Catena: Preventing Lies with

Size: px

Start display at page:

Download "Catena: Preventing Lies with"

Bennett Boyd
6 years ago
Views:

1 November 28th, 2016 Catena: Preventing Lies with Alin Tomescu MIT CSAIL Srinivas Devadas MIT CSAIL New England Security Day (NESD), Fall '16

2 The problem: Equivocation

3 The problem: Equivocation Good: "Stating the same thing to all people." Statement S Bob Public-key directory PKA PKB Alice

4 The problem: Equivocation Bad: "Stating different things to different people.'" Statement S PK'A Public-key directory PKB Bob

5 The problem: Equivocation Bad: "Stating different things to different people.'" Statement S PK'A PKB Bob Statement S' Public-key directory PKA PK'B Alice

6 The problem: Equivocation Bad: "Stating different things to different people.'" Statement S PK'A PKB Bob MITM Statement S' Public-key directory PKA PK'B Alice

7 Why is non-equivocation important?

8 Why is non-equivocation important? Public-key distribution - HTTPS - Secure messaging - Security research often assumes a PKI

9 Why is non-equivocation important? Public-key distribution - HTTPS - Secure messaging - Security research often assumes a PKI Tor Directory Servers

10 Why is non-equivocation important? Public-key distribution - HTTPS - Secure messaging - Security research often assumes a PKI Tor Directory Servers Software transparency schemes - Apple vs. FBI

11 Previous work

12 Previous work Can detect, but not prevent equivocation with gossip.

13 Previous work Can detect, but not prevent equivocation with gossip. Must download 90 GB of blockchain data.

14 Previous work Can detect, but not prevent equivocation with gossip. Must download 90 GB of blockchain data. CoSi (S&P '16) Requires a large, diverse, trustworthy set of witnesses.

15 Previous work Can detect, but not prevent equivocation with gossip. Must download 90 GB of blockchain data. CoSi (S&P '16) "Liar, liar, coins on fire!" (CCS '15) Requires a large, diverse, trustworthy set of witnesses. Only disincentivizes equivocation. Vulnerable to malicious outsiders.

16 Key idea

17 Key idea Efficiently use Bitcoin's mechanism that prevents double spends as a proof of non-equivocation.

18 Key idea Efficiently use Bitcoin's mechanism that prevents double spends as a proof of non-equivocation. TX2 TX1 TX'2

19 Key idea Efficiently use Bitcoin's mechanism that prevents double spends as a proof of non-equivocation. TX1 s 1 TX2 s 2 TX'2 s' 2

20 Results - Bitcoin-based tamper-evident log

21 Results - Bitcoin-based tamper-evident log - As hard-to-fork as the Bitcoin blockchain

22 Results - Bitcoin-based tamper-evident log - As hard-to-fork as the Bitcoin blockchain - Efficient to audit: 620 bytes / statement + 80 bytes / block

23 Results tion a t en m ple SLOC m i Java n 3500 i - Bitcoin-based tamper-evident log - As hard-to-fork as the Bitcoin blockchain - Efficient to audit: 620 bytes / statement + 80 bytes / block

24 Bitcoin transactions

25 Bitcoin transactions 1. Generate coins (assigns them to a PK) TXa

26 Bitcoin transactions 1. Generate coins (assigns them to a PK) 2Ƀ, PK TXa

27 Bitcoin transactions 1. Generate coins (assigns them to a PK) 2. Transfer coins (reassign to a new PK via a signature under old PK) 2Ƀ, PK TXa TXb

28 Bitcoin transactions 1. Generate coins (assigns them to a PK) 2. Transfer coins (reassign to a new PK via a signature under old PK) 2Ƀ, PK TXa SigPK(TXa:0, TXb) TXb

29 Bitcoin transactions 1. Generate coins (assigns them to a PK) 2. Transfer coins (reassign to a new PK via a signature under old PK) 2Ƀ, PK TXa SigPK(TXa:0, TXb) TXb 1Ƀ, PK'

30 Bitcoin transactions 1. Generate coins (assigns them to a PK) 2. Transfer coins (reassign to a new PK via a signature under old PK) 2Ƀ, PK TXa SigPK(TXa:0, TXb) TXb 1Ƀ TX fee! 1Ƀ, PK'

31 Bitcoin transactions 1. Generate coins (assigns them to a PK) 2. Transfer coins (reassign to a new PK via a signature under old PK) TXa TXb TXi

32 Bitcoin transactions 1. Generate coins (assigns them to a PK) 2. Transfer coins (reassign to a new PK via a signature under old PK) TXa TXb TXi

33 Bitcoin transactions 1. Generate coins (assigns them to a PK) 2. Transfer coins (reassign to a new PK via a signature under old PK) TXa TXb TXi

34 Bitcoin blockchain

35 Bitcoin blockchain 1. The time-ordered log of valid transactions (PoW consensus) Block i Block j Block n

36 Bitcoin blockchain 1. The time-ordered log of valid transactions (PoW consensus) Block j Block i txa txb txi Block n txj

37 Bitcoin blockchain 1. The time-ordered log of valid transactions (PoW consensus) 2. No double spends: A transaction output can only be referred to by a single transaction input. Block j Block i txa txb txi Block n txj

38 Bitcoin blockchain 1. The time-ordered log of valid transactions (PoW consensus) 2. No double spends: A transaction output can only be referred to by a single transaction input. Block j Block i txa txb txi Block n txj txk

39 Bitcoin blockchain 1. The time-ordered log of valid transactions (PoW consensus) 2. No double spends: A transaction output can only be referred to by a single transaction input. Blockchain forks Double-spent coins Block n' Block j Block i txa txb txi Block n txj txk

40 Catena transaction format

41 Catena transaction format txi <data>

42 Catena transaction format Coins from server for paying TX fees (digital signature) txi <data>

43 Catena transaction format Coins from server for paying TX fees (digital signature) "Change" coins back to server (public key) txi <data>

44 Catena transaction format Coins from server for paying TX fees (digital signature) "Change" coins back to server (public key) txi <data> Unspendable OP_RETURN output with arbitrary data

45 Catena transaction format Coins from server for paying TX fees (digital signature) "Change" coins back to server (public key) txi <data> A single spendable output No forks Unspendable OP_RETURN output with arbitrary data txi txj txk

46 Catena design Transaction fee funds Catena log server

47 Catena design Block i GTX Catena log server Genesis TXN n

48 Catena design Block i GTX Catena log server Block j n TX1 s 1

49 Catena design Block i GTX Catena log server Block j n TX1 s 1 Block n TX2 s 2

50 Catena design Block i Block j Block n Next, unique s3 GTX Catena log server n TX1 s 1 TX2 s 2

51 Catena design Block i Block j Block n Next, unique s3 GTX Catena log server n Advantages: (1) Hard to fork (2) Efficient to verify TX1 s 1 TX2 s 2

52 Catena design Block i Block j Block n Next, unique s3 GTX Catena log server n Advantages: (1) Hard to fork (2) Efficient to verify TX1 s 1 TX2 s 2 Disadvantages: (1) 6-block confirmation delay (2) 1 statement every 10 minutes

53 Client bandwidth

54 Client bandwidth n block headers (80 bytes each) + k statements (around 600 bytes each)

55 Client bandwidth e.g., 440K block headers + 10K statements = ~41 MB (80 bytes each) (around 600 bytes each)

56 Conclusions - Efficient Bitcoin witnessing is possible! - ~40 MB instead of 90 GB bandwidth overhead

57 Conclusions - Efficient Bitcoin witnessing is possible! - ~40 MB instead of 90 GB bandwidth overhead - Important applications - Public-key directories - Tor Consensus Transparency - Software transparency schemes

58 Conclusions - Efficient Bitcoin witnessing is possible! - ~40 MB instead of 90 GB bandwidth overhead - Important applications - Public-key directories - Tor Consensus Transparency - Software transparency schemes - Publicly-verifiable consensus like Bitcoin should be leveraged by applications, efficiently.

59 The end.

60 Extra slides...just in case.

61 Catena: Preventing forks Attacker has to create an invalid block n to fork the log Attacker has to fork Bitcoin. Block i TX Catena log server Block j s0 TX Invalid block: Breaks miner-enforced TXO invariant. Block n TX s2 TX s'2 s1

62 Malicious blockchain fork. Catena: Preventing forks Attacker has to fork Bitcoin. Attacker needs to mine at least 6 blocks on one of the forks. Block i Block j Block n TX s2 Block n' TX Catena log server s0 TX s1 TX s'2

63 Key idea Q: How can we prove to a thin client that there's no s'2? Block k Block i TX Block j s0 TX TX s2 TX s'2 s1

64 Key idea Q: How can we prove to a thin client that there's no s'2? A: Leverage Bitcoin's mechanism against double-spends! Block i TX Catena log server Violates Bitcoin's security against double spends. Block j s0 TX TX s2 TX s'2 s1

65 Graveyard...where old slides rest in peace.

66 Bitcoin background genesis block1 block2 block3 null txns: H( merkle1 ) H( block1 ) txns: H( merkle2 ) H( block2 ) txns: H( merkle3 ) prev: prev: prev: TX output: Coins and PKs tx1 e.g., 2Ƀ for PKDan tx1 Membership proof for tx1

67 Bitcoin background genesis block1 block2 block3 null txns: H( merkle1 ) H( block1 ) txns: H( merkle2 ) H( block2 ) txns: H( merkle3 ) prev: prev: prev: TX inputs: Signatures txa txb txd tx2 tx2 txc PKCarol Carol's signature under her PK 3Ƀ for PKEva (unspent) 2Ƀ for PKDan (spent) Membership proof for tx2

Keychat: Secure Messaging via Bitcoin. Robert Chen, John Kuszmaul, Yiming Zheng Mentored By Alin Tomescu

Keychat: Secure Messaging via Bitcoin Robert Chen, John Kuszmaul, Yiming Zheng Mentored By Alin Tomescu 1 Motivation We want to secure communications. Alice Bob Sensitive Financial Information Yay, Money!