Cryptographic Hash Functions

Questions and Answers

How do cryptocurrencies ensure security without relying on a central authority?

• By relying on legal frameworks and international agreements.
• By using central banks to control the money supply.
• By enforcing security rules purely technologically through cryptography. (correct)
• By adding anti-counterfeiting features to physical currency.

What is a fundamental property of a cryptographic hash function?

• It is efficiently computable. (correct)
• It produces a variable-size output depending on the input.
• It requires significant computational resources for every input.
• It can only accept fixed-length inputs.

For a hash function to be considered cryptographically secure, which property is essential?

• Output predictability
• Computational complexity
• Collision-resistance (correct)
• Input size variability

What does collision-resistance in a hash function ensure?

That finding two different inputs with the same output is computationally infeasible. (D)

Why does the existence of methods to find collisions not necessarily negate the usefulness of collision-resistant hash functions?

Because these methods typically require infeasible amounts of computation in practice. (A)

What does the 'hiding' property of a cryptographically secure hash function ensure?

It is infeasible to determine the input given the output of the hash function. (B)

How can the 'hiding' property be achieved when an input is not spread out?

By concatenating it with another input that is spread out and has high min-entropy. (D)

In the context of hash functions, what is 'min-entropy'?

A measure of how predictable an outcome is. (D)

What is the purpose of a commitment scheme in cryptography?

To commit to a value while keeping it secret, then reveal it later. (B)

What are the two security properties that a commitment scheme should hold?

Hiding and Binding (D)

If H is a hash function that is collision-resistant and hiding, what property does a commitment scheme using H have?

The necessary security properties for commitment. (D)

What is required to find x such that $H(k||x) = y$ in a puzzle-friendly hash function for every possible n-bit output value y?

A time significantly more than $2^n$ (B)

In the context of a 'search puzzle', what determines the difficulty of the puzzle?

The size of the target set Y. (A)

What does SHA-256 use to convert a fixed-length collision-resistant compression function into a hash function that accepts arbitrary-length inputs?

Merkle-Damgard transform (D)

What is the block size used by SHA-256?

512 bits (B)

What is a hash pointer?

A pointer to data along with the cryptographic hash of that data. (B)

How does a hash pointer enhance the security of a data structure?

By allowing verification that the data has not changed. (C)

What is the primary characteristic of a blockchain data structure?

It is a linked list built using hash pointers. (B)

What makes a blockchain a tamper-evident log?

Each block contains a hash of the previous block, making alterations easily detectable. (C)

How can tampering with data in a blockchain be detected?

By comparing the current hash pointer with the stored hash pointer at the head of the list. (B)

What is the 'genesis block' in a blockchain?

A special block at the beginning of the list. (D)

What is a Merkle tree?

A binary tree with hash pointers. (B)

In a Merkle tree, how are data blocks organized?

They comprise the leaves of the tree. (D)

If there are n nodes in a Merkle tree, approximately how many items need to be shown to prove membership of a data block?

$log(n)$ (C)

What is the purpose of a 'sorted Merkle tree'?

To verify non-membership of a data block. (C)

What is a primary property of a digital signature?

Only one can create the signature, but anyone can verify it. (D)

What is an important consideration when using digital signatures related to the signed document?

The signature should be tied to a particular document. (C)

In the context of digital signature algorithms, what does the function generateKeys(keysize) produce?

A pair of keys: a secret key (sk) and a public key (pk). (B)

What does the property 'existentially unforgeable' mean in the context of digital signatures?

It's computationally infeasible to create a valid signature for a message without the secret key. (A)

Why is a good 'source of randomness' critical for digital signatures?

To prevent attackers from predicting the keys and compromising the signature. (D)

Why do digital signature schemes often sign the hash of a message rather than the message itself?

To limit the message size and ensure that the hash function is collision resistant. (C)

What is the purpose of ECDSA in Bitcoin?

To secure transactions using digital signatures. (D)

What is the estimated security level (in bits) provided by the elliptic curve "secp256k1" used in Bitcoin's ECDSA?

128 bits (A)

Why is using a hash of a public key as an identity practical?

Hashes are smaller in size than public keys. (C)

What are Bitcoin identities called, which are a hash of a public key?

Addresses (C)

What is a potential weak point in real systems regarding decentralized identity management?

The generation of randomness. (B)

What is a major privacy concern in Bitcoin despite not requiring explicit real-world identity?

The pattern of user behavior might itself be identifying. (D)

In GoofyCoin, who can create new coins?

A designated entity, Goofy (C)

What is required for Goofy to create a new coin?

Generating a unique coin ID and creating a digital signature for it. (C)

In GoofyCoin, how is the transfer of a coin accomplished?

By creating a new statement signed by the owner and referencing the coin. (A)

What is the main vulnerability of GoofyCoin?

It is vulnerable to double-spending attacks. (B)

In ScroogeCoin, what is the role of Scrooge?

To act as a central authority that publishes an append-only ledger and digitally signs blocks. (B)

How does ScroogeCoin attempt to prevent double-spending?

By making all transactions publicly visible and requiring them to be written to the ledger before acceptance. (A)

What is a key component that Scrooge digitally signs in the ScroogeCoin blockchain?

The final hash pointer of a block (D)

What happens if Scrooge attempts to alter a past transaction in ScroogeCoin?

It will affect all following blocks due to hash pointers, making the tampering evident. (B)

One significant drawback of ScroogeCoin is...

The centralization problem. (A)

Flashcards

Fiat Currencies

Organizations like central banks control the money supply.

Cryptocurrencies security rules

The need to be enforced without a central authority.

Cryptography

Secures the rules of a cryptocurrency system within the system itself.

Hash function

A mathematical function with specific properties.

Hash function input

Input can be any string of any size.

Hash function output size

It produces a fixed size output.

Efficiently computable

Relatively quick to compute.

Cryptographically secure hash function

It has collision-resistance, hiding, and puzzle-friendliness properties

Collision in hash function

Two distinct inputs produce the same output.

Collision-resistance

Infeasible to find two values that hash to the same output.

Hiding property

Output reveals nothing about the input.

Hiding property requirement

High min-entropy is needed.

Min-entropy

A measure of how predictable an outcome is.

Concatenation to achieve hiding

A secret value ensures that one can't simply reverse the function

What is a commitment scheme?

A commitment scheme consists of two algorithms

verify(com, msg, nonce)

Returns TRUE if com == commit(msg, nonce).

Hiding property in commitment scheme

It is infeasible to find msg

Hash function properties for commitment scheme

collision-resistant and hiding

Puzzle friendliness

Infeasible to find x such that H(k||x) = y in time significantly less than 2^n.

puzzle-ID

A puzzle-ID chosen from a high min-entropy distribution

SHA-256 components

SHA-256 makes use of a compression function

Compression function

Works on fixed length inputs

Technique used to convert compression function into hash function

Merkle-Damgard transform

IV

Initialization Vector

Blockchain

Linked list using hash pointers data structure

Hash pointer

A pointer to where some information is stored, along with its cryptographic hash.

The head of the list

Points to the most recent data block.

Tamper-evident log

When data is altered it is easily detected.

Tampering with the data

Tamper with the hash pointers all the way back to the beginning

Genesis block

Special block at the beginning of the list

Merkle tree

Binary tree with hash pointers

Blocks containing data comprise...

The leaves of the tree.

Building the new data structure.

We reach a single block.

How to identify a message

A signature that verifies correctly under a public key.

GoofyCoin: the first rule

One of the rules is that a designated entity, Goofy, can create new coins whenever he wants and these newly created coins belong to him.

Goofy generates a coin

Generates a unique coin ID that he's never generated before.

Goofy signs the string

Saves the string representing the statement.

GoofyCoin double-spending attack

Alice passed her coin on to Bob by sending her signed statement to Bob but didn't tell anyone else

ScroogeCoin

A designated entity publishes an append-only ledger containing the history of all the transactions that have happened.

ScroogeCoin: What each block has.

Each block has the ID of a transaction, the transaction's contents, and a hash pointer to the previous block.

Study Notes

Course Outline

• Teams code is xmwxbzp
• References can be found on the Teams post
• Grading breakdown:
  • Midterm: 15%
  • Quizzes: 10%
  • Assignments: 20%
  • Attendance: 5%
  • Final: 50%

Introduction

• In fiat currencies, central banks control the money supply and add anti-counterfeiting measures
• Cryptocurrencies must enforce security rules technologically without relying on a central authority
• Cryptography allows for securely encoding cryptocurrency rules within the system

Cryptographic Hash Functions

• A hash function is a mathematical function with specific properties:
  • Input can be any size string
  • Produces a fixed-size output (e.g., 256-bit)
  • Efficiently computable
• Cryptographically secure hash function properties:
  • Collision-resistance
  • Hiding
  • Puzzle-friendliness

Collision Resistance

• Collision: When two distinct inputs produce the same output
• Collision-resistance means it is infeasible to find two different inputs, x and y, where x ≠ y, but H(x) = H(y)
• The input space (infinite) is larger than the output space (finite), requiring some input strings to map to the same output string
• There are methods that guarantee collisions can be found
• For a 256-bit output size, picking 2^256 + 1 distinct values ensures two outputs are equal when hashed.
• Choosing 2^130 + 1 inputs results in a 99.8% chance of collision
• Birthday Paradox: Collision likelihood examined roughly the square root of possible outputs; with 10,000 hashes per second, finding a collision to 2^128 hashes would take over 10^27 years
• Some functions have efficient collision detection methods, like H(x) = x mod 2^256 with a collision occurring between 3 and 3 + 2^256
• There are no collision-resistant functions
• Cryptographic hash functions are relied on in practice

Property 2: Hiding

• Hiding: With the hash function output y = H(x), finding the input, x, is infeasible
• x has to be chosen from a set that’s very spread out
• Inputs that are not spread can be hidden by concatenating it with another input that is spread out.
• With secret value r from high min-entropy distribution, then finding x given H(r || x) is infeasible
• Min-entropy in information theory describes outcome predictability

Application: Commitment

• A commitment scheme utilizes two algorithms:
• com := commit(msg, nonce)
• verify(com, msg, nonce) returns TRUE if com == commit(msg, nonce)
• Security properties
• Hiding: Given com, finding msg is infeasible
• Binding: Finding two pairs (msg, nonce) and (msg', nonce') where msg ≠ msg' and commit(msg, nonce) == commit(msg', nonce') is infeasible.
• Defining commit(msg, nonce) := H(nonce||msg), necessary security properties depend on H being collision-resistant and hiding

Property 3: Puzzle Friendliness

• For every n-bit output value y, if k is chosen from a distribution with high min-entropy, then finding x such that H(k||x) = y is infeasible in time less than 2^n.
• Application: search puzzle
• A hash function: H
• A puzzle-ID: id chosen from a high min-entropy distribution
• A target set Y
• A solution to puzzle x, such that H(id || x) ∈ Y
• Size of Y determines puzzle difficulty.
• If set of all n-bit strings, trivial, where if Y only 1 element, the puzzle is maximally hard

SHA-256

• Builds a hash compression function that works on fixed-length inputs
• Takes inputs of length 'm' and produces an output of a smaller length 'n'.
• Converts into a hash function for arbitrary-length inputs using Merkle-Damgard transform, dividing input into blocks of length m-n
• Initialization Vector (IV) is used for the first block
• SHA-256 compression function takes 768-bit inputs and produces 256-bit outputs and the block size is 512 bits.

Hash Pointers

• A hash pointer contains the "pointer" to stored information and a cryptographic hash of that information
• A regular pointer retrieves information
• A hash pointer verifies no change has occurred.
• Pointers, like linked lists or binary search trees, can be implemented with hash pointers

Blockchain

• Blockchain is a linked list build using hash pointers where each block indicates the previous block's value and contains a digest of that value
• The head of the list is a regular hash-pointer pointing to the recent data block
• Use case for a blockchain is a tamper-evident log
• Altering log data that is earlier in the log, will be detected

Blockchain: tamper-evident log

• Tampering with data anywhere in the blockchain requires tampering across the hash pointers back to the beginning
• Storing the hash pointer at the "head of the list" prevents undetected changes; The "genesis block" is the initial block

Merkle Trees

• A binary tree with hash pointers
• Data blocks comprise the leaves of a Merkle Tree.
• Data blocks are grouped in pairs so that a new data structure contains 2 hash pointers, one to each of the data block pairs.
• These data structures are each level up on the tree
• This process repeats until reaching the root, a single block
• Tampering gets detected by remembering the top hash pointer

Proof of Membership

• Only the root is remembered
• A block a member of the Merkle Tree
• Verify the specific block and the blocks on the path from data block to the root.
• Where there are 'n' nodes in a tree, checking can occur with log(n) items and requires log(n) time

Proof of Non-Membership

• Sorted Merkle Tree is a Merkle Tree sorted by some ordering function.
• Allows verification of non-membership in a logarithmic time and space.
• The path to the item just before and just after an item is revealed because the requested item is not included.
• When two items are consecutive, then the item in question is not included.

Digital Signatures

• Only one entity can create their signature and anyone can verify validity.
• Signatures are tied to a particular document
• Serves to indicate that the signature cannot endorse a different document

Digital Signature Algorithm

• ( sk, pk ) := generateKeys(keysize ) sk is the secret key, used privately for signing messages and pk is what you give out to people.
• sig := sign(sk, message)
• isValid := verify(pk, message, sig) isValid will return TRUE if sig is a valid signature for message, under public key pk.
• Properties
• verify(pk, message, sign(sk, message)) == TRUE
• Signatures are existentially unforgeable

Practical Concerns

• Algorithms require source randomness
• Signing should occur as the hash of the message
• The hash of the message is a message digest (the hash function is collision resistant)
• Signing a hash pointer protects the total structure.

Elliptic Curve Digital Signature Algorithm (ECDSA)

• ECDSA is used on the standard elliptic curve "secp256k1"
• ECDSA is estimated at 128 bits of security.
• ECDSA difficulty is equivalent to 2128 symmetric-key function calls.
• ECDSA technically signs 256-bit messages, but always hashes before allowing an efficient signature for any size message.

Public Keys as Identities

• public Key is then a means of verifying that you can think of pk.
• Access implies knowledge of the corresponding secret key (sk).
• New identities can be made by creating a new key pair sk and pk.
• Hashing can occur if public keys are large

Decentralized Identity Management

• Generate identities without centralization
• Generate multiple with ease
• Bitcoin's version is addresses
• Probability of a repeated key is low
• Randomness has weakness
• There is no need to show your real-world entity, as behavior might be identifying.

Simple Cryptocurrency: Goofy Coin

• Simplified cryptocurrency
• The designated entity, Goofy makes coins
• Coin owner transfers a coin to someone else

Create a Coin

• Goofy ID generates unique coin ID uniqueCoinID so the string "CreateCoin [uniqueCoinID]" is constructed and the digital signature occurs for that string

Transferring a Coin

• Goofy transfers to Alice
• Generates “Pay this to Alice” to reference a coin
• Signs a statement
• Follow the pointer chain back; rightful owner statement saying "pay this coin to [new owner]"

Problems with GoofyCoin: Double Spending

• Bob transfers the coin using a signed declaration, but keeps it a secret.
• A signed declaration can then occurs with Bob to a 3rd party, Chuck.
• Bob / Chuck appear as owners.

Scrooge Coin

• Publishes a ledger
• Any written data remains
• Transactions must be written to the ledger, to prevent Double spending

Blockchain (Scrooge Coin)

• Scrooge signs each blockchain digitally
• Hash pointers and contents
• The signature is published

Rules of Scrooge Coin transaction

• Valid coins that were made previously.
• Has to be a non-Double Spending transaction
• The consumed total should equal the total of what comes out
• Signing is required
• Coins are immutable

Centralization Problems

• Can make as many coins
• Does not endorse a transaction
• Can refuse to write unless has gets money
• Can stop at any point

Descroogifying the system

• How all users can agree to a chain.
• Have the ability to assign Ids
• Control and design coin miniting