PP - crypto.fmf.ktu.lt/lt/telekonf/archyvas/Data...
ECDSA standards: Standards for Efficient Cryptography Group (SEC), http://www.secg.org/. Bitcoin follows the secp256k1 standard.
Public Parameters: PP=(EC=secp256k1, BasePoint=G). The group operation is addition of points on the Elliptic Curve (EC); the base point G is a generator of the additive EC group of points. Let the number of points in the EC group be |EC Group|=N (for secp256k1 the group order N is prime and the cofactor is 1, so every point other than the point at infinity generates the group).
Private Key of the EC Cryptosystem (ECCS): PrK_ECCS=x, chosen uniformly from 1..N-1: >> x=randi(N-1) (randi(N) could return x=N, and N•G is the point at infinity, which is not a usable public key).
Public Key of the ECCS: PuK_ECCS=A=x•G, where • means x-fold addition of the point G on the EC, i.e. multiplication of G by the scalar x.
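The point arithmetic behind PuK_ECCS = A = x•G, as an added example that is not part of the lecture notes: a minimal secp256k1 implementation in Python (the notes use Octave) with the SEC 2 domain parameters, chord-and-tangent point addition, double-and-add scalar multiplication and key generation with x restricted to 1..N-1. The function names (on_curve, add, mul, keygen, compressed) are this example's own. It is toy code for following the arithmetic: not constant-time, and not a substitute for libsecp256k1 in real software.

```python
# Added example (not from the lecture notes): A = x*G on secp256k1 in plain affine
# arithmetic. Curve constants are the SEC 2 secp256k1 domain parameters. Toy code:
# not constant-time, so for demonstration only (production code uses libsecp256k1).
import secrets

# secp256k1 (SEC 2): y^2 = x^3 + 7 over GF(P); G has prime order N, cofactor 1,
# so |EC Group| = N and every point other than infinity generates the group.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity, the identity of the additive group


def on_curve(pt):
    """True for INF and for affine points satisfying y^2 = x^3 + 7 (mod P)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + 7)) % P == 0


def add(p1, p2):
    """Chord-and-tangent point addition; handles identity, inverse and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                        # p2 = -p1
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """k-fold addition of pt (the notes' 'k • G') by double-and-add."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def keygen(x=None):
    """PrK x uniform in [1, N-1], PuK A = x*G.  x = N is excluded because N*G = INF,
    which randi(N) in the notes would allow."""
    if x is None:
        x = 1 + secrets.randbelow(N - 1)
    if not 1 <= x < N:
        raise ValueError("private key must be in [1, N-1]")
    return x, mul(x, G)


def compressed(pt):
    """33-byte SEC compressed encoding: 02/03 prefix (parity of y) followed by x."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


if __name__ == "__main__":
    x, A = keygen()
    print(f"PrK x = {x:x}\nPuK A = {compressed(A).hex()}  on curve: {on_curve(A)}")
```

keygen(1) returns G itself and keygen(2) the well-known point 2G, so the block can be checked against any published secp256k1 test vector; mul(N, G) returning INF confirms that N really is the order of G.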
We use an ElGamal-type cryptosystem and its public parameters.
Public Parameters: PP=(strongprime=p, generator=g). The group operation is multiplication mod p of numbers in the group of integers Zp={1, 2, 3, ..., p-1} mod p. For the toy example p has |p|=28 bits.
Private Key PrK=x. >> x=randi(p-1) % or >> x=randi(2^26) % then x is at most 2^26, i.e. roughly a 26-bit number.
011_2020_DS Bitcoin-4
Public Key is PuK=a=g^x mod p. The notes write this as x•g, meaning the x-fold group operation applied to g; in Zp the group operation is multiplication, so x•g is the power g^x, which is what mod_exp computes in the Octave transcript below.
ElGamal Cryptosystem (CS)                          Elliptic Curve Cryptosystem (CS)
PP=(strongprime=p, generator=g)                    PP=(EC=secp256k1, BasePoint=G)
  p=255996887; g=22;
PrK=x  >> x=randi(p-1) % or >> x=randi(2^26)       PrK_ECC=x, |EC Group|=N  >> x=randi(N-1)
PuK=a=g^x mod p (x-fold product of g)              PuK_ECCS=A=x•G (x-fold sum of G)
Alice A: x=1975596; a=210649132;
p in binary: pb = 1111010000100011001111010111, |p|=28 bits.
In our consideration we assume that the Bitcoin Public Key is the same as the Bitcoin Address for all users, e.g.: PukA=a=210649132=AddrA.
Alice received 1200 and 2300 Sat from transactions Tx1 and Tx2 respectively. Alice sends 2100 Sat to Bob and returns 1400 Sat to herself as change, so inputs and outputs balance:
1200 + 2300 = 2100 + 1400 = 3500 Sat.
Alice A: PrKA=x=1975596; PukA=a=210649132; AddrA=PukA
Bob B:   PrKB=y=43440755; PukB=b=10039541;  AddrB=PukB

Transaction graph: Tx1 and Tx2 pay Alice; Alice's transaction TxA spends both outputs and pays Bob (input of TxB) and her change (input of TxAChange). Each output record is shown once; it appears identically as Out of the paying transaction and as In of the spending one.

Tx1, Out1  ->  TxA, InA1:
  HTx1 = 56531970
  Sat = 1200
  PuK1 = 98982789
  AddrA = 210649132
  Sig1 = (s1, t1) = (19054509, 47064464)

Tx2, Out2  ->  TxA, InA2:
  HTx2 = 67497465
  Sat = 2300
  PuK2 = 62556582
  AddrA = 210649132
  Sig2 = (s2, t2) = (93914475, 50582226)

TxA, OutA1  ->  TxB, InB1 (2100 Sat to Bob):
  HTxA = 2BFC1D9
  Sat = 2100
  PukA = 210649132
  AddrB = 10039541
  SigA = (sAh, tAh) = (1BC22A4, 521DAEF)

TxA, OutA2  ->  TxAChange, InA3 (1400 Sat change back to Alice):
  HTxA = 2BFC1D9
  Sat = 1400
  PukA = 210649132
  AddrA = 210649132
  SigA = (sAh, tAh) = (1BC22A4, 521DAEF)

TxA (Alice's transaction):
  TimeStamp = TS = 2020.05.07.17:29:59
  PukA = 210649132
  HIn = H(In1||In2) = CF1FAC2
  HOut = H(Out1||Out2) = BBFEB44
  HSigA = H(HIn||HOut||TS||PukA) = F47C9E1
  SigA = SignatA(PrKA, HSigA) = (sAh, tAh) = (1BC22A4, 521DAEF)
  HTxA = H(HSigA||SigA) = 2BFC1D9
HIn1 = h28('HTx1=56531970||Sat1=1200||Puk1=98982789') = C24E70C
HIn2 = h28('HTx2=67497465||Sat2=2300||Puk2=62556582') = 9D4B065
HIn = h28('HIn1=C24E70C||HIn2=9D4B065') = CF1FAC2
HOut1 = h28('Sat3=2100||PukA=210649132||AddrB=10039541') = EA4096F
HOut2 = h28('Sat4=1400||PukA=210649132||AddrA=210649132') = 9D1243B
HOut = h28('HOut1=EA4096F||HOut2=9D1243B') = BBFEB44
HSigA = h28('HIn=CF1FAC2||HOut=BBFEB44||TS=2020.05.07.17:29:59||PukA=210649132') = F47C9E1
SignatA(PrKA, HSigA) = SigA = (sAh, tAh) = (1BC22A4, 521DAEF)
HTxA = h28('HSigA=F47C9E1||SigA=(1BC22A4, 521DAEF)') = 2BFC1D9
% is a comment in Octave and this string is ignored
>> HIn1=h28('HTx1=56531970||Sat1=1200||PuK1=98982789')
HIn1 = C24E70C
>> HIn2=h28('HTx2=67497465||Sat2=2300||PuK2=62556582')
HIn2 = 9D4B065
>> HIn=h28('HIn1=C24E70C||HIn2=9D4B065')
HIn = CF1FAC2
>> HOut1=h28('Sat3=2100||PuKA=210649132||AddrB=10039541')
HOut1 = EA4096F
>> HOut2=h28('Sat4=1400||PuKA=210649132||AddrA=210649132')
HOut2 = 9D1243B
>> HOut=h28('HOut1=EA4096F||HOut2=9D1243B')
HOut = BBFEB44
>> HSigA=h28('HIn=CF1FAC2||HOut=BBFEB44||TS=2020.05.07.17:29:59||PukA=210649132')
HSigA = F47C9E1
% is a comment in Octave and this string is ignored
>> p=255996887 % first public parameter: strong prime number, e.g. >> p=genstrong(2^28)
p = 255996887
>> g=22 % second public parameter: generator; g must meet two criteria
g = 22
>> PrKA=1975596 % Private Key
PrKA = 1975596
>> PuKA=210649132 % Public Key
PuKA = 210649132
>> mh=HSigA % mh - message in hex format; the signature must be placed on the message in dec format
mh = F47C9E1
>> m=hex2dec(mh) % m - message to be signed in dec format
m = 256362977
>> k=45931090 % enter k without computing >> k=randi(2^26) for the first time, for certainty of computations
k = 45931090
>> tA=mod_exp(g,k,p) % the second component of Alice's signature tA = g^k mod p
tA = 86104815
>> conc=concat(m,tA) % concatenation of two strings: m||tA = 256362977||86104815 = 25636297786104815
conc = 25636297786104815
>> h=hd26(conc) % computation of the h-value; the signature is computed on this h-value
h = 37511075
>> sA=mod(k+PrKA*h,p-1) % the first component of Alice's signature sA
sA = 29106852
% signature verification: signature is valid if
% tA*PuKA^h mod p = g^sA mod p
% (both sides equal g^(k + PrKA*h) mod p, since tA = g^k and PuKA = g^PrKA)
>> aph=mod_exp(PuKA,h,p) % PuKA^h mod p computation
aph = 62083210
>> tAaph=mod(tA*aph,p) % tA*PuKA^h mod p computation
tAaph = 60547013
>> gps=mod_exp(g,sA,p) % g^sA mod p computation
gps = 60547013
>> sAh=dec2hex(sA) % first signature component in hex format
sAh = 1BC22A4
>> tAh=dec2hex(tA) % second signature component in hex format
tAh = 521DAEF
% Alice's transaction TxA h-value computation HTxA % HTxA is used to include transaction
>> HTxA=h28('HSigA=F47C9E1||sAh=1BC22A4||tAh=521DAEF')
HTxA = 2BFC1D9
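The signing transcript above and the HIn/HOut/HSigA/SigA/HTxA layout of TxA, as an added Python example that is not part of the lecture notes. It uses the notes' public parameters p=255996887, g=22 and Alice's keys. The course's Octave helpers h28 and hd26 are not available, so truncated SHA-256 digests stand in for them (an assumption: the names and the values on the page indicate a 28-bit hash with hex output and a 26-bit hash with decimal output); the transaction hashes therefore differ from the notes, while sign_with_h and verify_with_h reproduce sA, tA and the check tA*PuKA^h = g^sA exactly when given the notes' h=37511075 and k=45931090. The function names, the transaction dictionary and the tamper check are this example's own. It also adds recover_x_from_nonce_reuse, which shows why the fixed k entered "for certainty of computations" must never serve two signatures: with s = k + x*h mod (p-1), two signatures under the same k give s1 - s2 = x*(h1 - h2) mod (p-1), and the private key follows by one modular inverse. Requires Python 3.8+ for pow(d, -1, m).

```python
# Added example (not the lecture notes' Octave code): the notes' ElGamal/Schnorr-type
# signature over Z_p* with their public parameters and keys, the TxA hash layout
# HIn / HOut / HSigA / SigA / HTxA, and the nonce-reuse check a practitioner wants.
# Assumption: the course's Octave helpers h28 (28-bit hash, hex output) and hd26
# (26-bit hash, decimal output) are unavailable, so SHA-256 truncations stand in for
# them; transaction hashes therefore differ from the notes, while the signature
# arithmetic reproduces the notes exactly when their h and k are supplied.
import hashlib
import secrets

P, G = 255996887, 22                    # PP from the notes: strong prime p, generator g
ALICE_X, ALICE_A = 1975596, 210649132   # Alice's PrK and PuK (= AddrA) from the notes
BOB_ADDR = 10039541                     # Bob's PuK = AddrB from the notes


def h28(s: str) -> str:
    """Stand-in for the course's h28: 7 hex digits (28 bits) of SHA-256(s)."""
    return hashlib.sha256(s.encode()).hexdigest()[:7].upper()


def hd26(s: str) -> int:
    """Stand-in for the course's hd26: a 26-bit hash of s as a decimal number."""
    return int.from_bytes(hashlib.sha256(s.encode()).digest()[:4], "big") % (1 << 26)


def sign_with_h(x: int, h: int, k: int):
    """Notes' formulas: sA = k + x*h mod (p-1), tA = g^k mod p."""
    return (k + x * h) % (P - 1), pow(G, k, P)


def verify_with_h(a: int, h: int, s: int, t: int) -> bool:
    """Valid iff t * a^h == g^s (mod p); both sides equal g^(k + x*h)."""
    return (t * pow(a, h, P)) % P == pow(G, s, P)


def sign(x: int, m: int, k: int = None):
    """Full scheme: fresh k, t = g^k, h = hd26(m||t) (the notes' concat(m,tA)), s = k + x*h."""
    if k is None:
        k = 1 + secrets.randbelow(P - 2)      # never reuse k: see recover_x_from_nonce_reuse
    t = pow(G, k, P)
    s, _ = sign_with_h(x, hd26(f"{m}{t}"), k)
    return s, t


def verify(a: int, m: int, sig) -> bool:
    s, t = sig
    return verify_with_h(a, hd26(f"{m}{t}"), s, t)


def tx_hashes(ins, outs, ts, pub):
    """HIn over the spent outputs, HOut over the new outputs, HSigA over both + TS + PukA.
    ins: [(HTx, Sat, PuK)], outs: [(Sat, PuK, Addr)]; field strings laid out as in the notes."""
    hin_parts = [h28(f"HTx{i}={h}||Sat{i}={sat}||PuK{i}={puk}")
                 for i, (h, sat, puk) in enumerate(ins, 1)]
    hout_parts = [h28(f"Sat{i}={sat}||PuKA={puk}||Addr={addr}")
                  for i, (sat, puk, addr) in enumerate(outs, 1)]
    hin = h28("||".join(f"HIn{i}={v}" for i, v in enumerate(hin_parts, 1)))
    hout = h28("||".join(f"HOut{i}={v}" for i, v in enumerate(hout_parts, 1)))
    return hin, hout, h28(f"HIn={hin}||HOut={hout}||TS={ts}||PukA={pub}")


def build_tx(ins, outs, ts, pub, x, k=None):
    """Sign HSigA as a decimal number (the notes' hex2dec) and chain HTxA onto the signature."""
    hin, hout, hsig = tx_hashes(ins, outs, ts, pub)
    s, t = sign(x, int(hsig, 16), k)
    sig = (f"{s:X}", f"{t:X}")                # (sAh, tAh)
    return {"ins": ins, "outs": outs, "TS": ts, "PukA": pub, "HIn": hin, "HOut": hout,
            "HSigA": hsig, "SigA": sig, "HTxA": h28(f"HSigA={hsig}||sAh={sig[0]}||tAh={sig[1]}")}


def verify_tx(tx) -> bool:
    """Recompute every hash from the fields: a changed amount, address or timestamp breaks
    HSigA (signature fails) and HTxA (hash chain fails). Toy model: no fee, inputs == outputs."""
    if sum(i[1] for i in tx["ins"]) != sum(o[0] for o in tx["outs"]):
        return False
    hin, hout, hsig = tx_hashes(tx["ins"], tx["outs"], tx["TS"], tx["PukA"])
    sh, th = tx["SigA"]
    return ((hin, hout, hsig) == (tx["HIn"], tx["HOut"], tx["HSigA"])
            and verify(tx["PukA"], int(hsig, 16), (int(sh, 16), int(th, 16)))
            and tx["HTxA"] == h28(f"HSigA={hsig}||sAh={sh}||tAh={th}"))


def recover_x_from_nonce_reuse(h1, s1, h2, s2):
    """Same k in two signatures gives s1 - s2 = x*(h1 - h2) mod (p-1), so x leaks.
    Returns None when h1 - h2 is not invertible mod p-1 (p-1 is even)."""
    d = (h1 - h2) % (P - 1)
    try:
        return (s1 - s2) * pow(d, -1, P - 1) % (P - 1)
    except ValueError:
        return None


if __name__ == "__main__":
    ins = [(56531970, 1200, 98982789), (67497465, 2300, 62556582)]    # Tx1, Tx2 outputs (notes)
    outs = [(2100, ALICE_A, BOB_ADDR), (1400, ALICE_A, ALICE_A)]      # to Bob, change to Alice
    tx = build_tx(ins, outs, "2020.05.07.17:29:59", ALICE_A, ALICE_X, k=45931090)
    print(tx["HSigA"], tx["SigA"], tx["HTxA"], verify_tx(tx))
```

With the notes' h and k, sign_with_h returns (29106852, 86104815), i.e. sAh=1BC22A4 and tAh=521DAEF. A transaction whose outputs are rewritten after signing fails verify_tx even when the amounts still balance, because HSigA no longer matches the signed value; that binding of inputs, outputs and timestamp to the signature is what makes the chained HTxA usable as a transaction identifier.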