catena: preventing lies withrjwalls/nesd/slides/catena...catena: preventing lies with alin tomescu...

Catena: Preventing Lies with

Alin Tomescualinush@mit.edu

MIT CSAIL

November 28th, 2016

Srinivas Devadasdevadas@mit.edu

MIT CSAIL

New England Security Day (NESD), Fall '16

The problem: Equivocation

The problem: Equivocation

Good: "Stating the same thing to all people."

Public-key directory

PKA PKB

Bob

Alice

Statement S

Public-key directory

BobPK'A PKB

Bad: "Stating different things to different people.'"

The problem: Equivocation

Statement S

Public-key directory

PKA PK'BAlice

BobPK'A PKB

Bad: "Stating different things to different people.'"

The problem: Equivocation

Statement S

Statement S'

Public-key directory

BobPK'A PKB

PKA PK'BAlice

MITM

Bad: "Stating different things to different people.'"

The problem: Equivocation

Statement S

Statement S'

Why is non-equivocation important?

Why is non-equivocation important?

Public-key distribution- HTTPS- Secure messaging- Security research often assumes a PKI

Why is non-equivocation important?

Public-key distribution- HTTPS- Secure messaging- Security research often assumes a PKI

Tor Directory Servers

Why is non-equivocation important?

Public-key distribution- HTTPS- Secure messaging- Security research often assumes a PKI

Tor Directory Servers

Software transparency schemes- Apple vs. FBI

Previous work

Previous work

Can detect, but not prevent equivocation with gossip.

Previous work

Can detect, but not prevent equivocation with gossip.

Must download 90 GB of blockchain data.

Previous work

CoSi(S&P '16)

Can detect, but not prevent equivocation with gossip.

Must download 90 GB of blockchain data.

Requires a large, diverse, trustworthy set of witnesses.

Previous work

CoSi

"Liar, liar, coins on fire!" (CCS '15)

(S&P '16)

Can detect, but not prevent equivocation with gossip.

Must download 90 GB of blockchain data.

Requires a large, diverse, trustworthy set of witnesses.

Only disincentivizes equivocation. Vulnerable to malicious outsiders.

Key idea

Key ideaEfficiently use Bitcoin's mechanism that prevents double spends as a proof of non-equivocation.

Key idea

TX1

TX'2

TX2

Efficiently use Bitcoin's mechanism that prevents double spends as a proof of non-equivocation.

Key idea

TX1

TX'2

TX2

Efficiently use Bitcoin's mechanism that prevents double spends as a proof of non-equivocation.

s1

s2

s'2

Results- Bitcoin-based tamper-evident log

Results- Bitcoin-based tamper-evident log- As hard-to-fork as the Bitcoin blockchain

Results- Bitcoin-based tamper-evident log- As hard-to-fork as the Bitcoin blockchain- Efficient to audit: 620 bytes / statement + 80 bytes / block

Results- Bitcoin-based tamper-evident log- As hard-to-fork as the Bitcoin blockchain- Efficient to audit: 620 bytes / statement + 80 bytes / block

Java implem

entation

in 3500 SLOC

Bitcoin transactions

Bitcoin transactions

1. Generate coins (assigns them to a PK)

TXa

Bitcoin transactions

1. Generate coins (assigns them to a PK)

TXa

〈2Ƀ, PK〉

Bitcoin transactions

1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a

signature under old PK)

TXa TXb

〈2Ƀ, PK〉

Bitcoin transactions

1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a

signature under old PK)

TXa TXb

SigPK(TXa:0, TXb)〈2Ƀ, PK〉

Bitcoin transactions

1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a

signature under old PK)

TXa TXb

〈2Ƀ, PK〉 〈1Ƀ, PK'〉SigPK(TXa:0, TXb)

Bitcoin transactions

1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a

signature under old PK)

TXa TXb

1Ƀ TX fee!

〈2Ƀ, PK〉 〈1Ƀ, PK'〉SigPK(TXa:0, TXb)

Bitcoin transactions

1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a

signature under old PK)

TXi

TXa TXb

Bitcoin transactions

1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a

signature under old PK)

TXi

TXa TXb

Bitcoin transactions

1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a

signature under old PK)

TXi

TXa TXb

Bitcoin blockchain

Bitcoin blockchain

Block i Block j Block n

1. The time-ordered log of valid transactions (PoW consensus)

txitxjtxa

Bitcoin blockchain

Block i Block j Block n

1. The time-ordered log of valid transactions (PoW consensus)

txb

txitxjtxa

txb

Bitcoin blockchain

Block i Block j Block n

1. The time-ordered log of valid transactions (PoW consensus)2. No double spends: A transaction output can only be referred

to by a single transaction input.

Bitcoin blockchain

txitxjtxa

txk

Block i Block j Block n

1. The time-ordered log of valid transactions (PoW consensus)2. No double spends: A transaction output can only be referred

to by a single transaction input.

txb

Bitcoin blockchain

txitxjtxa

txk

Block i Block j

1. The time-ordered log of valid transactions (PoW consensus)2. No double spends: A transaction output can only be referred

to by a single transaction input.

txb

Blockchain forks ⇔ Double-spent coinsBlock n'

Block n

Catena transaction format

Catena transaction format

txi

<data>

Catena transaction format

txi

<data>

Coins from server for paying TX fees(digital signature)

Catena transaction format

txi

<data>

"Change" coins back to server(public key)

Coins from server for paying TX fees(digital signature)

Catena transaction format

txi"Change" coins back to server(public key)

Unspendable OP_RETURN output with arbitrary data

Coins from server for paying TX fees(digital signature)

<data>

Catena transaction format

txi"Change" coins back to server(public key)

Unspendable OP_RETURN output with arbitrary data

Coins from server for paying TX fees(digital signature)

A single spendable output ⇒ No forks txjtxi

txk

<data>

Catena log server

Catena design

Transaction fee funds

GTX

Block i

Catena design

Genesis TXNCatena

log server

n

s1GTX

Block i Block j

Catena design

Catena log server

n TX1

n s1GTX TX1

Block i Block j

Catena design

s2TX2

Block n

Catena log server

s1GTX

Block i Block j

Catena log server

Catena design

s2

Block n

Next,

unique s3

n TX1 TX2

s1GTX

Block i Block j

Catena log server

Catena design

s2

Block n

Next,

unique s3

Advantages: (1) Hard to fork (2) Efficient to verify

n TX1 TX2

s1GTX

Block i Block j

Catena log server

Catena design

s2

Block n

Advantages: (1) Hard to fork (2) Efficient to verify

Disadvantages: (1) 6-block confirmation delay(2) 1 statement every 10 minutes

n TX1 TX2

Next,

unique s3

Client bandwidth

Client bandwidth

n block headers + k statements(80 bytes each) (around 600 bytes each)

Client bandwidth

e.g., 440K block headers + 10K statements = ~41 MB (80 bytes each) (around 600 bytes each)

Conclusions

- Efficient Bitcoin witnessing is possible!- ~40 MB instead of 90 GB bandwidth overhead

Conclusions

- Efficient Bitcoin witnessing is possible!- ~40 MB instead of 90 GB bandwidth overhead

- Important applications- Public-key directories- Tor Consensus Transparency- Software transparency schemes

Conclusions

- Efficient Bitcoin witnessing is possible!- ~40 MB instead of 90 GB bandwidth overhead

- Important applications- Public-key directories- Tor Consensus Transparency- Software transparency schemes

- Publicly-verifiable consensus like Bitcoin should be leveraged by applications, efficiently.

The end.

Extra slides...just in case.

Catena: Preventing forks

s0 s1TX TX

TX

Block i Block j

s2TX

s'2

Catena log server

Block n

Invalid block: Breaks miner-enforced TXO invariant.

Attacker has to create an invalid block n to fork the log ⇒ Attacker has to fork Bitcoin.

Catena: Preventing forks

s0 s1TX TX

TX

Block i Block j

s2TX

s'2

Catena log server

Block n'

Block n

Malicious blockchain fork.

Attacker has to fork Bitcoin. Attacker needs to mine at least 6 blocks on one of the forks.

Key idea

Q: How can we prove to a thin client that there's no s'2?

s0 s1TX TX

Block i Block j

TX

s2TX

s'2

Block k

s0 s1TX TX

TX

Block i Block j

s2TX

s'2

Violates Bitcoin's security against double spends.

Catena log server

Key idea

Q: How can we prove to a thin client that there's no s'2?A: Leverage Bitcoin's mechanism against double-spends!

Graveyard...where old slides rest in peace.

Bitcoin background

prev: H( block1 )txns: H( merkle2 )

prev: H( block2 )txns: H( merkle3 )

block2 block3

prev: nulltxns: H( merkle1 )

genesis block1

Membership proof for tx1

tx1

tx1e.g., 2Ƀ for PKDan

TX output:Coins and PKs

Bitcoin background

prev: H( block1 )txns: H( merkle2 )

prev: H( block2 )txns: H( merkle3 )

block2 block3

prev: nulltxns: H( merkle1 )

genesis block1

Membership proof for tx2

tx2txd

txa

txb

txc

3Ƀ for PKEva(unspent)

tx2

TX inputs:Signatures

Carol's signature under her PK

2Ƀ for PKDan(spent)

PKCarol