ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o...
Transcript of ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o...
![Page 1: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/1.jpg)
ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH STRONG CONSISTENCY VIA COLLECTIVE SIGNING
Swiss Federal Institute of Technology Lausanne
25th USENIX Security Symposium – Austin, TX, August 10th, 2016
Lefteris Kokoris-Kogias, Philipp Jovanovic, Nicolas Gailly, Ismail Khoffi, Linus Gasser and Bryan FordEPFL
@LefKok
1
![Page 2: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/2.jpg)
Cryptocurrency Ecosystem
729 Companies
2
![Page 3: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/3.jpg)
Distributed Ledger (Blockchain)
o Cheaper transaction managemento M2M payments (IoT)
3
![Page 4: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/4.jpg)
Distributed Ledger (Blockchain)
o Real-time verification is not safe (need 1 hour of delay)o Throughput is low (7 tx/sec)
4
![Page 5: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/5.jpg)
Talk Outlineo Bitcoin and its limitationso Strawman design: PBFTCoino Opening the consensus group o From MACs to Collective Signingo Decoupling transaction verification from leader election o Performance Evaluationo Future work and conclusions
5
![Page 6: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/6.jpg)
6
Transaction Verification in Bitcoin
AàB
![Page 7: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/7.jpg)
Transaction Conflicts
AàB
7
AàC
![Page 8: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/8.jpg)
Transaction Conflicts8
AàB
AàC
![Page 9: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/9.jpg)
Resolving Conflicts9
AàB
AàC
![Page 10: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/10.jpg)
Proof-of-Work
TX TX TX
Hash(Previous Block)
BLOCK
nonce
H(Block, nonce=0) =abc3426fe31233H(Block, nonce=1) =fe541200abc229
.
.
.
.
H(Block, nonce=2) =0bc3429831233
H(Block, nonce=29) =0000fed98312
10
TX TX TX
![Page 11: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/11.jpg)
The Blockchain11
![Page 12: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/12.jpg)
Problem Statement
1. In Bitcoin there is no verifiable commitment of the system that a block will persist
o Clients rely on probabilities to gain confidence.o Probability of successful fork-attack decreases exponentially
12
![Page 13: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/13.jpg)
Talk Outlineo Bitcoin and its limitationso Strawman design: PBFTCoino Opening the consensus group o From MACs to Collective Signingo Decoupling transaction verification from leader election o Performance Evaluationo Future work and conclusions
13
![Page 14: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/14.jpg)
Strawman Design: PBFTCoino 3f+1 fixed “trustees” running PBFT* to withstand f
failureso Non-probabilistic strong consistency
o Low latency
o No forks/inconsistencieso No double-spending
14
L
blockchain
L
block
trustees
leader
*Practical Byzantine Fault Tolerance [Castro/Liskov]
![Page 15: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/15.jpg)
Strawman Design: PBFTCoino Problem: Needs a static consensus groupo Problem: Scalability
o O(n2) communication complexityo O(n) verification complexityo Absence of third-party verifiable proofs (due to MACs)
15
ClientPrimary
Replica 2Replica 3Replica 4
Request Pre-Prepare Prepare Commit Reply
![Page 16: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/16.jpg)
Talk Outlineo Bitcoin and its limitationso Strawman design: PBFTCoino Opening the consensus group o From MACs to Collective Signingo Decoupling transaction verification from leader election o Performance Evaluationo Future work and conclusions
16
![Page 17: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/17.jpg)
Opening the Consensus Group 17
L
blockchain
share window of size w
L
block
share
miner
leader
o PoW against Sybil attackso One share per block
o % of shares ∝ hash-power
o Window mechanismo Protect from inactive miners
![Page 18: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/18.jpg)
Talk Outlineo Bitcoin and its limitationso Strawman design: PBFTCoino Opening the consensus group o From MACs to Collective Signingo Decoupling transaction verification from leader election o Performance Evaluationo Future work and conclusions
18
![Page 19: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/19.jpg)
From MACs to Signing19
o Substitute MACs with public-key cryptographyo ECDSA provides more efficiencyo Third-party verifiableo PoW Blockchain as PKIo Enables sparser communication patterns (ring or star
topologies)
![Page 20: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/20.jpg)
From MACs to Collective Signing20
o Can we do better than O(n) communication complexity?o Multicast protocols transmit information in O(log n)o Use trees!!
o Can we do better than O(n) complexity to verify?o Schnorr multisignatures could be verified in O(1)o Use aggregation!!
o Schnorr multisignatures + communication trees = Collective Signing [Syta et all, IEEE S&P ’16]
![Page 21: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/21.jpg)
21
CoSio Efficient collective signature, verifiable as a
simple signatureo 80 bytes instead of 9KB for 144* co-signers
(Ed25519)
21
* Number of ~10-minute blocks in 1-day time window
![Page 22: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/22.jpg)
Discussiono CoSi is not a BFT protocolo PBFT can be implemented over two subsequent CoSi rounds
o Prepare roundo Commit round
22
L
blockchain
share window of size w
L
block
share
miner
leader
![Page 23: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/23.jpg)
Problem Statement1. In Bitcoin ByzCoin there is no a verifiable commitment
of the system that a block will persist2. Throughput is limited by forkso Increasing block size increases fork probabilityo Liveness exacerbation
23
![Page 24: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/24.jpg)
Talk Outlineo Bitcoin and its limitationso Strawman design: PBFTCoin
o Opening the consensus group
o From MACs to Collective Signing
o Decoupling transaction verification from leader election
o Performance Evaluationo Future work and conclusions
24
![Page 25: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/25.jpg)
Bitcoin-NG [Eyal et all, NSDI ’16]
o Makes the observation that block mining implement two distinct functionalitieso Transaction verificationo Leader election
o But, Bitcoin-NG inherits many of Bitcoin’s problemso Double-spendingo Leader is checked after his epoch ends
25
![Page 26: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/26.jpg)
Decoupling Transaction Verification from Leader Election
o Key blocks: o PoW & share valueo Leader election
o Microblocks: o Validating client transactionso Issued by the leader
26
1 2
1 2 3 4 5
Keyblock
Microblock
Collective Signature
![Page 27: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/27.jpg)
Talk Outlineo Bitcoin and its limitationso Strawman design: PBFTCoino Opening the consensus group o From MACs to Collective Signingo Decoupling transaction verification from leader election o Performance Evaluationo Future work and conclusions
27
![Page 28: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/28.jpg)
Performance Evaluation28
o Experiments run on DeterLab network testbedo Up to 1,008* miners multiplexed atop 36 machineso Impose 200 ms roundtrip latencies between all serverso Impose 35 Mbps bandwidth per miner
* 1008 = # of ~10-minute key-blocks in 1-week time window
![Page 29: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/29.jpg)
Performance Evaluation29
o Key questions to evaluate:o What size consensus groups can ByzCoin scale to?o What transaction throughput can it handle?
![Page 30: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/30.jpg)
Consensus Latency 30
![Page 31: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/31.jpg)
Throughput31
![Page 32: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/32.jpg)
Talk Outlineo Bitcoin and its limitationso Strawman design: PBFTCoino Opening the consensus group o From MACs to Collective Signingo Decoupling transaction verification from leader election o Performance Evaluationo Future work and conclusions
32
![Page 33: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/33.jpg)
Limitationso Attacker with >= 1/3 of the shares
o Can trivially censor transactions / DoS the systemo Can double-spend if he splits the network
o Can currently only scale-up not scale-outo Leader can exclude miners from the consensus
33
![Page 34: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/34.jpg)
Future Work
o Alternatives to PoWo Sharding to enable scaling-outo Incremental deployment to existing cryptocurrencieso Fail more gracefully under 33% attacks
34
![Page 35: ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH … · Talk Outline o Bitcoin and its limitations o Strawmandesign: PBFTCoin o Opening the consensus group o From MACs to Collective](https://reader034.fdocuments.in/reader034/viewer/2022042407/5f218823fc26e208e73f9dd3/html5/thumbnails/35.jpg)
Conclusiono Use Collective Signing to scale BFT protocols o Use PoW to create hybrid permissionless BFTo Combine the above with Bitcoin-NG to create
ByzCoino Demonstrate experimentally its practicalityo ByzCoin increases the security and performance of
cryptocurrencies.
35