The spread of cryptocurrencies has driven the development of many solutions based on distributed ledger technology (blockchain). Although the scope of these solutions varies, most of them rely on the same basic set of security services: confidentiality, authenticity, and integrity. These services are provided by practical applications of public key cryptography, in particular the digital signature (DS). Unlike most other applications of public key cryptography, however, cryptocurrency networks do not use public key certificates. That is the aspect we would like to discuss.
In 1956 the American mathematician and cryptographer Claude E. Shannon published a short article entitled "The Bandwagon". Shannon expressed concern that the methods of the information theory he had founded were being irresponsibly applied to unrelated fields of knowledge, from biology and physics to economics, psychology, and linguistics. Shannon was not against applying his theory to other fields, but he sharply condemned its blind, uninformed transfer without a balanced approach and a proper use of the mathematical apparatus. As he reasonably noted:
"While we feel that information theory is indeed a valuable tool in providing fundamental insights into the nature of communication problems and will continue to grow in importance, it is certainly no panacea for the communication engineer or, a fortiori, for anyone else. Seldom do more than a few of nature’s secrets give way at one time."
History repeats itself. Now cryptocurrencies and the solutions used in cryptocurrency networks are the very "heady draught" that makes engineers dizzy and is perceived as a panacea. Once again we witness a "calque" in action: a solution or theory is transferred from one area to another without regard for the fundamental principles that make up the content of the corresponding branch of science. This disturbing trend prompted us to write this post.
Shannon's article had a positive impact on the development of information theory. We dare to hope that our modest text will prevent some miscalculations and omissions that could be tragicomic due to their simplicity and obviousness.
First of all, recall a fundamental feature of cryptocurrency networks: the anonymity of transactions. This means that the protocol does not disclose the personal data of the sender; strictly speaking, Bitcoin offers pseudonymity, since addresses are not bound to any identity, but the term "anonymity" is established and we use it below. Anonymity is a fundamental design feature and largely determines the meaning of cryptocurrency as a financial instrument. Without it, a cryptocurrency loses one of its main advantages.
It is worth emphasizing that anonymity does not mean untraceability. Despite anonymity, the movement of funds (tokens) can be traced in most cases: how many coins were sent and received, and the sender and receiver addresses of each transaction. To be sure, there are cryptocurrencies, such as Monero, that also aim at untraceability. But when discussing the features of cryptocurrencies we will stick to Bitcoin, a popular and well-studied first-generation cryptocurrency network. Let us look more closely at the methods that provide anonymity.
The method of providing anonymity in the Bitcoin network is simple and logical. Every transaction carries a DS that is verified with a public key, and the basic idea is that this public key exists on its own, outside any certificate. The unique address involved in a transaction (loosely called a "wallet" below; strictly, a wallet is the software that holds the keys) is derived from the public key by a cryptographic hash: a classic pay-to-public-key-hash address encodes RIPEMD160(SHA256(public key)), together with a version byte and a checksum. Thus, given an address and a public key, checking whether the two match is always easy: recompute the hash and compare.
The logic of this decision is as follows: since a certificate contains, among other things, the personal data of the public key owner, the absence of a certificate naturally guarantees anonymity. And anonymity, as noted above, is a fundamental feature of cryptocurrency networks. If a cryptocurrency network used public key certificates, it would lose its main advantage. One might ask: what if we issued certificates without the personal data of the key owners, some kind of anonymous certificates? In that case the meaning of a certificate is lost entirely. The very definition of the term "certificate", formulated by Loren Kohnfelder in 1978, involves binding a public key to personal data; that is its main purpose. Issuing and maintaining certificates without the personal data of key owners therefore makes no sense, as it contradicts the paradigm postulated by Kohnfelder.
According to Kohnfelder's paradigm, a DS is meaningless without a certificate, because its absence opens the way to falsification and forgery with all the ensuing consequences. But is this problem relevant for cryptocurrencies? Using Bitcoin as an example, let us find out what the absence of a certificate can lead to. If you regard the problem as self-evident, you may stop reading right here; we sincerely regret having distracted you from more impressive topics.
We start with a curious experiment. Let us type "public key certificate", or even just "certificate", into the search bar while reading the electronic version of Andreas M. Antonopoulos's book "Mastering Bitcoin: Programming the Open Blockchain". Nothing is found. The author does not even casually touch upon the problem of the authenticity of public keys, although this issue is the essence of Kohnfelder's paradigm and, together with the certificate-based solution, is widely covered in the specialized literature. Since there is no reason to doubt the author's competence, it is reasonable to assume that the problem does not arise in the Bitcoin network, at least not in its usual form.
In Bitcoin, public key cryptography is limited to the DS. We are interested not in a specific DS scheme but in its purpose and the way it is applied. In cryptocurrency networks, the DS proves ownership of an asset and, together with the ordered ledger, prevents the same asset from being spent twice (double-spending).
A DS is generated for each transaction with the private key of the wallet owner. As noted earlier, the correspondence between a wallet and the public key used to verify the signature is always easy to establish. In the Bitcoin network there is only one kind of check that a public key matches a wallet: compute the cryptographic hash of the public key and compare the result with the address.
Our further reasoning relies on notions of computational complexity that are well known to computer scientists. Explaining them is beyond the scope of this post; for clarity we give an intuitive reading in brackets: "simple" (computationally feasible) or "difficult" (computationally infeasible). We also leave aside questions of available computing resources.
For the private key, the public key and the wallet, the following relations of computational complexity hold:
1. For a given private key, the public key is computed with polynomial complexity (simple): one elliptic-curve scalar multiplication.
2. For a given public key, the private key is computed with superpolynomial complexity (difficult): the elliptic-curve discrete logarithm problem.
3. For a given public key, the address (wallet) is computed with polynomial complexity (simple): a hash computation.
4. For a given address (wallet), the public key is computed with superpolynomial complexity (difficult): finding a preimage of the hash.
In particular, this means that both the address and the public key are needed to check the correspondence. If no address is given, there is nothing to check against. If the address is given but the public key is unknown, finding it has superpolynomial complexity, which makes the exercise meaningless. Note that in a transaction both components are known by construction: the address is in the output being spent, and the public key is revealed by the spender alongside the signature.
Before it is included in the blockchain, a transaction with all its details, including the DS, sits in the mempool, the pool of unconfirmed transactions that every node keeps and relays to its peers. Since anyone can read it, an attacker can try to falsify the transaction at this stage. The attacker has the following options:
1. The attacker can generate a new DS without changing the content of the transaction.
2. The attacker can first change the content of the transaction and then sign the changed transaction.
Both cases come down to the same thing. By definition, only the holder of the private key can generate a DS. Bitcoin verifies a spend in a fixed order: first it checks that the public key presented by the spender hashes to the address of the output being spent, and only then does it verify the signature under that key. An attacker who does not hold the private key can therefore produce an acceptable signature only by presenting a different public key, i.e. by changing the address, and the only coins that key can spend are those locked to the attacker's own address. Arbitrary falsification that passes all subsequent checks and is ready for inclusion in the blockchain is thus possible only on behalf of a different registered asset owner, distinct from the initiator of the original transaction. (Historically, a third party could also re-encode an existing signature into another valid form, changing the transaction identifier but not who pays whom; this signature malleability was closed by strict DER encoding rules (BIP 66) and by SegWit, and does not affect the argument.) Obviously, if the private key is compromised, falsification is potentially unlimited.
Thus, falsification is possible in general, but there is no motivation for it. As shown above, it only leads to funds being debited from a different wallet, namely the attacker's own. Setting aside the case of a compromised private key, such actions need very special reasons. Apparently, Bitcoin's developers classified such reasons as unlikely and therefore insignificant, while the absence of public key certificates preserves anonymity, which matters more for financial transactions. These considerations, it seems to us, plausibly explain the lack of certificates in the Bitcoin network.
Let us now turn to other applications, such as electronic document management. For clarity, consider a typical example. Suppose party A issues a loan note to party B: an electronic document certified with A's DS, with the amount agreed with B. Anyone with access to the public key PA can verify that the signature was generated by the paired private key SA. But if there is no certificate for PA, party A can always repudiate its obligation by claiming that it does not own PA and therefore owes nothing to B. This is the simplest example of why the public key must be authenticated before a DS is checked. The certificate contains the personal data of party A, and the DS of a trusted certification authority over it guarantees that PA belongs to A and to no one else.
In all fairness, there are other kinds of control that are not fundamental in the context of this discussion, for example checking the certificate against a revocation list (CRL) or an OCSP responder. The conclusion is that the non-repudiation function of a DS cannot be implemented without a public key certificate. Cryptocurrency networks are the exception that proves the rule.
The authenticity of public keys is just as important for confidentiality. Suppose party A sends an encrypted message to party B: A encrypts with B's public key PB, and B decrypts with the paired private key SB. If party C impersonates B and A uses PC instead of PB for encryption, then C can read the message addressed to B. Thanks to Kohnfelder, we know how to fix this: with party B's public key certificate.
There are other destructive techniques, traditionally referred to as "attacks". The most common and best-studied of them is the man-in-the-middle (MitM) attack, in which an adversary sits between the parties and substitutes keys in transit. Kohnfelder considered these circumstances and the corresponding attacks.
Now imagine a developer who, without going into the nuances, builds an electronic document management solution by simply copying the architecture of a cryptocurrency network such as Bitcoin. It sounds impressive and fashionable, and dozens of media articles on advanced technologies quote the developer. In essence, there is a pair of functionally related keys, a private and a public one, and a wallet or address computed as described above. The public key and the wallet are easy to check for a match. But can the public key be validated by means of a verified address, say in the case of an electronic loan note? The answer is obviously no. The address and the public key are functionally related, but the address carries no information about the identity of the key owner: it is merely a hash of the key, and anyone can generate a key pair together with its matching address.
Let us formulate our conclusions:
1. Direct transfer of solutions originating in cryptocurrencies to other fields may leave the public key cryptography mechanisms vulnerable.
2. Every practical solution based on such mechanisms must be comprehensively analysed for possible attacks.
3. Ensuring the authenticity of public keys is the routine responsibility of every developer of cryptographic applications.
The absence of certificates in cryptocurrency networks does not mean that certificates are redundant and can be ignored wherever public key cryptography is used. It is important to understand that, approached thoughtlessly, the cryptocurrency bandwagon is a trap with fatal consequences.