CSE446 Lecture 3

Blockchain and Cryptocurrencies third lesson

Uploaded by

faiyaz.masrur

CSE446: Blockchain & Cryptocurrencies

Lecture – 3: Cryptography Review


Agenda
• Cryptography review
• Cryptographic hash functions
• Symmetric encryption
• Asymmetric encryption (Public-key encryption)
• Digital signature
• Merkle tree

This lecture has been prepared from multiple sources:
• Textbook
• https://github.com/PratyushRT/blockchainsS21/wiki
• https://github.com/sebischair/bbse
Cryptographic hash function: puzzle-friendliness
• A hash function H is said to be puzzle-friendly if
• for every possible n-bit output value y, if k is chosen from a distribution with high min-entropy,
• then it is infeasible to find x such that H(k ǁ x) = y in time significantly less than 2^n
• If a hash function is puzzle friendly, then there is no solving strategy for this type of puzzle that is much better than trying random values of x
Puzzle-friendliness: application
• Search puzzle
• Consists of:
• A hash function H: Computes the puzzle results
• A value id: puzzle-ID (makes solutions to the puzzle unique; should not be known in advance, otherwise pre-computation is possible)
• A target set Y; for a valid solution z, 𝑧 ∈ 𝑌
• Computation: z = H(puzzle-ID || x)
• x changes until 𝑧 ∈ 𝑌
Puzzle-friendliness: application
Figure: H(.) maps the inputs ID || x, ID || x + 1, ID || x + 2, ID || x + 3 from the input space to the output space, which contains the target set Y.
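
The search puzzle above as a runnable sketch. This is an added example, not part of the lecture slides; it assumes H = SHA-256 and a target set Y of all outputs with a given number of leading zero bits, and the function names are illustrative.

```python
import hashlib
import os

def puzzle_hash(puzzle_id: bytes, x: int) -> bytes:
    """z = H(puzzle-ID || x), with H = SHA-256 and x encoded as 8 bytes."""
    return hashlib.sha256(puzzle_id + x.to_bytes(8, "big")).digest()

def in_target_set(z: bytes, difficulty_bits: int) -> bool:
    """Assumed target set Y: all outputs with `difficulty_bits` leading zero bits."""
    return int.from_bytes(z, "big") < (1 << (256 - difficulty_bits))

def solve(puzzle_id: bytes, difficulty_bits: int, max_tries: int = 1 << 24):
    """Try x = 0, 1, 2, ... until z lands in Y; return (x, z, tries)."""
    for x in range(max_tries):
        z = puzzle_hash(puzzle_id, x)
        if in_target_set(z, difficulty_bits):
            return x, z, x + 1
    raise RuntimeError("no solution found within max_tries")

def verify(puzzle_id: bytes, x: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash, however long the search took."""
    return in_target_set(puzzle_hash(puzzle_id, x), difficulty_bits)

if __name__ == "__main__":
    # A fresh, high min-entropy puzzle-ID rules out pre-computed solutions.
    puzzle_id = os.urandom(32)
    for bits in (8, 12, 16):
        x, z, tries = solve(puzzle_id, bits)
        print(f"{bits:2d} bits: x={x:6d} tries={tries:6d} z={z.hex()[:16]}...")
        assert verify(puzzle_id, x, bits)
```

Each extra difficulty bit halves the size of Y and doubles the expected number of tries, while verification stays at a single hash.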
Family of hash functions
• MD5 (Message Digest 5) -> Currently considered broken!
• Secure Hashing Algorithm 1 (SHA-1) -> Currently considered
broken!
• Secure Hashing Algorithm 2/3 (SHA-2/3) -> safe to use, SHA-3 preferable
SHA-256 (SHA-2)
Break the message into multiples of 512 bits; pad 0s in the last block to make it a 512-bit block

Merkle-Damgard Construction

Theorem [Merkle-Damgard]: If c is collision-resistant, then SHA-256 is collision-resistant

Figure: https://www.mdpi.com/entropy/entropy-21-00577/article_deploy/html/images/entropy-21-00577-g001-550.jpg
Hash pointer
1.2 Hash Pointers and Data Structures
In this section, we're going to discuss hash pointers and their applications. A hash pointer is a data structure that turns out to be useful in many of the systems that we will talk about. A hash pointer is simply a pointer to where some information is stored together with a cryptographic hash of the information. Whereas a regular pointer gives you a way to retrieve the information, a hash pointer also gives you a way to verify that the information hasn't changed.
• A hash pointer is
• a pointer to where some information is stored
• together with a cryptographic hash of the information
• We can use a hash pointer
• to get the info back, and
• to verify that it hasn't changed
Figure 1.4 Hash pointer. A hash pointer is a pointer to where data is stored together with a cryptographic hash of the value of that data at some fixed point in time.
Linked list with hash pointer

Figure 1.5 Block chain. A block chain is a linked list that is built with hash pointers instead of pointers.
Tamper-evident log
Linked list with hash pointer

Figure 1.6 Tamper-evident log. If an adversary modifies data anywhere in the block chain, it will result in the hash pointer in the following block being incorrect. If we store the head of the list, then even if the adversary modifies all of the pointers to be consistent with the modified data, the head pointer
Linked list with hash pointer

Blockchain!

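
The tamper-evident log described in Figures 1.5 and 1.6, as an added example that is not part of the lecture slides. It assumes SHA-256, an all-zero hash pointer in the first block, and illustrative function names; the log entries are constructed sample data.

```python
import hashlib

GENESIS = b"\x00" * 32  # assumed "null" hash pointer stored in the first block

def block_hash(block: dict) -> bytes:
    """Hash of a whole block: its hash pointer to the predecessor plus its data."""
    return hashlib.sha256(block["prev"] + block["data"]).digest()

def append(chain: list, data: bytes) -> bytes:
    """Add a block pointing at the current last block; return the new head hash."""
    prev = block_hash(chain[-1]) if chain else GENESIS
    chain.append({"prev": prev, "data": data})
    return block_hash(chain[-1])

def first_bad_block(chain: list, trusted_head: bytes):
    """Follow hash pointers from the trusted head back to the first block.

    Returns the index of the first block whose hash does not match the pointer
    that refers to it, or None if the whole log is intact.
    """
    expected = trusted_head
    for i in range(len(chain) - 1, -1, -1):
        if block_hash(chain[i]) != expected:
            return i
        expected = chain[i]["prev"]
    return None if expected == GENESIS else -1  # -1: log does not start at genesis

def relink_from(chain: list, start: int) -> None:
    """Recompute every pointer from `start` on, as in the Figure 1.6 scenario."""
    for i in range(start, len(chain)):
        chain[i]["prev"] = block_hash(chain[i - 1])

if __name__ == "__main__":
    log, head = [], GENESIS
    for entry in (b"alice pays bob 5", b"bob pays carol 2", b"carol pays dave 1"):
        head = append(log, entry)  # constructed sample entries
    print("intact:", first_bad_block(log, head))
    log[0]["data"] = b"alice pays bob 500"
    print("block 0 edited:", first_bad_block(log, head))
    relink_from(log, 1)
    print("edited and relinked:", first_bad_block(log, head))
```

After relinking, the list is internally consistent again, so the edit is only caught because the verifier compares against a head hash it stored itself.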
Merkle tree
• A Merkle Tree (due to Ralph Merkle) is a data structure using
cryptographic hashes, basically a binary tree with hash pointers
• It is used as an efficient and secure way to verify large data
structures
• It especially provides an efficient way to
• prove that a certain data block is contained in a Merkle Tree (Proof of
Membership) in O(log n) time/space
• prove that a certain data block is not contained in a sorted Merkle
Tree (Proof of Non Membership) in O(log n) time/space
Merkle tree

Figure 1.7 Merkle tree. In a Merkle tree, data blocks are grouped in pairs and the hash of each of
Merkle tree (proof of membership)

Figure: https://drek4537l1klr.cloudfront.net/wong/v-9/Figures/proof_of_membership.png
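
A proof of membership in code, as an added example that is not part of the lecture slides. It assumes SHA-256, carries an unpaired node up unchanged, and adds the 0x00/0x01 leaf/inner prefixes used in RFC 6962 so that an inner node cannot be passed off as a data block; all names are illustrative.

```python
import hashlib

def leaf_hash(block: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + block).digest()   # 0x00 marks a data block

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 marks an inner node

def build_levels(blocks):
    """Return every level, leaves first; an unpaired node is carried up unchanged."""
    if not blocks:
        raise ValueError("a Merkle tree needs at least one data block")
    level = [leaf_hash(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            pair = level[i:i + 2]
            nxt.append(node_hash(*pair) if len(pair) == 2 else pair[0])
        level = nxt
        levels.append(level)
    return levels

def membership_proof(levels, index):
    """Sibling hashes on the path from leaf `index` to the root: O(log n) items."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))  # (hash, sibling is left)
        index //= 2
    return proof

def verify_membership(block: bytes, proof, root: bytes) -> bool:
    """Recompute the root from the block and its proof; no other blocks are needed."""
    node = leaf_hash(block)
    for sibling, sibling_is_left in proof:
        node = node_hash(sibling, node) if sibling_is_left else node_hash(node, sibling)
    return node == root

if __name__ == "__main__":
    blocks = [f"tx{i}".encode() for i in range(5)]  # constructed sample data
    levels = build_levels(blocks)
    root = levels[-1][0]
    proof = membership_proof(levels, 2)
    print(len(proof), verify_membership(b"tx2", proof, root),
          verify_membership(b"tx9", proof, root))
```

The verifier only needs the root, the block and the sibling hashes, which is where the O(log n) bound on the slide comes from.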
Bloom filter
• A Bloom filter is a probabilistic data structure which allows testing whether an element is a member of a set
• How would you check if an element is a member of a set?

Traditional approach: e ∈ S?

Set S: Apple; Apricot; Avocado; Banana; Blackberry; Blueberry; Coconut; Cranberry; Cucumber; Damson; Dragonfruit; Grape; Raisin; Grapefruit; Lemon; Lime; Lychee; Mango; Melon; Cantaloupe; Honeydew; Watermelon; Miracle fruit

Element e: Lime

➔ If the set grows larger, membership checks for multiple items can be time-consuming
Bloom filter
Example: Recommend articles in a news page the user has not seen.

You are the web developer for the website of a newspaper. At the bottom of each article, the website displays recommended articles for the user to read. The algorithm for good recommendations already works fine, but it does not take into account whether an article has already been read. If it has, it should not be displayed.

With thousands of individual users each month who read many stories over time, storing all reads and testing if an article is in this set is too slow for a good surfing experience on the website of the newspaper.

What to do?

02 Cryptographic Basics - Gallersdörfer, U., Holl, P., & Matthes, F. (2020). "Blockchain-based Systems Engineering". Lecture Slides. TU Munich. CC BY-SA 4.0
Bloom filter
• A Bloom filter is a probabilistic data structure which allows testing whether 𝑒 ∈ 𝑆
• It is set up as a bit array
• A query to the filter either returns
• True (“e possibly in set S”)
• False (“e definitely not in set S”)

Structure of a Bloom Filter
• n=16 baskets: 0 1 2 3 4 5 6 7 8 9 A B C D E F (each basket equals zero or one)
• h=3 hash functions¹: h1= MD5{0}, h2= SHA-1{0}, h3= SHA-2{0}
¹ For simplicity, we only consider the first character of the resulting hash.

Bloom Filters were introduced in Bitcoin in 2012 with the BIP 37. We will learn about BIPs later.
Further information about Bloom Filters: Gervais, Arthur, et al. "On the privacy provisions of bloom filters in lightweight bitcoin clients." Proceedings of the 30th Annual Computer Security Applications Conference. ACM, 2014.

Bloom filter: phase 0
Set S: empty
Element e: empty
Hash functions: h1= MD5{0}, h2= SHA-1{0}, h3= SHA-2{0}
Hashing results: h1= , h2= , h3=
Explicit State (buckets): 0 1 2 3 4 5 6 7 8 9 A B C D E F

Phase 0: Filter Setup
The filter is initialized with n buckets (0 → n-1). Each bucket is filled with zero. The hash-functions are defined.

This box explains every step.

Bloom filter: phase 1
Set S: apple
Element e: apple
Hash functions: h1= MD5{0}, h2= SHA-1{0}, h3= SHA-2{0}
Hashing results: h1= 1F3870BE274F6…, h2= D0BE2DC421BE…, h3= 3A7BD3E2360A…
Explicit State (buckets): 0 1 2 3 4 5 6 7 8 9 A B C D E F

Phase 1: Element addition (e=“apple”)
We add our first element to the filter. We hash it with three different hash functions (h1, h2, h3) and set their corresponding buckets to one. The following buckets are set to one: 1, 3, and D.

Bloom filter: phase 1
Set S: apple; lime
Element e: lime
Hash functions: h1= MD5{0}, h2= SHA-1{0}, h3= SHA-2{0}
Hashing results: h1= 6, h2= C, h3= E
Explicit State (buckets): 0 1 2 3 4 5 6 7 8 9 A B C D E F

Phase 1: Element addition (e=“lime”)
We add our second element to the filter. We hash it with three different hash functions (h1, h2, h3) and set their corresponding buckets to one. The following buckets are set to one: 6, C, and E.

Bloom filter: phase 1
Set S: apple; lime; lemon
Element e: lemon
Hash functions: h1= MD5{0}, h2= SHA-1{0}, h3= SHA-2{0}
Hashing results: h1= 3, h2= D, h3= F
Explicit State (buckets): 0 1 2 3 4 5 6 7 8 9 A B C D E F

Phase 1: Element addition (e=“lemon”)
We add our third element to the filter. Again, we hash it. This time, two out of three buckets are already set to one. These buckets remain at one.

Bloom filter: phase 2
Set S: apple; lime; lemon
Element search: apple
Hash functions: h1= MD5{0}, h2= SHA-1{0}, h3= SHA-2{0}
Hashing results: h1= 1, h2= D, h3= 3
Explicit State (buckets): 0 1 2 3 4 5 6 7 8 9 A B C D E F

Phase 2: Element Validation (e=“apple”)
Now we are able to search if an element is contained in the bloom filter. We added the apple before, therefore we receive true from the filter.

Bloom filter: phase 2
Set S: apple; lime; lemon
Element search: mango
Hash functions: h1= MD5{0}, h2= SHA-1{0}, h3= SHA-2{0}
Hashing results: h1= A, h2= 9, h3= 6
Explicit State (buckets): 0 1 2 3 4 5 6 7 8 9 A B C D E F

Phase 2: Element Validation (e=“mango”)
Is “mango” contained in the set? Hashing mango results in A, 9, and 6, of which only one bucket is set to one.

All h buckets have to be set to one for a match.

Bloom filter: phase 2
Set S: apple; lime; lemon
Element search: grapefruit
Hash functions: h1= MD5{0}, h2= SHA-1{0}, h3= SHA-2{0}
Hashing results: h1= 6, h2= F, h3= E
Explicit State (buckets): 0 1 2 3 4 5 6 7 8 9 A B C D E F

Phase 2: Element Validation (e=“grapefruit”)
Other elements might generate a false positive, as their buckets might be filled by chance. This is the case with grapefruit, as the functions generate the hashes 6, F, and E.

False positive generations occur in Bloom filters. The probability of their occurrence depends on the number of buckets n and the number of hash functions h.
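
The three phases above in code, using the slides' construction (16 buckets, first hex character of MD5, SHA-1 and SHA-256). This is an added example, not part of the lecture slides; the class and function names, the probe strings and the false-positive approximation are additions, and the approximation is the standard textbook one rather than a formula from the slides.

```python
import hashlib

HASH_FUNCTIONS = (hashlib.md5, hashlib.sha1, hashlib.sha256)  # h1, h2, h3
N_BUCKETS = 16  # one bucket per hex character 0..F

def bucket_indices(element: str):
    """One bucket per hash function: the first hex character of each digest."""
    data = element.encode()
    return [int(fn(data).hexdigest()[0], 16) for fn in HASH_FUNCTIONS]

class BloomFilter:
    def __init__(self):
        self.buckets = [0] * N_BUCKETS          # phase 0: all buckets zero

    def add(self, element: str) -> None:        # phase 1: element addition
        for i in bucket_indices(element):
            self.buckets[i] = 1

    def query(self, element: str) -> bool:      # phase 2: element validation
        """True = possibly in set, False = definitely not in set."""
        return all(self.buckets[i] for i in bucket_indices(element))

def expected_false_positive_rate(n: int, h: int, m: int) -> float:
    """Standard approximation (not from the slides) after inserting m elements."""
    return (1 - (1 - 1 / n) ** (h * m)) ** h

def measured_false_positive_rate(bloom: BloomFilter, members, probes) -> float:
    """Share of probes that are not members but still get True from the filter."""
    outsiders = [p for p in probes if p not in members]
    return sum(bloom.query(p) for p in outsiders) / len(outsiders)

if __name__ == "__main__":
    members = ["apple", "lime", "lemon"]
    bloom = BloomFilter()
    for fruit in members:
        bloom.add(fruit)
        print(fruit, [format(i, "X") for i in bucket_indices(fruit)])
    print("state:", "".join(map(str, bloom.buckets)))
    probes = [f"fruit-{i}" for i in range(2000)]  # constructed non-members
    print("measured:", measured_false_positive_rate(bloom, members, probes))
    print("expected:", round(expected_false_positive_rate(N_BUCKETS, 3, 3), 4))
```

A filter never returns False for an element that was added; only the True answers are uncertain, and they get less reliable as more buckets fill up.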
Bloom filter
Solved: Recommend articles in a news page the user has not seen.

What to do?

▪ Store a bloom filter for each user.
▪ Add each read story to the filter.
▪ Check the filter to find out if a story has been read:
▪ True: Do not display story
▪ False: Display story and store in filter

Why are false positives not a problem in this case?

Symmetric encryption
Figure 3.1 Simplified Model of Symmetric Encryption (Section 3.1, Symmetric Cipher Model). The plaintext input X enters the encryption algorithm (e.g., AES), which produces the transmitted ciphertext Y = E(K, X); the decryption algorithm (reverse of encryption algorithm) recovers the plaintext output X = D(K, Y). The secret key K is shared by sender and recipient.
The main issue is key-management!
■ Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different ciphertexts. The ciphertext is an apparently random
Symmetric encryption
Figure 3.2 Model of Symmetric Cryptosystem (Chapter 3, Classical Encryption Techniques). The message source emits X; the encryption algorithm produces Y = E(K, X); the decryption algorithm returns X to the destination. The key source supplies K and passes it to the other side over a secure channel. The figure also shows a cryptanalyst, labelled X and K.

AES is currently the most widely used symmetric encryption
the binary alphabet {0, 1} is typically used. For encryption, a key of the form K = [K1, K2, …, KJ] is generated. If the key is generated at the message source, then it must also be provided to the destination by means of some secure channel. Alternatively, a third party could generate the key and securely deliver it to both
Public key cryptography: encryption
Participants: Bob and Alice; public keys are shared via a key server or other methods.
1. Generate key-pairs (public key, private key)
2. Share public key
3. Encrypt doc/text using public key
4. Send the encrypted text
5. Decrypt the text using the private key
Public key cryptography: encryption
Figure (a) Encryption with public key (Section 9.1, Principles of Public-Key Cryptosystems). Bob's public-key ring holds the public keys of Joy, Ted, Mike and Alice. Bob encrypts the plaintext input X with Alice's public key PUa using the encryption algorithm (e.g., RSA): Y = E[PUa, X]. The ciphertext is transmitted, and Alice recovers the plaintext output with her private key PRa using the decryption algorithm: X = D[PRa, Y].
Public key cryptography: digital signature
• Digital signatures are based on asymmetric cryptography
algorithms like RSA or ECC
• We need two properties of (analogue) signatures to hold in
the digital world:
• Only the entity itself is able to create its own signature, but everyone can verify it
• This signature is tied to data that gets signed. A signature
cannot be used for different data
Digital signature: definition
• Three algorithms:
• (sk, pk) := generateKeys(keysize)
• sk is the secret key and is used to sign messages. pk is the public key and is given to
everyone. With the pk, they can verify the signature
• sig := sign(sk, message)
• The sign method takes the message and the secret key, sk, as input and returns a signature
for message under sk
• isValid := verify(pk, message, sig)
• The verify method takes a message, a signature, and a public key as input
• It will return true if the signature was generated out of the message and the secret key,
otherwise false
• Such that verify(pk, message, sign(sk, message)) == true and signatures are
unforgeable
Digital signature: definition
Participants: Bob and Alice; public keys are shared via a key server or other methods.
generateKeys
1. Generate key-pairs (public key, private key)
2. Share public key
sign
3. Sign the document using the private key
4. Send the doc and signature
verify
5. Verify the signature using the public key
Digital signature algorithms
• Two major digital signature schemes are available
• RSA-based signature schemes, such as RSA-PSS
• RSA signature was invented in 1977 by Rivest, Shamir and Adleman
• Based on the assumption that factoring the product of large prime numbers is very hard
• ECC-based signature schemes, such as ECDSA
• Suggested independently by Neal Koblitz and Victor S. Miller in 1985
• Based on discrete logarithms
• The BSI recommends the following key sizes for asymmetric cryptography
• RSA: min. 2048 Bit
• ECDSA: min. 256 Bit
• Due to smaller key sizes in ECC, many blockchain systems use ECC
Decentralised Identity
• Identity is a must in many online services
• To create an identity, you need to register with the Service Provider (SP)
• An identity requires a unique identifier to uniquely identify an entity within the system
• Username -> unique only within a system
• Email/mobile phone number are universal identifiers
• But all these need to rely on a specific SP
• For emails, it is the email provider, and so on. If such an SP ceases to exist, all services dependent on the identifiers become vulnerable
Decentralised Identity
• Decentralised identity is the solution using digital signature
schemes
• The public key pk acts as an identity
• The private key sk is the password to prove the ownership of this identity
• This has some advantages:
• New identities can be generated at will with the generateKeys function
• Also, these new identities cannot be used to uncover your real-world
identity, providing a layer of pseudonymous privacy
Decentralised Identity
• Public keys are very large
• You want to hash your public key pk in order to receive an “identity”
• To validate a statement, one has to check
1. if the pk hashes to the identity and
2. if the message verifies under the public key pk
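
The generateKeys / sign / verify interface and the two identity checks above, as an added example that is not part of the lecture slides. To run with the standard library only it swaps in Lamport one-time signatures over SHA-256 for RSA or ECDSA, so each key pair here may sign one message only; the function names are illustrative and the message is constructed.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def message_bits(message: bytes):
    digest = int.from_bytes(H(message), "big")
    return [(digest >> i) & 1 for i in range(256)]

def generate_keys():
    """(sk, pk): sk is 256 pairs of random secrets, pk the hashes of those secrets."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk

def sign(sk, message: bytes):
    """Reveal one secret per message-digest bit. Use each sk for ONE message only."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(message))]

def verify(pk, message: bytes, sig) -> bool:
    bits = message_bits(message)
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, bits)))

def identity(pk) -> str:
    """Short identifier: hash of the serialized public key (16 KiB in this scheme)."""
    return H(b"".join(h0 + h1 for h0, h1 in pk)).hex()

def validate_statement(ident: str, pk, message: bytes, sig) -> bool:
    """The two checks from the slide: pk hashes to the identity, sig verifies under pk."""
    return identity(pk) == ident and verify(pk, message, sig)

if __name__ == "__main__":
    sk, pk = generate_keys()
    ident = identity(pk)
    msg = b"constructed statement: I control this identity"
    sig = sign(sk, msg)
    print(ident[:16], validate_statement(ident, pk, msg, sig))
    other_sk, other_pk = generate_keys()
    # A valid signature from a different key pair fails the identity check.
    print(validate_statement(ident, other_pk, msg, sign(other_sk, msg)))
```

Both checks are needed: the signature check alone would accept any key pair, and the hash check alone would accept any message.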
Decentralised Identity
Figure: each identity (Identity 1, Identity 2, Identity 3) is obtained by hashing a public key, and each public key belongs to a key pair with its own private key.

Almost all (public) blockchain systems adopt this approach


Cryptography resources
• Introduction to Cryptography: With Coding Theory, by Lawrence C.
Washington and Wade Trappe
• Cryptography and Network Security: Principles and Practice, by
William Stallings
Question?

ANY QUESTION?
