7.カテナビットコインによる効率的な非等価化 (7. Catena: Efficient Non-equivocation via Bitcoin)

字幕表動画を再生する

The following content is provided under a Creative
Commons license.
Your support will help MIT OpenCourseWare
continue to offer high quality educational resources for free.
To make a donation or to view additional materials
from hundreds of MIT courses, visit MIT OpenCourseWare
at ocw.mit.edu.
ALIN TOMESCU: My name is Alin.
I work in Stata, in the Stata Center.
I'm a PhD student there in my fifth year.
And today we're going to be talking about one
of our research project called Catena.
And Catena is a really nice way of using bitcoin
to build append-only logs.
Bitcoin itself is an append-only log.
And a lot of people have been using it to put data in it.
And I'll describe a really efficient way
of doing that and its applications.
And if there is time, we'll talk about a tax and maybe colored
coins and some other stuff.
We'll talk about the what, the how and the why.
And that's the overview of the presentation.
So let's talk about this problem called the equivocation
problem.
So what is this?
In general, non-equivocation means saying the same thing
to everybody.
So for example, if you have a malicious service
and you have Alice and Bob, the service
should say the same thing to Alice and Bob.
So it would make a bunch of statements.
Let's say s1, s2, s3 over time and Alice and Bob
would see all of these statements.
So this is very similar to what bitcoin provides, right?
In bitcoin you see block one, block two, block three.
And everybody agrees on these blocks in sequence, right?
Does that make sense?
So this is non-equivocation and in some sense
this is what bitcoin already offers.
And in general with non-equivocation,
what you might get is some of these statements
might actually be false or incorrect.
Non-equivocation doesn't guarantee you
that this statement is a correct statement.
But it just guarantees you that everybody
sees the same statements.
And then they can detect incorrect statements.
In bitcoin you get a little bit more.
You actually know that if this is a block,
it's a valid block, assuming there are enough blocks on top
of it, right?
So equivocation means saying the same thing to everybody.
So for example, this malicious service at time four,
he might show Bob a different statement than Alice.
So Bob sees s4 and Alice sees s4 prime.
This is what happens in bitcoin sometimes.
And that's how you can double spend in bitcoin
by putting the transaction here sending money to the merchant,
and then putting another transaction
here sending money back to you.
Right, are you guys familiar with this?
Yeah, OK.
All right, so why does this matter?
Let me give you a silly example.
Suppose we have Jimmy and we have Jimmy's mom and Jimmy's
dad, right?
And Jimmy wants to go outside and play.
But he knows that mom and dad usually don't let him play.
So what he does is he tells dad, hey dad,
mom said I can go outside.
Right, and then he tells mom, hey mom.
Dad said I can go outside.
And let's say mom and dad are in different rooms
and they're watching soap operas and they're not
talking to one another.
So they can actually confirm that.
You know, mom can confirm that dad really said that.
And dad can really confirm that mom said that.
But they both trust Jimmy.
So you see how equivocation can be really problematic
because now mom and dad will say sure,
go outside as long as the other person said that, right?
But let me give you a more practical example.
So let's look at something called a public-key directory.
A public-key directory allows you to map user's public keys--
a user name to a public key.
Right, so here I have the public key for Alice
and here I have the public key for Bob.
And they look up each other's keys in this directory.
And then they can set up a secure channel.
How many of you guys use Whatsapp, for example?
So the Whatsapp server has a public-key directory.
And when I want to send you a message,
I look up your phone number in that directory
and I get your public key, right?
If that directory equivocates, the following thing can happen.
What the directory can do is it can create a new directory
at time two where he puts a fake public key for Bob
and he shows this to Alice, right?
And at time two also, he creates another directory for Bob
where he puts a fake public key for Alice, right?
So now the problem here is that when
Alice checks in this directory, she looks at her own public key
to make sure she's not impersonated.
And Alice looks in this version and sees, OK.
That is my public key.
I'm good.
She looks in this version, OK.
This is my public key.
I'm good.
So now I'm ready to use this directory.
And I'll look up Bob and I'll get his public key.
But Alice will actually get the wrong public key.
Does everybody see that?
And similarly Bob will do the same.
So Bob will look in his fork of the directory, right?
And he looks up his key here and his key here.
And he thinks he's OK.
He's not impersonated.
But in fact, Alice has impersonated there.
OK?
And now as a result, they will obtain fake keys
for each other.
And this man in the middle, attacker
who knows the corresponding secret keys
for these public keys can basically
read all of their communications.
Any questions about this?
This is just one example of how equivocation
can be really disastrous.
So in a public-key directory, if you can equivocate,
you can show fake public keys for people
and impersonate them.
So in other words, it's really important
that Alice and Bob both see the same directory.
Because if Bob saw this directory,
the same one Alice saw, then Bob would notice that this is not
the public key he had.
He would notice his first public key and then
that there's a second one there.
And then he would know he's impersonated.
And he could let's say, talk to the New York Times,
and say, look.
This directory is impersonating me.
So in conclusion, equivocation can be pretty bad.
So this idea that you say different things
to different people can be pretty disastrous.
And what Catena does is it prevents that.
So in general, if you have this malicious service that is
backed by Catena, if it wants to say different things
to different people. it cannot do that.
It has to show the same thing to everybody.
And the way we achieve that is by building on top of bitcoin.
And that's what we're going to be talking about today.
So any questions about sort of the general setting
of the problem and our goals here?
So let's move on then.
So why does this matter?
So this matters for a bunch of other reasons,
not just public-key directories and secure messaging.
It matters because when you want to do secure software update,
equivocation is a problem.
And I'll talk about that later.
So for example, at some point bitcoin
was concerned about malicious bitcoin binaries
being published on the web and people
like you and me downloading those binaries
and getting our coins stolen.
Right, and it turns out that that's an equivocation problem.
Somebody is equivocating, right?
It's equivocating about the bitcoin binary.
It's showing us a fake version and maybe
other people the real version.
Secure messaging, like I said before,
has applications here and.
Not just secure messaging but also the web.
Like when you go on Facebook.com,
you're looking up Facebook's public key.
And if somebody lies to you about that public key,
you could be going to a malicious service
and you could be giving them your Facebook password.
Does that make sense?
And also it has applications in the sense
that if you have a way of building a append-only log,
you really have a way of building a blockchain right
for whatever purpose you want.
And we'll talk about that as well.
So the 10,000 feet view of the system
is we built this bitcoin based append-only log.
And the way to think about is that bitcoin is already
an append-only log.
It's just that it's kind of inefficient to look
in that log.
If you want to pick certain things from the Bitcoin
blockchain, like you put your certain bits and pieces of data
there, you have to kind of download
the whole thing to make sure you're not missing anything.
And I'll tell you why soon.
So instead of putting stuff naively
in the Bitcoin blockchain, we put it
in a more principled way.
And in a sense we get a log and another log.
We get our log and the bitcoin log.
And this generalizes to other cryptocurrencies.
Like you could do this in light coin,
for example, or even in ethereum.
Though I don't think you guys yet
talked about how the ethereum blockchain works.
And the cool thing about this Catena log that we're building
is that the Catena log is as hard to fork as the bitcoin
blockchain.
If you want to fork our log, you have to fork bitcoin.
However, unlike the Bitcoin blockchain,
Catena is super efficient to verify.
So in particular, remember, I described the log
in terms of the statements in it.
So if you have 10 statements, each statement
will be 600 bytes to audit.
So you don't have to download the whole Bitcoin
blockchain to make sure you're not missing a statement.
And you also have to download 80 bytes per bitcoin block.
And we have a Java implementation of this.
And if you guys are curious, you can go to my GitHub page,
and take a look at the code.
All right, so before we start, I know you guys already
know a lot about how the Bitcoin blockchain,
but it's important that I reintroduce some terminology
just so we're on the same page.
So this is the bitcoin blockchain.
We have a bunch of blocks connected
by hash chain pointers.
And we have Merkle trees of transactions.
And you know, these arrows indicate hash pointers.
It means that block n stores a hash of block n minus 1 in it,
right?
So in that sense.
Block n has a hash pointer to block n minus 1.
All right, and like I said, each tree has a Merkle tree.
Each block has a Merkle tree.
And everybody agrees on this chain
of blocks via proof of work consensus, which all of you
already know.
And importantly, in the Merkle trees, we have transactions.
And transactions can do two things.
Right, a transaction can mint coins, create new coins.
So here I have transaction a.
It created four coins by storing them in an output.
Are you familiar with outputs?
So you guys already discussed transaction outputs and inputs.
So that's what we're going over here again real quick.
So an output specifies the number of coins
and the public key of the owner of those coins,
as you already know.
And the second purpose of transactions
is that they can transfer coins, right, and pay fees
in the process.
So here if you have a transaction b,
this transaction b might say, hey, here's
a signature from the owner of these coins here.
Here's a signature and transaction b.
And here's the new owner with public key
b of three of those four coins.
And one of those coins I'll just give it
to the miners as a transaction fee.
Does this make sense?
How many of you are with me?
All right, any questions about how transaction inputs
and outputs work?
So if you remember in the input here,
you have a hash pointer to the output here.
All right.
So and the high level idea here is
that the output is just the number
of coins in a public key.
And the input is a hash pointer to an output
plus a digital signature from that output's public key, OK?
And yeah, so what happens here is
that transaction b is spending transaction a's first output.
Right, that's the terminology that we're going to use.
And I think you guys have already
used terminology like this.
And in addition, what we're going to talk about today
is the fact that in these bitcoin transactions
you can actually embed data.
And I think you touched briefly on this concept of op return
transaction outputs.
Right, so this is an output that sends coins to a public key.
But here I can have an output that sends coins to nobody.
It just specifies some data.
And in fact, I'll use that data to specify the statements
that I was talking about earlier.
So that the high level point here
is that you can embed data in bitcoin transactions using
these operations.
And there's a bunch of other ways to do it, actually.
Like initially what people did is
they put the data as the public key.
They just set the public key to the data.
And in that sense, they kind of wasted bitcoins.
Right, they said hey, send these three bitcoins
to this public key, which is just some random data.
But nobody would know the corresponding secret key
of that public key.
So therefore those coins would be burned.
Did you did you cover this in class already?
Maybe, maybe a little bit.
So but that's kind of inefficient
because if you remember, the miners
have to build this UTXO set.
And they have to keep this output that
has this bad public key in their memory
forever because nobody's going to be able to spend it.
So we don't want to do that.
We want to build a nice system, a system that treats bitcoin
nicely, the bitcoin miners.
So that's why we use these return outputs.
All right, so the high level here
is that Alice gives Bob three bitcoins.
And the miners collect a bitcoin as a fee.
And of course, you can keep doing this, right?
Like Bob can give Carol these two bitcoins later by creating
another transaction with an input referring to that output
and with an output specifying Carol's public key.
All right, and the high level idea of bitcoin is that you
don't-- you cannot double spend coins.
And what that means is that a transaction output can only
be referred to by a single transaction input.
So this thing right here in bitcoin where I have two inputs
spending an output cannot happen, right?
How many of you are familiar with this already?
OK, good.
So actually this is the essential trick
that Catena leverages.
And we'll talk about it soon.
And yeah, the moral of the story,
the reason I told you all of this is because you know,
basically if you have proof of work consensus in the bitcoin
sense, you cannot do double spends.
So this thing right here, that I said before,
just cannot occur in the Bitcoin blockchain unless you break
the assumptions, right, unless you have more mining power than
you should.
In that case, you either have to tx2 or tx2
prime, but not both, right?
And what Catena really realizes is
that if I put statements in these transactions now,
what that means is that I can only have a second statement.
I cannot have two second statements.
I cannot equivocate about the second statements if I just
restrict my way of issuing statements in this way.
I put the first statement in the transaction
and the second statement I put it
in a transaction that spends the first one.
So does everybody agree that if I do things in this way
and I want to equivocate about the second statement,
I would have to double spend?
So that's the key insight behind our system.
Any questions about this so far?
You know it's really hard to talk if you guys talk back,
it's way easier.
Yeah?
AUDIENCE: A question.
And maybe, I think I'm getting this right.
If you're setting up the first transaction,
then you're adding data on?
You're burning bitcoins every time you're doing it,
so at some point, you're going to run out.
ALIN TOMESCU: That's an excellent question.
So let's-- we'll go over that.
But the idea is that in this output,
I won't burn any bitcoins.
I'll actually specify my own public key here.
And I'll just send the bitcoins back to myself.
And in the process I'll pay a fee to issue this transaction.
Does that make sense?
Yeah?
And we'll talk about it later.
OK, so real quickly, what did previous work
do regarding this?
So how many of you are familiar with blockstack?
1, 2, only two people?
OK how many of you are familiar with Keybase?
OK, so blockstack and Keybase actually post statements
in the Bitcoin blockchain.
And they're both public directories.
They map user names to public keys.
And for example, Keybase, what Keybase does
is they take this Merkle route hash,
and they put it in the transaction.
And then six hours later, they take the new route hash,
and they put it in another transaction, and so on.
Every six hours, they post the transaction.
But unfortunately, they don't actually do what Catena does.
So they don't have their new transaction spend the old one.
And as a result, if you're trying
to make sure you see all of the statements for Keybase,
you don't have a lot of recourse other
than just downloading each block and looking in the block
for all of the relevant transactions.
Another thing you could do is you could sort of
trust the bitcoin miners--
the bitcoin full nodes to filter the blocks for you.
So you could contact a bunch of bitcoin full nodes
and say, look.
I'm only interested in transactions
that have a certain IP return prefix in the data.
And they could do that for you.
But unfortunately, bitcoin full nodes
could also lie to you very easily.
And there is no cost for them to lie to you.
Everybody can be a bitcoin full node.
So then it becomes a very bandwidth intensive process
because you have to ask a lot of full nodes
to deal with the fact that someone might lie to you.
But you either need to download full blocks
to find let's say, a missing statement like this one
that a bitcoin full node might hide from you,
or you can trust the majority of bitcoin full nodes
to not hide statements, which is not very good, right?
So I don't want to trust these full nodes
because all of you guys could run a full node right
now in the bitcoin network.
It doesn't cost you anything.
And if I talk to your malicious full node, I could be screwed.
So our work just says, look.
Instead of issuing transactions in sort
of an uncorrelated fashion, just do the following thing.
Every transaction you issue should spend the previous one.
So as a result, if someone wants to equivocate
about the third statement, they have
to double spend like I said before.
Right?
Yeah?
AUDIENCE: So what's the connection back
to Keybase and blockstack again?
ALIN TOMESCU: Yeah, so Keybase and blockstack
are public directories.
And what they do is they want to prevent themselves from--
is there a whiteboard I can draw here?
Yeah so, let's say, you know, if you remember the picture
from the beginning, I can have a public directory
that evolves over time, right?
So this is v1 of the directory, and it
might have the right public keys for Alice and Bob.
But at v2, the directory might do this.
It might do v2.
It might have Alice, Bob, but then put a fake key for Alice.
And at V2 prime, it might do Alice, Bob as before,
and put a fake key for Bob.
So in other words it keeps the directory append-only.
But it just adds fake public keys for the right people
in the right version.
So here this one is shown to Bob.
And here this one is shown to Alice.
So now Alice will use this fake key for Bob.
So she'll encrypt a message with b prime for Bob.
And now the attacker can easily decrypt this message
because he has the secret key.
So what the attacker can do then is re-encrypt it
with the right public key for Bob
and now he can read Alice's messages.
And the whole idea is that the attacker--
you know, this b prime is the public key, is pk b prime,
let's say.
But the attacker has this sk b prime.
He knows sk b prime because the attacker put this in there.
The attacker being really, blockstack or Keybase.
And of course, they're not attackers in the sense
that they want to be good guys.
But they're going to be compromised eventually.
So they want to prevent themselves
from doing things like these.
Is that sort of answer your question?
Yeah.
All right, so yeah, a really simple summary.
If I had two slides to summarize our work, this would be it.
Right, they would be these two.
Look, don't do things this way.
Do them this way.
All right, so let's see, let's look a little bit
at the design.
So remember we have these authorities that
could equivocate about statements they issued
like blockstack and Keybase.
So what we propose is look, these authorities
can run a lock server, a Catena lock server.
And they start with some funds locked in some output.
And what they can do first is they
can issue this genesis transaction
to start a new lock.
So for example, Keybase would issue this genesis transaction
starting the log of their public directory Merkle routes.
And this genesis transaction can be
thought of as the public key of the log.
Once you have this genesis transaction,
you know it's transaction ID.
You can verify any future statements,
and you can implicitly prevent equivocation about statements.
And what the lock server is going to do
is it's going to take these coins
and send them back to the server to answer your question.
So if there was a public key, if these coins
are owned by some public key, they're
just sent back to same public key here
and paying some fees in the process.
Right, so we're not burning coins in the sense
that we're just paying fees that are
miners, which we have to do.
OK, so now what you can do is if you
want to issue the first statements,
you create a transaction.
You send the coins from this output to this other output.
You pay some fees in the process.
You put your statement in an op return output.
And as a result, if this lock server wants to equivocate,
it has to again, double spend here,
which it cannot do unless it has enough mining power.
So Keybase and blockstack, if they
were to use a system like this, they
could prevent themselves from equivocating.
And this can keep going, right?
So you issue another transaction.
Spend the previous output.
Put the new statement.
Yes?
AUDIENCE: This doesn't seem like a new problem.
How have authorities prevented equivocation in the past?
ALIN TOMESCU: This doesn't seem like a new problem.
How did authorities do it?
The problem is not new.
The problem is eternal.
So you are correct there.
How did they do it in the past?
They just used a Byzantine consensus algorithm.
So in some sense this is what we're doing here as well.
We're just piggybacking on top of Bitcoin's
Byzantine consensus algorithm.
AUDIENCE: So you're rolling down to a newer Byzantine consensus
algorithm basically.
ALIN TOMESCU: Sure, I'm not sure what rolling down means.
But yeah, we're piggybacking on top of bitcoin.
The idea is that look, a byzantine consensus
is actually quite complex to get right.
We already have a publicly verifiable business consensus
algorithm.
It's bitcoin.
Why can't we use it to verify, let's say, a log of statements
super efficiently?
So up until our work, people didn't seem to do this.
So Keybase didn't do this.
Blockstack didn't do this.
They kind of forced it to download the entire bitcoin
block chain to verify let's say, three statements.
So in our case, you only have to download a few kilobytes
of data to verify these three statements,
assuming you have the bitcoin block headers, right,
which we think is a step forward.
And it's sort of like the right way
to use these systems should be you
know, the efficient way, not the inefficient way.
Because bandwidth is expensive, right?
Computation is cheap.
Bandwidth is expensive.
All right, so anyway the idea is that if the lock server becomes
malicious, if Keybase or blockstack gets hacked,
they cannot equivocate about the third statement.
They can only issue one unique third statement.
And the advantages are, you know,
it's hard to fork this lock.
It's hard to equivocate about third statement.
But it's efficient to verify.
And I'll walk you through how clients verify soon.
The disadvantages are that if I want
to know that this is the second statement in the log,
I have to wait for six more blocks
to be built on top of this statement's block, right?
Just like in bitcoin, you have to wait for six blocks
to make sure a transaction is confirmed, right?
Why do you do that?
The reason you do that is because there could
be another transaction here, double spending
because sometimes there are accidental forks in bitcoin
and things like that.
What are some other disadvantages
that you guys can point out?
Yeah?
AUDIENCE: It's going to be expensive.
ALIN TOMESCU: It's going to be expensive to issue
these trends.
So Alin-- Alin and I share the same name.
So Alin is pointing out that you know,
every time I issue these statements,
I have to pay a fee, right?
And if you remember, the fees were quite ridiculous
in bitcoin.
So that's a problem, right?
So let's see, is that the next thing?
The next thing was you have to issue--
you can only issue a statement every 10 minutes, right?
So if you want to issue statements really fast.
you can't do that.
All right, like Alin said you have to pay bitcoin transaction
fees.
And the other problem is that you don't get freshness
in the sense that it's kind of easy for this lock server
to hide from you the latest statement.
You know, unless you have a lot of these log servers
and you ask many of them, hey, what's the latest statement?
And they show you back the latest statement.
If there is just one log server and it's compromised,
it could always pretend no, no, no.
This is the latest statement.
And if you don't trust it, the best recourse you have
is to download the full block and look for the statement
yourself.
So you don't get freshness.
Those are some disadvantages.
Now let's look at how clients audit this log?
So I was claiming that it's very efficient
to get these statements and make sure
that no equivocation happened.
So let's say, you have a Catena client
and you're running on your phone with this client.
And your goal is to get that list of statements.
And there's the Catena log server over there in the back.
And there's the bitcoin peer to peer
network which at the moment has about 11,000 nodes.
And remember, I said the first thing you need
is the genesis transaction.
Does everybody sort of understand
that if you get the wrong Genesis transaction,
you're completely screwed, right?
Because it's very easy to equivocate
if you have the wrong Genesis transaction, right?
I mean, you know there's the right GTX here where you have,
let's say, a s1.
And then you have s2 in their own transactions, right?
But if there's another GTX prime here and you're using that one,
you're going to get s1 prime, s2 prime, different statements.
So if Alice uses GTX but Bob uses GTX prime,
Alice and Bob are back to square one.
So in some sense, you might ask, OK, so then what's the point?
What have you solved here?
I still need to get this GTX, right?
So what we claim is that this is a step forward because you only
have to do this once.
Once you've got this GTX, you can
be sure you're never equivocated to, right?
Whereas in the past, you would have
to for each individual statement,
you'd have to do additional checks
to make sure you're not being equivocated
to, like you would have to ask in a full node, let's say.
Right, so as long as you have the right GTX, you're good.
And how do you get the right GTX?
Well, usually you ship it with the software on your phone.
And there's some problems there as well,
like there is no problem solved in computer
science in some sense.
But you know, we're trying to make progress here.
OK, so let's say you have the right GTX because it
got shipped with your software.
Now the next thing you want to do is get the block headers.
So you have header i, but there are
some new headers being posted.
Let's say the bitcoin peer to peer network sends them to you.
You have these headers.
You verify the proof of work, right?
So this only costs you 80 bytes per header, right?
Does everyone see that this is very cheap?
So far, so far I have the GTX, which is let's say 235 bytes.
And now I'm downloading some headers.
And now I'm ready to ask the log server what's
the first statement in the log, right?
And what the log server will do is
he's going to reply with the transaction
with the statement, which is 600 bytes and the Merkle proof.
So all of this is 600 bytes, actually.
Right, and now what the Catena client will do
is he'll check the Merkle proof against one
of the headers so to see in which headers does it fit.
And then he'll also check that the input here
has a valid signature from the public key in the output here.
All right, I want at least one question about this.
Yeah?
AUDIENCE: Sorry I came in late, but is the Catena client
over there similar to the SPV?
ALIN TOMESCU: Yeah, so that exactly.
It's an SPV client.
Yeah, so the idea is that we want SPV clients.
We don't want these mobile phone clients
to download 150 gigabytes of data.
We want them to download let's say 40 megabytes worth of block
headers, which they can discard very quickly as they verify.
And then we want them to download
600 bytes per statement, but still
be sure that they saw all of the statements in sequence,
and that there was no equivocation.
Yeah?
AUDIENCE: So in our previous classes,
we discussed, if you can have a full node and an SPV node,
do these sort of vulnerabilities exist with the [INAUDIBLE]
client?
ALIN TOMESCU: So which vulnerabilities
that you did talk about?
AUDIENCE: I forget.
ALIN TOMESCU: Did you talk about--
AUDIENCE: There was just a box that was like less secure.
And then there was another box that was something else bad.
There was one about [INAUDIBLE].
The clients would lie to you about--
If you say, here's some transactions
or here are some unspent outputs,
then they could just tell you something different.
ALIN TOMESCU: Yes.
Yeah?
Sorry.
AUDIENCE: Well, they can't tell you
that transactions exist or don't exist.
They can just not tell you--
ALIN TOMESCU: Yeah, they can hide transactions
from you, which gets back to the freshness issue
that we could discussed.
They could also-- this block header
could be an header for an invalid block.
But remember, that before you accept this tx1,
you wait for enough proof of work,
you wait for more block headers on top of this guy
to sort of get some assurance that no, this
was a valid block because a bunch of other miners built
on top of it.
Right?
So as long as you're willing to trust that the miners do
the right thing, which they have an incentive
to do the right thing, you should be good.
But like you said, what's your name?
AUDIENCE: Anne.
ALIN TOMESCU: Anne?
Like Anne said, there are actually bigger problems
with SPV clients.
And if there is time, we can talk about it.
But it's actually easier to trick SPV clients to fork them.
And there's something called a generalized vector 76 attack.
Have any of your guys heard about this?
So it's like a pre-mining attack but it's
a bit easier to pull off.
Actually, it's a lot easier to pull off on an SPV node
than on a full node.
And if there's time at the end, we can talk about it.
If there isn't, you can read our paper,
which is online on my website.
And you can read about these pre-mining attacks
that work easier for SPV nodes.
But anyway, this can keep going, right?
You get block headers, 80 bytes each.
You ask the log server, hey what's
the next statement in the log?
You get a Merkle proof in a transaction.
And then you verify the Merkle proof.
You put this transaction in one of these blocks
and you verify that it spends the previous one.
Right, and as a result, you implicitly
by doing this verification, by checking that hey,
this is a transaction and a valid block.
This block has enough stuff built on top of it
and this transaction spends this guy here,
you implicitly prevent equivocation.
Right, then you don't have to download anything else.
Right, you only have to download these Merkle proofs
and transactions in these block headers.
Whereas in previous work, you could be missing these s1's,
these s2's, they could be hidden away
in some other branch of the Merkle tree.
And you'd have to do peer to peer bloom
filtering on the full nodes.
And those full nodes could lie to you.
Yeah, so the bandwidth is actually very small.
So suppose we have 500k block headers--
I think bitcoin has a bit more right now--
which are 80 bytes each and we have
10,000 statements in this log, which are 600 bytes each.
Then we only need now with 46 megabytes, right?
What's the what's the other way of doing it?
You have to download hundreds of gigabytes.
All right, so let's talk about scalability a little bit.
So suppose the system gets deployed widely.
Let's say Whatsapp starts to use the system to witness--
to publish their public directory in bitcoin, right?
And everybody, a lot of you here have Whatsapp.
And this is you guys.
Let's say there are 200,000 people using Whatsapp.
I think there's more like a billion.
So what are they going to do?
Remember that part of the verification protocol
is asking for these block headers
from the peer to peer network, right?
And in fact, if you're SPV clients,
you usually open up around eight connections to the peer
to peer network.
And if you're a full node in the bitcoin peer to peer network,
you usually have around 117 incoming connections.
That that's how much you support.
You support 117 incoming connections as a full node.
So that means in total, you support about a million
incoming connections.
So you know, this guy supports a million.
But we need about 1.6 million connections
from these 200,000 clients, right?
So it's a bit of a problem if you
deploy Catena and it becomes wildly popular.
Being a bit optimistic here, but you know,
let's say that happened, right?
So how can we fix this?
How can we avoid this problem because in this case, what
we would basically be doing is we
would be accidentally DDOSing bitcoin.
And we don't want to do that.
Does everybody see that there's a problem here, first of all?
OK, so the idea is very simple.
We just introduced something called a header relay network.
And what that means is look, you don't really
have to ask for these block headers from the Bitcoin peer
to peer network.
You could just outsource these block headers anywhere
because they're publicly verifiable.
Right, the block headers have proof of work on them.
So you can use volunteer nodes that sort of push block
headers to whoever asks for them.
You could use blockchain explorers like blockchain.info,
right?
You could use Facebook.
You could just post block headers on Facebook.
Right, like in a Facebook feed.
You could use Twitter for that.
You could use GitHub gists.
You know, so you could--
there's a lot of ways to implement this.
The simplest way is have servers and have
them send these headers to whoever asks for them.
So it's easy to scale in that sense
because if you now ask these header relay
network for the block headers, you
know, it's much easier to scale this than to scale the bitcoin
peer to peer network, which has to do a bit more than just
block headers.
They have to verify blocks.
They have to verify signatures.
Yeah?
AUDIENCE: Did you consider having
the clients being peer to peer?
ALIN TOMESCU: , Yes so another way.
And I think we'll talk about that in the paper--
is you can implement the header relay network as a peer to peer
network on top of the clients.
Yeah, so that's another way to do it.
There's some subtleties there that you have to get right.
But you can do it, I think.
Yeah?
AUDIENCE: Would you you expect that if a company like Whatsapp
decided adopt Catena, they would run their own servers
to make sure that there was the capacity for it?
ALIN TOMESCU: For the header relay network?
AUDIENCE: Yes.
ALIN TOMESCU: I mean, I would be just be speculating,
wishful thinking.
They could.
There is some problem with this header relay network as well.
And we talk about it in the paper
because this had a really network could withhold
block headers from you.
So you do have to distribute it.
Like usually you don't want to just trust
Whatsapp who's also doing the statements, who's
also pushing the statements in the blockchain.
You don't want to trust them to also give you
the block headers.
You actually want to fetch them from a different source
that Whatsapp doesn't collude with.
Yeah, Anne, you had a question?
AUDIENCE: Are there other header relay networks
that are deployed already?
ALIN TOMESCU: Yeah, there was actually one on ethereum.
There's a smart contract in ethereum,
I think, that if you submit bitcoin block headers to it,
you get something back.
And then you can just query bitcoin block headers
from the ethereum blockchain.
Is anyone familiar with this?
So I guess I didn't include it here.
But another way to do it is to just publish the header
is in an ethereum smart contract.
Yeah.
So there's crazy ways you could do this too.
Yeah?
AUDIENCE: Will that one go out of gas?
I don't know, my understanding of ethereum is pretty decent,
but would that smart contract eventually run out of gas
and not publish anymore?
ALIN TOMESCU: So to fetch from it, you don't need to pay gas.
But I suspect to push in it, I actually
don't know who funds that contract.
So I guess you fund that when you push maybe.
Maybe not because then you also want something back.
Why would you push?
I'm not sure.
But we can look at it after.
Yeah.
It's a good question.
So anyway, even if this header relay network is compromised,
if you implement it in the right way,
you've distributed on a sufficient number of parties,
you can still get all of the properties that you need to,
meaning freshness for the block headers.
That's really the only property that you need to.
The header relay network should always
reply with the latest block headers.
So let's look at costs since Alin was mentioning the costs.
So to open a statement, you have to issue a transaction, right?
And the size of our transactions are around 235 bytes.
So and the fee as of December 13 was $16.24 for transactions
if you guys remember those great bitcoin times.
I think it went up to $40 at some point too.
So it was it was really hard for me to talk to people
about this research back then.
But guess what, the fees are today?
So today, this morning I checked.
And there were $0.78, right?
When we wrote the paper, they were like $0.12.
So you know, here I am standing in front
of you pitching our work.
In two minutes they could be back to $100, but who knows?
Yes, you had a question.
AUDIENCE: Maybe I'm wrong, but in a transaction,
you can have some outputs.
Can you have several statements in there?
ALIN TOMESCU: So that's a good question.
So can you batch statements?
And then the answer is yes.
You can definitely batch statements.
What we've said so far is in a transaction--
in a Catena transaction, you have this output.
And you have this op return output
where you put the statement, right?
And you know, it spends a previous transaction.
But as a matter of fact, what you can do and some of you
may already notice this.
There is no reason to put just one statement in here.
There is some reason-- so the only reason
is that it only fits 80 bytes.
So you could put easily, let's say, two or three statements
in there if you hashed them with the right hash function.
But a better way to do it is why didn't you
put here a Merkle root hash?
And then you can have as many statements
as you want in the leafs of that Merkle tree, right?
In fact, here you could have I don't know,
billions of statements.
So keep in mind, you will only be
able to issue billions of statements every 10 minutes.
But you can definitely have billions
of statements in a single transaction
if you just batch them.
So now, remember the blockchain will only store the root hash.
This Merkle tree will be stored by the log server perhaps
or by a different party.
They don't have to be the same party.
Does that make sense?
Does that answer your question?
Yeah.
Right, that was my next point.
Statements can be batched with Merkle trees.
OK, so let's talk about the why since so far
we've been talking abstractly about these statements.
But what could these statements actually be.
So let's look at a secure software update.
So how do you do secure software update?
An example attack on a software update scheme
is that somebody compromises the bitcoin.org domain.
And they change the bitcoin binary to a malicious binary.
And they wait for people to install that malicious binary.
And then they steal their coins.
They steal their data.
They could execute arbitrary code.
And an example of this was sort of this binary safety
warning on the bitcoin website.
At some point, they were very concerned
that a state actor is going to mess with the DNS servers
and redirect clients to a different server
and make them download a bad bitcoin binary.
So does the attack make sense?
Does everybody see why this is possible?
You do need to sort of accept that the DNS service that we
currently have on the internet is fundamentally flawed.
It's not built for security.
So the typical defense the typical defense for this
is that the Bitcoin developers-- they sign the bitcoin
binaries with some secret key.
And they protect that secret key.
And then there's a public key associated
with the secret key that's posted on the bitcoin website,
right?
And maybe some of you'll notice that sometimes it's
also very easy to change the public key on the website,
you know, if you can just redirect
the victim to another website.
And another problem is that not everyone checks the signature.
Even if let's say you have the public key on your computer,
you know what the right public key is,
only if you're like an expert user
and you know how to use GPG, you will check that signature,
right?
And the other problem that's probably I
think a much, much bigger problem
is that for the bitcoin devs themselves,
it's very hard to detect if someone stole their secret key.
Like if I'm a state actor and I break your computer
and I steal your secret key, I will sign this bitcoin binary.
And I'll give it to let's say, one guy.
I'll give it to you.
You know, and I'll just target you individually
because I'm really--
I know you have a lot of bitcoin.
Right, and then the bitcoin devs will never find out about it
unless you know you kind of realize what happened.
Then you take your bitcoin binary
and you go with it to the bitcoin devs.
And they check the signature on it and they say, oh wow.
This is a valid signature and we never signed it.
So somebody must have stolen our secret key.
So this is really a bad--
kind of the core of the problem is
that it's hard for whoever publishes software
to detect that their secret key has
been stolen-- to detect malicious signatures
on their binaries.
Does that make sense?
So the solution, of course, is you know, publish
the signatures of bitcoin binaries in a Catena log
So now if there's a malicious binary being published
by a state actor, people won't accept that binary
unless it's in the Catena log, which
means people in the bitcoin devs will see the same binary.
Right, so let me let me show you what I mean with a picture.
So we have this Catena log for Bitcoin binaries.
And let's say, the first transaction
has a hash of the bitcoin 0.001 tar file, right,
the bitcoin binaries.
And this hash here is implicitly signed
by the signature in this input because it
signs the whole transaction.
So now if I put this hash in a Catena log,
I get a signature on it for free.
And now, if let's say, a state actor compromises the log
server, gets the secret key, he can
publish this second malicious binary in the log, right?
But what that malicious state actor will want to do,
he will want to hide this from the Bitcoin devs
and show it to all of you guys.
All right, so he'll want to equivocate.
So as a result, he will want to create a different transaction
with the right bitcoin binary there,
show this to the bitcoin devs while showing this to you guys.
All right, so the bitcoin devs would think they're good.
This is the binary they wanted to publish while you guys would
be using this malicious binary published by the state actor.
Of course this cannot happen because in Catena you cannot
equivocate.
Right?
Does everybody see this?
Right, any questions about this?
There has to be a question on this.
No?
So this mechanism is called software transparency.
It's this idea that rather than just downloading software
like a crazy person from the internet and installing it,
we should just be publishing these binaries
in a log that everybody can see, including the software vendors
that created those binaries.
So in this way, if somebody compromises a software vendor,
that vendor can notice that in the log
there's a new version for their software
that they didn't publish.
So you know, this isn't to say that it'll prevent attacks.
You know, what a state actor can do anyway
is they can just do this.
They can post this H2 prime in here,
show it to you guys including the bitcoin devs
and still screw everyone over.
But at least these attacks then go undetected anymore.
All right, so it's a step forward in that sense.
Yes, so the idea is that you have
to double spend to equivocate.
And the other example that really--
the reason I wanted to start this research
had to do with public key distribution.
So let's say we have Alice and we have Bob.
And they both have their public keys.
And I'm using this letter b to denote
Bob and his public key and the letter
a to denote Alice and her public key.
And they have their corresponding secret keys,
right?
And Alice and Bob, they want to chat securely, right?
So they want to set up a secure channel.
And there's this directory which stores their public keys.
So this guy stores Alice, pk Alice.
This guy stores Bob, pk Bob.
All right, and the directory gets updated over time,
maybe Karl, Ellen and Dan registered.
And if you have non-equivocation,
if the attacker wants to impersonate Alice and Bob,
he kind of has to put their public keys,
the fake public keys in the same directory,
which means that when Alice and Bob monitor--
they check their own public keys,
they both notice they've been impersonated, right?
So again, the idea is that you can detect.
Now how can this attacker still trick
Alice to send an encrypted message to Bob
with Bob's fake public key?
Is there a way even if you have non-equivocation?
So what's the attack?
Even I have non-equivocation and I
claim that the attacker can still
get Alice to send a fake, an encrypted message to Bob
that the attacker can decrypt.
What should the attacker do?
So pretend that we are here without the ability
to equivocate.
So the attacker cannot equivocate.
But I claimed that the attacker can still
trick Alice into sending a message to Bob
that the attacker can read.
So now it's time to see if you guys paid attention.
Somebody?
Alin?
Oh, you?
AUDIENCE: Does the attacker have to have the secret key?
ALIN TOMESCU: No, no.
He does not.
Yeah.
He does not have to have the secret key.
The attacker just creates fake public keys.
Here's a hint.
AUDIENCE: If you only changed one person to choose,
they don't know that it's a fake key so they could send it
to a fake key for a bit?
ALIN TOMESCU: Yeah, so whose person should they
attack or change the key for?
AUDIENCE: Like if they change Bob's, Alice
will still think Bob's is correct
so she'll send it to the fake Bob until Bob checks it.
ALIN TOMESCU: Exactly.
So that's exactly right.
So what's your name?
AUDIENCE: Lucas.
ALIN TOMESCU: Lucas.
So what Lucas is saying is look, even without equivocation,
I had this directory at T1.
I had another one at T2.
But at T3 and both of these had keys for Alice and Bob, right?
But at T3, Lucas is saying look, just put the fake key for Bob
here.
And that's it.
Don't put a fake key for Alice there, just for Bob.
And now when Alice looks up this public key for Bob here,
she sends a query to the directory hey,
what's Bob's public key?
She gets back b prime, which is equal to Bob pk
Bob prime, right?
Alice can't tell if that's really Bob's fake public key.
That's the reason she's using the directory
in the first place.
She wants sort of a trustworthy place to get it from.
Bob can tell if Bob looks.
But by the time Bob looks, it might be too late.
Alice might have already encrypted a message, right?
So again, what's the point of doing all of this?
It's not like you're preventing attacks, right?
And the point of doing all of this
is that you get transparency.
Bob can detect, whereas right now Bob has no hope.
In fact, so you said, a lot of you use Whatsapp.
So you know in Whatsapp, if you really
want to be sure, so I have a conversation here
with Alin Dragos.
So, Alin, do you what to to bring your phone here?
Do you have Whatsapp?
So if you really want to be sure that you're
talking to the real Alin and not some other guy,
you have to go on this encryption tab.
Can you tape this?
So my phone is black and white.
It's going through a depression phase.
I apologize.
So you have to go here and there's a code here, right?
And Alin, can you do the same thing?
You know what I'm talking about?
I really hope I don't get some weird text message right now
with the camera on the phone.
OK, so now with Alin's phone, is that the same code?
Can somebody tell me?
I can't see it.
AUDIENCE: It's hard to see.
ALIN TOMESCU: OK, so we have 27836 and yeah.
So it's the same code.
Can you see it on the camera?
So now because we have the same code here.
With this code here, it really is
a hash of my public key and Alin's public key.
And if we've got the same hash of both of our public keys,
then we know we're talking to one another.
But we won't really know that's the case until we actually
meet in person and do this exchange, right?
So what this system does instead is
it allows Alin to check his own public key
and it allows me to check my own public key.
This way if we check our own public key,
we'll always know when we're impersonated even though I
might send an encrypted message to the wrong Alin,
Alin will eventually find out.
It's a bit confusing because we're both called Alin.
So does that sort of makes sense?
Yeah?
AUDIENCE: So what do you do when you realize
that your key is the wrong key?
ALIN TOMESCU: Good question.
So that's really the crucial question.
What the hell can you do?
Right, so this directory impersonated you.
In fact, you can't even--
here's the problem.
If you're Bob here and you see this fake public key.
And you go to the New York Times and you
say hey, New York Times, this Whatsapp directory
started impersonating me.
And the New York Times can go to the directory
and say, hey directory, why did you impersonate Bob?
And the directory can say, no, I did not impersonate Bob.
Bob really just ask for a new public key.
And this was the public key that Bob gave me.
And it's just a he said, they said, kind of a thing, right?
So it's really a sort of an open research area
to figure out what's the right way to whistle blow here.
So for example, one project that we're trying to work on
is there a way to track the directory somehow
so that when he does stuff like this,
you get a publicly verifiable cryptographic proof that he
really misbehaved, right?
No, there's no cryptographic proof.
The fact that that public key is there
could have come from the malicious directory
or could have come from an honest Bob who
just changed his public key.
So yeah.
So again, a step forward but we're not there.
You know, it's just that there's much more work to do here.
And I think you also had a question.
AUDIENCE: Can't Alice just ask Bob if this is you?
ALIN TOMESCU: So that's a chicken and an egg, right?
So we have Alice.
We have Bob.
And we have the attacker.
Alice asks Bob, is this your public key?
You know, let's say, b prime.
Let me make this more readable.
So attacker, right?
So Alice asks, hey Bob.
Is this b prime your public key?
The attacker changes it.
Hey Bob, is b your public key?
The attacker-- Bob says yes.
Attacker forwards yes to Alice, right?
Remember, Bob and Alice don't have a secure channel.
That's the problem we're trying to solve with this directory,
right?
So the attacker can always man in the middle people.
Well, people like Alice and Bob.
If the attacker can man in the middle everything,
then there's really no hope.
And we're living in a very sad, sad world if that's the case.
Yeah, it actually might be the case but we'll see.
Anyway, so yeah, so I claim here that this is a step forward.
But there's still much work to do.
All right, so we get transparency.
Bob can detect.
He'll know.
He won't be able to convince anybody.
But if a lot of Bobs get compromised,
you're still like in a place where everybody
knows that something's off and will all stop using Whatsapp,
for example.
Right?
By the way, Whatsapp is a great tool.
You should continue using it.
I'm just saying it's difficult to use right
like if somebody really wants to target it,
they can play a lot of tricks to still trick you.
So yeah, so all right, we already talked about this.
And yeah, again if the director can equivocate, then you know,
all bets are off because now Bob will look in this directory,
he'll think he's not impersonated.
Alice will look in this directory.
She'll think she's not impersonated, right?
So the reason we started this research
is because I really want to--
my thesis is on building these directories that
are efficiently auditable and have a hard time impersonating
people.
So that's why we decided to look at how could you
do this with Bitcoin.
Yeah, so of course there's one project called KeyChat
that we're working on with some high school students.
And we're using the key based public key directory.
And we're witnessing it in a Catena log
so that stuff like that doesn't happen.
OK, so now let's talk about the blockchains.
In general, people nowadays like to say I
need a blockchain for x, right?
I need a blockchain for supply chain management.
I mean a blockchain for cats, for whatever.
I've heard a lot of crazy stories.
IOT, self-driving cars, blah, blah, blah.
And I think the right way to think about blockchain
is to never ever say that word unless you
use quotes, first of all.
And second of all, to understand what Byzantine state
machine replication is.
Right, and if you understand what Byzantine state machine
replication is or a Byzantine consensus,
you understand blockchain.
And you understand all the hype.
And then you can make some progress in solving problems.
In the sense that what is blockchain?
So what we're doing here is we're
doing a Byzantine consensus algorithm.
We're agreeing on a log of operations.
Right, by the way, that's what Catena does too
by piggybacking on bitcoin.
It agrees on a lot on a log of operations.
Right, but the other thing that SMR or Byzantine consensus does
is that it also allows you to agree
on the execution of the ops in that log.
So in Catena, you don't agree on the execution,
you just agree on the statements.
But there is no execution of those statements in the sense
that you can't build another bitcoin
on top of bitcoin in Catena because you can't prevent
double spends of transactions that
are Catena statements, right?
Like the Catena statements, you have to look in each one
and tell if it's correct.
So to detect a double spend in a Catena backed cryptocurrency,
you would have to download all of the transactions
and because you cannot execute it like the bitcoin miners do
and build this UTXO set.
I'm not sure this is making a lot of sense.
But let's put it another way.
In bitcoin, you have block one and then
you have block two, right?
And there's a hash pointer and there's a bunch of transactions
here, right?
And remember that what prevents me from double spending
something here--
I can have two transactions in this block
that double spend the same one here.
What prevents me from doing that is exactly this execution
stage, right?
Because in the execution stage, when I try to I execute this
first transaction and I mark this output as spent,
when I execute the second transaction,
I cannot spend that output anymore, right?
In Catena, you can't do anything like that with the statements.
You just agree on the statements.
In Catena, you would put this transaction
in the log, this one and then that one and someone would
have to detect that the second one is a bad one by actually
downloading it.
That's kind of what I'm trying to say here.
So in general, the way should you
should be thinking about blockchain
is through the lens of Byzantine consensus.
And that'll get you ahead of the curve
in this overly hyped space, right,
because it's really just this.
You're agreeing on a log of operations.
And then you're agreeing on the execution of those operations
according to some rules.
The rules in bitcoin are transaction cannot--
there cannot be two inputs spending the same output more
or less.
There's other things too.
What that gives you is it allows you
to agree on a final state which in bitcoin are
the valid transactions.
That's the final state right.
In ethereum, for example, the final state
are the valid transactions, and the account
balances of everything, and the smart contract
state for everything.
And I guess you'll learn about that later.
So you can build arbitrarily complex things
with Byzantine consensus or with blockchains.
And the high level bit, if you want to look at it another way,
is that you have a program p, right, which could be anything,
could be a cryptocurrency.
And then, instead of running this program p
on a single server s, what do you do is you
distribute it on a bunch of servers, s1, s2, s3, s4, right?
And now as a result, to mess with this program p,
it's not enough to compromise one server,
you have to compromise a bunch of them.
right?
OK so, and some of you might also
be familiar with this term permissioned blockchain.
So when you distribute this program o amongst n servers
where n is equal let's say, three f plus 1 and f
is equal to 1 in this particular case.
In a permission blockchain, this n is fixed, right?
Once you've set n to 4, it has to stay 4.
These servers have to know one another.
They need to know each other's public keys.
And only one of the servers, f is equal to 1, can fail.
If more than one server fails, then all bets are off.
Your program can start doing arbitrary things.
In particular, if your program is bitcoin,
it can start double spending.
I'm moving a little bit fast, so I'll take some questions up
until this point before I go on.
Yes?
AUDIENCE: In a permissioned blockchain,
do they use proof of work?
ALIN TOMESCU: No, you don't have to.
And that's kind of what the hype is about.
This stuff, there is like--
the first interesting paper on this
was 1976 or something like that.
So this is 40-30, 40-year-old research.
We've known how to do permissioned consensus-- we
used to call it Byzantine consensus for 30 or 40
years, right?
So there's nothing new there.
It's just that it's very useful nowadays to say blockchain then
to say consensus because then you
get 10 more million from your venture capitalist folks.
AUDIENCE: But if you don't have to do proof of work,
do they ever do proof of work?
ALIN TOMESCU: It would be such a bad idea
technically to do prefer working a permissioned consensus
algorithm.
It just-- completely unnecessary, plus probably
insecure too.
Yeah, so now the reason you do proof of work
is because in a permissionless blockchain,
this n is not fixed.
n could go, let's say, n was 4.
It could go to 8.
Then it could go to 3.
Then it could go to 12.
In other words, people are joining and leaving
as they please.
And the reason you need proof of work
in bitcoin, one way you can look at it
is that you're really turning a permissioned consensus
algorithm into a permissionless one.
And a consensus algorithm is just voting.
These n folks are just voting.
And you need 2f plus 1 votes to sort of move on, right?
And if this n changes over time, like if the n becomes bigger,
it's very easy to take over a majority of the voters.
If I can just add fake voters to a permissioned consensus
algorithm, I can just take over the consensus algorithm.
In other words, I can take over more than f nodes.
Right, so the trick there is you have
to prevent that from happening.
And the only way to prevent that is to say,
look if you're going to join and then make my n bigger,
you better do some work.
So that it's not easy for you to join
because if you're a bad guy and you want to join, you know,
you can do that very easily unless I
require you to do some work.
So that's kind of the trick in turning
a permissioned consensus algorithm
into a permissionless one.
And in fact, the way these permissioned animals work
is completely different than bitcoin.
They are much more complex.
Bitcoin is incredibly simple as a consensus algorithm.
If you ever read a consensus algorithm paper,
you know, it's a bit insane.
Also to implement, it's a bit insane.
Bitcoin is very simple to implement compared
to these other things, I mean, bitcoin is,
of course, a complex beast as well.
But you should look at let's say, practical Byzantine fault
tolerant paper, PBFT, and try and implement that.
So anyway, why am I telling you all of this?
The reason I'm telling you all of this
is because if you want to do a permissioned blockchain
for whatever reason, one way to do
that is to use your favorite Byzantine consensus algorithm.
So that would be--
let's say pbft.
This was 1999 from MIT.
So you could use that.
You could have a lot of fun implementing it.
Another thing you could do is you could take your program p
and just give it to an ethereum smart contract.
And you know, that the ethereum smart contract,
if the ethereum security assumption holds,
it will do the right thing.
It will execute your program p correctly, right?
But the other thing that you could do actually,
is you could use Catena to agree on these logs,
on the log of operations for your program.
And then you could use another 2f plus 1 servers or replicas
to do the execution stuff so that you
can agree on the final state.
And this gives you a very simple Byzantine consensus algorithm.
So remember Catena doesn't give you execution.
It allows you to agree on the log of ops.
To get the execution, you'd basically take a majority vote.
If you see you have 2f plus 1 replica servers
and if you see f plus 1 votes on a final state,
you know that's the right state because only f of them
are malicious.
So in fact, if you use Catena with 2f plus 1 replicas,
I claim that you can get sort of a permissioned blockchain that
sort of leverages the bitcoin blockchain to do the agreement
on the log of ops.
So in that sense, it's sort of a mix of a permissioned
and permissionless.
We haven't studied this like we don't know
what properties it would have.
So that's future work.
And if you don't need the execution, for example,
if all you're doing is you're agreeing
on a public key directory-- like here, there's no execution.
This directory just is supposed to stay append-only,
we have some research that allows
you to prove that every transition is
an append-only directory.
And if you only need execution, you
can just use Catena directly as I already
told you guys for the software transparency
application for the public key directory application.
And if you want to do a permissionless blockchain then,
of course, you would have to roll your own.
But you have to proceed with caution there, right?
It's not an easy thing to do.
OK, so let's conclude now.
What we did here is that we enabled these applications
to efficiently leverage bitcoin's consensus, right?
So clients can download transactions selectively
rather than full blockchain and prevent equivocation.
Right, and you only need to get 46 megabytes instead
of gigabytes from the Bitcoin blockchain.
So why does this matter?
These are just I think the three killer apps--
secure software update, public key directories--
by the way, the public directories
also are applicable to https.
So when you go on Facebook, you have
to get Facebook's public key.
The certificate authorities that sign the public keys
are often compromised.
So they're often fake search for Google,
for big companies like that.
And you might use it.
But if you have a public key directory,
Facebook and Google can immediately
notice those fake sorts.
It's a step forward.
And for more, of course, you can read our paper.
It appeared in a IEEE security and privacy 2017.
And I'll post the slide on GitHub too.
So there are links there.
Yeah so, again this is the high level overview of everything
that's previous work and our work.
The difference is very small.
And now we can also talk about other stuff.
In fact, I have more stuff to talk.
But before we do, I'd like to have a discussion with you guys
if you have questions.
So?
AUDIENCE: So could you implement Catena in the actual bitcoin
node?
Would that be something that they would want?
It seems like it would be a good feature to add?
Or is it strictly separate?
ALIN TOMESCU: Yeah, I don't think you need to.
That's the whole point, right?
The whole point of the research is
how do we use bitcoin without getting the miners to accept
a new version of bitcoin, without changing bitcoin
in any way?
So no, I don't think-- there's nothing to do really,
we're just--
we're taking bitcoin as it is and we're
piggybacking on top of it.
We couldn't change it.
I mean, there's a lot of things you can do in some sense.
But then you get a very different system.
Very different, we can talk about it more if you want.
Yeah?
AUDIENCE: You were talking about how you can use this system
to verify software binaries and how
you want this to run in SPV modes on phones So
how do you install software on the phones say,
through apple and the app store.
Is there a way to sign the binary that you actually
get from the app store?
ALIN TOMESCU: I think your question is really about how
do appstore binaries--
how do you Verify App store binaries?
It's a chicken and an egg in some sense right,
is that what you're saying?
Yeah, you're right.
Eventually, I mean in the best case,
wishful thinking would be to say that look,
the app store does this already for all of the binaries
that they publish, allowing the developers to make sure nobody
is posting malicious binaries on the app store for them.
Yes?
AUDIENCE: Who do you envision running it?
ALIN TOMESCU: So I'd really like to see Keybase run Catena,
it seems like a missed opportunity
that they don't do this.
I'm sure they have better stuff to do but it's just really
easily allow Keybase--
let's say Keybase has a mobile phone app,
it would allow that mobile phone app to verify the directory
and get much, much, much more security.
You know, no equivocation as long as nobody forks bitcoin.
Since Keybase is already publishing these digests
but they cannot be audited efficiently on a mobile phone.
I mean they can but not securely you know,
because full nodes can lie.
So there's a big problem with everything I said so far.
And nobody caught it.
So one problem is that what do you
do when you run out of funds?
Remember I said the log server starts with two bitcoins.
Let's say it issues thousands of transactions,
starts paying those $40 fees and it runs out of funds.
What do you do?
Then Yeah?
AUDIENCE: You can maybe reload the new transactions
with this transaction [INAUDIBLE]..
ALIN TOMESCU: What's your name?
AUDIENCE: Raul.
ALIN TOMESCU: Raul.
So Raul is saying you can reload.
And that's exactly right.
We just have to change the transaction format slightly.
We talk about this in the paper as well.
But just to demonstrate real quickly.
Suppose, let's take a ridiculous example which hopefully
will never happen in bitcoin.
But suppose that the Bitcoin fee is 1 bitcoin.
So now I have one bitcoin here.
And I have s1 here.
And now I have zero bitcoins here.
All right, so zero bitcoins in this output.
And maybe s2 here.
So that would be terrible.
Right, now I can't go on.
Does everybody see this as a problem?
Right, so what Raul is saying is look at another input
here and make it take coins from some other transaction
whatever, 20 bitcoins.
And now you get 20 bitcoins here.
Right, so you can easily refund transactions.
There is a bit more subtlety there in the sense
that you don't want to join logs--
let's say if you have two logs, GTX and GTX prime
for different applications.
Right, and they start issuing statements-- s1, s2.
You don't want to be able to join--
I'm sorry, s1, s1 prime--
these two locks to a single log for certain reasons right.
But this doesn't actually allow you to join them
in the sense that--
let's say you actually do this and join them.
Right, so let's say this transaction here
came from GTX prime, right?
And there was an s1 prime here.
And you did this, right?
So the problem is this is no longer a valid Catena
transaction for this log because a valid Casino
transaction-- the first input spends
the previous transactions output.
But in this chain, it's the second input that
spends the previous output.
So I cannot join logs.
And this matters for a bunch of reasons
that we don't have to go into.
Yeah, so we talked about the about batching statements.
I want to show you guys some previous work,
so how did some previous work do this since there
we seem to have a bit of time.
OK, so there are some previous work
called liar, liar, coins on fire.
Have you guys seen this?
So the idea here is that it is a really nice piece of work
and lots of people in the bitcoin community
already know about this.
And I think it was an idea before the paper or maybe not,
I'm not sure.
But Tadge has a similar idea.
So for example, suppose we have this authority.
Imagine this is a Catena block server
and it publishes a transaction which locks to bitcoin
and locks those bitcoins to that public key.
And this authority sometimes will want
to say two different things.
It will want to say s and s prime, right?
And it will sign the statements with their secret key.
But the secret key that the authority
uses to sign statements is also a bitcoin secret key.
It's the same secret key that the authority
used to lock to bitcoins, so $20,000 or something.
I'm not sure if bitcoin plummeted since yesterday,
can never be sure.
Does the setting make sense?
So I have an authority.
It issues statements just like before.
And it numbers them with i, let's say.
And we want to prevent this authority from equivocating.
We're not actually going to prevent it.
We're just going to disincentivize it in the sense
that if this authority equivocates like this
for the same statement i, what I claim
is that anybody can then steal that authority's
bitcoin because equivocating like this
reveals the secret key.
And the reason it reveals the secret key
is because the signature shares the same i here.
So how many of you guys actually, you
did cover Schnorr signatures, right?
So did Tadge talk about how to do this with Schnorr?
AUDIENCE: This is the [INAUDIBLE]..
ALIN TOMESCU: But did Tadge cover it?
AUDIENCE: Yes.
ALIN TOMESCU: OK, great.
So yeah so let's go over that less briefly.
So again, the idea is that if someone observes these two
signatures on conflicting statements for the same i,
there is this box where you can put the two signatures
and get back the secret key.
And once you have the secret key,
we can spend this transaction and get
that authority's bitcoins.
And then there's a lot of details
to get it right because you might notice
that if the authority does this, before they do this,
they might already be spending this transaction themselves
so as to prevent you from taking it.
And details on how to prevent the authority from doing that
are in those paper.
Yeah, and then you know, whoever discovered
this can spend those bitcoins.
And the idea is that this disincentivizes equivocation
by locking these funds under the secret key
of the bad authority.
But it does not prevent it.
Right, so in Catena we actually prevent equivocation.
We say, if you want to equivocate,
you better fork bitcoin.
Here they say, if you want to equivocate,
you're going to lose $20,000.
Right?
But you have to understand like this
could be a good authority that locked $20,000 here.
But the attackers are going to be-- they're not going
to care about those $20,000.
They're just going to steal the secret key,
equivocate and then the authority
is going to be left without money.
If the authority is the attacker,
then this makes sense.
But if the attacker is not the authority,
then this makes less sense because the authority sort
of risking their bitcoins on the assumption
that no attacker can compromise them, which you know,
if you could do that in computer science,
I wouldn't be sitting here talking to you guys.
OK, so now how do you do this?
So do you remember Schnorr signatures real quickly?
An easy way to do this is using Schnorr signatures.
And I think--
I could be wrong, but I think this new SegWit
update to bitcoin allows Schnorr signatures, right?
So with SegWit and with Schnorr signature,
as you can definitely do this.
And the idea is that Schnorr signature
if you recall, is just k plus h of m, g to the k s,
where s is the secret key.
Right, so this is a Schnorr signature on m, right?
How many recall this?
Right, and of course, it's not just this.
I mean, the signature is really this and this h of m,
g to the k.
So it's these two things, right.
But now I want to show you that if I sign two different things,
I can actually get s.
But if I sign them in a certain way--
so remember what I said before is I would like this authority
to sign i m and i m prime.
Right, and if the authority does this,
I claim that I can get the secret key out.
But I have to have the same i.
So we relax this in a sense that we're not
going to use i here, we're just going to use this g to the k.
So if the authority uses the same g to the k to sign,
then we can extract the secret key.
And the way we can do that is I'll just show an example,
sig1 would be k plus h of m1 g to the k.
And it'll be sig 1 and I guess the associated hash
E1 would be h m1, g to the k.
Does everybody see this?
And then sig2 would be k plus h of m 2 g to the k.
So again, oh, you guys are clearly not paying attention.
I forgot the secret key.
E2 is hash of m2 g to the k.
OK, so I'm using the same g to the k and the same k.
So now how can I extract the secret key?
Does anybody see a solution to this?
AUDIENCE: It's now just system of two equations and two
variables where k and s are the unknown variables.
ALIN TOMESCU: So I think what Rahul always saying
is that s is just sig1 minus sig2 divided by e1 minus e2.
Is that right?
Yeah.
See this, because if I subtract this from this,
I just get h m1--
I'm not going to have space here.
I get-- let's say it here--
h of m1, g to the k minus h of m2 g into the k times s.
All right?
And now I take this here in the denominator
and I simplify and I get s.
All right.
So it turns out that that's kind of the trick
that this word leverage is more or less.
The only sort of caveat here is that remember I said,
there is a position i for the statement.
But now I'm saying, there's no longer a position.
We have to use this g to the k.
And how do we map positions that are g to the k
is another trick that you have to do but you can do it.
And if you want more details, you can read the paper
and I'm sure Tadge will tell you even more details about this.
I think the lightning network also leverages
this trick in some cases.
All right now, let's talk a little bit about some attacks
if there is time.
The most interesting attack would be the generalized vector
76 attack.
So this is a screenshot from a paper.
Can everybody see this?
So the generalized vector 76 attack is very interesting.
So you have you have an attacker, right?
And remember, the goal of the attacker is to replace--
let's say this TX1 with that TX2.
It's going to show this TX1 to a merchant saying hey,
I paid you money.
And then it's going to show this TX2 to the merchant sending
the money back to himself.
So the whole trick is to fork the merchant on this side
and then to switch him back to that, right.
It's a sort of a pre-mining attack and this attack is much
easier to pull on SPV notes because what the attacker does
is--
let's see-- he works on the secret chain with TX1 in it.
And at some point, the main chain might take him over,
might win.
So the attacker kind of gives up and keeps trying.
But at some point the attacker gets ahead,
right in the second chain.
He gets ahead of the main chain.
This stuff is not posted yet.
And let's see this merchant only for some reason because they're
silly, they only need one confirmation to accept the TX1.
And for other silly reasons, this merchant
is an SPV merchant, right?
Let's draw a figure here.
So this merchant is an SPV merchant
that only needs one confirmation to accept the transaction.
So we have the attacker.
And we have let's say, the SPV merchant.
Right, and now the attacker's sent you know,
this was the main block there, let's say, this was bi.
And the attacker forked it.
He put TX1 here.
And then had a confirmation on it, right?
So he sends this chain to the merchant.
And the other miners haven't found anything yet.
Right, so the attacker is a bit ahead.
So he's pre-mining.
So far, so good.
Are you all with me?
And remember that he really just is showing block headers.
So these are not full blocks.
He's just showing block headers.
They're much smaller blocks, 80 bytes.
And the blocks are missing.
All right, so when he shows TX1, he
is just showing like a Merkle path to TX1 to the merchant.
You guys with me?
OK, so now he did this to the merchant.
And now what the attacker is going to do,
he's going to relax, sit back, and post
the TX2 the mines-- give TX2 to the miners.
Let's say the miners are here.
Hes going to post TX2 to the miners.
And he'll stop mining the attacker.
He's not going to mine anymore.
But he got the merchant to accept the payment.
And the merchant shipped the goods.
Maybe this is an online purchase.
And so now the miners, they will find the next block bi plus 1.
They'll put TX2 here.
They'll find the next block and then the next block.
And they'll take over.
Their chain will be the main chain.
And eventually this merchant will
hear about this main chain.
And he'll just see the headers, of course,
because he's an SPV merchant.
So now the SPV merchant just got double spent.
Does everybody see this?
That I just double spent the merchant?
And sort of the fundamental problem
here is that the merchant only received block headers.
So he cannot take these block headers and broadcast them
to the miners because miners don't mine on top of block
headers.
Miners mine on top of full blocks.
So this merchant cannot has no protection against this
if he's doing SPV--
if he's accepting SPV payments.
If these were full blocks, what the merchant could have done
was the following.
The merchant would have would have
received the full block here with the transaction in it,
right.
So again the attacker got ahead.
But now the merchant because he saw a block,
he's going to ship this block with TX1 to the miners
because he's a full node.
Full nodes do that.
When they hear about a block, they broadcast it.
So now the miners know about this block.
They're going to continue mining on top of it.
And in fact, the merchant will send both blocks,
right to the miners.
So now miners will continue building here.
So now the attacker has a bit of a tougher problem on his hands.
There is still a way to trick even full nodes,
even if this guy is a full node, you
can sort of leverage some timing assumptions
to still trick the full node.
And the details are in that paper over there.
But that's one way--
somebody was asking, I think you were asking Anne, right--
about SPV nodes and how they're less secure.
And this is one fundamental way in which they're less secure.
If you accept payments with SPV nodes
you're really playing with fire.
You know, you do need a sufficiently powerful attacker
who can get ahead.
But yeah.
OK, so with that I think that kind of concludes the lecture.
Any final questions?
All right, cool.
Thank you guys.