Block chain questions

Dec 01, 2019

EE 465: Cryptocurrency and Blockchain Technologies (Autumn 2019)

Instructor: Saravanan Vijayakumaran

Indian Institute of Technology Bombay

Practice Problems

Date: November 17, 2019

1. Bitcoin Improvement Proposal 34 (proposed in 2012) mandated that the first four bytes of the scriptSig in the dummy input of a coinbase transaction should contain the block height (https://github.com/bitcoin/bips/blob/master/bip-0034.mediawiki). What problem did this change to the protocol solve?

2. Suppose Alice owns some bitcoin which are stored in a P2PKH address whose corresponding private key is in a file on her computer. Alice does not want to write down the private key or print it out on a paper, as she is worried someone might steal the paper from her home. She wants to keep the private keys only in electronic form on computers owned only by herself.

• Alice has three computers where she can store private keys.

• Alice uses her computers to browse the Internet so there is a chance that a hacker gains access to her computers when she visits a malicious website.

• Alice’s computers may also crash due to a hard disk failure making the files unrecoverable.

What kind of address should Alice move her bitcoin to such that they are safe as long as only one of the three computers gets hacked or crashes? Specify what information Alice needs to store in each of the three computers.

Note: Alice does not know in advance which computer will get affected. If a computer crashes, Alice loses all information which was stored in that computer. If a computer is hacked, the hacker gains access to all information stored in that computer.

3. Consider the pie chart showing the percentage of Bitcoin blocks mined by different mining pools over the past year (https://btc.com/stats/pool).

(a) How is this pie chart constructed, i.e. how can one know the identity of the entity which mined a block?

(b) Suppose a mining pool gains control of 50% or more of the network hashrate. If this event occurs, then the general public may lose confidence in the tamper resistance of the Bitcoin blockchain. How can the mining pool hide the fact that it controls a majority of the network hashrate?

4. (a) In a mining pool, how does the pool owner distribute the mining search space for a candidate block among the pool participants such that there is no repetition of work by two different participants?

(b) Once a participant finds a valid block, how is the block reward distributed among all the participants?

(c) Why can’t the pool participant who found the valid block cheat by keeping the block reward for himself/herself?

5. Suppose N civil contractors are bidding for a contract to build a road for the municipal corporation. The contractor who submits the lowest bid will win the contract. Typically, the contractors are required to submit sealed envelopes containing their bids before a deadline. After the deadline, the envelopes are opened one by one in a meeting attended by all the contractors and the winning bid is declared. One problem with this procedure is that the values of all the losing bids are made public. Losing bidders may not want this information to be revealed.

Consider the following protocol which uses Pedersen commitments instead of sealed paper envelopes.

(i) Let E be an elliptic curve of prime order n which is a 256-bit prime. Assume that the discrete logarithm problem is hard in the group E. Let G and H be generators of the group E such that the discrete logarithm of H with respect to G is not known.

(ii) Let b , 2 , N .

(iii) Before the deadline, each contractor submits a Pedersen commitment C

(iv) As soon as each bid is received, the corresponding $C_i$ is displayed on a public notice board in the municipal corporation office.

(v) After the deadline, each bidder is asked to reveal the blinding factor $x_i$ and bid amount $b_i$ corresponding to its commitment $C_i$. Failure to reveal these values will disqualify the bidder.

Answer the following questions.

(a) If the blinding factors and amounts are made available to the municipal corporation, how can the corporation convince all the bidders who the winning bidder is without revealing the amounts or blinding factors to them?

(b) Now suppose that the bidders do not want to reveal the blinding factors or amounts to the municipal corporation. Describe a protocol which can convince everyone of the identity of the winning bidder while revealing only the winning bid amount but not the blinding factors or losing bid amounts. Hint: You are allowed to have multiple rounds of communication between the corporation and the bidders.
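The baseline commit-and-reveal flow of steps (iii) to (v), as an added example that is not part of the original problem sheet. It uses the commitment form x·G + b·H written out in Problem 9; the small subgroup of Z_p^* standing in for the curve E, the bidder names and all function names are assumptions made for illustration.

```python
import secrets

# Toy parameters (constructed): P = 2*Q + 1 with P and Q prime. The squares
# mod P form a group of prime order Q that stands in for the curve E. Far too
# small to be secure; log_G(H) is trivially computable here.
P, Q = 2039, 1019
G, H = 4, 9  # two squares mod P, so each generates the order-Q subgroup

def commit(x, b):
    """Pedersen commitment. x*G + b*H on the sheet becomes G^x * H^b mod P."""
    return pow(G, x % Q, P) * pow(H, b % Q, P) % P

def new_bid(b):
    """Bidder side: draw a fresh blinding factor, return (C_i, (x_i, b_i))."""
    x = secrets.randbelow(Q)
    return commit(x, b), (x, b)

def settle(board, openings):
    """Step (v): check every revealed (x_i, b_i) against the C_i on the board.

    board:    {bidder: C_i} as displayed on the notice board in step (iv)
    openings: {bidder: (x_i, b_i)} for the bidders who revealed their values
    Returns (winner, winning_bid, disqualified_bidders).
    """
    valid, disqualified = {}, []
    for name, c in board.items():
        opening = openings.get(name)
        if opening is not None and commit(*opening) == c:
            valid[name] = opening[1]
        else:
            # No reveal, or the revealed pair does not match the commitment.
            disqualified.append(name)
    if not valid:
        return None, None, disqualified
    winner = min(valid, key=valid.get)  # lowest bid wins the contract
    return winner, valid[winner], disqualified
```

Note that this flow publishes every bid after the deadline, which is exactly the leak that questions (a) and (b) ask you to remove.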

6. Consider the following interactive protocol for proving quadratic non-residuosity of an $x \in \mathbb{Z}_N^*$ where $N = pq$ for odd primes $p, q$.

• $V$ picks $y \xleftarrow{\$} \mathbb{Z}_N^*$ and a bit $b \xleftarrow{\$} \{0, 1\}$

• If $b = 0$, $V$ sends $z = y^2$. If $b = 1$, $V$ sends $z = xy^2$

• If $z \in QR_N$, $P$ sends $b' = 0$. If $z \notin QR_N$, $P$ sends $b' = 1$

• $V$ accepts if $b' = b$

(a) Give an informal reason why this protocol is not zero-knowledge by describing a verifier which can extract some knowledge from the prover using this protocol.

(b) The formal definition of zero-knowledge requires the existence of a simulator which can simulate the protocol transcript for any verifier $V^*$. For the verifier you described in the previous part, why can we not construct a simulator which can simulate the protocol transcript?
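The protocol of Problem 6 run with an honest verifier, as an added example that is not part of the original problem sheet. The toy primes, the choice of x and the function names are assumptions; the prover decides residuosity with Euler's criterion modulo each prime factor, which only a party knowing p and q can do.

```python
import secrets
from math import gcd

# Constructed toy modulus. The prover knows p and q, the verifier only N.
p, q = 499, 547
N = p * q

def is_qr(z):
    """Prover's test: z (coprime to N) is in QR_N iff it is a square mod p and mod q."""
    return pow(z, (p - 1) // 2, p) == 1 and pow(z, (q - 1) // 2, q) == 1

def verifier_challenge(x):
    """V picks y in Z_N^* and a bit b, sends z = y^2 if b = 0 and z = x*y^2 if b = 1."""
    while True:
        y = secrets.randbelow(N - 1) + 1
        if gcd(y, N) == 1:
            break
    b = secrets.randbelow(2)
    z = pow(y, 2, N) if b == 0 else x * pow(y, 2, N) % N
    return b, z

def prover_response(z):
    """P sends b' = 0 if z is in QR_N and b' = 1 otherwise."""
    return 0 if is_qr(z) else 1

def run_rounds(x, rounds):
    """Return the (b, b') pair of each round; V accepts a round when b' == b."""
    pairs = []
    for _ in range(rounds):
        b, z = verifier_challenge(x)
        pairs.append((b, prover_response(z)))
    return pairs

def acceptance_rate(x, rounds=400):
    return sum(b == bp for b, bp in run_rounds(x, rounds)) / rounds

# x = 2 is a non-residue mod both primes (each is 3 mod 8), so it is a
# non-residue mod N with Jacobi symbol +1. x = 4 is a square.
X_NON_RESIDUE, X_RESIDUE = 2, 4
```

With `X_NON_RESIDUE` the prover recovers b in every round; with `X_RESIDUE` every z is a square, the prover always answers 0, and the verifier accepts only about half of the rounds.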

7. Let $G$ be a cyclic group of prime order $q$ and generator $g$, i.e. $G = \langle g \rangle$. Let $f, h \in G$ be other generators of $G$ such that the discrete logarithms of $f, g, h$ with respect to each other are not known.

For $u = f^\alpha g^\beta h^\gamma$, the triple $(\alpha, \beta, \gamma) \in \mathbb{Z}_q^3$ is called the representation of the group element $u$ with respect to generators $f$, $g$, and $h$. Suppose a prover wants to convince a verifier that it knows the representation of $u \in G$ with respect to $f, g, h$. Describe an interactive protocol which is an honest-verifier zero-knowledge proof of knowledge for the relation

$$R = \left\{ (u, (\alpha, \beta, \gamma)) \in G \times \mathbb{Z}_q^3 \mid u = f^\alpha g^\beta h^\gamma \right\}.$$

8. Let $G$ be a cyclic group of prime order $q$ and generator $g$, i.e. $G = \langle g \rangle$. Suppose a prover wants to convince a verifier that she knows $x \in \mathbb{Z}_q$ such that $h = g^x$ for a public group element $h$. The prover and verifier execute the following protocol:

1. Prover picks $k \xleftarrow{\$} \mathbb{Z}_q$ and sends initial message $I = g^k$

2. Verifier sends a challenge bit $b \xleftarrow{\$} \{0, 1\}$

3. Prover sends $s = bx + k \bmod q$

4. Verifier checks $g^s \stackrel{?}{=} I \cdot h^b$

Prove that the above protocol is zero-knowledge and a proof of knowledge for the relation

$$R = \left\{ (u, \alpha) \in G \times \mathbb{Z}_q \mid u = g^\alpha \right\}.$$

Note: You are required to prove that the protocol is zero-knowledge, not just honest-verifier zero-knowledge.
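One round of the Problem 8 protocol in code, as an added example that is not part of the original problem sheet. It runs an honest prover next to a prover who does not know x and has to guess the challenge bit before sending I; the toy group parameters and the function names are assumptions.

```python
import secrets

# Constructed toy group (far too small to be secure): P = 2*Q + 1 with P and Q
# prime, and G = 4 generating the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (x, h) with h = g^x. x is nonzero so that h != 1."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def verify(h, I, b, s):
    """Step 4: check g^s == I * h^b."""
    return pow(G, s, P) == I * pow(h, b, P) % P

def honest_round(x, h):
    """Steps 1 to 4 with a prover who knows x. Returns the verifier's decision."""
    k = secrets.randbelow(Q)
    I = pow(G, k, P)            # step 1: initial message
    b = secrets.randbelow(2)    # step 2: challenge bit
    s = (b * x + k) % Q         # step 3: response
    return verify(h, I, b, s)

def guessing_round(h):
    """Prover without x: guesses the challenge first, picks s at random and
    sends I = g^s * h^(-guess). Returns (guess == b, verifier's decision)."""
    guess, s = secrets.randbelow(2), secrets.randbelow(Q)
    I = pow(G, s, P) * pow(h, -guess, P) % P
    b = secrets.randbelow(2)
    return guess == b, verify(h, I, b, s)

def pass_rate(h, rounds=400):
    """Fraction of rounds the guessing prover survives; close to 1/2."""
    return sum(ok for _, ok in (guessing_round(h) for _ in range(rounds))) / rounds
```

The guessing prover is accepted exactly when its guess matches b, so a single round has soundness error 1/2 and the round has to be repeated to push that error down.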

9. Two political parties A and B who have formed an alliance want to commit to a power sharing agreement before an election. The power sharing scheme will be described by a pair of integers $a, b \in \{1, 2, \ldots, 99\}$ such that $a + b = 100$. These integers represent the percentage of power each party will get if their alliance gets the majority of seats in the election.

Let $E$ be an elliptic curve of prime order $n$ which is much larger than 100. Assume that the discrete logarithm problem is hard in the group $E$. Let $G$ and $H$ be generators of the group $E$ such that the discrete logarithm of $H$ with respect to $G$ is not known.

Party A publishes Pedersen commitment $C_A = x_a G + aH$ for a secret blinding factor $x_a \in \mathbb{Z}_n$. Party B publishes Pedersen commitment $C_B = x_b G + bH$ for a secret blinding factor $x_b \in \mathbb{Z}_n$. The blinding factor of each party is not known to the other (to prevent one party from revealing the other party’s share).

(a) Describe a procedure by which the parties can convince a PPT observer who sees C

(i) C , 99}

(ii) C , 99}

(iii) C

Note: Revealing x

calculate aH = C , 99H}

(b) Party B wants to send some part of its share $b$ to another party C. Let $c \in \{1, 2, \ldots, b - 1\}$ be the share of party C which will be committed to by a Pedersen commitment $C_C = x_c G + cH$ for a blinding factor $x_c \in \mathbb{Z}_n$. The remaining share of party B will be committed to by a Pedersen commitment $C'_B = x'_b G + (b - c)H$ for a blinding factor $x'_b \in \mathbb{Z}_n$. Describe a procedure by which the parties B and C can convince a PPT observer who sees $C_B$, $C'_B$, and $C_C$ that the following properties hold, without revealing the blinding factors $x_b$, $x'_b$, $x_c$ or the values $b$, $c$ to the observer. The procedure should not reveal $x_b$, $x'_b$ to party C and $x_c$ to party B.

(i) $C_C$ is a Pedersen commitment to a value in the range $\{1, 2, \ldots, 99\}$

(ii) $C'_B$ is a Pedersen commitment to a value in the range $\{1, 2, \ldots, 99\}$

(iii) $C'_B + C_C$ is a Pedersen commitment to the same value committed in $C_B$.

Hint: Mimblewimble
