Cryptography in Algorand

(1)

Zhenfei Zhang

(2)

Consensus on next blocks

Proof of Work: , ,. . .

(3)

(4)

This talk

Cryptography that makes Algorand possible:

ed25519 signature

Verifiable random function (VRF)[MRV99, GNP+_15]

Cryptography that improves efficiency/security

Boneh–Lynn–Shacham (BLS) signature [BLS01, BGLS03, BDN18] Pixel signature [DGNW19, GW19]

Focus on use cases, constructions Not on security proofs, implementations

Will not cover

Algorand’s consensus protocol Algorand’s smart contract Tokenomics

(5)

Consensus on next blocks

Blockchain has > 1 million users

(6)

Problem Statement

1 _{Shrink user size: 1 million → 3 thousand}

(7)

Problem Statement

(8)

Problem Statement 2 _{Authentication} Schnorr identification Sender (x , X := xG ) Receiver (X ) r ←$ Z|G|, R = rG R −−−−−−−−→ c ←$Z|G| c ←−−−−−−−− z = r − xc z −−−−−−−−→ zG = R − cX?

(9)

Problem Statement

2 Authentication

Schnorr signature (with Fiat-Shamir transformation)

Sign(x , X , msg ): r ←$Z|G|, R = rG c = hash(msg |pk|R) z = r − xc σ = {z, c} Verify(X , msg , σ): R0 = zG + cX c= hash(msg |pk|R? 0)

Sketch security proof

(10)

Problem Statement

(11)

Problem Statement

Algorand’s self-lottery

Each user draws a random number ri

User is in voting committee if it wins lottery: ri < b

Use VRF to build lottery

Set b so that 3k users are expected to win for each round Invoke BA to achieve consensus among committee members

(12)

Problem Statement

(13)

Problem Statement

Schnorr identification Sender (x , X := xG ) Receiver (X ) r ←$ Z|G|, R = rG R −−−−−−−−→ c ←$Z|G| c ←−−−−−−−− z = r − xc z −−−−−−−−→ zG = R − cX?

(14)

Problem Statement

1 Shrink user size: 1 million → 3 thousand

“Double” Schnorr identification

Sender (x , X := xG ) Receiver (X ) r ←$Z|G|, R1= rG H = hash(X ), R2= rH, Y = xH R1,R2,Y −−−−−−−−→ c ←$Z|G| c ←−−−−−−−− z = r − xc z −−−−−−−−→ H = hash(X ) zG= R? 1− cX zH= R? 2− cY

(15)

Problem Statement

ECVRF[GNP+_15] Prove(x , X , msg ): r ←$Z|G|, R1= rG H = hash1(msg |pk), R2= rH, Y = xH c = hash2(msg |pk|R1|R2) z = r − xc σ = {z, c}, π = Y Verify(X , msg , σ, π): R₁0 = zG + cX H = hash1(msg |pk) R₂0 = zH + cY c= hash? 2(msg |pk|R10|R20)

(16)

ECVRF[GNP+_15] Prove(x , X , msg ): r ←$Z|G|, R1= rG H = hash1(msg |pk), R2= rH, Y = xH c = hash2(msg |pk|R1|R2) z = r − xc σ = {z, c}, π = Y Verify(X , msg , σ, π): R₁0 = zG + cX H = hash1(msg |pk) R₂0 = zH + cY c= hash? 2(msg |pk|R10|R20) Security requirements Correctness

Unforgability follows Schnorr signature Uniqueness: fix X , msg , there is only one Y Pseudorandomness: Y is IND from random

(17)

(18)

Problem Statement

New block generated every 4.5 sec → 250 ms budget for cryptography Verifies 5k transactions per block

(19)

Problem Statement

Bilinear pairing : G1× G2 7→ Gt, e(aG1, bG2) = e(G1, G2)ab

BLS signature[BLS01, BGLS03, BDN18] Sign(x , msg ): H = hash(msg ) S = xH Verify(X := xG1, msg , S ): H = hash(msg ) e(G1, S ) ? = e(X , H)

(20)

Problem Statement

Bilinear pairing : G1× G2 7→ Gt, e(aG1, bG2) = e(G1, G2)ab

BLS signature[BLS01, BGLS03, BDN18] Sign(x , msg ): H = hash(msg ) S = xH Aggregate(S1, . . . , Sk): S =Pk i =1Si Verify(X := xG1, msg , S ): H = hash(msg ) e(G1, S ) ? = e(X , H) AggreVerify({Xi, msgi}ki =1, S ): Hi = hash(msgi) e(G , S )=? Qk e(X, H)

(21)

Problem Statement

Same message rogue key attack[BDN18]

Attacker sees {msg , X } for a user who knows x

Attacker claims his public key is Y − X (he does not know y /x )

Attacker forges an agg. signature Sy := yH for user and attacker

(22)

Problem Statement

Same message rogue key attack[BDN18]

Attacker sees {msg , X } for a user who knows x

Attacker claims his public key is Y − X (he does not know y /x )

Attacker forges an agg. signature Sy := yH for user and attacker

Can be verified by AggreVerify(X , Y − X , msg , Sy)

Solutions

(23)

Problem Statement

BLS+ signature[BDN18] Sign(x , msg ): H = hash(msg ) S = xH Aggregate({Xi, Si}k_{i =1}): r1. . . , rk = hash1({Xi}ki =1) S =Pk i =1riSi Verify(X := xG1, msg , S ): H = hash(msg ) e(G1, S ) ? = e(X , H) AggreVerify({Xi}k_{i =1}, msg , S ): r1. . . , rk = hash1({Xi}ki =1) H = hash2(msg ) e(G1, S ) ? =Qk i =1e(riXi, H)

(24)

(25)

Problem Statement

New block generated every 4.5 sec Verifies 5k transactions per block Verifies 1k votes per block

Forward security

Attacker corrupts voters after they have voted Ask them to vote for another block – creates a fork

Solution: Pixel signature [DGNW19, GW19]

Same message aggregatable Forward secure

(26)

High level description (HIBE)

A master public key pk; t secret keys for t levels for i = 1, . . . , t

use ski for level i to sign; (HIBE encryption) use ski to generate ski +1; (HIBE delegation) throw away ski

support t time slots naively

(27)

Toy example with t slots

PP: G ∈ G1; H, H1, . . . , Ht ∈ G2

pk: xG , msk: xH (Note e(pk, H) = e(G , msk)) SKUpdate(ski)7→ ski +1:

ski +1[0] = ski[0] + ri +1G ski +1[1] = ski[1] + ri +1Pi +1_{j =1}Hj

ski +1[2][j ] = ski +1[2][j + 1] + ri +1Hj +i +2

randomize G1 gen. randomize x w. new gen. randomize G2gen.

sk1 r1G xH + r1H1 r1hH2, . . . , Hti sk2 (r1+ r2)G xH + r1H1+ r2(H1+ H2) (r1+ r2) hH3, . . . , Hti sk3 (r1+ r2+ r3)G xH + r1H1+ r2(H1+ H2) (r1+ r2+ r3) hH4, . . . , Hti +r3(H1+ H2+ H3)

(28)

Toy example with t slots, continued PP: G ∈ G1; H, H1, . . . , Ht ∈ G2 pk: xG , msk: xH sk1 = {r1G , xH + r1H1, r1hH2, . . . , Ht−1, Hti} Sign(msg, sk1)7→ σ: a ←$Z|G1| h = hash(msg ) X = aG + r1G Y = (xH + r1H1) + h(r1Ht) + a(H1+ hHt) σ = {X , Y } Verify(msg, pk, σ := {X , Y }): e(xG , H) · e(X , H1+ hHt) ? = e(G , Y )

(29)

Correctness: e(xG , H) · e(X , H1+ hHt) ? = e(G , Y ) X = aG + r1G Y = (xH + r1H1) + h(r1Ht) + a(H1+ hHt) e(xG , H) · e(X , H1+ hHt)

= e(G , H)x· e(X , H1) · e(X , Ht)h

= e(G , H)x· e(G , H₁)a+r1_{· e(G , H}

t)h(a+r1)

e(G , Y ) = e(G , xH + r1H1) · e(G , hr1Ht) · e(G , a(H1+ hHt))

= e(G , xH) · e(G , (r1+ a)H1) · e(G , (hr1+ ah)Ht)

(30)

Forward security

pk: xG , msk: xH

sk1 = {r1G , xH + r1H1, r1hH2, . . . , Hti}

sk2 = {(r1+ r2)G , xH + r1H1+ r2(H1+ H2), (r1+ r2) hH3, . . . , Hti}

Cannot find msk from sk1

(31)

Same message aggregation User 1 X1= a1G + r1,1G Y1= (x1H + r1,1H1) + h(r1,1Ht) + a1(H1+ hHt) User 2 X2= a2G + r2,1G Y2= (x2H + r2,1H1) + h(r2,1Ht) + a2(H1+ hHt) Aggregated sig: X1+ X2, Y1+ Y2 Correctness: e(x1G + x2G , H) · e(X1+ X2, H1+ hHt)

= e(x1G , H) · e(x2G , H) · e(X1, H1+ hHt) · e(X2, H1+ hHt)

= (e(x1G , H) · e(X1, H1+ hHt)) · (e(x2G , H) · e(X2, H1+ hHt))

(32)

Signatures – reduce signature size (Falcon ≈ 1kB) VRF – WIP

(None-interactive) aggregatable signature – no known solution Forward secure signatures – lattice based HIBE does not scale well

(33)

This talk: https://zhenfeizhang.github.io/material/talks/ ECVRF reference implementation: https://github.com/

algorand/libsodium/tree/draft-irtf-cfrg-vrf-03 BLS reference implementation:

https://github.com/algorand/bls_sigs_ref Pixel reference implementation:

(34)

Dan Boneh, Craig Gentry, Ben Lynn, and Hovav Shacham. Aggregate and verifiably encrypted signatures from bilinear maps. In EUROCRYPT 2003, 2003.

Dan Boneh, Ben Lynn, and Hovav Shacham. Short signatures from the weil pairing. In ASIACRYPT 2001, 2001.

Manu Drijvers, Sergey Gorbunov, Gregory Neven, and Hoeteck Wee. Pixel: Multi-signatures for consensus.

IACR Cryptol. ePrint Arch., 2019:514, 2019.

Sharon Goldberg, Moni Naor, Dimitrios Papadopoulos, Leonid Reyzin, Sachin Vasant, and Asaf Ziv.

NSEC5: provably preventing DNSSEC zone enumeration. In NDSS 2015, 2015.

(35)

Silvio Micali, Michael O. Rabin, and Salil P. Vadhan. Verifiable random functions.