
EE 465: Cryptocurrency and Blockchain Technologies (Autumn 2019) Instructor: Saravanan Vijayakumaran Indian Institute of Technology Bombay

Practice Problems

Date: November 17, 2019

1. Bitcoin Improvement Proposal 34 (proposed in 2012) mandated that the scriptSig in the dummy input of a coinbase transaction must begin with the block height, serialized as a script number (https://github.com/bitcoin/bips/blob/master/bip-0034.mediawiki). What problem did this change to the protocol solve?

2. Suppose Alice owns some bitcoin which are stored in a P2PKH address whose corresponding private key is in a file on her computer. Alice does not want to write down the private key or print it out on paper, as she is worried someone might steal the paper from her home. She wants to keep the private key only in electronic form, on computers owned only by herself.

Alice has three computers where she can store private keys.

Alice uses her computers to browse the Internet so there is a chance that a hacker gains access to her computers when she visits a malicious website.

Alice’s computers may also crash due to a hard disk failure making the files unrecoverable.

What kind of address should Alice move her bitcoin to such that they are safe as long as only one of the three computers gets hacked or crashes? Specify what information Alice needs to store in each of the three computers.

Note: Alice does not know in advance which computer will get affected. If a computer crashes, Alice loses all information which was stored in that computer. If a computer is hacked, the hacker gains access to all information stored in that computer.

3. Consider the pie chart showing the percentage of Bitcoin blocks mined by different mining pools over the past year (https://btc.com/stats/pool).

(a) How is this pie chart constructed, i.e. how can one know the identity of the entity which mined a block?

(b) Suppose a mining pool gains control of 50% or more of the network hashrate. If this event occurs, then the general public may lose confidence in the tamper resistance of the Bitcoin blockchain. How can the mining pool hide the fact that it controls a majority of the network hashrate?
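Added example for problems 1 and 3(a), not part of the original problem set: a small Python parser that reads the BIP34 height push at the start of a coinbase scriptSig and then looks for the free-form text that pools write after it, which is how block explorers attribute a block to a pool. The sample scriptSig, the pool tag and the tag table are constructed for this example; real explorers maintain such a table from known pool tags and payout addresses.

```python
import re

# Script-number helpers (Bitcoin's CScriptNum): little-endian magnitude with the
# sign in the top bit of the last byte, minimally encoded.
def encode_scriptnum(n: int) -> bytes:
    if n == 0:
        return b""
    negative, mag, out = n < 0, abs(n), bytearray()
    while mag:
        out.append(mag & 0xFF)
        mag >>= 8
    if out[-1] & 0x80:                # top bit already used: add a byte carrying the sign
        out.append(0x80 if negative else 0x00)
    elif negative:
        out[-1] |= 0x80
    return bytes(out)

def decode_scriptnum(data: bytes) -> int:
    if not data:
        return 0
    value = int.from_bytes(data, "little")
    if data[-1] & 0x80:               # sign bit set: strip it and negate
        return -(value & ((1 << (8 * len(data) - 1)) - 1))
    return value

def parse_coinbase_scriptsig(script_sig: bytes):
    """Return (height, remaining bytes) for a BIP34-style coinbase scriptSig.
    The script must start with a push of the serialised height: either a
    direct push opcode 0x01..0x4b followed by that many bytes, or OP_1..OP_16."""
    if not script_sig:
        raise ValueError("empty scriptSig")
    op = script_sig[0]
    if 1 <= op <= 75:
        if len(script_sig) < 1 + op:
            raise ValueError("truncated height push")
        return decode_scriptnum(script_sig[1:1 + op]), script_sig[1 + op:]
    if 0x51 <= op <= 0x60:
        return op - 0x50, script_sig[1:]
    raise ValueError("scriptSig does not start with a BIP34 height push")

# Hypothetical tag table. Block explorers keep a list like this of the strings
# each pool writes into its coinbase; the entries here are made up.
POOL_TAGS = {b"/ExamplePool/": "Example Pool", b"/OtherPool/": "Other Pool"}

def printable_runs(data: bytes, min_len: int = 4):
    """ASCII runs in the free-form part of the coinbase, where pool tags live."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def attribute_pool(script_sig: bytes):
    """Name of the pool whose tag appears after the height push, or None."""
    _, rest = parse_coinbase_scriptsig(script_sig)
    for tag, name in POOL_TAGS.items():
        if tag in rest:
            return name
    return None

# Constructed coinbase scriptSig (not from a real block): push of height 600000
# (0x03 = push 3 bytes; c0 27 09 = 600000 little-endian), a made-up pool tag,
# and eight arbitrary extranonce bytes.
SAMPLE_SCRIPTSIG = bytes.fromhex("03c02709") + b"/ExamplePool/" + bytes.fromhex("0000000000000001")

if __name__ == "__main__":
    height, rest = parse_coinbase_scriptsig(SAMPLE_SCRIPTSIG)
    print(height, printable_runs(rest), attribute_pool(SAMPLE_SCRIPTSIG))
```

Anything after the height push is miner-chosen data, so a tag is only a claim by whoever built the block; this is exactly why the attribution in 3(a) can be gamed.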

4. (a) In a mining pool, how does the pool owner distribute the mining search space for a candidate block among the pool participants such that there is no repetition of work by two different participants?

(b) Once a participant finds a valid block, how is the block reward distributed among all the participants?

(c) Why can’t the pool participant who found the valid block cheat by keeping the block reward for himself/herself?
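Added example for problem 4, written for this page rather than taken from any pool software: a toy pool and worker in Python. The pool hands each worker a distinct extranonce1 (as Stratum does), the worker only varies extranonce2 and the nonce, and the coinbase output script is part of the data under the merkle root, so the pool recomputes every share with its own payout script. The block template, transaction ids, share target and payout scripts are constructed, and the coinbase is a simplified byte layout rather than real transaction serialisation.

```python
import hashlib
import struct

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

# Constructed block template (no real chain data): fake previous-block hash,
# three fake transaction ids, fixed version/time/bits, and a share target that
# is easy to hit in pure Python (about one header in 65536 qualifies).
PREV_HASH = dsha256(b"constructed previous block")
OTHER_TXIDS = [dsha256(b"constructed tx %d" % i) for i in range(3)]
VERSION, TIME, BITS = 0x20000000, 1573948800, 0x1D00FFFF
HEIGHT = 600000
SHARE_TARGET = 1 << 240
POOL_PAYOUT = b"pool scriptPubKey"     # placeholder for the pool's output script

def coinbase_tx(extranonce1: bytes, extranonce2: bytes, payout: bytes) -> bytes:
    """Simplified coinbase (not real serialisation): BIP34 height push, the
    pool-assigned extranonce1, the worker-chosen extranonce2, and the output
    script the reward is paid to. All of it ends up under the merkle root."""
    return bytes([3]) + HEIGHT.to_bytes(3, "little") + extranonce1 + extranonce2 + payout

def merkle_root(txids):
    layer = list(txids)
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])          # Bitcoin duplicates the odd leaf
        layer = [dsha256(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer[0]

def header_hash(root: bytes, nonce: int) -> int:
    header = struct.pack("<I", VERSION) + PREV_HASH + root + struct.pack("<III", TIME, BITS, nonce)
    return int.from_bytes(dsha256(header), "little")

def share_hash(extranonce1, extranonce2, nonce, payout=POOL_PAYOUT) -> int:
    txid = dsha256(coinbase_tx(extranonce1, extranonce2, payout))
    return header_hash(merkle_root([txid] + OTHER_TXIDS), nonce)

def worker_search(extranonce1: bytes, max_extranonce2: int = 16):
    """Worker-side search. Each worker only varies (extranonce2, nonce); the
    pool gave it a unique extranonce1, so two workers never hash the same header."""
    for en2 in range(max_extranonce2):
        extranonce2 = en2.to_bytes(4, "little")
        root = merkle_root([dsha256(coinbase_tx(extranonce1, extranonce2, POOL_PAYOUT))] + OTHER_TXIDS)
        for nonce in range(1 << 32):
            if header_hash(root, nonce) < SHARE_TARGET:
                return extranonce2, nonce
    return None

def pool_accept_share(extranonce1, extranonce2, nonce) -> bool:
    """Pool-side check: rebuild the header with the pool's own payout script."""
    return share_hash(extranonce1, extranonce2, nonce) < SHARE_TARGET

def proportional_payout(shares: dict, reward: int) -> dict:
    """Split a block reward in proportion to accepted shares (integer units)."""
    total = sum(shares.values())
    return {worker: reward * count // total for worker, count in shares.items()}

if __name__ == "__main__":
    en1 = b"\x00\x00\x00\x01"                 # extranonce1 the pool assigned to this worker
    extranonce2, nonce = worker_search(en1)
    print("share accepted:", pool_accept_share(en1, extranonce2, nonce))
    print("same hash after redirecting the coinbase:",
          share_hash(en1, extranonce2, nonce, b"thief scriptPubKey") == share_hash(en1, extranonce2, nonce))
```

The last line of the demo is the point of 4(c): a worker who swaps in its own payout script changes the coinbase txid, hence the merkle root and the header, so the nonce it found no longer meets any target.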

5. Suppose N civil contractors are bidding for a contract to build a road for the municipal corporation. The contractor who submits the lowest bid will win the contract. Typically, the contractors are required to submit sealed envelopes containing their bids before a deadline. After the deadline, the envelopes are opened one by one in a meeting attended by all the contractors and the winning bid is declared. One problem with this procedure is that the values of all the losing bids are made public. Losing bidders may not want this information to be revealed.

Consider the following protocol which uses Pedersen commitments instead of sealed paper envelopes.

(i) Let E be an elliptic curve of prime order n which is a 256-bit prime. Assume that the discrete logarithm problem is hard in the group E. Let G and H be generators of the group E such that the discrete logarithm of H with respect to G is not known.

(ii)

Let b_i ∈ {0, 1, 2, …, 2^32 − 1} be the bid of the ith contractor for i = 1, 2, …, N.

(iii)

Before the deadline, each contractor submits a Pedersen commitment C_i = x_i G + b_i H to the municipal corporation, where x_i ∈ Z_n is the blinding factor.

(v) After the deadline, each bidder is asked to reveal the blinding factor x i and bid amount b i corresponding to its commitment C i . Failure to reveal these values will disqualify the bidder.

Answer the following questions.

(a) If the blinding factors and amounts are made available to the municipal corporation, how can the corporation convince all the bidders who the winning bidder is without revealing the amounts or blinding factors to them?

(b) Now suppose that the bidders do not want to reveal the blinding factors or amounts to the municipal corporation. Describe a protocol which can convince everyone of the identity of the winning bidder while revealing only the winning bid amount but not the blinding factors or losing bid amounts. Hint: You are allowed to have multiple rounds of communication between the corporation and the bidders.

6. Consider the following interactive protocol for proving quadratic non-residuosity of an x ∈ Z_N where N = pq for odd primes p, q.

V picks y ←$ Z_N and a bit b ←$ {0, 1}. If b = 0, V sends z = y^2 (mod N). If b = 1, V sends z = x y^2 (mod N).
If z ∈ QR_N, P sends b' = 0. If z ∉ QR_N, P sends b' = 1.
V accepts if b' = b.

(a) Give an informal reason of why this protocol is not zero-knowledge by describing a verifier which can extract some knowledge from the prover using this protocol.

(b) The formal definition of zero-knowledge requires the existence of a simulator which can simulate the protocol transcript for any verifier V. For the verifier you described in the previous part, why can we not construct a simulator which can simulate the protocol transcript?
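Added example for problem 6, not from the original page: the protocol above run in Python with both sides, where the prover decides residuosity from the factorisation of N (Euler's criterion mod p and mod q) and the verifier forms its challenge from a random y coprime to N and a random bit b. The modulus uses small constructed primes so it runs instantly; the structure is unchanged at real sizes.

```python
import math
import random

def legendre(a: int, p: int) -> int:
    """Euler's criterion: 1 if a is a square mod the odd prime p, p - 1 (= -1) if not."""
    return pow(a, (p - 1) // 2, p)

def is_qr(z: int, p: int, q: int) -> bool:
    """z coprime to N = pq is a quadratic residue mod N iff it is one mod p and mod q.
    Deciding this needs the factorisation, which is the prover's secret."""
    return legendre(z, p) == 1 and legendre(z, q) == 1

def find_qnr_with_jacobi_one(p: int, q: int) -> int:
    """A non-residue mod N whose Jacobi symbol is +1, i.e. one the verifier
    cannot classify on its own with public information."""
    x = 2
    while not (legendre(x, p) == p - 1 and legendre(x, q) == q - 1):
        x += 1
    return x

class Prover:
    def __init__(self, p: int, q: int):
        self.p, self.q = p, q
    def respond(self, z: int) -> int:
        return 0 if is_qr(z, self.p, self.q) else 1      # b' as in the protocol

class Verifier:
    def __init__(self, N: int, x: int, rng: random.Random):
        self.N, self.x, self.rng, self.b = N, x, rng, None
    def challenge(self) -> int:
        y = self.rng.randrange(1, self.N)
        while math.gcd(y, self.N) != 1:
            y = self.rng.randrange(1, self.N)
        self.b = self.rng.randrange(2)
        return y * y % self.N if self.b == 0 else self.x * y * y % self.N
    def check(self, b_prime: int) -> bool:
        return b_prime == self.b

def run_protocol(p: int, q: int, x: int, rounds: int, seed: int) -> int:
    """Run `rounds` independent rounds; return how many the verifier accepted."""
    prover, verifier = Prover(p, q), Verifier(p * q, x, random.Random(seed))
    accepted = 0
    for _ in range(rounds):
        z = verifier.challenge()
        accepted += verifier.check(prover.respond(z))
    return accepted

# Constructed toy modulus (real instances use primes of about 1024 bits each).
P_PRIME, Q_PRIME = 1009, 1013

if __name__ == "__main__":
    x = find_qnr_with_jacobi_one(P_PRIME, Q_PRIME)
    print("x a non-residue, rounds accepted:", run_protocol(P_PRIME, Q_PRIME, x, 40, seed=1), "of 40")
    print("x = 4 (a square), rounds accepted:", run_protocol(P_PRIME, Q_PRIME, 4, 40, seed=1), "of 40")
```

When x is actually a square, z is a square for either value of b, so the prover's rule answers 0 every round and the verifier accepts only the rounds with b = 0, roughly half of them.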

7. Let G be a cyclic group of prime order q and generator g, i.e. G = ⟨g⟩. Let f, h ∈ G be other generators of G such that the discrete logarithms of f, g, h with respect to each other are not known.

For u = f^α g^β h^γ, the triple (α, β, γ) ∈ Z_q^3 is called the representation of the group element u with respect to generators f, g, and h.

(a) Suppose a prover wants to convince a verifier that it knows the representation of u ∈ G with respect to f, g, h. Describe an interactive protocol which is an honest-verifier zero-knowledge proof of knowledge for the relation

R = {(u, (α, β, γ)) ∈ G × Z_q^3 | u = f^α g^β h^γ}.

(b)

8. Let G be a cyclic group of prime order q and generator g, i.e. G = ⟨g⟩. Suppose a prover wants to convince a verifier that she knows x ∈ Z_q such that h = g^x for a public group element h. The prover and verifier execute the following protocol:

1. Prover picks k ←$ Z_q and sends initial message I = g^k
2. Verifier sends a challenge bit b ←$ {0, 1}
3. Prover sends s = bx + k mod q
4. Verifier checks whether g^s = I · h^b

Prove that the above protocol is zero-knowledge and a proof of knowledge for the relation

R = {(u, α) ∈ G × Z_q | u = g^α}.

Note: You are required to prove that the protocol is zero-knowledge, not just honest-verifier zero-knowledge.
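Added example for problems 7 and 8, written for this page: both Sigma protocols in Python over a toy prime-order subgroup of Z_p^* (p = 10007 = 2·5003 + 1, assumed to be a safe prime; the code checks primality at import). For problem 8 it runs the bit-challenge protocol against an arbitrary verifier strategy and includes a rewinding simulator that produces accepting transcripts without the witness, which is the ingredient a full zero-knowledge proof needs; for problem 7 it runs the three-generator proof of knowledge of a representation with an honest verifier's random challenge. The generators f, g, h are squares mod p chosen arbitrarily; at this size their mutual discrete logs are trivially computable, only the protocol structure matters.

```python
import random
from functools import reduce

# Toy group: p = 2q + 1 is a safe prime, so the squares mod p form the
# subgroup of prime order q. Real deployments use ~2048-bit p or an elliptic curve.
P_MOD, Q_ORD = 10007, 5003

def is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

assert is_prime(P_MOD) and is_prime(Q_ORD) and P_MOD == 2 * Q_ORD + 1

g = pow(2, 2, P_MOD)
GENS = {"f": pow(3, 2, P_MOD), "g": g, "h": pow(5, 2, P_MOD)}   # generators of the order-q subgroup

def inv(a: int) -> int:
    return pow(a, P_MOD - 2, P_MOD)

# ---- Problem 8: bit-challenge protocol for h = g^x ----
def dlog_verify(h: int, I: int, b: int, s: int) -> bool:
    return pow(g, s, P_MOD) == I * pow(h, b, P_MOD) % P_MOD

def dlog_prove(h: int, x: int, challenge, rng: random.Random):
    """One run against a verifier strategy `challenge(I) -> bit` (honest or not).
    Returns the transcript (I, b, s) and whether the verifier accepts."""
    k = rng.randrange(Q_ORD)
    I = pow(g, k, P_MOD)
    b = challenge(I)
    s = (b * x + k) % Q_ORD
    return (I, b, s), dlog_verify(h, I, b, s)

def dlog_simulate(h: int, challenge, rng: random.Random):
    """Simulator with no witness: guess the bit, pick s first, solve for I,
    and rewind if the verifier's actual challenge differs. Expected two tries
    for any verifier strategy, since the bit carries one bit of unpredictability."""
    tries = 0
    while True:
        tries += 1
        b_guess, s = rng.randrange(2), rng.randrange(Q_ORD)
        I = pow(g, s, P_MOD) * inv(pow(h, b_guess, P_MOD)) % P_MOD
        if challenge(I) == b_guess:
            return (I, b_guess, s), tries

# ---- Problem 7: proof of knowledge of a representation u = f^a g^b h^c ----
def product(exps: dict) -> int:
    return reduce(lambda acc, k: acc * pow(GENS[k], exps[k], P_MOD) % P_MOD, GENS, 1)

def representation_prove(u: int, secrets: dict, rng: random.Random, c: int = None) -> bool:
    """Commit to random exponents r_i, receive a challenge c in Z_q (drawn here by an
    honest verifier unless supplied), answer s_i = r_i + c * secret_i.
    The verifier checks f^s1 g^s2 h^s3 = t * u^c."""
    r = {k: rng.randrange(Q_ORD) for k in GENS}
    t = product(r)
    if c is None:
        c = rng.randrange(Q_ORD)
    s = {k: (r[k] + c * secrets[k]) % Q_ORD for k in GENS}
    return product(s) == t * pow(u, c, P_MOD) % P_MOD

if __name__ == "__main__":
    rng = random.Random(7)
    x = 1234
    h = pow(g, x, P_MOD)
    print("honest run accepted:", dlog_prove(h, x, lambda I: rng.randrange(2), rng)[1])
    print("simulated transcript:", dlog_simulate(h, lambda I: I % 2, rng))
    u = product({"f": 11, "g": 22, "h": 33})
    print("representation proof accepted:", representation_prove(u, {"f": 11, "g": 22, "h": 33}, rng))
```

A single round of the problem 8 protocol only catches a prover without the witness when b = 1, so soundness error 1/2 per round has to be driven down by repetition; the simulator's success does not depend on the verifier being honest, which is the difference between zero-knowledge and honest-verifier zero-knowledge that the note asks about.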

9. Two political parties A and B who have formed an alliance want to commit to a power sharing agreement before an election. The power sharing scheme will be described by a pair of integers a, b ∈ {1, 2, …, 99} such that a + b = 100. These integers represent the percentage of power each party will get if their alliance gets the majority of seats in the election.

Let E be an elliptic curve of prime order n which is much larger than 100. Assume that the discrete logarithm problem is hard in the group E. Let G and H be generators of the group E such that the discrete logarithm of H with respect to G is not known.

Party A publishes Pedersen commitment C_A = x_a G + aH for a secret blinding factor x_a ∈ Z_n. Party B publishes Pedersen commitment C_B = x_b G + bH for a secret blinding factor x_b ∈ Z_n. The blinding factor of each party is not known to the other (to prevent one party from revealing the other party’s share).

(a) Describe a procedure by which the parties can convince a PPT observer who sees C_A and C_B that the following properties hold, without revealing the blinding factors x_a, x_b or the values a, b to the observer. The procedure should not reveal x_a to party B or x_b to party A.

(i) C_A is a Pedersen commitment to a value in the range {1, 2, …, 99}
(ii) C_B is a Pedersen commitment to a value in the range {1, 2, …, 99}
(iii) C_A + C_B is a Pedersen commitment to the value 100.

Note: Revealing x_a G would effectively reveal a to the PPT observer, because the observer can calculate aH = C_A − x_a G and then compare C_A − x_a G to the values in the set {H, 2H, …, 99H} to recover a.

(b) Party B wants to send some part of its share b to another party C. Let c ∈ {1, 2, …, b − 1} be the share of party C, which will be committed to by a Pedersen commitment C_C = x_c G + cH for a blinding factor x_c ∈ Z_n. The remaining share of party B will be committed to by a Pedersen commitment C'_B = x'_b G + (b − c)H for a blinding factor x'_b ∈ Z_n. Describe a procedure by which the parties B and C can convince a PPT observer who sees C_B, C'_B, and C_C that the following properties hold, without revealing the blinding factors x_b, x'_b, x_c or the values b, c to the observer. The procedure should not reveal x_b, x'_b to party C or x_c to party B.

(i) C_C is a Pedersen commitment to a value in the range {1, 2, …, 99}
(ii) C'_B is a Pedersen commitment to a value in the range {1, 2, …, 99}
(iii) C'_B + C_C is a Pedersen commitment to the same value committed in C_B.

Hint: Mimblewimble
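Added example for problems 5 and 9, not part of the original problem set: Pedersen commitments over secp256k1 in Python, with the second generator H derived by hashing to the curve so that log_G(H) is unknown to everyone. It shows the opening check the corporation performs in 5(a), the difference commitment C_i − C_w that a range proof would act on in 5(b), the sum C_A + C_B opening to 100 for 9(a)(iii), and the excess C'_B + C_C − C_B for 9(b)(iii), which has no H component and is therefore a multiple of G whose discrete log is a combination of blinding factors (the kernel idea the Mimblewimble hint points at). The blinding factors, bid values and the seed string for H are constructed; the curve constants are the standard secp256k1 parameters.

```python
import hashlib

# secp256k1: field prime, group order (a 256-bit prime) and base point G
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Affine-coordinate group law; None is the point at infinity.
# Not constant-time: illustration only, never for real keys.
def ec_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k: int, point):
    result, k = None, k % N
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def ec_neg(point):
    return None if point is None else (point[0], (-point[1]) % P)

def ec_sub(p1, p2):
    return ec_add(p1, ec_neg(p2))

def hash_to_point(seed: bytes):
    """Nothing-up-my-sleeve second generator: hash the seed to an x coordinate
    and take the first one that lies on the curve, so nobody learns log_G(H).
    secp256k1 has P = 3 mod 4, so the square root is a single exponentiation."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return x, y
        ctr += 1

H = hash_to_point(b"Pedersen second generator")   # seed string is an arbitrary, public choice

def commit(x: int, b: int):
    """Pedersen commitment C = xG + bH with blinding factor x and value b."""
    return ec_add(ec_mul(x, G), ec_mul(b, H))

def verify_opening(C, x: int, b: int) -> bool:
    return commit(x, b) == C

def excess(outputs, inputs):
    """sum(outputs) - sum(inputs). When the committed values balance this point
    has no H component and equals (sum of output blinds - sum of input blinds)G."""
    total = None
    for C in outputs:
        total = ec_add(total, C)
    for C in inputs:
        total = ec_sub(total, C)
    return total

if __name__ == "__main__":
    x_a, x_b = 0x1111, 0x2222                  # toy blinding factors; use 256-bit randomness in practice
    C_A, C_B = commit(x_a, 60), commit(x_b, 40)
    print("C_A + C_B opens to 100:", verify_opening(ec_add(C_A, C_B), (x_a + x_b) % N, 100))
```

Opening C_A + C_B with x_a + x_b reveals each party's blinding factor to the other, which is exactly what 9(a) forbids; the excess point is what a joint Schnorr-style proof of knowledge would be made over instead.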