REM: Resource Efficient Mining for Blockchains
Fan Zhang, Ittay Eyal, Robert Escriva, Ari Juels, Robbert van Renesse
Vancouver, Canada
13 September 2017 USENIX Security 2017
The Cryptocurrency Vision
Originally
• Satoshi Nakamoto’s Bitcoin (’08-’09)
• Decentralized currency
Fintech Blockchain / DLT Vision
• Bank to bank transactions (money, securities)
• Smart contracts infrastructure
• Security structuring
• Insurance
• Provenance (supply chain, art, fair trade)
• IoT micropayments
Towards a Fintech blockchain
Reality / Fintech
• Probabilistic guarantees / Hard requirements
• Handful tx/sec / Thousands tx/sec
• Minutes/hours for confirmation / Seconds for confirmation
• Problematic resource consumption / No “waste”
PoW: Proof of Waste?
Block proves (statistically) real-world waste
• Capital expenditure
• Operational expenditure
Attacker must similarly waste resources
https://digiconomist.net/bitcoin-energy-consumption
16 TWh!
1.4 million households
Environment-Friendly Alternatives in other settings
Permissioned system (BFT)
• Centralized
Proof of Stake
• needs a good solution for “nothing-at-stake”
Proof of Storage (Space)
• consumes storage instead of computation
Proof of Useful Work (PoUW): Repurpose innately useful work as mining effort
Software Guard eXtension
Integrity
Other software and even OS cannot tamper with control flow.
Confidentiality
Other software and even OS can learn nothing about the internal state*.
* Modulo side channels
Untrusted Operating System & Hypervisor
Untrusted Application Code
Untrusted Hardware
Trusted Processor
Code & Data
“Enclave”
SGX: remote attestation
Remote entity
Untrusted Operating System & Hypervisor
Untrusted Application Code
Untrusted Hardware
Trusted Processor
Code & Data
Sig[SKsgx
, ]
Only known to SGX
Group Signature
SGX-backed blockchain: A new security model
• Permissionless
  • Anyone can join
• Partially decentralized
  • SGX works as advertised
  • Intel manages the group signature
Related: Proof of Elapsed Time (PoET)
• Simulate PoW by sleeping 😴.
• Consensus in partially decentralized model
• (ideally) low mining cost + offhand mining
Unaddressed challenges in PoET
Mining power not proportional to CPU value
The Stale Chips Problem:
• The equilibrium is to mine using old, useless devices
• Build dedicated farms
High mining cost (contrary to the original intent)
Intel’s PoET
Individual CPUs can be compromised
The Broken Chips Problem
Intel proposes a simple statistical test. But
1. What is the adversary’s advantage?
2. What is the cost of this test?
Proof of Useful Work
o Replace the hash calculation in PoW with “useful” mining work
o Each unit of useful work grants a Bernoulli test
o Similar exponential block time
• Count CPU instructions
• Why?
  • A representative (although not perfect) metric
  • Can be done in a trustworthy way (i.e. w/o trusting OS etc.)
  • Switching to better options (if any) doesn’t change REM.
Useful work
Meter the useful work
Secure Instruction Counting
• Arbitrary (malicious) programs
• Publicly verifiable
• Dynamic + static program analysis
P → P’ (self-metering instrumentation)
Dynamic analysis
- Enforcing W⊕X code permission
- Enforcing single-threaded enclaves
- Details in the paper
[Diagram: PoUW Enclave. Labels: Eval[] P’; Result of P; 𝑛 instructions; Simulate 𝑛 Bernoulli tests; If any success; block header]
Yield similar exponential block interval.
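Added example (not from the slides or the REM code base): a Python sketch of the lottery described above, in which each metered instruction grants one Bernoulli test and a whole task is settled with a single draw. The per-instruction probability p, the task size and all function names are assumptions chosen for illustration.

```python
import math
import random

def win_probability(n, p):
    """P(at least one success in n independent Bernoulli(p) tests) = 1 - (1 - p)^n."""
    # expm1/log1p keep precision when p is tiny and n is large.
    return -math.expm1(n * math.log1p(-p))

def mined_block(n, p, rng):
    """One random draw that stands in for n separate per-instruction tests."""
    return rng.random() < win_probability(n, p)

def block_intervals(task_size, p, blocks, seed):
    """Instructions spent between consecutive wins when running fixed-size tasks."""
    rng = random.Random(seed)
    intervals = []
    for _ in range(blocks):
        spent = task_size
        while not mined_block(task_size, p, rng):
            spent += task_size
        intervals.append(spent)
    return intervals

if __name__ == "__main__":
    P = 1e-6  # assumed difficulty: success probability per instruction
    gaps = block_intervals(task_size=10_000, p=P, blocks=2_000, seed=7)
    mean = sum(gaps) / len(gaps)
    tail = sum(g > mean for g in gaps) / len(gaps)
    print(f"mean instructions per block: {mean:,.0f} (1/p = {1 / P:,.0f})")
    print(f"share of intervals above the mean: {tail:.3f} (exp(-1) = {math.exp(-1):.3f})")
```

Because the win probability depends only on the instruction count, splitting a task into smaller pieces leaves a miner's chances unchanged, and the work between blocks follows the same memoryless (approximately exponential) distribution as hash-based PoW.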
Public Verifiability
Two things to verify:
• Validity of PoUW
• Compliance
  • i.e. P’ is correctly instrumented
  • Requires the code of P’
P → P’ (self-metering instrumentation)
• ❌ Put code on chain
• ❌ Predefined P’
• ✅ Arbitrary P’
Hierarchical Attestation
Compliance Checker
Alice’s Program
Bob’s Program
Carol’s Program
Validity + Compliance
PoUW:
compliant:
SGX might not be perfect!
Picture source: https://www.forbes.com/sites/susanadams/2015/12/02/how-to-get-paid-to-do-nothing-5/#3fbbe0b14eaa
• Individual CPU might be broken
• -> Can forge PoUW at will
• “Broken chip problem”
Implicit PKI in SGX
Broken SGX CPUs cannot forge identities
Intel manages the signature group
Tolerating Compromised SGX CPUs
• Adversarial Model:
  • may forge PoUW at will
  • cannot forge identities
• Mitigation: statistical test
  • “If a miner is way too lucky, her block shall not be accepted.”
• Devised rigorous framework
Advantage: adv revenue / honest revenue
Adversarial Advantage (1 is optimal)
Cost: probability of false rejection
False Rejection (0 is optimal)
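Added example (not from the slides, and not the exact policy of the REM paper): a simplified "way too lucky" check in Python that shows how the two metrics above pull against each other. It assumes a fixed observation window, a Poisson block count for honest miners, and hypothetical parameters rate_best (block rate of the fastest honest CPU), window and alpha (tolerated false-rejection probability).

```python
import math

def poisson_tail(k, lam):
    """P[X >= k] for X ~ Poisson(lam)."""
    term = math.exp(-lam)  # P[X = 0]
    cdf = 0.0
    for i in range(k):
        cdf += term
        term *= lam / (i + 1)
    return max(0.0, 1.0 - cdf)

def block_cap(rate_best, window, alpha):
    """Largest k with P[fastest honest CPU mines >= k blocks in the window] >= alpha."""
    lam = rate_best * window
    k = 0
    while poisson_tail(k + 1, lam) >= alpha:
        k += 1
    return k

def accept_block(prior_blocks, rate_best, window, alpha):
    """Reject a block that would make this CPU identity 'way too lucky'."""
    return prior_blocks + 1 <= block_cap(rate_best, window, alpha)

def false_rejection(rate_best, window, alpha):
    """Cost: chance the fastest honest CPU mines more than the cap in one window."""
    cap = block_cap(rate_best, window, alpha)
    return poisson_tail(cap + 1, rate_best * window)

def advantage_bound(rate_best, window, alpha):
    """Blocks a forging CPU gets accepted per window, relative to the
    expected count of the fastest honest CPU (simplified model)."""
    return block_cap(rate_best, window, alpha) / (rate_best * window)

if __name__ == "__main__":
    # Constructed parameters: the fastest honest CPU expects 2 blocks per window.
    for alpha in (0.1, 0.01, 0.001):
        print(f"alpha={alpha}: cap={block_cap(0.5, 4, alpha)}, "
              f"false rejection={false_rejection(0.5, 4, alpha):.5f}, "
              f"advantage bound={advantage_bound(0.5, 4, alpha):.1f}")
```

Lowering alpha rejects fewer honest blocks but raises the cap, so a CPU that forges PoUW at will gets more blocks accepted per window. The cap is only meaningful because broken CPUs cannot forge identities, so each identity is counted separately.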