SESSION ID: CRYP-R10
#RSAC
Publish or Perish: A Backward-Compatible Defense against Selfish Mining in Bitcoin
RSA Conference 2017, Selected Topics
Ren Zhang (Doctoral Student, @nizenzang) and Bart Preneel (Professor), KU Leuven, ESAT-COSIC and imec

Bitcoin
A p2p network
Maintaining a public decentralized ledger
The ledger is organized as a hash chain of blocks
Each block contains a set of transactions (txs)
[Figure: a block holds Prev_Hash and the transaction list tx1, tx2, …]

Bitcoin Mining
New txs are broadcast to the entire network, each miner collects these txs into a block
Every miner works on finding a nonce that solves the puzzle H(txs, prev_hash, nonce) < threshold
Whoever finds a solution first broadcasts the next block
Within the block, a special coinbase tx issues 12.5 new btc to the miner (the block subsidy at the time of the talk)
[Figure: each block holds Prev_Hash, the transactions tx1, tx2, … plus the coinbase tx, and the Nonce; blocks chain through the Prev_Hash field]
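The puzzle on this slide, as an added worked example written for this page (not the speakers' code). Assumptions: H is Bitcoin's double SHA-256; the header layout prev_hash || SHA-256(txs) || nonce is a simplification of the real 80-byte header; and difficulty is expressed as a count of required leading zero bits rather than Bitcoin's nBits encoding. The transactions are constructed sample input.

```python
import hashlib
import struct
from typing import Optional, Tuple

# Added example for this page (not the speakers' code): the mining puzzle
# H(txs, prev_hash, nonce) < threshold with H = double SHA-256.  The header
# layout is a simplification of Bitcoin's real header (assumption).

def block_hash(prev_hash: bytes, txs: bytes, nonce: int) -> bytes:
    """H(txs, prev_hash, nonce): double SHA-256 over the concatenated header fields."""
    header = prev_hash + hashlib.sha256(txs).digest() + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()

def threshold(leading_zero_bits: int) -> int:
    """A hash below this value has at least `leading_zero_bits` leading zero bits."""
    return 1 << (256 - leading_zero_bits)

def mine(prev_hash: bytes, txs: bytes, bits: int, max_nonce: int = 1 << 32) -> Optional[int]:
    """Brute-force the nonce; the expected work is about 2**bits hash evaluations."""
    t = threshold(bits)
    for nonce in range(max_nonce):
        if int.from_bytes(block_hash(prev_hash, txs, nonce), "big") < t:
            return nonce
    return None

def verify(prev_hash: bytes, txs: bytes, nonce: int, bits: int) -> bool:
    """Verification costs one hash evaluation, which is what makes the puzzle useful."""
    return int.from_bytes(block_hash(prev_hash, txs, nonce), "big") < threshold(bits)

def demo(bits: int = 16) -> Tuple[int, bool]:
    # Constructed sample input: an all-zero previous hash and two toy transactions.
    prev = bytes(32)
    txs = b"tx1: alice->bob 1 BTC\ntx2: carol->dave 2 BTC\n"
    nonce = mine(prev, txs, bits)
    return nonce, verify(prev, txs, nonce, bits)
```

At 16 bits `mine()` needs about 65,000 evaluations and finishes instantly; at the roughly 71 leading zero bits quoted on the next slide it would need about 2^71 ≈ 2.4×10^21, which at 3×10^18 H/s is on the order of 800 seconds, consistent with Bitcoin's ten-minute block interval.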

Bitcoin Network’s Current Mining Power
Network hash rate: about 3×10^18 H/s
Puzzle difficulty: the target requires around 71 leading zero bits
[Figure: known hash-rate distribution by mining pool; about 70% of the mining power is in China]

Bitcoin’s Fork-Resolving Policy
Release new blocks to the public immediately
Fork-resolving policy: mine on the longest chain, or on the first received block during a tie
Reward distribution policy: orphaned blocks receive no reward
[Figure: timeline of the public chain with a “fork”; the losing branch is “orphaned”]

Selfish Mining Attack
Fairness assumption: when >50% of the mining power follows the protocol, a miner’s block rewards are ∝ the miner’s computational power
This assumption is disproved by the selfish mining attack (Eyal and Sirer, 2014): the attacker withholds its newly found blocks and releases them strategically
Two ways the withheld block wins: winning a tie (with some luck), or releasing a longer private chain
[Figure: timeline of the attacker’s secret chain against the public chain]

Why is Selfish Mining Harmful?
It targets the Bitcoin protocol itself
The selfish miner’s expected relative revenue rises superlinearly with its mining power
=> rational choice for miners: do selfish mining collectively
=> the decentralized nature of Bitcoin is damaged
When combined with selfish mining, double-spending attacks can be launched with arbitrarily low mining power, rather than the previously believed 51%
=> the most fundamental attack in Bitcoin
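The superlinear-revenue claim, as an added worked example written for this page (not the speakers' code): a Monte Carlo simulation of the Eyal and Sirer selfish mining strategy against Bitcoin's longest-chain rule, beside the closed-form relative revenue from their analysis. alpha is the attacker's share of the hash power and gamma the fraction of honest miners that build on the attacker's block in a tie; the seed and round count are arbitrary choices.

```python
import random

# Added example for this page (not the speakers' code): selfish mining (Eyal and
# Sirer, 2014) simulated against the longest-chain rule, next to its closed form.

def selfish_mining_revenue(alpha: float, gamma: float, rounds: int, seed: int = 0) -> float:
    """Fraction of main-chain blocks the attacker ends up with after `rounds` block discoveries."""
    rng = random.Random(seed)
    lead = 0               # private blocks the attacker holds ahead of the public chain
    tie = False            # state 0': one attacker block and one honest block at the same height
    attacker = honest = 0  # blocks that end up in the main chain
    for _ in range(rounds):
        attacker_found = rng.random() < alpha
        if tie:
            if attacker_found:           # extends its own branch and wins the fork: both blocks count
                attacker += 2
            elif rng.random() < gamma:   # an honest miner built on the attacker's block
                attacker += 1
                honest += 1
            else:                        # an honest miner built on the honest block
                honest += 2
            tie = False
        elif attacker_found:
            lead += 1                    # keep the block secret
        elif lead == 0:
            honest += 1                  # nothing to defend: adopt the honest block
        elif lead == 1:
            lead, tie = 0, True          # release the secret block: a tie
        elif lead == 2:
            attacker += 2                # release both: the honest block is orphaned
            lead = 0
        else:
            attacker += 1                # release one block; the remaining lead guarantees it wins
            lead -= 1
    return attacker / (attacker + honest)

def closed_form(alpha: float, gamma: float) -> float:
    """Eyal and Sirer's expected relative revenue of the selfish miner."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den
```

With alpha = 0.40 and gamma = 0 the closed form gives about 0.48, so the attacker earns roughly a fifth more than its fair share; at alpha = 0.25 the same strategy loses (about 0.20), and for gamma = 0 the break-even point is alpha = 1/3. Comparing closed_form(0.45, 0) with closed_form(0.35, 0) scaled by 0.45/0.35 shows the superlinearity directly.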

Existing Defenses & Key Observation
Tie-breaking defenses have no effect once the selfish chain is longer than the public chain
=> only valid against weak attackers
Backward-incompatible defenses modify the balances of existing accounts
=> will never see adoption in Bitcoin
Key observation: can we change only the fork-resolving policy?

Definitions
Assume the upper bound of the block propagation delay is τ
A block received more than τ after a competing block of the same height is late; otherwise it is in time
A block B1 is an uncle of another block B2 if B1 is a competing in-time block of B2’s parent
[Figure: timeline with a late block and an uncle marked relative to the τ window]

Our Defense
Modified mining algorithm: miners incorporate the hashes of all uncles in their blocks
The weight of a chain: # of in-time blocks + # of in-time uncle hashes embedded in these blocks
Modified fork-resolving policy: a miner chooses the chain with the largest weight; in a tie the miner chooses randomly
[Figure: the timeline from the Definitions slide, with the late block and the uncle marked]

A Dilemma for the Selfish Miner
If the selfish miner publishes its secret block S in time: S counts in the weight of both chains (as a block of its own chain and as an uncle embedded in the public chain)
If not: S counts in the weight of neither chain
A secret block mined before the competing honest block cannot embed that honest block as an uncle, so withholding never gains weight from the honest side
[Figure: timeline with the secret block S in both cases]

Another Problem: CAP Theorem
In original Bitcoin, if the network is partitioned and reunited, the ledger converges fast
=> selfish mining and a network partition are indistinguishable to the protocol
In our defense, every part of a partitioned network would consider the blocks mined by the other parts late
=> the ledger may not converge after the partition heals
Unfortunately there is no perfect solution
[Figure: triangle of Availability, Partition recovery and Consistency, marking where original Bitcoin and our defense sit]

Another Problem: CAP Theorem (cont.)
Our solution: when the longest chain is k blocks ahead, all miners adopt it regardless of weight
Result:
k = 1: a tie-breaking defense
k = ∞: resistant against a 51% attacker, at the price of the convergence problem above
k = 3: the ledger converges in a few hours even when an attacker with 50% of the total mining power works to prevent convergence
[Figure: the same triangle, marking our defense with k = 3]
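The weight rule, the uncle definition and the k-blocks-ahead override from the last slides, as one added worked example written for this page (not the authors' implementation). Assumptions: receive times are one node's local clock, the genesis block is always in time, a block is late when received more than τ after the first block this node saw at the same height, and blocks are fed to the node in receive order. All block scenarios are constructed inputs.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example for this page (not the authors' code): one node's view of the
# "publish or perish" fork-resolving policy with the k-blocks-ahead override.

@dataclass(frozen=True)
class Block:
    bid: str
    parent: Optional[str]
    height: int
    recv: float                     # local time at which this node first received the block
    uncles: Tuple[str, ...] = ()    # hashes of competing blocks of the parent, embedded by the miner

class Node:
    def __init__(self, tau: float, k: float):
        self.tau, self.k = tau, k
        self.blocks: Dict[str, Block] = {}
        self.first_seen: Dict[int, float] = {}   # height -> earliest receive time at that height

    def receive(self, b: Block) -> None:
        """Validate the uncle references and record the block."""
        if b.parent is not None:
            parent = self.blocks[b.parent]
            assert b.height == parent.height + 1
            for u in b.uncles:   # an uncle must be a sibling of the parent, never the parent itself
                assert u != b.parent and self.blocks[u].height == parent.height
        self.blocks[b.bid] = b
        self.first_seen[b.height] = min(self.first_seen.get(b.height, b.recv), b.recv)

    def in_time(self, bid: str) -> bool:
        b = self.blocks[bid]
        return b.recv <= self.first_seen[b.height] + self.tau

    def chain(self, tip: str) -> List[Block]:
        out, cur = [], self.blocks[tip]
        while cur.parent is not None:
            out.append(cur)
            cur = self.blocks[cur.parent]
        out.append(cur)
        return out[::-1]

    def weight(self, tip: str) -> int:
        """# in-time blocks + # in-time uncle hashes embedded in those blocks."""
        return sum(self.in_time(b.bid) + sum(self.in_time(u) for u in b.uncles)
                   for b in self.chain(tip))

    def choose(self, a: str, b: str, rng: Optional[random.Random] = None) -> Tuple[str, str]:
        """A chain k blocks longer wins outright; otherwise largest weight, ties at random."""
        ha, hb = self.blocks[a].height, self.blocks[b].height
        if ha - hb >= self.k:
            return a, "k-ahead"
        if hb - ha >= self.k:
            return b, "k-ahead"
        wa, wb = self.weight(a), self.weight(b)
        if wa != wb:
            return (a if wa > wb else b), "weight"
        return (rng or random.Random(0)).choice([a, b]), "tie"

def dilemma(publish_in_time: bool, tau: float = 5.0, k: float = 3) -> Tuple[Node, str, str]:
    """Constructed scenario: the attacker holds secret block S at height 1 while the public mines P1 at t=10."""
    n = Node(tau, k)
    n.receive(Block("G", None, 0, 0.0))
    n.receive(Block("P1", "G", 1, 10.0))
    if publish_in_time:
        n.receive(Block("S", "G", 1, 12.0))                    # within tau of P1: in time
        n.receive(Block("P2", "P1", 2, 20.0, uncles=("S",)))   # the honest miner embeds S as an uncle
        n.receive(Block("S2", "S", 2, 21.0))                   # attacker's second block, also in time
        return n, "P2", "S2"
    n.receive(Block("S", "G", 1, 40.0))                        # withheld past tau: late, counts for nobody
    n.receive(Block("S2", "S", 2, 40.0))                       # first block seen at height 2: in time
    return n, "P1", "S2"

def partition_reunion(k: float, tau: float = 5.0) -> Tuple[Node, str, str]:
    """Constructed scenario: our side mined A1..A3 with in-time siblings embedded as uncles;
    the other side's B1..B6 all arrive at t=100 when the partition heals."""
    n = Node(tau, k)
    n.receive(Block("G", None, 0, 0.0))
    n.receive(Block("A1", "G", 1, 10.0))
    n.receive(Block("A1x", "G", 1, 12.0))
    n.receive(Block("A2", "A1", 2, 20.0, uncles=("A1x",)))
    n.receive(Block("A2x", "A1", 2, 22.0))
    n.receive(Block("A3", "A2", 3, 30.0, uncles=("A2x",)))
    prev = "G"
    for h in range(1, 7):
        n.receive(Block(f"B{h}", prev, h, 100.0))
        prev = f"B{h}"
    return n, "A3", "B6"
```

In the first scenario the late S gives the attacker's two-block chain the same weight (2) as the public one-block chain, so the longer secret chain no longer wins automatically; publishing S in time instead hands the public chain an uncle and it wins 4 to 3. The partition scenario shows the trade-off of the previous slide: by weight our own chain wins 6 to 4, but with k = 3 the chain that is three blocks longer is adopted so the ledger converges, and with k = ∞ it never would.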

The Optimal Selfish Mining Strategy
We model the mining process as a Markov decision process and solve for the optimal selfish mining strategy and its relative revenue
Attacker’s best choice in two given mining sequences (48% mining power):
Sequence 1: publish or perish, k = 3: give up S and work on P; uniform tie breaking: keep working on S
Sequence 2: publish or perish, k = 3: publish both blocks; uniform tie breaking: keep working secretly
[Figure: the two mining sequences; S marks the attacker’s secret block(s), P the public block]

Comparison with Other Defenses
Ideal: relative revenue ∝ mining power
Optimal tie breaking: an imaginary defense in which the attacker loses every tie
Our defense is still not fair, but better than existing defenses

Summary
Selfish mining is the most fundamental attack in Bitcoin
We proposed an effective, decentralized and backward-compatible defense against selfish mining
We highlighted the origin of the selfish mining attack: Bitcoin’s high partition tolerance
Future work:
A fair selfish mining defense
Analyzing the selfish mining and double-spending resistance of all existing proof-of-work protocols
The optimal combination of eclipse and selfish mining attacks

“Apply” Slide (Requested by RSA Conference)
Bitcoin’s high tolerance to network partitions is the reason why selfish mining and some double-spending attacks are possible
To suggest changes to Bitcoin: our protocol has the best resistance against these attacks :D
To design a new proof-of-work cryptocurrency: deal with network partitions explicitly! Do not trade security for service availability!

SESSION ID: CRYP-R10
WEM: A New Family of White-box Block Ciphers Based on the Even-Mansour Construction
Jihoon Cho, Kyu Young Choi, Itai Dinur, Orr Dunkelman, Nathan Keller, Dukjae Moon and Aviya Veidberg
Dukjae Moon, Senior Engineer, Security Research Group, SAMSUNG SDS, [email protected]

Outline
Introduction
    White-Box Cryptography
    Design Directions
Description of WEM
    Design Rationale
    New family of Block Ciphers
    Structure of the incompressible S-box
Security in the Black-Box Model
    Minimal Construction for WEM
    Security Analysis
Security in the White-Box Model
    Space-Hardness
    Space-Hardness of WEM
    Comparison to previous primitives
Conclusions

White-Box Cryptography [1/3]
The attack environment of cryptographic algorithms has changed
Black-box environment: attackers cannot access the environment where encryption occurs; most cryptographic algorithms are designed under this black-box attack model (BBM)
White-box environment: attackers can access the environment where encryption occurs, so they have a much higher chance of acquiring the encryption key

White-Box Cryptography [2/3]
The encryption key is embedded in the encryption algorithm
WBC is applicable for protecting credentials as a low-cost software module
[Figure: decryption using conventional primitives exposes the cryptographic algorithm and its key to static analysis, dynamic analysis, side-channel attacks and memory inspection; with white-box primitives the cryptographic keys are never revealed in memory]

White-Box Cryptography [3/3]
Security goals in the white-box attack model (WBM):
Unbreakability: it is infeasible to recover the secret key K by accessing the implementation
Incompressibility (weak white-box security, space hardness): it is infeasible to recover the full implementation from partial components of it
Strong white-box security (incompressibility + one-wayness): one-wayness means it is infeasible to decrypt a given ciphertext even if the adversary has the encryption implementation

Design Directions [1/3]
Primitives based on an existing block cipher
In 2002, Chow et al. proposed white-box primitives of this kind
The implementation method uses large lookup tables or algebraic equations
[Figure: an underlying block cipher (e.g., AES) is turned by the implementation method into a white-box primitive]

Design Directions [2/3]
Primitives based on an existing block cipher
All published primitives were practically broken:
Cipher [ref.] | Method | Cryptanalysis
WB-DES [DRM’02] | 8-bit table | DFA [DRM’02], DA [SAC’07]
WB-AES [SAC’02] | 8-bit table | AA [SAC’04], AA [SAC’08], DFA [BH’15], DPA [FSE’16], DCA [CHES’16]
WB-AES [ePrint’06] | equation | SDA [IndoC.’10]
WB-AES [CSA’09] | 16-bit table | AA [SAC’08], AA [SAC’12]
WB-D.AES [ICISC’10] | 8-bit table | AA [SAC’13]
DA: Differential Attacks; SDA: Structural Decomposition Attacks; AA: Algebraic Attacks; DPA/DFA/DCA: Differential Power/Fault/Computation Attacks

Design Directions [3/3]
Dedicated primitives with white-box protection
These designs are based on key-dependent components (e.g., S-boxes)
The ASASA family [Asiacrypt’14] was practically broken [CRYPTO’15, Asiacrypt’15]
Other primitives:
Primitive | Structure
SPACE [ACM-CCS’15] | Generalized Feistel with secret-function S-boxes
WhiteBlock [Asiacrypt’16] | Iterated function of one Feistel step and an AES call
[Figure: round structures of SPACE and WhiteBlock]

Design Rationale [1/2]
Strong security and good performance in the BBM
Our primitives use the iterated EM (Even-Mansour) construction
The security level of this scheme with more than 2 rounds is close to $2^n$
The scheme becomes even stronger by replacing the key addition with a secret S-box layer
By taking a round-reduced version of an underlying block cipher E as the public permutation, our primitives achieve good performance without sacrificing security

Design Rationale [2/2]
Strong security in the WBM
Goal: an adversary cannot extract the master key even if the secret S-boxes are known (he has no access to the generation process of these S-boxes)
We use the Fisher-Yates shuffle with the pseudo-random sequence produced by the block cipher E in counter mode to generate the S-boxes
This generation process ensures incompressibility; one can reuse some S-boxes for more flexibility
One of the main differences between WEM and previous primitives (such as SPACE and WhiteBlock) is that we use secret permutation S-boxes

New family of Block Ciphers [1/2]
Based on an iterated EM construction with incompressible S-boxes
WEM(n, m, r, E, d) is a modification of the r-round EM scheme:
n: the block size of the cipher
m: the size of the incompressible S-box
r: the number of rounds in the underlying iterated EM construction
E: the underlying block cipher (e.g., AES)
d: the number of roun
ds taken from the key-less version of E
Public permutation P: a d-round reduced variant of E with a fixed key
S-box layer: parallel application of n/m incompressible m-to-m-bit S-boxes

New family of Block Ciphers [2/2]
Specific instantiation: WEM(128, 16, 2, AES-128, 5) = WEM-16
Uses 24 S-boxes in total (3 S-box layers × 8 S-boxes of 16 bits)
Encryption time complexity is a single AES encryption (2 × 5 AES rounds) plus 3 sequences of 8 parallel table lookups

Structure of the incompressible S-box
Stand-alone primitive with n-bit security
Generate a long sequence of pseudo-random bits from the n-bit secret key
— For example, we use AES-CTR with a 128-bit secret master key
Instantiate the m-to-m-bit S-boxes from the pseudo-random sequence
— We use the Fisher-Yates shuffle algorithm
— Given uniform random draws, this algorithm produces a uniformly random permutation
To shuffle an array a of n elements (indices 0..n−1):
for i from n−1 down to 1 do
    j ← random integer with 0 ≤ j ≤ i
    exchange a[j] and a[i]
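The S-box generation described on this slide together with the WEM(n, m, r, E, d) structure from the “New family of Block Ciphers” slides, as one added worked example written for this page (not the authors' code). Two stand-ins, both assumptions: SHA-256 in counter mode replaces AES-CTR as the pseudo-random source (the Python standard library has no AES), and a small invertible 32-bit add/xorshift/multiply permutation replaces the 5-round key-less AES as the public permutation P. The parameters n = 32, m = 8, r = 2 keep the tables small and carry no security claim; the master keys are constructed inputs.

```python
import hashlib
from typing import List

# Added example for this page (not the WEM authors' code).  Stand-ins, by assumption:
# SHA-256 in counter mode for AES-CTR, and a toy 32-bit permutation for round-reduced AES.

MASK32 = 0xFFFFFFFF
MUL = 0x9E3779B1                      # odd, hence invertible modulo 2^32
MUL_INV = pow(MUL, -1, 1 << 32)

class KeyedStream:
    """Counter-mode PRG: block_i = SHA-256(key || i).  Stand-in for the slides' AES-CTR."""
    def __init__(self, key: bytes):
        self.key, self.ctr, self.buf = key, 0, b""
    def take(self, n: int) -> bytes:
        while len(self.buf) < n:
            self.buf += hashlib.sha256(self.key + self.ctr.to_bytes(16, "big")).digest()
            self.ctr += 1
        out, self.buf = self.buf[:n], self.buf[n:]
        return out
    def below(self, bound: int) -> int:
        """Uniform integer in [0, bound) by rejection sampling, so there is no modulo bias."""
        nbytes = (bound.bit_length() + 7) // 8
        limit = ((1 << (8 * nbytes)) // bound) * bound
        while True:
            v = int.from_bytes(self.take(nbytes), "big")
            if v < limit:
                return v % bound

def fisher_yates_sbox(m: int, stream: KeyedStream) -> List[int]:
    """Durstenfeld's Fisher-Yates over 0..2^m-1: a uniform permutation when the draws are uniform."""
    a = list(range(1 << m))
    for i in range(len(a) - 1, 0, -1):
        j = stream.below(i + 1)   # 0 <= j <= i; "j mod i" would instead give Sattolo's cyclic shuffle
        a[i], a[j] = a[j], a[i]
    return a

def invert(sbox: List[int]) -> List[int]:
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv

def sbox_layer(x: int, boxes: List[List[int]], m: int, n: int) -> int:
    """Parallel application of n/m m-bit S-boxes to an n-bit word, most significant chunk first."""
    out, mask = 0, (1 << m) - 1
    for idx, box in enumerate(boxes):
        shift = n - m * (idx + 1)
        out |= box[(x >> shift) & mask] << shift
    return out

def p_toy(x: int) -> int:
    """Toy public 32-bit permutation (stand-in for 5-round key-less AES): add, xorshift, multiply."""
    for c in (0x9E3779B9, 0x7F4A7C15, 0xB5297A4D):
        x = (x + c) & MASK32
        x ^= (x << 13) & MASK32
        x ^= x >> 17
        x = (x * MUL) & MASK32
    return x

def p_toy_inv(y: int) -> int:
    for c in (0xB5297A4D, 0x7F4A7C15, 0x9E3779B9):
        y = (y * MUL_INV) & MASK32
        y ^= y >> 17                              # inverse of y ^= y >> 17 (34 >= 32: one term)
        y ^= ((y << 13) ^ (y << 26)) & MASK32     # inverse of x ^= x << 13 (39 >= 32: two terms)
        y = (y - c) & MASK32
    return y

class ToyWEM:
    """WEM(n, m, r, P_toy): S-box layer, then r times [P, S-box layer]; r+1 layers in total."""
    def __init__(self, master_key: bytes, n: int = 32, m: int = 8, r: int = 2):
        assert n == 32 and n % m == 0      # p_toy is a 32-bit permutation
        self.n, self.m, self.r = n, m, r
        stream = KeyedStream(master_key)   # every S-box is derived from one keyed stream
        self.layers = [[fisher_yates_sbox(m, stream) for _ in range(n // m)] for _ in range(r + 1)]
        self.inv_layers = [[invert(b) for b in layer] for layer in self.layers]

    def encrypt(self, x: int) -> int:
        x = sbox_layer(x, self.layers[0], self.m, self.n)
        for i in range(1, self.r + 1):
            x = sbox_layer(p_toy(x), self.layers[i], self.m, self.n)
        return x

    def decrypt(self, y: int) -> int:
        y = sbox_layer(y, self.inv_layers[self.r], self.m, self.n)
        for i in range(self.r - 1, -1, -1):
            y = sbox_layer(p_toy_inv(y), self.inv_layers[i], self.m, self.n)
        return y

    def table_bytes(self) -> int:
        """Size of the secret tables: (r+1) * n/m S-boxes of 2^m entries of m bits."""
        return (self.r + 1) * (self.n // self.m) * (1 << self.m) * self.m // 8
```

The white-box implementation is the object holding `layers`; everything else is public. Generating the tables from one keyed stream is what makes them reproducible from the master key and unreproducible without it, and the rejection sampling in `below()` is what makes every permutation equally likely, which the Fisher-Yates argument on the slide relies on.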

Minimal Construction for WEM [1/4]
Are the primitives WEM-8 and WEM-16 ‘minimal’?
Yes, 2-round WEM is minimal: 1-round WEM does not provide 128-bit security
We can recover all entries of the secret S-boxes by a structural attack against 1-round WEM with about $2^{n/2}$ time complexity
[Figure: 1-round WEM(128, 8, 1, AES-128, 10): S-box layer, public permutation P, S-box layer]

Minimal Construction for WEM [2/4]
Structural attack on WEM(128, 8, 1, AES-128, 10)
Let Δ_i be a set of 256 (= $2^8$) 16-byte inputs to E (= WEM)
— The most significant byte is active (“A”); the remaining 15 bytes are fixed (“F”) by i
Let Λ_j be a set of 256 16-byte inputs to the public permutation P, defined in the same way by j
$\Delta_i = \{\, x \in \{0,1\}^{128} : x[0] = i[0],\ x[1] = i[1],\ \dots,\ x[14] = i[14] \,\}$
$\Lambda_j = \{\, y \in \{0,1\}^{128} : y[0] = j[0],\ y[1] = j[1],\ \dots,\ y[14] = j[14] \,\}$

Minimal Construction for WEM [3/4]
Useful property
If we find multisets E(Δ_i) and P(Λ_j) with the same property, this guarantees that S(Δ_i) and Λ_j collide
This means that the values of the 15 fixed bytes agree after the first S-box layer:
$S_0(i[0]) = j[0],\ S_1(i[1]) = j[1],\ \dots,\ S_{14}(i[14]) = j[14]$

Minimal Construction for WEM [4/4]
Attack algorithm (time and memory complexities are about $2^{68}$)
Evaluate the public permutation P on sets of 256 (= $2^8$) inputs Λ_j for $2^{60}$ arbitrary values of j
For each set, evaluate I(P(Λ_j)) and store it in a table next to Λ_j
Ask for the encryptions of sets of 256 inputs Δ_i for $2^{60}$ arbitrary values of i
For each set, evaluate I(E(Δ_i)) and look for matches in the table
For each match I(E(Δ_i)) = I(P(Λ_j)), compute the corresponding entries of the secret S-boxes
Recover the other entries by changing one byte of Δ_i and Λ_j at a time, until the secret S-boxes are fully recovered

Security Analysis [1/4]
For the sake of black-box analysis, we may view the secret S-boxes of our primitive as random permutations
Previously studied constructions
2-round Iterated Even-Mansour construction
Standard AES with 128-bit key
AES with secret S-boxes
10-round AES with random S-boxes
Known-key round-reduced AES

Security Analysis [2/4]
Brief assessment of the security
Count the expected attack rounds in units of AES rounds
The full 10-round WEM-8/16 are expected to be immune to all of the attacks below
Attack | Rounds reached (WEM-8/16) | Ref.
GA | 5 | FSE 2015
DC/LC | 4 | IET-IFS 2007
BA | 6 | AES 2004
SA | 5 | FSE 2015
ID | 7 | IndoC. 2010
CA | 7 | FSE 2013
RKA | 7 | EuroC. 2010
GA: Generic Key Recovery Attacks; DC/LC: Differential and Linear Characteristics; BA: Boomerang Attacks; SA: Square Attacks; ID: Impossible Differential Attacks; CA: Collision Attacks; RKA: Related-Key Attacks

Security Analysis [3/4]
4-round differential or linear characteristics of WEM-16
The lower bound of 25 active 8-bit S-boxes in any 4-round differential or linear characteristic, which holds for WEM-8, does not hold for WEM-16
Theorem 1. The number of active 8-bit S-boxes in any 4-round differential or linear characteristic of WEM(128, 16, 2, AES-128, 5) is at least 15
— The number of active S-boxes depends on where the secret S-box layer λ is inserted among the 4 AES rounds:
Inserted location | 0/4 | 1 | 2 | 3
# of active S-boxes | ≥ 25 | ≥ 17 | ≥ 15 | ≥ 17

Security Analysis [4/4]
4-round differential or linear characteristics of WEM-16
When λ is applied between the 2nd and the 3rd round, we can find a 4-round characteristic with 15 active 8-bit S-boxes plus 2 active 16-bit secret S-boxes
[Figure: the characteristic; its active-count labels read 4, 1, 2, 8 and 2]

Space-Hardness
Introduced in [ACM-CCS 2015] as a generalization of weak white-box security
(M, Z)-space hardness: a cipher is (M, Z)-space hard if it is infeasible for an adversary to encrypt/decrypt a randomly chosen plaintext/ciphertext with probability more than $2^{-Z}$ given code (tables) of size less than M
Space-hardness does not make code lifting impossible, but harder to carry out in practice

Space-Hardness of WEM [1/2]
First, we evaluate the space-hardness of WEM(128, 16, r, AES-128, 5)
Goal: determine the minimal value of r for achieving (T/4, 112)-space hardness, where T is the size of a 16-bit S-box in 16-bit words
CASE 1: the adversary encrypts a random plaintext using only the known S-box entries
— The probability of this is $2^{-2 \cdot 8r}$; requiring it to be below $2^{-128}$ gives r = 9
CASE 2: the adversary encrypts a random plaintext by guessing the entries of the several S-boxes he misses
— He can miss at most 8 S-box entries with non-negligible probability ($\because 2^{-15 \cdot 9} < 2^{-128}$)
— Overall, he must pick the other (8r − 8) S-box entries among the known entries
— Therefore we can take r ≥ 12 ($\because 2^{-2(8r-8)} \cdot \binom{8r}{8} < 2^{-128}$)

Space-Hardness of WEM [2/2]
Generally, we evaluate the space-hardness of a block cipher with m-bit S-boxes and k S-boxes per layer (k = n/m)
Goal: determine the minimal value of r for $(2^{-\alpha} T,\ n - \log T)$-space hardness
An adversary can miss only k S-box entries with very low probability
We can take r (> m/α) such that $2^{-\alpha(kr-k)} \cdot \binom{kr}{k} < 2^{-km}$
Taking logarithms and using $\binom{kr}{k} < (kr)^k$:
$-\alpha(kr - k) + k \log k + k \log r < -km$
Dividing by $\alpha k$:
$-r + 1 + \frac{\log k}{\alpha} + \frac{\log r}{\alpha} < -\frac{m}{\alpha}$
$\therefore\ r - \frac{\log r}{\alpha} > \frac{m}{\alpha} + \frac{\log k}{\alpha} + 1$

Comparison to previous primitives [1/2]
We can evaluate the space-hardness of the WhiteBlock structure in the same way
This cipher uses m-to-64-bit S-boxes, k of them per round (k·m = 64)
An adversary can miss only one S-box entry with very low probability ($\because 2^{-64 \cdot 2} \le 2^{-128}$)
Overall, he must pick (kr − k) known S-box entries in r − 1 rounds
Therefore we can take r (≥ 2m/α) such that $2^{-\alpha(kr-k)} \cdot \binom{r}{r-1} < 2^{-2km}$, i.e.
$-\alpha(kr - k) + \log r < -2km$
$\therefore\ r - \frac{\log r}{\alpha k} > \frac{2m}{\alpha} + 1$
[Figure: one WhiteBlock round with k m-to-64-bit S-boxes, k·m = 64]
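The round-count conditions from the last three slides (CASE 1 and CASE 2 for WEM-16, the general WEM bound, and the WhiteBlock bound), evaluated numerically as an added worked example written for this page (not the authors' code). alpha is the slides' α (α = 2 for tables of size T/4) and log is base 2 as on the slides; the WhiteBlock branch width of 64 bits is taken from the slide.

```python
from math import comb, log2

# Added example for this page (not the authors' code): the space-hardness round
# counts from the slides.  alpha: the adversary holds a 2^-alpha fraction of every
# table, so a random S-box entry is known with probability 2^-alpha.

def case1_rounds(n: int, m: int, alpha: int) -> int:
    """CASE 1: all k*r looked-up entries must be known, i.e. 2^(-alpha*k*r) < 2^-n."""
    k = n // m
    r = 1
    while alpha * k * r <= n:
        r += 1
    return r

def wem_rounds_exact(n: int, m: int, alpha: int) -> int:
    """CASE 2: smallest r with 2^(-alpha(kr-k)) * C(kr, k) < 2^(-km).
    The adversary may guess up to k entries, in any of C(kr, k) positions, and must
    know the remaining kr-k."""
    k = n // m
    r = 1
    while -alpha * (k * r - k) + log2(comb(k * r, k)) >= -k * m:
        r += 1
    return r

def wem_rounds_bound(n: int, m: int, alpha: int) -> int:
    """The slides' bound r - log(r)/alpha > m/alpha + log(k)/alpha + 1, from C(kr,k) < (kr)^k."""
    k = n // m
    r = 1
    while r - log2(r) / alpha <= m / alpha + log2(k) / alpha + 1:
        r += 1
    return r

def whiteblock_rounds_bound(m: int, alpha: int, branch_bits: int = 64) -> int:
    """The WhiteBlock slide's bound r - log(r)/(alpha*k) > 2m/alpha + 1 with k*m = branch_bits."""
    k = branch_bits // m
    r = 1
    while r - log2(r) / (alpha * k) <= 2 * m / alpha + 1:
        r += 1
    return r
```

For WEM(128, 16, r, AES-128, 5) with α = 2, CASE 1 gives r = 9 and the exact CASE 2 condition gives r = 12, both as on the slide; the looser logarithmic bound gives r = 13, and the comparison table on the next slide lists only its leading term m/α = 8. The WhiteBlock bound gives r = 18 for 16-bit S-boxes, matching the Asiacrypt 2016 column of that table.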

Comparison to previous primitives [2/2]
Summary of bounds for space-hardness (the number of rounds)
We only quote the evaluation results for the SPACE family from [ACM-CCS’15], because this cipher differs from WEM significantly
We can reduce the number of rounds in our primitives by using an SP network
S-box size | WEM (this paper, m/α) | WhiteBlock (this paper, 2m/α) | WhiteBlock (Asiacrypt 2016) | SPACE (ACM-CCS 2015) | WB security
8-bit | 4 | 8 | - | 300 | (T/4, 120)
16-bit | 8 | 16 | 18 | 128 | (T/4, 112)
32-bit | 16 | 32 | 34 | 128 | (T/4, 96)

Conclusions [1/2]
We presented WEM, a new family of white-box primitives
It combines the iterated EM construction with incompressible S-boxes and a round-reduced variant of an existing block cipher (e.g., AES)
This structure gives good performance together with security confidence in the BBM
The security in the WBM is based on the provable randomness of the Fisher-Yates shuffle output

Conclusions [2/2]
Our cipher is based on an SP network
This structure allows reducing the number of rounds for the same space-hardness level, in contrast with previous primitives based on the Feistel construction (e.g., SPACE, WhiteBlock)
If the S-boxes can be applied in parallel, the cipher becomes faster still
Performance
Primitive | CPB | Table size | Platform
WEM(128, 16, 12, AES-128, 5) | 96.8 | $2^{17}$ bytes | i7-5500U (2.4 GHz, without AES-NI)
WhiteBlock-16 (HOUND-16) | 140 | $2^{19}$ bytes | Xeon E5-1603v3 (2.8 GHz, with AES-NI)
CPB: cycles per byte