![Page 1: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/1.jpg)
Catena: Efficient Non-equivocation via Bitcoin
Tuesday, May 23rd, 2017
Alin [email protected]
Srinivas [email protected]
IEEE Security & Privacy 2017, San Jose, CA
![Page 2: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/2.jpg)
What is non-equivocation?
![Page 3: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/3.jpg)
Public-key directory
What is non-equivocation?
● At time i, publishes digest si
![Page 4: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/4.jpg)
Public-key directory
What is non-equivocation?
● At time i, publishes a single digest si
![Page 5: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/5.jpg)
Public-key directory
What is non-equivocation?
PKA PKB
t1Bob
Alice
● At time i, publishes a single digest si● At time 1, Alice, Bob and others "see" s1
s1 = SHA256(t1)
![Page 6: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/6.jpg)
Public-key directory
Bob
Alice
What is non-equivocation?
t2
PKA PKB
t1
PKA PKB
s1 = SHA256(t1) s2 = SHA256(t2)
●● At time 2, Alice, Bob and others "see" s1 , s2 , ...
![Page 7: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/7.jpg)
Public-key directory
Bob
Alice
What is non-equivocation?
t2
PKA PKB
t1
PKA PKB
s1 = SHA256(t1) s2 = SHA256(t2)
● Alice and Bob can "monitor" own PKs
![Page 8: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/8.jpg)
Public-key directory
Bob
Alice
What is non-equivocation?
t2
PKA PKB
t1
PKA PKB
s1 = SHA256(t1) s2 = SHA256(t2)
● Alice and Bob can "monitor" own PKs
![Page 9: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/9.jpg)
Bob
Alice
What is non-equivocation?
t2
PKA PKB
t1
PKA PKB PKA'
s1 = SHA256(t1) s2 = SHA256(t2)
● Alice and Bob can "monitor" own PKs● ...and server has to impersonate in plain sight
Public-key directory
![Page 10: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/10.jpg)
Bob
Alice
What is non-equivocation?
t2
PKA PKB
t1
PKA PKB PKA'
s1 = SHA256(t1) s2 = SHA256(t2)
Public-key directory
● Alice and Bob can "monitor" own PKs● ...and server has to impersonate in plain sight
![Page 11: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/11.jpg)
Good: "Stating the same thing to all people."
Bob
Alice
What is non-equivocation?
t2
PKA PKB
t1
PKA PKB PKA'
s1 = SHA256(t1) s2 = SHA256(t2)
Public-key directory
![Page 12: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/12.jpg)
Good: "Stating the same thing to all people."
Bob
Alice
What is non-equivocation?
t2
s1 = SHA256(t1) s2 = SHA256(t2)
PKA PKB
t1
PKA PKB PKA'
Including statements that are
incorrect at the application-layer
Public-key directory
![Page 13: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/13.jpg)
What is equivocation?
S1
PKA PKB
t1
● At time 2, malicious server publishes s2 and s2'
Public-key directory
![Page 14: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/14.jpg)
Alice
t2
PKA PKB PKB'
What is equivocation?
PKA PKB
t1
Public-key directory
S1
S2
● s2: Leave Alice's key intact, add fake PKB' for Bob
![Page 15: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/15.jpg)
Bob
Alice
t2'
PKA PKB PKA'
t2
PKA PKB PKB'
What is equivocation?
PKA PKB
t1
Public-key directory
S1
S2
S2'
● s2': Leave Bob's key intact, add fake PKA' for Alice
![Page 16: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/16.jpg)
Bob
Alice
t2'
PKA PKB PKA'
t2
PKA PKB PKB'
What is equivocation?
PKA PKB
t1
Public-key directory
S1
S2
S2'
● Alice not impersonated in her view, but Bob is.
![Page 17: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/17.jpg)
Bob
Alice
t2'
PKA PKB PKA'
t2
PKA PKB PKB'
What is equivocation?
PKA PKB
t1
Public-key directory
S1
S2
S2'
● Bob not impersonated in his view, but Alice is.
![Page 18: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/18.jpg)
MITM
Bob
Alice
t2'
PKA PKB PKA'
t2
PKA PKB PKB'
What is equivocation?
PKA PKB
t1
Public-key directory
S1
S2
S2'
● Obtain fake keys for each other ⇒ MITM
![Page 19: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/19.jpg)
MITM
Bob
Alice
t2'
PKA PKB PKA'
t2
PKA PKB PKB'
Bad: "Stating different things to different people.'"
What is equivocation?
PKA PKB
t1
Public-key directory
S1
S2
S2'
![Page 20: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/20.jpg)
Where is non-equivocation necessary?
Public-key distribution (PKD)- HTTPS- Secure messaging- "We assume a PKI."
![Page 21: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/21.jpg)
Public-key distribution (PKD)- HTTPS- Secure messaging- "We assume a PKI."
Tor Directory Servers
Where is non-equivocation necessary?
![Page 22: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/22.jpg)
Public-key distribution (PKD)- HTTPS- Secure messaging- "We assume a PKI."
Tor Directory Servers
Software transparency schemes- Attacks on Bitcoin binaries
Where is non-equivocation necessary?
![Page 23: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/23.jpg)
Contributions
![Page 24: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/24.jpg)
Contributions● Bitcoin-based append-only log,
![Page 25: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/25.jpg)
Contributions● Bitcoin-based append-only log,
● ...as hard-to-fork as the Bitcoin blockchain
○ Want to fork? Do some work!
![Page 26: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/26.jpg)
Contributions● Bitcoin-based append-only log,
● ...as hard-to-fork as the Bitcoin blockchain
○ Want to fork? Do some work!
● ...but efficiently auditable
![Page 27: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/27.jpg)
Contributions● Bitcoin-based append-only log,
● ...as hard-to-fork as the Bitcoin blockchain
○ Want to fork? Do some work!
● ...but efficiently auditable
○ 600 bytes / statement (e.g., PKD digests)
○ 80 bytes / Bitcoin block
![Page 28: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/28.jpg)
Contributions● Bitcoin-based append-only log,
● ...as hard-to-fork as the Bitcoin blockchain
○ Want to fork? Do some work!
● ...but efficiently auditable
○ 600 bytes / statement (e.g., PKD digests)
○ 80 bytes / Bitcoin block
● Java implementation (3500 SLOC)
![Page 29: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/29.jpg)
Outline
1. Bitcoin background2. Previous work3. Catena design4. Catena scalability
![Page 30: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/30.jpg)
Block nBlock i Block j
Bitcoin blockchain
![Page 31: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/31.jpg)
Block nBlock i Block j
Bitcoin blockchain
● Hash chain of blocks
![Page 32: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/32.jpg)
Block nBlock i Block j
Bitcoin blockchain
● Hash chain of blocks○ Arrows are hash pointers
![Page 33: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/33.jpg)
Block nBlock i Block j
Bitcoin blockchain
● Hash chain of blocks○ Arrows are hash pointers
● Merkle tree of TXNs in each block
![Page 34: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/34.jpg)
Block nBlock i Block j
Bitcoin blockchain
● Hash chain of blocks○ Arrows are hash pointers
● Merkle tree of TXNs in each block● Proof-of-work (PoW) consensus
![Page 35: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/35.jpg)
Block nBlock i Block j
txa
Bitcoin blockchain
● Transactions mint coins
![Page 36: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/36.jpg)
Block nBlock i Block j
Bitcoin blockchain
● Transactions mint coins● Output = # of coins and owner's PK
txa
PKA minted 4Ƀ
![Page 37: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/37.jpg)
Block nBlock i Block j
txa
Bitcoin blockchain
PKA minted 4Ƀ
txb
PKB has 3Ƀ
● Transactions mint coins● Output = # of coins and owner's PK● Transactions transfer coins (and pay fees)
![Page 38: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/38.jpg)
Block nBlock i Block j
txb
txa
Bitcoin blockchain
PKA minted 4Ƀ from SKA PKB has 3Ƀ
● Transactions mint coins● Output = # of coins and owner's PK● Transactions transfer coins (and pay fees)● Input = hash pointer to output & digital signature
![Page 39: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/39.jpg)
Block nBlock i Block j
txb
txa
s1
Bitcoin blockchain
PKA minted 4Ƀ from SKA
Arbitrary statement s1
PKB has 3Ƀ
Data can be embedded in TXNs.
![Page 40: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/40.jpg)
Block nBlock i Block j
txb
txa
Bitcoin blockchain
PKA minted 4Ƀ from SKA PKB has 3Ƀ
Alice gives Bob 3Ƀ,Bitcoin miners collected 1Ƀ as a fee.
s1
![Page 41: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/41.jpg)
Block nBlock i Block j
txb
txc
s1
Bitcoin blockchain
PKB has 3Ƀ from SKB PKC has 2Ƀ
Bob gives Carol 2Ƀ,Bitcoin miners collected another Ƀ as a fee.
![Page 42: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/42.jpg)
Bitcoin blockchain
Block i Block j Block n
s1
txb
txc
txc'
No double-spent coins: A TXN output can only be referred to by a single TXN input.
![Page 43: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/43.jpg)
Moral of the story
TX1
TX2'
TX2
Proof-of-work (PoW) consensus ⇒ No double spends
Either TX2 or TX2' but not both!
![Page 44: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/44.jpg)
Moral of the story
TX1
TX2'
TX2
Proof-of-work (PoW) consensus ⇒ No double spends
Either s2 or s2' but not both!s1
s2
s'2
![Page 45: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/45.jpg)
Outline
1. Bitcoin background2. Previous work3. Catena design4. Catena scalability
![Page 46: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/46.jpg)
Previous work
Block i Block j Block n
s1 s2TX TX
TX s3
![Page 47: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/47.jpg)
Previous work
Block i Block j Block n
Need to download full blocks to find
inconsistent s'3
s1 s2TX TX
TX s3
TX s'3
![Page 48: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/48.jpg)
Our work
Block i Block j Block n
s1 s2TX TX
TX s3
TX s'3
No inconsistent s'3 as it would require a
double-spend!
![Page 49: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/49.jpg)
Previous work
Block i Block j Block n
s1 s2TX TX
TX s3
TX s'3
![Page 50: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/50.jpg)
Our work
Block i Block j Block n
s1 s2TX TX
TX s3
TX s'3
![Page 51: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/51.jpg)
Outline
1. Bitcoin background2. Previous work3. Catena design4. Catena scalability
![Page 52: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/52.jpg)
Catena log server
Server's funds
Starting a Catena log
![Page 53: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/53.jpg)
GTX
Block i
Genesis TXNCatena
log server
Starting a Catena log
● Genesis TXN (GTX) = log's "public key"● Coins from server back to server (minus fees)
![Page 54: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/54.jpg)
s1GTX
Block i Block j
Catena log server
TX1
Appending to a Catena log
● TX1 "spends" GTX's output, publishes s1● Coins from server back to server (minus fees)● Inconsistent s1' would require a double-spend
![Page 55: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/55.jpg)
s1GTX TX1
Block i Block j
s2TX2
Block n
Catena log server
Appending to a Catena log
● TX2 "spends" TX1's output, publishes s2● Coins from server back to server (minus fees)● Inconsistent s2' would require a double-spend
![Page 56: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/56.jpg)
s1GTX
Block i Block j
Catena log server
s2
Block n
Next,
unique s3
TX1 TX2
Appending to a Catena log
● Server is compromised, still cannot equivocate.
![Page 57: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/57.jpg)
s1GTX
Block i Block j
Catena log server
s2
Block n
Next,
unique s3
Advantages: (1) Hard to fork (2) Efficient to verify
TX1 TX2
Appending to a Catena log
![Page 58: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/58.jpg)
s1GTX
Block i Block j
Catena log server
s2
Block n
Advantages: (1) Hard to fork (2) Efficient to verify
Disadvantages: (1) 6-block confirmation delay(2) 1 statement every 10 minutes(3) Must pay Bitcoin TXN fees
TX1 TX2
Next,
unique s3
Appending to a Catena log
![Page 59: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/59.jpg)
Efficient auditing
![Page 60: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/60.jpg)
Efficient auditing
Catena log server
Catena client
![Page 61: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/61.jpg)
Efficient auditing
Catena log server
Catena client
Bitcoin P2P(7000 nodes)
![Page 62: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/62.jpg)
Efficient auditing
Catena log server
Catena client
Header i
GTX
Bitcoin P2P(7000 nodes)
![Page 63: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/63.jpg)
Catena log server
Catena client
Header i
GTX
Bitcoin P2P(7000 nodes)
Q: Next block header(s)?
Efficient auditing
![Page 64: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/64.jpg)
Catena log server
Catena client
Header i
GTX
Bitcoin P2P(7000 nodes)
Header i+1 Header j
Efficient auditing
80 bytes each
![Page 65: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/65.jpg)
Catena log server
Catena client
Header i Header j
GTX
Bitcoin P2P(7000 nodes)
Efficient auditing
![Page 66: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/66.jpg)
Catena log server
Catena client
Header i Header j
GTX
Bitcoin P2P(7000 nodes)
Q: What is s1 in the log?
Efficient auditing
![Page 67: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/67.jpg)
Catena log server
Catena client
Header i Header j
GTX
Bitcoin P2P(7000 nodes)
TX1 s1
Efficient auditing
600 bytes
![Page 68: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/68.jpg)
Catena log server
Catena client
Header i Header j
TX1 s1GTX
Bitcoin P2P(7000 nodes)
Efficient auditing
![Page 69: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/69.jpg)
Catena log server
Catena client
Header i Header j
TX1 s1GTX
Bitcoin P2P(7000 nodes)
Q: Next block header(s)?
Efficient auditing
![Page 70: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/70.jpg)
Catena log server
Catena client
Header i Header j
TX1 s1GTX
Bitcoin P2P(7000 nodes)
Header j+1 Header n
Efficient auditing
![Page 71: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/71.jpg)
Catena log server
Catena client
Header i Header j Header n
TX1 s1GTX
Bitcoin P2P(7000 nodes)
Efficient auditing
![Page 72: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/72.jpg)
Catena log server
Catena client
Header i Header j Header n
TX1 s1GTX
Bitcoin P2P(7000 nodes)
Q: What is s2 in the log?
Efficient auditing
![Page 73: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/73.jpg)
Catena log server
Catena client
Header i Header j Header n
TX1 s1GTX
Bitcoin P2P(7000 nodes) TX2 s2
Efficient auditing
![Page 74: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/74.jpg)
Catena log server
Catena client
Header i Header j Header n
TX1 s1GTX TX2 s2
Bitcoin P2P(7000 nodes)
Efficient auditing
![Page 75: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/75.jpg)
Auditing bandwidth
e.g., 460K block headers + 10K statements = ~41 MB (80 bytes each) (around 600 bytes each)
![Page 76: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/76.jpg)
Outline
1. Bitcoin background2. Previous work3. Catena design4. Catena scalability
![Page 77: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/77.jpg)
Catena scalability
Catena client 2
Catena client 1
Catena client 100,000?
...
P2P~7000 full nodes
Supports up to ~819,000 incoming connections
![Page 78: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/78.jpg)
P2P~7000 full nodes
Supports up to ~819,000 incoming connections
Catena scalability
Catena client 2
Catena client 1
Catena client 100,000?
Q: Next block header(s)?
...
Q: Next block header(s)?
Q: Next block header(s)?
![Page 79: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/79.jpg)
Catena scalability
P2P~7000 full nodes
Supports up to ~819,000 incoming connections
Q: Next block header(s)?
Catena client 2
Catena client 1
Catena client 100,000?
Q: Next block header(s)?
Q: Next block header(s)?
...
100,000 Catena clients ⇒ "Unintended" DDoS
attack on Bitcoin.
![Page 80: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/80.jpg)
Catena scalability
Header Relay Network (HRN)Volunteer nodes
Blockchain explorersFacebook, Twitter, GitHub,
etc.
...
P2P
Header 1 Header n
Catena client 2
Catena client 1
Catena client 100,000
![Page 81: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/81.jpg)
Catena scalability
Header Relay Network (HRN)Volunteer nodes
Blockchain explorersFacebook, Twitter, GitHub,
etc.
Q: Next block header(s)?
...
P2P
Header 1 Header n
Catena client 2
Catena client 1
Catena client 100,000
Q: Next block header(s)?
Q: Next block header(s)?
![Page 82: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/82.jpg)
Q: Next block header(s)?
Q: Next block header(s)?
Q: Next block header(s)?
Catena scalability
Header Relay Network (HRN)Volunteer nodes
Blockchain explorersFacebook, Twitter, GitHub,
etc.
...
P2P
Header 1 Header n
Catena client 2
Catena client 1
Catena client 100,000
![Page 83: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/83.jpg)
Conclusions
![Page 84: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/84.jpg)
Conclusions
What we did: - Enabled applications to efficiently leverage Bitcoin's
publicly-verifiable consensus- Download transactions selectively rather than full blockchain- ~41 MB instead of gigabytes of bandwidth
![Page 85: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/85.jpg)
Conclusions
What we did: - Enabled applications to efficiently leverage Bitcoin's
publicly-verifiable consensus- Download transactions selectively rather than full blockchain- ~41 MB instead of gigabytes of bandwidth
Why it matters:- Public-key directories for HTTPS and secure messaging- Tor Consensus Transparency- Software transparency schemes- Turn fork consistency into full consistency
![Page 86: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/86.jpg)
Conclusions
What we did: - Enabled applications to efficiently leverage Bitcoin's
publicly-verifiable consensus- Download transactions selectively rather than full blockchain- ~41 MB instead of gigabytes of bandwidth
Why it matters:- Public-key directories for HTTPS and secure messaging- Tor Consensus Transparency- Software transparency schemes- Turn fork consistency into full consistency
For more, read our paper!
![Page 87: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/87.jpg)
Ask me questions!
Block j Block n
s1 s2
s'3
Block i Block j Block n
s1 s2
s3
s'3
s3
Block i
No inconsistent s'3 as it would require
a double-spend!
Need to download full blocks to find
inconsistent s'3
Prev
ious
wor
kC
aten
ahttps://github.com/alinush/catena-java
![Page 88: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/88.jpg)
Extra slides
![Page 89: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/89.jpg)
Payment T
Xs
Bitcoin: The full picture
blocki
A ➝ ,95K
A ➝ ,95K
B ➝ A, $100K
Peer-to-peer network
Miners
A
Customers Merchants
Payment
verificationA ➝ , $95K
blockj
A ➝ , $95K
![Page 90: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/90.jpg)
Catena transaction format
txi"Change" coins back to server(public key)
Unspendable OP_RETURN output with arbitrary data
Coins from server for paying TX fees(digital signature)
A single spendable output ⇒ No forks txjtxi
txk
<data>
![Page 91: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/91.jpg)
BKD: A Bitcoin-backed PKD
Catena: Hard-to-fork, append-only log (Bitcoin-backed)
A B
A' B'
E D
A" B" D'C
TX TXTX
t1t3t2
BKD: Hard-to-fork public-key directory (Catena-backed)
![Page 92: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/92.jpg)
Block n'
Bitcoin blockchain
Block i Block j
Blockchain forks ⇔ Double-spent coins
Block n
s1
txb
txc
txc'
![Page 93: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/93.jpg)
Previous work"Liar, liar, coins on fire!" (CCS '15)
![Page 94: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/94.jpg)
tx1
Previous work"Liar, liar, coins on fire!" (CCS '15)
tx1[0] = (2Ƀ, PK)
SK, PK
![Page 95: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/95.jpg)
tx1
Previous work"Liar, liar, coins on fire!" (CCS '15)
tx1[0] = (2Ƀ, PK)
SK, PK
signSK(i, s)
signSK(i, s')
![Page 96: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/96.jpg)
tx1
Previous work"Liar, liar, coins on fire!" (CCS '15)
SK, PK
signSK(i, s)
signSK(i, s')
extractSK()secret key SK
![Page 97: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/97.jpg)
tx2tx1
Previous work"Liar, liar, coins on fire!" (CCS '15)
SIGSK(tx1[0], tx2) tx2[0] = (2Ƀ, PK')
SK, PK
extractSK()secret key SK
signSK(i, s)
signSK(i, s')
![Page 98: Catena: Efficient Non-equivocation via Bitcoinpeople.csail.mit.edu/alinush/files/catena-sp2017-slides.pdf2 PK A PK B t 1 PK A PK B s 1 = SHA256(t 1) s 2 ... Must pay Bitcoin TXN fees](https://reader034.vdocuments.us/reader034/viewer/2022042710/5f66ab61728a7d29c60bbc8e/html5/thumbnails/98.jpg)
tx2tx1
Previous work"Liar, liar, coins on fire!" (CCS '15)
SK, PK
Disincentivizes equivocation by locking Bitcoin funds under SK.Does not prevent equivocation by malicious outsiders!
tx2[0] = (2Ƀ, PK')SIGSK(tx1[0], tx2)