catena: preventing lies withrjwalls/nesd/slides/catena...catena: preventing lies with alin tomescu...
TRANSCRIPT
![Page 1: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/1.jpg)
Catena: Preventing Lies with
Alin [email protected]
MIT CSAIL
November 28th, 2016
Srinivas [email protected]
MIT CSAIL
New England Security Day (NESD), Fall '16
![Page 2: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/2.jpg)
The problem: Equivocation
![Page 3: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/3.jpg)
The problem: Equivocation
Good: "Stating the same thing to all people."
Public-key directory
PKA PKB
Bob
Alice
Statement S
![Page 4: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/4.jpg)
Public-key directory
BobPK'A PKB
Bad: "Stating different things to different people.'"
The problem: Equivocation
Statement S
![Page 5: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/5.jpg)
Public-key directory
PKA PK'BAlice
BobPK'A PKB
Bad: "Stating different things to different people.'"
The problem: Equivocation
Statement S
Statement S'
![Page 6: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/6.jpg)
Public-key directory
BobPK'A PKB
PKA PK'BAlice
MITM
Bad: "Stating different things to different people.'"
The problem: Equivocation
Statement S
Statement S'
![Page 7: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/7.jpg)
Why is non-equivocation important?
![Page 8: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/8.jpg)
Why is non-equivocation important?
Public-key distribution- HTTPS- Secure messaging- Security research often assumes a PKI
![Page 9: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/9.jpg)
Why is non-equivocation important?
Public-key distribution- HTTPS- Secure messaging- Security research often assumes a PKI
Tor Directory Servers
![Page 10: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/10.jpg)
Why is non-equivocation important?
Public-key distribution- HTTPS- Secure messaging- Security research often assumes a PKI
Tor Directory Servers
Software transparency schemes- Apple vs. FBI
![Page 11: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/11.jpg)
Previous work
![Page 12: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/12.jpg)
Previous work
Can detect, but not prevent equivocation with gossip.
![Page 13: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/13.jpg)
Previous work
Can detect, but not prevent equivocation with gossip.
Must download 90 GB of blockchain data.
![Page 14: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/14.jpg)
Previous work
CoSi(S&P '16)
Can detect, but not prevent equivocation with gossip.
Must download 90 GB of blockchain data.
Requires a large, diverse, trustworthy set of witnesses.
![Page 15: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/15.jpg)
Previous work
CoSi
"Liar, liar, coins on fire!" (CCS '15)
(S&P '16)
Can detect, but not prevent equivocation with gossip.
Must download 90 GB of blockchain data.
Requires a large, diverse, trustworthy set of witnesses.
Only disincentivizes equivocation. Vulnerable to malicious outsiders.
![Page 16: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/16.jpg)
Key idea
![Page 17: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/17.jpg)
Key ideaEfficiently use Bitcoin's mechanism that prevents double spends as a proof of non-equivocation.
![Page 18: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/18.jpg)
Key idea
TX1
TX'2
TX2
Efficiently use Bitcoin's mechanism that prevents double spends as a proof of non-equivocation.
![Page 19: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/19.jpg)
Key idea
TX1
TX'2
TX2
Efficiently use Bitcoin's mechanism that prevents double spends as a proof of non-equivocation.
s1
s2
s'2
![Page 20: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/20.jpg)
Results- Bitcoin-based tamper-evident log
![Page 21: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/21.jpg)
Results- Bitcoin-based tamper-evident log- As hard-to-fork as the Bitcoin blockchain
![Page 22: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/22.jpg)
Results- Bitcoin-based tamper-evident log- As hard-to-fork as the Bitcoin blockchain- Efficient to audit: 620 bytes / statement + 80 bytes / block
![Page 23: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/23.jpg)
Results- Bitcoin-based tamper-evident log- As hard-to-fork as the Bitcoin blockchain- Efficient to audit: 620 bytes / statement + 80 bytes / block
Java implem
entation
in 3500 SLOC
![Page 24: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/24.jpg)
Bitcoin transactions
![Page 25: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/25.jpg)
Bitcoin transactions
1. Generate coins (assigns them to a PK)
TXa
![Page 26: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/26.jpg)
Bitcoin transactions
1. Generate coins (assigns them to a PK)
TXa
〈2Ƀ, PK〉
![Page 27: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/27.jpg)
Bitcoin transactions
1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a
signature under old PK)
TXa TXb
〈2Ƀ, PK〉
![Page 28: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/28.jpg)
Bitcoin transactions
1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a
signature under old PK)
TXa TXb
SigPK(TXa:0, TXb)〈2Ƀ, PK〉
![Page 29: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/29.jpg)
Bitcoin transactions
1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a
signature under old PK)
TXa TXb
〈2Ƀ, PK〉 〈1Ƀ, PK'〉SigPK(TXa:0, TXb)
![Page 30: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/30.jpg)
Bitcoin transactions
1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a
signature under old PK)
TXa TXb
1Ƀ TX fee!
〈2Ƀ, PK〉 〈1Ƀ, PK'〉SigPK(TXa:0, TXb)
![Page 31: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/31.jpg)
Bitcoin transactions
1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a
signature under old PK)
TXi
TXa TXb
![Page 32: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/32.jpg)
Bitcoin transactions
1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a
signature under old PK)
TXi
TXa TXb
![Page 33: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/33.jpg)
Bitcoin transactions
1. Generate coins (assigns them to a PK)2. Transfer coins (reassign to a new PK via a
signature under old PK)
TXi
TXa TXb
![Page 34: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/34.jpg)
Bitcoin blockchain
![Page 35: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/35.jpg)
Bitcoin blockchain
Block i Block j Block n
1. The time-ordered log of valid transactions (PoW consensus)
![Page 36: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/36.jpg)
txitxjtxa
Bitcoin blockchain
Block i Block j Block n
1. The time-ordered log of valid transactions (PoW consensus)
txb
![Page 37: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/37.jpg)
txitxjtxa
txb
Bitcoin blockchain
Block i Block j Block n
1. The time-ordered log of valid transactions (PoW consensus)2. No double spends: A transaction output can only be referred
to by a single transaction input.
![Page 38: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/38.jpg)
Bitcoin blockchain
txitxjtxa
txk
Block i Block j Block n
1. The time-ordered log of valid transactions (PoW consensus)2. No double spends: A transaction output can only be referred
to by a single transaction input.
txb
![Page 39: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/39.jpg)
Bitcoin blockchain
txitxjtxa
txk
Block i Block j
1. The time-ordered log of valid transactions (PoW consensus)2. No double spends: A transaction output can only be referred
to by a single transaction input.
txb
Blockchain forks ⇔ Double-spent coinsBlock n'
Block n
![Page 40: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/40.jpg)
Catena transaction format
![Page 41: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/41.jpg)
Catena transaction format
txi
<data>
![Page 42: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/42.jpg)
Catena transaction format
txi
<data>
Coins from server for paying TX fees(digital signature)
![Page 43: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/43.jpg)
Catena transaction format
txi
<data>
"Change" coins back to server(public key)
Coins from server for paying TX fees(digital signature)
![Page 44: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/44.jpg)
Catena transaction format
txi"Change" coins back to server(public key)
Unspendable OP_RETURN output with arbitrary data
Coins from server for paying TX fees(digital signature)
<data>
![Page 45: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/45.jpg)
Catena transaction format
txi"Change" coins back to server(public key)
Unspendable OP_RETURN output with arbitrary data
Coins from server for paying TX fees(digital signature)
A single spendable output ⇒ No forks txjtxi
txk
<data>
![Page 46: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/46.jpg)
Catena log server
Catena design
Transaction fee funds
![Page 47: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/47.jpg)
GTX
Block i
Catena design
Genesis TXNCatena
log server
n
![Page 48: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/48.jpg)
s1GTX
Block i Block j
Catena design
Catena log server
n TX1
![Page 49: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/49.jpg)
n s1GTX TX1
Block i Block j
Catena design
s2TX2
Block n
Catena log server
![Page 50: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/50.jpg)
s1GTX
Block i Block j
Catena log server
Catena design
s2
Block n
Next,
unique s3
n TX1 TX2
![Page 51: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/51.jpg)
s1GTX
Block i Block j
Catena log server
Catena design
s2
Block n
Next,
unique s3
Advantages: (1) Hard to fork (2) Efficient to verify
n TX1 TX2
![Page 52: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/52.jpg)
s1GTX
Block i Block j
Catena log server
Catena design
s2
Block n
Advantages: (1) Hard to fork (2) Efficient to verify
Disadvantages: (1) 6-block confirmation delay(2) 1 statement every 10 minutes
n TX1 TX2
Next,
unique s3
![Page 53: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/53.jpg)
Client bandwidth
![Page 54: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/54.jpg)
Client bandwidth
n block headers + k statements(80 bytes each) (around 600 bytes each)
![Page 55: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/55.jpg)
Client bandwidth
e.g., 440K block headers + 10K statements = ~41 MB (80 bytes each) (around 600 bytes each)
![Page 56: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/56.jpg)
Conclusions
- Efficient Bitcoin witnessing is possible!- ~40 MB instead of 90 GB bandwidth overhead
![Page 57: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/57.jpg)
Conclusions
- Efficient Bitcoin witnessing is possible!- ~40 MB instead of 90 GB bandwidth overhead
- Important applications- Public-key directories- Tor Consensus Transparency- Software transparency schemes
![Page 58: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/58.jpg)
Conclusions
- Efficient Bitcoin witnessing is possible!- ~40 MB instead of 90 GB bandwidth overhead
- Important applications- Public-key directories- Tor Consensus Transparency- Software transparency schemes
- Publicly-verifiable consensus like Bitcoin should be leveraged by applications, efficiently.
![Page 59: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/59.jpg)
The end.
![Page 60: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/60.jpg)
Extra slides...just in case.
![Page 61: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/61.jpg)
Catena: Preventing forks
s0 s1TX TX
TX
Block i Block j
s2TX
s'2
Catena log server
Block n
Invalid block: Breaks miner-enforced TXO invariant.
Attacker has to create an invalid block n to fork the log ⇒ Attacker has to fork Bitcoin.
![Page 62: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/62.jpg)
Catena: Preventing forks
s0 s1TX TX
TX
Block i Block j
s2TX
s'2
Catena log server
Block n'
Block n
Malicious blockchain fork.
Attacker has to fork Bitcoin. Attacker needs to mine at least 6 blocks on one of the forks.
![Page 63: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/63.jpg)
Key idea
Q: How can we prove to a thin client that there's no s'2?
s0 s1TX TX
Block i Block j
TX
s2TX
s'2
Block k
![Page 64: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/64.jpg)
s0 s1TX TX
TX
Block i Block j
s2TX
s'2
Violates Bitcoin's security against double spends.
Catena log server
Key idea
Q: How can we prove to a thin client that there's no s'2?A: Leverage Bitcoin's mechanism against double-spends!
![Page 65: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/65.jpg)
Graveyard...where old slides rest in peace.
![Page 66: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/66.jpg)
Bitcoin background
prev: H( block1 )txns: H( merkle2 )
prev: H( block2 )txns: H( merkle3 )
block2 block3
prev: nulltxns: H( merkle1 )
genesis block1
Membership proof for tx1
tx1
tx1e.g., 2Ƀ for PKDan
TX output:Coins and PKs
![Page 67: Catena: Preventing Lies withrjwalls/nesd/slides/catena...Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL November 28th, 2016 Srinivas Devadas devadas@mit.edu MIT](https://reader035.vdocuments.site/reader035/viewer/2022062603/5f15d7d996efb572ac5c721f/html5/thumbnails/67.jpg)
Bitcoin background
prev: H( block1 )txns: H( merkle2 )
prev: H( block2 )txns: H( merkle3 )
block2 block3
prev: nulltxns: H( merkle1 )
genesis block1
Membership proof for tx2
tx2txd
txa
txb
txc
3Ƀ for PKEva(unspent)
tx2
TX inputs:Signatures
Carol's signature under her PK
2Ƀ for PKDan(spent)
PKCarol