Catena: Preventing Lies with Bitcoin

We present Catena, an efficiently-verifiable Bitcoin witnessing scheme. Catena enables any number of thin clients, such as mobile phones, to efficiently agree on a log of application-specific statements managed by an adversarial server. Catena implements a log as an OP_RETURN transaction chain and prevents forks in the log by leveraging Bitcoin's security against double spends. Specifically, if a log server wants to equivocate, it has to double spend a Bitcoin transaction output. Thus, Catena logs are as hard to fork as the Bitcoin blockchain: an adversary without a large fraction of the network's computational power cannot fork Bitcoin and thus cannot fork a Catena log either. However, unlike previous Bitcoin-based work, Catena decreases the bandwidth requirements of log auditors from 90 GB to only tens of megabytes. More precisely, our clients only need to download all Bitcoin block headers (currently less than 35 MB) and a small, 600-byte proof for each statement in a block. We implemented Catena in Java using the bitcoinj library and used it to extend CONIKS, a recent key transparency scheme, to witness its public-key directory in the Bitcoin blockchain where it can be efficiently verified by auditors. We show that Catena can be used to secure many systems today such as public-key directories, Tor directory servers or software transparency schemes.
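As an added illustration (not code from the Catena paper or its bitcoinj implementation), the following Python model shows the chain-of-transactions log and the thin-client check described above: each log transaction spends output 0 of the previous one and carries an OP_RETURN commitment, the client verifies a Merkle inclusion proof against a block header, and a toy miner stands in for Bitcoin's rule that an already-spent output cannot be spent again, which is what makes a forked log impossible to witness. Assumed simplifications: transactions have one input and one OP_RETURN, block headers are reduced to their Merkle root, and the genesis txid and statements are constructed values.

```python
import hashlib
def dsha(b):  # Bitcoin's hash for txids and Merkle nodes: SHA-256 applied twice
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()
def make_tx(prev_txid, statement):  # constructed tx shape: one input spending output 0 of prev, one OP_RETURN
    return {"prev_txid": prev_txid, "prev_vout": 0, "op_return": hashlib.sha256(statement).digest()}
def txid(tx):
    return dsha(tx["prev_txid"] + tx["prev_vout"].to_bytes(4, "little") + tx["op_return"])

def merkle_branch(txids, index):
    """Bitcoin Merkle root of `txids` plus the branch for leaf `index`: [(sibling_hash, sibling_is_left), ...]."""
    level, branch = list(txids), []
    while len(level) > 1:
        level += level[-1:] if len(level) % 2 else []  # odd count: Bitcoin duplicates the last hash
        branch.append((level[index ^ 1], index % 2 == 1))
        level = [dsha(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], branch
def verify_branch(leaf, branch, root):  # the per-statement inclusion proof a thin client checks against a header
    for sib, sib_is_left in branch:
        leaf = dsha(sib + leaf) if sib_is_left else dsha(leaf + sib)
    return leaf == root

def mine_block(candidates, spent):  # toy consensus: a tx is admitted only if its input outpoint is unspent
    admitted = []
    for tx in candidates:
        if (tx["prev_txid"], tx["prev_vout"]) not in spent:
            spent.add((tx["prev_txid"], tx["prev_vout"]))
            admitted.append(tx)
    return admitted

def build_log(genesis_txid, statements, spent):  # honest server: one tx per statement, each spending the last
    headers, proofs, prev = [], [], genesis_txid
    for stmt in statements:
        block = mine_block([make_tx(prev, stmt)], spent)  # a real block carries unrelated txs as well
        root, branch = merkle_branch([txid(t) for t in block], 0)
        headers.append(root)  # stands in for the 80-byte block header the client downloads
        proofs.append((len(headers) - 1, block[0], branch))
        prev = txid(block[0])
    return headers, proofs

def verify_log(genesis_txid, headers, proofs, statements):
    """Thin client: each tx must sit in its block, commit to its statement and spend the previous log tx."""
    prev = genesis_txid
    for stmt, (blk, tx, branch) in zip(statements, proofs):
        linked = (tx["prev_txid"], tx["prev_vout"]) == (prev, 0)
        committed = tx["op_return"] == hashlib.sha256(stmt).digest()
        if not (linked and committed and verify_branch(txid(tx), branch, headers[blk])):
            return False
        prev = txid(tx)
    return True
```

A server that wants to show two clients different versions of statement 2 must get two transactions spending the same output mined, which `mine_block` (like Bitcoin) refuses, so no valid inclusion proof for the second version can exist.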