MGT411: DeFi

Introduction to Cryptography for Finance

Topic:

Features

peer to peer

no trusted third parties

censorship resistant 

secure

fully decentralized

Key Questions

properties of records

updating protocol for record changes

What's needed for trust in anonymous deals?

Authority

Execution

Continuity

Part 0:
useful tools

Part 1:
properties of records

Part 2:
updating mechanism

A close look at a real Ethereum transaction

A close look at a real Bitcoin transaction

A close look at an Ethereum block

A close look at a Bitcoin block

Hashing

  1. What is hashing?
  2. Why do we use hashing?

Drilling down part 0: useful tools

Definition

  • M: a message/text of arbitrary length
  • h(M): a fixed length output or "digest"

What is cryptographic hashing?

Properties

  1. Deterministic (i.e., not random)
    • the same message always generates the same digest
  2. Fast
    • you don't need much time/many computing cycles to compute a hash
  3. "Unpredictable"
    • if two messages M and M' are similar, their digests should still look very different
  4. Not invertible
    • there is no inverse function, i.e., there is no functional form \(h^{-1}\) such that one can infer M from h(M), nor can an attacker find M from h(M) in "normal" (polynomial) time.
  5. Collision resistant
    • an attacker cannot find two messages M and M' such that h(M)=h(M') in "normal" time.

Polynomial vs exponential time

Example for "normal" or polynomial time:

  • Take a deck of cards numbered from 1 to 20.
  • Throw it in the air and let the cards land face down.
  • Now sort them from small to large
    • \(\to\) how many steps do you need?
  • Find the smallest number:
    • \(\to\) at most 20 steps.
  • Find the second-smallest number:
    • \(\to\) at most 19 steps.
  • Total steps:
    • \(N+(N-1)+\ldots+2+1=\frac{N(N+1)}{2}\)

Example for exponential time:

  • "Travelling salesman"
  • Wants to visit \(N\) towns, and each only once.
  • Which order is best?
  • \(\to\) exponential problem (also "NP-hard")

What is cryptographic hashing?

Simple Application

  • Databases should not store user passwords and usernames in plain text
    • => attacker could immediately impersonate every user
  • Store as a hash: attacker cannot invert the username & password

Nerdy stuff:

  • read up on P vs NP hard problems
  • Idea: If a solution to a problem is easy to check, is the problem easy to solve?
    • We don't know the answer yet.

What hashing functions are there?

  • Many!
  • MD5
  • SHA1 (better than MD5)
  • SHA256 (better than MD5)
    • output of 256 bits; 4 bits = 1 hex character => 64 characters
    • developed by the NSA
    • Code, e.g., https://www.movable-type.co.uk/scripts/sha256.html
  • SHA512
  • RIPEMD-160 (for "160 bit" output)

What hashing functions are used with blockchains?

Examples of "Andreas"

  • MD5
    • cac58b5234e1f98b4c956998b8ac2e26
  • SHA1
    • 60D795AC720DEB5B29AB44F3A690A90DDF147D75
  • SHA256
    • 9EEA6242471F9B3999F21C6FE247679CAB1EAE0B6E8431A3A1A5FAADB27051C8

Examples of "AnDrEaS"

  • MD5
    • bcc9d898264b67515fba62598bdc58c0
  • SHA1
    • DE2737F0E88865DCDF7A33848F664FF807A3208C
  • SHA256
    • 62D3869E008362B2DD4490D8BF9D4AFC4CED4FF34045709DD1EEAA743CF5C793

Problem: Hashes can be cracked!

cracked by "CrackStation"

Why are hashing functions used with blockchains?

  1. efficient way to represent data
    • always same-length output
    • => good convention
  2. small changes to data trigger large changes in hash
    • (recall the demonstration)
    • => easy to check consistency 
  3. they work as "pointers"
    • each block contains a hash of the past block
    • this hash is a pointer
    • pointers make searches easy
  4. Hashes of hashes are used to simplify data storage
    • the process of hashing hashes repeatedly creates the "Merkle Tree" 
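As an added illustration (not code from the deck), this Python checks the properties just listed on real digests: the three algorithms from the slides on the example strings "Andreas" and "AnDrEaS", how many of the 256 bits differ between the two spellings, and a small hashes-of-hashes (Merkle root) over constructed sample transactions, which changes completely when a single transaction is altered.

```python
import hashlib

def digests(text: str) -> dict:
    """The three digest algorithms from the slides, as hex strings."""
    data = text.encode()
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def merkle_root(leaves) -> str:
    """Hash of hashes: hash every leaf, then hash adjacent pairs level by level
    until one digest remains. An unpaired node at a level is duplicated."""
    level = [hashlib.sha256(leaf.encode()).digest() for leaf in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()

if __name__ == "__main__":
    a, b = digests("Andreas"), digests("AnDrEaS")
    for name in a:   # same-length output per algorithm, whatever the input
        print(name, a[name], len(a[name]), "hex characters")
    print("SHA-256 bits that differ between the two spellings:",
          differing_bits(a["sha256"], b["sha256"]), "of 256")
    # constructed sample transactions (not real blockchain data)
    txs = ["Alice pays Bob 5", "Bob pays Carol 2", "Carol pays Dave 1"]
    tampered = ["Alice pays Bob 5", "Bob pays Carol 3", "Carol pays Dave 1"]
    print("Merkle root:          ", merkle_root(txs))
    print("after altering one tx:", merkle_root(tampered))
```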

Cryptography

  • Foundation: let's understand the secure sending of information
  • Problem: send a message M that you want no-one else to be able to read
  • Basic idea (just as with hashing):
    • should be easy to decrypt with the right tools
    • hard to decrypt without them

Some formalism

  • message M 
  • public key P
  • private key S (for "safe")
  • cipher text C
  • Two functions:
    • encode message: enc(M,P)=p(M) 
    • decode cipher: dec(C,S)=s(C)

Alice wants to send Bob money without Charles seeing it

Symmetric Encryption: Bob and Alice use the same key to encrypt and decrypt a message

Formally: public key P = private key S

Symmetric Encryption: Example

Letter number encoding (shift by 3):

letter   n    n+3 mod 26
A        0    3
B        1    4
C        2    5
...
W        22   25
X        23   0
Y        24   1
Z        25   2

\(n \to n+3 \text{ mod } 26\)
  • Codeword:
    • management
  • converted to numbers
    • 12 0 13 0 6 4 12 4 13 19
  • cypher
    • 15 3 16 3 9 7 15 7 16 22
  • modulo operation:
    • "the remainder"
    • example:
      • \(25/3=8 \frac{1}{3}\)
      • or \(25 \text{ mod } 3 = 1\)
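The shift cipher above, written out as an added example (not from the deck): letters map to 0..25, the key 3 is added mod 26, and decryption subtracts the same key, which is what makes it symmetric. The last function shows the weakness: with only 26 possible keys, anyone can simply try them all.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def to_numbers(word: str) -> list:
    """Letter number encoding: A=0, B=1, ..., Z=25."""
    return [ALPHABET.index(c) for c in word.upper()]

def to_letters(numbers: list) -> str:
    return "".join(ALPHABET[n] for n in numbers)

def shift(numbers: list, key: int) -> list:
    """n -> n + key mod 26 (Python's % already returns the non-negative remainder)."""
    return [(n + key) % 26 for n in numbers]

def encrypt(word: str, key: int) -> list:
    """Symmetric cipher: the cipher text is the shifted number list."""
    return shift(to_numbers(word), key)

def decrypt(cipher: list, key: int) -> str:
    """Same key, opposite direction."""
    return to_letters(shift(cipher, -key))

def brute_force(cipher: list) -> dict:
    """Why a 26-key cipher gives no security: every candidate plaintext, by key."""
    return {k: decrypt(cipher, k) for k in range(26)}

if __name__ == "__main__":
    cipher = encrypt("management", 3)
    print("plain :", to_numbers("management"))
    print("cipher:", cipher)
    print("back  :", decrypt(cipher, 3))
    for key, guess in brute_force(cipher).items():
        print(key, guess)   # the real word stands out among the 26 candidates
```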

Asymmetric Encryption: Bob has a public and a private key, (Pb, Sb)

Digital Signatures

  • Problem: send message M and ensure that the other side believes that you sent this particular message
    • worry about manipulation
    • other side may worry about proving what you did, etc.
    • => want to digitally sign the message
  • As with encryption:
    • should be easy to prove that you signed 
    • hard to forge your signature

Drilling down part 1: properties of records

Digital Signatures

Formally

  • Components:
    • Message M
    • Signature or Tag T
    • Public & private keys P & S
  • Two functions
    • Sign(M,S)
    • Check(M,T,P)

required property

if S applied to M created T, i.e., T=Sign(M,S), then Check(M,T,P)=1

Alice wants to send Bob a message and provide proof that it is her.

formally: Alice computes T=Sign(M,Sa) with her private key Sa

formally: Bob computes Check(M,T,Pa) with Alice's public key Pa

Concrete Application of Signatures: RSA Asymmetric Key Cipher

  • Based on Rivest-Shamir-Adleman algorithm
  • widely used, e.g. for online banking etc
  • not exactly used in Blockchains (they use "elliptic curve" algorithms),
  • but the idea is similar and RSA is easier to explain
  • Warning: this will be the mathiest and geekiest part of the class
  • I'll do it by example.

background math (specifically, number theory)

  • terminology: numbers \(a\) and \(b\) are prime relative to one another if their greatest common divisor is 1.
  • goes back to prime factorization \(\to\) expressing a number as the product of primes.
  • example:
    • \(2^3\cdot3^2=72,~5^2\cdot7=175\)
    • 72 and 175 have no common factors \(\to\) 72 is prime to 175
  • Euler's \(\phi\) function for a number \(n\) is the number of natural numbers (between 1 and \(n\)) that are prime relative to \(n\)

n     \(\phi(n)\)
1     1
5     4
10    4
12    4
14    6
15    8

background math (specifically, number theory)

  • Some extra results.
    • For a prime number \(n\) we have \(\phi(n)=n-1\)
    • For prime numbers \(n,m\) we have
      \(\phi(n\cdot m)=(n-1)(m-1).\)
  • When \(n\) and \(m\) are prime to one another then there exist integers \(x\) and \(y\) such that
    • \(x\cdot m+y\cdot n=1\)
  • Let's do this by example (we use "long division") for 72 and 175

background math (specifically, number theory)

\[\begin{array}{rcl} 175 &=& 2\cdot 72+31 \quad (\text{quotient } 2,\ \text{remainder } 31)\\ 72 &=& 2\cdot 31+10 \quad (\text{quotient } 2,\ \text{remainder } 10)\\ 31 &=& 3\cdot 10+1 \quad (\text{quotient } 3,\ \text{remainder } 1) \end{array}\]

and now going backward:

\[\begin{array}{rcl} 1&=&31-3\cdot 10\\ &=& 31-3\cdot(72-2\cdot 31 )\\ &=& 31-3\cdot72+3\cdot 2\cdot 31 \\ &=& 7\cdot 31-3\cdot72\\ &=& 7\cdot (175-2\cdot72)-3\cdot72\\ &=& 7\cdot 175-7\cdot2\cdot72-3\cdot72\\ &=& 7\cdot 175-17\cdot72 \end{array}\]

so we have \(x=7\) and \(y=-17\) (with \(m=175\), \(n=72\)) so that

\(1=x\cdot m+y\cdot n=7\cdot 175+(-17)\cdot 72\)


background math (specifically, number theory)

Ingredients for encryption

  • pick \(n\)
    • not just any \(n\): we pick two prime numbers \(q\) and \(p\) and set \(n=qp\)
  • compute \(\phi(n)\)
    • with primes, \(\phi(n)=\phi(q)\cdot\phi(p)=(q-1)\cdot (p-1).\)
  • Pick \(e\) that is prime relative to \(\phi(n)\)
  • Find \(x,y\) such that \(x\cdot e+y\cdot\phi(n)=1\)

What do we want to do?

  1. Take a word with letters \(l_1,\ldots,l_m\)
  2. Convert the letters to numbers \(w_1,\ldots,w_m\)
  3. Encode the numbers \(w_i\to\tilde{w}_i=w_i^e\text{ mod } n\)
  4. Prove that they can be decoded uniquely.

What do we send?

  1. The letters \(\tilde{w}_1,\ldots,\tilde{w}_m\)
  2. The numbers \(n, e\)
  • Finding \(x\) and \(y\), which an outsider would need in order to decrypt, is computationally NP-hard.
  • Why? Because prime factorization is NP-hard!

How do you decrypt?

Calculate \({\tilde{w}_i}^x\text{ mod } n.\)

Now the RSA components

  1. pick two large prime numbers, \(p\) and \(q\)
    • \(p=53\)
    • \(q=59\)
  2. Compute \(n=pq\)
    • \(53\cdot59=3127=n\)
  3. Find Euler's Phi for \(n\)
    • \(\phi(3127)=(53-1) (59-1)=3016\)
  4. Select a small number \(e\) that is prime to \(\phi(n)\)
    • \(e=3\) (3016 mod 3=1)
  5. Find the \(x,y\) s.t. \(xe+y\phi(n)=1\):
    • \(2011\cdot 3-2\cdot 3016=1\)

Alice's private key: S=(x,n)=(2011,3127)

Alice's public key: P=(e,n)=(3,3127)

Now the RSA components

for greater satisfaction, the formal argument that decryption recovers \(w\)

\[\begin{array}{rcl} {\tilde{w}}^x\text{ mod }n&=&(w^e)^x\text{ mod }n\\ &=&w^{ex}\text{ mod }n\\ &=&w^{1-y\phi(n)}\text{ mod }n\\ &=&w\left(w^{\phi(n)}\right)^{-y}\text{ mod }n\\ &=&w\cdot 1^{-y}\text{ mod }n \quad (\text{this step uses Euler's theorem: } w^{\phi(n)}\equiv 1 \text{ mod } n \text{ for } w \text{ prime to } n)\\ &=&w\text{ mod }n\\ &=&w. \end{array}\]

(the last step assumes \(n\) is large and \(w\) small, i.e., \(w<n\))

Application of RSA to sending an encrypted message

  • suppose the message is M
    • M=89
  • encrypting with Alice's public key P=(e,n)=(3,3127) is
    • \(\text{Enc}(M,P)=P(M)=M^e \text{ mod } n\)
    • \(89^3 \text{ mod } 3127=1394=C\)
  • decrypting with Alice's private key S=(x,n)=(2011,3127) is
    • \(\text{Dec}(C,S)=S(C)=C^x \text{ mod } n\)
    • \(1394^{2011} \text{ mod } 3127=89\)

Application of RSA to sending digital signatures

Example parameters

  1. Choose p=53, q=59
    • n=3127
    • phi(n)=3016
  2. Choose e=3
    • pick x=2011
  3. P=(3,3127), S=2011
  4. Message M=89
  • Signature:
    • \(\text{sig}=M^x \text{ mod } n=89^{2011} \text{ mod } 3127=545\)
  • Validation:
    • \(\text{check}=\text{sig}^e \text{ mod } n=545^{3} \text{ mod } 3127=89=M\)
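Added example (not the deck's own code): the long-division/back-substitution step from the number-theory slides as an extended Euclidean function, then RSA key generation, encryption, decryption, signing and checking with the slides' parameters p=53, q=59, e=3, M=89. For the appendix example n=10, e=3 the same routine returns the smallest valid d=3; the slides' d=7 works as well, since 3 and 7 agree mod \(\phi(10)=4\).

```python
def extended_gcd(a: int, b: int):
    """Return (g, x, y) with g = gcd(a, b) and x*a + y*b = g.
    Runs the long divisions forward, then substitutes backward, as on the slides."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = extended_gcd(b, a % b)      # a = q*b + r with r = a % b
    return g, y1, x1 - (a // b) * y1

def rsa_keygen(p: int, q: int, e: int):
    """Public key (e, n) and private key (x, n) with x*e + y*phi(n) = 1."""
    n, phi = p * q, (p - 1) * (q - 1)       # phi(pq) = (p-1)(q-1) for primes p, q
    g, x, _y = extended_gcd(e, phi)
    if g != 1:
        raise ValueError("e must be prime relative to phi(n)")
    return (e, n), (x % phi, n)             # x reduced into 0..phi-1

def encrypt(m: int, pub) -> int:
    e, n = pub
    return pow(m, e, n)                     # m^e mod n

def decrypt(c: int, priv) -> int:
    x, n = priv
    return pow(c, x, n)                     # c^x mod n

def sign(m: int, priv) -> int:
    x, n = priv
    return pow(m, x, n)                     # signing uses the private exponent

def check(m: int, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == m              # anyone can verify with the public key

if __name__ == "__main__":
    print(extended_gcd(175, 72))            # (1, 7, -17): 7*175 - 17*72 = 1
    pub, priv = rsa_keygen(53, 59, 3)
    print("P =", pub, " S =", priv)         # (3, 3127) and (2011, 3127)
    c = encrypt(89, pub)
    print("C =", c, " decrypted:", decrypt(c, priv))
    s = sign(89, priv)
    print("sig =", s, " check:", check(89, s, pub), " forged:", check(90, s, pub))
```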

Putting it together

  • Hashing is used widely and provides convenient outputs of fixed length => concise representation of information
  • Public-private key signatures ensure that you can prove ownership and that there is security
  • Encrypting messages is a lesser concern for blockchains => info on transactions is supposed to be out in the open
  • But: all the theory used numbers, not letters - how does that go together?
  • Answer: you can represent any text by a number using ASCII codes!
    • Long Text => H(Long text)
    • H(Long text) = fixed length text
    • => ASCII(H(text)) = number of fixed length.

Another Anders Brownworth Demo

https://anders.com/blockchain/public-private-keys/signatures.html

Drilling down part 2: updating of records

Cryptography is nice but not enough!

  • Order of transactions?

  • Cancel one before the other?

  • When is it in the "database"?

Byzantine Generals' Problem

Simple Version Problem

  • Attack only succeeds if both attack.
  • Two need a coordinated attack.
  • Messengers can be intercepted and compromised.

Possible Solution?

  • None.
  • A needs to know that B plays ball, and B needs to know that A plays ball
  • messages go back and forth ad infinitum.

Byzantine Generals' Problem

Problem

  • Many generals.
  • Need consensus to succeed.

Note:

They don't care if they coordinate on attack or withdraw = either is OK as long as there is consensus

Byzantine Generals' Problem

seek consensus for time of attack

leader proposes \(t\)

Round 1: the leader sends \(t\) to every general, and each general relays the value he received to all the others.

Round 2: an honest general relays \(t\); one faulty general relays \(x\) instead, so the generals end up holding \((t,t,x)\), \((t,t,x)\), \((t,t,t)\) and take the majority value \(t\):

consensus is reached!

If instead a faulty leader sends different times \(x\), \(y\), \(z\) to different generals, relaying gives every general the same set \((x,y,z)\) with no majority, so all of them default to the same choice:

consensus is reached (no attack)

Byzantine Generals' Problem

Equilibrium

  • generals pick majority message
  • successful consensus as long as no more than 1/3 cheats

Blockchain requirement

  • reach Byzantine Fault Tolerant consensus
  • trick: messages are hard to forge

Proof of Work Protocol

A Byzantine Fault Tolerant Algorithm

Blockchain BFT: participants hash the proposed block (together with a nonce) until the hash starts with a pre-specified number of zeros, e.g.

= 00000xd4we...

consensus is reached if the hash starts with the right number of leading zeros

PoW does two things

- selects a leader

- makes messages hard to forge

A demonstration of Hashes and Nonces

https://anders.com/blockchain/block.html

How does the proof of work protocol address Byzantine Fault Resistance?

  1. Looking for leading zeros is a coordination device
    • If you see such a message, update what you want to do.
  2. Mining is difficult and time consuming
    • a forger needs to work hard to change the message
  3. The message is sent to many entities
    • strength in numbers: a forger needs to capture many messages
    • unless there are too many forgers (there is a math result here), the message can be trusted
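Added toy implementation (not from the deck or from any real client) of the three points above: each block carries the previous block's hash as its pointer, a nonce is brute-forced until the SHA-256 digest has the required leading zeros, and checking a chain is cheap while rewriting one block invalidates every block after it unless all of them are re-mined. The payloads are constructed sample strings.

```python
import hashlib

DIFFICULTY = 4      # required leading hex zeros; toy value (about 65,000 tries on average)

def block_hash(prev_hash: str, data: str, nonce: int) -> str:
    """SHA-256 over (pointer to the previous block, payload, nonce)."""
    return hashlib.sha256(f"{prev_hash}|{data}|{nonce}".encode()).hexdigest()

def mine(prev_hash: str, data: str, difficulty: int = DIFFICULTY) -> dict:
    """Proof of work: try nonces until the hash starts with enough zeros."""
    nonce = 0
    while not block_hash(prev_hash, data, nonce).startswith("0" * difficulty):
        nonce += 1
    return {"prev": prev_hash, "data": data, "nonce": nonce,
            "hash": block_hash(prev_hash, data, nonce)}

def build_chain(payloads, difficulty: int = DIFFICULTY) -> list:
    chain, prev = [], "0" * 64            # genesis pointer
    for data in payloads:
        chain.append(mine(prev, data, difficulty))
        prev = chain[-1]["hash"]
    return chain

def valid_chain(chain, difficulty: int = DIFFICULTY) -> bool:
    """Checking is cheap: recompute each hash, check the zeros and the pointer."""
    prev = "0" * 64
    for blk in chain:
        h = block_hash(blk["prev"], blk["data"], blk["nonce"])
        if blk["prev"] != prev or h != blk["hash"] or not h.startswith("0" * difficulty):
            return False
        prev = h
    return True

def rewrite(chain, index: int, new_data: str, remine_rest: bool,
            difficulty: int = DIFFICULTY) -> list:
    """Alter block `index`. Re-mining only that block breaks the next block's
    pointer; a forger must redo the work for every later block as well."""
    new = [dict(b) for b in chain]
    new[index] = mine(new[index]["prev"], new_data, difficulty)
    if remine_rest:
        for i in range(index + 1, len(new)):
            new[i] = mine(new[i - 1]["hash"], new[i]["data"], difficulty)
    return new

if __name__ == "__main__":
    # constructed payloads, not real transactions
    chain = build_chain(["B1: Alice pays Bob 5", "B2: Bob pays Carol 2", "B3: Carol pays Dave 1"])
    print("valid:", valid_chain(chain), "nonces:", [b["nonce"] for b in chain])
    cheap = rewrite(chain, 0, "B1: Alice pays Bob 0", remine_rest=False)
    print("one block rewritten:", valid_chain(cheap))          # False
    costly = rewrite(chain, 0, "B1: Alice pays Bob 0", remine_rest=True)
    print("all later blocks re-mined:", valid_chain(costly))   # True
```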

Proof of Work:

yields Consensus

=> "Existence"

chain of blocks: B1 → B2 → B3 → B4 → B5, each block pointing to (containing the hash of) the previous one; one of the blocks contains the transaction from Bob to Alice

Question: Can Bob rewrite history?

Drilling down part 2b: immutability

No! Because: Economics!

Importance of Economics, Step 1: Incentive to support longest chain

B3

B1

B2

B4

B5

B6

Where to add a new block B7?

  • Add to B3?
    • => people after still more likely to add to B6
    • lose "coinbase" reward

Economic Analysis, Part I

Equilibrium for "the longest chain"? - Yes!

  • "Blockchain Mining Games" by Kiayias, Koutsoupias, Kyropoulou, and Tselekounis, Proceedings of the 2016 ACM Conference on Economics and Computation, 2016
  • "The blockchain folk theorem" by Biais, Bisière, Bouvard, and Casamatta, RFS 2018

Importance of Economics, Step 2: Altering the past?

existing chain: B1 → B2 → B3 → B4 → B5 → B6, where B6 contains the transaction from Bob to Alice

Bob wants to undo the transaction by rewriting history with B6: he builds an alternative chain B7 → B8 → B9 → B10 on top of B5 that replaces B6

  • needs to be faster than anyone after who adds to B5 and build a longer chain
  • or needs to be able to mine repeatedly

Last part of Anders Brownworth's Demo

https://anders.com/blockchain/distributed.html

Bob's objective

  • Wants to undo this trade and cheat Alice by building alternative chain from B6

What does it take?

  1. needs to be predictably able to add several blocks to the chain without interference, or
  2. needs to be faster than anyone after who adds to B5 and build a longer chain, or
  3. needs the ability to reject new blocks that are added to B5.

How does Proof of Work prevent this?

  • mining success is random, subject to resources spent:
    • computers/GPUs
    • electricity
  • you need faster/more computers than 51% of the network
    • current network power: 25 million tera-hashes per second (blockchain.info)

Back of the envelope calculation

  • hashrate: 25,000,000 TH/s
  • best GPUs have 2.5GH/s per card=0.0025 TH/s
  • => need 25,000,000 x 400 x 0.5 = 5,000,000,000 GPUs
  • 1 GPU costs around $200
  • =>Cost = $1,000,000,000,000

Economic Analysis, Part II

Double spend attack prevention

  • Validation rewards are taken as given, but they are crucial in
    • determining incentives to participate,
    • to support the chain, and
    • to spend on electricity and computing power

Basic idea of competitive equilibrium

aggregate mining cost = aggregate reward

Double spending attack

  • expend resources, but:
  • win N block rewards until the "confirmation" block
  • gain the ability to double-spend

condition that prevents it

(Chiu & Koeppl RFS 2018)

\(\text{mining reward} \times (N+1)N > \text{double spend amount}\)

Bigger Insights

  • Philosophy: anyone is allowed to write to the ledger, but we don't trust anyone
  • Key requirement: you cannot predict or determine when you'd write again
    • => cannot manipulate/take over
  • PoW achieves "randomness" by solving a hard, expensive cryptographic puzzle
  • much work goes into finding viable alternatives, which we will discuss later
    • Proof of Stake, Proof of Burn, Proof of Elapsed Time

Major innovation of bitcoin

  • combine cryptography, blockchains, and proof-of-work
  • first application of PoW: HashCash
  • Blockchains have been used for timestamp servers (with central authority)

Proof of Work uses unsustainable amounts of energy

  • Nakamoto consensus consumes energy on par with (Jan 2019)
    • Austria
    • 2x Denmarks
    • 3x Irelands
    • 4x nuclear power plants
  • No connection between energy burned and economic value created

Performance limited by design

  • BTC Throughput: 3.3-7 tps, latency: 10-60 minutes
  • ETH throughput: 15 tps, latency: 14s to 30 minutes
  • Tweaks: Lightning Network (BTC) or side chains, SegWit, larger block sizes are possible, but there are limits

  • microtransactions, IoT, and other smart contract use cases place very high demands

Conceptual limitations of POW

  • Provides a probabilistic guarantee, though in practice, 1-ε = 1

  • Minting is performed according to a set schedule
    => no monetary policy and no adequate liquidity management

  • Hash difficulty is adjusted to achieve a target inter-block latency => implies a hard limit to protocol throughput

  • Block size: performance - decentralization trade off

    • larger blocks lead to more orphans, especially for smaller miners

    • There exists a blocksize at which the network fractures

Mining concentration

[pie charts of mining-pool shares: Bitcoin (source: blockchain.info 25/02/2018) and Ether (source: etherscan.io 25/02/2018)]

Miners

  • have a huge say over changes in the protocol, and

  • they can collectively block changes, force forks, etc., and

  • have incentives that may run counter to the common good

[picture slides of mining hardware over time: Mining 2009, Mining 2010, Mining 2011, Mining 2012, Mining 2013-15, Mining 2015-17, Mining 2018]

  • blockchain 1.0
  • first solution to double spending
  • clunky, slow, expensive
  • huge following and computing power
  • one trick pony

vs

  • blockchain 2.0
  • universal Turing machine for decentralized execution of code
  • highly flexible
  • foundation for many private initiatives
  • cryptocurrency Ether is a means to an end
  • code execution = requires computing power
    • pay for GPU cycles (=Gas) =>Ether is the "fuel" 
    • malicious code could "crash" virtual machine
  • Big message:
    • Ethereum is not a "better" cryptocurrency
    • It is a code execution network that runs on Ether
  • Allows generation of "tokens" = digital assets

Ethereum

  • developed and built by a Waterloo-based team around Vitalik Buterin
  • not a firm
  • team had the chance to sell their system to Google, but declined
  • instead built a "Foundation" => Ethereum cannot be "bought" 
  • founders still got wealthy as they did/do have a stake in the coins

Some Ethereum History

  • with this history comes a philosophy
  • Blockchain entities don't strive to be "firms"
  • they form teams for projects, invite everyone, not concerned about IP
  • they don't strive to get high-powered jobs or sell to a large bank
  • but yes, they want to drive Lambos 

Ethereum Enterprise Alliance

Common Idea:

  • build private blockchains on top of Ethereum
  • use open source tools

Advantages

  • preserve interoperability of systems
  • compatibility and free development
  • best of two worlds? 
  • 150 companies are members of EEA
  • US$400M invested in VC funding (CBInsight)
  • US$900M from tokens since Nov 2016 (Smith and Crown).

Bitcoin and Ethereum Addresses

My JAXX addresses:

  • Bitcoin:
    • 16dNbpPnA5vz41f6D8iQsBwN9j8G6YW7zP
  • Ethereum
    • 0x91c44e74ebf75baa81a45dc589443194d2eba84b
  • General rule: Bitcoin addresses commonly start with 1 (other models exist), Ethereum addresses with 0x

Bitcoin Addresses

  • Usually, your wallet creates your public/private keys
  • Recall that Bitcoin uses an "Elliptic Curve" algorithm
    • With RSA pick primes, e and then d
    • With Elliptic curves, you "pick points on a curve"
    • => your wallet does this and then creates the keys for you
  • From these items it creates your address through a series of hashing operations, mixed with adding "stuff"

Bitcoin Addresses (nerdy stuff)

Ethereum Addresses

  • are essentially a hexadecimal string that always starts with 0x
  • Like Bitcoin, get public/private key with the Elliptic Curve algo
  • Hash the public key with Keccak-256.
    • => 32-byte string.
  • Drop the first 12 bytes
    • 20 bytes = 40 characters remain
  • Add the prefix 0x.
    • => your Ethereum address
  • Note:
    • not as crafted as Bitcoin
    • Ethereum is more flexible and is working towards a name representation
    • => interaction with the International Bank Account Number (IBAN) system
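Added example (not the deck's code): the derivation just described, with Keccak-256 implemented from the sponge definition because Python's hashlib.sha3_256 is NIST SHA-3, which differs from Ethereum's Keccak-256 in one padding byte and therefore produces different digests. The sample public key is the secp256k1 generator point, i.e. the public key belonging to private key 1, a standard test vector; EIP-55 mixed-case checksumming, which the slides do not cover, is included because the bare hex address has no built-in protection against typos.

```python
MASK = (1 << 64) - 1

def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & MASK if n else v

def _round_constants() -> list:
    # Keccak's LFSR over x^8 + x^6 + x^5 + x^4 + 1 yields the 24 round constants
    bits, r = [], 1
    for _ in range(24 * 7):
        bits.append(r & 1)
        r <<= 1
        if r & 0x100:
            r ^= 0x71
        r &= 0xFF
    return [sum(bits[j + 7 * i] << ((1 << j) - 1) for j in range(7)) for i in range(24)]

def _keccak_f(A: list) -> list:
    """Keccak-f[1600] on 25 little-endian 64-bit lanes, lane index = x + 5*y."""
    for rc in _round_constants():
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ _rotl(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]                    # theta
        B, x, y, off = [A[0]] + [0] * 24, 1, 0, 0
        for t in range(24):                                         # rho + pi
            off = (off + t + 1) % 64
            B[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl(A[x + 5 * y], off)
            x, y = y, (2 * x + 3 * y) % 5
        A = [B[i] ^ (~B[(i + 1) % 5 + 5 * (i // 5)] & B[(i + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                    # chi
        A[0] ^= rc                                                  # iota
    return A

def keccak256(data: bytes) -> bytes:
    """Sponge with 1088-bit rate; pad byte 0x01 (SHA-3 would use 0x06)."""
    rate = 136
    msg = bytearray(data) + b"\x01"
    msg += b"\x00" * (-len(msg) % rate)
    msg[-1] |= 0x80
    A = [0] * 25
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):
            A[i] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        A = _keccak_f(A)
    return b"".join(lane.to_bytes(8, "little") for lane in A[:4])

def eth_address(pubkey_xy: bytes) -> str:
    """64-byte public key (x || y, no 0x04 prefix): keccak, drop 12, keep 20 bytes."""
    assert len(pubkey_xy) == 64
    return "0x" + keccak256(pubkey_xy)[-20:].hex()

def eip55(address: str) -> str:
    """EIP-55 checksum: upper-case a hex letter where the keccak nibble is >= 8."""
    low = address[2:].lower()
    h = keccak256(low.encode()).hex()
    return "0x" + "".join(c.upper() if int(h[i], 16) >= 8 else c for i, c in enumerate(low))

# secp256k1 generator point = public key of private key 1 (a well-known test vector)
G_PUBKEY = bytes.fromhex(
    "79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"
    "483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8")

if __name__ == "__main__":
    print(keccak256(b"").hex())              # c5d2...a470 (sha3_256 of "" is a7ff...434a)
    print(eip55(eth_address(G_PUBKEY)))      # checksummed address of private key 1
```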

background math (specifically, number theory)

  • terminology: a is prime relative to b if their greatest common divisor is 1
  • Euler's Phi function for a number n is the number of natural numbers that are prime relative to n
  • for m,n prime numbers: \(\phi(n)=n-1 \text{ and } \phi(m\cdot n)=\phi(n)\cdot\phi(m)=(n-1)(m-1)\)

n     \(\phi(n)\)
1     1
5     4
10    4
12    4
14    6
15    8

A task that'll come up

  • pick n
  • compute \(\phi(n)\)
  • pick e that is prime relative to \(\phi(n)\)
  • find d such that \(\frac{d\cdot e -1}{\phi(n)}=\text{an integer}\)

trick: pick k and then find d s.t.

\(e\cdot d= 1+k \cdot \phi(n)\)

background math (specifically, number theory)

Example

  • n=10
  • \(\phi(10)=4\)
  • 3 is prime to \(4=\phi(10)\)
  • now want \((d\cdot 3-1)/4=\) an integer
  • \(\Rightarrow\) 7 because \((7\cdot 3-1)/4=5\)

Example

  • n=10
  • \(\phi(10)=4\)
  • 3 is prime to \(4=\phi(10)\)
  • now go for \(k\) and \(d\)

A task that'll come up

  • pick n
  • compute \(\phi(n)\)
  • pick e that is prime relative to \(\phi(n)\)
  • find d such that \(\frac{d\cdot e -1}{\phi(n)}=\text{an integer}\)

trick: pick k and then find d s.t.

\(d= (1+k \cdot \phi(n))/3\)

k     \(\frac{\phi(n)\cdot k+1}{3}\)     d
1     (1+4)/3                      -
2     (1+8)/3=3                    3
3     (1+12)/3                     -
4     (1+16)/3                     -
5     (1+20)/3=7                   7

Blockchain tech & math (MBA)

By Andreas Park

This deck covers basics of cryptography such as hashing, digital signatures, the RSA algo.