts a “Moore’s Law” type of increase in capability.
Ref 2: Mosca, M. (2015) “Cybersecurity in an era with quantum computers: will we be ready?” Available: https://eprint.iacr.org/2015/1075.pdf
Cryptography: Security Strength assuming Quantum Cryptanalysis
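| Security Strength* | RSA | ECC | Hash Preimage | Hash Collision |
|---|---|---|---|---|
| 4 | 5 | | | |
| 19 | | secp256k1 | | |
| 26 | 2048 | | | |
| 40 | | | | RIPEMD160 |
| 64 | | | | SHA256, Keccak-256, SHA512/256 |
| 80 | | | RIPEMD160 | |
| 128 | | | SHA256, Keccak-256, SHA512/256 | SHA512, SHA3/512 |
| 256 | | | SHA512, SHA3/512 | |
*: Shor algorithm security strength calculated as log2(K * K * log(K) * log(log(K)))
Timeline markers shown on the slide: 2012; Late 2020s or 2030s?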
Cryptographic Algorithmic Flaws
Ref 3: Preneel, B. (2013) “Introduction to the Design and Cryptanalysis of Cryptographic Hash Functions” Available: https://www.cosic.esat.kuleuven.be/summer_school_albena/slides/preneel_hash_july2013_shortv1_print.pdf
Blockchain Platforms and Cryptanalysis
Three Attack Scenarios
▪ Attack existing blocks.
▪ Attacking new blocks as they are being made:
  ▪ Miners either altering transactions being included in blocks or being able to always mine the best block.
  ▪ Users either craft transactions masquerading as other users or craft transactions to double spend.
Bitcoin: Cryptographic Usage (Ref 4)
▪ Main Hash: HM(x) = SHA256(SHA256(x))
▪ Address Hash: HA(x) = RIPEMD160(SHA256(x))
▪ Key Pairs: ECC using secp256k1 curve.
▪ Signatures: ECDSA, with Main Hash.
Ref 4: Giechaskiel, I., Cremers, C., Rasmussen, K. (2016) “On Bitcoin Security in the Presence of Broken Crypto Primitives”
Ripple Cryptographic Usage
▪ Main Hash: HM(x) = 256 bit truncated SHA512(x)
▪ Address Hash: HA(x) = RIPEMD160(SHA256(x))
▪ Key Pairs: ECC using secp256k1 curve.
▪ Signatures: ECDSA, with Main Hash.
Ethereum Cryptographic Usage
▪ Main Hash: HM(x) = KECCAK-256(x)
▪ Address Hash: HA(x) = 160 bit truncated KECCAK-256(x)
▪ Key Pairs: ECC using secp256k1 curve.
▪ Signatures: ECDSA, with Main Hash.
Cryptography: Security Strength assuming Quantum Cryptanalysis
| Security Strength | Hash Preimage | Hash Second Preimage | Hash Collision |
|---|---|---|---|
| 40 | | | Keccak-256/160, RIPEMD160(SHA256(x)) |
| 64 | | | SHA256(SHA256(x)), Keccak-256, SHA512/256 |
| 80 | Keccak-256/160 | Keccak-256/160, RIPEMD160(SHA256(x)) | |
| 128 | SHA512/256 | SHA256(SHA256(x)), Keccak-256, SHA512/256 | |
| 208 | RIPEMD160(SHA256(x)) | | |
| 256 | SHA256(SHA256(x)) | | |
Attack Existing Blocks: Message Digest Algorithm Issues
| Breakage | Address Hash (HA) | Main Hash (HM) |
|---|---|---|
| Collision | None | None |
| Second pre-image | Repudiate transaction | Repudiate transaction |
| Pre-image | Uncover public key associated with address | None |
Attack Existing Blocks: Signature Algorithm Issues
| Breakage | Effect |
|---|---|
| Selective forgery | Determine private key based on public key, then execute transactions |
| Integrity break | Repudiate transaction |
| Repudiation | None |
Miner Attack: Message Digest Algorithm Issues
| Breakage | Address Hash (HA) | Main Hash (HM) |
|---|---|---|
| Collision | Repudiate transaction | Double spend and execute transactions and then repudiate them |
| Second pre-image | Repudiate transaction | Double spend and execute transactions and then repudiate them |
| Pre-image | Uncover public key associated with address | Complete failure of the blockchain: be able to determine best block more easily than other miners. |
Miner Attack: Signature Algorithm Issues
| Breakage | Effect |
|---|---|
| Selective forgery | Determine private key based on public key, then execute transactions |
| Integrity break | Repudiate transaction |
| Repudiation | None |
User Attack: Message Digest Algorithm Issues
| Breakage | Address Hash (HA) | Main Hash (HM) |
|---|---|---|
| Collision | Repudiate transaction | Double spend and execute transactions and then repudiate them |
| Second pre-image | Repudiate transaction | Double spend and execute transactions and then repudiate them |
| Pre-image | Uncover key associated with address | None |
User Attack: Signature Algorithm Issues
| Breakage | Effect |
|---|---|
| Selective forgery | None |
| Integrity break | Execute transactions and then repudiate them |
| Repudiation | Execute transactions and then repudiate them |
Mitigations
Mitigations: Better Use of Existing Algorithms
▪ Use stronger algorithms for Address Hash and Main Hash.
▪ Address Hash:
  ▪ SHA512(SHA512(x)) or
  ▪ SHA3/512(x)
▪ Main Hash:
  ▪ SHA512(SHA512(x)) or
  ▪ SHA3/512(x)
Cryptography: Security Strength assuming Quantum Cryptanalysis
| Security Strength | Hash Preimage | Hash Second Preimage | Hash Collision |
|---|---|---|---|
| 40 | | | Keccak-256/160, RIPEMD160(SHA256(x)) |
| 64 | | | SHA256(SHA256(x)), Keccak-256, SHA512/256 |
| 80 | Keccak-256/160 | Keccak-256/160, RIPEMD160(SHA256(x)) | |
| 128 | SHA512/256 | SHA256(SHA256(x)), Keccak-256, SHA512/256 | SHA512(SHA512(x)), SHA3/512(x) |
| 208 | RIPEMD160(SHA256(x)) | | |
| 256 | SHA256(SHA256(x)), SHA3/512(x) | SHA512(SHA512(x)), SHA3/512(x) | |
| 512 | SHA512(SHA512(x)) | | |
Mitigations: Post-Quantum
▪ USA’s NIST are looking to standardize post-quantum algorithms by 2022 (Ref 5).
▪ Lattice Based Signature Algorithms:
  ▪ Different type of mathematics to RSA and ECC.
  ▪ Historically, Lattice based algorithms have been found to be not as strong as first thought after two to five years of cryptanalysis.
▪ SPHINCS:
  ▪ Based on well understood message digest algorithms.
  ▪ Larger public keys, private keys and signatures.
Ref 5: http://csrc.nist.gov/groups/ST/post-quantum-crypto/documents/pqcrypto-2016-presentation.pdf
Mitigations: Be Prepared to Change
▪ Blockchain platforms need to have migration plans in place.
▪ Allow for multiple algorithms:
  ▪ Should allow for faster transition in case of a sudden event: stop accepting transactions which use one algorithm.
  ▪ Can lead to downgrade attacks.
▪ Learn from other domains such as Transport Layer Security.
▪ Plan for:
  ▪ Larger signatures and larger identifiers.
  ▪ Re-sign entire blockchain.
  ▪ Roll-over all keys to newer algorithms.
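An added example (not from the slides or from any blockchain platform's code) of the two mitigation slides above: identifiers that carry their hash algorithm, a cut-over height after which one algorithm is no longer accepted, and a per-sender floor that refuses a downgrade. The class name `AgileValidator`, the `<alg>:<hex>` identifier format, the algorithm labels and the cut-over height are assumptions; the strength figures are the collision values from the quantum table above.

```python
import hashlib
import hmac

def _double(name):
    # H(H(x)) construction, as in the slides' SHA256(SHA256(x)) and SHA512(SHA512(x)).
    return lambda data: hashlib.new(name, hashlib.new(name, data).digest()).digest()

# Hypothetical labels -> (digest function, collision strength in bits from the quantum table).
ALGORITHMS = {
    "sha256d": (_double("sha256"), 64),
    "sha512d": (_double("sha512"), 128),
    "sha3-512": (lambda data: hashlib.sha3_512(data).digest(), 128),
}

class AgileValidator:
    """Checks '<alg>:<hex>' transaction identifiers under a migration policy."""

    def __init__(self, retired_from):
        self.retired_from = dict(retired_from)  # alg -> first block height that refuses it
        self.floor = {}                         # sender -> strongest strength already used

    @staticmethod
    def make_id(alg, payload):
        # The label is hashed together with the payload, so it is bound to the digest.
        digest = ALGORITHMS[alg][0](alg.encode() + b"\x00" + payload)
        return alg + ":" + digest.hex()

    def check(self, sender, tx_id, payload, height):
        """Return 'ok' or the reason the identifier is refused at this height."""
        alg, sep, _ = tx_id.partition(":")
        if not sep or alg not in ALGORITHMS:
            return "unknown algorithm"
        if height >= self.retired_from.get(alg, float("inf")):
            return "algorithm retired"       # sudden-event switch: stop accepting it
        strength = ALGORITHMS[alg][1]
        if strength < self.floor.get(sender, 0):
            return "downgrade refused"       # sender already moved to something stronger
        if not hmac.compare_digest(self.make_id(alg, payload).encode(), tx_id.encode()):
            return "digest mismatch"
        self.floor[sender] = strength
        return "ok"

if __name__ == "__main__":
    v = AgileValidator({"sha256d": 500_000})  # constructed cut-over height
    tx = b"constructed transaction bytes"
    print(v.check("alice", v.make_id("sha3-512", tx), tx, 400_000))
    print(v.check("alice", v.make_id("sha256d", tx), tx, 400_001))
```

The 512-bit identifiers are twice as long in hex as the 256-bit ones, which is the "larger identifiers" cost the slide asks platforms to plan for.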
Mitigation for Active Attacks against Distributed Systems
Using Blockchain to provide Defence in Depth against Active Attacks
▪ Web applications and SaaS can be delivered as scalable cloud services.
▪ These services can be viewed as distributed systems.
▪ Active attackers may Powerfully Own (POWN) parts of the distributed system.
▪ Distributed Ledgers could be used as a resilient distributed database.
▪ Challenges:
  ▪ Performance.
  ▪ Non-proof of work consensus algorithms which are resilient to active attack.
  ▪ Dynamic scaling.
Closing
Future Work
▪ More detailed analysis to verify the results presented herein.
▪ Hyperledger needs to be reviewed.
▪ Proof of Stake protocols need to be considered.
Summary
▪ Cryptography is a dynamic field. Things change:
  ▪ Quantum Cryptanalysis may become a reality.
  ▪ Processing power is still ever increasing despite declarations that “Moore’s Law is dead”.
  ▪ Breaks in cryptographic algorithms happen from time to time.
▪ Plan for change:
  ▪ Do mitigation planning and determine migration paths.
  ▪ Start executing now the changes which can be done now.
Questions