From f25e6f1270b11fa9b31817b40dc4fd2604de23fa Mon Sep 17 00:00:00 2001 From: Andrew Burger Date: Mon, 11 Dec 2023 18:43:25 +0100 Subject: [PATCH 1/5] updating slides --- content/cryptography/addresses/slides.md | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/content/cryptography/addresses/slides.md b/content/cryptography/addresses/slides.md index 87e56c1..633742a 100644 --- a/content/cryptography/addresses/slides.md +++ b/content/cryptography/addresses/slides.md @@ -57,6 +57,8 @@ Notes: It turns out that converting from hex/base64 to base58 can in theory take n^2 time! +The number of bits of a character is log2(Base) so for base58 it is log2(58) ~ 5.8 + --- # Mnemonics and Seed Creation @@ -114,11 +116,9 @@ _The first 5 words of the [BIP39 English dictionary](https://github.com/bitcoin/ ## Mnemonic to Secret Key -Of course, the secret key is a point on an elliptic curve, not a phrase. - -BIP39 applies 2,048 rounds of the SHA-512 hash function
to the mnemonic to derive a 64 byte key. +The secret key is a scalar value from the scalar field of the base field which the elliptic curve is defined over. Not a phrase. -Substrate uses the entropy byte array from the mnemonic. +BIP39 applies 2,048 rounds of the SHA-512 hash function
to the mnemonic to derive a 64 byte key. --- @@ -126,6 +126,9 @@ Substrate uses the entropy byte array from the mnemonic. Different key derivation functions affect the ability to use the same mnemonic in multiple wallets as different wallets may use different functions to derive the secret from the mnemonic. +Notes: +i.e. May hash to a different base field because of a different elliptic curve + --- ## Cryptography Types @@ -140,7 +143,14 @@ We will go more in depth in future lectures! Notes: +These are digital signature schemes. ECDSA can use any elliptic curve but +in the case of bitcoin it use secp256r1 + +Sr25519 and Ed25519 uses the same which is Curve25519 + You may have learned RSA in school. It is outdated now, and requires _huge_ keys. +RSA-4096: A 4096-bit RSA key 512 bytes +sr25519 is 32 bytes --- @@ -150,6 +160,9 @@ An address is a representation of a public key, potentially with additional cont Notes: +A public key is a point on a defined elliptic curve more specifically +the secret scalar value multiplied times a fixed base point on some curve G + Having an address for a symmetric cryptography doesn't actually make any sense, because there is no public information about a symmetric key. From 7e6b3ce70f4a9a042ff2e80b84821252b9ca3c9a Mon Sep 17 00:00:00 2001 From: Andrew Burger Date: Tue, 12 Dec 2023 12:52:10 +0100 Subject: [PATCH 2/5] cleaning up hashing slides --- content/cryptography/hashes/slides.md | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/content/cryptography/hashes/slides.md b/content/cryptography/hashes/slides.md index a5b3a22..4d90b7d 100644 --- a/content/cryptography/hashes/slides.md +++ b/content/cryptography/hashes/slides.md @@ -20,12 +20,15 @@ We often want a succinct representation of some data
with the expectation t -1. Accept unbounded size input -1. Map to a bounded output -1. Be fast to compute -1. Be computable strictly one-way
(difficult to find a pre-image for a hash) -1. Resist pre-image attacks
(attacker controls one input) -1. Resist collisions
(attacker controls both inputs) +
+

Accept unbounded size input

+

Map to a bounded output

+

Be fast to compute

+

Be computable strictly one-way
(difficult to find a pre-image for a hash)

+

Resist pre-image attacks
(attacker controls one input)

+

Second pre-image resistance: Given an input and output
(resisting second pre-image attacks).

+

Resist collisions
(attacker controls both inputs)

+
@@ -266,9 +269,11 @@ e.g., a 256 bit hash output yields 2^128 security It should be difficult for someone to partially (for a substring of the hash output) find a collision or "second" pre-image. -- Bitcoin PoW is a partial pre-image attack. -- Prefix/suffix pre-image attack resistance reduces opportunity for UI attacks for address spoofing. -- Prefix collision resistance important to rationalize costs for some cryptographic data structures. +
+

Bitcoin PoW is a partial pre-image attack.

+

Prefix/suffix pre-image attack resistance reduces opportunity for UI attacks for address spoofing.

+

Prefix collision resistance important to rationalize costs for some cryptographic data structures.

+
--- From 1bc5182594eb502b0847e9af17625b837330b0ae Mon Sep 17 00:00:00 2001 From: Andrew Burger Date: Thu, 14 Dec 2023 14:28:04 +0100 Subject: [PATCH 3/5] basic signatures slide updates --- content/cryptography/addresses/slides.md | 2 +- .../cryptography/basic-signatures/slides.md | 55 +++++++++++-------- 2 files changed, 34 insertions(+), 23 deletions(-) diff --git a/content/cryptography/addresses/slides.md b/content/cryptography/addresses/slides.md index 633742a..baa4def 100644 --- a/content/cryptography/addresses/slides.md +++ b/content/cryptography/addresses/slides.md @@ -144,7 +144,7 @@ We will go more in depth in future lectures! Notes: These are digital signature schemes. ECDSA can use any elliptic curve but -in the case of bitcoin it use secp256r1 +in the case of bitcoin it use secp256k1 Sr25519 and Ed25519 uses the same which is Curve25519 diff --git a/content/cryptography/basic-signatures/slides.md b/content/cryptography/basic-signatures/slides.md index 429aa95..e07cae6 100644 --- a/content/cryptography/basic-signatures/slides.md +++ b/content/cryptography/basic-signatures/slides.md @@ -12,10 +12,12 @@ duration: 1 hour Signature libraries should generally all expose some basic functions: -- `fn generate_key(r) -> sk;`
Generate a `sk` (secret key) from some input `r`. -- `fn public_key(sk) -> pk;`
Return the `pk` (public key) from a `sk`. -- `fn sign(sk, msg) -> signature;`
Takes `sk` and a message; returns a digital signature. -- `fn verify(pk, msg, signature) -> bool;`
For the inputs `pk`, a message, and a signature; returns whether the signature is valid. +
    +
  • fn generate_key(r) -> sk;
    Generate a sk (secret key) from some input r.
  • +
  • fn public_key(sk) -> pk;
    Return the pk (public key) from a sk.
  • +
  • fn sign(sk, msg) -> signature;
    Takes sk and a message; returns a digital signature.
  • +
  • fn verify(pk, msg, signature) -> bool;
    For the inputs pk, a message, and a signature; returns whether the signature is valid.
  • +
Notes: @@ -72,10 +74,12 @@ This means the verifier will need to run the correct hash function on the messag Signatures provide many useful properties: -- Confidentiality: Weak, the same as a hash -- Authenticity: Yes -- Integrity: Yes -- Non-repudiation: Yes +
    +
  • Confidentiality: Weak, the same as a hash
  • +
  • Authenticity: Yes
  • +
  • Integrity: Yes
  • +
  • Non-repudiation: Yes
  • +
Notes: @@ -85,10 +89,11 @@ If a hash is signed, you can prove a signature is valid _without_ telling anyone ## Signing Payloads -Signing payloads are an important part of system design.
-Users should have credible expectations about how their messages are used. - -For example, when a user authorizes a transfer,
they almost always mean just one time. +
    +
  • Signing payloads are an important part of system design.
  • +
  • Users should have credible expectations about how their messages are used.
  • +
  • For example, when a user authorizes a transfer, they almost always mean just one time.
  • +
Notes: @@ -135,9 +140,11 @@ Examples: -- Monotonically increasing account nonces -- Timestamps (or previous blocks) -- Context identifiers like genesis hash and spec versions +
    +
  • Monotonically increasing account nonces
  • +
  • Timestamps (or previous blocks)
  • +
  • Context identifiers like genesis hash and spec versions
  • +
--- @@ -147,18 +154,22 @@ Examples: ## ECDSA -- Uses Secp256k1 elliptic curve. -- ECDSA (used initially in Bitcoin/Ethereum) was developed to work around the patent on Schnorr signatures. -- ECDSA complicates more advanced cryptographic techniques, like threshold signatures. -- Nondeterministic +
    +
  • Commonly uses Secp256k1 elliptic curve.
  • +
  • ECDSA (used initially in Bitcoin/Ethereum) was developed to work around the patent on Schnorr signatures.
  • +
  • ECDSA complicates more advanced cryptographic techniques, like threshold signatures.
  • +
  • Non-Deterministic
  • +
--- ## Ed25519 -- Schnorr signature designed to reduce mistakes in implementation and usage in classical applications, like TLS certificates. -- Signing is 20-30x faster than ECDSA signatures. -- Deterministic +
    +
  • Schnorr signature designed to reduce mistakes in implementation and usage in classical applications, like TLS certificates.
  • +
  • Signing is 20-30x faster than ECDSA signatures.
  • +
  • Deterministic
  • +
--- From bd56ae95e1c67a0b946a079b6fd9fbc04a42ff9d Mon Sep 17 00:00:00 2001 From: Andrew Burger Date: Thu, 14 Dec 2023 15:48:19 +0100 Subject: [PATCH 4/5] cleanup hash based ds --- .../hash-based-data-structures/slides.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/content/cryptography/hash-based-data-structures/slides.md b/content/cryptography/hash-based-data-structures/slides.md index e7611af..4b96410 100644 --- a/content/cryptography/hash-based-data-structures/slides.md +++ b/content/cryptography/hash-based-data-structures/slides.md @@ -34,18 +34,15 @@ Each block has the hash of the previous one. A binary Merkle tree is a binary tree using hashes to connect nodes. -Notes: - -Ralph Merkle is a Berkeley alum! - --- ## Proofs -- The root or head hash is a commitment to the entire data structure. -- Generate a proof by expanding some but not all hashes. - -_Crucial for the trustless nature of decentralised cryptographic data systems!_ +
    +
  • The root or head hash is a commitment to the entire data structure.
  • +
  • Generate a proof by expanding some but not all hashes.
  • +
  • Crucial for the trustless nature of decentralised cryptographic data systems!
  • +
--- From 6254e8e76c6245f8c920c1883cf57268da7d71d8 Mon Sep 17 00:00:00 2001 From: Andrew Date: Tue, 19 Dec 2023 21:58:42 +0100 Subject: [PATCH 5/5] Update content/cryptography/addresses/slides.md Co-authored-by: Nate Armstrong --- content/cryptography/addresses/slides.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cryptography/addresses/slides.md b/content/cryptography/addresses/slides.md index baa4def..44ba6c0 100644 --- a/content/cryptography/addresses/slides.md +++ b/content/cryptography/addresses/slides.md @@ -149,7 +149,7 @@ in the case of bitcoin it use secp256k1 Sr25519 and Ed25519 uses the same which is Curve25519 You may have learned RSA in school. It is outdated now, and requires _huge_ keys. -RSA-4096: A 4096-bit RSA key 512 bytes +RSA-4096: A 4096-bit RSA key is 512 bytes sr25519 is 32 bytes ---
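Review bot: In PATCH 1/5, hunk @@ -57,6 +57,8 @@ of addresses/slides.md, log2(58) is about 5.86, so "~ 5.8" undershoots; write "≈ 5.86" (or round to 5.9, not 5.8). Stating that this is bits of payload per character also makes the point the slide is building towards: base64 carries 6 bits per character, so a base58 string is always a little longer than the base64 encoding of the same bytes.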
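Review bot: In PATCH 1/5, hunk @@ -114,11 +116,9 @@ of addresses/slides.md, the new sentence "a scalar value from the scalar field of the base field which the elliptic curve is defined over" conflates two different fields: the base field F_p is where point coordinates live, while the secret key is a scalar modulo n, the order of the base point G, and in general n != p (true for secp256k1). Suggest "The secret key is a scalar modulo the order of the curve's base point, not a point on the curve and not a phrase." Two further points in the same hunk: "BIP39 applies 2,048 rounds of the SHA-512 hash function" describes PBKDF2 with HMAC-SHA512 (2048 iterations, salt "mnemonic" plus the optional passphrase, 64-byte output); naming PBKDF2 keeps a reader from implementing 2048 plain SHA-512 iterations. And deleting "Substrate uses the entropy byte array from the mnemonic." removes the one concrete example that the next slide ("Different key derivation functions affect the ability to use the same mnemonic in multiple wallets") relies on; keep it, e.g. "Substrate runs the same PBKDF2 over the mnemonic's entropy bytes rather than over the words, so the resulting seed differs from a BIP39 wallet's."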
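Review bot: In PATCH 1/5, hunk @@ -126,6 +126,9 @@ of addresses/slides.md, the added speaker note "May hash to a different base field because of a different elliptic curve" does not explain the slide it annotates. Cross-wallet incompatibility comes from different key derivation functions applied to the same mnemonic (words vs raw entropy as the PBKDF2 password, different salts, different derivation paths), which give different seeds even when both wallets target the same curve; the curve is chosen in a later step, and a seed is a byte string, not a field element. Suggest "e.g. one wallet feeds PBKDF2 the mnemonic words, another the raw entropy bytes, so the same words give different seeds" and drop "base field".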
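Review bot: In PATCH 1/5, hunk @@ -140,7 +143,14 @@ of addresses/slides.md, "in the case of bitcoin it use secp256r1" is wrong: Bitcoin uses secp256k1 (this is corrected in PATCH 3/5), and "it use" should be "it uses". "Sr25519 and Ed25519 uses the same which is Curve25519" should read "use the same underlying curve, Curve25519"; if the audience needs precision, Ed25519 works on the twisted-Edwards form of that curve and sr25519 on the Ristretto255 prime-order group built over it. "RSA-4096: A 4096-bit RSA key 512 bytes" is missing "is" (fixed in PATCH 5/5) and should say which size is being compared; "public key" for both makes the 512 bytes vs 32 bytes comparison like for like.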
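Review bot: In PATCH 1/5, hunk @@ -150,6 +160,9 @@ of addresses/slides.md, "the secret scalar value multiplied times a fixed base point on some curve G" reads as if G names the curve; G is the base point. Suggest "the secret scalar s multiplied by the curve's fixed base point G, i.e. pk = s*G", which also ties back to the earlier slide that defines the secret key as a scalar.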
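Review bot: In PATCH 2/5, hunk @@ -20,12 +20,15 @@ of hashes/slides.md, the new item "Second pre-image resistance: Given an input and output (resisting second pre-image attacks)." is an unfinished sentence, and with it the list now states pre-image resistance three times with inconsistent glosses: "Be computable strictly one-way (difficult to find a pre-image for a hash)", "Resist pre-image attacks (attacker controls one input)", and the new item. "(attacker controls one input)" actually describes second pre-image resistance, not pre-image resistance. Suggest the three standard properties with their usual one-line definitions: pre-image (given h, hard to find any x with H(x) = h), second pre-image (given x, hard to find x' != x with H(x') = H(x)), collision (hard to find any pair x != x' with H(x) = H(x')), keeping "one-way" as the gloss on pre-image rather than a separate bullet. Also, the markdown "1." list is replaced by markup that splits each item over several lines; if that is for per-bullet reveal fragments, say so in the commit message, otherwise the markdown list is easier to maintain, and the same applies to hunk @@ -266,9 +269,11 @@.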
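Review bot: In PATCH 3/5, hunk @@ -12,10 +12,12 @@ of basic-signatures/slides.md, the diff shows the signatures losing their backtick code formatting ("fn generate_key(r) -> sk;" versus the removed "`fn generate_key(r) -> sk;`"); check that `sk`, `pk` and the `fn` lines still render in code font after the markup change. While touching the line, "Generate a sk (secret key) from some input r." would benefit from saying what r is: uniformly random entropy of at least the key length, since a predictable r is the most common way these APIs are misused.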
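Review bot: In PATCH 3/5, hunk @@ -147,18 +154,22 @@ of basic-signatures/slides.md, "Commonly uses Secp256k1" is a good correction, but "Non-Deterministic" (capital D) should be "Non-deterministic", and the bullet needs the qualifier a practitioner will want: ECDSA requires a fresh, unpredictable nonce per signature, reusing or biasing that nonce leaks the private key, and RFC 6979 derives the nonce deterministically from the key and message, so ECDSA can be made deterministic. As written, "Non-Deterministic" for ECDSA against "Deterministic" for Ed25519 on the next slide reads as an inherent property of the scheme rather than the default of common implementations.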
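Review bot: In PATCH 4/5, hunk @@ -34,18 +34,15 @@ of hash-based-data-structures/slides.md, the emphasised takeaway "_Crucial for the trustless nature of decentralised cryptographic data systems!_" is folded into the list as a third bullet, but it is a conclusion drawn from the two preceding bullets, not a third property of proofs, and the emphasis is dropped in the process; keep it as a separate emphasised line after the list. Dropping the "Ralph Merkle is a Berkeley alum!" speaker note is fine, but the commit message "cleanup hash based ds" does not mention it; note the removal so it is not re-added.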
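Review bot: PATCH 5/5 is a one-word grammar fix ("RSA-4096: A 4096-bit RSA key is 512 bytes") to a line introduced in PATCH 1/5, and the addresses/slides.md hunk in PATCH 3/5 (secp256r1 -> secp256k1) likewise fixes a line from PATCH 1/5. Squash both fixups into PATCH 1/5 before merge so no revision in the series states the wrong curve or the broken sentence, and keep the Co-authored-by trailer on the squashed commit.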