字幕表 動画を再生する 英語字幕をプリント [MUSIC PLAYING] SPEAKER 1: Cryptography. What is it, and why is it important? We're going to answer those two questions in exactly that order. Let's start with what cryptography is. It's the art and science of obscuring, and ideally protecting, information. Now it's an art and a science because there's math involved with it. It's pretty straightforward to manipulate characters in some way by adding some constant number to them or to change them in some systematic manner. But it's an art, because doing so in a way to defend against potential attacks is not as easy as it might first appear. There's a lot of guesswork and calculation that needs to go into play to find a really strong cipher. Cryptography gives us the opportunity to have a basic level of security against an adversary who might do bad things with the information. We usually contrast, in cipher information, with information that is presented in the clear, which is to say there's no protection surrounding it at all. And it's generally considered better to protect information using cryptography than to have information just freely available out there. Now a cipher, we're going to start by talking about cryptography sort of through history. We'll lead up to more modern forms of cryptography, which are derived from more ancient forms of cryptography. But a cipher is one of the most fundamental forms of cryptography. And ciphers are algorithms. And recall that an algorithm is just a step-by-step set of instructions that we use to complete a task. And in case, the task is to obscure or encipher information. And ciphers can also be used in reverse to unobscure, or decipher, that same information that was previously encoded or enciphered. Now there are many different ciphers out there that have varying levels of security potential. Some of the more ancient ciphers that we're going to start with should be [INAUDIBLE] be considered to have no security potential at all considering how easy they are to crack. But again, this leads into the more modern approach to cryptography, which is much more secure than some of these basic ones. And now let's start by imagining that we have possession of this device. Now if you're looking at this device and it seems somewhat familiar to you, it may be because you've recently seen the movie A Christmas Story, where Ralphie, the character there, obtains one of these, which is a little orphan Annie's secret society decoder pin. And this decoder pin has a set of numbers going sequentially one through 26 around the inner edge, and a set of letters, which is not presented in any particular order, around the outer edge. And what would happen is the radio announcer would provide, set your pins to some combination. So line up one number with one letter. And then it would read off some secret message that, ostensibly, only individuals who possessed this pin, or many of the duplicate versions of this pin that were distributed to children around the country, could then decipher by taking the numbers that were given over the radio and transforming them back into letters so that it makes sense. So if you can, if you zoom in on this image, it might be a little difficult to see, but you can see that the 3 corresponds to the letter L, and the 4 corresponds to an M based on this particular setting of this decoder pin. So this is one potential, what we would call a substitution cipher, where we're changing, we're substituting a letter in this case for a number, and that number will henceforth represent that letter for the rest of this message. But what is the problem with this cipher? Or more generally, when we think about issues in computer science where we have adversaries who are trying to penetrate some system, or break a code, or break in, or hack into anything, hack your password, we sometimes frame this in terms of asking the question, what is the attack vector? Where is the vulnerability that is potentially part of this particular cipher? And in this case, it's that anybody who has access to this pin is able to break any cipher that is made with this pin. And again, this pin was distributed pretty extensively in 1930s and 40s to children who listened to this very popular radio program. So these pins were in the hands of many people. And anybody who had access to the pin would be able to understand the message. And so that is, how we might frame this attack vector, is the key, in this case, the pin, which we will call a key for this purpose, is just very prevalent. It's pretty well known how to use this key and manipulate this key. A lot of people have access to that key. But that's just one example of a substitution cipher. We have many different examples of substitution ciphers that we could use. Let's just take another very simple, straightforward one, which is imagine we have all of the letters of the alphabet and we're just going to assign the ordinal position of that letter as its cipher value. So with the secret society pin, there was this sort of random element to it, right? The letters were being skipped. There wasn't a rhyme or reason to them, although the numbers were sequential. Here let's just line up both. Let's use sequential letters and map them to their sequential numbers. So A becomes 1, B becomes 2, and so on. Both of these things are increasing linearly. Now you may recall that as computer scientists, we ordinarily start counting from zero rather than counting from one. I'm counting from one here because this mapping of A to 1 and Z to 26 is much more familiar to us intuitively as humans, and I want to keep us grounded in this discussion of cryptography right now. But ordinarily, you might actually instead see this as 0 to 25, 0 being A, through Z being 25 as opposed to 1 through 26. But this cipher would work exactly the same and has roughly the same security potential as Annie's secret society cipher does. And we can actually make this a little bit better because we are consistently increasing the letters, A through Z, and consistently increasing the numbers, 1 through 26. We could also, instead of just doing this direct mapping, we could rotate around. We could start the 1 somewhere else as opposed to being A. And now instead of having just one cipher where A maps to 1, B maps to 2, we have a variety of different ciphers, depending on where we decide we want to have our starting point. So for example, we might instead add two to every number. So instead of going from 1 to 26, we go from 3 to 28. Now think about it. If you're trying to break this cipher and you see patterns like this with all these numbers in them, what might jump out at you? Well, if you're used to seeing ciphers that are 1 through 26, for example, something where you don't see any 1s or 2s and suddenly you're seeing 27s and 28s potentially in the message that might be long enough to have, in this case, Ys or Zs in it might seem to you that this is slightly off. Like this cipher must be shifted in some way. Instead of being this straightforward line, there's some modification that's been made to it. That's kind of a tip off if you're trying to defend against somebody figuring that out. And so instead of going 27, 28 at the end, we might instead wrap around the alphabet. Once we have exhausted the 26 possible values that we started with, the 26 letters of the alphabet, we might instead, once we have X is 26, say, well, instead of Y being 27, Y is 1 and Z is 2. And this is not a massive improvement on the security of this cipher. Like I said, it's still quite fragile and quite easy to break. But it doesn't give quite as much of a clue to a potential adversary as to how to crack it, how to decipher the message. And this can be done for any different value to obtain any number of different ciphers. Instead of going forward by two positions, we could add 20 to every letter's value, again, wrapping around the alphabet when we exhaust, when we get to 26, instead of having 27, 28, we would just reset at 1 and continue on. But we can also add 26 to it. But that doesn't look very different than what we had before. And that's where this cipher's vulnerability comes into play. There's only 26 possible ways to rotate the alphabet while keeping the order of the letters preserved, right? Unless we start skipping A, D, G, and then, you know, rearranging the other letters in some other way. If we want to keep everything straightforward in a line, again, wrapping around 26 when necessary, there's only 26 ways to do it. That is to say that shifting the alphabet forward by 26 is exactly the same as shifting the alphabet forward by 0. And so that's our limitation. We have a very small number of, again, this word keys that can be used to decipher using this cipher. Now this is an example of something called a rotational cipher, and it's actually a rather famous rotational cipher known as the Caesar Cipher. It's attributed to Julius Caesar and was apparently used more than two millennia ago for him to encode messages to his troops on the line. And at the time, this was revolutionary. And generally what you're going to find with cryptography is there's just this pattern of breaking the mold and doing something new and trying to stay one step ahead. And oftentimes, other people will then catch up. And this cipher, which was once, you know, lauded as being a wonderful cipher, is no longer as strong as it once was thought to be. And so we keep having to advance and improve and get ahead of it for whatever kind of adversary that is, whether that's a potential enemy on the battle line, as might have been the case with Julius Caesar, or whether that's a hacker who's trying to break into your system as might be the case today. And fortunately, again, we're not using Caesar Cipher today to uncipher any of our information. We're using much more modern techniques. But these modern techniques evolved from seeing codes being created, ciphers being created and broken, and then having to be created anew to try and defend against new vulnerabilities that have been exposed. So like I said previously, very easy to decipher or to crack the Caesar Cipher, but at the time, very, very difficult. The limitation, again, limited number of keys. There's only 26 ways to rotate the alphabet for it to make sense. In the English alphabet, of course. If you're using a different alphabet, you're number of keys might be different if you're using the same rotational approach. But the fundamental limitation is you are confined by how many letters are in your alphabet that you're using to encipher information. So let's take things one step further. What is an improvement that we might be able to make to Caesar? That would lead us to this idea potentially of the Vigenere Cipher. So Caesar had this limitation of there's one key and there's only 26 possible values for that key. What Vigenere Cipher does is it, instead of using a single key, uses multiple keys. Instead of picking a number to shift by, we're instead going to define a keyword. And we're going to use the letters of that keyword in sequence as we go to change what our key is at any given time, such that our enciphered message, instead of being enciphered using one key, might use three keys or five keys or 10 keys, depending on the length of the keyword that we use, if that keyword is three or five or 10 letters long. So this keyword becomes the interesting twist that made Caesar much more challenging for an adversary to crack by using different keys. Now let's walk through an example of how the Vigenere Cipher works because I think it makes more sense to see this visually rather than just discussing it verbally. So what we want to do here is encrypt the message HELLO using the keyword LAW. So here our message HELLO is what also might be called plain text. It is in the clear. It is not enciphered. It is not hidden against any adversary. And our key is LAW. All right, so let's take a look at how we might do this. So it oftentimes helps, especially when trying to encipher or decipher using the Vigenere Cipher, to consider all of the inputs that go into determining the final outputted character. So we're going to take a look at plain text, and we're going to convert it, just like we did with Caesar, to its ordinal position. We're going to see where in the alphabet that is. Is it the first letter? Then it's 1. If it's the last letter, it's 26. And so on. We're going to do the exact same thing with each letter of our keyword. So we're going to take a look at the keyword, figure out what that letter's numerical correspondence would be. We're going to then add those two things together. If we go over 26, just as we did with the Caesar Cipher, we're going to wrap back around such that we're confining ourselves to that range of 1 through 26. And then we're going to take that number and transform it into a letter. So for example, if the result there is 2, we're going to change that into a B. And the reason for that is that B is the second letter of the alphabet. So let's walk through this with HELLO as our plain text and LAW as our key. So the first letter of our plain text is H, and the ordinal position of that H is 8. It is the eighth letter of the alphabet. We do the same thing with the first L for LAW, the first letter of LAW. L is 12, it's the 12th letter of the alphabet. So our next step is to add those two values, eight and 12 together. We get 20. We don't need to wrap around. We didn't go over 26, so we're still OK. And the 20th letter of the alphabet is T. So the first step of this is enciphering process with HELLO, using the Vigenere Cipher, using the key LAW, is to turn the H into a T. So we can do this again, we can take a look at the E, the second letter of our plain text. We use the second letter of our keyword now. So we're not using the same key. We're not using 12 over and over and over. We're using a different key. We're now using the A, the second letter of our keyword, whose ordinal position is 1. So 5 plus 1 is 6, and that results in F. Next, we use the first L of HELLO, and the W of LAW. So L is 12, W is the 23rd letter of the alphabet, we add those together, we're at 35. 35 is not a legal value in terms of this cipher. We are confined to 1 through 26. And so we just subtract 26 and we get down to 9, and now we have I. So now what do we do? We've exhausted our keyword, but we still have plain text that we need to encipher. Well, as you might expect, the logical thing to do is just go back to the beginning of the keyword and continue on. And so we will. So we'll use the L, the second L of our plain text, and the first L-- because we've now exhausted all of those letters, we have to go back to the beginning-- the L for LAW. 12 plus 12 is 24. 24, the 24th letter of the alphabet is X. And we do that finally as well for the O, advancing it one position, because of the A in LAW, to 16, and that is P. So ultimately, HELLO in this case becomes this random set of characters, TFIXP. And some advantages might also immediately jump out at you. With the Caesar Cipher, anytime we changed a letter, it always was that same letter every time we saw it in the enciphered message. So if we had a B and we were advancing everything by two characters, every B in the original message would always be a D because D comes two letters after B. So again, if our Caesar Cipher key is two, every time we see a B, it becomes a D, every time we have an A, it becomes a C, always. Here with the Vigenere Cipher, because we have different keys and we're rotating these keys differently, depending on which letter of the keyword we are and which letter of the plain text we are, those two Ls are not the same, right? Instead of H-E-L-L-O, we don't have some mapping. Those two Ls are I and X. They are not the same character. And so already we're seeing a bit more security here because there's not this potential to guess. Caesar is also much more secure when you consider how many keys are available to you. With the Caesar Cipher we had 26 keys available to us. With the Vigenere Cipher we have 26 to the n keys, where n is the length of our keyword. So for example, if we're using a two letter long keyword, for example, AA or AB or all the way up, that leaves us with 26 squared, or 676 possibilities. Now if we extend to three letter keywords or four letter keywords, we're getting even more and more possibilities. And as we start to increase the number of possibilities, we start to really increase the difficulty for some adversary to figure out what the key is. And that's really the goal of cryptography, right? We want to be able to protect information and we want to defend that information from being determined by other people. So the more work we put into making more challenging keys, the more likely we are to be successful in our attempt to encipher information. So again, Vigenere much more of a secure cipher. It's still not secure and it's definitely not a cipher that is used today. There are computer programs that are capable of figuring out how to decipher using the Vigenere Cipher pretty well. But it's more secure than Caesar for sure because of its changing alphabets and its much larger number of keys. Let's go back to this decoder pin and think about another potential problem that we have. Now assume that your adversary is actually not a member of Annie's secret society. They don't have this pin. So that's already a step up. We previously had assumed that anybody who had the pin could crack it, and that's still true. But let's assume your adversary, lucky you, doesn't have this pin. Is there still a way that they would be able to crack the code without the pin? Think about it for a second. Think about what our characteristics of the English language are that might suggest people figure out what this cipher is. Think about some unique features of the English language, which is one letter words, like I and A, which might appear in the message. If you see a single letter word in a message, you're probably going to guess that it's either the letter I, and every time I see that character or that number I'm going to assume it's an I, or you're going to assume it's an A and you're going to try and plug in an A everywhere. And some trial and error might reveal some patterns that emerge. And there is a very prevalent pattern in the English language, which is that letters appear with a pretty regular frequency. Given any arbitrary text in the English language, it's pretty likely that the distribution of letters within that text is going to follow this pattern roughly 13% of the time, give or take. Any arbitrary letter selected from a text is going to be the letter E. And only 1/10 of 1% of the time will it be a Z. And only 2/10 might it be a J. So there are some letters that appear very frequently and there are other letters that appear very infrequently. And that is still a problem in this generic substitution cipher, even with the letters being scrambled, which seems at first blush to perhaps be much more secure than one where the letters are increasing sequentially and the numbers are increasing sequentially. Even this scattershot mapping of letters to numbers, as long as we're still confined to these two domains where we have A through Z and 1 through 26 and there's always a mapping between them, whether they're ordered or not ordered, is still a problem, in the English language anyway, because of frequency analysis. These are actually very common puzzles. Humans might find it kind of tedious to try and solve these puzzles, but otherwise, this is well known as a cryptogram. You may, if you are the puzzling type, this type of puzzle is called a cryptogram. And this pattern is definitely something that is across all messages that appear in the English language. There are plenty of other ciphers that appear, that are used, that are more secure than any of these what we might call one-to-one ciphers, mapping a single character to a different character or to a number. There are some ciphers that substitute pairs or triples of characters at a time. And these ciphers, again, form the basis for what eventually becomes more modern cryptography, which we're getting to in just a moment. There are also transposition ciphers, where instead of substituting one character for another, we simply use an algorithm to rearrange all the letters in some systematic way. And the defect there is that all the letters of our original plain text message are still there and all we need to do is unscramble them. And because there's an algorithm that was used to scramble them in the first place, there's got to be a way to undo it as well. With a little bit of trial and error, we can probably sort that out. Finally, the most egregious issue with these classical ciphers is, how do you distribute the key? How do you tell someone who you want to share information with? How do you tell your ally what the key is for the cipher that you are going to use? You can't encrypt it because if you encrypt the key, how will they know what the real key is? If you say, if you send them a message and they don't know how to interpret it, or they see it and they interpret it as something else, that's not going to be helpful to you. You want them to see the key in the plain text. You want them to see the key in the clear, rather. You want them to just have it. You don't want to encrypt that as you hand it to them. That doesn't do them any good. But if you're giving the key to your ally and your adversary is within earshot, or they have access to that same piece of paper because your ally carelessly throws it away and they can just pick it up, now all of a sudden all of your messages using basic ciphers are fairly insecure. But let's take a step forward in modern cryptography. Perhaps you've seen a screen that looks like this at some point when you're trying to log in to some system. Enter your email and we'll email you a link to change your password. Well, why don't you just email me my password? Like you're going to give me a link to change it, you must know it if I use my credentials to log in to your service any given day. But OK, I guess, sure. The reason for this is actually a reason of security. So let's distinguish ciphers, which we've been talking about, from hashes. So one of the most critical distinctions is that ciphers are generally reversible. You can undo what you did. That's the whole reason why it's important to share with your allies the key. But hashes are generally not reversible. Or certainly, they're not supposed to be reversible. And so it turns out, and we'll learn about this a little bit later, when you log in to some service, if that service is doing a good job of protecting your data, the reason they can't just send you your password is because they actually don't know your password. And that might seem strange because clearly, there must be something-- if I type in my password then I get logged in. But a good service is one that does not store your password in the database. That's probably a good thing if you think about it. In case there was ever a data breach, you wouldn't want your password to be in their database. Instead what they do is they store a hash of your password in the database. And then when you provide your password to them, they run that hash through the same things, called a hash function, which is just a generic idea for a function that takes any arbitrarily large amount of data and maps it to some other range or some other set of values. Now that might be a arbitrarily long string of information. It might be some fixed string where if I run my password through this, I'm going to get back something that is always 20 characters long. But it looks nothing like my original password. I've just made some weird manipulations to it. And that's what happens in log-in systems more generally is you will log in to some service, you'll type in your password, when that information is then submitted to the organization to check your log-in credentials, they will run your password through that same hash function again. And if that value matches what they have in their database for you, that is how they know that you have provided the correct credentials. They're mapping-- they're matching some mapping of your password to the one that they have stored, but they're not actually checking your actual password. And that should probably give you some sense of security. And if you ever use a service where you end up having to click on that link and they actually send you your password, you probably don't want to use that service anymore because they're not taking strong enough precautions to protect your data. So as I said, once we have a password stored in the database, it is actually stored as a hash rather than as the password itself. The service should not be able to tell you what your password really is. So this idea of a hash function-- what is it? Well, as I said, it's something that takes any arbitrary data-- and eventually we'll get into hashing things like files and not just words or strings, but for now let's keep it to strings, strings being a sequence of characters or letters, like a word or a phrase or a sentence-- and mapping it to some other range. So we'll start out by just mapping a string, a set of letters, to a number. But it could be to a different string, a string that's always 10 characters long, and so on. So there are some properties that good hash functions have. Let's take a look at what some of these are. So they should use only the data being hashed. There shouldn't be anything else that comes into play. They shouldn't be bringing in any outside information. It should rely exclusively on whatever data is being passed in to the hash function. They should also use all of the data being hashed. It becomes a bit less effective if every time I provide a word or a string to my hash function, I'm only using the first letter of that string, such that my hash function for every word or every string I provide that starts with A is going to return the same value. That's not terribly useful to me. I want to get a better distribution of values. Your hash function should be deterministic. And when we say deterministic, we mean no random elements to it. Oftentimes we think that random numbers are nice to jumble things up. But the problem is we want our hash function to always output the same value for the same inputs. So if I give you my password and hash it and I get some output, every time I provide my password and run it through that same hash function, I want to get the same output every time. And that's what sites rely on when they're using hashed passwords as part of the credentialing check. They're relying on the fact that they will always get the same output given the same input. So that's a requirement of a hash function. Hash functions should uniformly distribute data. So oftentimes you're mapping these strings, let's say, to some set of values. Those could be numbers, again, those could be strings. You want to spread those out evenly, ideally, across all of the possible values that you have. You don't want everything to hash to 15 if your range is 0 to 100. You'd ideally like everything to be spread out such that there's an equal number of 0s, 1s, 99s, and so on, as we talked about a little bit when we discussed hash tables. Finally, we also want to be able to generate very different hash codes, very different values for very similar data. For example, LAW and LAWS should hash two very different values. That would be ideal if a tiny bit of variation created a really dramatic ripple effect. And creating this really dramatic ripple effect is pretty key when we're talking about cryptographic hash functions, which we'll get to in a second, which form the basis of almost all modern cryptography, which form the basis of everything that we do that we rely on when we think of security in the computational field, it's almost always relying on these hash functions being really, really good at making small changes have very dramatic ripple effects in the hash code or the hash value, the data that comes out of the hash function. So after all this talk about good hash functions, let's take a look at a pretty bad hash function. And we'll talk about why. We'll talk about one of its virtues, but some of its potential problems as well. So instead, let's add up all of the ordinal positions of all the letters in the hash string. So this ordinal position idea is exactly the same as we had a moment ago when we were talking about Caesar and Vigenere. So A is 1, B is 2, and so on. So for example, for a word like STAR, if we want to add up the ordinal positions of all of the letters in that word, we have S-T-A-R. That's 19 plus 20 plus 1 plus 18. So if you do that math quickly, that ends up being 58. So what is a good thing about this hash function? Well, it's not reversible. If I get a 58, I don't necessarily know that the input that I had there was STAR. It could have been any one of a whole variety of things. It could have been ARTS or RATS or SWAP or PAWS or WASP or MULL or this whole random set of 29 Bs in a row. All of these things, when run through this really terrible hash function that I've defined here, all add up to 58 when I follow the rules of this algorithm. So I never know what my input was given my output. That is a good thing. That is what a hash function should do. Hash functions, unlike ciphers, should not be reversible. But the problem that I have here is that I have a lot of collisions, right? There are a lot of different things that map to 58. And when we talked about collisions a little bit previously, we were talking about them in the context of a hash table. And collisions were OK in that context. We were just clustering things together. If they all happened to have the same hash value, we'll just put them in the same bucket. When we're talking about cryptography though, when we start to get into relying on cryptography to keep our data secure, we can't have collisions at all. In fact, pretty much we rely on the fact that it is so mathematically unlikely, neigh impossible to have a collision in order for these things to work. And so collisions, when we're talking about cryptographic hash functions, are definitely not a good thing. So to recap, to check that a user gave us the correct password, if we're storing a hash of the password in the database versus just storing the plain text password in the database, which hopefully no one is storing a plain text password in the database, we run the actual password, the real password through the hash function. We get a hash value as an output, some string or some number or what have you as the output. And if we get a match, odds are they entered the right password. Now I'm saying odds are because we can't be 100% sure. And we can never be 100% sure. We can be really, really, really sure, but there's always a chance of a collision. Even with the best designed hash functions, even with the best designed cryptographic hash functions, there's always a chance of a collision. But ideally, that chance is quite infinitesimal. Very, very, very, very, very, very unlikely. So odds are if we get this hash, comes out of this hash function, it's quite likely, like 99.9% plus likely that they entered the correct password, this is, in fact, the user whose credentials are being verified, and we should log them in. Modern cryptography is just hashing. It's just hashing that's quite a bit more clever, certainly than the example that I just talked about a moment ago. Also, these algorithms tend not to work on a character by character basis. It's the algorithm that I just did as well where I was adding up every single letter. I was looking at each one individually. They tend to take, these modern algorithms tend to take clusters of letters, pairs or triples or so on at a time, maybe do even more things. They might rearrange the letters before they do things to them. So there's multiple layers going on with these encryption algorithms. And unlike some of the ones I've discussed earlier, most of these also have the property where given data of arbitrary size-- and now we're starting to really expand our minds into not just words or strings, but also images, files, videos, documents, PDFs, and so on; anything can be run through a hash function to get a value-- but we're always going to get a string of bits, a bit string, that is always exactly the same size. So depending on the algorithm, maybe it's going to be a 160-bit long string, or a 256-bit long string. But our range is finite. It's always going to be exactly 256 bits. But the combination of those bits will be different, ideally, for every single piece of data we might throw at it, no matter what. OK, so let's expand our definition of a hash function to this idea of a cryptographic hash function. What properties should they have? They should be very difficult, very, very difficult, basically impossible to reverse. It should be computationally impossible for anybody to undo the encryption. That's pretty much the same as a regular hash function. We're just really hammering the point home when we say this here. They should still be deterministic. We don't want any random elements to it. We still want to a hash a value and always get the same output no matter what if we run that same value through the hash function an arbitrary number of times. They should still generate very different hash codes for very similar data. We still want things to be spread out and we want minor changes to have dramatic effect. And they should never-- and this is one of those words that computer scientists love-- they should never allow two different sets of data to hash to the same value. Do you see a potential problem when we frame it in this way? When we say they should never be able to do that? We've already restricted ourselves to a finite domain, right? I said a moment ago, maybe this hash function maps to 160-bit long strings. There's only so many combinations of 160 bits. Now that might be an unfathomably large number, but using the word never there becomes a bit dangerous. We can't really rely on that. And we'll see why this could potentially be a problem. This static length string, by the way, is usually referred to as a digest in this context. When we start to talk about more modern cryptography techniques, the output of a cryptographic hash function is usually referred to as a digest. Let's take a look at one of these cryptographic hash functions. And certainly I'm not going to dive into the mathematics of it. I wouldn't be able to explain the mathematics. I wouldn't be able to do it justice if I tried to explain the mathematics of it. But let's just take a look at some of the basics of this. So SHA-1. SHA-1 is quite a famous algorithm. It was designed by the National Security Agency in the mid-1990s. So these are really smart people who are tasked with working with things like military intelligence. These are people who are dedicating their lives to trying to protect data as best as they possibly can. Far more brilliant minds than I, for sure. And this hash function-- and this is a published paper. Hash functions tend to be, actually it's this very strange dichotomy where you describe exactly how the function works, but it still should be irreversible. And this just really becomes a question of incredibly complicated mathematics involved, such that even if you knew so many of the pieces going in, you still might not-- you still wouldn't be able to undo it, even if you tried. It's kind of amazing actually. SHA-1's digests are always 160 bits in length. So this is one of those ones I just said a moment ago. That means that there are 2 to the 160 different SHA-1 digests, which is a bit over 10 to the 48th power. And again, 2 to 160 means for every single one of the 160 bits, that could be a 0 or a 1. So we have that, two options times two options times two options, 160 times. Just to try and make it fathomable, to understand how large this number is, let me try and paint a picture for you. So imagine that you are looking on Earth for a specific grain of sand. You're looking for one specific grain of sand on Earth. That is easier by far than trying to have SHA-1 have a collision where two values would map to the same thing. There's about 10 to the 18 grains of sand on Earth. So that's eight quintillion-- I had to look up that word-- eight quintillion grains of sand. So way easier to find the grain of sand on Earth than it is to have a collision. In fact, we go even further and say that imagine that every single one of those grains of sand was another planet Earth, each of which also had sand on it. So you have eight quintillion planet Earths. You're trying to find a specific grain of sand on one of those eight quintillion planets. It's still easier than trying to have a collision with SHA-1. SHA-1 is such an important algorithm that it's actually one of the algorithms that is required in federal regulations to be used by the government for encrypting information. There are others as well, but SHA-1 is listed by the National Institute for Science and Technology as a standard algorithm. But there's a problem, which is that SHA-1 is broken. And it has this clever website called SHAttered, shattered.io. So the research team that figured out how to create a collision intentionally create a collision. And intentionally creating collision has the effect of basically saying, this cryptographic hash function is broken. And they have proven that there is a way that they can systematically generate collisions. So that's bad. And we'll see why that's bad in just a moment. But you can go to this URL, shattered.io, and read quite a bit about how the researchers do it. They explain it in different levels. So if you really want to dive into the technology and the mathematics of it, you're certainly welcome to. If you just want to understand it at a base level and why this is a problem, I definitely encourage you to take a look at this site and read more about this. So what did these researchers do? So they said, It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file, which can also be abused as a valid signature on the second PDF file. In short, what they're basically saying here is we were able to create two PDF files such that if I run them through the SHA-1 algorithm, the digest that I get is the same. Why is this potentially bad? For example, by crafting the two colliding PDF files as two rental agreements with different rent, it is possible to trick someone to create a valid signature for a high-rent contract by having him or her sign a low-rent contract. If you can take a PDF and twist it into anything you want it to be, but have a valid signature, a valid SHA hash associated with it, that's not great. Now before alarm bells start going off because SHA-1 is still use quite extensively, even now, this SHAttered research result was developed in 2017 it was released, but SHA-1 is still being used now, even then. Before you panic though, it has not been broken that many times, although they did very-- they worked for two years to create this PDF collision. And they demonstrated a method for how to do it. It has still not happened that many times. Cryptographic hash functions, once they've demonstrated one collision, are broken. That is certainly true. But the actual effects of this have not yet really materialized. The computational power required to create this is well beyond the capabilities of most people, or most syndicates even. So no cause for alarm yet. But it does show that there is a limitation with SHA-1, and we still want to always be staying one step ahead. Just like when Julius Caesar's enemies figured out how to crack the Caesar Cipher, the goal was, we need to get one step ahead. As technologists, we always want to stay one step ahead to make sure that we are doing our best job protecting our data. And as lawyers, we want to make sure we're doing our best job protecting our clients' data against potential adversarial attacks. So as I mentioned, there are other standards that are in use by other organizations, including the federal government. SHA-1, as I mentioned, is just one of a few different options that they use. SHA-2 and SHA-3 are much more robust algorithms. They use more bits, basically, in their digest. So instead of being 160 bits, you can have anywhere between 220 and 500 or so bits. So way larger of a domain, even reducing the likelihood of a collision that much more. Again, imagine how unlikely it was with 2 to the 160. Now we make it even more so. 500 bits, that's unfathomably large and difficult to duplicate. MD5 and MD6 are other cryptographic hash functions, or hash functions that you may encounter. MD5 in particular I've highlighted here in yellow because it's not actually considered secure anymore, but it's still very, very commonly used as a checksum. Basically, what we do is we run a file through MD5. And say we're a distributor of a file and we want people to come download our source, and they want to be able to trust our source, we might run our file through MD5 and say, if you run this file through MD5, the hash will be blah blah blah blah blah. And other people can then download the file and run it through MD5. It's usually a program that is available on computers for people to just run any arbitrary data through to get a hash result. And they can check, OK, the hash value that I received from this trusted source matches the hash value that I was told I would receive, and so I will trust this. Versus perhaps getting that same software versus some corner of the internet that you don't really trust. If you find the MD5 hash of the trusted source does not match what you downloaded and what you thought was that same file, it's probably a sign that something has changed in it and you don't really want to-- you might want to be skeptical about trusting that file rather than just diving right into it. So what do we do that relies on cryptography on the internet today? Or you know, just using our computers every day. Email. Email relies pretty extensively on cryptography, particularly when we start to use secure email services, of which Gmail might not be considered one, but there are services out there, for example, ProtonMail and others, that do encrypt email completely from point to point. Much safer in terms of protecting one's communications. Similarly, you may be familiar with the mobile app Signal is also used to encrypt communications between two people over the text messaging network rather than over email and the internet. Secure web browsing, you may be familiar with this distinction between HTTP and HTTPS. And if you're not, that's OK. We're going to be talking about that a little bit later as well. But you want to make sure that your web traffic is encrypted against people who are able to just monitor the network for all the traffic that is going by. You probably don't want your searches to be someone else's fodder for entertainment. VPNs. If you use a VPN, that's a great thing to do if you're traveling, for example, and you may be on less secure networks than you might find at your business or at home or at a university institution, for example. VPNs allow you to encrypt communications with a network, and also allow the network to pretend to do something on your behalf so that your web traffic cannot be traced back to you directly, which might be advantageous in some situations as well. Document storage as well. So if you use services like Dropbox, for example, generally what Dropbox is going to do is break your document into pieces and encrypt those pieces. Rather than just storing the whole file writ large in some server somewhere on the cloud, it's going to encrypt it before it sends it over so that you have some more comfort that your data is being protected by these cloud services. And certainly, we're going to talk a bit more about what the cloud is and what cloud services are and what they can be used for a little bit later in the course as well. Hash functions and cryptographic hash functions are great, but they are well documented and there's only the one. There's only one version of SHA-1. There's only one version of SHA-3. And that is a limitation. Now it might not be a severe one because it's pretty strong. They're pretty strong algorithms. But are there ways that we can improve our own cryptographic techniques if we're trying to protect data that we are receiving, data that we are sending, and so on? And that leaves this idea of public-key cryptography, or public- and private-key cryptography, or asymmetric encryption. You'll hear these terms kind of used interchangeably. Let's start by talking about public-key cryptography by way of an analogy. We're going to go way back to arithmetic and algebra days here. So imagine we have something like this. We have 14 times 8 equals 112. Multiplication we can think of as a function. It is a function. If 14 is our input and our function is times 8, the result is 112. Now multiplication is not a hash function because it is reversible. I can take that 112, multiply it by 1/8, or equivalently divide by 8, and get back the original input. So multiplication is a function, but it is not a hash function. It is reversible because if we multiply any number x by some other number y, we get a result z. And we can undo that whole process by taking z, multiplying it by 1 over y, or the reciprocal of y, and getting back the original x. Reversible. Goes in both directions. Now let's take this function and kind of obscure it. We know for ourselves that this function that I'm using is n times 8. Whatever I pass in is going to be multiplied by 8. But I don't tell you what that is. I don't tell my friends what that is. I just say, hey, if you want to send me a message, just run it through this function. So again, we're going to just use math as an example here. If my message is 14, I might say, f of 14-- and again, this is getting back to algebra, maybe a little bit back in the day-- f of 14 is 112. That is my public key, you might think. And you might say, having just gone through this whole example, that, well, it's pretty easy to undo that. If I know that 14 is the plain text and 112 is the cipher text, I can probably figure out that your function is n times 8. And so I've broken your encryption scheme. I have figured out how to reverse your cryptography. Well, it's true that n times 8 is certainly one function that I could use to turn that plain text, 14 in this example, into that cipher text, 112 in this example. But there are other ways that I can do it. My actual function could have been n times 10 minus 28. So 14 times 10 is 140, minus 28 is 112. And there are other contrived mathematical examples that I could continue to do pretty much ad infinitum to define ways to transform 14 into 112. So just because you see that 112, that doesn't mean you have figured out how to break my hash function. You haven't figured out what my encryption technique is. If all I say is, here's a black box that I would like you to feed an input into, even if you see the output, you, or really more concernedly an adversary who sees that output as well should not be able to, or cannot in this case, undo it. Because yes, I could have been using n times 8. I could have been using this crazy thing involving the square of n. And that's kind of the idea behind public-key cryptography. I am going to publicize that I have a function that can be used, but I'm not going to tell you what that function is, and I'm certainly not going to tell you how to reverse it. So public- and private-key cryptography are actually two hash functions where the goal is to reverse them. We kind of talked about this as hash functions are supposed to be irreversible. But the distinction here is that we are creating two functions, f and g, which are intended to reverse one another. So it's not that the function does the single function that is reversible, it is that we have two functions that, working together, create a circuit. If I take data and I run it through function f, I get some output. If I run that output through function g, I get back the original data. I have deciphered the information. And the same thing works in reverse. If I take some data and I run it through function g, I get some hashed output that makes no sense. And if I run that hashed output through function f, I get back the original data once again. Now the key is that-- pun intended-- the key is that one of these functions is public and the other one is private. One of them is available to everybody, and everybody uses that function to send you messages. If you want to send me a message using encryption, using public and private key encryption, you take the message and you use my public key to encrypt it, and you send me the result, the hashed encrypted result. And I use my private key to decrypt it. And I am, ostensibly, the only person who has my private key, even though I've broadcasted, made my public key widely available. Now the math that goes into this is well beyond the scope of a discussion that we're going to have here today. But basically, and most encryption, most cryptography involves the use of prime numbers, particularly very, very large prime numbers. And you're looking for prime numbers that have a particular pattern. And when I say "you're" looking for it, don't worry, you don't have to do this yourself. There are plenty of programs out there, RSA being a very popular one, that can be used to generate these public and private key pairs. But the amazing thing is that it can generate these pairs very quickly, but it's almost impossible to break or figure out what the underlying functions, or even in this case what the underlying two prime numbers are that are the foundation for your own encryption strategy. So it's pretty amazing that it's easy to define these functions and almost impossible to reverse engineer them, so to speak. So we start with a huge prime number, we find some other prime number that has a property, a special property related to it, and from those two numbers we generate two functions whose goal in life is to undo whatever the first one does. So f's job is to undo what g does, g's job is to undo what f does. And this is called a public and private key pair. So your public key is really some complicated hash function that does work. And that hash function is represented as a very long string of numbers and letters. It looks just like a hash digest. But it's just a human representation, a readable representation of a mathematical function. And your private key is the same-- or your private key is also a representation of letters and numbers. It's not exactly the same as your public key, but it undoes the work that your private key does. And again, these keys are generated using a program called RSA. So let's take a look at exactly how we would go about doing some asymmetric encryption using public and private keys. So here we have some original data. It's a message perhaps that I want to send. And I want to send it to you. I want to send this message to you, but I don't want to send it to you in the clear. I don't want to, you know, it's sensitive information. I don't want to send it via plain text. And I don't want to use a generic hash function because if I use a generic hash function, like SHA for example, it's irreversible. You will not be able to figure out what I tried to say. So instead, I take this original data and I use your public key. Your public key, again, is just a mathematical-- a very complex-- mathematical function. So I take this data, I feed it into your public key, your public hash function, and I get some garbled stuff out. OK? And this is what I send to you. I send you this garbled stuff. In order for you to figure out what the original message is, you use your private key. Not your public key-- your public key is what I use to encipher the information-- but your private key, which is known only to you, hypothetically. It should not be distributed to others. It undoes the work that your public key did. And so if I give you the scrambled data and you use your private key to try and decipher it, you will get back that original data. But here's the great thing. No one else's private key will be able to do that. If anybody intercepts that message other than you and they use their private key or they use your public key again, they will not be able to decipher the message that I sent to you. And so public and private keys are very interesting because they create these pairs. They're these unique encryption schemes that are unique to two people, or really even to one person. If you were to send me a message back, you would send me a message using my public key. You would then send me whatever the encrypted sort of scrambled data is for the message that you sent using my public key. I would then use my private key, which is not known to you or to, hypothetically, anyone else to decipher what you sent me. And I would get back the secret message, or the perhaps not-so-secret, but sensitive message that you sent to me. And so that's this idea of asymmetric encryption. You can encrypt using someone's public key. And anybody can do so. And for that reason, you'll often find technically-minded people will sometimes post their public key literally on the internet, such that anybody who wants to send them a message using a secure channel can do so. And programmers as well. So if I'm doing some work using a tool called GitHub, a popular service available online for sharing and posting source code, if I want to send something from my computer to GitHub's servers in the cloud, I might authenticate using a public key and private key encryption scheme so that they see that I'm using their public key to send them information, they're decrypting it. When they send information back to me, they're using my public key and I use my private key to decrypt it. It's actually part of-- it's part of a communication strategy used by technically-minded folks. And you're not restricted to just having one public and private key. For example, I have one public and private key that I use for a secure email, I have one public and private key that I would use for secure texting on my phone, and I have one public and private key that I use for my GitHub repository. So I have different sets and different combinations of these keys. But the key is that-- the key, again, pun intended-- is that the decryption can only be done by someone who has the private key, not the public key, because only those two functions are reciprocals of one another. They undo the work that the other did in the first place. But interestingly enough, that's not the only thing we can do with public and private keys. So instead of just encryption, we also have this idea of a digital signature, which is different than e-signature, an e-signature just being the tracing of a pen typically along some surface and just logging where all the pen strokes happen to be. So we're talking about something much more complex than that. We're talking about something cryptographically based when we talk about digital signature. It's kind of the opposite of encryption. And using someone's digital signature, you can verify the authenticity of a document and verify, more precisely, the authenticity of the sender of a document. And we're going to explain this in great detail in just a moment, but the basic idea is they're signing the document using their private key. You still don't see what the key is. And because these public and private key pairs are specific to an individual person, if you were able to verify that that document could only have been signed using someone's private key, then you have quite a serious belief that that person is the person who signed the document, who sent the document, and so on. Digital signatures are 256 bits long pretty consistently, which means there are 2 to the 256th power distinct digital signatures, which makes the potential of a forgery effectively zero. Again, I'm using this-- I'm trying to avoid saying never because computer scientists don't like never. But effectively, there is no chance of a forgery. Now the process for how one verifies a digital signature is quite-- there's quite a few steps involved. And I have a diagram here that I sourced from online. And what I'd like us to do now is walk through this process to hopefully give you an understanding of how these work and how you might be able to rely on digital signatures. And states and different entities are recognizing digital signatures as a valid way to sign documents, but it really helps to have a good understanding of them such that you, as an attorney, are comfortable with the fact that this does represent a specific individual. So let's take a look at how this process works. So we start with data. Data in this case is any document. Perhaps it's a scanned, signed version of some PDF with somebody's actual ink signature. But again, the whole thing is just scanned. The next step is to use a hash function. The hash function that we could use in this context could be anything. It could be SHA-1. It could be something very complex. In general, the hash function that's going to be used here is actually not a cryptographic hash function. It's going to be something like MD5. So something that anybody has access to. And that's going to result in a hash, a set of zeros and ones. In the case of MD5, it's going to be about 160 or so different characters. Now where things get very interesting is we take that hash, that set of zeros and ones, and we encrypt it using the signer's private keys. Remember, these functions are reciprocals of one another. A public key can undo what the private key does, and the private key can undo what the public key does. Notice in this case we're still not sending anyone our private key. We are just using our private key to encrypt something. So we take this hash that we received from running our file through MD5, we encrypt it using our private key, and we get some other result out of it. This number that comes out of running the hash through our private key is called the signature. We then just couple that-- so when we send this off, we send the signature plus the original document, and that would be considered a digital signature. So that's the signing part of the process. That's where we go. We start with a file. We run that file through a generic hash function. Not our public and private keys, something that is generally pretty accessible. We take that hash, we encrypt it using our private key to get some other hash that looks similar, different zeros and ones, but totally different pattern of zeros and ones. We attach the original document and the digital signature when we send it off, and that is considered a digitally signed document. Now the real crux is how do you prove that I'm the person who sent you this document, right? If you want-- if you're receiving something that has a digital signature, which is supposed to be as good as any other kind of signature, it's supposed to have legal effect. How do we verify that that person who sent you the document was actually the correct one? So then we go to the verification step. So we start, we've now received this digitally signed data. This is the same as this digitally signed data here that was sent by the sender. We also received two pieces of information. We received the document, the original document, and we received the signature. And recall, again, that the signature is what happens when we take the hash of the document and run it using our private key to get a result. Now the interesting step here is remembering that the public and private keys are reciprocals of one another. So we can take this complicated signature hash and we can use the public key, which, again, is publicly available. Anybody should ostensibly have access to someone's public key, not their private key. And notice that the signer has never sent their private key. They've only used it to encrypt some data, but they never sent the private key. The public key has always been available though. We take the signature, we run it through the public key function, and we get a hash. We take the data, the document, and we run it through MD5, the same hash function that the sender was supposed to use, and we get a hash. And we're checking to make sure that these two hashes are equal to one another. If they are equal to one another, that means the signature is valid. Let's talk about why that would be the case. If we use the MD5 of this file, the generic hash of this file, and we encrypt it using our private key, we get some result, OK? But this is very easy to calculate. It's MD5. We're taking a basic document, we're running it through a publicly known, well-defined hash function. Anybody who has access to this document and a program on their computer called MD5 can literally run this document through it and get this number. This is not the tricky part of this. We then take this hash function, we encrypt it using our private key to get some secret number. The public key though will undo that. Remember, the public and private keys are reciprocals of one another. Whatever one does, the other one can undo. And so only my public key will undo the work of my private key. So if I take this value and I encrypt it using my private key, and then I run this value through the public key, I should get the original result again, the original MD5 hash. And that's why we have to send the document as well, not just the digital signature, the numbers that we get by running it through our private key in the first place. That way we have a way to validate that yes, this file has this checksum, and the sender took that checksum, they ran it through their own private key, and when I used their public key to undo it, I get the same value, which is effectively proving, but is, we'll term it as it's very, very, very, very likely that this person who claimed to have sent the document is, in fact, the person who sent that document. And so that's what digital signatures can be used for. It is a mathematical, cryptographic way to verify the identity of the sender of a document or an individual. Or in whatever context you might be using or receiving digital signatures, it is purely a verification step that is based entirely in mathematics. There's one other potentially interesting use of digital signatures that's also quite buzzy right now, and that's blockchain technology. And what is the blockchain? Digital signatures are really key to knowing how the blockchain works and why it is trusted as a decentralized source of information for individuals. So understanding digital signatures means you are in a position to understand blockchain. And I use here the term the blockchain, but it really is a blockchain. There's no such thing as the one blockchain. There are many different-- this is just an idea that is implemented. Generally, we're hearing it in the context of a cryptocurrency, but it does not need to be restricted to that, although cryptocurrencies are so discussed in the media and have been dissected by so many researchers that they provide an interesting vehicle, an interesting lens through which to consider blockchain. And so our example today is going to focus on Bitcoin. It is the most well-documented of the cryptocurrencies. It is the most well-documented implementation of the blockchain, or among the most well-documented implementations. But this is not specifically a lecture about Bitcoin. We're just using Bitcoin as a lens through which to understand blockchain. There's also an outside source that I strongly encourage. This channel on YouTube provides interesting mathematical dissections of topics, and they tackle blockchain and Bitcoin pretty extensively. And this is an excellent supplementary resource to consider if you're trying to dig into this or understand it a little bit more, because in this video I'm going to omit some of the more technical details for the sake of, hopefully, broader understanding. But if you want to dive into it more deeply, this is a resource that I would recommend. And I really like talking about Bitcoin in the context of blockchain because it's actually how I kind of got started almost as an attorney. When I was practicing, when I graduated from law school, I decided to go out on my own and start my own firm. I live in a small town and so a lot of my early work was doing estate plans, wills and such for individuals in my town, getting to know them. But I had studied extensively technology-related law in law school and I really wanted to use it. And a few years into my practice, I had a friend who needed an estate plan prepared, and he asked if he could pay me in Bitcoin. And I had no idea what that meant. I didn't really know anything about Bitcoin at the time. And I looked it up and thought it sounded interesting, and so I said sure. So I learned how to set up an account. And it's also worth mentioning at the outset, as we're talking about cryptocurrency, that you need to understand how Bitcoin works to use Bitcoin. You don't need to understand how the federal banking system works to use a bank. And the same is true here with Bitcoin. But I ended up accepting a Bitcoin payment by creating what's called a Bitcoin wallet. I immediately sold the Bitcoin that I received and turned it into cash, such that I could use it for more generic purposes. And what I decided to do was send out a press release saying, oh, I accept Bitcoin, because it was something that was novel and I hadn't really heard that much about it. And this got the attention of my local paper and companies in the area that were technically minded as well. And so Bitcoin sort of provided this forum to meet new clients that also allowed me to explore fields of the law about which I am passionate. So it's kind of an interesting segue to be able to share that with you now. All right, so stepping away from Bitcoin again more broadly to blockchain. What is the blockchain? It's very similar to something you've already learned about, which is a linked list. So recall that a linked list is a set of nodes, each of which have connections forward and backward to other nodes in the chain. They are linked together. And similarly, with a blockchain, all of the blocks are chained together. It's basically the same terminology slightly modified. So a linked list is a set of nodes, each of which is connected to the one prior and the one after it. We learned about linked lists as having generally three pieces of information associated with them-- a previous pointer, which is basically a reference to the prior node, or in this case, the prior block; we have the next pointer, which is a reference to the next node or the next block; and we had data. And in this case, the data is actually two different things. There's the real data. And again, in the context of a cryptocurrency blockchain we're going to be talking about a list of transactions, a numbered list of transactions from person A to person b, each of those transactions being digitally signed such that you can verify that the person who logs that transaction is actually the one who made that transaction. And also, something called a proof of work. And this proof of work is very interesting because this is how Bitcoin ostensibly derives its authority. There is no central controller of the Bitcoin currency, and it is very decentralized. And there needs to be some way for people to agree as to what the true ledger is, or what the true set of transactions that have happened are. And the way that is done is by relying on something called the proof of work. And we'll dive into that shortly as well. So again, cryptocurrencies, that data is a ledger of transactions, each of which is digitally signed using the digital signature technique we've just discussed by the person who made or initiated that transaction. And that ledger is decentralized, which means that any time there's ever a change, any time any transaction is recorded, in this case, using Bitcoin, again, our lens through which to consider blockchain, that message is broadcast out. So if I make a transaction in Bitcoin, I pay you $10, I'm going to announce to everyone else who has a Bitcoin wallet or who is monitoring the blockchain, the list of transactions, hey, please add the following transaction to this list, Doug pays you $10. And that is announced to everybody, everybody records it in their ledger, and then some stuff is going to start happening. But here is a potential issue. How do you know that the blockchain is legitimate? How do you know that your copy of what is being said is the truth? How do you know that your copy of the blockchain is accurate with respect to all other transactions that have happened? Everybody else has their own copy as well. It's decentralized. We all maintain, anybody who's using Bitcoin maintains their own copy of the blockchain. How do you defend against people modifying it? That's a very interesting question. The way that cryptocurrencies do it is to assume-- and this is defined in the Bitcoin paper-- the way the cryptocurrencies do it is to assume that the chain that has the most computational work put into it is the true chain. This decision is completely arbitrary. There's no reason why one needs to be vetted over the other. But something had to be agreed upon by, collectively, users of Bitcoin to say in the event of a dispute, between which person's chain is the accurate de facto definitive list of transactions? We're going to go with the one that has been verified the most times. And again, this word verified is sort of a sketchy word. There's nothing inherently about proof of work or anything else that proves that a transaction has taken place in the way that we normally think of this term verified. Rather it is the collective standard by which we all agree to adhere, that the person-- or that the blockchain that has the most proof of work in it is the list. That is just something we must subscribe to as users and consumers of blockchain. Now how do we determine which blockchain has had the most computational work into it, which copy of the blockchain has had the most computational work put into it? Well, this is proof of work. So proof of work is how the correct blockchain of all the copies that are decentralized is determined. So recall how hashing works. Hashing allows us to take any arbitrary data and run it through a hash function and get an outcome. And that outcome is going to be, let's say 256 bits, each of those bits being, of course, 0 or 1. Now there's a lot of different combinations there. But some of them will be very unique. And the way Bitcoin works, Bitcoin's blockchain works is to prove a particular block. We are asking people who are oftentimes called miners-- that's where this term comes from because they are mining. , Ultimately the reward for doing this proof of work is to receive Bitcoin that are sort of generated out of thin air. And so these people are termed miners. But we are asking anyone who has a computer to hash the entire block. So hash the entire list of transactions, the reference to the previous block and the next block. And remember, all of that is contained in a single node of this blockchain, basically. And we're looking for a highly unusual pattern. We're looking for maybe the first 30 bits or the first 40 bits to all be zeros. That's really weird. Like, that's a really difficult pattern to find. And the only way to do it is to guess. So you take this entire block, you attach a single piece of data to the bottom of it, like 1, 2, 3. You can just count in that way trying to guess. And if you hash that entire thing together, do you eventually find a block that, when hashed in this way, produces this very, very unique pattern? If so, you just say, here's the number that I attach. So let's say I took the entire block and I hashed it with 12345 was the number, right? It's very difficult to find a value that would create this unique pattern of zeros and ones, in particular, zeros, 30 zeros in a row. But it's really, really easy to verify that someone has done it. To verify that someone has done it, all you have to do is if they announce the number that they used, 12345, as their proof of work-- and that's what the proof of work really is, it's that number that they use to figure it out-- if they announce that and you hash the block with that number, you can verify, yes, that pattern is actually 30 zeros in a row. So I guess you have proven it. Now this is, again, kind of arbitrary. Like, this seems weird. Why are you spending all your time trying to figure out a specific pattern that exists somewhere? That is a question that I cannot answer other than to say that it is the standard by which people who have ascribed to the Bitcoin standard have just agreed to be bound by. The person who finds this number is probably the-- is proving the validity of all the transactions above it. And this gets interesting when you think about somebody trying to perpetrate a fraudulent transaction. So imagine I'm trying to perpetrate a fraudulent transaction by initiating a transaction that says, I'm going to pay you $100. And I announce that to you, but I don't broadcast it to everybody else who maintains the blocks, who are maintaining their own copies of blockchains. Which is interesting because you think that I have spent $100, and as far as you're concerned I have spent $100 to you, but no one else is aware of that. So no one else thinks that I have spent $100. They all think I am $100 wealthier than I actually am. The problem then arises that I need to verify that block. I need to verify that transaction. So I append the transaction to my own copy of the blockchain because I am the only person other than you-- the two of us maybe have these copies of the blockchain, but everybody else, I didn't broadcast this transaction so no one else knows about it. In order for it to have a proof of work attached to it, in order for it to be considered the valid chain, I would need to prove that block. I would need to find that secret number that when hashed with the entire block, produces a pattern of 30 consecutive zero bits before anybody else does. So that's a 1 in 2 over 2 to the 30th power chance because I'm looking for a pattern of 30 consecutive zeros. There's a 1 in 2 to the 30th power chance that I'm going to find that pattern. And I have to find that pattern before somebody else. And in the meantime, other transactions are coming in on my ledger. On my-- other people are broadcasting their transactions. And I have to keep adding them to my ledger and keep proving that work over and over and over, all the while trying to stay ahead so that my fraudulent transaction is considered ultimately the correct blockchain. Now the odd-- you just can't beat the odds of that. One malicious person trying to perpetrate a fraudulent transaction using the blockchain cannot stay ahead. They can't win the find the secret number game over and over and over and over. Eventually, some other chain, which contains valid transactions, will win out over my attempted fraudulent chain. And it will be disregarded. Nobody will consider that to be a valid part of the chain anymore. And so that's kind of how this works. Again, it's arbitrary the way they decide to resolve or verify. There's nothing about this process that proves that person A sent person B money. It's just the consensus that we have decided, well, if people have gone through the effort to try and find these secret numbers, and many different people are doing it, and this one chain is longer than the others because it's been verified-- again, using this term verified-- it's been proven with work over and over and over, we're just going to agree that that's the right one. So again, it's kind of strange. And I do, again, refer you to that video that I shared earlier to get into some of the more technical details of this, which I'm glossing over a little bit here in this discussion. But proof of work is basically the collective consensus of blockchain users, or in this case specifically, of Bitcoin users, for which transactions they are going to consider valid. Because changing any one-- and if you go back in time, as opposed to trying to forward think I want to add a new fraudulent transaction, if you try and go back in time to modify a transaction from the past, say there was a transaction that was you pay me $10 and I maintain a copy of the blockchain, so I can go back in time and modify that file, technically, I change it to you pay me $100, well, because I've changed even the tiniest thing and I'm hashing that block, that means that when I hash it with that secret number, I'm no longer getting that secret pattern of 30 numbers, 30 zeros in a row. And so that kind of calls that transaction into question. It also, because each of those blocks contains a reference to the next block and the previous block, it also invalidates all of the other transactions in that blockchain. And so because of this weird technique we're doing of hashing blocks, hashing data, trying to look for specific patterns, but realizing that any cryptographic hash function with the tiniest change to the input creates a totally different output, we actually are pretty well defended against people who try and go back in time and make fraudulent transactions using the blockchain. So it's mathematical and it's quirky, but it does provide a clever way to defend against that kind of thing, considering we don't have a central authority to rely on to adjudicate these kinds of disputes. We are collectively, not trusting one another enough, but agreeing to trust the mathematics of the blockchain in order for it to succeed. So as I mentioned, we can very easily verify the correctness of someone's proof of work. That proof of work is just the number that is hashed with the block to produce the secret pattern of 30 zeros and then some other bits, and so on. The longer a chain gets, the more and more likely it is that all the transactions in it are "verified." Again, I keep putting air quotes around that word because it doesn't mean in exactly the same way that we might consider verified colloquially to mean. It doesn't prove anything about the transaction itself, just that we accept it as the standard. We accept this as the de facto truth because of all the mathematics that have been put into it. So the longer a chain gets, the more likely it is that it consists of only verified, legitimate transactions. But that brings up a question of, what is a transaction? A transaction is just an exchange between two people. And if we start to really spread things out, we can almost think about a transaction as a contract. I offer you $10 for you to do something on my behalf, and assuming that we're intending for me to actually give you these $10, and you're intending to actually do something on my behalf, and the thing that you're doing for me is not illegal, we've basically formed a contract. And so while Bitcoin can be used, the blockchain for Bitcoin can be used to send money back and forth between people, the data that goes into the data block of any blockchain is arbitrary. And there's no reason why, instead of being a list of transactions, that data couldn't be something much more significant than that. There's no reason it couldn't be a digitally signed PDF scan of a contract between two people. There's no reason it can't be a message from me typed to you saying, I will pay you $100 if you paint my house on Tuesday, and you sending something back in that same chain saying, I will paint-- I accept your offer for this payment. I accept your offer. I will paint your house on Tuesday in exchange for $100. We've just formed a contract with no middleman at all. We are announcing our intentions. It is being recorded publicly in everybody's version of the blockchain. There is verified, again, verified in the sense that we collectively term to be accurate rather than proving that I definitely sent this although the digital signatures associated with these transactions do, again, suggest yes, I am the person who made this transaction because I digitally signed it. If I do the same thing with a contract, if I send you an offer and you accept, and both of those items are in the chain, we arguably have formed a contract. And that is what the blockchain associated with the Ethereum technology is actually more akin to. So Bitcoin is kind of restricted in how it approaches cryptocurrency and approaches transactions between people. And Ethereum opens up a little bit more. And there are other blockchain technologies and other services that rely on the blockchain in order to do things far beyond what a cryptocurrency could do. But all these things are only possible because we rely on-- we rely so extensively on cryptography. We use computers to send information securely, encrypt information. And the mathematical unlikelihood of someone being able to duplicate our work, or certainly reverse engineer this encryption is what gives us the confidence to make these transactions in the first place. And so cryptography forms the basis of almost everything that we do when we talk about security on a computer. But ultimately, cryptography just relies on mathematics. So the moral of the story is probably this. You are probably not going to be implementing your own version of the blockchain. And really, you don't need to understand it completely in order to use it. Like I said, you can use Bitcoin without knowing the mathematics of how Bitcoin works, just like you can use a bank without knowing the minutia of how the banking system works. The point of the blockchain is to remove a central authority. We don't rely on one person or one entity or one government to determine what has happened, what the transactions are like we do with a bank. Your bank has a ledger of everybody's accounts. With blockchain technology, we are decentralizing this and making it so that everybody has access to all of the information at once, and it is everybody's responsibility to keep that ledger accurate. And because these ledgers rely so extensively on cryptography, because this technology relies on cryptography, we can use the power of cryptography, the fact that things are very difficult to reverse engineer mathematically to verify that yes, these are the things, these are the things that have happened, these are the transactions that have been logged, and everybody knows about it at the same time.
B1 中級 弁護士のためのCS50 2019 - 暗号化 (CS50 for Lawyers 2019 - Cryptography) 9 0 林宜悉 に公開 2021 年 01 月 14 日 シェア シェア 保存 報告 動画の中の単語