catena: preventing lies withrjwalls/nesd/slides/catena...catena: preventing lies with alin tomescu...
TRANSCRIPT
Catena: Preventing Lies with
Alin [email protected]
MIT CSAIL
November 28th, 2016
Srinivas [email protected]
MIT CSAIL
New England Security Day (NESD), Fall '16
The problem: Equivocation
The problem: Equivocation
Good: "Stating the same thing to all people."
Public-key directory
PKA PKB
Bob
Alice
Statement S
Public-key directory
BobPK'A PKB
Bad: "Stating different things to different people.'"
The problem: Equivocation
Statement S
Public-key directory
PKA PK'BAlice
BobPK'A PKB
Bad: "Stating different things to different people.'"
The problem: Equivocation
Statement S
Statement S'
Public-key directory
BobPK'A PKB
PKA PK'BAlice
MITM
Bad: "Stating different things to different people.'"
The problem: Equivocation
Statement S
Statement S'
Why is non-equivocation important?
Why is non-equivocation important?
Public-key distribution- HTTPS- Secure messaging- Security research often assumes a PKI
Why is non-equivocation important?
Public-key distribution- HTTPS- Secure messaging- Security research often assumes a PKI
Tor Directory Servers
Why is non-equivocation important?
Public-key distribution- HTTPS- Secure messaging- Security research often assumes a PKI
Tor Directory Servers
Software transparency schemes- Apple vs. FBI
Previous work
Previous work
Can detect, but not prevent equivocation with gossip.
Previous work
Can detect, but not prevent equivocation with gossip.
Must download 90 GB of blockchain data.
Previous work
CoSi(S&P '16)
Can detect, but not prevent equivocation with gossip.
Must download 90 GB of blockchain data.
Requires a large, diverse, trustworthy set of witnesses.
Previous work
CoSi
"Liar, liar, coins on fire!" (CCS '15)
(S&P '16)
Can detect, but not prevent equivocation with gossip.
Must download 90 GB of blockchain data.
Requires a large, diverse, trustworthy set of witnesses.
Only disincentivizes equivocation. Vulnerable to malicious outsiders.
Key idea
Key ideaEfficiently use Bitcoin's mechanism that prevents double spends as a proof of non-equivocation.
Key idea
TX1
TX'2
TX2
Efficiently use Bitcoin's mechanism that prevents double spends as a proof of non-equivocation.
Key idea
TX1
TX'2
TX2
Efficiently use Bitcoin's mechanism that prevents double spends as a proof of non-equivocation.
s1
s2
s'2
Results- Bitcoin-based tamper-evident log
Results- Bitcoin-based tamper-evident log- As hard-to-fork as the Bitcoin blockchain
Results- Bitcoin-based tamper-evident log- As hard-to-fork as the Bitcoin blockchain- Efficient to audit: 620 bytes / statement + 80 bytes / block
Results- Bitcoin-based tamper-evident log- As hard-to-fork as the Bitcoin blockchain- Efficient to audit: 620 bytes / statement + 80 bytes / block
Java implem
entation
in 3500 SLOC
Bitcoin transactions
Bitcoin transactions
1. Generate coins (assigns them to a PK)
TXa
Bitcoin transactions
1. Generate coins (assigns them to a PK)
TXa
〈2Ƀ, PK〉
Bitcoin transactions
1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a
signature under old PK)
TXa TXb
〈2Ƀ, PK〉
Bitcoin transactions
1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a
signature under old PK)
TXa TXb
SigPK(TXa:0, TXb)〈2Ƀ, PK〉
Bitcoin transactions
1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a
signature under old PK)
TXa TXb
〈2Ƀ, PK〉 〈1Ƀ, PK'〉SigPK(TXa:0, TXb)
Bitcoin transactions
1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a
signature under old PK)
TXa TXb
1Ƀ TX fee!
〈2Ƀ, PK〉 〈1Ƀ, PK'〉SigPK(TXa:0, TXb)
Bitcoin transactions
1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a
signature under old PK)
TXi
TXa TXb
Bitcoin transactions
1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a
signature under old PK)
TXi
TXa TXb
Bitcoin transactions
1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a
signature under old PK)
TXi
TXa TXb
Bitcoin blockchain
Bitcoin blockchain
Block i Block j Block n
1. The time-ordered log of valid transactions (PoW consensus)
txitxjtxa
Bitcoin blockchain
Block i Block j Block n
1. The time-ordered log of valid transactions (PoW consensus)
txb
txitxjtxa
txb
Bitcoin blockchain
Block i Block j Block n
1. The time-ordered log of valid transactions (PoW consensus)2. No double spends: A transaction output can only be referred
to by a single transaction input.
Bitcoin blockchain
txitxjtxa
txk
Block i Block j Block n
1. The time-ordered log of valid transactions (PoW consensus)2. No double spends: A transaction output can only be referred
to by a single transaction input.
txb
Bitcoin blockchain
txitxjtxa
txk
Block i Block j
1. The time-ordered log of valid transactions (PoW consensus)2. No double spends: A transaction output can only be referred
to by a single transaction input.
txb
Blockchain forks ⇔ Double-spent coinsBlock n'
Block n
Catena transaction format
Catena transaction format
txi
<data>
Catena transaction format
txi
<data>
Coins from server for paying TX fees(digital signature)
Catena transaction format
txi
<data>
"Change" coins back to server(public key)
Coins from server for paying TX fees(digital signature)
Catena transaction format
txi"Change" coins back to server(public key)
Unspendable OP_RETURN output with arbitrary data
Coins from server for paying TX fees(digital signature)
<data>
Catena transaction format
txi"Change" coins back to server(public key)
Unspendable OP_RETURN output with arbitrary data
Coins from server for paying TX fees(digital signature)
A single spendable output ⇒ No forks txjtxi
txk
<data>
Catena log server
Catena design
Transaction fee funds
GTX
Block i
Catena design
Genesis TXNCatena
log server
n
s1GTX
Block i Block j
Catena design
Catena log server
n TX1
n s1GTX TX1
Block i Block j
Catena design
s2TX2
Block n
Catena log server
s1GTX
Block i Block j
Catena log server
Catena design
s2
Block n
Next,
unique s3
n TX1 TX2
s1GTX
Block i Block j
Catena log server
Catena design
s2
Block n
Next,
unique s3
Advantages: (1) Hard to fork (2) Efficient to verify
n TX1 TX2
s1GTX
Block i Block j
Catena log server
Catena design
s2
Block n
Advantages: (1) Hard to fork (2) Efficient to verify
Disadvantages: (1) 6-block confirmation delay(2) 1 statement every 10 minutes
n TX1 TX2
Next,
unique s3
Client bandwidth
Client bandwidth
n block headers + k statements(80 bytes each) (around 600 bytes each)
Client bandwidth
e.g., 440K block headers + 10K statements = ~41 MB (80 bytes each) (around 600 bytes each)
Conclusions
- Efficient Bitcoin witnessing is possible!- ~40 MB instead of 90 GB bandwidth overhead
Conclusions
- Efficient Bitcoin witnessing is possible!- ~40 MB instead of 90 GB bandwidth overhead
- Important applications- Public-key directories- Tor Consensus Transparency- Software transparency schemes
Conclusions
- Efficient Bitcoin witnessing is possible!- ~40 MB instead of 90 GB bandwidth overhead
- Important applications- Public-key directories- Tor Consensus Transparency- Software transparency schemes
- Publicly-verifiable consensus like Bitcoin should be leveraged by applications, efficiently.
The end.
Extra slides...just in case.
Catena: Preventing forks
s0 s1TX TX
TX
Block i Block j
s2TX
s'2
Catena log server
Block n
Invalid block: Breaks miner-enforced TXO invariant.
Attacker has to create an invalid block n to fork the log ⇒ Attacker has to fork Bitcoin.
Catena: Preventing forks
s0 s1TX TX
TX
Block i Block j
s2TX
s'2
Catena log server
Block n'
Block n
Malicious blockchain fork.
Attacker has to fork Bitcoin. Attacker needs to mine at least 6 blocks on one of the forks.
Key idea
Q: How can we prove to a thin client that there's no s'2?
s0 s1TX TX
Block i Block j
TX
s2TX
s'2
Block k
s0 s1TX TX
TX
Block i Block j
s2TX
s'2
Violates Bitcoin's security against double spends.
Catena log server
Key idea
Q: How can we prove to a thin client that there's no s'2?A: Leverage Bitcoin's mechanism against double-spends!
Graveyard...where old slides rest in peace.
Bitcoin background
prev: H( block1 )txns: H( merkle2 )
prev: H( block2 )txns: H( merkle3 )
block2 block3
prev: nulltxns: H( merkle1 )
genesis block1
Membership proof for tx1
tx1
tx1e.g., 2Ƀ for PKDan
TX output:Coins and PKs
Bitcoin background
prev: H( block1 )txns: H( merkle2 )
prev: H( block2 )txns: H( merkle3 )
block2 block3
prev: nulltxns: H( merkle1 )
genesis block1
Membership proof for tx2
tx2txd
txa
txb
txc
3Ƀ for PKEva(unspent)
tx2
TX inputs:Signatures
Carol's signature under her PK
2Ƀ for PKDan(spent)
PKCarol