coins, clubs, and crowds: scaling and …...coins, clubs, and crowds: scaling and decentralization...
TRANSCRIPT
![Page 1: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/1.jpg)
Coins, Clubs, and Crowds:Scaling and Decentralization inNext-Generation Blockchains
Coins, Clubs, and Crowds:Scaling and Decentralization inNext-Generation Blockchains
Prof. Bryan FordDecentralized and Distributed Systems (DEDIS)School of Information and Communications (IC)
[email protected] – dedis.epfl.ch
Vienna BDLT Summer School – September 3, 2019
Prof. Bryan FordDecentralized and Distributed Systems (DEDIS)School of Information and Communications (IC)
[email protected] – dedis.epfl.ch
Vienna BDLT Summer School – September 3, 2019
![Page 2: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/2.jpg)
Where there’s data, there’s risk...
![Page 3: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/3.jpg)
Access, sharing compounds risk
Business
Partner A
SharedAccess
Partner B
Partner C “All of us!”“All of us!”
“You cantrust us!”
Weakest-LinkSecurity
![Page 4: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/4.jpg)
A Fundamental Challenge
In today’s IT systems, security is an afterthought● Designs embody “weakest-link” security
Scaling to bigger systems → weaker security● Greater chance of any “weak link” breaking
![Page 5: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/5.jpg)
Central Databases = Attractive Targets
One of three credit rating agencies in the US● Exposed sensitive personal information about
143 million people (44% of US population)
![Page 6: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/6.jpg)
The DEDIS lab at EPFL: Mission
Design, build, and deploy secure privacy-preservingDecentralized and Distributed Systems (DEDIS)
• Distributed: spread widely across the Internet & world
• Decentralized: independent participants, no central authority,no single points of failure or compromise
Overarching theme: building decentralized systemsthat distribute trust widely with strongest-link security
Weakest-LinkSecurity
Strongest-LinkSecurity
![Page 7: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/7.jpg)
Turning Around the Security Game
Design IT systems so that making them biggermakes their security increase instead of decrease
Weakest-linksecurity
Strongest-linksecurity
ScalableStrongest-link
security
![Page 8: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/8.jpg)
DEDIS Laboratory Members
Bryan FordAssociate Professor
Philipp JovanovicPostdoctoral Scholar
Lefteris Kokoris-KogiasPh.D. Student
Kirill NikitinPh.D. Student
Cristina BasescuPh.D. Student
Enis Ceyhun AlpPh.D. Student
Jeff R. AllenSoftware Engineer
Kelong CongSoftware Engineer
Gaylor BossonSoftware Engineer
Noémien KocherSoftware Engineer
![Page 9: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/9.jpg)
Today’s Hot Decentralized Technology
(credit: Tony Arcieri)
![Page 10: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/10.jpg)
Bitcoin (2008)
First successful decentralized cryptocurrency…
![Page 11: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/11.jpg)
How to track wealth(or anything)?
Things● Gold, beads, cash...
Ledgers● Who owns what?
![Page 12: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/12.jpg)
Precedent: the Rai Stones of Yap
Stone “coins” weighing thousands of kilograms● Left in place once
created (“mined”)● Ownership transfer by
public proclamation
(this comparison shamelessly borrowed from Gün Sirer and others)
![Page 13: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/13.jpg)
Alice 5 BTC
Bob 2 BTC
Charlie 3 BTC
...
Distributed Ledgers
Problem: we don't want to trust any designated,centralized authority to maintain the ledger
Solution: “everyone” keeps a copy of the ledger!– Everyone checks everyone else's changes to it
Alice 5 BTC
Bob 2 BTC
Charlie 3 BTC
...
Alice's copyAlice 5 BTC
Bob 2 BTC
Charlie 3 BTC
...
Bob's copy
Alice 5 BTC
Bob 2 BTC
Charlie 3 BTC
...
Charlie's copy
![Page 14: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/14.jpg)
Applications of Distributed Ledgers
Can represent a distributed electronic record of:● Who owns how much currency? (Bitcoin)● Who owns a name or a digital work of art?● What are the terms of a contract? (Ethereum)● When was a document written? (notaries)● What is the provenance of a part? (supply chain)● Who are you? (self-sovereign identity)● Who used data for what purpose? (access logs)● …
![Page 15: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/15.jpg)
Distributed Trust is Old News
Many algorithms allow us to distribute trust among multiple (preferably independent) parties
Work correctly despite any one(or several) participantsbeing compromised,maliciously colluding
Example algorithms:● Byzantine consensus● Threshold cryptography
(signing, encryption, …)
![Page 16: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/16.jpg)
Distributed Trust is Old News
Many algorithms allow us to distribute trust among multiple (preferably independent) parties
Work correctly despite any one(or several) participantsbeing compromised,maliciously colluding
Example algorithms:● Byzantine consensus● Threshold cryptography
(signing, encryption, …)
![Page 17: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/17.jpg)
How Bitcoin was Groundbreaking
Byzantine consensus (BFT) wasn’t remotely new, but Bitcoin solved it in an interesting new way● Permissionless: “anyone” can participate
– If you’re willing to waste energy continuously
● Scalable to thousands of consensus nodes– BFT was typically tested among 4, ~10s of nodes
● No long-lived leaders, supernodes, committees– Unspecialized nodes resist rapidly-adaptive attacks
![Page 18: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/18.jpg)
Properly-Designed BlockchainsEliminate Single Points of Compromise
Weakest-linkSecurity:
T = 1
Strongest-linkSecurity:T = 2-10
Collective Security:
T = 100s,1000s
T: threshold of compromised parties to break security
![Page 19: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/19.jpg)
Launched Global Wave of Interestin Decentralized Systems
![Page 20: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/20.jpg)
Limitations of Today’s Blockchains
Public/permissionless (e.g., Bitcoin, Ethereum)● Slow, weak consistency, low total throughput● Limited privacy: leaky, can’t keep secrets● User devices must be online, well-connected● Mining is inefficient, insecure, re-centralizing
Private/permissioned (e.g., HyperLedger, Corda)● Weak security – single points of compromise
![Page 21: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/21.jpg)
Beware the Lemon Market
George A. Akerlof won Nobel Prize in economics for observing:
If buyers have less information than sellers about product quality, incentives lead to reduced quality
The cybersecurity marketis a lemon market…
![Page 22: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/22.jpg)
The Blockchain Lemon Market
Today’s blockchain market is too.
Economically-leading “first-to-market” designs completely compromise decentralized security● One-click “Blockchain-as-a-Service” on cloud● Non-Byzantine consensus in deployment● Centralized PKI in permissioned blockchains
![Page 23: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/23.jpg)
DEDIS Blockchain Research
Working to make tomorrow’s blockchains:● Fast: responsive in seconds, not minutes/hours● Scalable: support high transaction volumes● Private: keeping confidential data secure● Available: blockchain records usable offline● Equitable: people-centric decentralization
DEDIS next-generation blockchain infrastructure already available, in use by multiple partners
![Page 24: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/24.jpg)
DEDIS Blockchain Overview
Key aspects of DEDIS blockchain architecture:● Scaling: can we do enough, fast enough?● Privacy: can we store and process secrets?● Resilience: what if we’re poorly-connected?● Stake: how to get equitable decentralization?
Industry Impact, Applications, and Conclusion
![Page 25: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/25.jpg)
DEDIS Blockchain Overview
Key aspects of DEDIS blockchain architecture:● Scaling: can we do enough, fast enough?● Privacy: can we store and process secrets?● Resilience: what if we’re poorly-connected?● Stake: how to get equitable decentralization?
Industry Impact, Applications, and Conclusion
![Page 26: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/26.jpg)
Drawbacks of Nakamoto Consensus
● Transaction delay– Any transaction takes ~10 mins minimum in Bitcoin
● Weak consistency: – You’re not really certain your
transaction is committed untilyou wait ~1 hour or more
● Low throughput:– Bitcoin: ~7 transactions/second
● Proof-of-work mining:– Wastes huge amount of energy
![Page 27: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/27.jpg)
Scaling Blockchains is Not Easy
![Page 28: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/28.jpg)
Many Approaches to Scaling
Scalable BFT
Horizontal Sharding
Sidechains
Payment Networks
L
share window of size w
L
keyblock (co-signed)
microblock (co-signed)
share
miner (co-signer)
leader
Keyblocks
Microblocks
Miners
Transactions
Shard 1Shard 2
Shard 3
![Page 29: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/29.jpg)
ByzCoin: Marrying PBFT with PoWUse PoW to pick PBFT groups [USENIX Security ‘16]
● Permanent transaction commitment in seconds
● 700+ TPS demonstrated (100x Bitcoin, ~PayPal)
Closely-related: Hybrid Consensus by Pass/Shi
1 2 3
1 2 3 4 5
...
5-10 sec
BitcoinCothority
Miner Witnesses
Key-Block
Micro-Block
depends on
6
Co-Signature
![Page 30: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/30.jpg)
Why PBFT Doesn’t Readily Scale
Three phase: pre-prepare, prepare, commit
In prepare & commit, leader must get at leasttwo-thirds of all participants to “sign-off”● Nodes sign-off via broadcast: O(N2)
![Page 31: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/31.jpg)
PBFT with Collective Signing (CoSi)
Builds on CoSi, presented in [IEEE S&P ‘16]
ByzCoin runs collective signing (CoSi) roundsto implement PBFT prepare, commit phases● Efficient tree-structured communication● Sign-offs compressed into 1 signature
Reduce round cost from O(N2) to ~O(N)
Announce Commit Challenge Response
![Page 32: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/32.jpg)
Horizontal Scaling via Sharding
OmniLedger: A Secure Scale-Out Ledger [S&P 18]● Break large collective into small random subgroups● Builds on scalable bias-resistant randomness protocol
(IEEE S&P 2017)● Commit transactions cross-shard w/ 2-phase protocol
Transactions
Shard 1Shard 2
Shard 3
![Page 33: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/33.jpg)
OmniLedger: Key Intuition
At any time a (possibly slow) consensus processmaintains large (~1000s) list of miners/validators● Use public randomness to pick smaller (10s,
100s) representative subgroups or shards– Subgroup size is security/performance tradeoff– Periodically refresh/re-form shards to handle churn
● Each shard manages subset of state (accounts)● Transactions processed by one or a few shards
– Typically one shard per account transaction affects– Cross-shard commit protocol ensures consistency
![Page 34: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/34.jpg)
OmniLedger Throughput
Wide range of performance/security settings
![Page 35: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/35.jpg)
Problem: Secure Public Randomness
Vietnam War Lotteries (1969)
![Page 36: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/36.jpg)
RandHound/RandHerd
“Scalable Bias-Resistant Distributed Randomness” [IEEE Security & Privacy ‘17]● Standard t-of-n
threshold model● Efficient, scales to
thousands of parties● Compatible with
ByzCoin, OmniLedgerblockchains
(c,r)
collective randomness
CLCL
TSS group 1 TSS group 2
TSS group 0
GLGLGLGL
(c,r0)
(c,r1) (c,r2)
![Page 37: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/37.jpg)
The Chicken-and-Egg Problem
More scalable if we could use smaller groups…but need randomness to sample them securely!● Sharding needs randomness needs sharding
Addressed by RandHound, RandHerd protocols● Scalable Bias-Resistant Distributed
Randomness [IEEE S&P ‘17]● RandHound: bootstrap protocol,
O(n log n) efficiency● RandHerd: repeating beacon,
O(log n) cost/node/round
![Page 38: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/38.jpg)
The League of Entropy
Public randomness beacon based on RandHerd● Launched by EFPL-DEDIS, Cloudflare,
Kudelski, University of Chile, Protocol Labs● Simplifications, BLS instead of Schnorr signing
![Page 39: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/39.jpg)
Future: Function Scaling
How to manage the growing complexity of decentralized architectures as they evolve?● Analogy: functional units in modern CPUs
![Page 40: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/40.jpg)
PROTEAN: Functional Scaling
Rethinking General-Purpose Decentralized Computing [HotOS ‘19]● Ecosystem of
decentralizedfunction units
PublicStorageFunction
Unit
SecretStorageFunction
Unit
PublicComputationFunction Unit
(EVM, WASM, ...)
PrivateComputationFunction Unit
(SMPC, FHE, ...)
Special PurposeFunction Unit
(Public Randomness,Verifiable Shuffle, …)
![Page 41: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/41.jpg)
Scalable Coordination: Summary
Bitcoin’s architecture was a brilliantly wrong conflation of membership & consensus protocols● De-conflating them is not trivial but massively
improves performance, scalability, consistency– Bitcoin-NG, ByzCoin, OmniLedger
● Critical scalability tool: public randomness– RandHound/RandHerd, used in OmniLedger
● In the future we’ll see many different types of shards with different compositions, purposes
![Page 42: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/42.jpg)
DEDIS Blockchain Overview
Key aspects of DEDIS blockchain architecture:● Scaling: can we do enough, fast enough?● Privacy: can we store and process secrets?● Resilience: what if we’re poorly-connected?● Stake: how to get equitable decentralization?
Industry Impact, Applications, and Conclusion
![Page 43: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/43.jpg)
The C-I-A (or A-I-C) Triad
In information security and data protection, we generally want three fundamental properties
Blockchains strengthen Integrity and Availability,while by default weakening confidentiality!
IntegrityAvailability
Confidentiality
![Page 44: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/44.jpg)
The Blockchain Privacy Challenge
Blockchains protect the integrity of data bygiving everyone a copy for independent checking● This works against privacy & confidentiality● Current privacy provisions are leaky● Solvable with proper use of encryption
– When combined, important to remember:it’s the encryption, not the blockchain,that protects privacy.
![Page 45: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/45.jpg)
So How Do We Get Privacy?
Encryption, of course!
Encrypt data before storing, decrypt on use…
![Page 46: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/46.jpg)
But Who Holds the Keys?
Any encrypted data is secured with a private key● A private key is just information (a number)!● If the key leaks, anyone can decrypt the data
– Regardless of where it’s stored: cloud, blockchain…
If the private key is held by a single party,then that party is a single point of compromise● If key-holder hacked, attacker gets everything● Even if it’s held on a “private blockchain”!
![Page 47: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/47.jpg)
The Privacy Problem in Blockchains
In current blockchains, secrets (keys, passwords) must be held “off-chain” by private parties● Just a hash on-chain → document might be lost● Encrypted on-chain → encrypted to whom?
– Decided at encryption, cannot be changed/revoked
Current blockchainscan’t manage secrets,because they wouldleak to all participants● Weakest-link security again
![Page 48: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/48.jpg)
How to Get Privacy, Accountability?
Blockchains don’t protect privacy & accountability without single points of compromise; how can we?
With another classic technology: secret sharing.
Essential idea: after encrypting data,”deal” the secret key to a threshold t of n parties● At least t parties must work together to recover● If just one (or fewer than t) compromised,
attacker can’t recover the key (or the data)
![Page 49: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/49.jpg)
Secret Sharing: Illustration
Suppose you’re a pirate & bury your treasure…
X
![Page 50: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/50.jpg)
Keeping the Location Secret
You have 3 henchmen who you want to send back for it later, but you don’t trust any one completely
![Page 51: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/51.jpg)
Secret Sharing: Illustration
You mark the spot between two reference points
XSecret!
![Page 52: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/52.jpg)
Secret Sharing: Illustration
Then draw three parallel reference lines…
XSecret!
![Page 53: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/53.jpg)
Secret Sharing: Illustration
…and another line intersecting all four…
XSecret!
![Page 54: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/54.jpg)
Secret Sharing: Illustration
The intersection points are the secret shares...
XSecret!
X XX
SecretShares
![Page 55: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/55.jpg)
Secret Sharing: Illustration
You give one of these shares to each henchman
XSecret!
X XX
SecretShares
![Page 56: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/56.jpg)
Threshold Secret Sharing
Now suppose your henchmen come back later to recover the treasure… ● Any one henchman won’t know how to find it● Any two henchmen will be able to!
You get both threshold privacy of the secret…● No single compromised party can recover it
You also get threshold availability of the secret● Can still recover if one henchman goes missing
![Page 57: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/57.jpg)
Secret Sharing: Illustration
One henchman alone can’t recover secret
XSecret!
X???
![Page 58: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/58.jpg)
Secret Sharing: Illustration
…but any two working together can!
XSecret!
XX
![Page 59: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/59.jpg)
On-Chain Secrets
“CALYPSO: Auditable Sharing of Private Data”
Encrypt(*) secrets care-of the blockchain itself,under a specific access policy or smart contract● Threshold of trustees
mediate all accesses● Enforce policies,
access recording● Ensure data both
hidden and disclosedwhen policy requires
● Can revoke access ifpolicy/ACLs change
Access-control cothorityWanda
Ron
(1.1) Store secret and access policy for idRon
Blockchain
(2.1) Download
encrypted secret
(3.1) Request secret re-encryption
Secret-management cothority
(1.2) Log secret
(2.3) Log access
(4) Decrypt secret
(2.2) Request
access to
secret
(3.2) Deliver re-encrypted secret
Ron’s identity skipchain (idRon)
(*) with post-quantum security if desired
![Page 60: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/60.jpg)
Application: Blockchain E-voting
Prototyped blockchain-based e-voting system● State-of-the-art cryptographic security/privacy● Deployed within EPFL community of 10,000+
Helios-like workflow:● Clients encrypt votes
to threshold of trustees● Blockchain records them● Neff shuffle and decrypt
![Page 61: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/61.jpg)
Privacy-Preserving Processing
Can we compute on private data? At what cost?
Intensely active area of cryptography research…● Fully-homomorphic encryption (FHE)● Secure multiparty computation (SMPC)
…and blockchain/smart contract activities, e.g.,● MIT Enigma project● EPFL UnLynx project
![Page 62: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/62.jpg)
UnLynx: Privacy-Conscious, Blockchain-Secured Medical Data Sharing
Functionality:• Allow queriers to query a set of
distributed databases
Requirements:• Data Providers data confidentiality• No single point of failure• Computation correctness• Privacy of data providers (DP) and
individuals storing their data in DPs
Threat model:• Queriers, servers may be compromised• Data providers honest-but-curious
SELECT AVG(cholesterol_rate) FROM DP1, …, DPn
WHERE age in [40:50] AND ethnicity = CaucasianGROUP BY gender
![Page 63: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/63.jpg)
DEDIS Blockchain Overview
Key aspects of DEDIS blockchain architecture:● Scaling: can we do enough, fast enough?● Privacy: can we store and process secrets?● Resilience: what if we’re poorly-connected?● Stake: how to get equitable decentralization?
Industry Impact, Applications, and Conclusion
![Page 64: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/64.jpg)
The C-I-A (or A-I-C) Triad
In information security and data protection, we generally want three fundamental properties
Many copies mean availability, right? Well…
IntegrityAvailability
Confidentiality
![Page 65: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/65.jpg)
Some Blockchain Availability Risks
What if a blockchain you rely on is:● Overloaded by a load spike you can’t control?● Under denial-of-service or bribery attack?● Unreachable from a client that needs it?● Disconnected/eclipsed by a network attacker?● Just too slow due to global network latencies?
![Page 66: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/66.jpg)
![Page 67: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/67.jpg)
![Page 68: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/68.jpg)
Blockchain Resilience Challenges
Some challenges DEDIS design addresses:● Can light/low-power clients verify transactions
and the state of the blockchain offline?● Can poorly-connected or disconnected devices
securely update each other peer-to-peer?● Can a blockchain commit transactions quickly
in local areas (by speed-of-light distance)?● Can blockchain operate robustly in local areas
when global connectivity is slow or expensive?
![Page 69: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/69.jpg)
Backward and Forward Verifiability
Standard blockchains traversable only backward● Via hash back-links from current head
Chainiac adds traversability forward in time● Collective signature by prior consensus group
Time
Backward hash links, embedded in blocks at commit time
Collectively signed forward links, added later once target exists
Time
Backward hash links, embedded in blocks at commit time
![Page 70: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/70.jpg)
Leaping Through Time: SkipChains
Offline/peer-to-peer cryptographic verification and efficient “time-travel” through all blockchain history
Time
Backward hash links, embedded in blocks at commit time
Collectively signed forward links, added later once target exists
B3
B2
B1
F1
F2
F3
Level
![Page 71: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/71.jpg)
Chaniac: Secure Software Updates
Critical devices increasingly networked (IoT) ● Keeping their software up-to-date is critical
– Otherwise vulnerable to old threats: e.g., WannaCry
DEDIS “Chainiac” provides end-to-end secure blockchain-based software distribution & update
![Page 72: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/72.jpg)
Secure Digital Documents
Significant interest in digitaldegrees, awards, land titles, …● Blockchain can provide a
hard-to-forge timestamp
But how do you verifya digital document?● Current blockchains:
you must be online
DEDIS blockchain: offline-verifiable timestamps
![Page 73: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/73.jpg)
Locality: Beating the Speed of Light
Problem: Strong global consensus requires us to pay global speed-of-light latencies
– But many interacting usersare likely to be near each otherin geography, network topology,network latency
Can we create many local blockchain shards,such that for any group of interacting users,they use a “nearby” shard offering low latency?
![Page 74: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/74.jpg)
Resilient Local-Area Operation
Crux: Locality-Preserving Distributed Systems [preprint]
![Page 75: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/75.jpg)
DEDIS Blockchain Overview
Key aspects of DEDIS blockchain architecture:● Scaling: can we do enough, fast enough?● Privacy: can we store and process secrets?● Resilience: what if we’re poorly-connected?● Stake: how to get equitable decentralization?
Industry Impact, Applications, and Conclusion
![Page 76: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/76.jpg)
Any human organization need a way to decide:● Who holds a stake in decision-making● How much
influence eachstakeholderwields
● How decisionsare a actuallyagreed on:consensus
Without stake & consensus, organizations fail
Membership, Stake, and Influence
![Page 77: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/77.jpg)
Alternative Foundations for Stake
Permissioned: prove you’re in a meatspace club
Proof-of-Work: prove you’re wasting energy
Proof-of-Stake: prove you’re already rich
Proof-of-Storage: prove you have a big disk
Proof-of-*: prove you have a lot of *’s
Proof-of-Personhood: prove you’re a real person
![Page 78: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/78.jpg)
Proof-of-Work as a Basis for Stake
Proof-of-Work requires miners to expend energy surmounting an artificial barrier to entry,just in order to prove they did that.
Important point: Proof-of-Work servers no purposeother than to erect an artificial barrier to entryand create competition for mining rewards!
Have we seen human practices like this before?
![Page 79: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/79.jpg)
Membership by Hazing Ritual
Anything that not everyone will do on a whim:entire purpose is to create a barrier to entry
May be uncomfortable and/or embarrassing…
![Page 80: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/80.jpg)
Membership by Hazing Ritual
Or just plain weird… ● MIT ‘58: using Oliver Smoot to measure bridge
![Page 81: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/81.jpg)
Membership by Hazing Ritual
Or difficult, requiring energy and cooperation● Yap: chisel a giant circular “coin” out of stone
available only on another, distant island
![Page 82: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/82.jpg)
Bitcoin’s Hazing Ritual
Digitally flip coins.
Many coins.
Billions of them.
By forming new “blocks”and feeding them into acryptographic hash● Converts any information
to pseudorandom number
Repeat endlessly.
![Page 83: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/83.jpg)
Power Distribution in Bitcoin
How much influence does each member wield?● Proportional to member’s rate of coin-flipping:
number of “hashes per second”, or hashpower● More energy, faster chips → more hashpower
![Page 84: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/84.jpg)
JUST…ONE…JUST…ONE…
…MORE…BITCOIN…MORE…BITCOIN
![Page 85: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/85.jpg)
Environmental Costs
Proof-of-work = “scorched-earth” blockchains● Bitcoin makes BTC scarce by making miners
prove they wasted energy● Serves no purpose except to prove they did it●
![Page 86: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/86.jpg)
Bitcoin Energy Consumption Index
Bitcoin now wastes more energy than159 countries use for their people to live on!
![Page 87: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/87.jpg)
Not Even Decentralized Anymore
Market incentives drive consolidation of hashrate or “voting power” to a few powerful mining pools● Over 60% currently in one country (China)● Any faction >51%
can control orveto decisions,censor, etc.
![Page 88: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/88.jpg)
A Problem Not Unique to Bitcoin
Most cryptocurrencies aren’t that decentralized
![Page 89: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/89.jpg)
Permissioned Ledgers
Just decide administratively who participates;Fixed or manually-changed group of “miners”
– No proof-of-work needed → low energy cost– More mature consensus protocols applicable– Higher human organizational costs– No longer open for “anyone” to participate
![Page 90: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/90.jpg)
The Weakness of Limited Scale
Public/permissionless designs in principle have the advantage of security scaling with size● As more participants arrive, security increases
Closed participation designs limit security scaling!
Weakest-linksecurity
Strongest-linksecurity
ScalableStrongest-link
security
![Page 91: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/91.jpg)
Alternative: Proof-of-Stake (PoS)
● Proof-of-Stake: assigns consensus shares in proportion to prior capital investment– Could address energy waste problem– Many nontrivial design challenges
● Securing proof-of-stakeis a nontrivial, interesting,but mostly-solved problem– e.g., Orobouros, Algorand– Also implementable with
CoSi + SkipChains +OmniLedger + RandHound
![Page 92: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/92.jpg)
Modular Proof-of-Stake
Assume we have a ByzCoin-like consensus group● Use PBFT to agree on transactions and stake
– List of stakeholders, # shares each, their validators
● After epoch, RandHound-sample next group– Old group collectively signs new, forms SkipChain
Epoch 1 blocks, transactions
Consensus Group 1
Epoch 2 blocks, transactions
Consensus Group 2
ID
StakeholderDatabaseStake Validator
ID Stake Validator… … …
CoSi
publicRandHound
sampling
![Page 93: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/93.jpg)
Is Proof-of-Stake What We Want?
A Proof-of-Stake cryptocurrency is essentially an automated analog of a shareholder corporation.● May help hasten the takeover of automation,
but won’t fix the world.
![Page 94: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/94.jpg)
It’s all just “Proof-of-Investment”
Proof-of-Work, Proof-of-Stake, Proof-of-* are allProof-of-Investment, aka investment capitalism.● The more * you invest, the greater your reward.
All prone to re-centralization, aka rich get richer● Larger stakeholders always in a better position
to exploit economies of scale – or just cheat –to further increase their percentage of the pie.
Proof-of-stake won’t keep systems decentralized!● At best they can reduce rate of recentralization
![Page 95: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/95.jpg)
Long-Term Decentralization?
Can we build decentralized systems that will reliably stay decentralized over the long haul?● Inclusive: allow “permissionless” participation
by everyone in practice, not just in theory– Including developing world, homeless, refugees
● Sustainable: Ensure future generations will have the same opportunities that we do today– Regardless whether their grandparents were lucky
● Empowering: Provide opportunities for all while limiting vulnerability to abuse of power
![Page 96: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/96.jpg)
Toward People-Centric Blockchains
Can we build decentralized technology that will● Securely stay open and widely decentralized?● Offer a fairness metric meaningful to people?● Be accountable to users rather than wealth?
“We must act to ensure that technology is designed and developed to serve humankind, and not the other way around”
- Tim Cook, Oct 24, 2018
![Page 97: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/97.jpg)
Person-Centric Decentralization
Proof-of-Personhood [IEEE S&B ‘17]● Proof-of-Stake but one stake unit per person
![Page 98: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/98.jpg)
Proof-of-Personhood: Approaches
● Legacy Identities (e.g., government-issued)– Require costly ID-checking, not that hard to fake
● Global Biometric Databases (India, UNHCR)– Huge privacy issues, false positives+negatives
● Trust Networks (PGP “Web of Trust” model)– Unusable in practice, doesn’t address Sybil attacks
● Pseudonym Parties [SocialNets ‘08]– Requires in-person participation, physical security– Low-cost: verifies only personhood, not ID or trust
![Page 99: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/99.jpg)
Is Digital Identity, KYC a Solution?
Key Advantages:● Many businesses, governments working on it● Leverages existing “document-trail” identities
Key Disadvantages:● Identity documents not hard to fake, steal, buy
– SSN $1, Fake ID $20, fake passport $1000, …
● Identity authorities are single points of compromise– Attacker needs to break only one to create many Sybils
● Exclusionary: undocumented/unlucky lose out– Migrants, refugees, homeless, stateless, …
![Page 100: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/100.jpg)
Are Biometrics a Solution?
Key Advantages:● Technically scalable, workable in principle
– India Aadhaar, UNHCR World Food Program, …
Key Disadvantages:● Requires not just authentication (1-to-1 comparison)
but biometric identity (1-to-billions comparison)– 0.01% FAR → 100,000 false positives per user in India
● Privacy: must collect in massive queryable database– Biometrics are passwords you can’t change when leaked
● One compromised device can enroll many Sybils
![Page 101: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/101.jpg)
Are Trust Networks a Solution?
PGP-style social trust has never proven to be usable● Even most hard-core geeks don’t participate
PGP-style social trust solves the wrong problem● Even if all key-signing trust relationships are genuine,
they don’t actually prevent Sybil attacks– Attacker can forge multiple real relationships under one name in
one group, more under another name in a different group, … – There are enough non-intersecting small groups in the world for
Sybil attacker to create thousands/millions of Sybils over time● Little chance of getting caught, plausible deniability if they do
● Exclusionary: people who don’t know people or have social status lose out (migrants, refugees, homeless, …)
![Page 102: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/102.jpg)
Are Graph Algorithms a Solution?
Examples: SybilLimit [Yu et al], SumUp [Tran et al], …● Assume trust net divided into honest and Sybil regions● Assume hard for attacker create edges between them
![Page 103: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/103.jpg)
Are Graph Algorithms a Solution?
Examples: SybilLimit [Yu et al], SumUp [Tran et al], …● Assume trust net divided into honest and Sybil regions● Assume hard for attacker create edges between the two
Clever, interesting, important algorithms, but:● Works only against large-scale attacks, not small-scale
– Vulnerable if many rational participants cheat “just a bit”
● Today’s usable social networks aren’t trust networks– Many Facebook etc users promiscuous → many attack edges
● Excludes genuine but poorly-connected communities– Migrants, refugees, homeless, stateless, again…
![Page 104: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/104.jpg)
Proof-of-Personhood: Intuition
Local communities organize periodic PoP parties● Interested participants come to given time/place
– e.g., once per month, once per quarter
● After critical moment, people can only leave– Obtain one “PoP token” per person on the way out
One body → one token per person per event● Anonymous, can wear masks as in Carnival● Local organizers only collectively trusted● Multiple groups can coordinate, federate
![Page 105: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/105.jpg)
Pseudonym Parties: Summary
Locally-organized regular physical meetings● Anyone can enter a space until a set deadline● Then can only exit, each getting one credential
No need for IDs, biometrics, PGP key-signing, etc● Just bodies: can be in only one place at a time
PseudonymParty Room
1. 2.PseudonymParty Room
![Page 106: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/106.jpg)
Proof-of-Personhood: Tradeoffs
Key Advantages:● Much simpler for attendees than PGP parties
– Just show up, get a QR code scanned
Key Challenges:● Takes some real, physical-world effort: reward?● Not “one-time” → must regularly attend events
– Tokens have limited life, expire, must be renewed– Otherwise users could still build up Sybils over time
● Synchronization, scaling across groups, …
![Page 107: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/107.jpg)
Scaling Pseudonym Parties
Many local communities host pseudonym parties independently but with synchronized deadlines● One person, one credential, across all parties
Local communities federate, monitor each otherto build large-scale trust network of communities● e.g., each party must host RandHound-chosen
group of observers from other communities
Easier than securing trust networks of individuals● Organizers can be expected to have geek skills;
ordinary participants just need to show up
![Page 108: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/108.jpg)
Why Would Anyone Show Up?
PoP parties cost some (a bit) of physical effort● Not just once but regularly
Is there precedent for people being willing to endure real-world ceremonies like this?● Well…
![Page 109: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/109.jpg)
Precedent: “Landsgemeinde”
People debate and vote in person in town square
![Page 110: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/110.jpg)
Political Events, Rallies, Protests
People [sometimes] show up to make a statement ● Even when no one’s counting (precisely)
![Page 111: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/111.jpg)
Parties, Festivals
![Page 112: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/112.jpg)
Religious Traditions
Once a week, or even several times per day● Often for no tangible rewards in “here-and-now”
What if showing up served a tangible purpose?
![Page 113: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/113.jpg)
Example Uses of PoP Tokens
Get anonymous “verified user” accounts on sites● Wikis, discussion or deliberative forums● Services can effectively block if abused
Privately extend in-person meetings online● Accessible only to the people who were there
Reputation systems that count only real users● Only real people get to vote, one per person
Cryptocurrencies with equal stake per person● Rewards act as a permissionless basic income
![Page 114: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/114.jpg)
Towards Privacy with Accountability
A more powerful tool: anonymous reputation
Early prototype: AnonRep [NSDI ‘16]● Users post information fully anonymously,
perform peer review (e.g., upvotes/downvotes)● System encrypts
reputation balances● Posters reveal only
reputation buckets(e.g., “>1000”)
Zcash, zkLedger tools may help
![Page 115: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/115.jpg)
A Crypto Universal Basic Income?
Available on “opt-in” basis to everyone,not just in particular jurisdictions
![Page 116: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/116.jpg)
Towards Secure Digital Personhood
Does the digital world need a new social contract?
Cost: you must regularly invest effort to show up
Reward: rights and protections in the digital world● Right to privacy, anonymity, including protection
from anonymous abuse via blocking/filtering● Right to freedom of speech, in equal share:
protection from unfair amplification by others● Right to economic opportunity in equal measure:
permissionless universal basic income● Right to inclusion, protect long-term decentralized
![Page 117: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/117.jpg)
Summary: Approaches to Stake
Any decentralized system needs to define who its members are and how much power each has● Proof-of-Work: a disaster that can & must die● Permissioned: a reasonable, efficient approach
for federations that are closed anyway● Proof-of-Stake: a useful step with interesting
technical challenges, but not the final answer– Same with all “Proof-of-Investment” foundations
● Proof-of-Personhood: a democratic foundation for decentralization on basis of real people
![Page 118: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/118.jpg)
DEDIS Blockchain Overview
Key aspects of DEDIS blockchain architecture:● Scaling: can we do enough, fast enough?● Privacy: can we store and process secrets?● Resilience: what if we’re poorly-connected?● Stake: how to get equitable decentralization?
Conclusion
![Page 119: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/119.jpg)
DEDIS Blockchain Industry Impact
Supporting partners collaborating with DEDIS
Other companies building on DEDIS research
IOST
![Page 120: Coins, Clubs, and Crowds: Scaling and …...Coins, Clubs, and Crowds: Scaling and Decentralization in Next-Generation Blockchains Prof. Bryan Ford Decentralized and Distributed Systems](https://reader035.vdocuments.us/reader035/viewer/2022070711/5ec87fefba2ac70086064b53/html5/thumbnails/120.jpg)
Conclusion
DEDIS builds next-gen decentralized systems● Strongest-link security: no single failure points● Scalable security: strengthens with growth
Making blockchains/ledgers truly usable● Scalability: scale-out to Visa/MC throughputs● Privacy: on-chain secrets with enforced policies● Resilience: offline verification, local operation● Stake: towards equitable decentralization