Thesis access permission: user-defined release period. Available on campus and off campus.

| Field | Value |
|---|---|
| Title | Secure Hierarchical Bitcoin Wallet Scheme Against Privilege Escalation Attacks (可防止提權攻擊之階層式安全比特幣錢包機制) |
| Department | |
| Year, semester | |
| Language | |
| Degree | |
| Number of pages | 49 |
| Author | |
| Advisor | |
| Convenor | |
| Advisory Committee | |
| Date of Exam | 2018-07-13 |
| Date of Submission | 2018-08-21 |
| Keywords | Privilege escalation attacks, Schnorr signature, Bitcoin, HD wallets, Trapdoor hash function, BIP032 |
| Statistics | The thesis has been browsed 5646 times and downloaded 0 times. |
Abstract

With the rising popularity of Bitcoin, people tend to use Bitcoin wallets to manage the keys used for spending or receiving funds. Instead of randomly generating key pairs, which are hard to store, hierarchical deterministic (HD) wallets derive all keys from a single seed, so storing that seed is sufficient to recover the keys. An HD wallet allows users to generate child public keys from parent public keys without knowledge of any private key; a suitable use of this feature is permitting an auditor to derive all the public keys for auditing. However, this impressive feature leaves HD wallets vulnerable to so-called privilege escalation attacks: the leakage of any one child private key together with its parent public key exposes the other child private keys. To address this severe problem, we propose a novel HD wallet scheme that issues signatures with trapdoor hash functions instead of handing anyone a private key for signing. Since it conceals private keys from all child nodes, it prevents privilege escalation attacks. The proposed scheme also provides unlinkability between two public keys, achieving anonymity of user identity, and high scalability in key derivation. Thus, the proposed scheme achieves user anonymity, public key derivation and high scalability.
Table of Contents

- Thesis approval form
- Acknowledgments
- Abstract (Chinese)
- Abstract
- List of Figures
- List of Tables
- Chapter 1 Introduction
- Chapter 2 Preliminaries
  - 2.1 Unforgeable Game
    - 2.1.1 Collision-Resistant-Trapdoor-Hash-Function-Game
  - 2.2 Schnorr signature
  - 2.3 Trapdoor hash function
  - 2.4 Hash-based message authentication code (HMAC)
  - 2.5 Hierarchical deterministic key derivation
  - 2.6 Privilege Escalation Attack
  - 2.7 Use cases for HD wallets
- Chapter 3 Related Works
  - 3.1 Wuille et al.'s HD wallet scheme
  - 3.2 Gutoski et al.'s HD wallet scheme
  - 3.3 Goldfeder et al.'s HD wallet scheme
  - 3.4 Courtois et al.'s HD wallet scheme
- Chapter 4 Our Scheme
  - 4.1 The Proposed Algorithm
    - 4.1.1 Initialization(1^λ) → (param)
    - 4.1.2 Setup(param) → (msk, mpk, THK_0, n, e_0)
    - 4.1.3 HMAC(k, m) → (h_L ∥ h_R)
    - 4.1.4 Set-Child-Private-Key(ssk_par, i) → ssk_i
    - 4.1.5 Set-Child-Public-Key(spk_par, index) → spk_i
    - 4.1.6 Root-KGC-SigGen-For-Child(m, THK_0, x, n, e_0, i) → (σ_i, THK_i)
    - 4.1.7 Lower-level-KGC-SigGen-For-Child(m_j, THK_0, n_t, j) → (σ_j, THK_j)
    - 4.1.8 UserSigGen(m, σ̃_i, κ_i, THK_i) → σ̃
    - 4.1.9 Verifying(pk, σ) = 1/0
    - 4.1.10 Correctness
  - 4.2 The Proposed HD Wallet System
- Chapter 5 Threat Models, Security Proofs and Analysis
  - 5.1 Security Against F1 Adversary
    - 5.1.1 Threat Model
    - 5.1.2 Security Proof
  - 5.2 Security Analysis
    - 5.2.1 The unforgeability of another lower-level KGC's signature
    - 5.2.2 The unforgeability of a trustless auditor
    - 5.2.3 The unlinkability of public keys for external users
- Chapter 6 Comparisons
- Chapter 7 Conclusion
- Bibliography
References

[1] Louise Axon. Privacy-awareness in blockchain-based PKI. 2015.
[2] Jaume Barcelo. User privacy in the public Bitcoin blockchain. 2014.
[3] Mihir Bellare, Ran Canetti, and Hugo Krawczyk. Keying hash functions for message authentication. In Annual International Cryptology Conference, pages 1–15. Springer, 1996.
[4] Nicolas T. Courtois, Pinar Emirdag, and Filippo Valsorda. Private key recovery combination attacks: On extreme fragility of popular Bitcoin key management, wallet and cold storage solutions in presence of poor RNG events. Cryptology ePrint Archive, Report 2014/848, 2014. https://eprint.iacr.org/2014/848.
[5] Nicolas T. Courtois and Rebekah Mercer. Stealth address and key management techniques in blockchain systems. 2017.
[6] Gaby G. Dagher, Benedikt Bünz, Joseph Bonneau, Jeremy Clark, and Dan Boneh. Provisions: Privacy-preserving proofs of solvency for Bitcoin exchanges. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 720–731, 2015.
[7] Shayan Eskandari, Jeremy Clark, David Barrera, and Elizabeth Stobert. A first look at the usability of Bitcoin key management. arXiv preprint arXiv:1802.04351, 2018.
[8] Steven Goldfeder, Rosario Gennaro, Harry Kalodner, Joseph Bonneau, Joshua A. Kroll, Edward W. Felten, and Arvind Narayanan. Securing Bitcoin wallets via a new DSA/ECDSA threshold signature scheme. 2015.
[9] Gus Gutoski and Douglas Stebila. Hierarchical deterministic Bitcoin wallets that tolerate key leakage. In International Conference on Financial Cryptography and Data Security, pages 497–504. Springer, 2015.
[10] Stephen Kent. Evaluating certification authority security. In IEEE Aerospace Conference, 1998, pages 319–327, 1998.
[11] Lyudmil Latinov. MD5, SHA-1, SHA-256 and SHA-512 speed performance. [Online] Available: https://automationrhapsody.com/md5-sha-1-sha-256-sha-512-speed-performance/, March 2018.
[12] Albert Levi and M. Ufuk Caglayan. The problem of trusted third party in authentication and digital signature protocols. In Proc. of the 12th Int'l Symp. on Computer and Information Sciences, 1997.
[13] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. 2008.
[14] David Pointcheval and Jacques Stern. Security proofs for signature schemes. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 387–398. Springer, 1996.
[15] Abdalhossein Rezai and Parviz Keshavarzi. High-throughput modular multiplication and exponentiation algorithms using multibit-scan–multibit-shift technique. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, pages 1710–1719, 2015.
[16] Rainer Schmidt, Michael Möhring, Daniel Glück, Ralf Haerting, Barbara Keller, and Christopher Reichstein. Benefits from using Bitcoin: Empirical evidence from a European country. International Journal of Service Science, Management, Engineering, and Technology (IJSSMET), 7(4):48–62, 2016.
[17] Claus-Peter Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991.
[18] Berry Schoenmakers. Security aspects of the ecash payment system. Lecture Notes in Computer Science, pages 338–352, 1998.
[19] Adi Shamir and Yael Tauman. Improved online/offline signature schemes. In Annual International Cryptology Conference, pages 355–367. Springer, 2001.
[20] Yeda Regina Venturini and UFSCar Sorocaba. Performance analysis of parallel modular multiplication algorithms for ECC in mobile devices. Revista de Sistemas de Informação da FSMA, pages 57–67, 2014.
[21] Pieter Wuille. Hierarchical deterministic wallets. [Online] Available: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki, 2012.
Fulltext

The electronic fulltext is licensed to users only for personal, non-commercial retrieval, reading and printing for the purpose of academic research. Please comply with the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it.
Printed copies

Public information on printed copies is relatively complete from academic year 102 onward. To enquire about printed copies from academic year 101 or earlier, please contact the library's printed thesis service desk. We apologize for any inconvenience. Availability: available.