Workshop on Blockchain Technology and Theory – October 16, 2017

Ittay EyalTechnion, EE and IC3

Resource-Efficient Mining (REM) withProofs of Useful Work (PoUW)

with Fan Zhang, Robert Escriva. Ari Juels, and Robbert van Renesse

2

Fintech Blockchain / DLT Vision

• Bank to bank transactions (money, securities) • Smart contracts infrastructure • Security structuring • Insurance • Provenance (supply chain, art, fair trade) • IoT micropayments

3

The Blockchain

Log Blockchain

block

header

4

The Blockchain

Log Blockchain

block

header

5

The Blockchain

Log Blockchain

hash( ) < target*

* target: a deterministic function of previous blocks

6

The Blockchain

7

The Blockchain

8

The Blockchain

Block validation: Proof of work Ok – one hash function(and transactions Ok)

9

PoW Requirements

• Memoryless random distribution • Tunable difficulty • O(1) validation • All data on the blockchain

10

Fork Resolution

Longest chain wins

Minority attacker cannot out-run honest parties

11

Mining Farms

12

PoW: Proof of Waste?

Block proves (statistically) real-world waste • Capital expenditure • Operational expenditure

Attacker must similarly waste resources

13

PoW: Proof of Waste?

Block proves (statistically) real-world waste • Capital expenditure • Operational expenditure

Attacker must similarly waste resources

That’s not waste!

14

Environment-Friendly Alternatives

Permissioned system (BFT)• Centralized

Internal waste – Proof of Stake • Different properties

“Useful” resources (storage, prime numbers) • Useful? • For whom? Unfair

15

Partially Decentralized

Guarantees• Similar to PoW

Assumptions • Permissionless• Trust secure-hardware manufacturer

16

Software Guard Extensions (SGX)

Untrusted Operating System & Hypervisor

Untrusted Application Code

Code & Data

Untrusted Hardware

TrustedProcessor

Attestation: • Output • Fingerprint • signature

B

1. Confidentiality (incl. SRNG)2. Integrity 3. Remote attestation

output

17

Intel’s Proof of Elapsed Time (PoET)

Model: Partially decentralized

Idea: Simulate PoW by sleeping.

Pros: • PoW-like guarantees • Energy-waste-free

18

Intel’s Proof of Elapsed Time

Mining power not proportional to CPU value

The Stale Chips Problem: • Build a mining farm • Old useless CPUs

Waste hardware rather than power

19

Intel’s Proof of Elapsed Time

Individual CPUs can be compromised

The Broken Chips Problem

Intel proposes a simple statistical test. But 1. What is the adversary’s advantage? 2. What is the cost of this test?

Proof of Useful Work

21

Proof of Useful Work

Dedicate useful work rather than useless

How to measure and prove?

• Memoryless random distribution • Tunable difficulty • O(1) validation • All data on the blockchain

22

Proof of Useful Work

Proof of

Useful Work

Useful

Work

ResultInstruction

count 𝑛

Useful work, block header

SGX

Enclave

Simulate 𝑛Bernoulli tests

Run

Useful

Work

If success

23

Hierarchical Attestation

Only predefined programs?

Alice’s Enclave

Bob’sEnclave

Carols’sEnclave

output

24

Hierarchical Attestation

Only predefined programs?

Hierarchical attestation!

Compliance Checker

Alice’s Enclave

Bob’sEnclave

Carols’sEnclave

output:

output

25

Hierarchical Attestation

Only predefined programs?

Hierarchical attestation! Add instruction counting

Return count

26

State

New block

Block-chainagent

Block template

PoUW

Miner

PoUWEnclave

Blockchain PNetwork

TEE

Useful tasks

Useful results

1

2

2

3 45

Useful Workclient

27

State

New block

Blockchain P2P Network

State

Blockchain Agent

Content

Compliance

Effort

Verifiers1

5

6

28

Performance

29

SGX Compromise

Individual SGX instances might be broken • Compromised SGX will attest to anything • Compromise does not allow key forgery

The Broken Chip problem

30

The Broken Chip Problem

Statistically test likelihood of blocks from same CPU. Reject if unlikely.

Too permissive: Attacker gains

Too restrictive: Lose mining power

31

Attacker’s Advantage

Blo

ck C

ou

nt

Att

acke

r’s

Ad

van

tage

32

Wasted Proof of Work

Blo

ck C

ou

nt

Was

te

33

ConclusionBlockchain security in partially-decentralized model

Proof of Useful Work with TEE (SGX)

PoCtool-chain

Hierarchical Attestation

Practical Performance

Broken Chip Resilience

Zhang, Eyal, Escriva, Juels, van Renesse. USENIX Security 2017