Montgomery Multiplication - worked numerical examples

1. Montgomery multiplication

1.1. Single-precision Montgomery multiplication

1.1.1. Description

Montgomery multiplication works out xyR^–1 mod N without division, where R > N and gcd(R, N) = 1 on the condition of xy < RN.

In practice, N is chosen to be odd and R in form of 2ⁿ with R > N.

Montgomery multiplication: montMUL(x, y, N, R) = xyR^–1 mod N

Input:  x < N

y < N

N, the modulus, odd

            R, R > N  and R in the form of 2ⁿ for an n.

Output: xyR^-1 mod N

Procedure montMUL(x, y, N, R):

1.    J = -N^–1 mod R; // can be pre-calculated see Algorithm J.

2.    T = x*y ;

3.    q = (T mod R)*J mod R;

4.    t = (T + q*N)/R;

5.    if (t ³ N)

6.        return t - N;

7.    else

8.        return t ;

End_of_procedure

Because R is chosen as R = 2ⁿ, the divisions by R, at Line 3 and Line 4, are simply value extractions.

1.1.2. Numerical example

Given x = 5, y = 10, N = 13, calculate xy mod N with Montgomery arithmetic.

Step 1: We represent all the numbers in hexadecimal as follows:

x = 5;

y = A;

N = D;

Step 2: The R can be chosen R = 0x10. (note: the 10 is 16 in decimal)

Step 3: Calculate constants J and H as follows:

J = -N^–1 mod R = -D^-1 mod 10 = B.

H = R² mod N = 10 mod D = 9.

Step 4: Applying single-precision montMUL(x, y, N, R) as follows:

1.    J = B // pre-calculated

2.    T = x*y = 5*A = 3C.

3.    q = (T mod R)*J mod R = (3C mod 10)*B mod 10 = C*B mod 10 = 84 mod 10 = 4.

4.    t = (T + q*N) /R = (3C + 4*D)/10 = 70/10= 7 (< N)

\ xyR^–1 mod N = 7

Step 5: Calculating montMUL(xyR^–1 mod N, H) = xy mod N:

1.    J = B; H = 9; // pre-calculated

2.    T = 7*9 = 3F;

3.    q = F*B mod 10 = A5 mod 10 = 5;

4.    t = (3F + 5*D)/10 = 80/10 = 8;

\ xy mod N = 8.

1.2. Multi-precision Montgomery multiplication

1.2.1. Description

In the multi-precision case of Montgomery multiplication, it is convenient to choose R = (2^w)ⁿ, where w is the number of bits of a CPU word and the n is the number of CPU words that the R occupies.

The following procedure works out xyR^-1 mod N in multi-precision case for an odd N.

Multi-precision Montgomery multiplication: montMUL(x, y, N, R) = xyR^–1 mod N

Input:   x[s-1, … , 0]

y[s-1, … , 0]

N[s-1, … , 0]

Output:

t[2s-1, … , s] = xyR^-1 mod N

Local variables:

t[2s, 2s-1, … , s , s – 1, … , 0] // 2s + 1 words

c, d, and q, 1-word registers

Procedure: montMUL(x, y, N, R)

1.    J = -N[0]^–1 mod 2^w // can be pre-calculated by Algorithm J. Note: here J is only one CPU word */

2.    t[2s] = 0; t[2s – 1, … , 0] = x*y; // 2s + 1 words

3.    for i = 0 to s –1 // from right to left

4.    {

5.        c = 0;        // c is the carry

6.        q = t[i]*J mod 2^w; // take the lower half

7.        for j = 0 to s – 1

8.        {

9.            (c,d) = t[i +j ] + q*N[j] + c;

10.           t[i + j] = d;

11.       }

12.       t[2s, … , i + s] = t[2s, … , i + s] + c;

13.   }

14.   if  t[2s, 2s–1, … , s] > N // can be optimised

15.       then  t[2s, 2s–1, … , s] = t[2s, 2s–1, … , s] – N;

16.   return t[2s–1, … , s]; // note the difference

End_of_procedure

1.2.2. Numerical example

Given x = 93, y = 167, N = 237 in decimals, calculate xy mod N with multi-precision Montgomery multiplication.

Pencil and paper: 93*126 mod 237 = 126

Step 1: We represent all the numbers in hexadecimal as follows:

x = 0x5D;

y = 0xA7;

N = 0xED; // N[1] = 0xE, N[0] = 0xD;

Step 2: The R is chosen R = 0x100. (note: 0x100 is 256 in decimal)

Step 3: Calculate constants J and H as follows:

J = -N[0]^–1 mod R = -D^-1 mod 10 = B;

H = R² mod N = 10000 mod ED = 7C;

Step 4: Applying multi-precision montMUL(x, y) as follows: (s = 2)

1.    J = B; // pre-calculated

2.    t[4,3,2,1,0] = (0, x*y) = (0, 5D*A7) = 03CAB

3.    i = 0

4.    { // the i = 0 loop

5.        c = 0;

6.        q = t[0]*J mod 10 = B*B mod 10 = 79 mod 10 = 9

7.        j = 0

8.        { the j = 0 loop

9.            (c,d) = t[0 + 0] + q*N[0] + 0 = B + 9*D + 0 = 80

         //c = 8 and d = 0 at this point;

10.           t[0 + 0] = t[0] = d = 0;

11.       } // j += 1; Line 8

8.        {the j = 1 loop

9.            (c,d) = t[0 + 1] + q*N[1] + 8 = A + 9*E + 8 = 90

        // c = 9, d = 0

10.           t[0 + 1] = t[1] = d = 0;

11.       } // j+= 1; j = 2 now and exit of loop j

    // t[4,3,2,1,0] = 03C00 now

12.       t[4,3,2] = t[4,3,2] + c = 03C + 9 = 045;

    // t[4,3,2,1,0] = 04500 now

13.   } // i += 1 and go to Line 4

4.    {   i = 1

5.        c = 0;

6.        q = t[1]*J mod 10 = 0*J mod 10 = 0;

7.        j = 0;

8.        { the j = 0 loop

9.            (c,d) = t[1] + 0 + 0 = 00;

        // c = 0, d = 0;

10.           t[1 + 0] = t[1] = d = 0;

11.       } // j += 1 and go to Line 8

8.        { j = 1 loop

9.            (c,d) = t[2] + 0 + 0 = 05;

        // c = 0, d = 5;

10.           t[1 + 1] = t[2] = d = 5;

11.       } // j += 1; j = 2, exits

    // t[4,3,2,1,0] = 04500

12.       t[4,3] = t[4,3] + c = 04 + 0 = 04;

13.   } // i += 1. exit

// t[4,3,2,1,0] = 04500;

14.   045 < ED; // N = 0xED

15.   // nothing

16.   return t[3,2] = 45;

\5D*A7*R^–1 mod N = 0x45;

Step 5: By applying montMUL() again to achieve

montMUL(45,H) = montMUL(45,7C)= 0x7E. (126 in decimal)

1.3. J, the inverse of –N modulo 2^w

As we can see, an efficient algorithm is needed to work out the J  in the above two algorithms. The J can be calculated either by a general Extended Euclidean Algorithm or by the Algorithm J below which takes advantage of R = 2^w.

Algorithm J: J = – N^–1 mod 2^w

Input:  N

Output:          

J = – N^–1 mod 2^w

Procedure: J = montJ(N)

1.    A = 1; // A is a local variable

2.    for i = 0 to w – 1 // lsb to msb

3.    {

4.        if (A is odd) then // the lsb == 0

5.            J(bit i) = 1; // the i-th bit of J

6.        else

7.            J(bit i) = 0;

8.        A = (A + J(bit i)*N)/2;

9.    }

End_of_procedure

Correctness proof: use exists k, such that JN + 1 = k2^w .

In implementation, the bit i of J is right-shifted into J not by setting bits.

2. Montgomery arithmetic

2.1. Normal domain vs. Montgomery domain

We loosely say an integer ring, Z_N or a GF(p), which we normally deal with, as normal domains. For an odd N, as well as p, and an R in the form of 2ⁿ, greater than N, we can make a 1-to-1 mapping as follows:

Given N and R, we have

1.     montMUL(x, H) = xR mod N

2.     montMUL(xR, 1) = x mod N

3.     montMUL(xR, yR) = xyR mod N (Montgomery domain is closed)

4.     montEXP(xR, k) = x^kR mod N (Montgomery exponentiation)

To perform the above, we need to calculate:

1.     J =  –N^–1 mod R

2.     H = R² mod N

Sometimes, in Elliptic Curves Cryptography, we may need

            U = R³ mod N

which can be achieved by U = montMUL(H, H) = R³ mod N and used for

montMUL(x^–1R^–1, U) = x^–1R mod N

to adjust an inverse, achieved by the Extended Euclidean Algorithm, back to the Montgomery domain.

3. Further readings and studies

The following papers are recommended:

1.     Peter L. Montgomery, "Modular multiplication without trial division". Mathematics of Computation. 44: 519–521, 1985

2.     C. K. Koc, T. Acar and B. Kaliski, “Analyzing and Comparing Montgomery Multiplication Algorithms”, IEEE Micro, 16(3):26-33, June 1996

3.     B. Kaliski, “The Montgomery inverse and its applications”, IEEE Transactions on Computers (Volume: 44 , Issue: 8 , Aug 1995

The above #1 is classic, which provides the theory.

The #2 is a good refence for implementation considerations. When a designer is given a CPU architecture, it would be very helpful to study this paper before coding.

The #3 provides an alternative for obtaining inverse in Montgomery domain to the method mentioned in section 2.2. Commonly used arithmetic.

It is recommended to make a worked numerical example of Algorithm J with N = 0xD (1101) and w = 4 by completing the following table:

i	Bit i	A + J(bit i)*N	A
-	-	-	0001
0	1	01110	0111
1	1	?	?
2	0	?	?
3	1	?	?

 J = 1011 = 0xB

Montgomery Multiplication – a three-page paper

In early June, I learned recently that Peter L. Montgomery passed away in February 2020. I felt a loss immediately and couldn’t help but wrote this small essay in LinkedIn as a tribute to him. I revise the original write-up a bit and publish it here.

Although I never met him in person, his three-page paper, “Peter L. Montgomery (1985). "Modular multiplication without trial division". Mathematics of Computation. 44: 519–521”, had a very big impact on my career in cryptography.

After completing a full RSA library using the Classical method in 1988 (see https://cryptoandsecurity.blogspot.com/2018/02/rsa-and-me-30-years-after-my-first.html), I come across Jun Fang who just came back from Paris after his PhD study and he told me the Montgomery Multiplication. I managed to get a photocopy of this paper and studied it with great care.

I didn’t implement Montgomery Multiplication that time because the change of the underlying modular multiplication method would incur a re-development of the RSA library. In addition, my own RSA implementation was very efficient. But, I didn’t forget this method and kept this photocopy. From time to time, I made remarks on it, some about mathematics, some about programming. Amazingly, it’s been with me since.

Although this paper is of three pages, page 3 is actually a short reference list.

In 1996, when I went to bonnie Scotland to take a position as a Senior Cryptographer in Motorola SPS, I was expected to help the IC design team to implement a Montgomery engine. I didn’t write code for implementation, but generated numerical worked examples to show how each step the multi-precision Montgomery Multiplication worked to help the IC design engineers to microcode a hardware multiplication block.

Around 1997, the rise of Elliptic Curve Cryptography (ECC) called the need of an ECC library. I started to write an ECC library and had chance to implement Montgomery Multiplication properly. Combined with Burt Kaliski Jr’s “The Montgomery inverse and its applications, IEEE Transactions on Computers (Volume: 44 , Issue: 8 , Aug 1995 )”, a fully streamlined ECC library was developed. I had chance to verify the correctness of the library but didn’t have chance to benchmark it. Motorola SPS sold its Smartcard business to Atmel and I was later transferred to Motorola / Freescale NCSG.

That time, NCSG supplied Apple for the G4 (7457) processor which had a vector engine AltiVec® (https://en.wikipedia.org/wiki/AltiVec) as part of the PowerPC ISA. I got chance to develop RSA on the mini supercomputer for benchmark purpose. This time, the Montgomery Multiplication was implemented with the AltiVec® vector engine (Solving Sequential Problems in Parallel – An SIMD Solution to RSA Cryptography, Jan 2, 2007, AN3057, Freescale) with the performance of “3.72ms per signing, 1024 bit RSA @1GHz 7457”.

Montgomery Multiplication is fast because it does not need the correction steps as other methods (Classical, Sedlek, and Barret), an important performance feature for long pipeline super-scalar CPU architecture. It is just naturally 10 to 20 percent faster than any other methods.

In addition to Montgomery Multiplication, Montgomery Powering Ladder and Montgomery Elliptic Curves are often referred in the crypto and security community.

Peter L. Montgomery, R.I.P. Your legacy will be with us for a long time.

A Brief Introduction to Blockchain

[my personal opinion]

Laterally, blockchain is a set of chained blocks and each block is like a tamper-proof container which holds genuine information. The "tamper-proof" here means that any unauthorised change to a block will be detected. 

We can also make a descriptive definition close to blockchain implementation:

A blockchain is a smart ledger which has many identical copies on the Internet. When one copy is legitimately updated, all the other copies can verify the legitimacy of the update and make the same update on themselves to have all copies synchronised to be identical. Here, we can imagine an entry of the smart ledger is a block.

It is important to note that a blockchain can be legitimately updated, and after this update, the blockchain can no longer be changed. Any attempt to fraudulently tamper a blockchain is either infeasible technically or detectable logically.

The technology behind blockchain actually is very matured, mainly including:

1. Merkle Trees
2. Schnorr Signatures
3. Fiat Shamir and Pedersen Commitments
4. Hash Cash, which is a proof of work of a CPU that works out a hash value meeting some special requirement such that the hash value must have 20 leading 0’s. If an CPU can prove its work, it will earn an amount of Hash Cash.

All of them were from 1980s or 1990s, but the blockchain technology nicely fits them together to provide new applications for the digital age.

The above terminology is from data security. A blockchain user does not have to know all the technical details and can take them as what they are because they have been successfully applied to Bitcoin (see Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System, www.bitcoin.org, 31 Oct 2008). The security of Bitcoin has been proven credible and the blockchain that implemented Bitcoin has withstood various malicious attacks. No exploitable weakness has been exposed.

Anyway, what is really a blockchain? In this post, we use a simplistic version of digital currency to describe its main features. Details of blockchain needs to study Satoshi’s paper.

We use an imaginary D-coin, a digital currency, to describe the concept of blockchain, followed by a blockchain application for counterfeit prevention.

Assume in a sovereignty country, all its citizens and enterprises use the D-coin as the only currency, nothing else. The history of transactions of any D-coin, from its creation to its every transaction to date, is recorded in an open ledger which has many (the total number may vary) copies on the Internet. All the copies of the open ledger are identical and each copy is “smart”, which is able to fulfil all the functions that we just mentioned above (Merkle Trees, Schnorr Signature …). This open ledger is called the D-coin blockchain.

Here, we must emphasize that the origin of a D-coin is genuine, not fake. For example, a D-coin is issued by the national bank of this sovereignty country, bonded with its verifiable electronic signature. Everyone accepts it with no dispute.

When we say a D-coin is issued to someone, we really mean that the D-coin is added to the D-coin blockchain or the “D-coin open ledger” as follows (we denote […] as a block of transaction and + as concatenation):

Time_0:

[D-coin#1: Alex] + [D-coin#2: Alex] + [D-coin#3: Alex] +

[D-coin#4: Bella] + [D-coin#5: Bella] +

… +

[D-coin#500: MarketLee] + all MarkektLee’s D-coins + [D-coin#999: MarketLee] +

Other@Time_0

The D-coin blockchain can be visualised as that many blocks are interlocked (chained) together. Each block contains the transaction history of a D-coin. The detail of chaining is described in the technical note below but we can just simplistically accept it as that tampering a block will destroy the chain. The technical note below is for those who are interested in technical details of chaining.

Technical note:

Every block is prefixed with a “lucky number”, denoted as LuckyNbr, and suffixed with a “block serial number”, denoted as BlockNbr. So, the [D-coin#1: Alex] @Time 0 is organised as 

        [LuckyNbr + D-coin#1: Alex + BlockNbr] 

where the BlockNbr is required to have a specified format, such as to have 20 leading 0’s and the LuckyNbr is a random number that makes the BlockNbr, which is a hash value as

BlockNbr = Hash(previous_BlockNbr + LuckyNbr + [Transaction Content]) where the [Transaction Content] is "D-coin#1: Alex", the D-coin#1's current transaction history

to meet the required format where the previous_BlockNbr is previous block’s “block serial number”. In this way, all the blocks are chained together. For details, see Satoshi’s paper.

There are many copies of the ledger on the Internet, which can be looked up by anyone, anytime, anywhere. If a copy is different from the others, the copy is deemed to be fake. As we will see later, it is not easy to tamper the ledger fraudulently and any seemingly successful tampering will be detected immediately by logic.

From the above open D-coin ledger, it is clear that Alex owns 3 D-coins, Bella 2 and MarketLee 500.

When Alex needs to purchase something from MarketLee with 1 D-coin (this is to simplify the description. The principle is the same when 0.1 D-coin or 1.5 D-coin are spent), he can make a transaction request as “Transfer D-coin#1 to MarketLee, signed by Alex”.

MarketLee can verify the authenticity of the transaction request by checking Alex’s electronic signature. But, to make the transaction legitimate, such that this is not a double-spending D-coin, and to make sure that MarkettLee has really received this payment, the transaction must be recorded in the open ledger, resulting in an update like:

  Time_1:

[D-coin#1: Alex] + [D-coin#2: Alex] + [D-coin#3: Alex] +

[D-coin#4: Bella] + [D-coin#5: Bella] +

… +

[D-coin#500: MarketLee] + all MarketLee’s D-coins + [D-coin#999: MarketLee] +

Other@Time_0 + …

Other@Time_1 +

[D-coin#1: Alex : MarketLee]

Looking at this open ledger again, with a little calculation, we can see that Alex now owns 2 D-coins, Bella 2, and MarketLee 501.

We mentioned that there are many copies of this open ledger. How do they get synchronised to be identical?

In fact, a copy of the D-coin blockchain is hosted in a network server which is called a miner or a mining machine, who can add a transaction to the blockchain legitimately.

But, what does “add a transaction to the blockchain legitimately” really mean? It means that a miner has to find a LuckNbr which generates a legitimate BlockNbr for this transaction (see the Technical note above).

And, why a miner is willing to do this hard work by trying numerous random numbers to find the LuckyNbr? This is because they can prove their work to earn the Hash Cash.

The source of Hash Cash varies. For simplicity, we assume the sovereignty state rewards 0.1 D-coin to a miner who has successfully added a transaction record to the D-coin blockchain.

Technical note: The design of Bitcoin makes it is more profitable to update the Bitcoin blockchain, by adding a new transaction or fining a new Bitcoin than to attack it. Details see Satoshi’s paper.

When a transaction is successfully added into a copy of the D-coin blockchain, i.e. a LuckyNbr has been found by a lucky miner, the lucky miner will inform all the other miners immediately. Other miners will do the following:

1. Verify the authenticity of the transaction – this can be done by verify Alex’s signature.
2. Verify the integrity of the lucky miner’s copy of blockchain – this can be done by check the LuckyNbr.
3. Check if their copies are consistent with the lucky miner’s copy. That is, are their copies the same as the lucky miner’s copy before the new transaction.
4. Many other checks can be performed such as if the D-coin is owned by others (double-spending) or if Alex has enough funds.
5. Update their own copies to make them identical to the lucky miner’s if no discrepancy is detected.

In this way, all the miners are having the same copy of the D-coin blockchain and the blockchain is successfully updated.

Note: everyone can look up the D-coin blockchain everywhere at any time. In addition, everyone is assumed to have their own D-coin account, so they know how much money in their account. For example, Alex knows he has 2 D-coins in his account but he may not care about which D-coin numbers they are, just like not many people pay attention on the serial number on their cash notes, as long as those are not fake money.

From here we can see, a blockchain is just a ledger system. Under this system, a transaction record can be added legitimately and upon a successful update, any illegitimate tampering will be detected.

The following attack scenarios show how it works:

Case 1:

Hacker Harry has hacked into miner X and he wants to add a transaction “D-coin#2: transfer to Harry, signed by Alex”. Because Harry doesn’t own Alex’s signature. As soon as this transaction appears, everyone knows it fake and informs miner X. This kind of attacks is infeasible.

Case 2:
Assume we are at Time_2, and Some transactions have happened in the D-coin blockchain since Time_1. For simplicity of description, we assume there is one transaction happened on D-coin#1 as “transfer to WholeSaleMay, signed by MarketLee”. At this point, the D-coin blockchain looks like:

  Time_2:

[D-coin#1: Alex] + [D-coin#2: Alex] + [D-coin#3: Alex] +

[D-coin#4: Bella] + [D-coin#5: Bella] +

… +

[D-coin#500: MarketLee] + all MarketLee’s D-coins + [D-coin#999: MarketLee] +

Other@Time_0 + …

Other@Time_1 +

[D-coin#1: Alex : MarketLee] + Other transactions +

[D-coin#1: Alex : MarketLee : WholeSaleMay] +

Other@Time_2

Alex, the covert hacker, cannot simply remove the previous transaction [D-coin#1: Alex : MarketLee] with all the other subsequent transactions to claims he has successfully updated the D-coin blockchain because his copy will be backtracked to Time_0 and will be greatly shortened. No one would accept has copy of blockchain. This tampering will be detected immediately. This attack won’t work.

Can Alex tamper his legitimate transaction [D-coin#1: Alex : MarketLee] into [D-coin#1: Transfer 0.1 value to MarketLee]? Alex has his own signature and he of course can make such a transaction request. However, to maintain the integrity of his copy of the D-coin blockchain, he needs to find the LuckyNbr of this tampered block. This results in a different BlockNbr which is the input for calculating next_BlockNbr. To achieve a legitimate next_BlockNbr in his copy, Alex needs to recalculate the LuckyNbr for the next block, damaging another BlockNbr.

So, if Alex wants to make his copy look legitimate, he has to re-work out all the LuckyNbr’s along the D-coin blockchain of his copy to “Other@Time_2” and to be faster than the total computation power of all others. He has to produce a longest blockchain with all blocks legitimate.

The motive for Alex to do so is hard to justify. The first is that Alex will lose a lot of Hash Cash, the second is he has to have a bigger computation power than all others combined, and the third even if he succeeds to update his copy he will be detected as a hacker because he has a different seemingly legitimate copy of the D-coin blockchain. No one would accept his copy.

In Satoshi’s paper (Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System, www.bitcoin.org, 31 Oct 2008”), many other attack scenarios have been discussed, such as multiple miners collaborate to attack the Bitcoin blockchain, which was shown to be infeasible. The paper also shows how to solve the case that two miners succeed to add the same block into the Bitcoin blockchain and how to achieve anonymity (i.e. the SK-PK-Address arrangement).

The above describes the main features of a blockchain. For those who are not interested in blockchain technical details, a blockchain can be simplistically regarded as an open ledger with many identical copies on the Internet. All these copies can be legitimately updated simultaneously but cannot be illegitimately tampered.

In addition to implementing digital currency, there are many other applications of blockchain technology, for example, counterfeit prevention.

We use a purely fictitious example, Bella buying an LV (Luxurious Venus) bag,  to demonstrate its potential application in logistics market. This example is to show potential applications of blockchains, not for accuracy.

When LV produced an LV bag for Vendor A, LV assigns a unique serial number, such as LV#1, to the bag and register, legitimately, LV#1 and this bag’s features in to the LV-blockchain as

  Time_0：

[LV#1: sold to vendor A] + [LV#2: sold to vendor A] + … + [LV#100: sold to vendor A]

[LV#101: sold to vendor B] + [LV#102: sold to vendor C] + …

Here, we must emphasize: all the bags sold by LV are genuine at the origin –  we do not discuss LV making counterfeits themselves.

Just like the example of the D-coin blockchain, as soon as a bag is added into the LV blockchain, the bag’s history, such as [LV#1: sold to vendor A] can no longer to be tampered.

Before Bella makes the purchase, she checks the LV blockchain, for example, to see if this bag has been sold  (actually, it is her ShoppingApp that performs all the checks for her) because there shouldn’t be two LV bags having the same serial number.

After validating Vendor A and LV#1, Bella uses her D-coin for the payment and the LV blockchain records this transaction. The deal is done. At this point, the LV-blockchain looks like:

  Time_1:

[LV#1: sold to vendor A] + [LV#2: sold to vendor A] + … + [LV#100: sold to vendor A]

[LV#101: sold to vendor B] + [LV#102: sold to vendor C] + … +

[LV#1: sold to vendor A : sold to Bella]

Would an LV vendor attempt to sell a counterfeit? If a vendor sells a counterfeit, then what the vendor is going to do with the authentic one (say, it is LV#1)? It is impossible to re-sell it because the authentic one’s serial number LV#1 has been added into the LV blockchain, in the block [LV#1: sold to Bella by Vendor A], just like the D-coin blockchain, no double-spending.

Will the vendor keep the authentic bag for their own use? Then, what’s the point to sell a counterfeit? They not only spend money on buying a counterfeit, but also risk the loss of doing business with LV. It’ll be much better they enjoy the authentic bag themselves and then sell is as a refurbished one. Save the money of buying a counterfeit.

Can the vendor re-sell it? This authentic bag has lost its unique LV serial number. It can only be sold as a counterfeit!

Can it be a gift to a friend? It is like spend a fortune to buy counterfeit as a gift. Not a good idea. Of course, if the vendor just determined to do so, no one can help. The vendor can just pray his fraud not being found and not losing his business with LV.

Another scenario, could a Vender X sell a counterfeit LV bag and label it as LV#1, because they know LV#1 is a legitimate serial number? No, they can't. When Bella is online browsing LV bags and she finds the Vendor X’s LV#1 is very reasonable, will Bella buy LV#1? No, she won’t, because her ShpooingApp immediately detects the vendor is wrong. Vendor X is exposed as a fraudster.

In terms of selling counterfeit directly, it is a counterfeit because it won’t be in the LV blockchain. No one would be interested in taking it as an authentic.

There are many applications of blockchain, such as birth certificates, smart contracts, legal documents, and traceability of organic foods. We do not get into their implementation details. The success of Bitcoin (www.bitcoin.org) makes people to believe the blockchain technology is feasible, although it costs a huge amount computation power and needs high-speed communication infrastructure.

To summarise, from a user’s point of view, a blockchain can be simplistically regarded as an open ledger which can be legitimately updated but infeasible to be tampered and can be looked up by anyone, anytime and anywhere.

A post remark: the first version was published on an Internet forum anonymously and it was visited 15,000 times in two days, with some questions asked. I provide a short Q&A as follows in this version.

Q: Is blockchain secure?

A: It should be able to reach a very high level of security assurance though nothing is absolute. Bitcoin has provided a positive example.

Q: Can blockchain protect privacy, such as not being under surveillance?

A: It depends which model is chosen. If an open-anonymity model, like Bitcoin, is used, privacy can be protected. This has been in practice for a long time. However, it results in decentralisation which some organisations or regimes do not like.

On the other hand, a blockchain can be managed by, say, a consortium, which results in limited decentralisation. In this way, the update of blockchain can be very fast because miners do not need to prove their work. Furthermore, it is possible to implement limited offline transaction such as a transaction can be completed by touching two mobile phones. But, in the end, the consortium is able to trace every transaction.

In terms of the implementation details of anonymity of blockchain, please see Satoshi’s paper.

Q: Will quantum computers crush blockchains?

A: Quantum computers will have impact on blockchains, especially those based on elliptic curve cryptography. However, the post quantum cryptography are getting matured (see https://csrc.nist.gov/Projects/Post-Quantum-Cryptography). Any design of large-scale new blockchain will take it into account.

[End of post]

On Handling Sensitive Information

Sir Kim Darroch, UK ambassador to US,  resigned in Trump leaks row. In the news, his email of assessing the Trump administration around 2007, which criticized Trump. was maliciously leaked. It is said an investigation has been launched.

It is very unfortunate to the US-UK relationship, but it shows the importance of handling sensitive information. The Foreign Office estimated it could be around 100 people having access to this email. A question is: do they all need to read it? Another unknown is whether there were any handlers in-between? Furthermore, for the leaked information, is there a mechanism allowing investigators to trace back to the source?

In handling sensitive information, a mechanism for traceability is critical, which not only helps aftermath investigation, but also deters potential culprits.
When handling sensitive information, both confidentiality and traceability must be carefully instated.