Transcript
Page 1: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena: Efficient Non-equivocation via Bitcoin

Alin [email protected]

Srinivas [email protected]

Wednesday, Feb. 28th, 2018 MAS.S62

1

Page 2: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Overview

1. What?2. How?3. Why?

2

Page 3: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Malicious service

Bob

Alice

Non-equivocation: "Saying the same thing to everybody."

The equivocation problem

S1 S2 S3

Might be false, but everybody sees it.

Various clip art images in this document © unknown. All rights reserved. This content is excluded from our Creative Commons license. For more information, see https://ocw.mit.edu/fairuse.

3

Page 4: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Malicious service

Bob

Alice

Equivocation: "Saying different things to different people."

The equivocation problem

S1 S2 S3

S4

S'4

4

Page 5: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Jimmy

Dad

Mom

Equivocation: "Saying different things to different people."

The equivocation problem

S1 S2 S3

S4

S'4

5

Page 6: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Jimmy

Dad

Mom

Equivocation: "Saying different things to different people."

The equivocation problem

S1 S2 S3

S4

S'4

"Mom said I can go outside…"

6

Page 7: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Jimmy

Dad

Mom

Equivocation: "Saying different things to different people."

The equivocation problem

S1 S2 S3

S4

S'4

"Mom said I can go outside…"

"Dad said I can go outside…"

7

Page 8: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Alice

t2

PKA PKB PKB'

What is equivocation?

PKA PKB

t1

Public-key directory

S1

S2

● s2: Leave Alice's key intact, add fake PKB' for Bob

8

Page 9: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Alice

t2

PKA PKB PKB'

What is equivocation?

PKA PKB

t1

Public-key directory

S1

S2

● s2: Leave Alice's key intact, add fake PKB' for Bob

9

Page 10: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Bob

Alice

t2'

PKA PKB PKA'

t2

PKA PKB PKB'

What is equivocation?

PKA PKB

t1

Public-key directory

S1

S2

S2'

● s2': Leave Bob's key intact, add fake PKA' for Alice

10

Page 11: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Bob

Alice

t2'

PKA PKB PKA'

t2

PKA PKB PKB'

What is equivocation?

PKA PKB

t1

Public-key directory

S1

S2

S2'

● Alice not impersonated in her view, but Bob is.

11

Page 12: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Bob

Alice

t2'

PKA PKB PKA'

t2

PKA PKB PKB'

What is equivocation?

PKA PKB

t1

Public-key directory

S1

S2

S2'

● Bob not impersonated in his view, but Alice is.

12

Page 13: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

MITM

Bob

Alice

t2'

PKA PKB PKA'

t2

PKA PKB PKB'

What is equivocation?

PKA PKB

t1

Public-key directory

S1

S2

S2'

● Obtain fake keys for each other ⇒ MITM

13

Page 14: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

MITM

Bob

Alice

t2'

PKA PKB PKA'

t2

PKA PKB PKB'

Bad: "Stating different things to different people.'"

What is equivocation?

PKA PKB

t1

Public-key directory

S1

S2

S2'

14

Page 15: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Malicious service with

Catena

Bob

Alice

Catena prevents equivocation!

S1 S2 S3

Damn.

15

Page 16: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Malicious service with

Catena

Bob

Alice

Catena prevents equivocation!

S1 S2 S3

I gotta show Alice and Bob the same S4...

S4

16

Page 17: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Secure software update- Attacks on Bitcoin binaries

Secure messaging- HTTPS- "We assume a PKI."

So what?

17

Page 18: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Secure software update- Attacks on Bitcoin binaries

Secure messaging- HTTPS- "We assume a PKI."

"Blockchain" for X

So what?

18

Page 19: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

10,000 feet view● Bitcoin-based append-only log,

○ Generalizes to other cryptocurrencies

● ...as hard-to-fork as the Bitcoin blockchain

○ Want to fork? Do some work!

● ...but efficiently auditable

○ 600 bytes / statement (but can batch!)

○ 80 bytes / Bitcoin block

● Java implementation (3500 SLOC)

○ https://github.com/alinush/catena-java

19

Page 20: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Overview

1. What?2. How?

a. Bitcoin background3. Why?

20

Page 21: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Block nBlock i Block j

Bitcoin blockchain

● Hash chain of blocks○ Arrows are hash pointers

● Merkle tree of TXNs in each block● Proof-of-work (PoW) consensus

21

Page 22: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Block nBlock i Block j

txa

Bitcoin blockchain

● Transactions mint coins

22

Page 23: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Block nBlock i Block j

Bitcoin blockchain

● Transactions mint coins● Output = # of coins and owner's PK

txa

PKA minted 4Ƀ

23

Page 24: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Block nBlock i Block j

txa

Bitcoin blockchain

PKA minted 4Ƀ

txb

PKB has 3Ƀ

● Transactions mint coins● Output = # of coins and owner's PK● Transactions transfer coins (and pay fees)

24

Page 25: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Block nBlock i Block j

txb

txa

Bitcoin blockchain

PKA minted 4Ƀ from SKA PKB has 3Ƀ

● Transactions mint coins● Output = # of coins and owner's PK● Transactions transfer coins (and pay fees)● Input = hash pointer to output + digital signature

25

Page 26: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Block nBlock i Block j

txb

txa

Bitcoin blockchain

PKA minted 4Ƀ from SKA PKB has 3Ƀ

● Transactions mint coins● Output = # of coins and owner's PK● Transactions transfer coins (and pay fees)● Input = hash pointer to output + digital signature

txb "spends" txa's first output

26

Page 27: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Block nBlock i Block j

txb

txa

s1

Bitcoin blockchain

PKA minted 4Ƀ from SKA

Arbitrary statement s1

PKB has 3Ƀ

Data can be embedded in TXNs.

27

Page 28: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Block nBlock i Block j

txb

txa

Bitcoin blockchain

PKA minted 4Ƀ from SKA PKB has 3Ƀ

Alice gives Bob 3Ƀ,Bitcoin miners collected 1Ƀ as a fee.

s1

28

Page 29: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Block nBlock i Block j

txb

txc

s1

Bitcoin blockchain

PKB has 3Ƀ from SKB PKC has 2Ƀ

Bob gives Carol 2Ƀ,Bitcoin miners collected another Ƀ as a fee.

29

Page 30: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Bitcoin blockchain

Block i Block j Block n

s1

txb

txc

txc'

No double-spent coins: A TXN output can only be referred to by a single TXN input.

30

Page 31: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Moral of the story

TX1

TX2'

TX2

Proof-of-work (PoW) consensus ⇒ No double spends

Either TX2 or TX2' but not both!

31

Page 32: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Moral of the story

TX1

TX2'

TX2

Proof-of-work (PoW) consensus ⇒ No double spends

Either s2 or s2' but not both!s1

s2

s'2

32

Page 33: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Overview

1. What?2. How?

a. Bitcoin backgroundb. Previous work

3. Why?

33

Page 34: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Previous work

Block i Block j Block n

s1 s2TX TX

TX s3

34

Page 35: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Previous work

Block i Block j Block n

Need to download full blocks to find

inconsistent s'3

s1 s2TX TX

TX s3

TX s'3

35

Page 36: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Previous work

Block i Block j Block n

...or trust majority of nodes to not hide

statements.

s1 s2TX TX

TX s3

TX s'3

36

Page 37: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Our work

Block i Block j Block n

s1 s2TX TX

TX s3

TX s'3

No inconsistent s'3 as it would require a

double-spend!

37

Page 38: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Previous work

Block i Block j Block n

s1 s2TX TX

TX s3

TX s'3

38

Page 39: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Our work

Block i Block j Block n

s1 s2TX TX

TX s3

TX s'3

39

Page 40: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Overview

1. What?2. How?

a. Bitcoin backgroundb. Previous workc. Design

3. Why?

40

Page 41: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

GTX

Block i

Genesis TXNCatena

log server

Starting a Catena log

● Genesis TXN (GTX) = log's "public key"● Coins from server back to server (minus fees)

41

Page 42: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

s1GTX

Block i Block j

Catena log server

TX1

Appending to a Catena log

● TX1 "spends" GTX's output, publishes s1● Coins from server back to server (minus fees)● Inconsistent s1' would require a double-spend

42

Page 43: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

s1GTX TX1

Block i Block j

s2TX2

Block n

Catena log server

Appending to a Catena log

● TX2 "spends" TX1's output, publishes s2● Coins from server back to server (minus fees)● Inconsistent s2' would require a double-spend

43

Page 44: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

s1GTX

Block i Block j

Catena log server

s2

Block n

Next,

unique s3

TX1 TX2

Appending to a Catena log

● Server is compromised, still cannot equivocate.

44

Page 45: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

s1GTX

Block i Block j

Catena log server

s2

Block n

Next,

unique s3

TX1 TX2

Appending to a Catena log

Advantages: (1) Hard to fork(2) Efficient to verify

45

Page 46: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

s1GTX

Block i Block j

Catena log server

s2

Block n

Advantages: (1) Hard to fork (2) Efficient to verify

Disadvantages: (1) 6-block confirmation delay

TX1 TX2

Next,

unique s3

Appending to a Catena log

46

Page 47: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

s1GTX

Block i Block j

Catena log server

s2

Block n

Advantages: (1) Hard to fork (2) Efficient to verify

Disadvantages: (1) 6-block confirmation delay(2) 1 statement every 10 minutes

TX1 TX2

Next,

unique s3

Appending to a Catena log

47

Page 48: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

s1GTX

Block i Block j

Catena log server

s2

Block n

Advantages: (1) Hard to fork (2) Efficient to verify

Disadvantages: (1) 6-block confirmation delay(2) 1 statement every 10 minutes(3) Must pay Bitcoin TXN fees

TX1 TX2

Next,

unique s3

Appending to a Catena log

48

Page 49: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

s1GTX

Block i Block j

Catena log server

s2

Block n

Advantages: (1) Hard to fork (2) Efficient to verify

Disadvantages: (1) 6-block confirmation delay(2) 1 statement every 10 minutes(3) Must pay Bitcoin TXN fees(4) No freshness guarantee

TX1 TX2

Next,

unique s3

Appending to a Catena log

49

Page 50: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Overview

1. Catena: What?2. Catena: How?

a. Bitcoin backgroundb. Previous workc. Designd. Efficient auditing

3. Potentially-interesting applications

50

Page 51: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Efficient auditing

Catena log server

Catena client

Header i

GTX

Bitcoin P2P(11,500 nodes)

51

Page 52: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena log server

Catena client

Header i

GTX

Bitcoin P2P(11,500 nodes)

Q: Next block header(s)?

Efficient auditing

52

Page 53: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena log server

Catena client

Header i

GTX

Bitcoin P2P(11,500 nodes)

Header i+1 Header j

Efficient auditing

80 bytes each

53

Page 54: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena log server

Catena client

Header i Header j

GTX

Bitcoin P2P(11,500 nodes)

Efficient auditing

54

Page 55: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena log server

Catena client

Header i Header j

GTX

Bitcoin P2P(11,500 nodes)

Q: What is s1 in the log?

Efficient auditing

55

Page 56: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena log server

Catena client

Header i Header j

GTX

Bitcoin P2P(11,500 nodes)

TX1 s1

Efficient auditing

600 bytes 56

Page 57: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena log server

Catena client

Header i Header j

TX1 s1GTX

Efficient auditing

Bitcoin P2P(11,500 nodes)

57

Page 58: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena log server

Catena client

Header i Header j

TX1 s1GTX

Q: Next block header(s)?

Efficient auditing

Bitcoin P2P(11,500 nodes)

58

Page 59: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena log server

Catena client

Header i Header j

TX1 s1GTX

Header j+1 Header n

Efficient auditing

Bitcoin P2P(11,500 nodes)

59

Page 60: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena log server

Catena client

Header i Header j Header n

TX1 s1GTX

Efficient auditing

Bitcoin P2P(11,500 nodes)

60

Page 61: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena log server

Catena client

Header i Header j Header n

TX1 s1GTX

Q: What is s2 in the log?

Efficient auditing

Bitcoin P2P(11,500 nodes)

61

Page 62: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena log server

Catena client

Header i Header j Header n

TX1 s1GTX

TX2 s2

Efficient auditing

Bitcoin P2P(11,500 nodes)

62

Page 63: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena log server

Catena client

Header i Header j Header n

TX1 s1GTX TX2 s2

Efficient auditing

Bitcoin P2P(11,500 nodes)

63

Page 64: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Auditing bandwidth

e.g., 500K block headers + 10K statements = ~46 MB (80 bytes each) (around 600 bytes each)

64

Page 65: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Overview

1. What?2. How?

a. Bitcoin backgroundb. Previous workc. Designd. Efficient auditinge. Scalability

3. Why?

65

Page 66: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena scalability

Catena client 2

Catena client 1

Catena client 200,000?

...

P2P>11,500 full nodes

Supports up to ~1,345,500 incoming connections

Source: https://bitnodes.earn.com/ 66

Page 67: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena scalability

Catena client 2

Catena client 1

Catena client 200,000?

Q: Next block header(s)?

...

Q: Next block header(s)?

Q: Next block header(s)?

P2P>11,500 full nodes

Supports up to ~1,345,500 incoming connections

Source: https://bitnodes.earn.com/ 67

Page 68: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena scalability

Q: Next block header(s)?

Catena client 2

Catena client 1

Catena client 200,000?

Q: Next block header(s)?

Q: Next block header(s)?

...

200,000 Catena clients ⇒ "Accidental" DDoS

attack on Bitcoin.

P2P>11,500 full nodes

Supports up to ~1,345,500 incoming connections

Source: https://bitnodes.earn.com/ 68

Page 69: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena scalability

Header Relay Network (HRN)Volunteer nodes

Blockchain explorersFacebook, Twitter, GitHub,

etc.

...

P2P

Header 1 Header n

Catena client 2

Catena client 1

Catena client 200,00069

Page 70: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Catena scalability

Header Relay Network (HRN)Volunteer nodes

Blockchain explorersFacebook, Twitter, GitHub,

etc.

Q: Next block header(s)?

...

P2P

Header 1 Header n

Catena client 2

Catena client 1

Catena client 200,000

Q: Next block header(s)?

Q: Next block header(s)?

70

Page 71: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Q: Next block header(s)?

Q: Next block header(s)?

Q: Next block header(s)?

Catena scalability

Header Relay Network (HRN)Volunteer nodes

Blockchain explorersFacebook, Twitter, GitHub,

etc.

...

P2P

Header 1 Header n

Catena client 2

Catena client 1

Catena client 200,00071

Page 72: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

The cost of a statement

To append a statement, must issue TXN and pay fee.

TXN size: 235-byteFee as of Dec 13th, 2017: $16.24 (10 mins)Fee as of Feb 28th, 2017: $0.78 (10 mins)

PS: Statements can be "batched" using Merkle trees.

Latest fees: https://bitcoinfees.info/ 72

Page 73: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Overview

1. What?2. How?3. Why?

a. Secure software update

73

Page 74: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Secure software update

Example attack: (1) Compromise bitcoin.org (or the network)(2) Change the Bitcoin binary to your malicious binary(3) Wait for people to install your malicious Bitcoin binary(4) Steal their coins, steal their data, etc.Example: bitcoin.org, "0.13.0 Binary Safety Warning," August 17th, 2016

Typical defense: Devs sign Bitcoin binaries with SK and protect SK.Problem: (1) Not everyone checks sig. (2) Hard to detect stolen SK.Solution: Publish signatures in a Catena log ⇒ Can at least detect.

74

Page 75: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Software transparency to the rescue

h1GTX

Block i Block j

Catena log for Bitcoin binaries

h1 = SHA256(bitcoin-0.0.1.tar.gz)

75

Page 76: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Software transparency to the rescue

h1GTX

Block i Block j

h2'

Block n

h1 = SHA256(bitcoin-0.0.1.tar.gz)h2' = SHA256(evilcoin-0.0.2.tar.gz)

Catena log for Bitcoin binaries

76

Page 77: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Software transparency to the rescue

h1GTX

Block i Block j

h2'

Block n

Catena log for Bitcoin binaries

h1 = SHA256(bitcoin-0.0.1.tar.gz)h2' = SHA256(evilcoin-0.0.2.tar.gz)h2 = SHA256(bitcoin-0.0.2.tar.gz)

h2

77

Page 78: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Software transparency to the rescue

h1GTX

Block i Block j

h2'

Block n

Catena log for Bitcoin binaries

h1 = SHA256(bitcoin-0.0.1.tar.gz)h2' = SHA256(evilcoin-0.0.2.tar.gz)h2 = SHA256(bitcoin-0.0.2.tar.gz)

h2

Must double-spend to equivocate!

78

Page 79: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Overview

1. What?2. How?3. Why?

a. Secure software updateb. Secure messaging

79

Page 80: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Public-key distribution

A = {Alice, PKA}, SKA B = {Bob, PKB}, SKB

A B

t1

80

Page 81: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Public-key distribution

A = {Alice, PKA}, SKA B = {Bob, PKB}, SKB

C A

E D

B

A B

t1

t2

81

Page 82: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Public-key distribution

A = {Alice, PKA}, SKA B = {Bob, PKB}, SKB

C A

E D

B

A B

t1

A' = {Alice, PKM}, SKMB' = {Bob, PKM}, SKM

t2

A' B'

t3

82

Page 83: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Public-key distribution

A = {Alice, PKA}, SKA B = {Bob, PKB}, SKB

C A

E D

B

A B

t1

A' = {Alice, PKM}, SKMB' = {Bob, PKM}, SKM

t2

A' B'

t3

I've been impersonated!

I've been impersonated!

83

Page 84: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Public-key distribution

A = {Alice, PKA}, SKA B = {Bob, PKB}, SKB

C A

E D

B

A B

t1

A' = {Alice, PKM}, SKMB' = {Bob, PKM}, SKM

t2

A' B'

t3

I've been impersonated!

I've been impersonated!

84

Page 85: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Public-key distribution

A = {Alice, PKA}, SKA B = {Bob, PKB}, SKB

C A

E D

B

A B

t1

A' = {Alice, PKM}, SKMB' = {Bob, PKM}, SKM

A' B

t3

A B'

t3'

t2

I'm not impersonated.

I'm not impersonated.

85

Page 86: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

KeyChat

C B

E D

A

B A

t1B' A

t3

B A'

t3'

t2

Block i Block j Block n

t1 t2

t3

t'3

Publishing t'3 and t3 would require a double-spend!

Idea: Store t1, t2, ..., tn in a Catena log.

86

Page 87: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Overview

1. What?2. How?3. Why?

a. Secure software updateb. Secure messagingc. "Blockchain" for X

87

Page 88: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

I need a "blockchain" for ...

IoT? Self-driving cars? Digital identity? Issue diplomas? Health care? Voting?

"Blockchain" = Byzantine State Machine Replication (SMR) == Agree on log of ops + Execute ops = Agree on final state.

Permissioned "blockchain" via:- Your favorite Byzantine SMR algorithm- Ethereum Smart Contract (pay fees per Ethereum op)- Catena + 2f+1 replicas (pay fees per op batch)

88

Page 89: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

I need a "blockchain" for ...

IoT? Self-driving cars? Digital identity? Issue diplomas? Health care? Voting?

"Blockchain" = Byzantine State Machine Replication (SMR) == Agree on log of ops + Execute ops = Agree on final state.

Permissioned "blockchain" via:- Your favorite Byzantine SMR algorithm- Ethereum Smart Contract (pay fees per Ethereum op)- Catena + 2f+1 replicas (pay fees per op batch)- Don't need execution? Use Catena directly.

Permissionless "blockchain:" Roll your own. But proceed with caution?

89

Page 90: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Conclusions

What we did: - Enabled applications to efficiently leverage Bitcoin's

publicly-verifiable consensus- Download transactions selectively rather than full blockchain- ~46 MB instead of gigabytes of bandwidth

Why it matters:- Secure software update schemes- Public-key directories for HTTPS and secure messaging- "Blockchain" for X

For more, read our paper!

90

Page 91: Catena: Efficient Non-equivocation via Bitcoin · 2 ' PK A PK B PK A ' t2 PK A PK B PK B ' What is equivocation? PKA PKB t 1 Public-key directory S 1 S 2 S 2' ... Transactions transfer

Ask me questions!

Block j Block n

s1 s2

s'3

Block i Block j Block n

s1 s2

s3

s'3

s3

Block i

No inconsistent s'3 as it would require

a double-spend!

Need to download full blocks to find

inconsistent s'3

Prev

ious

wor

kC

aten

ahttps://people.csail.mit.edu/alinush/

91


Top Related