-
Decentralized Reliability Estimation for Mixnets
Authors:
Claudia Diaz,
Harry Halpin,
Aggelos Kiayias
Abstract:
Continuous-time decryption mixnets can anonymously route data packets with end to end latency that can be as low as a second, making them usable for a variety of applications. Such mixnets however lack verifiable reliability properties that ensure the correct processing and delivery of packets, while existing verifiability mechanisms are incompatible with scalable low latency continuous-time mixnets due to imposing overheads measuring in minutes to hours. This work addresses this gap by proposing a scheme that can estimate reliability scores for links and nodes forming a continuous-time mixnet where some form of credentials authorize clients to send traffic. The scores can be computed publicly by all participants from a set of measurement packets that are eventually revealed and act as a random sample of the traffic, without affecting mixnet transmission latency for client packets. Our scheme relies on VRF-based routing, a novel primitive that ensures that legitimate client packets follow the routing policy of the mixnet, as well as randomly generating unforgeable measurement packets. We experimentally validate our construction both in unreliable and adversarial settings, demonstrating its feasibility.
Submitted 10 June, 2024;
originally announced June 2024.
-
Single-token vs Two-token Blockchain Tokenomics
Authors:
Aggelos Kiayias,
Philip Lazos,
Paolo Penna
Abstract:
We consider long-term equilibria that arise in the tokenomics design of proof-of-stake (PoS) blockchain systems that comprise users and validators, both striving to maximize their own utilities. Validators are system maintainers who get rewarded with tokens for performing the work necessary for the system to function properly, while users compete and pay with such tokens for getting a desired portion of the system service.
We study how the system service provision and suitable rewards schemes together can lead to equilibria with desirable characteristics (1) viability: the system keeps parties engaged, (2) decentralization: multiple validators are participating, (3) stability: the price path of the underlying token used to transact with the system does not change widely over time, and (4) feasibility: the mechanism is easy to implement as a smart contract, i.e., it does not require fiat reserves on-chain for buy back of tokens or to perform bookkeeping of exponentially growing token holdings. Our analysis enables us to put forward a novel generic mechanism for blockchain "monetary policy" that we call quantitative rewarding (QR). We investigate how to implement QR in single-token and two-token proof of stake (PoS) blockchain systems. The latter are systems that utilize one token for the users to pay the transaction fees and a different token for the validators to participate in the PoS protocol and get rewarded. Our approach demonstrates a concrete advantage of the two-token setting in terms of the ability of the QR mechanism to be realized effectively and provide good equilibria. Our analysis also reveals an inherent limitation of the single token setting in terms of implementing an effective blockchain monetary policy - a distinction that is, to the best of our knowledge, highlighted for the first time.
Submitted 12 June, 2024; v1 submitted 13 March, 2024;
originally announced March 2024.
-
Blockchain Bribing Attacks and the Efficacy of Counterincentives
Authors:
Dimitris Karakostas,
Aggelos Kiayias,
Thomas Zacharias
Abstract:
We analyze bribing attacks in Proof-of-Stake distributed ledgers from a game theoretic perspective. In bribing attacks, an adversary offers participants a reward in exchange for instructing them how to behave, with the goal of attacking the protocol's properties. Specifically, our work focuses on adversaries that target blockchain safety. We consider two types of bribing, depending on how the bribes are awarded: i) guided bribing, where the bribe is given as long as the bribed party behaves as instructed; ii) effective bribing, where bribes are conditional on the attack's success, w.r.t. well-defined metrics. We analyze each type of attack in a game theoretic setting and identify relevant equilibria. In guided bribing, we show that the protocol is not an equilibrium and then describe good equilibria, where the attack is unsuccessful, and a negative one, where all parties are bribed such that the attack succeeds. In effective bribing, we show that both the protocol and the "all bribed" setting are equilibria. Using the identified equilibria, we then compute bounds on the Prices of Stability and Anarchy. Our results indicate that additional mitigations are needed for guided bribing, so our analysis concludes with incentive-based mitigation techniques, namely slashing and dilution. Here, we present two positive results, that both render the protocol an equilibrium and achieve maximal welfare for all parties, and a negative result, wherein an attack becomes more plausible if it severely affects the ledger's token's market price.
Submitted 19 June, 2024; v1 submitted 9 February, 2024;
originally announced February 2024.
-
Blockchain Participation Games
Authors:
Pyrros Chaidos,
Aggelos Kiayias,
Evangelos Markakis
Abstract:
We study game-theoretic models for capturing participation in blockchain systems. Permissionless blockchains can be naturally viewed as games, where a set of potentially interested users is faced with the dilemma of whether to engage with the protocol or not. Engagement here implies that the user will be asked to complete certain tasks, whenever they are selected to contribute (typically according to some stochastic process) and be rewarded if they choose to do so. Apart from the basic dilemma of engaging or not, even more strategic considerations arise in settings where users may be able to declare participation and then retract before completing their tasks (but are still able to receive rewards) or are rewarded independently of whether they contribute. Such variations occur naturally in the blockchain setting due to the complexity of tracking "on-chain" the behavior of the participants.
We capture these participation considerations offering a series of models that enable us to reason about the basic dilemma, the case where retraction effects influence the outcome and the case when payments are given universally irrespective of the stochastic process. In all cases we provide characterization results or necessary conditions on the structure of Nash equilibria. Our findings reveal that appropriate reward mechanisms can be used to stimulate participation and avoid negative effects of free riding, results that are in line but also can inform real world blockchain system deployments.
Submitted 5 December, 2023;
originally announced December 2023.
-
Would Friedman Burn your Tokens?
Authors:
Aggelos Kiayias,
Philip Lazos,
Jan Christoph Schlegel
Abstract:
Cryptocurrencies come with a variety of tokenomic policies as well as aspirations of desirable monetary characteristics that have been described by proponents as 'sound money' or even 'ultra sound money.' These propositions are typically devoid of economic analysis so it is a pertinent question how such aspirations fit in the wider context of monetary economic theory. In this work, we develop a framework that determines the optimal token supply policy of a cryptocurrency, as well as investigate how such policy may be algorithmically implemented. Our findings suggest that the optimal policy complies with the Friedman rule and it is dependent on the risk free rate, as well as the growth of the cryptocurrency platform. Furthermore, we demonstrate a wide set of conditions under which such policy can be implemented via contractions and expansions of token supply that can be realized algorithmically with block rewards, taxation of consumption and burning the proceeds, and blockchain oracles.
Submitted 29 June, 2023;
originally announced June 2023.
-
Tiered Mechanisms for Blockchain Transaction Fees
Authors:
Aggelos Kiayias,
Elias Koutsoupias,
Philip Lazos,
Giorgos Panagiotakos
Abstract:
Blockchain systems come with the promise of being inclusive for a variety of decentralized applications (DApps) that can serve different purposes and have different urgency requirements. Despite this, the transaction fee mechanisms currently deployed in popular platforms as well as previous modeling attempts for the associated mechanism design problem focus on an approach that favors increasing prices in favor of those clients who value immediate service during periods of congestion. To address this issue, we introduce a model that captures the traffic diversity of blockchain systems and a tiered pricing mechanism that is capable of implementing more inclusive transaction policies. In this model, we demonstrate formally that EIP-1559, the transaction fee mechanism currently used in Ethereum, is not inclusive and demonstrate experimentally that its prices surge horizontally during periods of congestion. On the other hand, we prove formally that our mechanism achieves stable prices in expectation and we provide experimental results that establish that prices for transactions can be kept low for low urgency transactions, resulting in a diverse set of transaction types entering the blockchain. At the same time, perhaps surprisingly, our mechanism does not necessarily sacrifice revenue since the lowering of the prices for low urgency transactions can be covered from high urgency ones due to the price discrimination ability of the mechanism.
Submitted 12 April, 2023;
originally announced April 2023.
-
SoK: A Stratified Approach to Blockchain Decentralization
Authors:
Christina Ovezik,
Dimitris Karakostas,
Aggelos Kiayias
Abstract:
Decentralization has been touted as the principal security advantage which propelled blockchain systems at the forefront of developments in the financial technology space. Its exact semantics nevertheless remain highly contested and ambiguous, with proponents and critics disagreeing widely on the level of decentralization offered by existing systems. To address this, we put forth a systematization of the current landscape with respect to decentralization and we derive a methodology that can help direct future research towards defining and measuring decentralization. Our approach dissects blockchain systems into multiple layers, or strata, each possibly encapsulating multiple categories, and it enables a unified method for measuring decentralization in each one. Our layers are (1) hardware, (2) software, (3) network, (4) consensus, (5) economics ("tokenomics"), (6) client API, (7) governance, and (8) geography. Armed with this stratification, we examine for each layer which pertinent properties of distributed ledgers (safety, liveness, privacy, stability) can be at risk due to centralization and in what way. We also introduce a practical test, the "Minimum Decentralization Test" which can provide quick insights about the decentralization state of a blockchain system. To demonstrate how our stratified methodology can be used in practice, we apply it fully (layer by layer) to Bitcoin, and we provide examples of systems which comprise one or more "problematic" layers that cause them to fail the MDT. Our work highlights the challenges in measuring and achieving decentralization, and suggests various potential directions where future research is needed.
Submitted 15 April, 2024; v1 submitted 2 November, 2022;
originally announced November 2022.
-
Optimal Bootstrapping of PoW Blockchains
Authors:
Ranvir Rana,
Dimitris Karakostas,
Sreeram Kannan,
Aggelos Kiayias,
Pramod Viswanath
Abstract:
Proof of Work (PoW) blockchains are susceptible to adversarial majority mining attacks in the early stages due to incipient participation and corresponding low net hash power. Bootstrapping ensures safety and liveness during the transient stage by protecting against a majority mining attack, allowing a PoW chain to grow the participation base and corresponding mining hash power. Liveness is especially important since a loss of liveness will lead to loss of honest mining rewards, decreasing honest participation, hence creating an undesired spiral; indeed existing bootstrapping mechanisms offer especially weak liveness guarantees.
In this paper, we propose Advocate, a new bootstrapping methodology, which achieves two main results: (a) optimal liveness and low latency under a super-majority adversary for the Nakamoto longest chain protocol and (b) immediate black-box generalization to a variety of parallel-chain based scaling architectures, including OHIE and Prism. We demonstrate via a full-stack implementation the robustness of Advocate under a 90% adversarial majority.
Submitted 22 August, 2022;
originally announced August 2022.
-
Minotaur: Multi-Resource Blockchain Consensus
Authors:
Matthias Fitzi,
Xuechao Wang,
Sreeram Kannan,
Aggelos Kiayias,
Nikos Leonardos,
Pramod Viswanath,
Gerui Wang
Abstract:
Resource-based consensus is the backbone of permissionless distributed ledger systems. The security of such protocols relies fundamentally on the level of resources actively engaged in the system. The variety of different resources (and related proof protocols, sometimes referred to as PoX in the literature) raises the fundamental question of whether it is possible to utilize many of them in tandem and build multi-resource consensus protocols. The challenge in combining different resources is to achieve fungibility between them, in the sense that security would hold as long as the cumulative adversarial power across all resources is bounded.
In this work, we put forth Minotaur, a multi-resource blockchain consensus protocol that combines proof-of-work (PoW) and proof-of-stake (PoS), and we prove it optimally fungible. At the core of our design, Minotaur operates in epochs while continuously sampling the active computational power to provide a fair exchange between the two resources, work and stake. Further, we demonstrate the ability of Minotaur to handle a higher degree of work fluctuation as compared to the Bitcoin blockchain; we also generalize Minotaur to any number of resources.
We demonstrate the simplicity of Minotaur via implementing a full stack client in Rust (available open source). We use the client to test the robustness of Minotaur to variable mining power and combined work/stake attacks and demonstrate concrete empirical evidence towards the suitability of Minotaur to serve as the consensus layer of a real-world blockchain.
Submitted 7 September, 2022; v1 submitted 27 January, 2022;
originally announced January 2022.
-
SoK: Blockchain Governance
Authors:
Aggelos Kiayias,
Philip Lazos
Abstract:
Blockchain systems come with a promise of decentralization that often stumbles on a roadblock when key decisions about modifying the software codebase need to be made. This is attested by the fact that both of the two major cryptocurrencies, Bitcoin and Ethereum, have undergone hard forks that resulted in the creation of alternative systems, creating confusion and opportunities for fraudulent activities. These events, and numerous others, underscore the importance of Blockchain governance, namely the set of processes that blockchain platforms utilize in order to perform decision-making and converge to a widely accepted direction for the system to evolve. While a rich topic of study in other areas, governance of blockchain platforms is lacking a well established set of methods and practices that are adopted industry wide. This makes the topic of blockchain governance a fertile domain for a thorough systematization that we undertake in this work.
We start by distilling a comprehensive array of properties for sound governance systems drawn from academic sources as well as grey literature of election systems and blockchain white papers. These are divided into seven categories, confidentiality, verifiability, accountability, sustainability, Pareto efficiency, suffrage and liveness, that capture the whole spectrum of desiderata of governance systems. We proceed to classify ten well-documented blockchain systems. While all properties are satisfied, even partially, by at least one system, no system satisfies most of them. Our work lays out a foundation for assessing blockchain governance processes. While it highlights shortcomings and deficiencies in currently deployed systems, it can also be a catalyst for improving these processes to the highest possible standard with appropriate trade-offs, something direly needed for blockchain platforms to operate effectively in the long term.
Submitted 18 January, 2023; v1 submitted 18 January, 2022;
originally announced January 2022.
-
Blockchain Nash Dynamics and the Pursuit of Compliance
Authors:
Dimitris Karakostas,
Aggelos Kiayias,
Thomas Zacharias
Abstract:
We study Nash-dynamics in the context of blockchain protocols. We introduce a formal model, within which one can assess whether the Nash dynamics can lead utility-maximizing participants to defect from the "honest" protocol operation, towards variations that exhibit one or more undesirable infractions, such as abstaining from participation and producing conflicting protocol histories. Blockchain protocols that do not lead to such infraction states are said to be compliant. Armed with this model, we evaluate the compliance of various Proof-of-Work (PoW) and Proof-of-Stake (PoS) protocol families, with respect to different utility functions and reward schemes, leading to the following results: i) PoS ledgers under resource-proportional rewards can be compliant if costs are negligible, but non-compliant if costs are significant; ii) PoW and PoS under block-proportional rewards exhibit different compliance behavior, depending on the lossiness of the network; iii) PoS ledgers can be compliant w.r.t. one infraction, i.e., producing conflicting messages, but non-compliant (and non-equilibria) w.r.t. abstaining or an attack we call selfish signing; iv) taking externalities, such as exchange rate fluctuations, into account, we quantify the benefit of economic penalties, in the context of PoS protocols, in disincentivizing particular infractions.
Submitted 23 March, 2022; v1 submitted 3 January, 2022;
originally announced January 2022.
-
Decentralizing Information Technology: The Advent of Resource Based Systems
Authors:
Aggelos Kiayias
Abstract:
The growth of the Bitcoin network during the first decade of its operation to a global scale system is a singular event in the deployment of Information Technology systems. Can this approach serve as a wider paradigm for Information Technology services beyond the use case of digital currencies? We investigate this question by introducing the concept of resource based systems and their four fundamental characteristics: (i) resource-based operation, (ii) tokenomics, (iii) decentralized service provision, and (iv) rewards sharing. We explore these characteristics, identify design goals and challenges and investigate some crucial game theoretic aspects of reward sharing that can be decisive for their effective operation.
Submitted 26 December, 2021; v1 submitted 18 December, 2021;
originally announced December 2021.
-
Incentives Against Power Grabs or How to Engineer the Revolution in a Pooled Proof of Stake System
Authors:
Aggelos Kiayias,
Elias Koutsoupias,
Aikaterini-Panagiota Stouka
Abstract:
Proof-of-Stake (PoS) blockchain systems, especially those that allow stakeholders to organize themselves in "stake-pools", have emerged as a compelling paradigm for the deployment of large scale distributed ledgers. A stake-pool operates a node that engages in the PoS protocol and potentially represents a large number of smaller stakeholders. While such pooled PoS operation is attractive from various angles, it also exhibits a significant shortcoming that, so far and to the best of our knowledge, has not been sufficiently understood or investigated. Pooled PoS operation, to be effective and not lead to sub-optimal dictatorial or cartel-like configurations, should enable the stakeholders to revoke and re-delegate their stake in a way that is aligned with their incentives. However, given that stake-pool operators are exactly those entities who determine what transactions are to be recorded in the ledger, they are quite likely to form a cartel and censor any transaction they want, such as those that attempt to adjust the current stake-pool lineup. In this way, a power grab takes place, where the stake-pool cartel perpetuates its control over the PoS system. We first model and observe formally the emergence of the above problem in pooled PoS systems, and then we describe an anti-censorship mechanism that takes advantage of the underlying cryptographic functions of the ledger and the nature of peer-to-peer networks to diffuse information without suppression. We provide a thorough game-theoretic analysis of this mechanism discovering various types of Nash equilibria which demonstrate that the "revolution", i.e., the strategic decision of pool members to withdraw support from a censoring cartel as well as the pool operators to step down, can be incentivized, under suitable and plausible conditions in the utility functions of the involved participants.
Submitted 16 November, 2021;
originally announced November 2021.
-
Filling the Tax Gap via Programmable Money
Authors:
Dimitris Karakostas,
Aggelos Kiayias
Abstract:
We discuss the problem of facilitating tax auditing assuming "programmable money", i.e., digital monetary instruments that are managed by an underlying distributed ledger. We explore how a taxation authority can verify the declared returns of its citizens and create a counter-incentive to tax evasion by two distinct mechanisms. First, we describe a design which enables auditing as a built-in feature with minimal changes on the underlying ledger's consensus protocol. Second, we offer an application-layer extension, which requires no modification in the underlying ledger's design. Both solutions provide a high level of privacy, ensuring that, apart from specific limited data given to the taxation authority, no additional information - beyond the information already published on the underlying ledger - is leaked.
Submitted 26 July, 2021;
originally announced July 2021.
-
Babel Fees via Limited Liabilities
Authors:
Manuel M. T. Chakravarty,
Nikos Karayannidis,
Aggelos Kiayias,
Michael Peyton Jones,
Polina Vinogradova
Abstract:
Custom currencies (ERC-20) on Ethereum are wildly popular, but they are second class to the primary currency Ether. Custom currencies are more complex and more expensive to handle than the primary currency as their accounting is not natively performed by the underlying ledger, but instead in user-defined contract code. Furthermore, and quite importantly, transaction fees can only be paid in Ether.
In this paper, we focus on being able to pay transaction fees in custom currencies. We achieve this by way of a mechanism permitting short term liabilities to pay transaction fees in conjunction with offers of custom currencies to compensate for those liabilities. This enables block producers to accept custom currencies in exchange for settling liabilities of transactions that they process.
We present formal ledger rules to handle liabilities together with the concept of babel fees to pay transaction fees in custom currencies. We also discuss how clients can determine what fees they have to pay, and we present a solution to the knapsack problem variant that block producers have to solve in the presence of babel fees to optimise their profits.
Submitted 8 April, 2022; v1 submitted 2 June, 2021;
originally announced June 2021.
-
Quantum Multi-Solution Bernoulli Search with Applications to Bitcoin's Post-Quantum Security
Authors:
Alexandru Cojocaru,
Juan Garay,
Aggelos Kiayias,
Fang Song,
Petros Wallden
Abstract:
A proof of work (PoW) is an important cryptographic construct enabling a party to convince others that they invested some effort in solving a computational task. Arguably, its main impact has been in the setting of cryptocurrencies such as Bitcoin and its underlying blockchain protocol, which received significant attention in recent years due to its potential for various applications as well as for solving fundamental distributed computing questions in novel threat models. PoWs enable the linking of blocks in the blockchain data structure and thus the problem of interest is the feasibility of obtaining a sequence (chain) of such proofs. In this work, we examine the hardness of finding such a chain of PoWs against quantum strategies. We prove that the chain of PoWs problem reduces to a problem we call multi-solution Bernoulli search, for which we establish its quantum query complexity. Effectively, this is an extension of a threshold direct product theorem to an average-case unstructured search problem. Our proof, adding to active recent efforts, simplifies and generalizes the recording technique of Zhandry (Crypto'19). As an application, we revisit the formal treatment of security of the core of the Bitcoin consensus protocol, the Bitcoin backbone (Eurocrypt'15), against quantum adversaries, while honest parties are classical, and show that the protocol's security holds under a quantum analogue of the classical "honest majority" assumption. Our analysis indicates that the security of the Bitcoin backbone is guaranteed provided the number of adversarial quantum queries is bounded so that each quantum query is worth $O(p^{-1/2})$ classical ones, where $p$ is the success probability of a single classical query to the protocol's underlying hash function. Somewhat surprisingly, the wait time for safe settlement in the case of quantum adversaries matches the safe settlement time in the classical case.
Submitted 6 March, 2023; v1 submitted 30 December, 2020;
originally announced December 2020.
-
Consistency of Proof-of-Stake Blockchains with Concurrent Honest Slot Leaders
Authors:
Aggelos Kiayias,
Saad Quader,
Alexander Russell
Abstract:
We improve the fundamental security threshold of eventual consensus Proof-of-Stake (PoS) blockchain protocols under the longest-chain rule by showing, for the first time, the positive effect of rounds with concurrent honest leaders.
Current security analyses reduce consistency to the dynamics of an abstract, round-based block creation process that is determined by three events associated with a round: (i) event $A$: at least one adversarial leader, (ii) event $S$: a single honest leader, and (iii) event $M$: multiple, but honest, leaders. We present an asymptotically optimal consistency analysis assuming that an honest round is more likely than an adversarial round (i.e., $\Pr[S] + \Pr[M] > \Pr[A]$); this threshold is optimal. This is a first in the literature and can be applied to both the simple synchronous communication as well as communication with bounded delays.
In all existing consistency analyses, event $M$ is either penalized or treated neutrally. Specifically, the consistency analyses in Ouroboros Praos (Eurocrypt 2018) and Genesis (CCS 2018) assume that $\Pr[S] - \Pr[M] > \Pr[A]$; the analyses in Sleepy Consensus (Asiacrypt 2017) and Snow White (Fin. Crypto 2019) assume that $\Pr[S] > \Pr[A]$. Moreover, all existing analyses completely break down when $\Pr[S] < \Pr[A]$. These thresholds determine the critical trade-off between the honest majority, network delays, and consistency error.
Our new results can be directly applied to improve the security guarantees of the existing protocols. We also provide an efficient algorithm to explicitly calculate these error probabilities in the synchronous setting. Furthermore, we complement these results by analyzing the setting where $S$ is rare, even allowing $\Pr[S] = 0$, under the added assumption that honest players adopt a consistent chain selection rule.
Submitted 28 July, 2020; v1 submitted 14 January, 2020;
originally announced January 2020.
-
Coalition-Safe Equilibria with Virtual Payoffs
Authors:
Aggelos Kiayias,
Aikaterini-Panagiota Stouka
Abstract:
Consider a set of parties invited to execute a protocol $Π$. The protocol will incur some cost to run while in the end (or at regular intervals), it will populate and update local tables that assign (virtual) rewards to participants. Each participant aspires to offset the costs of participation by these virtual payoffs that are provided in the course of the protocol. In this setting, we introduce and study a notion of coalition-safe equilibrium. In particular, we consider a strategic coalition of participants that is centrally coordinated and potentially deviates from $Π$ with the objective to increase its utility with respect to the view of at least one of the other participants. The protocol $Π$ is called a coalition-safe equilibrium with virtual payoffs (EVP) if no such protocol deviation exists. We apply our notion to study incentives in blockchain protocols. We proceed to use our framework to provide a unified picture of incentives in the Bitcoin blockchain, for absolute and relative rewards based utility functions, as well as prove novel results regarding incentives of the Fruitchain blockchain protocol [PODC 2017] showing that the equilibrium condition holds for collusions up to $n-1$ players for absolute rewards based utility functions and less than $n/2$ for relative rewards based utility functions, with the latter result holding for any "weakly fair" blockchain protocol, a new property that we introduce and may be of independent interest.
Submitted 31 December, 2019;
originally announced January 2020.
-
Linear Consistency for Proof-of-Stake Blockchains
Authors:
Erica Blum,
Aggelos Kiayias,
Cristopher Moore,
Saad Quader,
Alexander Russell
Abstract:
The blockchain data structure maintained via the longest-chain rule---popularized by Bitcoin---is a powerful algorithmic tool for consensus algorithms. Such algorithms achieve consistency for blocks in the chain as a function of their depth from the end of the chain. While the analysis of Bitcoin guarantees consistency with error $2^{-k}$ for blocks of depth $O(k)$, the state-of-the-art of proof-of-stake (PoS) blockchains suffers from a quadratic dependence on $k$: these protocols, exemplified by Ouroboros (Crypto 2017), Ouroboros Praos (Eurocrypt 2018) and Sleepy Consensus (Asiacrypt 2017), can only establish that depth $Θ(k^2)$ is sufficient. Whether this quadratic gap is an intrinsic limitation of PoS---due to issues such as the nothing-at-stake problem---has been an urgent open question, as deployed PoS blockchains further rely on consistency for protocol correctness.
We give an axiomatic theory of blockchain dynamics that permits rigorous reasoning about the longest-chain rule and achieve, in broad generality, $Θ(k)$ dependence on depth in order to achieve consistency error $2^{-k}$. In particular, for the first time, we show that PoS protocols can match proof-of-work protocols for linear consistency. We analyze the associated stochastic process, give a recursive relation for the critical functionals of this process, and derive tail bounds in both i.i.d. and martingale settings via associated generating functions.
Submitted 22 November, 2019;
originally announced November 2019.
-
Cryptocurrency Egalitarianism: A Quantitative Approach
Authors:
Dimitris Karakostas,
Aggelos Kiayias,
Christos Nasikas,
Dionysis Zindros
Abstract:
Since the invention of Bitcoin one decade ago, numerous cryptocurrencies have sprung into existence. Among these, proof-of-work is the most common mechanism for achieving consensus, whilst a number of coins have adopted "ASIC-resistance" as a desirable property, claiming to be more "egalitarian," where egalitarianism refers to the power of each coin to participate in the creation of new coins. While proof-of-work consensus dominates the space, several new cryptocurrencies employ alternative consensus, such as proof-of-stake in which block minting opportunities are based on monetary ownership. A core criticism of proof-of-stake revolves around it being less egalitarian by making the rich richer, as opposed to proof-of-work in which everyone can contribute equally according to their computational power. In this paper, we give the first quantitative definition of a cryptocurrency's egalitarianism. Based on our definition, we measure the egalitarianism of popular cryptocurrencies that (may or may not) employ ASIC-resistance, among them Bitcoin, Ethereum, Litecoin, and Monero. Our simulations show, as expected, that ASIC-resistance increases a cryptocurrency's egalitarianism. We also measure the egalitarianism of a stake-based protocol, Ouroboros, and a hybrid proof-of-stake/proof-of-work cryptocurrency, Decred. We show that stake-based cryptocurrencies, under correctly selected parameters, can be perfectly egalitarian, perhaps contradicting folklore belief.
Submitted 4 July, 2019;
originally announced July 2019.
-
On the Practicality of Smart Contract PKI
Authors:
Christos Patsonakis,
Katerina Samari,
Aggelos Kiayias,
Mema Roussopoulos
Abstract:
Public key infrastructures (PKIs) are one of the main building blocks for securing communications over the Internet. Currently, PKIs are under the control of centralized authorities, which is problematic as evidenced by numerous incidents where they have been compromised. The distributed, fault tolerant log of transactions provided by blockchains and more recently, smart contract platforms, constitutes a powerful tool for the decentralization of PKIs. To verify the validity of identity records, blockchain-based identity systems store on chain either all identity records, or, a small (or even constant) sized amount of data to verify identity records stored off chain. However, as most of these systems have never been implemented, there is little information regarding the practical implications of each design's tradeoffs.
In this work, we first implement and evaluate the only provably secure, smart contract based PKI of [1] on top of Ethereum. This construction incurs constant-sized storage at the expense of computational complexity. To explore this tradeoff, we propose and implement a second construction which eliminates the need for trusted setup, preserves the security properties of [1] and, as illustrated through our evaluation, is the only version with constant-sized state that can be deployed on the live chain of Ethereum. Furthermore, we compare these two systems with the simple approach of most prior works, e.g., the Ethereum Name Service, where all identity records are stored on the smart contract's state, to illustrate several shortcomings of Ethereum and its cost model. We propose several modifications for fine tuning the model, which would be useful to consider for any smart contract platform like Ethereum so that it reaches its full potential to support arbitrary distributed applications.
Submitted 3 February, 2019;
originally announced February 2019.
-
Structure and Content of the Visible Darknet
Authors:
Georgia Avarikioti,
Roman Brunner,
Aggelos Kiayias,
Roger Wattenhofer,
Dionysis Zindros
Abstract:
In this paper, we analyze the topology and the content found on the "darknet", the set of websites accessible via Tor. We created a darknet spider and crawled the darknet starting from a bootstrap list by recursively following links. We explored the whole connected component of more than 34,000 hidden services, of which we found 10,000 to be online. Contrary to folklore belief, the visible part of the darknet is surprisingly well-connected through hub websites such as wikis and forums. We performed a comprehensive categorization of the content using supervised machine learning. We observe that about half of the visible dark web content is related to apparently licit activities based on our classifier. A significant amount of content pertains to software repositories, blogs, and activism-related websites. Among unlawful hidden services, most pertain to fraudulent websites, services selling counterfeit goods, and drug markets.
Submitted 7 November, 2018; v1 submitted 4 November, 2018;
originally announced November 2018.
-
A Puff of Steem: Security Analysis of Decentralized Content Curation
Authors:
Aggelos Kiayias,
Benjamin Livshits,
Andrés Monteoliva Mosteiro,
Orfeas Stefanos Thyfronitis Litos
Abstract:
Decentralized content curation is the process through which uploaded posts are ranked and filtered based exclusively on users' feedback. Platforms such as the blockchain-based Steemit employ this type of curation while providing monetary incentives to promote the visibility of high quality posts according to the perception of the participants. Despite the wide adoption of the platform, very little is known regarding its performance and resilience characteristics. In this work, we provide a formal model for decentralized content curation that identifies salient complexity and game-theoretic measures of performance and resilience to selfish participants. Armed with our model, we provide a first analysis of Steemit identifying the conditions under which the system can be expected to correctly converge to curation, while we demonstrate its susceptibility to selfish participant behaviour. We validate our theoretical results with system simulations in various scenarios.
Submitted 2 January, 2019; v1 submitted 3 October, 2018;
originally announced October 2018.
-
Reward Sharing Schemes for Stake Pools
Authors:
Lars Brünjes,
Aggelos Kiayias,
Elias Koutsoupias,
Aikaterini-Panagiota Stouka
Abstract:
We introduce and study reward sharing schemes (RSS) that promote the fair formation of stake pools in collaborative projects that involve a large number of stakeholders such as the maintenance of a proof-of-stake (PoS) blockchain. Our mechanisms are parameterized by a target value for the desired number of pools. We show that by properly incentivizing participants, the desired number of stake pools is a Nash equilibrium arising from rational play. Our equilibria also exhibit an efficiency / security tradeoff via a parameter that calibrates between including pools with the smallest cost and providing protection against Sybil attacks, the setting where a single stakeholder creates a large number of pools in the hopes to dominate the collaborative project. We then describe how RSS can be deployed in the PoS setting, mitigating a number of potential deployment attacks and protocol deviations that include censoring transactions, performing Sybil attacks with the objective to control the majority of stake, lying about the actual cost and others. Finally, we experimentally demonstrate fast convergence to equilibria in dynamic environments where players react to each other's strategic moves over an indefinite period of interactive play. We also show how simple reward sharing schemes that are seemingly more "fair", perhaps counterintuitively, converge to centralized equilibria.
Submitted 6 June, 2020; v1 submitted 30 July, 2018;
originally announced July 2018.
-
Distributed, End-to-end Verifiable, and Privacy-Preserving Internet Voting Systems
Authors:
Nikos Chondros,
Bingsheng Zhang,
Thomas Zacharias,
Panos Diamantopoulos,
Stathis Maneas,
Christos Patsonakis,
Alex Delis,
Aggelos Kiayias,
Mema Roussopoulos
Abstract:
E-voting systems are a powerful technology for improving democracy. Unfortunately, prior voting systems have single points-of-failure, which may compromise availability, privacy, or integrity of the election results.
We present the design, implementation, security analysis, and evaluation of the D-DEMOS suite of distributed, privacy-preserving, and end-to-end verifiable e-voting systems. We present two systems: one asynchronous and one with minimal timing assumptions but better performance. Our systems include a distributed vote collection subsystem that does not require cryptographic operations on behalf of the voter. We also include a distributed, replicated and fault-tolerant Bulletin Board component, that stores all necessary election-related information, and allows any party to read and verify the complete election process. Finally, we incorporate trustees, who control result production while guaranteeing privacy and end-to-end-verifiability as long as their strong majority is honest.
Our suite of e-voting systems is the first whose voting operation is human verifiable, i.e., a voter can vote over the web, even when her web client stack is potentially unsafe, without sacrificing her privacy, and still be assured her vote was recorded as cast. Additionally, a voter can outsource election auditing to third parties, still without sacrificing privacy.
We provide a model and security analysis of the systems, implement complete prototypes, measure their performance experimentally, and demonstrate their ability to handle large-scale elections. Finally, we demonstrate the performance trade-offs between the two versions of the system. A preliminary version of our system was used to conduct exit-polls at three voting sites for two national-level elections and is being adopted for use by the largest civil union of workers in Greece, consisting of over a half million members.
Submitted 2 August, 2016;
originally announced August 2016.
-
Blockchain Mining Games
Authors:
Aggelos Kiayias,
Elias Koutsoupias,
Maria Kyropoulou,
Yiannis Tselekounis
Abstract:
We study the strategic considerations of miners participating in the bitcoin protocol. We formulate and study the stochastic game that underlies these strategic considerations. The miners collectively build a tree of blocks, and they are paid when they create a node (mine a block) which will end up in the path of the tree that is adopted by all. Since the miners can hide newly mined nodes, they play a game with incomplete information. Here we consider two simplified forms of this game in which the miners have complete information. In the simplest game the miners release every mined block immediately, but are strategic on which blocks to mine. In the second, more complicated game, when a block is mined it is announced immediately, but it may not be released, so that other miners cannot continue mining from it. A miner not only decides which blocks to mine, but also when to release blocks to other miners. In both games, we show that when the computational power of each miner is relatively small, their best response matches the expected behavior of the bitcoin designer. However, when the computational power of a miner is large, he deviates from the expected behavior, and other Nash equilibria arise.
Submitted 8 July, 2016;
originally announced July 2016.
-
D-DEMOS: A distributed, end-to-end verifiable, internet voting system
Authors:
Nikos Chondros,
Bingsheng Zhang,
Thomas Zacharias,
Panos Diamantopoulos,
Stathis Maneas,
Christos Patsonakis,
Alex Delis,
Aggelos Kiayias,
Mema Roussopoulos
Abstract:
E-voting systems have emerged as a powerful technology for improving democracy by reducing election cost, increasing voter participation, and even allowing voters to directly verify the entire election procedure. Prior internet voting systems have single points of failure, which may result in the compromise of availability, voter secrecy, or integrity of the election results. In this paper, we present the design, implementation, security analysis, and evaluation of D-DEMOS, a complete e-voting system that is distributed, privacy-preserving and end-to-end verifiable. Our system includes a fully asynchronous vote collection subsystem that provides immediate assurance to the voter her vote was recorded as cast, without requiring cryptographic operations on behalf of the voter. We also include a distributed, replicated and fault-tolerant Bulletin Board component, that stores all necessary election-related information, and allows any party to read and verify the complete election process. Finally, we also incorporate trustees, i.e., individuals who control election result production while guaranteeing privacy and end-to-end-verifiability as long as their strong majority is honest. Our system is the first e-voting system whose voting operation is human verifiable, i.e., a voter can vote over the web, even when her web client stack is potentially unsafe, without sacrificing her privacy, and still be assured her vote was recorded as cast. Additionally, a voter can outsource election auditing to third parties, still without sacrificing privacy. Finally, as the number of auditors increases, the probability of election fraud going undetected is diminished exponentially. We provide a model and security analysis of the system. We implement a prototype of the complete system, we measure its performance experimentally, and we demonstrate its ability to handle large-scale elections.
Submitted 18 December, 2015; v1 submitted 24 July, 2015;
originally announced July 2015.
-
On the Security of Key Extraction from Measuring Physical Quantities
Authors:
Matt Edman,
Aggelos Kiayias,
Qiang Tang,
Bulent Yener
Abstract:
Key extraction via measuring a physical quantity is a class of information theoretic key exchange protocols that rely on the physical characteristics of the communication channel to enable the computation of a shared key by two (or more) parties that share no prior secret information. The key is supposed to be information theoretically hidden to an eavesdropper. Despite the recent surge of research activity in the area, concrete claims about the security of the protocols typically rely on channel abstractions that are not fully experimentally substantiated. In this work, we propose a novel methodology for the experimental security analysis of these protocols. The crux of our methodology is a falsifiable channel abstraction that is accompanied by an efficient experimental approximation algorithm of the conditional min-entropy available to the two parties given the view of the eavesdropper.
We focus on the signal strength between two wirelessly communicating transceivers as the measured quantity and we use an experimental setup to compute the conditional min-entropy of the channel given the view of the attacker which we find to be linearly increasing. Armed with this understanding of the channel, we showcase the methodology by providing a general protocol for key extraction in this setting that is shown to be secure for a concrete parameter selection. In this way we provide a first comprehensively analyzed wireless key extraction protocol that is demonstrably secure against passive adversaries. Our methodology uses hidden Markov models as the channel model and a dynamic programming approach to approximate conditional min-entropy but other possible instantiations of the methodology can be motivated by our work.
Submitted 16 December, 2015; v1 submitted 18 November, 2013;
originally announced November 2013.
-
Solving the At-Most-Once Problem with Nearly Optimal Effectiveness
Authors:
Sotirios Kentros,
Aggelos Kiayias
Abstract:
We present and analyze a wait-free deterministic algorithm for solving the at-most-once problem: how m shared-memory fail-prone processes perform asynchronously n jobs at most once. Our algorithmic strategy provides for the first time nearly optimal effectiveness, which is a measure that expresses the total number of jobs completed in the worst case. The effectiveness of our algorithm equals n-2m+2. This is up to an additive factor of m close to the known effectiveness upper bound n-m+1 over all possible algorithms and improves on the previously best known deterministic solutions that have effectiveness only n-log m o(n). We also present an iterative version of our algorithm that for any $m = O\left(\sqrt[3+ε]{n/\log n}\right)$ is both effectiveness-optimal and work-optimal, for any constant $ε> 0$. We then employ this algorithm to provide a new algorithmic solution for the Write-All problem which is work optimal for any $m=O\left(\sqrt[3+ε]{n/\log n}\right)$.
Submitted 2 December, 2013; v1 submitted 15 July, 2011;
originally announced July 2011.
-
Randomness Efficient Steganography
Authors:
Aggelos Kiayias,
Alexander Russell,
Narasimha Shashidhar
Abstract:
Steganographic protocols enable one to embed covert messages into inconspicuous data over a public communication channel in such a way that no one, aside from the sender and the intended receiver, can even detect the presence of the secret message. In this paper, we provide a new provably-secure, private-key steganographic encryption protocol secure in the framework of Hopper et al. We first present a "one-time stegosystem" that allows two parties to transmit messages of length at most that of the shared key with information-theoretic security guarantees. The employment of a pseudorandom generator (PRG) permits secure transmission of longer messages in the same way that such a generator allows the use of one-time pad encryption for messages longer than the key in symmetric encryption. The advantage of our construction, compared to all previous work is randomness efficiency: in the information theoretic setting our protocol embeds a message of length n bits using a shared secret key of length (1+o(1))n bits while achieving security 2^{-n/log^{O(1)}n}; simply put this gives a rate of key over message that is 1 as n tends to infinity (the previous best result achieved a constant rate greater than 1 regardless of the security offered). In this sense, our protocol is the first truly randomness efficient steganographic system. Furthermore, in our protocol, we can permit a portion of the shared secret key to be public while retaining precisely n private key bits. In this setting, by separating the public and the private randomness of the shared key, we achieve security of 2^{-n}. Our result comes as an effect of the application of randomness extractors to stegosystem design. To the best of our knowledge this is the first time extractors have been applied in steganography.
Submitted 3 February, 2012; v1 submitted 24 September, 2009;
originally announced September 2009.
-
Efficient Steganography with Provable Security Guarantees
Authors:
Aggelos Kiayias,
Yona Raekow,
Alexander Russell,
Narasimha Shashidhar
Abstract:
We provide a new provably-secure steganographic encryption protocol that is proven secure in the complexity-theoretic framework of Hopper et al. The fundamental building block of our steganographic encryption protocol is a "one-time stegosystem" that allows two parties to transmit messages of length shorter than the shared key with information-theoretic security guarantees. The employment of a pseudorandom generator (PRG) permits secure transmission of longer messages in the same way that such a generator allows the use of one-time pad encryption for messages longer than the key in symmetric encryption. The advantage of our construction, compared to that of Hopper et al., is that it avoids the use of a pseudorandom function family and instead relies (directly) on a pseudorandom generator in a way that provides linear improvement in the number of applications of the underlying one-way permutation per transmitted bit. This advantageous trade-off is achieved by substituting the pseudorandom function family employed in the previous construction with an appropriate combinatorial construction that has been used extensively in derandomization, namely almost t-wise independent function families.
Submitted 20 September, 2009;
originally announced September 2009.