catena: efficient non-equivocation via bitcoin · 2 pk a pk b t 1 pk a pk b s 1 = sha256(t 1) s 2...
TRANSCRIPT
Catena: Efficient Non-equivocation via Bitcoin
Tuesday, May 23rd, 2017
Alin [email protected]
Srinivas [email protected]
IEEE Security & Privacy 2017, San Jose, CA
What is non-equivocation?
Public-key directory
What is non-equivocation?
● At time i, publishes digest si
Public-key directory
What is non-equivocation?
● At time i, publishes a single digest si
Public-key directory
What is non-equivocation?
PKA PKB
t1Bob
Alice
● At time i, publishes a single digest si● At time 1, Alice, Bob and others "see" s1
s1 = SHA256(t1)
Public-key directory
Bob
Alice
What is non-equivocation?
t2
PKA PKB
t1
PKA PKB
s1 = SHA256(t1) s2 = SHA256(t2)
●● At time 2, Alice, Bob and others "see" s1 , s2 , ...
Public-key directory
Bob
Alice
What is non-equivocation?
t2
PKA PKB
t1
PKA PKB
s1 = SHA256(t1) s2 = SHA256(t2)
● Alice and Bob can "monitor" own PKs
Public-key directory
Bob
Alice
What is non-equivocation?
t2
PKA PKB
t1
PKA PKB
s1 = SHA256(t1) s2 = SHA256(t2)
● Alice and Bob can "monitor" own PKs
Bob
Alice
What is non-equivocation?
t2
PKA PKB
t1
PKA PKB PKA'
s1 = SHA256(t1) s2 = SHA256(t2)
● Alice and Bob can "monitor" own PKs● ...and server has to impersonate in plain sight
Public-key directory
Bob
Alice
What is non-equivocation?
t2
PKA PKB
t1
PKA PKB PKA'
s1 = SHA256(t1) s2 = SHA256(t2)
Public-key directory
● Alice and Bob can "monitor" own PKs● ...and server has to impersonate in plain sight
Good: "Stating the same thing to all people."
Bob
Alice
What is non-equivocation?
t2
PKA PKB
t1
PKA PKB PKA'
s1 = SHA256(t1) s2 = SHA256(t2)
Public-key directory
Good: "Stating the same thing to all people."
Bob
Alice
What is non-equivocation?
t2
s1 = SHA256(t1) s2 = SHA256(t2)
PKA PKB
t1
PKA PKB PKA'
Including statements that are
incorrect at the application-layer
Public-key directory
What is equivocation?
S1
PKA PKB
t1
● At time 2, malicious server publishes s2 and s2'
Public-key directory
Alice
t2
PKA PKB PKB'
What is equivocation?
PKA PKB
t1
Public-key directory
S1
S2
● s2: Leave Alice's key intact, add fake PKB' for Bob
Bob
Alice
t2'
PKA PKB PKA'
t2
PKA PKB PKB'
What is equivocation?
PKA PKB
t1
Public-key directory
S1
S2
S2'
● s2': Leave Bob's key intact, add fake PKA' for Alice
Bob
Alice
t2'
PKA PKB PKA'
t2
PKA PKB PKB'
What is equivocation?
PKA PKB
t1
Public-key directory
S1
S2
S2'
● Alice not impersonated in her view, but Bob is.
Bob
Alice
t2'
PKA PKB PKA'
t2
PKA PKB PKB'
What is equivocation?
PKA PKB
t1
Public-key directory
S1
S2
S2'
● Bob not impersonated in his view, but Alice is.
MITM
Bob
Alice
t2'
PKA PKB PKA'
t2
PKA PKB PKB'
What is equivocation?
PKA PKB
t1
Public-key directory
S1
S2
S2'
● Obtain fake keys for each other ⇒ MITM
MITM
Bob
Alice
t2'
PKA PKB PKA'
t2
PKA PKB PKB'
Bad: "Stating different things to different people.'"
What is equivocation?
PKA PKB
t1
Public-key directory
S1
S2
S2'
Where is non-equivocation necessary?
Public-key distribution (PKD)- HTTPS- Secure messaging- "We assume a PKI."
Public-key distribution (PKD)- HTTPS- Secure messaging- "We assume a PKI."
Tor Directory Servers
Where is non-equivocation necessary?
Public-key distribution (PKD)- HTTPS- Secure messaging- "We assume a PKI."
Tor Directory Servers
Software transparency schemes- Attacks on Bitcoin binaries
Where is non-equivocation necessary?
Contributions
Contributions● Bitcoin-based append-only log,
Contributions● Bitcoin-based append-only log,
● ...as hard-to-fork as the Bitcoin blockchain
○ Want to fork? Do some work!
Contributions● Bitcoin-based append-only log,
● ...as hard-to-fork as the Bitcoin blockchain
○ Want to fork? Do some work!
● ...but efficiently auditable
Contributions● Bitcoin-based append-only log,
● ...as hard-to-fork as the Bitcoin blockchain
○ Want to fork? Do some work!
● ...but efficiently auditable
○ 600 bytes / statement (e.g., PKD digests)
○ 80 bytes / Bitcoin block
Contributions● Bitcoin-based append-only log,
● ...as hard-to-fork as the Bitcoin blockchain
○ Want to fork? Do some work!
● ...but efficiently auditable
○ 600 bytes / statement (e.g., PKD digests)
○ 80 bytes / Bitcoin block
● Java implementation (3500 SLOC)
Outline
1. Bitcoin background2. Previous work3. Catena design4. Catena scalability
Block nBlock i Block j
Bitcoin blockchain
Block nBlock i Block j
Bitcoin blockchain
● Hash chain of blocks
Block nBlock i Block j
Bitcoin blockchain
● Hash chain of blocks○ Arrows are hash pointers
Block nBlock i Block j
Bitcoin blockchain
● Hash chain of blocks○ Arrows are hash pointers
● Merkle tree of TXNs in each block
Block nBlock i Block j
Bitcoin blockchain
● Hash chain of blocks○ Arrows are hash pointers
● Merkle tree of TXNs in each block● Proof-of-work (PoW) consensus
Block nBlock i Block j
txa
Bitcoin blockchain
● Transactions mint coins
Block nBlock i Block j
Bitcoin blockchain
● Transactions mint coins● Output = # of coins and owner's PK
txa
PKA minted 4Ƀ
Block nBlock i Block j
txa
Bitcoin blockchain
PKA minted 4Ƀ
txb
PKB has 3Ƀ
● Transactions mint coins● Output = # of coins and owner's PK● Transactions transfer coins (and pay fees)
Block nBlock i Block j
txb
txa
Bitcoin blockchain
PKA minted 4Ƀ from SKA PKB has 3Ƀ
● Transactions mint coins● Output = # of coins and owner's PK● Transactions transfer coins (and pay fees)● Input = hash pointer to output & digital signature
Block nBlock i Block j
txb
txa
s1
Bitcoin blockchain
PKA minted 4Ƀ from SKA
Arbitrary statement s1
PKB has 3Ƀ
Data can be embedded in TXNs.
Block nBlock i Block j
txb
txa
Bitcoin blockchain
PKA minted 4Ƀ from SKA PKB has 3Ƀ
Alice gives Bob 3Ƀ,Bitcoin miners collected 1Ƀ as a fee.
s1
Block nBlock i Block j
txb
txc
s1
Bitcoin blockchain
PKB has 3Ƀ from SKB PKC has 2Ƀ
Bob gives Carol 2Ƀ,Bitcoin miners collected another Ƀ as a fee.
Bitcoin blockchain
Block i Block j Block n
s1
txb
txc
txc'
No double-spent coins: A TXN output can only be referred to by a single TXN input.
Moral of the story
TX1
TX2'
TX2
Proof-of-work (PoW) consensus ⇒ No double spends
Either TX2 or TX2' but not both!
Moral of the story
TX1
TX2'
TX2
Proof-of-work (PoW) consensus ⇒ No double spends
Either s2 or s2' but not both!s1
s2
s'2
Outline
1. Bitcoin background2. Previous work3. Catena design4. Catena scalability
Previous work
Block i Block j Block n
s1 s2TX TX
TX s3
Previous work
Block i Block j Block n
Need to download full blocks to find
inconsistent s'3
s1 s2TX TX
TX s3
TX s'3
Our work
Block i Block j Block n
s1 s2TX TX
TX s3
TX s'3
No inconsistent s'3 as it would require a
double-spend!
Previous work
Block i Block j Block n
s1 s2TX TX
TX s3
TX s'3
Our work
Block i Block j Block n
s1 s2TX TX
TX s3
TX s'3
Outline
1. Bitcoin background2. Previous work3. Catena design4. Catena scalability
Catena log server
Server's funds
Starting a Catena log
GTX
Block i
Genesis TXNCatena
log server
Starting a Catena log
● Genesis TXN (GTX) = log's "public key"● Coins from server back to server (minus fees)
s1GTX
Block i Block j
Catena log server
TX1
Appending to a Catena log
● TX1 "spends" GTX's output, publishes s1● Coins from server back to server (minus fees)● Inconsistent s1' would require a double-spend
s1GTX TX1
Block i Block j
s2TX2
Block n
Catena log server
Appending to a Catena log
● TX2 "spends" TX1's output, publishes s2● Coins from server back to server (minus fees)● Inconsistent s2' would require a double-spend
s1GTX
Block i Block j
Catena log server
s2
Block n
Next,
unique s3
TX1 TX2
Appending to a Catena log
● Server is compromised, still cannot equivocate.
s1GTX
Block i Block j
Catena log server
s2
Block n
Next,
unique s3
Advantages: (1) Hard to fork (2) Efficient to verify
TX1 TX2
Appending to a Catena log
s1GTX
Block i Block j
Catena log server
s2
Block n
Advantages: (1) Hard to fork (2) Efficient to verify
Disadvantages: (1) 6-block confirmation delay(2) 1 statement every 10 minutes(3) Must pay Bitcoin TXN fees
TX1 TX2
Next,
unique s3
Appending to a Catena log
Efficient auditing
Efficient auditing
Catena log server
Catena client
Efficient auditing
Catena log server
Catena client
Bitcoin P2P(7000 nodes)
Efficient auditing
Catena log server
Catena client
Header i
GTX
Bitcoin P2P(7000 nodes)
Catena log server
Catena client
Header i
GTX
Bitcoin P2P(7000 nodes)
Q: Next block header(s)?
Efficient auditing
Catena log server
Catena client
Header i
GTX
Bitcoin P2P(7000 nodes)
Header i+1 Header j
Efficient auditing
80 bytes each
Catena log server
Catena client
Header i Header j
GTX
Bitcoin P2P(7000 nodes)
Efficient auditing
Catena log server
Catena client
Header i Header j
GTX
Bitcoin P2P(7000 nodes)
Q: What is s1 in the log?
Efficient auditing
Catena log server
Catena client
Header i Header j
GTX
Bitcoin P2P(7000 nodes)
TX1 s1
Efficient auditing
600 bytes
Catena log server
Catena client
Header i Header j
TX1 s1GTX
Bitcoin P2P(7000 nodes)
Efficient auditing
Catena log server
Catena client
Header i Header j
TX1 s1GTX
Bitcoin P2P(7000 nodes)
Q: Next block header(s)?
Efficient auditing
Catena log server
Catena client
Header i Header j
TX1 s1GTX
Bitcoin P2P(7000 nodes)
Header j+1 Header n
Efficient auditing
Catena log server
Catena client
Header i Header j Header n
TX1 s1GTX
Bitcoin P2P(7000 nodes)
Efficient auditing
Catena log server
Catena client
Header i Header j Header n
TX1 s1GTX
Bitcoin P2P(7000 nodes)
Q: What is s2 in the log?
Efficient auditing
Catena log server
Catena client
Header i Header j Header n
TX1 s1GTX
Bitcoin P2P(7000 nodes) TX2 s2
Efficient auditing
Catena log server
Catena client
Header i Header j Header n
TX1 s1GTX TX2 s2
Bitcoin P2P(7000 nodes)
Efficient auditing
Auditing bandwidth
e.g., 460K block headers + 10K statements = ~41 MB (80 bytes each) (around 600 bytes each)
Outline
1. Bitcoin background2. Previous work3. Catena design4. Catena scalability
Catena scalability
Catena client 2
Catena client 1
Catena client 100,000?
...
P2P~7000 full nodes
Supports up to ~819,000 incoming connections
P2P~7000 full nodes
Supports up to ~819,000 incoming connections
Catena scalability
Catena client 2
Catena client 1
Catena client 100,000?
Q: Next block header(s)?
...
Q: Next block header(s)?
Q: Next block header(s)?
Catena scalability
P2P~7000 full nodes
Supports up to ~819,000 incoming connections
Q: Next block header(s)?
Catena client 2
Catena client 1
Catena client 100,000?
Q: Next block header(s)?
Q: Next block header(s)?
...
100,000 Catena clients ⇒ "Unintended" DDoS
attack on Bitcoin.
Catena scalability
Header Relay Network (HRN)Volunteer nodes
Blockchain explorersFacebook, Twitter, GitHub,
etc.
...
P2P
Header 1 Header n
Catena client 2
Catena client 1
Catena client 100,000
Catena scalability
Header Relay Network (HRN)Volunteer nodes
Blockchain explorersFacebook, Twitter, GitHub,
etc.
Q: Next block header(s)?
...
P2P
Header 1 Header n
Catena client 2
Catena client 1
Catena client 100,000
Q: Next block header(s)?
Q: Next block header(s)?
Q: Next block header(s)?
Q: Next block header(s)?
Q: Next block header(s)?
Catena scalability
Header Relay Network (HRN)Volunteer nodes
Blockchain explorersFacebook, Twitter, GitHub,
etc.
...
P2P
Header 1 Header n
Catena client 2
Catena client 1
Catena client 100,000
Conclusions
Conclusions
What we did: - Enabled applications to efficiently leverage Bitcoin's
publicly-verifiable consensus- Download transactions selectively rather than full blockchain- ~41 MB instead of gigabytes of bandwidth
Conclusions
What we did: - Enabled applications to efficiently leverage Bitcoin's
publicly-verifiable consensus- Download transactions selectively rather than full blockchain- ~41 MB instead of gigabytes of bandwidth
Why it matters:- Public-key directories for HTTPS and secure messaging- Tor Consensus Transparency- Software transparency schemes- Turn fork consistency into full consistency
Conclusions
What we did: - Enabled applications to efficiently leverage Bitcoin's
publicly-verifiable consensus- Download transactions selectively rather than full blockchain- ~41 MB instead of gigabytes of bandwidth
Why it matters:- Public-key directories for HTTPS and secure messaging- Tor Consensus Transparency- Software transparency schemes- Turn fork consistency into full consistency
For more, read our paper!
Ask me questions!
Block j Block n
s1 s2
s'3
Block i Block j Block n
s1 s2
s3
s'3
s3
Block i
No inconsistent s'3 as it would require
a double-spend!
Need to download full blocks to find
inconsistent s'3
Prev
ious
wor
kC
aten
ahttps://github.com/alinush/catena-java
Extra slides
Payment T
Xs
Bitcoin: The full picture
blocki
A ➝ ,95K
A ➝ ,95K
B ➝ A, $100K
Peer-to-peer network
Miners
A
Customers Merchants
Payment
verificationA ➝ , $95K
blockj
A ➝ , $95K
Catena transaction format
txi"Change" coins back to server(public key)
Unspendable OP_RETURN output with arbitrary data
Coins from server for paying TX fees(digital signature)
A single spendable output ⇒ No forks txjtxi
txk
<data>
BKD: A Bitcoin-backed PKD
Catena: Hard-to-fork, append-only log (Bitcoin-backed)
A B
A' B'
E D
A" B" D'C
TX TXTX
t1t3t2
BKD: Hard-to-fork public-key directory (Catena-backed)
Block n'
Bitcoin blockchain
Block i Block j
Blockchain forks ⇔ Double-spent coins
Block n
s1
txb
txc
txc'
Previous work"Liar, liar, coins on fire!" (CCS '15)
tx1
Previous work"Liar, liar, coins on fire!" (CCS '15)
tx1[0] = (2Ƀ, PK)
SK, PK
tx1
Previous work"Liar, liar, coins on fire!" (CCS '15)
tx1[0] = (2Ƀ, PK)
SK, PK
signSK(i, s)
signSK(i, s')
tx1
Previous work"Liar, liar, coins on fire!" (CCS '15)
SK, PK
signSK(i, s)
signSK(i, s')
extractSK()secret key SK
tx2tx1
Previous work"Liar, liar, coins on fire!" (CCS '15)
SIGSK(tx1[0], tx2) tx2[0] = (2Ƀ, PK')
SK, PK
extractSK()secret key SK
signSK(i, s)
signSK(i, s')
tx2tx1
Previous work"Liar, liar, coins on fire!" (CCS '15)
SK, PK
Disincentivizes equivocation by locking Bitcoin funds under SK.Does not prevent equivocation by malicious outsiders!
tx2[0] = (2Ƀ, PK')SIGSK(tx1[0], tx2)