Merkle2: A Low-Latency Transparency Log System

Transparency logs are designed to help users audit untrusted servers. For example, Certificate Transparency (CT) enables users to detect when a compromised Certificate Authority (CA) has issued a fake certificate. Practical state-of-the-art transparency log systems, however, suffer from high monitoring costs when used for low-latency applications. To reduce monitoring costs, such systems often require users to wait an hour or more for their updates to take effect, inhibiting low-latency applications. We propose Merkle2, a transparency log system that supports both efficient monitoring and low-latency updates. To achieve this goal, we construct a new multi-dimensional, authenticated data structure that nests two types of Merkle trees, hence the name of our system, Merkle2. Using this data structure, we then design a transparency log system with efficient monitoring and lookup protocols that enables low-latency updates. In particular, all the operations in Merkle2 are independent of update intervals and are (poly)logarithmic to the number of entries in the log. Merkle2 not only has excellent asymptotics when compared to prior work, but is also efficient in practice. Our evaluation shows that Merkle2 propagates updates in as little as 1 second and can support 100× more users than state-of-the-art transparency logs.

[1]  Ítalo S. Cunha,et al.  AoT: Authentication and Access Control for the Entire IoT Device Life-Cycle , 2016, SenSys.

[2]  Dennis Shasha,et al.  Secure Untrusted Data Repository (SUNDR) , 2004, OSDI.

[3]  Shaveta Bhatia,et al.  Ethereum , 2021, Blockchain for Business.

[4]  Ralf Sasse,et al.  ARPKI: Attack Resilient Public-Key Infrastructure , 2014, CCS.

[5]  Thomas F. Wenisch,et al.  Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution , 2018, USENIX Security Symposium.

[6]  Warren He,et al.  Proof of Luck: an Efficient Blockchain Consensus Protocol , 2016, SysTEX@Middleware.

[7]  Fiona Fui-Hoon Nah,et al.  A study on tolerable waiting time: how long are Web users willing to wait? , 2004, AMCIS.

[8]  Eli Ben-Sasson,et al.  Scalable Zero Knowledge Via Cycles of Elliptic Curves , 2014, Algorithmica.

[9]  Raluca Ada Popa,et al.  Ghostor: Toward a Secure Data-Sharing System from Decentralized Trust , 2020, NSDI.

[10]  Lan Nguyen,et al.  Accumulators from Bilinear Pairings and Applications , 2005, CT-RSA.

[11]  Sarah Meiklejohn,et al.  Contour: A Practical System for Binary Transparency , 2017, DPM/CBT@ESORICS.

[12]  Morris J. Dworkin,et al.  SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions , 2015 .

[13]  Miguel Oom Temudo de Castro,et al.  Practical Byzantine fault tolerance , 1999, OSDI '99.

[14]  David Wolinsky,et al.  Keeping Authorities "Honest or Bust" with Decentralized Witness Cosigning , 2015, 2016 IEEE Symposium on Security and Privacy (SP).

[15]  Muneeb Ali,et al.  Blockstack: A Global Naming and Storage System Secured by Blockchains , 2016, USENIX Annual Technical Conference.

[16]  Primavera De Filippi,et al.  Bitcoin , 2019 .

[17]  Salvatore J. Stolfo,et al.  Real time data mining-based intrusion detection , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[18]  Mark Ryan,et al.  DTKI: A New Formalized PKI with Verifiable Trusted Parties , 2014, Comput. J..

[19]  R. Perlman,et al.  An overview of PKI trust models , 1999, IEEE Netw..

[20]  Toke Høiland-Jørgensen,et al.  Aggregation-Based Gossip for Certificate Transparency , 2018, ArXiv.

[21]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[22]  Arno Fiedler,et al.  Certificate transparency , 2014, Commun. ACM.

[23]  Fan Zhang,et al.  REM: Resource-Efficient Mining for Blockchains , 2017, IACR Cryptol. ePrint Arch..

[24]  David E. Culler,et al.  JEDI: Many-to-Many End-to-End Encryption and Key Delegation for IoT , 2019, USENIX Security Symposium.

[25]  Michael J. Freedman,et al.  CONIKS: Bringing Key Transparency to End Users , 2015, USENIX Security Symposium.

[26]  Idit Keidar,et al.  Venus: verification for untrusted cloud storage , 2010, CCSW '10.

[27]  P. Balamuralidhar,et al.  Secure MQTT for Internet of Things (IoT) , 2015, 2015 Fifth International Conference on Communication Systems and Network Technologies.

[28]  Thiemo Voigt,et al.  SVELTE: Real-time intrusion detection in the Internet of Things , 2013, Ad Hoc Networks.

[29]  Collin Jackson,et al.  Accountable key infrastructure (AKI): a proposal for a public-key validation infrastructure , 2013, WWW.

[30]  Charles Adams,et al.  Understanding Public-Key Infra-structure: Concepts, Standards, and Deployment Con-siderations , 1999 .

[31]  Matthew Smith,et al.  Hey, NSA: Stay Away from my Market! Future Proofing App Markets against Powerful Attackers , 2014, CCS.

[32]  Fengjun Li,et al.  Certificate Transparency in the Wild: Exploring the Reliability of Monitors , 2019, CCS.

[33]  Srdjan Capkun,et al.  Verena: End-to-End Integrity Protection for Web Applications , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[34]  David Mazières,et al.  Fast and secure global payments with Stellar , 2019, SOSP.

[35]  Justin Cappos,et al.  CHAINIAC: Proactive Software-Update Transparency via Collectively Signed Skipchains and Verified Builds , 2017, USENIX Security Symposium.

[36]  Adrian Perrig,et al.  Efficient gossip protocols for verifying the consistency of Certificate logs , 2015, 2015 IEEE Conference on Communications and Network Security (CNS).

[38]  Srinivas Devadas,et al.  Transparency Logs via Append-Only Authenticated Dictionaries , 2019, IACR Cryptol. ePrint Arch..

[39]  Ralph C. Merkle,et al.  A Digital Signature Based on a Conventional Encryption Function , 1987, CRYPTO.

[40]  Karen A. Scarfone,et al.  Guide to Intrusion Detection and Prevention Systems (IDPS) , 2007 .

[41]  Silvio Micali,et al.  Verifiable random functions , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[42]  Melissa Chase,et al.  Transparency Overlays and Applications , 2016, IACR Cryptol. ePrint Arch..

[43]  Mary Maller,et al.  Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS , 2020, IACR Cryptol. ePrint Arch..

[44]  Nicholas Spooner,et al.  Fractal: Post-Quantum and Transparent Recursive Proofs from Holography , 2020, IACR Cryptol. ePrint Arch..

[45]  Oded Goldreich,et al.  Foundations of Cryptography: Volume 1, Basic Tools , 2001 .

[46]  Fan Zhang,et al.  Ekiden: A Platform for Confidentiality-Preserving, Trustworthy, and Performant Smart Contracts , 2018, 2019 IEEE European Symposium on Security and Privacy (EuroS&P).

[47]  Tanja Lange,et al.  High-speed high-security signatures , 2011, Journal of Cryptographic Engineering.

[48]  Dan Boneh,et al.  Batching Techniques for Accumulators with Applications to IOPs and Stateless Blockchains , 2019, IACR Cryptol. ePrint Arch..

[49]  Douglas Stebila,et al.  Secure Logging Schemes and Certificate Transparency , 2016, ESORICS.

[50]  Satoshi Nakamoto Bitcoin : A Peer-to-Peer Electronic Cash System , 2009 .

[51]  Rene De La Briandais File searching using variable length keys , 1959, IRE-AIEE-ACM Computer Conference.

[52]  Raphael M. Reischuk,et al.  IKP: Turning a PKI Around with Decentralized Automated Incentives , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[53]  David E. Culler,et al.  WAVE: A Decentralized Authorization Framework with Transitive Delegation , 2019, USENIX Security Symposium.

[54]  Srinivas Devadas,et al.  Catena: Efficient Non-equivocation via Bitcoin , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[55]  Daniel Davis Wood,et al.  ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER , 2014 .

[56]  Nir Bitansky,et al.  Recursive composition and bootstrapping for SNARKS and proof-carrying data , 2013, STOC '13.

[57]  Elaine Shi,et al.  Thunderella: Blockchains with Optimistic Instant Confirmation , 2018, IACR Cryptol. ePrint Arch..

[58]  Adrian Perrig,et al.  PoliCert: Secure and Flexible TLS Certificate Management , 2014, CCS.

[59]  Ueli Maurer,et al.  Modelling a Public-Key Infrastructure , 1996, ESORICS.

[60]  Ze Wang,et al.  Blockchain-Based Certificate Transparency and Revocation Transparency , 2018, IEEE Transactions on Dependable and Secure Computing.

[61]  Georg Carle,et al.  Software Distribution Transparency and Auditability , 2017, ArXiv.

[62]  Mark Ryan,et al.  Enhanced Certificate Transparency and End-to-End Encrypted Mail , 2014, NDSS.

[63]  Robert E. Tarjan,et al.  Making data structures persistent , 1986, STOC '86.

[64]  Joseph Bonneau,et al.  EthIKS: Using Ethereum to Audit a CONIKS Key Transparency Log , 2016, Financial Cryptography Workshops.

[65]  Frank Wang,et al.  Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds , 2016, NSDI.

[66]  Apoorvaa Deshpande,et al.  SEEMless: Secure End-to-End Encrypted Messaging with less Trust , 2019, CCS.

[67]  S. Sitharama Iyengar,et al.  Multidimensional Data Structures: Review and Outlook , 1988, Adv. Comput..

[68]  Ittai Abraham,et al.  HotStuff: BFT Consensus with Linearity and Responsiveness , 2019, PODC.