Keychat: Secure Messaging via Bitcoin. Robert Chen, John Kuszmaul, Yiming Zheng Mentored By Alin Tomescu

Size: px

Start display at page:

Download "Keychat: Secure Messaging via Bitcoin. Robert Chen, John Kuszmaul, Yiming Zheng Mentored By Alin Tomescu"

Daniel Allison
5 years ago
Views:

1 Keychat: Secure Messaging via Bitcoin Robert Chen, John Kuszmaul, Yiming Zheng Mentored By Alin Tomescu 1

2 Motivation We want to secure communications. Alice Bob Sensitive Financial Information Yay, Money! 2

3 End-to-end Encryption People generate a key pair. They broadcast public keys. Alice SKB(C) = Financial Information Bob C = PKB(Financial Information) I can t decrypt this because I don t have Bob s secret key. 3

4 The Problem: Public Key Distribution People can encrypt messages, but they might be encrypting them for the wrong person. Alice Bob C = PKM(Financial Information) C = PKB(Financial Information) Mallory 4

5 The Current State of Common Communications Apps Facebook Messenger, Gmail - Do not use end-to-end encryption by default WhatsApp, Signal - Public keys are stored in a central directory that may be insecure. Alice What is Bob s Public Key? Signal PKD I know! It s PKB. 5

6 Are append-only PKDs enough for security? If append-only, then Bob can detect fake PKM What else can the malicious PKD do? Public Key Directory Name Public Key Alice PKA Bob PKB PKM 6

7 Our Work: Public Key Directory Equivocation Name Public Key Alice PKA Version 1 Version 2A Version 2B Alice s Perspective Bob s Perspective Name Public Key Name Public Key Alice PKA Alice PKA Bob PKM Bob PKB 7

8 Outline Keybase Bitcoin Catena Catena Op tim ize s Keychat Witnesses Keybase Bitcoin 8

9 Keybase: A public key directory S1 = H(DIR1) S2 = H(DIR2) Name Public Key Name Public Key John PKJ John PKJ Robert PKR Robert PKR Keybase PKD Server Yiming PKY 9

10 Keybase Summaries Yiming S1 (1) Yiming PK? Keybase PKD Server (2) PKY (3) Verify PKY against S1 (1) Yiming PK? Robert S1 (2) PKY (3) Verify PKY against S1 10

11 Keybase Equivocation Yiming S1, S2 (1) Yiming PK? Keybase PKD Server (2) PKY (3) Verify PKY against S2 (1) Yiming PK? Robert S1, S2' (2) PKM (3) Verify PKM against S2 11

12 Keybase Non-equivocation Important that Yiming and Robert have the same history of hashes/summaries: S1, S2, S3... Bitcoin Keybase PKD Server S1, S2, S3... Download S1, S2, S3... Robert's, Yiming's Keychat apps 12

13 Outline Keybase Bitcoin Catena Catena Op tim ize s Keychat Witnesses Keybase Bitcoin 13

14 Bitcoin: Blockchain Block 1 A B, 5 BTC C D, 10 BTC 14

15 Bitcoin: Blockchain Block 1 Block 2 A B, 5 BTC D B, 2 BTC C D, 10 BTC A B, 1 BTC 15

16 Bitcoin: Blockchain Block 1 Block 2 A B, 5 BTC D B, 2 BTC C D, 10 BTC A B, 1 BTC Block n M A, 2 BTC 16

17 However, Can Forks Happen? Block 1 Block 2 A B, 5 BTC D B, 2 BTC C D, 10 BTC A B, 1 BTC Block n M A, 2 BTC Block n M B, 2 BTC 17

18 However, Can Forks Happen? Answer: No! Block 1 Block 2 A B, 5 BTC D B, 2 BTC C D, 10 BTC A B, 1 BTC Block n M A, 2 BTC Block n M B, 2 BTC 18

19 Keybase Witnessing Summaries Block j Block i A B, 5 BTC D B, 2 BTC C D, 10 BTC A B, 1 BTC K K, 1 BTC S1 K K, 1 BTC S2 Block n M A, 2 BTC K K, 1 BTC S3 19

20 Equivocation Within a Block? Block j D B, 2 BTC A B, 1 BTC K K, 1 BTC S2 K K, 1 BTC S 2 20

21 Hashes: A Reminder SHA 256 (Hash Function) 21

22 Hashes: A Reminder SHA 256 (Hash Function) 22

23 Hashes: A Reminder SHA 256 (Hash Function) 46f4e4edb a20af8d92 7b6416a dd e441ac0bf26e2e 23

24 More Properties of Ideal Hash Functions SHA 256 (Hash Function) '46f4e4edb a20af8d92 7b6416a dd e441ac0bf26e2e' Always 256 bits Bitcoin block C D, 10 BTC SHA 256 (Hash Function) b7a4c0d08a9f74f47ce44d1f7 a58d9344b35aab00c ffb6fea556e6fa Always 256 bits 24

25 More Properties of Ideal Hash Functions Given the output:?????? SHA 256 (Hash Function) We should not be able to easily find the input 'c74c28b6dfc5099a3ce5386ae 9866fadd44618c7db489ebe87 b f988d' One Way (OW): Given y, infeasible to find any x such that h(x) = y. 25

26 Takeaways - Can feed in any size data as input fixed length output - Randomness: Small change in input data entirely different output - One-way: Given a hash, can t feasibly find any data that hashes to it - Perfect for a tamper-evident, append-only log! 26

27 Blockchain: A Closer Look! Block 1 h1= H( H(TXNS1) ) TXNS1 Block Header: - Contains hash pointer to TXN data - Contains hash pointer to previous block 27

28 Blockchain: A Closer Look! Block 1 h1= H( H(TXNS1) TXNS1 Block 2 ) h2= H( h1, H(TXNS2) ) TXNS2 Block Header: - Contains hash pointer to TXN data - Contains hash pointer to previous block 28

29 Blockchain: A Closer Look! Block 1 h1= H( H(TXNS1) TXNS1 Block 2 ) h2= H( h1, H(TXNS2) TXNS2 Block n ) h3 hn-1 hn= H( hn-1, H(TXNSn) ) TXNSn Block Header: - Contains hash pointer to TXN data - Contains hash pointer to previous block 29

30 Transactions: A Closer Look! - Block n Transactions stored in Merkle Tree Merkle Root hash stored in header hn= H( hn-1,rn ) TXNSn Rn=H(M1,M2) tx2 M1=H(H(tx1),H(tx2)) M2=H(H(tx3),H(tx4)) A C, 5 BTC B C, 10 BTC H(tx1) H(tx2) H(tx3) H(tx4) 30

31 Transactions: Membership Proof Block n hn= H( hn-1,rn ) TXNSn tx2 A C, 5 BTC B C, 10 BTC H(tx1) H(tx2) H(tx3) H(tx4) Membership proof for tx2? 31

32 Transactions: Membership Proof Block n hn= H( hn-1,rn ) TXNSn tx2 A C, 5 BTC B C, 10 BTC H(tx1) H(tx2) H(tx3) H(tx4) Membership proof for tx2 32

33 Transactions: Membership Proof Block n hn= H( hn-1,rn ) TXNSn tx2 M2 A C, 5 BTC B C, 10 BTC H(tx1) H(tx2) H(tx3) H(tx4) Membership proof for tx2 33

34 Transactions: Membership Proof Block n hn= H( hn-1,rn ) TXNSn tx2 M2 A C, 5 BTC B C, 10 BTC H(tx1) H(tx2) H(tx3) H(tx4) Membership proof for tx2 34

35 Transactions: Membership Proof Block n hn= H( hn-1,rn ) TXNSn tx2 M1=H(H(tx1),H(tx2)) M2 A C, 5 BTC B C, 10 BTC H(tx1) H(tx2) H(tx3) H(tx4) Membership proof for tx2 35

36 Yay! Membership Proof Success Block n hn= H( hn-1, Rn ) = Rn TXNSn Rn'=H(M1,M2) tx2 M1=H(H(tx1),H(tx2)) M2 A C, 5 BTC B C, 10 BTC H(tx1) H(tx2) H(tx3) H(tx4) Membership proof for tx2 36

37 Transaction Format Block i Block j Block n Merkle tree of TXNs in each block 37

38 Transaction Format Block j Block i Block n PKB has 3Ƀ PKA has 3Ƀ txa txb Transactions transfer coins 38

39 Transaction Format Block j Block i from SKA PKA has 3Ƀ txa Block n PKB has 3Ƀ txb Transactions transfer coins Output = # of coins and owner's PK Input "spends" previous output 39

40 Transaction Format Block j Block i Block n from SKA PKA has 3Ƀ txa txb PKB has 3Ƀ s1 Arbitrary statement s1 Data can be embedded in TXNs. 40

41 Transaction Format Block i Block j Block n PKB has 3Ƀ txb txc s1 Bob gives Carl 3Ƀ, What happens if Bob tries to double spend? 41

42 Transaction Format Block i Block j txb Block n txc s1 txc' No double-spent coins: A TXN output can only be referred to by a single TXN input. 42

43 Outline Keybase Bitcoin Catena Catena Op tim ize s Keychat Witnesses Keybase Bitcoin 43

44 Problem with Keybase - Equivocation Within a Block? Block j D B, 2 BTC A B, 1 BTC K K, 1 BTC S2 K K, 1 BTC S 2 Auditors must download the entire Bitcoin blockchain to check if any blocks contain invalid Keybase transactions 44

45 Key idea behind Catena Efficiently use Bitcoin's mechanism that prevents double spends as proof of non-equivocation. TX2 TX1 TX'2 45

46 Key idea behind Catena Efficiently use Bitcoin's mechanism that prevents double spends as proof of non-equivocation. TX1 s 1 TX2 s 2 TX'2 s' 2 46

47 Catena Block i TX s 1 Block j Block n No inconsistent s'3 as it would require a double-spend! TX s' 3 TX s 2 TX s 3 Linear chain of transactions containing statements 47

48 Efficient auditing Header i Keychat client Bitcoin Network GTX Keybase server 48

49 Efficient auditing Header i Keychat client GTX Q: Next block header(s)? Bitcoin Network Keybase server 49

50 Efficient auditing Header i Keychat client Header i+1 Bitcoin Network GTX Header j Keybase server 50

51 Efficient auditing Header i Keychat client Bitcoin Network Header j GTX Keybase server 51

52 Efficient auditing Header i Keychat client Header j GTX Q: What is s1 in the log? Bitcoin Network Keybase server 52

53 Efficient auditing Header i Keychat client Bitcoin Network Header j GTX TX1 s 1 Keybase server 53

54 Efficient auditing Header i Keychat client Bitcoin Network GTX Header j TX1 s 1 Keybase server 54

55 Efficient auditing Header i Keychat client GTX Header j TX1 s 1 Q: Next block header(s)? Bitcoin Network Keybase server 55

56 Efficient auditing Header i Keychat client Header j+1 Bitcoin Network GTX Header j TX1 s 1 Header n Keybase server 56

57 Efficient auditing Header i Keychat client Bitcoin Network GTX Header j Header n TX1 s 1 Keybase server 57

58 Efficient auditing Header i Keychat client GTX Header j Header n TX1 s 1 Q: What is s2 in the log? Bitcoin Network Keybase server 58

59 Efficient auditing Header i Keychat client Bitcoin Network GTX Header j Header n TX1 s 1 TX2 s 2 Keybase server 59

60 Efficient auditing Header i Keychat client Bitcoin Network GTX Header j TX1 s 1 Header n TX2 s 2 Keybase server 60

61 Auditing bandwidth e.g., 460K block headers + 10K statements = ~41 MB (80 bytes each) (around 600 bytes each) 61

62 Recap Keybase can equivocate, so they witness the directory in Bitcoin, but inefficiently S1, S2, S3,... Keybase Bitcoin S1, S2, S3,... Keychat client (110 GB) 62

63 Recap Keybase can equivocate, so they witness the directory in Bitcoin, but inefficiently Use Catena to make auditing the Keybase PKD more efficient S1, S2, S3,... Keybase Bitcoin Catena.,..,S3,S2 S1 Keychat client (41 MB) 63

64 Outline Keybase Bitcoin Catena Catena Op tim ize s Keychat Witnesses Keybase Bitcoin 64

65 Keychat Uses the Keybase PKD, so users can communicate securely without fear of public key equivocation Implemented using Meteor, a Javascript framework that allows KeyChat to work as both a website and an Android app Keychat 65

66 Next steps Implement Catena for Keybase using Java to efficiently witness the Keybase Public Key Directory in the Bitcoin blockchain Implement Keychat using Meteor 66

67 Acknowledgements Thanks to our mentor Alin Tomescu for his support and guidance! Thanks to PRIMES for this opportunity! Thanks to our parents for their support! Thanks to all of you for being such a great audience! 67

68 Ask us questions! Keychat Catena Op tim es ize s Us Witnesses Keybase Bitcoin 68

Catena: Preventing Lies with

November 28th, 2016 Catena: Preventing Lies with Alin Tomescu alinush@mit.edu MIT CSAIL Srinivas Devadas devadas@mit.edu MIT CSAIL New England Security Day (NESD), Fall '16 The problem: Equivocation The