REM: Resource Efficient Mining for Blockchains · REM: Resource Efficient Mining for Blockchains Fan Zhang, Ittay Eyal, Robert Escriva, Ari Juels, Robbert van Renesse 1 Vancouver,

REM: Resource Efficient Mining for Blockchains

FanZhang,IttayEyal,RobertEscriva,AriJuels,RobbertvanRenesse

1

Vancouver, Canada

13 September 2017 USENIX Security 2017

The Cryptocurrency Vision

13 September 2017 USENIX Security 2017 2

Originally• SatoshiNakamoto’s Bitcoin(’08-’09)• Decentralizedcurrency

The Cryptocurrency Vision


Originally• SatoshiNakamoto’s Bitcoin(’08-’09)• Decentralizedcurrency

Fintech Blockchain / DLT Vision • Banktobanktransactions(money,securities)• Smartcontractsinfrastructure• Securitystructuring• Insurance• Provenance(supplychain,art,fairtrade)• IoT micropayments


Towards a Fintech blockchain Reality Fintech

Probabilisticguarantees HardrequirementsHandfultx/sec Thousandstx/secMinutes/hoursforconfirmation

Secondsforconfirmation

Problematic resourceconsumption

No“waste”


PoW: Proof of Waste? Blockproves(statistically)real-worldwaste• Capitalexpenditure• Operationalexpenditure

Attackermustsimilarlywasteresources

13 September 2017 USENIX Security 2017 6https://digiconomist.net/bitcoin-energy-consumption

16 TWh!

1.4millionhousehold

Environment-Friendly Alternativesin other settings

Permissionedsystem(BFT)• Centralized

ProofofStake• needsagoodsolutionfor“nothing-at-stake”

ProofofStorage(Space)• consumesstorageinsteadofcomputation


8

Achieve the robustness of PoWwithout the waste?


9

Proof of Useful Work (PoUW):Repurpose innately useful work as

mining effort


Software Guard eXtension


Integrity

OthersoftwareandevenOS cannottamperwithcontrolflow.

Confidentiality

OthersofwareandevenOS canlearnnothingabouttheinteralstate*.

* Modulosidechannels

UntrustedOperatingSystem&Hypervisor

UntrustedApplicationCode

UntrustedHardware

TrustedProcessor

Code&Data

“Enclave”

SGX: remote attestation

11

RemoteentityUntrustedOperatingSystem&Hypervisor

UntrustedApplicationCode

UntrustedHardware

TrustedProcessor

Code&Data


Sig[SKsgx

, ]

Only known to SGX

Group Signature

SGX-backed blockchain: A newsecurity model

12

• Permissionless• Anyonecanjoin

• Partiallydecentralized• SGXworksasadvertised• Intelmanagesthegroupsignature


Related: Proof of Elapsed Time (PoET)


•SimulatePoW bysleeping😴.•Consensusinpartiallydecentralizedmodel•(ideally)lowminingcost+offhandmining

Unaddressed challenges in PoETMiningpowernotproportionaltoCPUvalue

TheStaleChipsProblem:• Theequilibrium istomineusingold,uselessdevices• Builddedicatedfarms

Highminingcost(contrarytotheoriginalintent)


Intel’s PoET

IndividualCPUscanbecompromised

TheBrokenChipsProblem

Intelproposesasimplestatisticaltest.But1. Whatistheadversary’sadvantage?2. Whatisthecostofthistest?


ProofofUsefulWork

13September2017 USENIXSecurity2017 16

o Replace the hash calculation in PoW with “useful” mining work

o Each unit of useful work grants a Bernoulli test

o Similar exponential block time

17

• Count CPUinstructions

• Why?• Arepresentative(althoughnotperfect)metric

• Canbedoneinatrustworthyway(i.e.w/otrustingOSetc.)

• Switchingtobetteroptions(ifany)doesn’tchangeREM.


UsefulworkMeter the useful work

Secure Instruction Counting

18

• Arbitrary(malicious)programs• Publiclyverifiable• Dynamic+staticprogramanalysis


P P’Self-metering instrumentationDynamicanalysis

- EnforcingW⊕Xcodepermission- Enforcingsingle-threadedenclaves- Detailsin thepaper

Ifanysuccess

𝑛 instructions

,blockheader

PoUW Enclave

Simulate𝑛Bernoullitests

13 September 2017 19

P’

Eval[]P’ ResultofP

Yieldsimilarexponentialblock

interval.

Public Verifiability

20

Twothingstoverify:• ValidityofPoUW• Compliance

• i.e.P’ iscorrectlyinstrumented• RequiresthecodeofP’


P P’Self-metering instrumentation

• ❌ Putcodeonchain• ❌ PredefinedP’• ✅ ArbitraryP’

Hierarchical Attestation

ComplianceChecker

Alice’sProgram

Bob’sProgram

Carols’sProgram


Validity+Compliance

PoUW:

compliant:

SGX might not be perfect!


Picture source: https://www.forbes.com/sites/susanadams/2015/12/02/how-to-get-paid-to-do-nothing-5/#3fbbe0b14eaa

• IndividualCPUmightbebroken• ->CanforgePoUW atwill• “Brokenchipproblem”

Implicit PKI in SGX

23

Broken SGX CPUs cannot forge identities

Intel manages the signature group


Tolerating Compromised SGX CPUs• AdversarialModel:

• mayforgePoUW atwill

• cannotforgeidentities

• Mitigation:statisticaltest• “Ifamineriswaytoolucky,herblockshallnotbeaccepted.”

• Devisedrigorousframework


Advantage: adv revenue / honest revenue

25

Adversarial Advantage(1 is optimal)


Cost: probability of false rejection

26

False Rejection(0 is optimal)


Performance of REM


Conclusion• PoUW:aproofofusefulwork schemethatavoidswaste• REM:aPoUW-basedblockchain

• Efficient:upto15%overheadrelativetonativelinux programs• Brokenchipproblem:rigorousframeworkandeffectivepolicies.


Documents

REM: Resource Efficient Mining for Blockchains · REM: Resource Efficient Mining for Blockchains Fan Zhang, Ittay Eyal, Robert Escriva, Ari Juels, Robbert van Renesse 1 Vancouver,