Distributed ledgers: how, why, and why not?
Sarah Meiklejohn (University College London)
2
data consumers data producers
company
(icons by parkjisun from noun project)
company
company
company
3
data consumers data producers
(icons by parkjisun from noun project)
4
10 usability9 governance8 comparisons7 key management6 agility5 interoperability4 scalability3 cost-effectiveness2 privacy1 scalability
top ten obstacles for blockchains
5
1 scalability
10 usability9 governance8 comparisons7 key management6 agility5 interoperability4 scalability3 cost-effectiveness2 privacy
6
Bitcoin / blockchains / distributed ledgers
“mining”
7
over 4 EH/s (4 × 1018 H/s) to achieve 7 tx/s!
8
full state replication
9
120 GB and (always) rising
10
full state replication
↑ computational power ⇒ ↓ throughput
11
monetary supplyledger centraldistributedecentral
decentral centralcentral
transparent? y y (or n) n
pseudonyms? y y (or n) n
computation high! low low
RSCoin
RSCoin [DM NDSS’16]
12
mintettemintette
mintette mintette
bank
user
mintettes already reachconsensus before sending info to bank
mintettes store info onlywithin a given shard
13
RSCoin consensus
mintette1
mintette1
user
1 2tx:
✓
3
4 service
mintette1
✓
1
21
mintette2
mintette2
mintette2
1tx ✓✓2
tx
tx
simple adaptation of Two-Phase Commit (2PC)
14
user
1 2tx:
service1
21
t r a n s a c t i o n smintettemintettemintette
mintettemintettemintettemintettemintettemintette
mintettemintettemintettemintettemintettemintette
mintettemintettemintette
1 : 2 :
15
mintette1
mintette1
user
1 2tx:
mintette1
1
service1
21
mintettes check for double spending…
…using lists of unspent transaction outputs (utxo)
16
mintette1
mintette1
user
1 2tx:
✓ mintette1
✓
12
service1
21
signed ‘yes’ vote
17
mintette1
mintette1
user
1 2tx:
✓
3
service
mintette1
✓
1
21
mintette2
mintette2
mintette2
1tx ✓✓2
“bundle of evidence” contains ‘yes’ votes from majority of mintettes in shard
mintettes check validity of bundle by checkingfor signatures from authorized mintettes…
18
mintette1
mintette1
user
1 2tx:
✓
3
4 service
mintette1
✓
1
21
mintette2
mintette2
mintette2
1tx ✓✓2
tx
tx
…and if satisfied they add transaction to be committed and send back receipt
19
security properties
no double spending (if honest majority per shard)non-repudiationauditability (if mintettes log their behavior)
20
consensus features
conceptually simpleno broadcastmintettes communicate only with usersno expensive hashing!scalable
↑ computational power ⇒ ↑ throughput
21
T = set of txs generated per second Q = # mintettes per shard
M = # mintettes
comm. per mintette per sec = ∑tx∈T 2(mtx+1)Q
scales infinitely as more mintettes are added!
M
consensus features
22
each new mintette adds≈ 75 tx/sec
compared to Bitcoin’s 7
23
mintettemintette
mintette mintette
bank
user
24
Elastico [LNZBGS CCS’16]
committee member
consensus committee
directory committee
committee member
committee member
committee member
run PBFT
run PBFT
25
Elastico [LNZBGS CCS’16]
26
1 scalability
10 usability9 governance8 comparisons7 key management6 agility5 interoperability4 scalability3 cost-effectiveness2 privacy
27
8 comparisons
1 scalability
10 usability9 governance
7 key management6 agility5 interoperability4 scalability3 cost-effectiveness2 privacy
28
mintettemintette
mintette mintette
bank
RSCoin [DM NDSS’16]user
29
mintettemintette
mintette mintette
user
30
user
log server log
log server log log server log
log server log
no unified log ⇒ no need for consensuscan (retroactively) detect inconsistencies between logs
31
system
Log
CheckEntry
GenEventSet
Inspect
Gossip evidence
log server log
monitor snapBEE auditor snap
CheckEvidence
transparency overlays [CM CCS’16]
32
system
LogGenEventSetGenEventSet
log server log
log server log log server log
log server log
33
auditors (efficiently) determine if events are in the log
system
Log
CheckEntry
GenEventSet
(meaning |snap| ≪ |log|)
auditor snap
log server log
34
monitors (inefficiently) detect bad events in the log
system
Log
CheckEntry
GenEventSet
Inspect
log server log
auditor snap monitor snapBEE
(meaning |E| ≈ |log|)
35
auditors and monitors ensure consistent view of log
system
Log
CheckEntry
GenEventSet
Inspect
Gossip evidence
log server log
monitor snapBEE auditor snap
CheckEvidence
(can output evidence of inconsistencies)
36
security properties
consistency: log server can’t offer different views of lognon-frameability: auditor and monitor can’t frame the logaccountability: log server is held to its promises
37
log server log
monitor snapBEE auditor snap
prover verifier
? ?
38
log server log
monitor snapBEE auditor snap
prover verifier
? ?
39
Log
CheckEntry
Inspect
Gossip evidence
log server log
monitor snapBEE auditor snap
CheckEvidence
Bitcoin
sender receiverminer blockchain
sender and receiver don’t need to store blockchaingives rise to hybrid system (≈RSCoin) with no mining
40
Log
CheckEntry
Inspect
Gossip evidence
log server log
monitor snapBEE auditor snap
CheckEvidence
Certificate Transparency [LL13]CA clientwebsite
bad certificate issuance is exposed⇒ clients are less likely to accept bad certificates
(icon by parkjisun from noun project)
41
Log
CheckEntry
id provider log
auditor snap
CONIKS [MBBFF USENIX Sec’16]client client
(icon by parkjisun from noun project)
Inspect
42
Log
CheckEntry
ILS log
validator snap
ARPKI [BCKPSS CCS’13]CA clientwebsite
(icon by parkjisun from noun project)
ILS log
43
RSCoin
opaque centralized
transparent decentralized
what is this distance?
CONIKSARPKI
44
security properties
consistencynon-frameabilityaccountability
no double spendingnon-repudiationauditability
⇔⇔⇔
privacy (of what)?privacy (of what)?
(transparency overlays) (RSCoin)
45
RSCoin
opaque centralized
transparent decentralized
what is this distance?
what security properties to look for?
CONIKSARPKI
46
8 comparisons
1 scalability
10 usability9 governance
7 key management6 agility5 interoperability4 scalability3 cost-effectiveness2 privacy
47
1 scalability
10 usability9 governance
7 key management6 agility5 interoperability4 scalability3 cost-effectiveness2 privacy
Thanks! Any questions?
8 comparisons