Embed Size (px)
Citation preview
Coins, Clubs, and Crowds:Scaling and Decentralization inNext-Generation Blockchains
Prof. Bryan FordDecentralized/Distributed Systems (DEDIS)
Delft Blockchain Symposium – January 31, 2019
A Fundamental Problem
In today’s IT systems, security is an afterthought● Designs embody “weakest-link” security
Scaling to bigger systems → weaker security● Greater chance of any “weak link” breaking
The DEDIS lab at EPFL: Mission
Design, build, and deploy secure privacy-preservingDecentralized and Distributed Systems (DEDIS)
• Distributed: spread widely across the Internet & world
• Decentralized: independent participants, no central authority,no single points of failure or compromise
Overarching theme: building decentralized systemsthat distribute trust widely with strongest-link security
Weakest-LinkSecurity
Strongest-LinkSecurity
Turning Around the Security Game
Design IT systems so that making them biggermakes their security increase instead of decrease
Weakest-linksecurity
Strongest-linksecurity
ScalableStrongest-link
security
DEDIS Laboratory Members
Bryan FordAssociate Professor
Philipp JovanovicPostdoctoral Scholar
Stevens Le BlondResearch Scientist
Linus GasserSoftware Engineer
Lefteris Kokoris-KogiasPh.D. Student
Kirill NikitinPh.D. Student
Cristina BasescuPh.D. Student
Enis Ceyhun AlpPh.D. Student
Jeff R. AllenSoftware Engineer
Kelong CongSoftware Engineer
Gaylor BossonSoftware Engineer
The Call of the Blockchain
(credit: Tony Arcieri)
Bitcoin (2008)
First successful decentralized cryptocurrency…
Bitcoin (2008)
First successful decentralized cryptocurrency…
...and a fascinating study in seductively wrong answers to key issues in decentralized systems
How to track wealth(or anything)?
Things● Gold, beads, cash...
Ledgers● Who owns what?
Alice 5 BTC
Bob 2 BTC
Charlie 3 BTC
...
Distributed Ledgers
Problem: we don't want to trust any designated,centralized authority to maintain the ledger
Solution: “everyone” keeps a copy of the ledger!– Everyone checks everyone else's changes to it
Alice 5 BTC
Bob 2 BTC
Charlie 3 BTC
...
Alice's copyAlice 5 BTC
Bob 2 BTC
Charlie 3 BTC
...
Bob's copy
Alice 5 BTC
Bob 2 BTC
Charlie 3 BTC
...
Charlie's copy
Four Key Blockchain Challenges
● Scaling: doing enough, fast enough● Availability: is it there when you need it?● Privacy: keeping, storing, processing secrets● Stake: who gets how much, when, and why
Four Key Blockchain Challenges
● Scaling: doing enough, fast enough● Availability: is it there when you need it?● Privacy: keeping, storing, processing secrets● Stake: who gets how much, when, and why
Nakamoto Consensus
Public blockchains such as Bitcoin, Ethereum useconsensus by crypto-lottery
1) Miners print their own “lottery tickets”by solving crypto-puzzle (proof-of-work)
2) Winner gets to add one block to blockchain;typically gets reward: e.g., print new money
3) All miners gravitate to longest chain. Repeat.
Drawbacks of Nakamoto Consensus
● Transaction delay– Any transaction takes ~10 mins minimum in Bitcoin
● Weak consistency: – You’re not really certain your
transaction is committed untilyou wait ~1 hour or more
● Low throughput:– Bitcoin: ~7 transactions/second
● Proof-of-work mining:– Wastes huge amount of energy
Scaling Blockchains is Not Easy
Relevant Scaling Goals
● Increased transaction processing throughput– From 4.7 TPS to VISA (1000s of TPS) and beyond
● Reduced transaction processing latency– From 10s of minutes to seconds to milliseconds…
● Reduced cost of on-chain data storage– Don’t make everyone store everything, forever
● Reduced cost of on-chain computation– Preferably not millions of times slower than native
On- versus Off-Chain Scaling
Scalable BFT
Horizontal Sharding
Sidechains
Payment Networks
L
share window of size w
L
keyblock (co-signed)
microblock (co-signed)
share
miner (co-signer)
leader
Keyblocks
Microblocks
Miners
Transactions
Shard 1Shard 2
Shard 3
ByzCoin: Fast, Scalable BlockchainsScalable PBFT blockchain consensus [USENIX Security ‘16]
● Permanent transaction commitment in seconds
● 700+ TPS demonstrated (100x Bitcoin, ~PayPal)
1 2 3
1 2 3 4 5
...
5-10 sec
BitcoinCothority
Miner Witnesses
Key-Block
Micro-Block
depends on
6
Co-Signature
Horizontal Scaling via Sharding
OmniLedger: A Secure Scale-Out Ledger [S&P 18]● Break large collective into smaller subgroups● Builds on scalable bias-resistant randomness protocol
(IEEE S&P 2017)● 6000 transactions/second: competitive with VISA
Transactions
Shard 1Shard 2
Shard 3
OmniLedger Throughput
Wide range of performance/security settings
Problem: Secure Public Randomness
Vietnam War Lotteries (1969)
RandHound/RandHerd
“Scalable Bias-Resistant Distributed Randomness” [IEEE Security & Privacy ‘17]● Standard t-of-n
threshold model● Efficient, scales to
thousands of parties● Compatible with
ByzCoin, OmniLedgerblockchains
(c,r)
collective randomness
CLCL
TSS group 1 TSS group 2
TSS group 0
GLGLGLGL
(c,r0)
(c,r1) (c,r2)
Four Key Blockchain Challenges
● Scaling: doing enough, fast enough● Availability: is it there when you need it?● Privacy: keeping, storing, processing secrets● Stake: who gets how much, when, and why
Blockchain Availability Challenges
Blockchains need reliable global connectivity● Must gossip: costs bandwidth, energy, time
Unusable in many important environments● Disconnected networks (high-security, IoT)● Intermittent connectivity (developing world)
Outages also compromise blockchain integrity● Eclipse and routing attackers can create
fake chains [Heilman ‘15, Apostolaki ‘16]
Problem: Local/Offline Verification
How can clients know what’s on a blockchain?● Bitcoin offers no absolute truth, only relative:
clients must gossip & seek head w/ most work● Clients must be online, consuming bandwidth
– Even when downloading only block headers (SPV)– Costly catch-up if client app used only intermittently
● Vulnerable to attacks on routing & gossip– Details: see [Heilman ‘15, Apostolaki ‘16]
Can blockchains offer offline-verifiable truth?
Offline-Verifiable SkipChains
CHAINIAC: appeared in [USENIX Security ‘17]● Introduced SkipChains: blockchains supporting
offline cryptographic traversal & verification
Applied to E2E-secure software updates● Decentralized offline/P2P update distribution
Backward and Forward Verifiability
Standard blockchains traversable only backward● Via hash back-links from current head
Chainiac adds traversability forward in time● Collective signature by prior consensus group
Time
Backward hash links, embedded in blocks at commit time
Collectively signed forward links, added later once target exists
Time
Backward hash links, embedded in blocks at commit time
Leaping Through Time: SkipChains
Each block validates prev w/hash, next w/sig● Higher level hashes, sigs → longer hops● O(log N) traversal arbitrarily forward, back
Time
Backward hash links, embedded in blocks at commit time
Collectively signed forward links, added later once target exists
B3
B2
B1
F1
F2
F3
Level
Other Applications of SkipChains
Enable Offline/P2P verification● Works even if Internet is
unavailable, slow, costly
Broad applications● Software/key updates● Blockchain-Attested
Degrees, Awards, … ● Chain-of-Custody,
Bills of Lading, …
See: “How Do You Know It’s On the Blockchain?”
Problem: Local/Offline Transactions
Global blockchains (e.g., Bitcoin, Ethereum) become unusable or inconsistent if disconnected
Can we create resilient blockchains that are● Operable locally without global connectivity
– Secured networks, IoT, remote villages
● Able to sync with global statewhen intermittently connected
● Secure against local compromises– Global state protected from local attacks
Resilience via Localized Structuring
Crux: Locality-Preserving Distributed Systems work-in-progress [preprint]
Four Key Blockchain Challenges
● Scaling: doing enough, fast enough● Availability: is it there when you need it?● Privacy: keeping, storing, processing secrets● Stake: who gets how much, when, and why
The Blockchain Privacy Challenge
Blockchains protect the integrity of data bygiving everyone a copy for independent checking● This works against privacy & confidentiality● Current privacy provisions are leaky● Solvable with proper use of encryption
– It’s the encryption, not the blockchain,that protects privacy.
Key Privacy Challenges
● Ensuring secrets are not disclosed improperly– Off-chain secrets, encryption, ZK proofs are useful
● Ensuring secrets are disclosed when required– Off-chain secrets can be lost, or “lost”
● Ensuring usage of secret data is accountable– Enforcing correct reporting of data access & use
● Enabling rich computation on secret data– Privacy-preserving queries, aggregation, ML, …
Off-Chain Secrets
Most current blockchains address privacy by just keeping sensitive data off-chain● Just put a hash, or ZK proofs about it, on-chain● Encrypt, put ciphertext on-chain, keys off-chain
But off-chain data- or key-holder is a trusted party● May “forget” to report [improper] uses on-chain● May “forget” to store, disclose when required● Off-chain encryption keys irrevocable if leaked
On-Chain Secrets
“CALYPSO: Auditable Sharing of Private Data”
Encrypt(*) secrets care-of the blockchain itself,under a specific access policy or smart contract● Threshold of trustees
mediate all accesses● Enforce policies,
access recording● Ensure data both
hidden and disclosedwhen policy requires
● Can revoke access ifpolicy/ACLs change
Access-control cothorityWanda
Ron
(1.1) Store secret and access policy for idRon
Blockchain
(2.1) Download
encrypted secret
(3.1) Request secret re-encryption
Secret-management cothority
(1.2) Log secret
(2.3) Log access
(4) Decrypt secret
(2.2) Request
access to
secret
(3.2) Deliver re-encrypted secret
Ron’s identity skipchain (idRon)
(*) with post-quantum security if desired
Application: Personalized Health
Application: Data Science
Defense-grade Data Security
Application: Blockchain E-voting
Prototyped blockchain-based e-voting system● State-of-the-art cryptographic security/privacy● Validated, approved for deployment within
EPFL community of 10,000+
Exploring next-generatione-voting technologies● In contact with
Geneva, Swiss Poste-voting efforts
Privacy-Preserving Processing
Can we compute on private data? At what cost?
Intensely active area of cryptography research…● Fully-homomorphic encryption (FHE)● Secure multiparty computation (SMPC)
…and blockchain/smart contract activities, e.g.,● MIT Enigma project● EPFL UnLynx project
UnLynx: Privacy-Conscious, Blockchain-Secured Medical Data Sharing
Functionality:• Allow queriers to query a set of
distributed databases
Requirements:• Data Providers data confidentiality• No single point of failure• Computation correctness• Privacy of data providers (DP) and
individuals storing their data in DPs
Threat model:• Queriers, servers may be compromised• Data providers honest-but-curious
SELECT AVG(cholesterol_rate) FROM DP1, …, DPn
WHERE age in [40:50] AND ethnicity = CaucasianGROUP BY gender
Four Key Blockchain Challenges
● Scaling: doing enough, fast enough● Availability: is it there when you need it?● Privacy: keeping, storing, processing secrets● Stake: who gets how much, when, and why
Any human organization need a way to decide:● Who holds a stake in decision-making● How much
influence eachstakeholderwields
● How decisionsare a actuallyagreed on:consensus
Without consensus, organizations fail
Stake, Influence, and Consensus
Some Approaches to Membership
Permissioned: prove you’re in a meatspace club
Proof-of-Work: prove you’re wasting energy
Proof-of-Stake: prove you’re already rich
Proof-of-Storage: prove you have a big disk
Proof-of-*: prove you have a lot of *’s
Proof-of-Personhood: prove you’re a real person
Proof-of-Work as a Basis for Stake
Proof-of-Work requires miners to expend energy surmounting an artificial barrier to entry,just in order to prove they did that.
Important point: Proof-of-Work servers no purposeother than to erect an artificial barrier to entryand create competition for mining rewards!
Have we seen human practices like this before?
Membership by Hazing Ritual
Anything that not everyone will do on a whim:entire purpose is to create a barrier to entry
May be uncomfortable and/or embarrassing…
Membership by Hazing Ritual
Or just plain weird… ● MIT ‘58: using Oliver Smoot to measure bridge
Membership by Hazing Ritual
Or difficult, requiring energy and cooperation● Yap: chisel a giant circular “coin” out of stone
available only on another, distant island
Bitcoin’s Hazing Ritual
Digitally flip coins.
Many coins.
Billions of them.
By forming new “blocks”and feeding them into acryptographic hash● Converts any information
to pseudorandom number
Repeat endlessly.
Environmental Costs
Proof-of-work = “scorched-earth” blockchains● Bitcoin makes BTC scarce by making miners
prove they wasted energy● Serves no purpose except to prove they did it●
Bitcoin Energy Consumption Index
Bitcoin now wastes more energy than159 countries use for their people to live on!
Not Even Decentralized Anymore
Market incentives drive consolidation of hashrate or “voting power” to a few powerful mining pools● Over 60% currently in one country (China)● Any faction >51%
can control orveto decisions,censor, etc.
A Problem Not Unique to Bitcoin
Most cryptocurrencies aren’t that decentralized
Permissioned Ledgers
Just decide administratively who participates;Fixed or manually-changed group of “miners”
– No proof-of-work needed → low energy cost– More mature consensus protocols applicable– Higher human organizational costs– No longer open for “anyone” to participate
The Weakness of Limited Scale
Public/permissionless designs in principle have the advantage of security scaling with size● As more participants arrive, security increases
Closed participation designs limit security scaling!
Weakest-linksecurity
Strongest-linksecurity
ScalableStrongest-link
security
Alternative: Proof-of-Stake (PoS)
● Proof-of-Stake: assigns consensus shares in proportion to prior capital investment– Could address energy waste problem– Major unsolved security & incentive problems
● Securing proof-of-stakeis a nontrivial, interesting,but mostly-solved problem– e.g., Orobouros, Algorand– Also implementable with
CoSi + SkipChains +OmniLedger + RandHound
How important is Proof-of-Stake?
A Proof-of-Stake cryptocurrency is essentially an automated analog of a shareholder corporation.● May help hasten the takeover of automation,
but won’t fix the world.
It’s all just “Proof-of-Investment”
Proof-of-Work, Proof-of-Stake, Proof-of-* are allProof-of-Investment, aka investment capitalism.● The more * you invest, the greater your reward.
All prone to re-centralization, aka rich get richer● Larger stakeholders always in a better position
to exploit economies of scale – or just cheat –to further increase their percentage of the pie.
Proof-of-stake won’t keep systems decentralized!
Toward People-Centric Blockchains
Can we build decentralized technology that will● Securely stay open and widely decentralized?● Offer a fairness metric meaningful to people?● Be accountable to users rather than wealth?
“We must act to ensure that technology is designed and developed to serve humankind, and not the other way around”
- Tim Cook, Oct 24, 2018
One Person One Vote?
Proof-of-Personhood [IEEE S&B ‘17]● Proof-of-Stake but one stake unit per person
Proof-of-Personhood: Approaches
● Legacy Identities (e.g., government-issued)– Require costly ID-checking, not that hard to fake
● Global Biometric Databases (India, UNHCR)– Huge privacy issues, false positives+negatives
● Trust Networks (PGP “Web of Trust” model)– Unusable in practice, doesn’t address Sybil attacks
● Pseudonym Parties [SocialNets ‘08]– Requires in-person participation, physical security– Low-cost: verifies only personhood, not ID or trust
Conclusion: Key Challenges
● Scaling: doing enough, fast enough● Availability: is it there when you need it?● Privacy: keeping, storing, processing secrets● Stake: who gets how much, when, and why
Conclusion
Blockchains are exciting technology, but have a ways to go to achieve the properties we need!● We’ve taken a few steps in scalability,
availability, privacy, foundation for stake… ● But many open questions and challenges,
in these and many other areas.
Further information: http://dedis.epfl.ch/
