Blockchain and Smart Contract Long Term Security (updated)

Copyright © 2016 Peter Robinson
Blockchain and Smart Contract Long Term Security
Peter Robinson, peter.robinson@sent.com
Updated November 18, 2016

Overview
▪ Distributed Ledger and Smart Contract systems have as an underlying
assumption that once transactions are in a block chain, they are locked-in forever.
▪ This presentation analyses whether this immutability can actually be delivered in
the long term, given increasing traditional computational power, the emergence of
quantum computing, and the possibility of cryptographic algorithmic flaws.
▪ Additionally, an idea about distributed systems security is presented.
2

Caveat on results in these slides
▪ Tentative results are presented herein.
▪ More detailed analysis is needed.
3

Agenda
▪ Blockchain and Smart Contract Platforms Long Term Security:
▪ Cryptography and Cryptanalysis.
▪ Blockchain Platforms and Cryptanalysis.
▪ Mitigations.
▪ Mitigation for Active Attacks against Distributed Systems.
4

Cryptography &
Cryptanalysis

Cryptography: Algorithms
▪ Digest Algorithm (Hash): SHA256, SHA512, RIPEMD160, KECCAK, SHA3/256:
▪ Variable length input -> Fixed Length Output.
▪ Signing: ECDSA (secp256k1)/Digest Algorithm, RSA/Digest Algorithm:
▪ Sign with private key, verify with public key.
6

Cryptography: Message Digests / Hashes
7
?
Preimage
Resistance
Hash
n
h(x)
x
Second Preimage
Resistance
Hash
n
h(x)
?
Hash
h(x’)
≠
=
?
Collision
Resistance
Hash
n/2
h(x)
?
Hash
h(x’)
≠
=

Cryptography: Signatures
▪ Forgeability: Recover private key from public key.
▪ Non-repudiation: Have two public keys P1 and P2 which verify the same
signature.
▪ Integrity: Have two message digests M1 and M2 which when signed with public
key P result in the same signature.
8

Cryptography: Security Strength
(Assuming no Quantum Cryptanalysis)
9
Security
Strength
RSA ECC Hash
Preimage
Hash
Collision
80 1024 RIPEMD160
112 2048
128 3072 secp256k1 SHA256, Keccak-256,
SHA512/256
160 RIPEMD160
256 SHA256, Keccak-256,
SHA512/256
SHA512
SHA3,512
512 SHA512
SHA3,512

Traditional Computing Power
10
Ref 1: http://www.extremetech.com/wp-content/uploads/2015/04/MooresLaw2.png

Security
Strength
RSA ECC Hash
Preimage
Hash
Collision
80 1024 RIPEMD160
112 2048
128 3072 secp256k1 SHA256, Keccak-256,
SHA512/256
160 RIPEMD160
256 SHA256, Keccak-256,
SHA512/256
SHA512, SHA3,512
512 SHA512, SHA3,512
assuming no Quantum Cryptanalysis
11
2010
2030?

Quantum Cryptanalysis
▪ Shor’s Algorithm: Allows ECC private key to be calculated from ECC public key.
▪ Gover’s Algorithm: Allows algorithms to be executed in square-root time:
▪ Affects message digest algorithms and symmetric key algorithms.
▪ Security Strength after Quantum = (Security Strength Before Quantum) / 2
12

Quantum Cryptanalysis
▪ When will Quantum Computing and Quantum Cryptanalysis be a reality?
▪ Michele Mosca, Institute for Quantum Computing and Department of
Combinatorics and Optimization, University of Waterloo, said2:
▪ “I estimate a 1/7 chance of breaking RSA-2048 by 2026 and a 1/2 chance by 2031”
▪ Predicts a “Moore’s Law” type of increase in capability.
13
Ref 2: Mosca, M. (2015) “Cybersecurity in an era with quantum computers: will we be ready?”
Available: https://eprint.iacr.org/2015/1075.pdf

assuming Quantum Cryptanalysis
14
Security
Strength*
RSA ECC Hash
Preimage
Hash
Collision
4 5
19 secp256k1
26 2048
40 RIPEMD160
64 SHA256, Keccak-256,
SHA512/256
80 RIPEMD160
128 SHA256, Keccak-256,
SHA512/256
SHA512, SHA3,512
256 SHA512, SHA3,512
2012
*: Shor algorithm security strength calculated as log2(K * K * log(K) * log(log(K)))
Late 2020s
or 2030s?

Cryptographic Algorithmic Flaws
15
Ref 3: Preneel, B. (2013) “Introduction to the Design and Cryptanalysis of Cryptographic Hash Functions”
Available: https://www.cosic.esat.kuleuven.be/summer_school_albena/slides/preneel_hash_july2013_shortv1_print.pdf

Blockchain Platforms and
Cryptanalysis

Three Attack Scenarios
▪ Attack existing blocks.
▪ Attacking new blocks as they are being made:
▪ Miners either altering transactions being included in blocks or being able to always mine
the best block.
▪ Users either craft transactions masquerading as other users or craft transactions to
double spend.
17

Bitcoin: Cryptographic Usage4
▪ Main Hash: HM(x) = SHA256(SHA256(x))
▪ Address Hash: HA(x) = RIPEMD160(SHA256(x))
▪ Key Pairs: ECC using secp256k1 curve.
▪ Signatures: ECDSA, with Main Hash.
18
Ref 4: Giechaskiel, I., Cremers, C., Rasmussen, K. (2016) “On Bitcoin Security in the Presence of Broken Crypto Primitives”

Ripple Cryptographic Usage
▪ Main Hash: HM(x) = 256 bit truncated SHA512(x)
▪ Address Hash: HA(x) = RIPEMD160(SHA256(x))
19

Ethereum Cryptographic Usage
▪ Main Hash: HM(x) = KECCAK-256(x)
▪ Address Hash: HA(x) = 160 bit truncated KECCAK-256(x)
20

21
Security
Strength
Hash
Preimage
Hash
Second Preimage
Hash
Collision
40 Keccak-256/160,
RIPEMD160(SHA256(x))
64 SHA256(SHA256(x)),
Keccak-256, SHA512/256
80 Keccak-256/160 Keccak-256/160,
128 SHA512/256 SHA256(SHA256(x)),
208 RIPEMD160(SHA256(x))
256 SHA256(SHA256(x))

Attack Existing Blocks
Message Digest Algorithm Issues
Breakage Address Hash (HA) Main Hash (HM)
Collision None None
Second pre-image Repudiate transaction Repudiate transaction
Pre-image
Uncover public key associated
with address None
22

Attack Existing Blocks
Signature Algorithm Issues
Breakage Effect
Selective forgery
Determine private key based on public
key, then execute transactions
Integrity break Repudiate transaction
Repudiation None
23

Miner Attack
Collision Repudiate transaction
Double spend and execute
transactions and then
repudiate them
Second pre-image Repudiate transaction
repudiate them
Pre-image
Uncover public key associated
with address
Complete failure of the
blockchain: be able to
determine best block more
easily than other miners.
24

Miner Attack
Breakage Effect
Selective forgery
Determine private key based on
public key, then execute transactions
Integrity break Repudiate transaction
Repudiation None
25

User Attack
Collision Repudiate transaction
repudiate them
Second pre-image Repudiate transaction
repudiate them
Pre-image
Uncover key associated with
address None
26

User Attack
Breakage Effect
Selective forgery None
Integrity break
Execute transactions and then
repudiate them
Repudiation
Execute transactions and then
repudiate them
27

Mitigations

Mitigations: Better Use of Existing Algorithms
▪ Use stronger algorithms for Address Hash and Main Hash.
▪ Address Hash:
▪ SHA 512(SHA 512(x)) or
▪ SHA3/512(x)
▪ Main Hash:
▪ SHA 512(SHA 512(x)) or
▪ SHA3/512(x)
29

30
Security
Strength
Hash
Preimage
Hash
Second Preimage
Hash
Collision
40 Keccak-256/160,
64 SHA256(SHA256(x)),
80 Keccak-256/160 Keccak-256/160,
128 SHA512/256 SHA256(SHA256(x)),
SHA 512(SHA 512(x)),
SHA3/512(x)
208 RIPEMD160(SHA256(x))
256 SHA256(SHA256(x)), SHA3/512(x) SHA 512(SHA 512(x)), SHA3/512(x)
512 SHA 512(SHA 512(x))

Mitigations: Post-Quantum
▪ USA’s NIST are looking to standardize post-quantum algorithms by 20225.
▪ Lattice Based Signature Algorithms:
▪ Different type of mathematics to RSA and ECC.
▪ Historically, Lattice based algorithms have been found to be not as strong as first
thought after two to five years of cryptanalysis.
▪ Sphincs:
▪ Based on well understood message digest algorithms.
▪ Larger public keys, private keys and signatures.
31
Ref 5: http://csrc.nist.gov/groups/ST/post-quantum-crypto/documents/pqcrypto-2016-presentation.pdf

Mitigations: Be Prepared to Change
▪ Blockchain platforms need to have migration plans in place.
▪ Allow for multiple algorithms:
▪ Should allow for faster transition in case of a sudden event: stop accepting transactions
which use one algorithm.
▪ Can lead to downgrade attacks.
▪ Learn from other domains such as Transport Layer Security.
▪ Plan for:
▪ Larger signatures and larger identifiers.
▪ Re-sign entire blockchain.
▪ Roll-over all keys to newer algorithms.
32

Mitigation for
Active Attacks against
Distributed Systems

Using Blockchain to provide
Defence in Depth against Active Attacks
▪ Web applications and SaaS can be delivered as scalable cloud services.
▪ These services can be viewed as distributed systems.
▪ Active attackers may Powerfully Own (POWN) parts of the distributed system.
▪ Distributed Ledgers could be used as a resilient distributed database.
▪ Challenges:
▪ Performance.
▪ Non-proof of work consensus algorithms which are resilient to active attack.
▪ Dynamic scaling.
34

Closing

Future Work
▪ More detailed analysis to verify the results presented herein.
▪ Hyper Ledger needs to be reviewed.
▪ Proof of Stake protocols need to be considered.
36

Summary
▪ Cryptography is a dynamic field. Things change:
▪ Quantum Cryptanalysis may become a reality.
▪ Processing power is still ever increasing despite declarations, “Moore’s Law is dead”.
▪ Breaks in cryptographic algorithms happen from time to time.
▪ Plan for change:
▪ Do mitigation planning and determine migration paths.
▪ Start executing changes now which can be done now.
37

Questions
38

Blockchain and Smart Contract Long Term Security (updated)

More Related Content

Viewers also liked (20)

Similar to Blockchain and Smart Contract Long Term Security (updated) (20)

Recently uploaded (20)

Blockchain and Smart Contract Long Term Security (updated)