-
Sharding SMR with Optimal-size Shards for Highly Scalable Blockchains
Authors:
Jianting Zhang,
Zhongtang Luo,
Raghavendra Ramesh,
Aniket Kate
Abstract:
Sharding can enhance blockchain scalability by dividing nodes into multiple shards to handle transactions in parallel. However, the size-security dilemma where a shard must be large enough to ensure its security constrains the overall number of shards, rendering blockchain sharding low parallelism and poor scalability.
This paper presents Arete, an optimally scalable blockchain sharding architec…
▽ More
Sharding can enhance blockchain scalability by dividing nodes into multiple shards to handle transactions in parallel. However, the size-security dilemma where a shard must be large enough to ensure its security constrains the overall number of shards, rendering blockchain sharding low parallelism and poor scalability.
This paper presents Arete, an optimally scalable blockchain sharding architecture designed to resolve the dilemma based on a key observation: higher (Byzantine) fault-resilient shards allow the creation of more secure shards. The main idea of Arete, therefore, is to improve the security resilience/threshold of shards by sharding the blockchain's State Machine Replication (SMR) process itself. First, Arete decouples the three steps in SMR, leading to a single ordering shard performing the ordering task and multiple processing shards performing the dispersing and execution tasks. This frees processing shards from running consensus, allowing up to half compromised nodes per processing shard. Second, Arete considers safety and liveness against Byzantine failures separately to improve the safety threshold further while tolerating temporary liveness violations in a controlled manner. Apart from the creation of more optimal-size shards, such a deconstructed SMR scheme also empowers us to devise a novel certify-order-execute model to fully parallelize transaction handling, thereby significantly improving the performance of sharded blockchain systems. We implement Arete and evaluate it on a geo-distributed AWS environment. Our results demonstrate that Arete outperforms the state-of-the-art sharding protocol in terms of transaction throughput and cross-shard confirmation latency without compromising on intra-shard confirmation latency.
△ Less
Submitted 12 June, 2024;
originally announced June 2024.
-
Delphi: Efficient Asynchronous Approximate Agreement for Distributed Oracles
Authors:
Akhil Bandarupalli,
Adithya Bhat,
Saurabh Bagchi,
Aniket Kate,
Chen-Da Liu-Zhang,
Michael K. Reiter
Abstract:
Agreement protocols are crucial in various emerging applications, spanning from distributed (blockchains) oracles to fault-tolerant cyber-physical systems. In scenarios where sensor/oracle nodes measure a common source, maintaining output within the convex range of correct inputs, known as convex validity, is imperative. Present asynchronous convex agreement protocols employ either randomization,…
▽ More
Agreement protocols are crucial in various emerging applications, spanning from distributed (blockchains) oracles to fault-tolerant cyber-physical systems. In scenarios where sensor/oracle nodes measure a common source, maintaining output within the convex range of correct inputs, known as convex validity, is imperative. Present asynchronous convex agreement protocols employ either randomization, incurring substantial computation overhead, or approximate agreement techniques, leading to high $\mathcal{\tilde{O}}(n^3)$ communication for an $n$-node system.
This paper introduces Delphi, a deterministic protocol with $\mathcal{\tilde{O}}(n^2)$ communication and minimal computation overhead. Delphi assumes that honest inputs are bounded, except with negligible probability, and integrates agreement primitives from literature with a novel weighted averaging technique. Experimental results highlight Delphi's superior performance, showcasing a significantly lower latency compared to state-of-the-art protocols. Specifically, for an $n=160$-node system, Delphi achieves an 8x and 3x improvement in latency within CPS and AWS environments, respectively.
△ Less
Submitted 7 May, 2024; v1 submitted 3 May, 2024;
originally announced May 2024.
-
Constraints on Triton atmospheric evolution from occultations: 1989-2022
Authors:
B. Sicardy,
A. Tej,
A. R. Gomes-Junior,
F. D. Romanov,
T. Bertrand,
N. M. Ashok,
E. Lellouch,
B. E. Morgado,
M. Assafin,
J. Desmars,
J. I. B. Camargo,
Y. Kilic,
J. L. Ortiz,
R. Vieira-Martins,
F. Braga-Ribas,
J. P. Ninan,
B. C. Bhatt,
S. Pramod Kumar,
V. Swain,
S. Sharma,
A. Saha,
D. K. Ojha,
G. Pawar,
S. Deshmukh,
A. Deshpande
, et al. (27 additional authors not shown)
Abstract:
Context - Around the year 2000, Triton's south pole experienced an extreme summer solstice that occurs every about 650 years, when the subsolar latitude reached about 50°. Bracketing this epoch, a few occultations probed Triton's atmosphere in 1989, 1995, 1997, 2008 and 2017. A recent ground-based stellar occultation observed on 6 October 2022 provides a new measurement of Triton's atmospheric pre…
▽ More
Context - Around the year 2000, Triton's south pole experienced an extreme summer solstice that occurs every about 650 years, when the subsolar latitude reached about 50°. Bracketing this epoch, a few occultations probed Triton's atmosphere in 1989, 1995, 1997, 2008 and 2017. A recent ground-based stellar occultation observed on 6 October 2022 provides a new measurement of Triton's atmospheric pressure which is presented here.
Aims- The goal is to constrain the Volatile Transport Models (VTMs) of Triton's atmosphere that is basically in vapor pressure equilibrium with the nitrogen ice at its surface.
Methods - Fits to the occultation light curves yield Triton's atmospheric pressure at the reference radius 1400 km, from which the surface pressure is induced.
Results - The fits provide a pressure p_1400= 1.211 +/- 0.039 microbar at radius 1400 km (47 km altitude), from which a surface pressure of p_surf= 14.54 +/- 0.47 microbar is induced (1-sigma error bars). To within error bars, this is identical to the pressure derived from the previous occultation of 5 October 2017, p_1400 = 1.18 +/- 0.03 microbar and p_surf= 14.1 +/- 0.4 microbar, respectively. Based on recent models of Triton's volatile cycles, the overall evolution over the last 30 years of the surface pressure is consistent with N2 condensation taking place in the northern hemisphere. However, models typically predict a steady decrease in surface pressure for the period 2005-2060, which is not confirmed by this observation. Complex surface-atmosphere interactions, such as ice albedo runaway and formation of local N2 frosts in the equatorial regions of Triton could explain the relatively constant pressure between 2017 and 2022.
△ Less
Submitted 4 February, 2024;
originally announced February 2024.
-
Front-running Attack in Sharded Blockchains and Fair Cross-shard Consensus
Authors:
Jianting Zhang,
Wuhui Chen,
Sifu Luo,
Tiantian Gong,
Zicong Hong,
Aniket Kate
Abstract:
Sharding is a prominent technique for scaling blockchains. By dividing the network into smaller components known as shards, a sharded blockchain can process transactions in parallel without introducing inconsistencies through the coordination of intra-shard and cross-shard consensus protocols. However, we observe a critical security issue with sharded systems: transaction ordering manipulations ca…
▽ More
Sharding is a prominent technique for scaling blockchains. By dividing the network into smaller components known as shards, a sharded blockchain can process transactions in parallel without introducing inconsistencies through the coordination of intra-shard and cross-shard consensus protocols. However, we observe a critical security issue with sharded systems: transaction ordering manipulations can occur when coordinating intra-shard and cross-shard consensus protocols, leaving the system vulnerable to attack. Specifically, we identify a novel security issue known as finalization fairness, which can be exploited through a front-running attack. This attack allows an attacker to manipulate the execution order of transactions, even if the victim's transaction has already been processed and added to the blockchain by a fair intra-shard consensus.
To address the issue, we offer Haechi, a novel cross-shard protocol that is immune to front-running attacks. Haechi introduces an ordering phase between transaction processing and execution, ensuring that the execution order of transactions is the same as the processing order and achieving finalization fairness. To accommodate different consensus speeds among shards, Haechi incorporates a finalization fairness algorithm to achieve a globally fair order with minimal performance loss. By providing a global order, Haechi ensures strong consistency among shards, enabling better parallelism in handling conflicting transactions across shards. These features make Haechi a promising solution for supporting popular smart contracts in the real world. To evaluate Haechi's performance, we implemented the protocol using Tendermint and conducted extensive experiments on a geo-distributed AWS environment. Our results demonstrate that Haechi achieves finalization fairness with little performance sacrifice compared to existing cross-shard consensus protocols.
△ Less
Submitted 8 September, 2023; v1 submitted 9 June, 2023;
originally announced June 2023.
-
DORA: Distributed Oracle Agreement with Simple Majority
Authors:
Prasanth Chakka,
Saurabh Joshi,
Aniket Kate,
Joshua Tobkin,
David Yang
Abstract:
Oracle networks feeding off-chain information to a blockchain are required to solve a distributed agreement problem since these networks receive information from multiple sources and at different times. We make a key observation that in most cases, the value obtained by oracle network nodes from multiple information sources are in close proximity. We define a notion of agreement distance and lever…
▽ More
Oracle networks feeding off-chain information to a blockchain are required to solve a distributed agreement problem since these networks receive information from multiple sources and at different times. We make a key observation that in most cases, the value obtained by oracle network nodes from multiple information sources are in close proximity. We define a notion of agreement distance and leverage the availability of a state machine replication (SMR) service to solve this distributed agreement problem with an honest simple majority of nodes instead of the conventional requirement of an honest super majority of nodes. Values from multiple nodes being in close proximity, therefore, forming a coherent cluster, is one of the keys to its efficiency. Our asynchronous protocol also embeds a fallback mechanism if the coherent cluster formation fails.
Through simulations using real-world exchange data from seven prominent exchanges, we show that even for very small agreement distance values, the protocol would be able to form coherent clusters and therefore, can safely tolerate up to $1/2$ fraction of Byzantine nodes. We also show that, for a small statistical error, it is possible to choose the size of the oracle network to be significantly smaller than the entire system tolerating up to a $1/3$ fraction of Byzantine failures. This allows the oracle network to operate much more efficiently and horizontally scale much better.
△ Less
Submitted 11 May, 2023; v1 submitted 5 May, 2023;
originally announced May 2023.
-
EESMR: Energy Efficient BFT-SMR for the masses
Authors:
Adithya Bhat,
Akhil Bandarupalli,
Manish Nagaraj,
Saurabh Bagchi,
Aniket Kate,
Michael K. Reiter
Abstract:
Modern Byzantine Fault-Tolerant State Machine Replication (BFT-SMR) solutions focus on reducing communication complexity, improving throughput, or lowering latency. This work explores the energy efficiency of BFT-SMR protocols. First, we propose a novel SMR protocol that optimizes for the steady state, i.e., when the leader is correct. This is done by reducing the number of required signatures per…
▽ More
Modern Byzantine Fault-Tolerant State Machine Replication (BFT-SMR) solutions focus on reducing communication complexity, improving throughput, or lowering latency. This work explores the energy efficiency of BFT-SMR protocols. First, we propose a novel SMR protocol that optimizes for the steady state, i.e., when the leader is correct. This is done by reducing the number of required signatures per consensus unit and the communication complexity by order of the number of nodes n compared to the state-of-the-art BFT-SMR solutions. Concretely, we employ the idea that a quorum (collection) of signatures on a proposed value is avoidable during the failure-free runs. Second, we model and analyze the energy efficiency of protocols and argue why the steady-state needs to be optimized. Third, we present an application in the cyber-physical system (CPS) setting, where we consider a partially connected system by optionally leveraging wireless multicasts among neighbors. We analytically determine the parameter ranges for when our proposed protocol offers better energy efficiency than communicating with a baseline protocol utilizing an external trusted node. We present a hypergraph-based network model and generalize previous fault tolerance results to the model. Finally, we demonstrate our approach's practicality by analyzing our protocol's energy efficiency through experiments on a CPS test bed. In particular, we observe as high as 64% energy savings when compared to the state-of-the-art SMR solution for n=10 settings using BLE.
△ Less
Submitted 14 October, 2023; v1 submitted 11 April, 2023;
originally announced April 2023.
-
Order but Not Execute in Order
Authors:
Tiantian Gong,
Aniket Kate
Abstract:
This work aims to address the general order manipulation issue in blockchain-based decentralized exchanges (DEX) by exploring the benefits of employing a novel combination of order-fair atomic broadcast (of-ABC) mechanisms for transaction ordering and frequent batch auction (FBA) for breaking the order while executing those transactions. In of-ABC, transactions submitted to a sufficient number of…
▽ More
This work aims to address the general order manipulation issue in blockchain-based decentralized exchanges (DEX) by exploring the benefits of employing a novel combination of order-fair atomic broadcast (of-ABC) mechanisms for transaction ordering and frequent batch auction (FBA) for breaking the order while executing those transactions. In of-ABC, transactions submitted to a sufficient number of blockchain validators are ordered before or along with later transactions. FBA then executes transactions with a uniform price double auction that prioritizes price instead of transaction order within the same committed batch.
To demonstrate the merits of our order-but-not-execute-in-order design, we compare the welfare loss and liquidity provision in DEX under FBA and its continuous counterpart, the Continuous Limit Order Book (CLOB). Assuming that the exchange is realized over an of-ABC protocol, we find that (1) FBA always achieves better social welfare when no party is privately informed about asset valuations. Even otherwise, FBA incurs less welfare loss compared to CLOB when (2) price takers and public information reflecting asset value changes arrives sufficiently frequently compared to private information, or (3) the priority fees are small, or (4) the market is more balanced on both sides. Our empirical analysis on dYdX transactions indicates additional $8\%-83\%$ costs when transactions are executed continuously. Further, our findings also indicate that liquidity provision is better under FBA under similar conditions.
△ Less
Submitted 27 September, 2023; v1 submitted 2 February, 2023;
originally announced February 2023.
-
Last Mile of Blockchains: RPC and Node-as-a-service
Authors:
Zhongtang Luo,
Rohan Murukutla,
Aniket Kate
Abstract:
While much research focuses on different methods to secure blockchain, information on the chain needs to be accessed by end-users to be useful. This position paper surveys different ways that end-users may access blockchains. We observe that between the two extremes of running a full node and fully utilizing a trusted third-party service, many solutions regarding light nodes are emerging. We analy…
▽ More
While much research focuses on different methods to secure blockchain, information on the chain needs to be accessed by end-users to be useful. This position paper surveys different ways that end-users may access blockchains. We observe that between the two extremes of running a full node and fully utilizing a trusted third-party service, many solutions regarding light nodes are emerging. We analyze these solutions based on three basic properties of web communication: integrity, availability and privacy. We conclude that currently, the best way to access a blockchain while maintaining these three properties is still to run a full node. We consider it essential that future blockchain accessibility services should be built while considering these three expectations.
△ Less
Submitted 6 December, 2022;
originally announced December 2022.
-
The Danger of Small Anonymity Sets in Privacy-Preserving Payment Systems
Authors:
Christiane Kuhn,
Aniket Kate,
Thorsten Strufe
Abstract:
Unlike suggested during their early years of existence, Bitcoin and similar cryptocurrencies in fact offer significantly less privacy as compared to traditional banking. A myriad of privacy-enhancing extensions to those cryptocurrencies as well as several clean-slate privacy-protecting cryptocurrencies have been proposed in turn. To convey a better understanding of the protection of popular design…
▽ More
Unlike suggested during their early years of existence, Bitcoin and similar cryptocurrencies in fact offer significantly less privacy as compared to traditional banking. A myriad of privacy-enhancing extensions to those cryptocurrencies as well as several clean-slate privacy-protecting cryptocurrencies have been proposed in turn. To convey a better understanding of the protection of popular design decisions, we investigate expected anonymity set sizes in an initial simulation study. The large variation of expected transaction values yields soberingly small effective anonymity sets for protocols that leak transaction values. We hence examine the effect of preliminary, intuitive strategies for merging groups of payments into larger anonymity sets, for instance by choosing from pre-specified value classes. The results hold promise, as they indeed induce larger anonymity sets at comparatively low cost, depending on the corresponding strategy
△ Less
Submitted 20 April, 2022;
originally announced April 2022.
-
More is Merrier: Relax the Non-Collusion Assumption in Multi-Server PIR
Authors:
Tiantian Gong,
Ryan Henry,
Alexandros Psomas,
Aniket Kate
Abstract:
A long line of research on secure computation has confirmed that anything that can be computed, can be computed securely using a set of non-colluding parties. Indeed, this non-collusion assumption makes a number of problems solvable, as well as reduces overheads and bypasses computational hardness results, and it is pervasive across different privacy-enhancing technologies. However, it remains hig…
▽ More
A long line of research on secure computation has confirmed that anything that can be computed, can be computed securely using a set of non-colluding parties. Indeed, this non-collusion assumption makes a number of problems solvable, as well as reduces overheads and bypasses computational hardness results, and it is pervasive across different privacy-enhancing technologies. However, it remains highly susceptible to covert, undetectable collusion among computing parties. This work stems from an observation that if the number of available computing parties is much higher than the number of parties required to perform a secure computation task, collusion attempts in privacy-preserving computations could be deterred.
We focus on the prominent privacy-preserving computation task of multi-server $1$-private information retrieval (PIR) that inherently assumes no pair-wise collusion. For PIR application scenarios, such as those for blockchain light clients, where the available servers can be plentiful, a single server's deviating action is not tremendously beneficial to itself. We can make deviations undesired via small amounts of rewards and penalties, thus significantly raising the bar for collusion resistance. We design and implement a collusion mitigation mechanism on a public bulletin board with payment execution functions, considering only rational and malicious parties with no honest non-colluding servers. Privacy protection is offered for an extended period after the query executions.
△ Less
Submitted 4 December, 2023; v1 submitted 19 January, 2022;
originally announced January 2022.
-
HACCLE: Metaprogramming for Secure Multi-Party Computation -- Extended Version
Authors:
Yuyan Bao,
Kirshanthan Sundararajah,
Raghav Malik,
Qianchuan Ye,
Christopher Wagner,
Nouraldin Jaber,
Fei Wang,
Mohammad Hassan Ameri,
Donghang Lu,
Alexander Seto,
Benjamin Delaware,
Roopsha Samanta,
Aniket Kate,
Christina Garman,
Jeremiah Blocki,
Pierre-David Letourneau,
Benoit Meister,
Jonathan Springer,
Tiark Rompf,
Milind Kulkarni
Abstract:
Cryptographic techniques have the potential to enable distrusting parties to collaborate in fundamentally new ways, but their practical implementation poses numerous challenges. An important class of such cryptographic techniques is known as Secure Multi-Party Computation (MPC). Develo** Secure MPC applications in realistic scenarios requires extensive knowledge spanning multiple areas of crypto…
▽ More
Cryptographic techniques have the potential to enable distrusting parties to collaborate in fundamentally new ways, but their practical implementation poses numerous challenges. An important class of such cryptographic techniques is known as Secure Multi-Party Computation (MPC). Develo** Secure MPC applications in realistic scenarios requires extensive knowledge spanning multiple areas of cryptography and systems. And while the steps to arrive at a solution for a particular application are often straightforward, it remains difficult to make the implementation efficient, and tedious to apply those same steps to a slightly different application from scratch. Hence, it is an important problem to design platforms for implementing Secure MPC applications with minimum effort and using techniques accessible to non-experts in cryptography. In this paper, we present the HACCLE (High Assurance Compositional Cryptography: Languages and Environments) toolchain, specifically targeted to MPC applications. HACCLE contains an embedded domain-specific language Harpoon, for software developers without cryptographic expertise to write MPC-based programs, and uses Lightweight Modular Staging (LMS) for code generation. Harpoon programs are compiled into acyclic circuits represented in HACCLE's Intermediate Representation (HIR) that serves as an abstraction over different cryptographic protocols such as secret sharing, homomorphic encryption, or garbled circuits. Implementations of different cryptographic protocols serve as different backends of our toolchain. The extensible design of HIR allows cryptographic experts to plug in new primitives and protocols to realize computation. And the use of standard metaprogramming techniques lowers the development effort significantly.
△ Less
Submitted 30 September, 2021; v1 submitted 3 September, 2020;
originally announced September 2020.
-
Empirical Understanding of Deletion Privacy: Experiences, Expectations, and Measures
Authors:
Mohsen Minaei,
Mainack Mondal,
Aniket Kate
Abstract:
Social platforms are heavily used by individuals to share their thoughts and personal information. However, due to regret over time about posting inappropriate social content, embarrassment, or even life or relationship changes, some past posts might also pose serious privacy concerns for them. To cope with these privacy concerns, social platforms offer deletion mechanisms that allow users to remo…
▽ More
Social platforms are heavily used by individuals to share their thoughts and personal information. However, due to regret over time about posting inappropriate social content, embarrassment, or even life or relationship changes, some past posts might also pose serious privacy concerns for them. To cope with these privacy concerns, social platforms offer deletion mechanisms that allow users to remove their contents. Quite naturally, these deletion mechanisms are really useful for removing past posts as and when needed. However, these same mechanisms also leave the users potentially vulnerable to attacks by adversaries who specifically seek the users' damaging content and exploit the act of deletion as a strong signal for identifying such content. Unfortunately, today user experiences and contextual expectations regarding such attacks on deletion privacy and deletion privacy in general are not well understood.
To that end, in this paper, we conduct a user survey-based exploration involving 191 participants to unpack their prior deletion experiences, their expectations of deletion privacy, and how effective they find the current deletion mechanisms. We find that more than 80% of the users have deleted at least a social media post, and users self-reported that, on average, around 35% of their deletions happened after a week of posting. While the participants identified the irrelevancy (due to time passing) as the main reason for content removal, most of them believed that deletions indicate that the deleted content includes some damaging information to the owner. Importantly, the participants are significantly more concerned about their deletions being noticed by large-scale data collectors (e.g., the government) than individuals from their social circle. Finally, the participants felt that popular deletion mechanisms are not very effective in protecting the privacy of those deletions.
△ Less
Submitted 4 October, 2021; v1 submitted 25 August, 2020;
originally announced August 2020.
-
Towards Overcoming the Undercutting Problem
Authors:
Tiantian Gong,
Mohsen Minaei,
Wenhai Sun,
Aniket Kate
Abstract:
Mining processes of Bitcoin and similar cryptocurrencies are currently incentivized with voluntary transaction fees and fixed block rewards which will halve gradually to zero. In the setting where optional and arbitrary transaction fee becomes the remaining incentive, Carlsten et al.\ [CCS~2016] find that an undercutting attack can become the equilibrium strategy for miners. In undercutting, the a…
▽ More
Mining processes of Bitcoin and similar cryptocurrencies are currently incentivized with voluntary transaction fees and fixed block rewards which will halve gradually to zero. In the setting where optional and arbitrary transaction fee becomes the remaining incentive, Carlsten et al.\ [CCS~2016] find that an undercutting attack can become the equilibrium strategy for miners. In undercutting, the attacker deliberately forks an existing chain by leaving wealthy transactions unclaimed to attract petty complaint miners to its fork. We observe that two simplifying assumptions in [CCS~2016] of fees arriving at fixed rates and miners collecting {\em all} accumulated fees regardless of block size limit are often infeasible in practice and find that they are inaccurately inflating the profitability of undercutting. Studying Bitcoin and Monero blockchain data, we find that the fees deliberately left out by an undercutter may not be attractive to other miners (hence to the attacker itself): the deliberately left out transactions may not fit into a new block without "squeezing out" some other to-be transactions, and thus claimable fees in the next round cannot be raised arbitrarily.
This work views undercutting and shifting among chains rationally as mining strategies of rational miners. We model profitability of undercutting strategy with block size limit present, which bounds the claimable fees in a round and gives rise to a pending (cushion) transaction set. In the proposed model, we first identify the conditions necessary to make undercutting profitable. We then present an easy-to-deploy defense against undercutting by selectively assembling transactions into the new block to invalidate the identified conditions. Under a typical setting with undercutters present, applying this avoidance technique is a Nash Equilibrium. Finally, we complement the above analytical results with experiments.
△ Less
Submitted 13 July, 2022; v1 submitted 22 July, 2020;
originally announced July 2020.
-
Deceptive Deletions for Protecting Withdrawn Posts on Social Platforms
Authors:
Mohsen Minaei,
S Chandra Mouli,
Mainack Mondal,
Bruno Ribeiro,
Aniket Kate
Abstract:
Over-sharing poorly-worded thoughts and personal information is prevalent on online social platforms. In many of these cases, users regret posting such content. To retrospectively rectify these errors in users' sharing decisions, most platforms offer (deletion) mechanisms to withdraw the content, and social media users often utilize them. Ironically and perhaps unfortunately, these deletions make…
▽ More
Over-sharing poorly-worded thoughts and personal information is prevalent on online social platforms. In many of these cases, users regret posting such content. To retrospectively rectify these errors in users' sharing decisions, most platforms offer (deletion) mechanisms to withdraw the content, and social media users often utilize them. Ironically and perhaps unfortunately, these deletions make users more susceptible to privacy violations by malicious actors who specifically hunt post deletions at large scale. The reason for such hunting is simple: deleting a post acts as a powerful signal that the post might be damaging to its owner. Today, multiple archival services are already scanning social media for these deleted posts. Moreover, as we demonstrate in this work, powerful machine learning models can detect damaging deletions at scale.
Towards restraining such a global adversary against users' right to be forgotten, we introduce Deceptive Deletion, a decoy mechanism that minimizes the adversarial advantage. Our mechanism injects decoy deletions, hence creating a two-player minmax game between an adversary that seeks to classify damaging content among the deleted posts and a challenger that employs decoy deletions to masquerade real damaging deletions. We formalize the Deceptive Game between the two players, determine conditions under which either the adversary or the challenger provably wins the game, and discuss the scenarios in-between these two extremes. We apply the Deceptive Deletion mechanism to a real-world task on Twitter: hiding damaging tweet deletions. We show that a powerful global adversary can be beaten by a powerful challenger, raising the bar significantly and giving a glimmer of hope in the ability to be really forgotten on social platforms.
△ Less
Submitted 28 May, 2020;
originally announced May 2020.
-
Reparo: Publicly Verifiable Layer to Repair Blockchains
Authors:
Sri Aravinda Krishnan Thyagarajan,
Adithya Bhat,
Bernardo Magri,
Daniel Tschudi,
Aniket Kate
Abstract:
Although blockchains aim for immutability as their core feature, several instances have exposed the harms with perfect immutability. The permanence of illicit content inserted in Bitcoin poses a challenge to law enforcement agencies like Interpol, and millions of dollars are lost in buggy smart contracts in Ethereum. A line of research then spawned on Redactable blockchains with the aim of solving…
▽ More
Although blockchains aim for immutability as their core feature, several instances have exposed the harms with perfect immutability. The permanence of illicit content inserted in Bitcoin poses a challenge to law enforcement agencies like Interpol, and millions of dollars are lost in buggy smart contracts in Ethereum. A line of research then spawned on Redactable blockchains with the aim of solving the problem of redacting illicit contents from both permissioned and permissionless blockchains. However, all the existing proposals follow the build-new-chain approach for redactions, and cannot be integrated with existing systems like Bitcoin and Ethereum.
We present Reparo, a generic protocol that acts as a publicly verifiable layer on top of any blockchain to perform repairs, ranging from fixing buggy contracts to removing illicit contents from the chain. Reparo facilitates additional functionalities for blockchains while maintaining the same provable security guarantee; thus, Reparo can be integrated with existing blockchains and start performing repairs on the pre-existent data. Any system user may propose a repair and a deliberation process ensues resulting in a decision that complies with the repair policy of the chain and is publicly verifiable.
Our Reparo layer can be easily tailored to different consensus requirements, does not require heavy cryptographic machinery and can, therefore, be efficiently instantiated in any permission-ed or -less setting. We demonstrate it by giving efficient instantiations of Reparo on top of Ethereum (with PoS and PoW), Bitcoin, and Cardano. Moreover, we evaluate Reparo with Ethereum mainnet and show that the cost of fixing several prominent smart contract bugs is almost negligible. For instance, the cost of repairing the prominent Parity Multisig wallet bug with Reparo is as low as 0.000000018% of the Ethers that can be retrieved after the fix.
△ Less
Submitted 10 March, 2021; v1 submitted 2 January, 2020;
originally announced January 2020.
-
Concurrency and Privacy with Payment-Channel Networks
Authors:
Giulio Malavolta,
Pedro Moreno-Sanchez,
Aniket Kate,
Matteo Maffei,
Srivatsan Ravi
Abstract:
Permissionless blockchains protocols such as Bitcoin are inherently limited in transaction throughput and latency. Current efforts to address this key issue focus on off-chain payment channels that can be combined in a Payment-Channel Network (PCN) to enable an unlimited number of payments without requiring to access the blockchain other than to register the initial and final capacity of each chan…
▽ More
Permissionless blockchains protocols such as Bitcoin are inherently limited in transaction throughput and latency. Current efforts to address this key issue focus on off-chain payment channels that can be combined in a Payment-Channel Network (PCN) to enable an unlimited number of payments without requiring to access the blockchain other than to register the initial and final capacity of each channel. While this approach paves the way for low latency and high throughput of payments, its deployment in practice raises several privacy concerns as well as technical challenges related to the inherently concurrent nature of payments, such as race conditions and deadlocks, that have been understudied so far. In this work, we lay the foundations for privacy and concurrency in PCNs, presenting a formal definition in the Universal Composability framework as well as practical and provably secure solutions. In particular, we present Fulgor and Rayo. Fulgor is the first payment protocol for PCNs that provides provable privacy guarantees for PCNs and is fully compatible with the Bitcoin scripting system. However, Fulgor is a blocking protocol and therefore prone to deadlocks of concurrent payments as in currently available PCNs. Instead, Rayo is the first protocol for PCNs that enforces non-blocking progress (i.e., at least one of the concurrent payments terminates). We show through a new impossibility result that non-blocking progress necessarily comes at the cost of weaker privacy. At the core of Fulgor and Rayo is Multi-Hop HTLC, a new smart contract, compatible with the Bitcoin scripting system, that provides conditional payments while reducing running time and communication overhead with respect to previous approaches.
△ Less
Submitted 20 November, 2019;
originally announced November 2019.
-
A Tale of Two Trees: One Writes, and Other Reads. Optimized Oblivious Accesses to Large-Scale Blockchains
Authors:
Duc V. Le,
Lizzy Tengana Hurtado,
Adil Ahmad,
Mohsen Minaei,
Byoungyoung Lee,
Aniket Kate
Abstract:
The Bitcoin network has offered a new way of securely performing financial transactions over the insecure network. Nevertheless, this ability comes with the cost of storing a large (distributed) ledger, which has become unsuitable for personal devices of any kind. Although the simplified payment verification (SPV) clients can address this storage issue, a Bitcoin SPV client has to rely on other Bi…
▽ More
The Bitcoin network has offered a new way of securely performing financial transactions over the insecure network. Nevertheless, this ability comes with the cost of storing a large (distributed) ledger, which has become unsuitable for personal devices of any kind. Although the simplified payment verification (SPV) clients can address this storage issue, a Bitcoin SPV client has to rely on other Bitcoin nodes to obtain its transaction history and the current approaches offer no privacy guarantees to the SPV clients.
This work presents $T^3$, a trusted hardware-secured Bitcoin full client that supports efficient oblivious search/update for Bitcoin SPV clients without sacrificing the privacy of the clients. In this design, we leverage the trusted execution and attestation capabilities of a trusted execution environment (TEE) and the ability to hide access patterns of oblivious random access memory (ORAM) to protect SPV clients' requests from a potentially malicious server. The key novelty of $T^3$ lies in the optimizations introduced to conventional ORAM, tailored for expected SPV client usages. In particular, by making a natural assumption about the access patterns of SPV clients, we are able to propose a two-tree ORAM construction that overcomes the concurrency limitation associated with traditional ORAMs. We have implemented and tested our system using the current Bitcoin Unspent Transaction Output database. Our experiment shows that the system is feasible to be deployed in practice while providing strong privacy and security guarantees to Bitcoin SPV clients.
△ Less
Submitted 16 September, 2019; v1 submitted 3 September, 2019;
originally announced September 2019.
-
Brief Note: Asynchronous Verifiable Secret Sharing with Optimal Resilience and Linear Amortized Overhead
Authors:
Aniket Kate,
Andrew Miller,
Tom Yurek
Abstract:
In this work we present hbAVSS, the Honey Badger of Asynchronous Verifiable Secret Sharing (AVSS) protocols - an AVSS protocol that guarantees linear amortized communication overhead even in the worst case. The best prior work can achieve linear overhead only at a suboptimal resilience level (t < n/4) or by relying on optimism (falling back to quadratic overhead in case of network asynchrony or By…
▽ More
In this work we present hbAVSS, the Honey Badger of Asynchronous Verifiable Secret Sharing (AVSS) protocols - an AVSS protocol that guarantees linear amortized communication overhead even in the worst case. The best prior work can achieve linear overhead only at a suboptimal resilience level (t < n/4) or by relying on optimism (falling back to quadratic overhead in case of network asynchrony or Byzantine faults). Our protocol therefore closes this gap, showing that linear communication overhead is possible without these compromises. The main idea behind our protocol is what we call the encrypt-and-disperse paradigm: by first applying ordinary public key encryption to the secret shares, we can make use of highly efficient (but not confidentiality preserving) information dispersal primitives. We prove our protocol is secure under a static computationally bounded Byzantine adversary model.
△ Less
Submitted 16 February, 2019;
originally announced February 2019.
-
Finding Safety in Numbers with Secure Allegation Escrows
Authors:
Venkat Arun,
Aniket Kate,
Deepak Garg,
Peter Druschel,
Bobby Bhattacharjee
Abstract:
For fear of retribution, the victim of a crime may be willing to report it only if other victims of the same perpetrator also step forward. Common examples include 1) identifying oneself as the victim of sexual harassment, especially by a person in a position of authority or 2) accusing an influential politician, an authoritarian government, or ones own employer of corruption. To handle such situa…
▽ More
For fear of retribution, the victim of a crime may be willing to report it only if other victims of the same perpetrator also step forward. Common examples include 1) identifying oneself as the victim of sexual harassment, especially by a person in a position of authority or 2) accusing an influential politician, an authoritarian government, or ones own employer of corruption. To handle such situations, legal literature has proposed the concept of an allegation escrow: a neutral third-party that collects allegations anonymously, matches them against each other, and de-anonymizes allegers only after de-anonymity thresholds (in terms of number of co-allegers), pre-specified by the allegers, are reached.
An allegation escrow can be realized as a single trusted third party; however, this party must be trusted to keep the identity of the alleger and content of the allegation private. To address this problem, this paper introduces Secure Allegation Escrows (SAE, pronounced "say"). A SAE is a group of parties with independent interests and motives, acting jointly as an escrow for collecting allegations from individuals, matching the allegations, and de-anonymizing the allegations when designated thresholds are reached. By design, SAEs provide a very strong property: No less than a majority of parties constituting a SAE can de-anonymize or disclose the content of an allegation without a sufficient number of matching allegations (even in collusion with any number of other allegers). Once a sufficient number of matching allegations exist, the join escrow discloses the allegation with the allegers' identities. We describe how SAEs can be constructed using a novel authentication protocol and a novel allegation matching and bucketing algorithm, provide formal proofs of the security of our constructions, and evaluate a prototype implementation, demonstrating feasibility in practice.
△ Less
Submitted 29 December, 2019; v1 submitted 23 October, 2018;
originally announced October 2018.
-
Forgetting the Forgotten with Letheia, Concealing Content Deletion from Persistent Observers
Authors:
Mohsen Minaei,
Mainack Mondal,
Patrick Loiseau,
Krishna Gummadi,
Aniket Kate
Abstract:
Most social platforms offer mechanisms allowing users to delete their posts, and a significant fraction of users exercise this right to be forgotten. However, ironically, users' attempt to reduce attention to sensitive posts via deletion, in practice, attracts unwanted attention from stalkers specifically to those posts. Thus, deletions may leave users more vulnerable to attacks on their privacy i…
▽ More
Most social platforms offer mechanisms allowing users to delete their posts, and a significant fraction of users exercise this right to be forgotten. However, ironically, users' attempt to reduce attention to sensitive posts via deletion, in practice, attracts unwanted attention from stalkers specifically to those posts. Thus, deletions may leave users more vulnerable to attacks on their privacy in general. Users ho** to make their posts forgotten face a "damned if I do, damned if I don't" dilemma. Many are shifting towards ephemeral social platform like Snapchat, which will deprive us of important user-data archival. In the form of intermittent withdrawals, we present, Lethe, a novel solution to this problem of forgetting the forgotten. If the next-generation social platforms are willing to give up the uninterrupted availability of non-deleted posts by a very small fraction, Lethe provides privacy to the deleted posts over long durations. In presence of Lethe, an adversarial observer becomes unsure if some posts are permanently deleted or just temporarily withdrawn by Lethe; at the same time, the adversarial observer is overwhelmed by a large number of falsely flagged undeleted posts. To demonstrate the feasibility and performance of Lethe, we analyze large-scale real data about users' deletion over Twitter and thoroughly investigate how to choose time duration distributions for alternating between temporary withdrawals and resurrections of non-deleted posts. We find a favorable trade-off between privacy, availability and adversarial overhead in different settings for users exercising their right to delete. We show that, even against an ultimate adversary with an uninterrupted access to the entire platform, Lethe offers deletion privacy for up to 3 months from the time of deletion, while maintaining content availability as high as 95% and kee** the adversarial precision to 20%.
△ Less
Submitted 25 September, 2018; v1 submitted 30 October, 2017;
originally announced October 2017.
-
Settling Payments Fast and Private: Efficient Decentralized Routing for Path-Based Transactions
Authors:
Stefanie Roos,
Pedro Moreno-Sanchez,
Aniket Kate,
Ian Goldberg
Abstract:
Path-based transaction (PBT) networks, which settle payments from one user to another via a path of intermediaries, are a growing area of research. They overcome the scalability and privacy issues in cryptocurrencies like Bitcoin and Ethereum by replacing expensive and slow on-chain blockchain operations with inexpensive and fast off-chain transfers. In the form of credit networks such as Ripple a…
▽ More
Path-based transaction (PBT) networks, which settle payments from one user to another via a path of intermediaries, are a growing area of research. They overcome the scalability and privacy issues in cryptocurrencies like Bitcoin and Ethereum by replacing expensive and slow on-chain blockchain operations with inexpensive and fast off-chain transfers. In the form of credit networks such as Ripple and Stellar, they also enable low-price real-time gross settlements across different currencies. For example, SilentWhsipers is a recently proposed fully distributed credit network relying on path-based transactions for secure and in particular private payments without a public ledger. At the core of a decentralized PBT network is a routing algorithm that discovers transaction paths between payer and payee. During the last year, a number of routing algorithms have been proposed. However, the existing ad hoc efforts lack either efficiency or privacy. In this work, we first identify several efficiency concerns in SilentWhsipers. Armed with this knowledge, we design and evaluate SpeedyMurmurs, a novel routing algorithm for decentralized PBT networks using efficient and flexible embedding-based path discovery and on-demand efficient stabilization to handle the dynamics of a PBT network. Our simulation study, based on real-world data from the currently deployed Ripple credit network, indicates that SpeedyMurmurs reduces the overhead of stabilization by up to two orders of magnitude and the overhead of routing a transaction by more than a factor of two. Furthermore, using SpeedyMurmurs maintains at least the same success ratio as decentralized landmark routing, while providing lower delays. Finally, SpeedyMurmurs achieves key privacy goals for routing in PBT networks.
△ Less
Submitted 13 December, 2017; v1 submitted 17 September, 2017;
originally announced September 2017.
-
Mind Your Credit: Assessing the Health of the Ripple Credit Network
Authors:
Pedro Moreno-Sanchez,
Navin Modi,
Raghuvir Songhela,
Aniket Kate,
Sonia Fahmy
Abstract:
The Ripple credit network has emerged as a payment backbone with key advantages for financial institutions and the remittance industry. Its path-based IOweYou (IOU) settlements across different (crypto)currencies conceptually distinguishes the Ripple blockchain from cryptocurrencies, and makes it highly suitable to an orthogonal yet vast set of applications in the remittance world for cross-border…
▽ More
The Ripple credit network has emerged as a payment backbone with key advantages for financial institutions and the remittance industry. Its path-based IOweYou (IOU) settlements across different (crypto)currencies conceptually distinguishes the Ripple blockchain from cryptocurrencies, and makes it highly suitable to an orthogonal yet vast set of applications in the remittance world for cross-border transactions and beyond.
This work studies the structure and evolution of the Ripple network since its inception, and investigates its vulnerability to devilry attacks that affect the credit of linnet users' wallets. We find that about 13M USD are at risk in the current Ripple network due to inappropriate configuration of the rippling flag on credit links, facilitating undesired redistribution of credit across those links. Although the Ripple network has grown around a few highly connected hub (gateway) wallets that constitute the network's core and provide high liquidity to users, such a credit link distribution results in a user base of around 112,000 wallets that can be financially isolated by as few as 10 highly connected gateway wallets. Indeed, today about 4.9M USD cannot be withdrawn by their owners from the Ripple network due to PayRoutes, a gateway tagged as faulty by the Ripple community. Finally, we observe that stale exchange offers pose a real problem, and exchanges (market makers) have not always been vigilant about periodically updating their exchange offers according to current real-world exchange rates. For example, stale offers were used by 84 Ripple wallets to gain more than 4.5M USD from mid-July to mid-August 2017. Our findings should prompt the Ripple community to improve the health of the network by educating its users on increasing their connectivity, and by appropriately maintaining the credit limits, rippling flags, and exchange offers on their credit links.
△ Less
Submitted 11 March, 2018; v1 submitted 7 June, 2017;
originally announced June 2017.
-
Lime: Data Lineage in the Malicious Environment
Authors:
Michael Backes,
Niklas Grimm,
Aniket Kate
Abstract:
Intentional or unintentional leakage of confidential data is undoubtedly one of the most severe security threats that organizations face in the digital era. The threat now extends to our personal lives: a plethora of personal information is available to social networks and smartphone providers and is indirectly transferred to untrustworthy third party and fourth party applications.
In this work,…
▽ More
Intentional or unintentional leakage of confidential data is undoubtedly one of the most severe security threats that organizations face in the digital era. The threat now extends to our personal lives: a plethora of personal information is available to social networks and smartphone providers and is indirectly transferred to untrustworthy third party and fourth party applications.
In this work, we present a generic data lineage framework LIME for data flow across multiple entities that take two characteristic, principal roles (i.e., owner and consumer). We define the exact security guarantees required by such a data lineage mechanism toward identification of a guilty entity, and identify the simplifying non repudiation and honesty assumptions. We then develop and analyze a novel accountable data transfer protocol between two entities within a malicious environment by building upon oblivious transfer, robust watermarking, and signature primitives. Finally, we perform an experimental evaluation to demonstrate the practicality of our protocol.
△ Less
Submitted 5 August, 2014;
originally announced August 2014.
-
Introducing Accountability to Anonymity Networks
Authors:
Michael Backes,
Jeremy Clark,
Peter Druschel,
Aniket Kate,
Milivoj Simeonovski
Abstract:
Many anonymous communication (AC) networks rely on routing traffic through proxy nodes to obfuscate the originator of the traffic. Without an accountability mechanism, exit proxy nodes risk sanctions by law enforcement if users commit illegal actions through the AC network. We present BackRef, a generic mechanism for AC networks that provides practical repudiation for the proxy nodes by tracing ba…
▽ More
Many anonymous communication (AC) networks rely on routing traffic through proxy nodes to obfuscate the originator of the traffic. Without an accountability mechanism, exit proxy nodes risk sanctions by law enforcement if users commit illegal actions through the AC network. We present BackRef, a generic mechanism for AC networks that provides practical repudiation for the proxy nodes by tracing back the selected outbound traffic to the predecessor node (but not in the forward direction) through a cryptographically verifiable chain. It also provides an option for full (or partial) traceability back to the entry node or even to the corresponding user when all intermediate nodes are cooperating. Moreover, to maintain a good balance between anonymity and accountability, the protocol incorporates whitelist directories at exit proxy nodes. BackRef offers improved deployability over the related work, and introduces a novel concept of pseudonymous signatures that may be of independent interest.
We exemplify the utility of BackRef by integrating it into the onion routing (OR) protocol, and examine its deployability by considering several system-level aspects. We also present the security definitions for the BackRef system (namely, anonymity, backward traceability, no forward traceability, and no false accusation) and conduct a formal security analysis of the OR protocol with BackRef using ProVerif, an automated cryptographic protocol verifier, establishing the aforementioned security properties against a strong adversarial model.
△ Less
Submitted 13 November, 2013;
originally announced November 2013.
-
Adding Query Privacy to Robust DHTs
Authors:
Michael Backes,
Ian Goldberg,
Aniket Kate,
Tomas Toft
Abstract:
Interest in anonymous communication over distributed hash tables (DHTs) has increased in recent years. However, almost all known solutions solely aim at achieving sender or requestor anonymity in DHT queries. In many application scenarios, it is crucial that the queried key remains secret from intermediate peers that (help to) route the queries towards their destinations. In this paper, we satisfy…
▽ More
Interest in anonymous communication over distributed hash tables (DHTs) has increased in recent years. However, almost all known solutions solely aim at achieving sender or requestor anonymity in DHT queries. In many application scenarios, it is crucial that the queried key remains secret from intermediate peers that (help to) route the queries towards their destinations. In this paper, we satisfy this requirement by presenting an approach for providing privacy for the keys in DHT queries.
We use the concept of oblivious transfer (OT) in communication over DHTs to preserve query privacy without compromising spam resistance. Although our OT-based approach can work over any DHT, we concentrate on communication over robust DHTs that can tolerate Byzantine faults and resist spam. We choose the best-known robust DHT construction, and employ an efficient OT protocol well-suited for achieving our goal of obtaining query privacy over robust DHTs. Finally, we compare the performance of our privacy-preserving protocols with their more privacy-invasive counterparts. We observe that there is no increase in the message complexity and only a small overhead in the computational complexity.
△ Less
Submitted 3 April, 2012; v1 submitted 6 July, 2011;
originally announced July 2011.
