Alternative architectures for distributed ledgers
Sarah Meiklejohn (University College London)
[Diagram: companies, data consumers, data producers] (icons by parkjisun from noun project)
top ten obstacles for blockchains
10 usability
9 governance
8 comparisons
7 key management
6 agility
5 interoperability
4 scalability
3 cost-effectiveness
2 privacy
1 scalability
Bitcoin / blockchains / distributed ledgers
mining
over 4 EH/s (4 × 10^18 H/s) to achieve 7 tx/s!
full state replication
120 GB and (always) rising
full state replication
computational power throughput
RSCoin [DM NDSS 16]
                                   RSCoin
monetary supply    decentralized   centralized   centralized
ledger             decentralized   distributed   centralized
transparent?       y               y (or n)      n
pseudonyms?        y               y (or n)      n
computation        high!           low           low
[Diagram: user, bank]
s store info only within a given shard
s already reach consensus before sending info to bank
RSCoin consensus
simple adaptation of Two-Phase Commit (2PC)
[Diagram: user, service, transactions]
s check for double spending using lists of unspent transaction outputs (utxo)
signed yes vote
bundle of evidence contains yes votes from majority of s in shard
s check validity of bundle by checking for signatures from authorized s
and if satisfied they add transaction to be committed and send back receipt
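An added example (not from the talk or from the RSCoin code base) sketching the two-phase flow above in Python: vote on the input, bundle the yes votes, then commit on a valid majority. The names Node, vote, commit and pay are hypothetical, shards are plain lists, keys are constructed from node names, and HMAC-SHA256 stands in for real signatures.

```python
import hashlib, hmac

def tx_id(tx):
    return hashlib.sha256(repr(sorted(tx.items())).encode()).hexdigest()

class Node:
    """One shard member (hypothetical name). HMAC stands in for a signature."""
    def __init__(self, name, utxo):
        self.name, self.key = name, hashlib.sha256(name.encode()).digest()
        self.utxo, self.locked = set(utxo), {}

    def sign(self, msg):
        return hmac.new(self.key, msg.encode(), hashlib.sha256).hexdigest()

    def vote(self, tx):
        """Phase 1: signed yes vote only if the input is unspent and not locked to another tx."""
        tid, inp = tx_id(tx), tx["input"]
        if inp not in self.utxo or self.locked.get(inp, tid) != tid:
            return None
        self.locked[inp] = tid
        return (self.name, self.sign(f"yes|{tid}|{inp}"))

    def commit(self, tx, bundle, input_shard):
        """Phase 2: accept only valid votes from a majority of the authorized input shard."""
        tid, authorized = tx_id(tx), {n.name: n for n in input_shard}
        # Simulation shortcut: recompute the MAC; a real system verifies a public-key signature.
        valid = {name for name, sig in bundle if name in authorized and
                 hmac.compare_digest(sig, authorized[name].sign(f"yes|{tid}|{tx['input']}"))}
        if len(valid) * 2 <= len(input_shard):
            return None
        self.utxo.add(tx["output"])
        return (self.name, self.sign(f"receipt|{tid}"))

def pay(tx, input_shard, output_shard):
    """User side: collect yes votes, then forward the bundle of evidence."""
    bundle = [v for v in (n.vote(tx) for n in input_shard) if v]
    return [r for r in (n.commit(tx, bundle, input_shard) for n in output_shard) if r]

def demo():
    # Constructed sample data: shard_a owns the input, shard_b owns the outputs.
    shard_a = [Node(f"a{i}", {"coin-1"}) for i in range(3)]
    shard_b = [Node(f"b{i}", set()) for i in range(3)]
    first = pay({"input": "coin-1", "output": "coin-2"}, shard_a, shard_b)
    second = pay({"input": "coin-1", "output": "coin-3"}, shard_a, shard_b)  # double spend
    forged = shard_b[0].commit({"input": "coin-1", "output": "coin-4"},
                               [("a0", "00"), ("a1", "00")], shard_a)       # fake votes
    return len(first), len(second), forged
```

The first payment collects three receipts, the double spend collects none because no input-shard member will vote for it, and the forged bundle is rejected at the signature check.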
security properties
no double spending (if honest majority per shard)
non-repudiation
auditability (if s log their behavior)
consensus features
conceptually simple
no broadcast
s communicate only with users
no expensive hashing!
scalable
computational power throughput
consensus features
T = set of txs generated per second
Q = # s per shard
M = # s
comm. per per sec = $\frac{\sum_{tx \in T} 2(m_{tx}+1)Q}{M}$
scales infinitely as more s are added!
compared to Bitcoin's 7
each new adds 75 tx/sec
[Diagram: user, bank]
Elastico [LNZBGS CCS 16]
[Diagram labels: run PBFT; directory committee; committee member (x4); consensus committee; run PBFT]
RSCoin [DM NDSS 16]
[Diagram: user, bank]
[Diagram: user, four log servers, logs]
no unified log
no need for consensus
can (retroactively) detect inconsistencies between logs
transparency overlays [CM CCS 16]
[Diagram: system, log server, log, auditor, monitor; GenEventSet, Log, CheckEntry, Inspect, Gossip, CheckEvidence; E, BE, snap, evidence]
auditor snap (meaning snap log )
auditors (efficiently) determine if events are in the log
monitor E BE snap (meaning E log )
monitors (inefficiently) detect bad events in the log
auditors and monitors ensure consistent view of log (can output evidence of inconsistencies)
security properties
consistency: log server can't offer different views of log
non-frameability: auditor and monitor can't frame the log
accountability: log server is held to its promises
[Diagram: prover and verifier; log server, log, monitor, auditor; E, BE, snap]
Bitcoin
[Diagram: sender, miner, blockchain, receiver, log server, log, monitor, auditor; Log, CheckEntry, Inspect, Gossip, CheckEvidence; E, BE, snap, evidence]
sender and receiver don't need to store blockchain
gives rise to hybrid system ( RSCoin) with no mining
Certificate Transparency [LL13]
[Diagram: CA, website, client, log server, log, monitor, auditor; Log, CheckEntry, Inspect, Gossip, CheckEvidence; E, BE, snap, evidence]
bad certificate issuance is exposed
clients are less likely to accept bad certificates
CONIKS [MBBFF USENIX Sec 16]
[Diagram: client, client, id provider, log, auditor; Log, CheckEntry, Inspect; snap]
ARPKI [BCKPSS CCS 13]
[Diagram: CA, website, client, ILS, log, ILS, log, validator; Log, CheckEntry; snap]
[Diagram: ARPKI, CONIKS, RSCoin; axis labels: opaque, centralized, transparent, decentralized]
what is this distance?
security properties
(transparency overlays) consistency, non-frameability, accountability, privacy (of what)?
(RSCoin) no double spending, non-repudiation, auditability, privacy (of what)?
[Diagram: ARPKI, CONIKS, RSCoin; axis labels: opaque, centralized, transparent, decentralized]
what is this distance?
what security properties to look for?
Thanks! Any questions?