The Silk Road

CSC595/686-D: (The Real) Blockchain

by: burt rosenberg
at: university of miami

Lecture 2

If Blockchain is so good, why is everyone in jail?

That's certainly an exaggeration. But my experience in the Bitcoin world is often punctuated by news that someone went to jail, or had been in jail, or will soon be in jail. The serious part of the joke is the Bitcoin Foundation, which was created to explain Bitcoin to governments and to help them understand the technology.

Governments are reluctant to accept any new form of money, since it circumvents centuries of learning concerning the control of capital flows, the tracking of money for purposes of taxation, and the techniques used to detect and prosecute illicit activity, e.g. money laundering, extortion, counterfeiting and fraud.

Ironically, or perhaps not, of the original Bitcoin Foundation board, several did run into major problems with the law on exactly these issues.

The origins of electronic money are tied into the history of the "crypto-anarchists" and their coding companions, the cypherpunks. This group sought a way of asserting themselves against state power, and against such things as censorship and the restriction of personal liberty, and believed that cryptography was the enabler that would create this brave new world.

The image is of the now-closed web site Silk Road, the notorious killer app for Bitcoin and a fixture of the so-called Dark Web. Mt. Gox is another name associated with the difficult history of Bitcoin.

Whether Bitcoin gathers people that cross the line or encourages people to cross the line, I don't know. But just as social media now shows its dark side, so has the creation of cash outside of state sponsorship, made possible by cryptography, shown its dark side since its inception.

The Adversary's Resources

Most safes can be opened with enough time or enough luck. The video shows a safe opener that automatically works through all possible combinations. The same is true of any of our electronic security methods that depend upon a secret key: it is possible either to work through all possibilities or to guess the key by luck. A theory therefore cannot be built on the absolute impossibility of circumvention. Circumvention is almost always assured, given enough resources. What is considered instead is whether the desired property holds under attack by an adversary with the resources of a reasonable computational model.

The security is parameterized by an integer k, which can be thought of as the number of key bits. To exhaustively test all key possibilities would take 2^k steps. Therefore a computer permitted this many steps can circumvent the encryption in the most obvious way possible. Hence any non-trivial answer will require that the computation be bounded below exponential. A common model bounds the number of steps by some function polynomial in k, although the degree of the polynomial (its rate of growth) can be arbitrarily large.

However, it is also needed, for many reasons, that the computer be allowed to "guess", or otherwise act on the basis of randomness. The model for this is that the computer is provided a second input, a string of randomly chosen bits, and the program can refer to them one by one as desired during the computation. The program is then not a deterministic function mapping each input to an output, but a sort of random variable, which maps each input to a spectrum of outputs, one for each random string provided as the second input, along with a probability distribution over the outputs, determined by how many random strings yield each output.

This model of computation gives a complexity class called Probabilistic Polynomial Time, or PPT.

The Cryptographic Hash Function

Cryptography makes crypto-currencies possible. There are two important cryptographic widgets we will need to understand: the cryptographic hash function and the digital signature. In this section we consider the hash function.

The notion of a cryptographic hash function will play a prominent role in blockchain and Bitcoin. A hash function reduces a large space of inputs, in fact an infinite space best described as all strings of any finite length, to an output space of k bits. For Bitcoin k will be 256. To be cryptographic, the hash function must be at least collision resistant and preimage resistant, properties defined below.

For reasons that will become clear soon, we cannot speak of the resistance of a single hash function; rather we consider H, a large collection of hash functions indexed by s, and the adversary is presented one, h_s, drawn at random from the collection,

   H = { h_s }
Collision resistance says that every (randomized, polynomial-time bounded) adversary A, when given h_s for an s chosen at random, outputs a pair x, x' of distinct values such that h_s(x)=h_s(x') with only negligible probability. The probability is over the choice of s and any randomness in the adversary's choices.

To speak of the collision resistance of a single hash function makes no sense. In the case of a single hash function, we can hard-wire an appropriate x, x' pair into the adversary's code. The objection that this is cheating is countered as follows: consider the family of adversaries A(x,x'), one for every possible pair x, x', each of which prints its x, x' and stops. Among these is one that is correct for h. Our definition only asks for the existence of an adversary.

On the other hand, if we begin with a random choice of h_s from H, this trick does not work, since no single A(x,x') works for more than a negligible fraction of the functions in H.

For preimage resistance: given a y chosen at random (as h_s(x) for a random x), the adversary must find an x' such that h_s(x')=y. If H is collision resistant, it is preimage resistant. Proof sketch: assume H is not preimage resistant, so some adversary finds preimages with non-negligible probability. Choose x at random, set y = h_s(x), and hand y to that adversary, which returns x' with h_s(x')=h_s(x). It is possible that x'=x, which is why one begins from a random x and its image y rather than from an arbitrary y: the output space has only 2^k values while the input space is far larger, so y has many preimages, and the adversary, which was not told x, has no way to prefer our x over the others. With good probability x' is different from x, and then (x, x') is a collision.

To show that collision resistance is strictly stronger, we exhibit an H' which is preimage resistant but not collision resistant. Let H be preimage resistant. Define H' as the same family, except that the least significant bit of x is dropped before the hash function is applied. Then immediately x and x^0x01 collide, for every s. However, given y, finding x such that h'_s(x)=y is essentially the same problem as in H: append either bit to a preimage under h_s and you have a preimage under h'_s, and conversely.
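As an added worked example (my own illustration, not code from the lecture), the following Python models the definitions above with a toy keyed family h_s(x) = SHA-256(s || x) truncated to k = 16 bits. That construction and the tiny k are assumptions of the example, chosen so that the exhaustive 2^k search described under The Adversary's Resources is cheap enough to actually run. The code carries out the reduction from preimage finding to collision finding, handling the unlucky x' = x case, and builds the family H' of the preceding paragraph by ignoring the low bit of the input (equivalent to dropping it) to exhibit its free collision x, x^0x01. All function names and the sample family index are assumptions of the example.

```python
import hashlib
import random

K = 16  # toy output length in bits; Bitcoin's hash has k = 256, this k is tiny so brute force is cheap


def h(s: bytes, x: bytes, k: int = K) -> int:
    """One member h_s of a keyed hash family H = { h_s }.
    Assumed construction for this example: SHA-256(s || x) truncated to its top k bits."""
    digest = hashlib.sha256(s + x).digest()
    return int.from_bytes(digest, "big") >> (256 - k)


def h_prime(s: bytes, x: bytes, k: int = K) -> int:
    """The family H' of the text: ignore the least significant bit of x, then apply h_s."""
    if not x:
        raise ValueError("x must be non-empty")
    masked = x[:-1] + bytes([x[-1] & 0xFE])
    return h(s, masked, k)


def trivial_collision(x: bytes):
    """Under H' a collision costs nothing: x and x ^ 0x01 agree once the low bit is ignored."""
    if not x:
        raise ValueError("x must be non-empty")
    return x, x[:-1] + bytes([x[-1] ^ 0x01])


def preimage_finder(s: bytes, y: int, k: int = K, rng=None, max_tries: int = 1 << 24):
    """Exhaustive search for a preimage of y: about 2^k guesses, the 'safe opener' of the text.
    Feasible only because k is small; it stands in for the hypothetical preimage adversary."""
    if rng is None:
        rng = random.Random()
    for _ in range(max_tries):
        candidate = rng.getrandbits(64).to_bytes(8, "big")
        if h(s, candidate, k) == y:
            return candidate
    return None


def collision_from_preimage(s: bytes, k: int = K, rng=None):
    """The reduction: choose a random x, hand y = h_s(x) to the preimage finder and receive x'
    with h_s(x') = y. Because y has many preimages and the finder never saw x, x' != x almost
    always, and then (x, x') is a collision."""
    if rng is None:
        rng = random.Random()
    x = rng.getrandbits(64).to_bytes(8, "big")
    y = h(s, x, k)
    x2 = preimage_finder(s, y, k, rng)
    if x2 is None or x2 == x:
        return None  # the unlucky case the text warns about; a real reduction retries with a fresh x
    return x, x2


def is_collision(func, s: bytes, x: bytes, x2: bytes) -> bool:
    """Check that x, x' are distinct and hash to the same value under the given family member."""
    return x != x2 and func(s, x) == func(s, x2)


if __name__ == "__main__":
    s = b"random family index s"  # constructed sample index
    print("collision via preimage finder:", collision_from_preimage(s, rng=random.Random(1)))
    print("free collision under H':", trivial_collision(b"\x00\x2a"))
```

Raising K to 32 makes the preimage search take hours in Python and K = 256 puts it beyond any adversary; the reduction itself does not change, which is the point: any preimage finder for h_s becomes a collision finder at essentially the same cost.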

The Digital Signature

A signature is a ceremony in which the signer creates an artifact that can be used later to show that the signer was aware of and in agreement with some document. The digital signature simulates that ceremony in the cyberworld by providing two protocols, signing and verification: the signer uses the secret key S to produce a signature σ on a document, and anyone holding the public key P can check σ against the document.

The correctness of the protocol is that the verifier will accept a signature computed by the signer with the matching secret key. The security of the protocol is that no adversary without the secret key, including one that has witnessed correct message-signature pairs, can produce a signature on a message it has not seen signed that satisfies the verifier, except with negligible probability.

The point about probability is important. The secret key S and the public key P are created together, so that there exists an esoteric relationship between them. This generation is random, so coin flips are needed. Roughly speaking, the number of coin flips is what is meant by the number of bits in the key: a 2048-bit key means that about 2048 coin flips went into its production. Note that an attacker can win the forgery game by guessing S. However, for n random bits consumed in the generation of S and P, a correct guess is an event of probability 2^-n.

If ten billion guesses were made a second, and there are about two billion seconds in a lifetime, about 2^64 guesses, and certainly no more than 2^80, would be accomplished in a lifetime. This is very much smaller than 2^2048, the number of keys at a key length often used. But guessing is possible, so we must state the result as a probability rather than a certainty. The phrase "with negligible probability" refers to a likelihood of forging a signature that is not much improved over guessing the secret key S.
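An added example, not from the lecture and not the signature scheme Bitcoin uses: a toy RSA signature in Python that makes the two protocols and the security game of the preceding paragraphs concrete. Key generation draws its coin flips from a seedable generator, so the "n random bits" of the text are visible. A "textbook" variant signs a number directly and is shown to lose the game against an adversary that has no S and merely multiplies two witnessed signatures together, while the hash-then-sign variant resists that particular trick and rejects any altered document or foreign public key. The 256-bit modulus, the function names and the sample documents are assumptions of the example; real keys are 2048 bits or more, and nothing here is fit for production.

```python
import hashlib
import random


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin primality test: a randomized (PPT) algorithm in the sense of the text."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    """Draw odd candidates of exactly `bits` bits from the coin flips until one is prime."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c, rng):
            return c


def keygen(bits: int = 256, seed=None):
    """Create P and S together from coin flips; `seed` fixes the flips so a run is reproducible.
    P = (n, e) is public, S = (n, d) is secret; whoever guesses S wins the forgery game."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (p * q, e), (p * q, d)


def sign_textbook(S, m: int) -> int:
    """'Textbook' RSA: the signature is the number m raised to the secret exponent."""
    n, d = S
    return pow(m, d, n)


def verify_textbook(P, m: int, sigma: int) -> bool:
    n, e = P
    return 0 < sigma < n and pow(sigma, e, n) == m % n


def forge_textbook(P, m1: int, s1: int, m2: int, s2: int):
    """Adversary of the security game: it has witnessed two correct pairs, holds no S, and still
    outputs a valid signature on a message it never saw signed. Textbook RSA fails the game."""
    n, _ = P
    return (m1 * m2) % n, (s1 * s2) % n


def _hash_to_zn(doc: bytes, n: int) -> int:
    """Hash-then-sign: map the document into Z_n before the secret exponent is applied."""
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") % n


def sign(S, doc: bytes) -> int:
    n, d = S
    return pow(_hash_to_zn(doc, n), d, n)


def verify(P, doc: bytes, sigma: int) -> bool:
    n, e = P
    return 0 < sigma < n and pow(sigma, e, n) == _hash_to_zn(doc, n)


if __name__ == "__main__":
    P, S = keygen(seed=2019)
    doc = b"I, the signer, agree to this document."  # constructed sample document
    sigma = sign(S, doc)
    print("genuine:", verify(P, doc, sigma), " altered:", verify(P, doc + b" (altered)", sigma))
```

The multiplicative forgery works because textbook RSA is a homomorphism; with the hash in front, the product of two signatures is still a valid signature, but only of a document whose hash equals the product of the two hashes mod n, which the adversary cannot find without breaking the hash. This is the "witnessed correct pairs" clause of the security definition doing real work.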

I find it difficult to think of the nature of identity in electronic protocols. In the human ceremony, somehow we work out whose signature that was, as well as whether it was genuine, as well as whether it was intentional. In the electronic world, we have the secret key as a stand-in for the person. What the verifier is really verifying is that whatever provided σ has knowledge of the S associated with P. If P is Burt's public key, Burt must own up to that, and explain, if he wishes to deny signing the document, how σ became available to the world.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

author: burton rosenberg
created: 14 jan 2019
update: 28 jan 2019