What is money?

• A medium of exchange
• A unit of account
• A store of value
• A standard of deferred payment

How to create money?

• M0: cash money created by a central bank by minting coins and printing banknotes
• M1/M2: money created by private banks through the recording of loans as deposits of borrowing clients
  • Currently created as electronic money

Rai stones from Yap

Digital signature

Digression:
The cannonball problem

The method of Diophantus

• \(1^2+2^2+\cdots+x^2=\frac{x(x+1)(2x+1)}{6}=y^2\)
  • Two trivial solutions: \((x,y)=(0,0)\) or \((1,1)\)
• The line through these two points is \(y=x\), which intersects with the curve and gives the equation \[x^3-\frac{3}{2}x^2+\frac{1}{2}x=0\]
  • The third root is \(x=\frac{1}{2}\)

Repeat for (1,1) & (1/2,-1/2)

• The line is \(y=3x−2\), so the equation is \[x^3-\frac{51}{2}x^2+\cdots=0\]
  • The third root is \(x=24\), so \(y=70\), i.e., \[1^2+2^2+\cdots+24^2=70^2\]
• If we keep repeating this procedure, we'll obtain infinitely many rational solutions to our equation
• However, it can be shown that \((24,70)\) is the only non-trivial solution in positive integers

The congruent number problem

• The question of which integers \(n\) can occur as areas of right triangles with rational sides is known as the congruent number problem
• E.g., \(n=5\): are there rational numbers \(a,b,c\) s.t. \[a^2+b^2=c^2,ab=10?\]
• Equivalently, \(c^2+20=(a+b)^2,c^2-20=(a-b)^2\)
• Let \(x=(c/2)^2\): \(y^2=(x+5)x(x-5)=x^3-25x\)

Diophantus revisited

• Consider the tangent line at \((−4,6)\): \(y=\frac{23}{12}x+\frac{41}{3},\) which intersects the curve and gives \[x^3-\left(\frac{23}{12}\right)^2x^2+\cdots=0\]
• The third root is \((23/12)^2+4+4=(41/12)^2\), i.e., \[a=\frac{20}{3},b=\frac{3}{2},c=\frac{41}{6}\]
• There are infinitely many other solutions, which can be obtained by successively repeating this procedure

An elliptic curve \(E\) is the graph of an equation of the form \(y^2=x^3+Ax+B\), where \(A\) and \(B\) are constants.  This will be referred to as the Weierstraß equation for an elliptic curve.  We will need to specify what set \(A,B,x\) and \(y\) belong to.  Usually, they will be taken to be elements of a field, for example, the real numbers \(\mathbb R\), the complex numbers \(\mathbb C\), the rational numbers \(\mathbb Q\), one of the finite fields \(\mathbb F_p(=\mathbb Z/p\mathbb Z)\) for a prime \(p\), or one of the finite fields \(\mathbb F_q\), where \(q=p^k\) with \(k\geq 1\).  If \(K\) is a field with \(A,B\in K\), then we say that \(E\) is defined over \(K\).

Points on elliptic curve

• If we want to consider points with coordinates in some field \(L\supseteq K\), we write \(E(L)\)
• By definition, this always contains the point at infinity: \[E(L)=\Big\{\infty\Big\}\bigcup\Big\{(x,y)\in L\times L:y^2=x^3+Ax+B\Big\}\]
• \(E(L)\) is an abelian group

Group operations in \(E(L)\)

Elliptic curve cryptography

• Security depends on the hardness of the elliptic curve discrete logarithm problem (ECDLP)
  • Given a point \(Q\in G\subseteq E(L)\) and a generator \(P\) of \(G,\) find an integer \(n\) s.t. \(nP=Q\)
• Pros: smaller keys and ciphertexts for achieving same security level as DLP-based cryptosystems
  • \(\text{160--256}\) bits vs. \(\text{1024--3072}\) bits
• Cons: security is achieved only over secure curves

ECDSA

• To sign a message \(m\):
  1. \(h\leftarrow H(m)\)
  2. \(k\stackrel{\$}{\leftarrow}(\mathbb Z/q\mathbb Z)^*\)
  3. \(\color{blue}r\color{black}\leftarrow f(kP)\bmod q\)
  4. \(\color{blue}s\color{black}\leftarrow(h+\color{red}x\color{blue}r\color{black})/k\bmod q\)

• To verify signature \(\color{blue}(r,s)\):
  1. \(h\leftarrow H(m)\)
  2. \(a\leftarrow h/\color{blue}s\color{black}\bmod q\)
  3. \(b\leftarrow \color{blue}r\color{black}/\color{blue}s\color{black}\bmod q\)
  4. \(f(aP+bQ)\stackrel{?}{=}\color{blue}r\color{black}\bmod q\)

Why it works? \[f(aP+bQ)=f(aP+b\color{red}x\color{black}P)=f(\frac{h+\color{red}x\color{blue}r\color{black}}{s}P)=f(kP)\]

Digital signature in Bitcoin

• ECDSA over curve secp256k1
  • Public/private keys: 33 or 65 bytes
  • Signatures: 71, 72, or 73 bytes
• Bitcoin address = RIPEND160(SHA256(pk)): 20 bytes
  • Often in Base58Check encoding

Bitcoin transaction

• Transaction consists of \(\geq 1\) inputs and \(\geq 1\) outputs
• To prevent double spending, each input must refer to a previous unspent transaction output (UTXO)
  • Except for coin generation, e.g.: genesis block

Merkel tree

Blockchain as

tamper-evident log

The Bitcoin consensus protocol

• New transactions are broadcast to all nodes
• Each node collects transactions into a block and broadcasts the block as its proof of work
• Other nodes accept the block only if all transactions in it are valid, i.e., unspent with valid signatures
• Nodes express their acceptance of the block by including its hash in the next block they create

Incentivization via mining

• Bitcoin miners' incentives
  • Transaction fees
  • Block rewards
    • Started being 50 bitcoins in 2009, now 3.125
    • Cut in half every 4 years to limit supply to ≈21M
• Best strategy: when there are multiple chains of blocks, follow the longest chain of blocks

The Bitcoin script

Executing P2PKH scripts

• Pay-to-PubkeyHash
  • scriptSig: <sig> <pubKey>
  • scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash?> OP_EQUALVERIFY OP_CHECKSIG
• Pay-to-ScriptHash
  • scriptSig: ...signatures... <serialized script>
  • scriptPubKey: OP_HASH160 <scriptHash> OP_EQUAL

Ethereum

• Proposed in late 2013 by Vitalik Buterin
• Went live on 30 July 2015
• Stewarded by nonprofit foundation
• Turing-complete scripts, a.k.a. smart contracts
  • A contract is a program that lives on the blockchain
  • A dApp is a collection of integrated contracts
  • A decentralized autonomous organization (DAO) is an organization represented by rules encoded as contracts on a blockchain

An example contract

Opportunities

• Electronic payment
• Asset tokenization
• Provenance tracking
• Digital identity
• Custody & escrow
• Automation
• Web3

Challenges

• Operating models and regulation
• Scalability
• Privacy
• Latency
• Integration

Beyond digital signature

• Standard digital signature on message \( x \):
  • "I swear that the signer said \( x \)."
• Beyond digital signature:
  • "The signer said \( \color{red}x\color{black} \), which I'm not going to disclose here, but I swear that \( f(\color{red}x\color{black})=y \)."

Example

• CA signs Cert: "Batman was born on Jan 1, 1976"
• \( f(x,\color{red}w\color{black})=1 \) if and only if:
  • \( \color{red}w\color{black} \) is a valid certificate signed by CA
  • \( \color{red}w\color{black} \) says as of today, \( x \) is over 18 years old
• Beers for Batman if \( f(\text{Batman},\color{red}\text{Cert}\color{black})=1 \)

Proving \( f(x)=y \)

• Syntax of (polynomial) functional commitment
  • \( c=\text{commit}(r,f) \)
  • \( (y,\pi)=\text{eval}(r,f,x) \)
  • \( \text{verify}\Big(c,x,y,\pi\Big) \) iff \( \exists r\text{ s.t. }c=\text{commit}(r,f) \) and \( f(x)=y \)
• Example (Merkle tree)
  • Leaves \( y_0,y_1,\ldots,y_{n-1} \) define \( f:\Big\{0,1,\ldots,n-1\Big\}\rightarrow Y \)
  • Authentication path encodes (binary expansion of) \( i\in\Big\{0,1,\ldots,n-1\Big\} \) and thus proves \( f(i)=y_i \)

Why polynomials?

• \( f_{v+w}=f_v+f_w, f_{v\odot w}=f_vf_w \) for coordinate-wise product \( \odot \) \[ \Big(\because\text{ev}\in k[X]\times k\rightarrow k\cong k[X]\rightarrow k\rightarrow k\Big) \]
• Lemma [Schwartz-Zippel] \[ \text{Pr}_{r\in k}\Big(f(r)=g(r)\Big)\leq\frac{d}{|k|}\text{ for }f\neq g\text{ with }\deg f,\deg g\leq d \]
  • Zero test: \( f(\omega)=0\ \forall\omega\in\Omega \)
  • Sum check: \( \sum_{\omega\in\Omega}f(\omega)=0 \)
  • Product check: \( \prod_{\omega\in\Omega}f(\omega)=1 \)

Zero-knowledge IP

• V learns nothing beyond S is true
  • Consider special S: \( y=f(x,\color{red}w\color{black}) \)
  • Can simulate the dialogues without knowing \(\color{red}w\color{black}\)
• Example: Blind V with two colored balls

Toy example

• Prover: "I know integers \( \color{red}p\color{black},\color{red}q\color{black} \) s.t. \( n=\color{red}pq\color{black} \)"
• Prover commits to three polynomial functions: \[ \color{red}r_p\color{black}X+\color{red}p\color{black},\color{red}r_q\color{black}X+\color{red}q\color{black},\text{ and }\color{red}r_pr_q\color{black}X^2+(\color{red}r_pq\color{black}+\color{red}pr_q\color{black})X+n \]
• Verifier challenges Prover with random \( r \) and checks whether \( (\color{red}r_p\color{black}r+\color{red}p\color{black})(\color{red}r_q\color{black}r+\color{red}q\color{black})\stackrel{?}{=}\color{red}r_pr_q\color{black}r^2+(\color{red}r_pq\color{black}+\color{red}pr_q\color{black})r+n \)
• Lemma [Schwartz-Zippel] \[ \text{Pr}_{r\in k}\Big(f(r)=g(r)\Big)\leq\frac{d}{|k|}\text{ for }f\neq g\text{ with }\deg f,\deg g\leq d \]

Schnorr's ZKP for DLP

• S: "I know \( \color{red}x\color{black} \) s.t. \( y=g^{\color{red}x\color{black}} \)"
  • P \( \rightarrow \) V: \( r=g^{\color{red}k\color{black}} \)
  • P \( \leftarrow \) V: \( e \)
  • P \( \rightarrow \) V: \( s=\color{red}k\color{black}-\color{red}x\color{black}e \)
  • V checks: \( r\stackrel{?}{=}g^sy^e\left(=g^{\color{red}k\color{black}-\color{red}x\color{black}e}(g^x)^e\right) \)
• Fiat-Shamir heuristic turns (most) IP to NIROP (Non-Interactive Random-Oracle Proof)
  • Schnorr's signature: \( \pi=(r,s) \) for \( e=H(r||m) \)
  • zk-NARK (Noninteractive ARgument of Knowledge)

Knowledge extractor

How Sony PS3 got hacked in 2011: \[ \left\{\begin{aligned} s_1 & =\color{red}k\color{black}-\color{red}x\color{black}e_1 \\ s_2 &= \color{red}k\color{black}-\color{red}x\color{black}e_2 \end{aligned}\right. \]

EF's semaphore

• "Users who broadcast a signal will not expose their identity"
  • "Specifically, an adversary will only know they're a user in the group, but not which user"
• "Users cannot broadcast two different signals on the same topic twice"

How to implement?

• Identity commitment integrity: \[ \text{id}_\text{comm}=\text{Commit}_{\text{id}_\text{trapdoor}}(\text{id}_\text{pub},\text{id}_\text{nullifier}) \]
• Merkle path validity: \[ (\text{id\textunderscore path},\text{id\textunderscore path\textunderscore index})\text{ is a valid Merkle path from id}_\text{comm}\text{ to root} \]
• Nullifiers hash integrity: \[ \text{nullifiers\textunderscore hash}=\text{PRF}_{\text{id}_\text{nullifier}}(\text{external\textunderscore nullifier},\text{id\textunderscore path\textunderscore index}) \]
• Signal authorization: \[ \text{Verify}(\text{id}_\text{pub},(\text{external\textunderscore nullifier},\text{signal\textunderscore hash}),\text{signature}) \]

Revisiting Merkle tree

In ZoKrates

• Witness contains array of arrays of hash values along authentication path
• Well-known trick to include the indices of these hash values at each level
  • Not strictly necessarily but for easy programming
  • Will expand to nested if-then-else in R1CS anyway

\(\text{\tt fold}\) to rescue in Keelung

\(\text{\tt foldl :: Foldable t => (b -> a -> b) -> b -> t a -> b}\)