
Cryptocurrency and Blockchain Technologies Problem Set 1

CS 141 Winter 2019

Due: Tuesday, January 22 at 6:00 pm at Steele B113 (slide writeups under the door).
Alternatively, you may email a typeset document to me at yliu2@caltech.edu.
Pick four problems to do.

KL: Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell

CS251: Cryptocurrencies and Blockchain Technologies at Stanford by Dan Boneh and David Mazières

1. (KL 5.1) Provide formal definitions for second preimage resistance and preimage resistance.
Prove that any hash function that is collision resistant is second preimage resistant, and any
hash function that is second preimage resistant is preimage resistant. (See definitions in
Section 5.1.)

$H^s$ takes as input a key $s$ and a string $x$, and outputs $H^s(x) = H(s, x)$.

Gen takes as input a security parameter $1^n$ (and outputs the key $s$); the output $H^s(x)$ is a string in $\{0,1\}^{\ell(n)}$.
Let the hash function be $\Pi = (\mathrm{Gen}, H)$.
The experiment $\mathrm{Hash\text{-}coll}_{A,\Pi}(n)$:

(a) Generate key $s$ by running $\mathrm{Gen}(1^n)$.
(b) Adversary $A$ is given $s$ and outputs $x, x'$.
(c) The experiment outputs 1 if and only if $x \neq x'$ and $H^s(x) = H^s(x')$.

Collision resistance: Informally, it should be infeasible for any probabilistic polynomial-time
(PPT) algorithm to find a collision in $H$. Formally, $\Pi$ is collision resistant if for all PPT
adversaries $A$, there is a negligible function $\mathrm{negl}$ such that:

$\Pr[\mathrm{Hash\text{-}coll}_{A,\Pi}(n) = 1] \leq \mathrm{negl}(n)$

The experiment $\mathrm{Hash\text{-}2preimag}_{A,\Pi}(n)$:

(a) Generate key $s$ by running $\mathrm{Gen}(1^n)$.
(b) Adversary $A$ is given $s$ and a uniform $x$, and outputs $x'$.
(c) The experiment outputs 1 if and only if $x' \neq x$ and $H^s(x') = H^s(x)$.

Second-preimage resistance: Informally, a hash function is second-preimage resistant if given $s$
and a uniform $x$ it is infeasible for a PPT adversary to find an $x' \neq x$ such that $H^s(x') = H^s(x)$.
Formally, $\Pi$ is second-preimage resistant if for all PPT adversaries $A$, there is a negligible
function $\mathrm{negl}$ such that:

$\Pr[\mathrm{Hash\text{-}2preimag}_{A,\Pi}(n) = 1] \leq \mathrm{negl}(n)$

The experiment $\mathrm{Hash\text{-}preimag}_{A,\Pi}(n)$:

(a) Generate key $s$ by running $\mathrm{Gen}(1^n)$.
(b) Adversary $A$ is given $s$ and a uniform $y$, and outputs $x$.
(c) The experiment outputs 1 if and only if $H^s(x) = y$.

Preimage resistance: Informally, a hash function is preimage resistant if given $s$ and a uniform
$y$ it is infeasible for a PPT adversary to find a value $x$ such that $H^s(x) = y$. Formally, $\Pi$ is
preimage resistant if for all PPT adversaries $A$, there is a negligible function $\mathrm{negl}$ such that:

$\Pr[\mathrm{Hash\text{-}preimag}_{A,\Pi}(n) = 1] \leq \mathrm{negl}(n)$

Suppose we have $A'$ that, given a uniform $x$, can find $x' \neq x$ for which $H^s(x') = H^s(x)$
(i.e., $A'$ breaks second-preimage resistance). Then $A$ can break collision resistance: it samples
a uniform $x$, runs $A'$ on it, and outputs the colliding pair $x, x'$. Hence collision resistance
implies second-preimage resistance.
If we have $A''$ that, given $y$, can find $x$ such that $H^s(x) = y$ (i.e., $A''$ breaks preimage
resistance), then $A'$, given its challenge $x'$, can compute $y := H^s(x')$, run $A''$ on $y$, and
obtain $x$ with $H^s(x) = y$. Since the hash function has inputs of arbitrary length, the probability
that $x = x'$ is small, so $A'$ breaks second-preimage resistance. Hence second-preimage resistance
implies preimage resistance.

2. (KL 5.6) For each of the following modifications to the Merkle-Damgård transform (Construction
5.3), determine whether the result is collision resistant. If yes, provide a proof; if not, demonstrate
an attack.

(a) Modify the construction so that the input length is not included at all (i.e., output $z_B$
and not $z_{B+1} = h^s(z_B \| L)$). (Assume the resulting hash function is only defined for
inputs whose length is an integer multiple of the block length.)
(b) Modify the construction so that instead of outputting $z = h^s(z_B \| L)$, the algorithm
outputs $z_B \| L$.
(c) Instead of using an $IV$, just start the computation from $x_1$. That is, define $z_1 := x_1$
and then compute $z_i := h^s(z_{i-1} \| x_i)$ for $i = 2, \dots, B+1$ and output $z_{B+1}$ as before.
(d) Instead of using a fixed $IV$, set $z_0 := L$ and then compute $z_i := h^s(z_{i-1} \| x_i)$ for
$i = 1, \dots, B$ and output $z_B$.

3. (CS251 HW1 Q2) Alice can use a binary Merkle tree to commit to a set of elements $S =
\{T_1, \dots, T_n\}$ so that later she can prove to Bob that some $T_i$ is in $S$ using an inclusion proof
containing at most $\lceil \log_2 n \rceil$ hash values. The binding commitment to $S$ is a single hash value.
In this question your goal is to explain how to do the same using a $k$-ary tree, that is, where
every non-leaf node has up to $k$ children. The hash value for every non-leaf node is computed
as the hash of the concatenation of the values of all its children.

(a) Suppose $S = \{T_1, \dots, T_9\}$. Explain how Alice computes a commitment to $S$ using a
ternary Merkle tree (i.e., $k = 3$). How does Alice later prove to Bob that $T_4$ is in $S$?

Alice provides $T_5, T_6, H(T_1 \| T_2 \| T_3), H(T_7 \| T_8 \| T_9)$.

(b) Suppose $S$ contains $n$ elements. What is the length of the proof that proves some $T_i$ is
in $S$, as a function of $n$ and $k$?

Length of proof is $\lceil (k-1) \log_k n \rceil$.


(c) For large $n$, if we want to minimize the proof size, is it better to use a binary or ternary
tree? Why?

Use a binary Merkle tree because $x \log_x n$ is an increasing function of $x$.
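As an added example (not part of the problem set or its solutions), the following Python code implements the $k$-ary commitment, inclusion proof and verification described in this question. It assumes SHA-256 as the node hash (the question leaves $H$ unspecified) and lets the last sibling group at a level have fewer than $k$ children when $n$ is not a power of $k$; the worst-case proof size it counts is $(k-1)$ hash values per level times the tree depth, which for $n = 9$, $k = 3$ gives the four values listed in (a).

```python
import hashlib

def H(*parts):
    # Node hash: SHA-256 (assumed) over the concatenation of the children, as the question states.
    return hashlib.sha256(b"".join(parts)).digest()

def build_levels(elements, k):
    # levels[0] holds the elements T_i themselves; each parent hashes up to k consecutive children.
    levels = [list(elements)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(*cur[j:j + k]) for j in range(0, len(cur), k)])
    return levels

def commit(elements, k):
    # The binding commitment is the single root hash.
    return build_levels(elements, k)[-1][0]

def prove(elements, k, i):
    # Inclusion proof for element index i (0-based). Per level: the position of the node in
    # its sibling group and the values of the other siblings (at most k-1 of them).
    levels, proof = build_levels(elements, k), []
    for cur in levels[:-1]:
        start = (i // k) * k
        group, pos = cur[start:start + k], i - start
        proof.append((pos, group[:pos] + group[pos + 1:]))
        i //= k
    return proof

def verify(root, element, proof):
    # Bob rebuilds the path from the element up to the root and compares with the commitment.
    node = element
    for pos, siblings in proof:
        node = H(*siblings[:pos], node, *siblings[pos:])
    return node == root

def proof_size(proof):
    return sum(len(siblings) for _, siblings in proof)

def worst_case_proof_size(n, k):
    # (k-1) sibling hashes per level, times the depth ceil(log_k n), computed with integers.
    depth = 0
    while k ** depth < n:
        depth += 1
    return (k - 1) * depth
```

Running `worst_case_proof_size` for a large $n$ with $k = 2$ and $k = 3$ (e.g. $n = 3^{10}$ gives 16 versus 20) matches the comparison asked for in (c).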

4. (KL 11.8) Consider the following protocol for two parties $A$ and $B$ to flip a fair coin (more
complicated versions of this might be used for Internet gambling): (1) a trusted party $T$
publishes her public key $pk$; (2) then $A$ chooses a uniform bit $b_A$, encrypts it using $pk$, and
announces the ciphertext $c_A$ to $B$ and $T$; (3) next, $B$ acts symmetrically and announces a
ciphertext $c_B \neq c_A$; (4) $T$ decrypts both $c_A$ and $c_B$, and the parties XOR the results to
obtain the value of the coin.

(a) Argue that even if $A$ is dishonest (but $B$ is honest), the final value of the coin is uniformly
distributed.
$B$'s bit is chosen uniformly at random, so the XORed result is still uniformly distributed
(check cases).
(b) Assume the parties use El Gamal encryption (where the bit $b$ is encoded as the group
element $g^b$ before being encrypted; note that efficient decryption is still possible). Show
how a dishonest $B$ can bias the coin to any value he likes.
A dishonest $B$ can decrypt $c_A$ to $b_A$ and select the bit $b_B$ such that $b_A \oplus b_B$ is
the result he likes.
(c) Suggest what type of encryption scheme would be appropriate to use here. Can you
define an appropriate notion of security and prove that your suggestion achieves this
definition?
Use a commitment scheme:
i. $A$ flips a coin, gets $a \in \{0, 1\}$, and computes $f(a)$.
ii. $A$ sends $y = f(a)$ to $B$.
iii. $B$ flips a coin, gets $b \in \{0, 1\}$, and sends $b$ to $A$.
iv. $A$ claims the value of the expression is $a \oplus b$.
v. $A$ discloses $a$ and shows that $y$ is a valid commitment to $a$.
vi. $B$ checks the commitment and the value of the expression.
Appropriate security notion: Intuitively, neither party should be able to guess the output.
As long as the commitment scheme is secure, a dishonest $B$ cannot bias the value based
on $y$. As long as the commitment scheme is binding, a dishonest $A$ cannot reveal $a$ to a
different value. (see 5.6.5 in KL)
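As an added example (not from the problem set), a Python simulation of the commitment-based protocol in (c), with $f$ instantiated by an assumed hash commitment $y = \mathrm{SHA256}(r \| a)$ using a fresh 32-byte random $r$ as the opening. Each step i-vi is a method of the corresponding party, and a cheating $A$ who tries to open $y$ to a different bit after seeing $b$ exercises the binding check in step vi.

```python
import hashlib
import secrets

def commit(bit):
    # Assumed instantiation of f: y = SHA256(r || bit) with a fresh 32-byte random r (the opening).
    r = secrets.token_bytes(32)
    return hashlib.sha256(r + bytes([bit])).digest(), r

def open_commitment(y, r, bit):
    # Does (r, bit) open y? Used by Bob in step vi.
    return bit in (0, 1) and hashlib.sha256(r + bytes([bit])).digest() == y

class Alice:
    def step_i_ii(self):
        # i. flip a coin a and compute f(a); ii. send y to B. Only y leaves Alice.
        self.a = secrets.randbits(1)
        y, self.r = commit(self.a)
        return y

    def step_iv_v(self, b):
        # iv. claim the result a XOR b; v. disclose a and the opening r.
        return self.a ^ b, self.a, self.r

class Bob:
    def step_iii(self, y):
        # iii. flip a coin b after seeing only y (which hides a) and send b.
        self.y, self.b = y, secrets.randbits(1)
        return self.b

    def step_vi(self, claimed, a, r):
        # vi. check the commitment and the claimed value; None means Bob rejects the run.
        if not open_commitment(self.y, r, a) or claimed != a ^ self.b:
            return None
        return claimed

def run_coin_flip(alice, bob):
    # The whole exchange; returns the agreed coin, or None if Bob rejects.
    y = alice.step_i_ii()
    b = bob.step_iii(y)
    claimed, a, r = alice.step_iv_v(b)
    return bob.step_vi(claimed, a, r)

class CheatingAlice(Alice):
    # After seeing b, tries to open y to whichever bit makes the coin come out as wanted.
    def __init__(self, wanted):
        self.wanted = wanted

    def step_iv_v(self, b):
        return self.wanted, self.wanted ^ b, self.r
```

The cheating opening succeeds only when the bit it needs happens to equal the bit already committed, i.e. exactly when the honest outcome would have been the wanted value anyway; every other attempt is rejected in step vi.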

5. (CS251 HW1 Q3) Which of the following does Nakamoto consensus guarantee (or guarantee
with all but negligible probability)?

• agreement (all honest nodes agree on the same value): as long as the network does not
have any miner with more than half the hashpower, no miner is incentivized to create
conflicting transactions, so this is guaranteed. Obtaining half the hashpower of the
network is economically difficult.
• validity (if some honest node proposes value v then any honest node must decide v, also
known as integrity): honest nodes will accept a block if and only if all transactions in it
are unspent and have valid signatures, so this is guaranteed.
• termination (all honest nodes decide on a value eventually): the network tunes the
mining difficulty every 2016 blocks (about two weeks at a rate of 10 minutes per block),
so a valid block will eventually be found, except with negligible probability.
• fault-tolerance (the system continues operating properly in the event of the failure of some
components): (inspired by https://medium.com/loom-network/understanding-blockchain-fundame
and https://www.mail-archive.com/cryptography@metzdowd.com/msg09997.html)
recall the Byzantine generals problem, where a commanding general must send an order
to n − 1 lieutenant generals such that all loyal lieutenants obey the same order and,
if the commanding general is loyal, every loyal lieutenant obeys the order he sends.
Proof-of-work in Nakamoto consensus probabilistically guarantees fault tolerance as follows:
since honest nodes extend the longest chain, and nodes can verify that the majority of
the hashpower on the network was used in the creation of the longest chain, as long as
the majority of the hashpower is controlled by honest nodes, the longest chain at those
nodes will be the same.
6. (CS251 HW1 Q4) Can you solve the Byzantine generals problem (in a synchronous setting)
with three generals one of whom may be a traitor? If so, how? If not, why not?
http://www.cs.cornell.edu/courses/cs614/1999sp/notes99/byzantine.html
https://bitcoin.stackexchange.com/questions/58907/byzantine-fault-tolerant-consensus-why-33-thresh
Note: synchronous systems have a known global, synchronized clock, and possibly other guarantees
such as an upper bound on message delivery, ordered message delivery, and lock-step execution.
No, with only three generals it is not possible for a single loyal general to distinguish who is
lying (if a loyal lieutenant gets conflicting messages, there is no way to tell whether the general
is lying or the other lieutenant is lying, and this applies in every round).
Asynchronous, general setting:
• asynchronous system
• some malicious participants
• want safety - "bad things don't happen", i.e. honest nodes never disagree on a decision
• want liveness - "progress is made", i.e. honest nodes eventually agree on a decision
Have $n$ nodes, $h$ honest, $d$ dishonest. Let $t$ be the threshold for forward progress. Split the
group up into teams of size $h/2$, $d$, $h/2$. So require $t > d + h/2$ for safety, else the malicious
nodes can bias the decision in the case of an even split between honest nodes. The number of nodes
needed for agreement must be upper bounded by the number of honest nodes (since the malicious
ones can just not send messages). So require $t \leq h$ for liveness. So $h \geq t > h/2 + d$, which
implies $h/2 > d$. Hence $1/3$ or more dishonest nodes implies we cannot guarantee safety or liveness.

7. (CS251 HW1 Q5) Consider a newspaper-classified-ad based cryptocurrency blockchain in
which coins look like this:

$\mathrm{coin}_1 := \{\text{Create \$1 (serial\#53401) for } PK_{\mathrm{fed}}\}_{SK_{\mathrm{fed}}}$
$\mathrm{coin}_2 := \{\text{Pay SHA256}(\mathrm{coin}_1)\text{ to } PK_{\mathrm{david}}\}_{SK_{\mathrm{fed}}}$
$\mathrm{coin}_3 := \{\text{Pay SHA256}(\mathrm{coin}_2)\text{ to } PK_{\mathrm{dan}}\}_{SK_{\mathrm{david}}}$

Here the notation $\{m\}_{SK}$ denotes a pair $(m, \sigma)$ where $\sigma$ is a signature on $m$ generated using
the key $SK$. Every day the paper publishes a classified ad that looks like:

new-coins, SHA256(yesterday's ad)

Everyone using the system builds a database containing the SHA256 of every coin ever published,
along with one bit saying whether the coin has already been spent. Nodes ignore blocks that contain
a coin whose hash is already in the database (a duplicate hash) or that spend a coin referencing
a spent or non-existent hash. For instance, an attempt to republish $\mathrm{coin}_1$ would fail, as would
an attempt to re-spend $\mathrm{coin}_2$ such as:

$\mathrm{coin}_4 := \{\text{Pay SHA256}(\mathrm{coin}_2)\text{ to } PK_{\mathrm{david}}\}_{SK_{\mathrm{david}}}$

How might somebody attack this scheme if we use a malleable digital signature algorithm
such as ECDSA? Recall that a signature scheme is said to be malleable if for all messages $m$, a
valid signature $\sigma$ on $m$ can be easily transformed into a different valid signature $\sigma'$ on $m$.
One can generate new coins to oneself if one can easily transform this signature, e.g.

$\mathrm{coin}_4 := \{\text{Pay SHA256}(\mathrm{coin}_3)\text{ to } PK_{\mathrm{dan}}\}_{SK_{\mathrm{dan}}}$

since the signature is forgeable.
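As an added example (not part of the problem set or its solutions), the following Python code implements textbook ECDSA over secp256k1 and shows the malleation the question refers to, $(r, s) \to (r, N - s)$: both signatures verify on the same $m$, yet the SHA256 of the whole coin $(m, \sigma)$, which the newspaper nodes use as the coin's identity, changes, so the spent-bit database no longer recognizes the coin. The low-$s$ canonical check at the end is the standard mitigation (an assumption here; the question does not prescribe one); the coin byte encoding, the key value in the test and the deterministic nonce are constructed for the demo.

```python
import hashlib

# secp256k1 domain parameters (the real curve constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def ec_add(a, b):
    # Affine point addition; None stands for the point at infinity.
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    # Double-and-add scalar multiplication.
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h_int(m): return int.from_bytes(hashlib.sha256(m).digest(), "big")
def sign(sk, m):
    # Textbook ECDSA. The nonce is derived from (sk, m) only so the demo is reproducible.
    z, k = h_int(m), h_int(sk.to_bytes(32, "big") + m) % N
    r = ec_mul(k, G)[0] % N
    return (r, pow(k, -1, N) * (z + r * sk) % N)

def verify(pk, m, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(h_int(m) * w % N, G), ec_mul(r * w % N, pk))
    return pt is not None and pt[0] % N == r

def mirror(sig):
    # ECDSA malleability: (r, s) and (r, N - s) both verify on the same message.
    return (sig[0], N - sig[1])
def coin_hash(m, sig):
    # The newspaper scheme identifies a coin by SHA256 of the whole pair (m, sigma) (assumed encoding).
    return hashlib.sha256(m + b"".join(v.to_bytes(32, "big") for v in sig)).hexdigest()
def is_canonical(sig):
    # Mitigation: accept only the low-s form, so each (m, r) has exactly one admissible signature.
    return sig[1] <= N // 2
```

A node that dedupes on the canonical form (or on SHA256 of $m$ alone rather than of $(m, \sigma)$) sees the mirrored coin as the same coin and keeps the spent bit consistent.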

8. (CS251 HW1 Q1 - optional) We may define two security properties for a hash function, one
called collision resistance and the other called proof-of-work security. Show that a collision-
resistant hash function may not be proof-of-work secure. (Doing this question would require
a good definition of proof-of-work security, which I need to figure out.)
Hint: let $H : X \times Y \to \{0, 1, \dots, 2^n - 1\}$ be a collision-resistant hash function. Construct a
new hash function $H' : X \times Y \to \{0, 1, \dots, 2^m - 1\}$ (where $m$ may be greater than $n$) that
is also collision resistant, but for a fixed difficulty $D$ (say, $D = 2^{32}$) is not proof-of-work
secure with difficulty $D$. That is, for every puzzle $x \in X$ it should be trivial to find a solution
$y \in Y$ such that $H'(x, y) < 2^m / D$. This is despite $H'$ being collision resistant. Remember to
explain why your $H'$ is collision resistant, that is, explain why a collision on $H'$ would yield
a collision on $H$.
