Real World Crypto 2021 - Session 11: Cryptocurrency
Session video
Omer Schlomovits (ZenGo) / Attacking Threshold Wallets / video slides
Threshold wallets are based on Threshold Signing, an application of MPC. In threshold signing:
- a signing key split into ‘n’ shares.
- Threshold t < n.
- t+1 shares is enough to make a signature, but <=t shares is useless.
Attack 1: “Forget and Forgive”
- vulnerability in ‘secret re-sharing protocol’
- committee who hold key shares, during a sk update & reshare, have to verify the share they receive. If valid, they overwrite their old share
- attack based on sending valid shares to a subset of the committee, and invalid shares to the rest
- applications: forever lock some money; cause money to be lost; extort money.
- fix is to require a final ACK round so that everyone only updates their share if everyone previous reported that validation succeeded.
Attack 2:" Golden Shoe"
- This was a bit too mathematical for me to capture!
Christian Badertscher/Philipp Kant (IOHK/Cardano) / From Crypto-Paper to Crypto-Currency: the Cardano Consensus Layer / video slides
IOHK have a rather pretty website involving interactive fractal graphics!
At the heart of Cardano is Ouroboros, the algorithm that underpins the Ada cryptocurrency.
Protocol execution model for distributed computation over a network:
- interactive machines
- formalizations of assumed resources e.g. network, clock, random oracle,
- byzantine behaviour (under attack)
- rational behaviour (people have good reasons to want to use honestly)
- machine failures
If your security model has captured all properties then security proofs should be meaningful in practice.
?? Ouroboros: Nakamoto-style proof-of-stake blockchain protocol realizing a ledger
(since 2017) Has gone through 6 iterations of improvement, switching between experiences gained in implementation, and returning to theory to address findings
?? Property-based testing. Once properties are described, random inputs generated, and test that desired properties still hold. If they don’t you drill down through the inputs until you isolate the problem with some specific inputs
Risk of system collapse or takeover when transitioning from a small scale test sytem to a much more decentralised one! Need to do this gradually.
Bernardo David (ITU Copenhagen) / Alice in Randomland: How to Build and Use Distributed Randomness Beacons / paper video
What is a randomness beacon?
- decentralixed setting: can’t trust a central authority to generate randomness
- so rnd beacon protocols , which are unpredictable and unbiasable, help parties generate random outputs.
- they must be publicly verifiable so anyone can check for correct functioning,
- and must have guarnateed outputs as other systems depend on them
What are their important parameters?
- does protocol require any setup, like a zk-snark does?
- how do we know how random the outputs can be, what bias may exist?
- how complex? what security guarantees
Construction 1: Publicly Verifiable Sercret Sharing (PVSS)
- depends on a PKI. outputs uniform randomness. ex. ALBATRROSS
- However: quadratic complexity
- Used in Cardano first version for Ouroboros
Construction 2: Verifiable Random Function
- also depends on a PKI. output randomness can be biased by adversary
- advantage; O[n] complexity. its good to incude on a blockchain
- Used in secret leader election in proof-of-stake protocols
- Used in AlgoRand and current Cardano
Construction 3: Threshold VRFs
- complex setup, requires distributed key generation.
- output randomness is uniform pseudorand
- O[n] complexity. However: as pseudo random eventually will repeat so needs seed to be refreshed occasionally
- Used in: GLOW, DRAND
Construction 4: Time-based primitives
- e.g. time-lock puzzles, verifiable delay functions
- Setup: elaborate setup which could be attacked
- output randomness is uniform; compliexity is O[n] for comms but computational depends on network.
- This isn’t yet well-understood!
- Use in: any app that needs randomness, e.g. VDF Alliance (Etherium)
These could be combined, e.g. using C1 to reseed C3