What it is like to do a PhD in Cryptography

Thursday, 5 May 2016

Amazon Failure - Why I lost my prime membership

Overview - What happened?

I ordered a Now TV Box with 6 Months Entertainment on the 28th April for £18 (discounted price) which is a great price for this gadget,

I received a notification that the order was accepted, and that it would be delivered on Saturday (due to my Prime Membership) which is fantastic.

On Saturday, I noticed on the tracker that the item was out for delivery (great!), but the item never arrived.

On Tuesday, I contacted Amazon to inquiry about the item, and was informed an investigation would be opened to find out the cause. I was also given 30 days extra Amazon Prime for the inconvenience (which I didn't expect... but it was a nice gesture). I informed to get back in contact on the 5th May about the item.

On Thrusday (5th May, Today), I re-contacted Amazon and was informed that the item was lost/damaged. They informed me that a refund would be issued as Amazon has run out of stuck, and then I could re-order from the supplier. Normally, this is OK, but the price has increased from £18 to £38.49.... So I would need to pay an additional £20.49 for the item (i.e. double the price)!!

I told Amazon I would be happy to wait for the item to be re-stocked so I can maintain the discount, but for an unknown reason, this is not possible. I spoke with an adviser, supervisor and manager, and in the end... had to forfeit my prime membership to cover the cost to re-order the item.

Why is this a problem? Amazon guarantees that the delivery will be fulfilled, and due to their mistake, (or whatever the outcome of the internal investigation) I will have to pay double the price for the item. That really is incredibly unfair. I had to request for my prime membership to be cancelled to cover the additional £20 the item, which is a shame, as I order frequently from Amazon (21 orders in the past six months, which is a lot for me!). Oh, and they retracted the 30 days free prime membership...

A transcript of the conversation:

Initial Question: Hi, I got in contact about this order on Monday (maybe Tuesday), and was told to wait until the 5th May before re-contacting. Do you know if there has been an update? I was told there was an investigation open.

10:21 AM BST Kanika(Amazon): Hello, my name is Kanika. I’m sorry to hear about this. I’ll be glad to help you. First of all, can you please verify the name on your account?
10:22 AM BST Patrick Mc Corry: Patrick McCorry
10:23 AM BST Kanika: Thank you for the verification.
I'm really sorry to hear that you haven't received your order yet.
You do not need to be worry, I can help you with this.
May I know the order number, please?
10:23 AM BST Patrick Mc Corry: <blanked out>

10:23 AM BST Kanika: Thank you for providing the order number.
Is this the item "NOW TV Box with 6 Month Entertainment Pass" you are talking about?
10:24 AM BST Patrick Mc Corry: Yeah
10:24 AM BST Kanika: Thanks for the confirmation.
After researching this order, we can presume the item has been lost or damage and can offer you a full refund now.
10:24 AM BST Patrick Mc Corry: Id rather have the item :)
It was on offer at £18, so can I get it re-delivered?
10:25 AM BST Kanika: I wish I could do this for you, however, the item is currently not in stock with us.
10:25 AM BST Patrick Mc Corry: :(
but the item has gone up to £40 now...
10:26 AM BST Patrick Mc Corry: (well £38.49)
so to re-order will cost me approximately £20 extra than I intended
10:28 AM BST Kanika: I do understand your situation in this regards. However, we are unable to match the price for this item because it is beyond my limitation.
Although we work towards offering value to customers on everything we sell on our website through consistently competitive pricing, we realise that from time to time, our customers will be able to buy products from another store at a lower price than ours. We recognise that you have a choice of retailers and are grateful that you’d prefer to order from us.
However, I've forwarded your feedback to the relevant department.
10:28 AM BST Patrick Mc Corry: ??? but a delivery issue is going to cost me double the price of the item!
can you raise it with a manager or something? that seems really unfair
10:28 AM BST Kanika: I can completely understand, If that happened to me, I'd be really upset too. I can imagine how frustrating that must be.
10:29 AM BST Patrick Mc Corry: Did you just copy and paste that?
10:29 AM BST Kanika: My first point of escalation is supervisor, if you wish I can transfer the chat to my supervisor.
10:29 AM BST Patrick Mc Corry: Most people can only type 80 words per second, and that was must faster
10:29 AM BST Kanika: My first point of escalation is supervisor, if you wish I can transfer the chat to my supervisor.
10:29 AM BST Patrick Mc Corry: Please do
10:29 AM BST Kanika: Yes Sure
10:29 AM BST Patrick Mc Corry: but was that a copy and paste?
10:29 AM BST Kanika: Could you please allow me few minutes while I can transfer the chat to my supervisor?

10:29 AM BST Patrick Mc Corry: yes

10:38 AM BST Ashish(Amazon): Hi my name is Ashish and I am one of the Supervisor available on the floor.
Please give me 2 to 3 minutes while I check your chat with our representative.

10:38 AM BST Patrick Mc Corry: thank you :)

10:40 AM BST Ashish: Thank you for your patience.
Patrick, I sincerely apologize for the inconvenience caused to you.

10:41 AM BST Ashish: Patrick, since we could not deliver your parcel, in that case we would have created a replacement of this order. However this item is currently out of stock, so we will not be able to create a replacement of this item. We have processed a refund for the same and you can place a new order with the seller.

10:42 AM BST Patrick Mc Corry: but the item is now £40, and I ordered at £18
that means it is going to cost be double to re-order it?

10:43 AM BST Patrick Mc Corry: I only ordered it because it was on discount - so it is really unfair that I would have to re-order it at full price
I am happy to wait until it is in stock again if that means I get a replacement order for the same price

10:44 AM BST Ashish: I can understand your concern. However I am sorry to say that we will not be able to take care of the increased price.

10:45 AM BST Patrick Mc Corry: That is incredibly unfair, especially since I pay for prime to get next-day delivery, and have had to wait a week just to find out that I am going to have to pay double-the price for an item

10:46 AM BST Patrick Mc Corry: If the item is going to be re-stocked, then I will wait

10:46 AM BST Ashish: I understand that you are a prime customer and we have already extended your prime membership by 30 days.
However we will not be able to take care of the price of the item.

10:47 AM BST Patrick Mc Corry: I'd rather have my £20 discount on that item than an extra 30 days prime... :(
I wouldn't care if the item had increased by £5 or something, but it is literally double the price

10:48 AM BST Patrick Mc Corry: and the only reason I am not getting that discount, is because the Amazon Fulfilled Delivery lost the item.... that is really frustrating
10:51 AM BST Ashish: I can understand the inconvenience you may have faced with this. However we will not be able to take care of the price increased.
10:51 AM BST Patrick Mc Corry: Can you please pass me onto a manager?
10:52 AM BST Ashish: My manager will not be able to match the price as well.
10:52 AM BST Patrick Mc Corry: But can you please?
10:54 AM BST Ashish: Yes I can transfer this chat to my manager. However he is on another chat right now. So it will take sometime to transfer this chat to him.
10:55 AM BST Patrick Mc Corry: thank you :)
11:08 AM BST Ashish: He is still on chat.
Your patience on this would be appreciated.
11:16 AM BST Ashish: Thank you for your patience.
I am transferring your chat to my manager.
11:17 AM BST Patrick Mc Corry: thank you
Hey, okay, so I ordered this item on the 28th April, and I took the day off work on Saturday to wait for its delivery, unfortunately the item never arrived. I contacted Amazon on the Tuesday to ask about why the item had not yet been delivered, and I was informed to wait until the 5th May to re-contact, as an investigation had been opened. I was offered 30 days prime for the delay. I got in contact this morning, and was informed that the delivery could not be fulfilled, and I would receive a refund. Normally, this is OK, as I can re-order the item. However, the item has doubled in price since the time I ordered it on the 28th April, it was £18.99 at the time of ordering, and is now £38.49. So for me to receive the refund and re-order, is making me pay double the price! That is not really fair at all, especially as I took the day off work on Saturday (which is a loss of precious time) to wait for this delivery. I informed your colleague if it made it easier, I would happily wait until the item is re-stocked before it is delivered so I can keep the £18 price that I had paid. For some reason this is not possible (and I have not been told why this is not possible), but is incredibly frustrating, as I will not receive the discount simply because Amazon lost the package!!! :( I am a very patient person, and as long as the item is eventually delivered I do not care, but I am going to be out of pocket for Amazon's mistake.
11:18 AM BST Sandeep(Amazon): Hi my name is Sandeep. I am one of the Supervisor with Amazon.co.uk. Please allow me 2 minutes while I review your chat.
11:22 AM BST Sandeep: Thank you for your patience.
11:23 AM BST Sandeep: Patrick, I am sorry to say Although we work towards offering value to customers on everything we sell on our website through consistently competitive pricing, we realise that from time to time, our customers will be able to buy products from another store at a lower price than ours. We recognise that you have a choice of retailers and are grateful that you’d prefer to order from us.
11:24 AM BST Patrick Mc Corry: I am not getting the discounted item due to your mistake. That is not fiar.
fair*
At the time of ordering, Amazon offered the lowest price, so I ordered from Amazon.
(or at least, the Delivery is Fulfilled by Amazon)
11:25 AM BST Patrick Mc Corry: And Amazon failed to delivery an item which has resulted in me having to pay double the price
Literally double
11:25 AM BST Sandeep: I do understand that Patrick however Please note that in some cases our website offers lower prices via the used and new offerings available from Amazon.co.uk Marketplace sellers.
11:25 AM BST Patrick Mc Corry: Used will not give me the 6 months entertainment package that I wanted
I ordered the item was it was guaranteed by Amazon, not because it was by a third party supplier
As it was*
11:26 AM BST Patrick Mc Corry: You must understand how frustrating it is?
I am willing to wait until Amazon Delivery have it re-stocked, so I can just get the discounted item
11:28 AM BST Sandeep: I can understand your frustration Patrick however we won't be able to do price match for that item.
11:29 AM BST Patrick Mc Corry: I do not want a price match - I just want the item I ordered to be delivered
I mean, it was ordered, out for delivery, and then lost
11:31 AM BST Sandeep: I do understand that Patrick however now price of that item is £38.49 and we won't be able to make any changes with that price.
11:31 AM BST Patrick Mc Corry: I know it is £38.49 that is the problem! :( I do not want you to change that price, I just want you to fulfill my original order
11:32 AM BST Patrick Mc Corry: Or at least cancel my prime, give me my remaining balance, so I know I do not need to waste my money on it
Perhaps then I can use the refund of prime to cover the extra £20 I need to spend!
11:36 AM BST Sandeep: Sure, I can process refund for your prime charge of 7.99 GBP
Is that fine?
11:37 AM BST Patrick Mc Corry: 7.99? my last payment was the 25th December, so it should be £20
or a little more than £20
as I have only used 5 months of it
11:38 AM BST Patrick Mc Corry: £22.75 for 7 remaining months
11:39 AM BST Sandeep: Alright. I will cancelled prime membership from your account and will process refund of 22.75 GBP.
Is that fine ?
11:40 AM BST Patrick Mc Corry: yes thank you
Also, before I leave, will you clarify

1) The outcome of the investigation for the delivery delay?
2) Why it is not possible for an item to be re-stocked to fulfill a previous order?
11:40 AM BST Sandeep: Sure, I will do that for you.
Is there anything else I can help with?
11:41 AM BST Patrick Mc Corry: Also, before I leave, will you clarify
1) The outcome of the investigation for the delivery delay?
2) Why it is not possible for an item to be re-stocked to fulfill a previous order?
11:42 AM BST Sandeep: Patrick, investigation will be internally so we won't be able to get back to you.
Regarding that I will also forward your query to our concern team.
11:43 AM BST Patrick Mc Corry: the concern team is for 2)?
11:43 AM BST Sandeep: Yes Patrick.
11:44 AM BST Patrick Mc Corry: ok thank you
11:45 AM BST Sandeep: You are welcome.
Thank you for contacting Amazon
We hope to see you again soon! Please click the "End Chat" link to close this window.
11:45 AM BST Patrick Mc Corry: I know you dont hope to see me again. Good bye

Wednesday, 25 June 2014

Explanation for multi-signatures in Bitcoin

Today, i'm going to talk about the multi-signature scheme (P2SH) in Bitcoin.

Many sources on the internet explain how to use the multi-signature scheme in the Bitcoin Core Client. However, there appears to be a lack of understanding or at least an explanation about what is actually happening under the hood. So much so that I bet many developers could tell you exactly how to create and sign using a multi-signature scheme, but would not be able to tell you what the new Bitcoin address represents.

What is a multi-signature scheme?

Remember, in Bitcoin, everyone has a Bitcoin address - which is essentially the hash of an ECDSA public key. This means for every Bitcoin address - there is a single ECDSA public/private key pair. (Public key is given to people and the private key is kept secret to sign documents)

This scheme takes a twist on threshold cryptography - this new Bitcoin Address is associated with more than one public key. To spend any bitcoins using this new address - you would need to provide signatures that are associated with more than one public key - that is where we get the name "multi-signature" - as one or more signatures is required!

Let's make this a little bit more concrete before we continue.

The user will create "n" public keys. Let's say the user creates 3 public keys - A,B,C.

The user will also have "m" private keys - associated with each public key - a,b,c.

So now, we have potentially three Bitcoin addresses, (A,a) (B,b) (C,c).

However, we want to create a single Bitcoin address Z that requires at least two signatures to spend any bitcoins.

We call this a 'multisig' address that requires 2 signatures from 3 public keys. I could provide any combination of signatures ab, bc, ac to spend the coins. The important note - is that I do not require ALL three private keys to spend them. I may not even hold all three keys - each key could be given to a separate party (me, arbitrator, merchant).

The reason we use 'm' and 'n' - is because the combination is flexible - you could have a single Bitcoin address Z that is created using up to 20 public keys - but only require 5 private keys to spend it.

How does all this look in the Bitcoin world?

Well - as I mentioned earlier - a Bitcoin address is typically the hash of an ECDSA public key. However, in this case, the Bitcoin address will be the hash of a script... but what is a script?

OP_m <pubKey1> ... <pubKeyN> OP_n OP_CHECKMULTISIG

OP_m - specifies the number of signatures required from the public keys in this script to authorise a payment.

<pubKey1> ... <pubKeyN> - list of public keys that will be associated with this new Bitcoin address

OP_n - specifies the total number of public keys associated with this new Bitcoin address

OP_CHECKMULTISIG - Anchor to inform the Bitcoin Client what to do! (Check that the signatures provided match the public keys provided in the script).

In our trivial example:

2 A B C 3 OP_CHECKMULTISIG

As you can see - it matches the scripts conditions.

Now - how does this become a Bitcoin address?

The script is concatenated and hashed using SHA256 followed by RIPEMD-160. Let's call it H(script) for now. Then, we concatenate a byte to specify the type of address and a 4-byte checksum before encoding it using base58. Lets call this magic art of concatenation and encoding - our multi-sig address Z.

Encode using base58: [one-byte version]||[20-byte hash = H(Script)]||[4-byte checksum]

Now that I have my multisig address Z - how does someone send me money?

It's slightly different than with the traditional Bitcoin address. To send money to your multisig address - the sender will require a slightly different scriptPubKey in their transaction output:

scriptPubKey: OP_HASH160 H(Script) OP_EQUAL

In this case, the sender will use your H(script) as part of the transaction and NOT Z. Remember, Bitcoin addresses are just for our understanding as humans - the protocol does not need to use an explicit Bitcoin address. In this case, H(script) is extracted from Z and placed inside the transaction (remember, the 20-byte hash in the multisig address is H(script)).

Someone has sent me money - how do I spend it?

As normal - your transaction will contain a scriptSig. Infact, the word 'scriptSig' makes more sense for the multi-signature scheme than it does for the traditional signature scheme. I say this because you are providing the script that specifies the conditions for spending the bitcoin (the pre-image of H(Script)) AND the signatures that are relevant for the script! (As such, script and sig are included, so scriptSig).

So in our trivial example, we will provide two signatures for the private keys a,b.

scriptSig: sig(a) sig(b) 2 A B C 3 OP_CHECKMULTISIG

Remember, we sign the hash of the transaction - H(T) - before any signatures have been included in the transaction! Someday I'll write a piece that talks in detail about what exactly is signed.

As you can see - it is the responsibility of the spender to specify the script that is used to redeem the bitcoins. That is why we call the script the redeemScript. So in essence, the scriptsig requires:

scriptSig: ..signatures... <redeemScript>

The fact the spender reveals the redeemScript is useful - the ECDSA public keys are kept secret until the time our bitcoins will be spent. The H(Script) is a commitment to our multisig address and it is assumed in the security of cryptographic hash functions - that it is extremely unlikely that a second pre-image of H(Script) could be found, such that the signatures are not required to spend the bitcoins. (Remember, the scriptPubKey is only seeking a pre-image of H(Script) to be valid, but the pre-image is tied to the script, and this script must be processed to be valid before we consider if the scriptPubKey is valid as well).

Conclusion

I hope you have found this article useful in understanding what is happening under the hood with the multi-signature scheme. All I want you to understand is that the multi-signature scheme requires one or more signatures for a single Bitcoin address and in the end - it is still using single ECDSA public/private key pairs - it is simply, a set of ECDSA public/private key pairs. It is NOT using anything like Shamir's secret - where a single ECDSA private key is fragmented and the fragments are required to produce a single signature.

References:
Multi-sig encoding: http://bitcoin.stackexchange.com/questions/26872/what-cryptographic-operations-are-performed-on-the-3-public-keys-to-produce-a-mu

SHA256 then RIPEMD160: https://en.bitcoin.it/wiki/Script

P2SH: https://en.bitcoin.it/wiki/Transactions

Sunday, 16 June 2013

Introduction

Hi folks,

About me
My name is Patrick McCorry and have recently graduated with a BSc in Computer Science at a Russel Group university. I did not specialise in any field and did a bit of everything (networks, security, real-time programming, databases, graphics, etc). Thankfully, I was lucky to get a 14 month placement in Hursley which allowed me to experience what it is like to work in industry (agile methodologies, plenty of java and a little assembler).

Why a PhD?
I have always wanted to be Dr Patrick McCorry (like most geeks) while I was at school. Of course, I never knew why I wanted to be a Dr (what does being a Doctor really mean? does it have benefits?) and I had no idea what I would do it in! All I knew, is that is what I wanted to do.

When I was working in industry was the first time that I properly considered the advantages and disadvantages of undertaking a PhD. Does a PhD make you more employable? Is it required in this industry which thrives with very frequent innovation? Would I benefit more from having a job in the industry as opposed to self-study?

Thankfully, I was able to meet a lot of Doctors in a variety of fields. Some loved their PhD, some hated it, and some only did it as it was 'natural progression' in academia. What I discussed with these people is a post for another time - but in general these discussions had a general theme -> if you choose to do a PhD - make sure you do it on the right topic! As you are stuck with it for three years.

Returning to university to complete my final year was a strange experience - coming out of a 9 - 5 job and having to do work in the evening / weekends - not many people enjoy that type of change. But, it was during this year that helped me make my decision. I was given the chance to study interesting topics (especially in Cryptography) and found it a challenge to understand - something that industry just did not give me. I did Java most days and was more an engineer than a scientist - I want to explore and learn new things, not connect pipes.

For example, RSA (public key encryption, aka allows you and your mate to chat securely) is based on the difficulty to factorize two prime numbers. Factorizing is something you are taught at school (and I was really bad at!). The fact this simple technique protects me checking my online banking is fascinating. (I know, very sad!)

But then... I was offered a job with an attractive starting salary

At the end of the day, I do believe that money is not everything the world - it is nice to have, but I am a simple person, living a simple life - I don't know what I would do with a lot of money! (probably have a stash of Jaffa Cakes). I decided that doing a PhD would be more interesting and rewarding. Why? I get the chance to learn - to be more educated, explore topics that have changed the world and in the future people could be studying the work that I undertake in academia.

Why this blog?
Making the decision to do a PhD instead of getting a graduate role is the most difficult thing I have ever had to do in my life. In the end I might end up getting a graduate role after these three years like the Doctors at Hursley. Documenting my experiences of further study may help someone in the future to make the same decision. After all, knowledge is power - and understanding the choice you make will affect your future career, relationships and wealth. I hope you enjoy my blog, and if you know someone who is thinking of doing a PhD, make sure to share it with them!