
    Lower Bounds for Off-Chain Protocols: Exploring the Limits of Plasma

    Blockchain is a disruptive new technology introduced around a decade ago. It can be viewed as a method for recording timestamped transactions in a public database. Most blockchain protocols do not scale well, i.e., they cannot quickly process large numbers of transactions. A natural idea to deal with this problem is to use the blockchain only as a timestamping service, i.e., to hash several transactions tx_1, …, tx_m into one short string and put only this string on the blockchain, while at the same time posting the hashed transactions tx_1, …, tx_m to some public place on the Internet (''off-chain''). In this way the transactions tx_i remain timestamped, but the amount of data put on the blockchain is greatly reduced. This idea was introduced in 2017 under the name Plasma by Poon and Buterin. Shortly after this proposal, several variants of Plasma were proposed. They are typically built on top of the Ethereum blockchain, as they strongly rely on so-called smart contracts (in order to resolve disputes between the users if some of them start cheating). Plasmas are an example of so-called off-chain protocols. In this work we initiate the study of the inherent limitations of Plasma protocols. More concretely, we show that in every Plasma system the adversary can either (a) force the honest parties to communicate a lot with the blockchain, even though they did not intend to (this is traditionally called mass exit); or (b) force an honest party that wants to leave the system to quickly communicate large amounts of data to the blockchain. What makes these attacks particularly hard to handle in real life is that they do not have so-called uniquely attributable faults, i.e. the smart contract cannot determine which party is malicious, and hence cannot force it to pay the fees for the blockchain interaction.
An important implication of our result is that the benefits of two of the most prominent Plasma types, called Plasma Cash and Fungible Plasma, cannot be achieved simultaneously. Besides the direct implications for real-life cryptocurrency research, we believe that this work may open up a new line of theoretical research, as, to our knowledge, this is the first work that provides an impossibility result in the area of off-chain protocols.

    Large-Scale Non-Interactive Threshold Cryptosystems in the YOSO Model

    A (t,n)-public key threshold cryptosystem allows distributing the execution of a cryptographic task among a set of n parties by splitting the secret key required for the computation into n shares. A subset of at least t+1 honest parties is required to execute the task of the cryptosystem correctly, while security is guaranteed as long as at most t < n/2 parties are corrupted. Unfortunately, traditional threshold cryptosystems do not scale well when executed at large scale (e.g., in an Internet environment). In such settings, a possible approach is to select a subset of n players (called a committee) out of the entire universe of N ≫ n parties to run the protocol. If done naively, however, this means that the adversary's corruption power does not scale with N, as otherwise the adversary would be able to corrupt the entire committee. A beautiful solution for this problem is given by Benhamouda et al. (TCC 2020), who present a novel form of secret sharing where the efficiency of the protocol is independent of N, but the adversarial corruption power scales with N (a.k.a. fully mobile adversary). They achieve this through a novel mechanism that guarantees that parties in a committee stay anonymous -- also referred to as the YOSO (You Only Speak Once) model -- until they start to interact within the protocol. In this work, we initiate the study of large-scale threshold cryptography in the YOSO model of communication. We formalize and present novel protocols for distributed key generation, threshold encryption, and signature schemes that guarantee security in large-scale environments. A key challenge in our analysis is that we cannot use the secret sharing protocol of Benhamouda et al. as a black box to construct our schemes; instead we require a more generalized version, which may be of independent interest.
Finally, we show how our protocols can be concretely instantiated in the YOSO model, and discuss interesting applications of our schemes.

    A new homatropine potentiometric membrane sensor as a useful device for homatropine hydrobromide analysis in pharmaceutical formulation and urine: a computational study

    Homatropine (Equipin, Isopto Homatropine) is an anticholinergic medication that inhibits muscarinic acetylcholine receptors and thus the parasympathetic nervous system. It is available as the hydrobromide or methylbromide salt. In this study, a potentiometric liquid membrane sensor for simple and fast determination of homatropine hydrobromide in pharmaceutical formulation and urine was constructed. For the membrane preparation, homatropine-tetraphenylborate complexes were employed as electroactive materials in the membrane. The proposed sensor presents a wide linear range (10^-5 to 10^-1 mol L^-1), a low detection limit (8×10^-6 mol L^-1), and a fast response time (ca. 10 s). Validation of the method shows the suitability of the sensor for quality control analysis of homatropine hydrobromide in pharmaceutical formulation and urine.

    BIP32-Compatible Threshold Wallets

    Cryptographic wallets have become an essential tool to secure users' secret keys and consequently their funds in blockchain networks. The most prominent wallet standard that is widely adopted in practice is the BIP32 specification. This standard specifies so-called hierarchical deterministic wallets, which are organized in a tree-like structure such that each node in the tree represents a wallet instance and a parent node can derive a new child node in a deterministic fashion. BIP32 considers two types of child nodes, namely non-hardened and hardened nodes, which differ in the security guarantees they provide. While the corruption of a hardened wallet does not affect the security of any other wallet instance in the tree, the corruption of a non-hardened node leads to a breach of the entire scheme. In this work, we address this significant drawback of non-hardened nodes by laying out the design for the first hierarchical deterministic wallet scheme with thresholdized non-hardened nodes. We first provide a game-based notion of threshold signatures with rerandomizable keys and show an instantiation via the Gennaro and Goldfeder threshold ECDSA scheme (CCS'18). We further observe that the derivation of hardened child wallets according to the BIP32 specification does not translate easily to the threshold setting. Therefore, we devise a new and efficient derivation mechanism for hardened wallets in the threshold setting that satisfies the same properties as the original BIP32 derivation mechanism and therefore allows for efficient constructions of BIP32-compatible threshold wallets.

    Prevalence and Correlates of Psychiatric Disorders in a National Survey of Iranian Children and Adolescents

    Objective: Considering the impact of rapid sociocultural, political, and economic changes on societies and families, population-based surveys of mental disorders in different communities are needed to describe the magnitude of mental health problems and their disabling effects at the individual, familial, and societal levels. Method: A population-based cross-sectional survey (IRCAP project) of 30 532 children and adolescents between 6 and 18 years was conducted in all provinces of Iran using a multistage cluster sampling method. Data were collected by 250 clinical psychologists trained to use the validated Persian version of the semi-structured diagnostic interview Kiddie-Schedule for Affective Disorders and Schizophrenia-PL (K-SADS-PL). Results: In this national epidemiological survey, 6209 out of 30 532 (22.31%) were diagnosed with at least one psychiatric disorder. Anxiety disorders (14.13%) and behavioral disorders (8.3%) had the highest prevalence, while eating disorders (0.13%) and psychotic symptoms (0.26%) had the lowest. The prevalence of psychiatric disorders was significantly lower in girls (OR = 0.85; 95% CI: 0.80-0.90), in those living in rural areas (OR = 0.80; 95% CI: 0.73-0.87), and in those aged 15-18 years (OR = 0.92; 95% CI: 0.86-0.99), and significantly higher in those who had a parent suffering from mental disorders (OR = 1.96; 95% CI: 1.63-2.36 for mother and OR = 1.33; 95% CI: 1.07-1.66 for father) or physical illness (OR = 1.26; 95% CI: 1.17-1.35 for mother and OR = 1.19; 95% CI: 1.10-1.28 for father). Conclusion: About one fifth of Iranian children and adolescents suffer from at least one psychiatric disorder. Therefore, greater priority should be given to promoting mental health and public health, providing more accessible services and training, and reducing barriers to accessing existing services.

    On the (im)possibility of building off-chain protocols from minimal assumptions

    Blockchains have come a long way since the introduction of Bitcoin in 2008. Cryptocurrencies have become a household name as more people and even countries see the appeal in a secure decentralized ledger capable of processing monetary transactions and executing programs. Yet, one of the drawbacks of such decentralized systems is their lack of scalability. Hence, blockchains are unfortunately not ready to replace the existing financial system or cost-effectively execute programs. One class of solutions proposed to tackle these limitations are off-chain protocols. These protocols shift the communication away from the blockchain by allowing parties to mostly communicate directly with each other. This direct communication is also referred to as off-chain communication. Probably the best-known off-chain solution developed to date is Payment Channel Networks (PCNs). PCNs allow parties to make monetary transactions off-chain. Recently, more advanced off-chain solutions such as virtual channels, state channels and Plasma protocols have been developed for the Ethereum blockchain. These solutions allow making payments with improved efficiency and even executing programs (called smart contracts) off-chain. However, they rely on the fact that the Ethereum blockchain can execute Turing-complete smart contracts, and it was unclear whether one can build such protocols over more restricted blockchains such as Bitcoin. In this thesis, we start by showing that virtual and state channels can be built over Bitcoin and similar blockchains. First, we present a new channel solution called generalized channels over Bitcoin. Generalized channels are comparable to state channels over Ethereum, i.e., generalized channels allow parties to execute applications off-chain that are supported by the underlying blockchain.
In order to design generalized channels, we formalize, for the first time, a new primitive called adaptor signatures and show that Schnorr and ECDSA instantiations of this primitive are secure in our model. We then show that virtual channels can also be built over Bitcoin and Bitcoin-like blockchains. Virtual channels improve the efficiency of PCNs by reducing the communication needed for making off-chain payments. We further analyze the security of our protocols in the Universal Composability framework of Canetti. We continue by extending our adaptor signature formalization and model two-party adaptor signatures. This extension helps improve the efficiency of our generalized channel construction. We provide two generic transformations that allow us to instantiate single- and two-party adaptor signature schemes from signature schemes built from identification schemes that satisfy certain properties. We show that the Schnorr, Katz-Wang, and Guillou-Quisquater signature schemes satisfy the properties required by our transformations and can generically be transformed into single- and two-party adaptor signatures. Finally, we show that it is impossible to transform unique signature schemes such as BLS into adaptor signature schemes. After showing how to instantiate generalized and virtual channels over more restricted blockchains such as Bitcoin, we turn our attention to an alternative off-chain protocol called Plasma. In this solution, a single operator is responsible for updating parties' balances off-chain according to their transactions. On a high level, there are two classes of Plasma protocols, Plasma Cash and Plasma MVP, each with its advantages and disadvantages. Many in the Ethereum community focused on building a protocol that inherits the best properties of both classes without suffering from their disadvantages. We show that it is impossible to build a protocol that achieves the best of both worlds.
Put differently, there is an inherent separation between Plasma Cash and MVP. This result can also be seen as "bringing order" to the huge landscape of Plasma protocols discussed in the Ethereum community. We further provide a formal model for Plasma protocols and also present instantiations of Plasma Cash and MVP that are secure in our model. Finally, we conclude this thesis by presenting CommiTEE, an efficient yet simple Plasma protocol using a Trusted Execution Environment (TEE). A TEE is a piece of hardware that guarantees the correct execution of programs and secure storage of secret values. We only require the operator to have access to a TEE, and hence the end users are not burdened with purchasing expensive equipment. Our protocol removes many of the drawbacks seen in other Plasma constructions and offers a practical solution for real-world usage.

    Deterministic Wallets for Adaptor Signatures

    Adaptor signatures are a new cryptographic primitive that binds the authentication of a message to the revelation of a secret value. In recent years, this primitive has gained increasing popularity both in academia and in practice due to its versatile use cases in different blockchain applications such as atomic swaps and payment channels. The security of these applications, however, crucially relies on users storing and maintaining the secret values used by adaptor signatures in a secure way. For standard digital signature schemes, cryptographic wallets have been introduced to guarantee secure storage of keys and execution of the signing procedure. However, no prior work has considered cryptographic wallets for adaptor signatures. In this work, we introduce the notion of adaptor wallets. Adaptor wallets allow parties to securely use and maintain adaptor signatures in the blockchain setting. Our adaptor wallets are deterministic and operate in the hot/cold paradigm, which was first formalized by Das et al. (CCS 2019) for standard signature schemes. We introduce a new cryptographic primitive called adaptor signatures with rerandomizable keys, and use it to generically construct adaptor wallets. We further show how to instantiate adaptor signatures with rerandomizable keys from the ECDSA signature scheme and argue that they can likely be built for the Schnorr and Katz-Wang schemes as well. Finally, we discuss the limitations of the existing ECDSA- and Schnorr-based adaptor signatures w.r.t. deterministic wallets in the hot/cold setting and prove that it is impossible to overcome these drawbacks given the current state-of-the-art design of adaptor signatures.

    Fuzzy Asymmetric Password-Authenticated Key Exchange

    Password-Authenticated Key Exchange (PAKE) lets users with passwords exchange a cryptographic key. There have been two variants of PAKE which make it more applicable to real-world scenarios:
    - Asymmetric PAKE (aPAKE), which aims at protecting a client's password even if the authentication server is untrusted, and
    - Fuzzy PAKE (fPAKE), which enables key agreement even if the passwords of users are noisy, but ''close enough''.
    Supporting fuzzy password matches eases the use of higher-entropy passwords and enables using biometrics and environmental readings (both of which are naturally noisy). Until now, both variants of PAKE have been considered only in separation. In this paper, we consider both of them simultaneously. We introduce the notion of Fuzzy Asymmetric PAKE (fuzzy aPAKE), which protects against untrusted servers and supports noisy passwords. We formulate our new notion in the Universal Composability framework of Canetti (FOCS'01), which is the preferred model for password-based primitives. We then show that fuzzy aPAKE can be obtained from oblivious transfer and some variant of robust secret sharing (Cramer et al., EC'15). We achieve security against malicious parties while avoiding expensive tools such as non-interactive zero-knowledge proofs. Our construction is round-optimal, with message and password file sizes that are independent of the scheme's error tolerance.

    Modeling Nanoparticles Effects on Optimization of Acid Dissolution Performance and Self-diverting in Carbonate Reservoirs and Compare it with Conventional Acid

    Fluid is more mobile in high-permeability media than in low-permeability media; therefore, the acid moves faster in the former. This matters because low-permeability media often need acidizing treatment. At this stage, a diverting agent such as nanoparticles is needed to move the acid to the low-permeability areas. Performing tests for specific conditions in the laboratory requires time and cost, and a test may have to be repeated several times to improve the results. Moreover, the effect of specific parameters on each other and on the test results is unknown. For these reasons, modeling work is needed. The simulation of conventional acid injection was performed to determine the breakthrough volume of the acid without diversion. Next, the properties associated with nanoparticles, such as the movement of nanoparticles in the medium based on the Random Walk Particle Tracking theory, are studied. In addition, a model for investigating attachment and detachment of particles from surfaces is employed. The gel creates resistance in the high-permeability zone, which diverts the acid to the low-permeability media. The amount of gel created depends on the aggregation term. The change in the viscosity of the fluid is computed using the Krieger viscosity model. Finally, the acid is converted into a diverting acid. One important finding of this study is that using gelling acid leads to a lower breakthrough volume; thus, gelling acid is found to be more efficient than conventional acid. Moreover, the addition of nanoparticles decreases the average breakthrough volume by up to 50%.