silentwhispers: enforcing security and privacy in ...€¦ · silentwhispers: a decentralized...
TRANSCRIPT
SilentWhispers: Enforcing Security and Privacy in Decentralized Credit Networks
NDSS 2017
Pedro Moreno-Sanchez Purdue University
Giulio Malavolta Saarland University
Aniket Kate Purdue University
Matteo Maffei TU Vienna
$
Yet Another Talk about Cryptocurrencies?✦ TumbleBit and CoinShuffle++ are excellent ideas to provide
privacy in Bitcoin
✦ Bitcoin (as any other cryptocurrency) relies on a blockchain: ✦ High storage requirement (>100 GB) ✦ High power consumption for proof-of-work
2
Yet Another Talk about Cryptocurrencies?✦ TumbleBit and CoinShuffle++ are excellent ideas to provide
privacy in Bitcoin
✦ Bitcoin (as any other cryptocurrency) relies on a blockchain: ✦ High storage requirement (>100 GB) ✦ High power consumption for proof-of-work
2
Is it possible to have a decentralized payment system without a blockchain?
Credit (or IOU Settlement) Networks: Basics
3
Credit (or IOU Settlement) Networks: Basics
pay $100
Transactions in the real world
Bob Alice
IOweYou $100
Bob Alice
3
Credit (or IOU Settlement) Networks: Basics
pay $100 AliceBob
Transactions in the real world A credit network representation
Bob Alice
IOweYou $100
Bob Alice
100
3
IOweYou $10
Credit (or IOU Settlement) Networks: Basics
pay $100 AliceBob
Transactions in the real world A credit network representation
Bob Alice
IOweYou $100
Bob Alice
pay $10
Dave Carol
Dave Carol
100
During a hike with Alice & Bob
3
IOweYou $10
Credit (or IOU Settlement) Networks: Basics
pay $100 AliceBob
Carol
Transactions in the real world A credit network representation
Bob Alice
IOweYou $100
Bob Alice
pay $10
Dave Carol
Dave Carol
100
Dave
During a hike with Alice & Bob
3
IOweYou $10
Credit (or IOU Settlement) Networks: Basics
pay $100 Alice
10
Bob
Carol
Transactions in the real world A credit network representation
Bob Alice
IOweYou $100
Bob Alice
pay $10
Dave Carol
Dave Carol
100
Dave
During a hike with Alice & Bob
3
IOweYou $10
Credit (or IOU Settlement) Networks: Basics
pay $100 Alice
10
Bob
Carol
Transactions in the real world A credit network representation
Bob Alice
IOweYou $100
Bob Alice
pay $10
Dave Carol
Dave Carol
100
Dave
110
During a hike with Alice & Bob
3
IOweYou $10
Credit (or IOU Settlement) Networks: Basics
pay $100 Alice
10
Bob
Carol
Transactions in the real world A credit network representation
Bob Alice
IOweYou $100
Bob Alice
pay $10
Dave Carol
Dave Carol
100
Dave10
110
During a hike with Alice & Bob
3
Credit Network Examples
4
Credit Network Examples
✦ Academic proposals: ✦ Ostra: preventing e-mail spam [NSDI’08]
✦ Bazaar: strengthening e-commerce [NSDI’11]
✦ SumUp: Sybil-resilient content voting [NSDI’09]
✦ Industry deployments: ✦ Ripple: A real-life online payment network
✦ Stellar: Another real-life online payment network
4
Credit Network Examples
✦ Academic proposals: ✦ Ostra: preventing e-mail spam [NSDI’08]
✦ Bazaar: strengthening e-commerce [NSDI’11]
✦ SumUp: Sybil-resilient content voting [NSDI’09]
✦ Industry deployments: ✦ Ripple: A real-life online payment network
✦ Stellar: Another real-life online payment network
4
Ripple Credit Network
5
Ripple Credit Network
5
Ripple Credit Network
5
£ 70
CAD 100
$ 60
€ 45€ 30
Ripple Credit Network
5
AED 10
£ 70
CAD 100
$ 60
€ 45€ 30
Ripple Credit Network
5
BTC 5 BTC 10
AED 10
£ 70
CAD 100
$ 60
€ 45€ 30
Ripple Credit Network
5
BTC 5 BTC 10
XYZ 40
GD
W 10
XID 100FMM 280
AED 10
£ 70
CAD 100
$ 60
€ 45€ 30
Ripple Credit Network
5
BTC 5 BTC 10
XYZ 40
GD
W 10
XID 100FMM 280
Tx time Worldwide, inter-currency tx Integrity
AED 10
£ 70
CAD 100
$ 60
€ 45€ 30
Ripple Credit Network
5
BTC 5 BTC 10
XYZ 40
GD
W 10
XID 100FMM 280
~ 1 day
~ 5 seconds
Tx time Worldwide, inter-currency tx Integrity
AED 10
£ 70
CAD 100
$ 60
€ 45€ 30
Ripple Credit Network
5
BTC 5 BTC 10
XYZ 40
GD
W 10
XID 100FMM 280
~ 1 day
~ 5 seconds
High fees
Tiny fees
Tx time Worldwide, inter-currency tx Integrity
AED 10
£ 70
CAD 100
$ 60
€ 45€ 30
Ripple Credit Network
5
BTC 5 BTC 10
XYZ 40
GD
W 10
XID 100FMM 280
~ 1 day
~ 5 seconds
High fees
Tiny fees
Tx time Worldwide, inter-currency tx Integrity
Bank only
Public verifiability
AED 10
£ 70
CAD 100
$ 60
€ 45€ 30
Ripple Credit Network
5
BTC 5 BTC 10
XYZ 40
GD
W 10
XID 100FMM 280
~ 1 day
~ 5 seconds
High fees
Tiny fees
Tx time Worldwide, inter-currency tx Integrity
Bank only
Public verifiability
AED 10
Ripple can significantly
improve cross-currency
remittance and settlements
Public Verifiability & Privacy Problem
6
Credit Graph
Transaction Details
The Ripple Ledger
Public Verifiability & Privacy Problem
6
Credit Graph
Transaction Details
The Ripple Ledger
Listening to Whispers of Ripple: Linking Wallets and Deanonymizing Transactions
in the Ripple Network
Pedro Moreno-Sanchez, Muhammad Bilal Zafar, Aniket Kate.
PETS ‘16
Public Verifiability & Privacy Problem
6
Credit Graph
Transaction Details
Current credit networks use a global ledger
The Ripple Ledger
Listening to Whispers of Ripple: Linking Wallets and Deanonymizing Transactions
in the Ripple Network
Pedro Moreno-Sanchez, Muhammad Bilal Zafar, Aniket Kate.
PETS ‘16
Our Contributions
7
Our Contributions
7
✦ We question the need for a global ledger and global consensus
Our Contributions
7
✦ We question the need for a global ledger and global consensus
✦ SilentWhispers: Decentralized credit network with security and privacy guarantees
Privacy Preserving Payments in Credit Networks
Pedro Moreno-Sanchez, Aniket Kate, Matteo Maffei and Kim Pecina
[NDSS ’15]
In this work, security and privacy properties defined in the UC framework
Our Contributions
7
✦ We question the need for a global ledger and global consensus
✦ SilentWhispers: Decentralized credit network with security and privacy guarantees
✦ SilentWhispers overcomes several challenges: existence of a path, credit on a path and integrity of transactions
Privacy Preserving Payments in Credit Networks
Pedro Moreno-Sanchez, Aniket Kate, Matteo Maffei and Kim Pecina
[NDSS ’15]
In this work, security and privacy properties defined in the UC framework
Our Contributions
7
✦ We question the need for a global ledger and global consensus
✦ SilentWhispers: Decentralized credit network with security and privacy guarantees
✦ SilentWhispers overcomes several challenges: existence of a path, credit on a path and integrity of transactions
✦ SilentWhispers is feasible in practice and it has attracted attention from industry
Privacy Preserving Payments in Credit Networks
Pedro Moreno-Sanchez, Aniket Kate, Matteo Maffei and Kim Pecina
[NDSS ’15]
In this work, security and privacy properties defined in the UC framework
SilentWhispers: A Decentralized Credit Network
8
SilentWhispers: A Decentralized Credit Network
✦ Local Information suffices: Credit links of a user determine his credit in the network
8
SilentWhispers: A Decentralized Credit Network
✦ Local Information suffices: Credit links of a user determine his credit in the network
8
45015
25
In-flow = 450 Out-flow = 40
Net-flow = 410Alice
Bob
Charles
SilentWhispers: A Decentralized Credit Network
✦ Local Information suffices: Credit links of a user determine his credit in the network
8
✦ Net-flow is what matters: Net-flow of a user must not change without the user’s consent
45015
25
In-flow = 450 Out-flow = 40
Net-flow = 410Alice
Bob
Charles
SilentWhispers: A Decentralized Credit Network
✦ Local Information suffices: Credit links of a user determine his credit in the network
8
✦ Net-flow is what matters: Net-flow of a user must not change without the user’s consent
45015
25
In-flow = 450 Out-flow = 40
Net-flow = 410
15
25
In-flow = 450 Out-flow = 40
Net-flow = 410
5
450
Alice
Bob
Charles
Alice
Bob
Charles
Charles
SilentWhispers: A Decentralized Credit Network
✦ Local Information suffices: Credit links of a user determine his credit in the network
8
✦ Net-flow is what matters: Net-flow of a user must not change without the user’s consent
45015
25
In-flow = 450 Out-flow = 40
Net-flow = 410
25
10 In-flow = 450 Out-flow = 40
Net-flow = 410
5
450
Alice
Bob
Charles
Alice
Bob
Charles
Charles
SilentWhispers: A Decentralized Credit Network
✦ Local Information suffices: Credit links of a user determine his credit in the network
8
✦ Net-flow is what matters: Net-flow of a user must not change without the user’s consent
45015
25
In-flow = 450 Out-flow = 40
Net-flow = 410
25
10 In-flow = 450 Out-flow = 40
Net-flow = 410
5
445
Alice
Bob
Charles
Alice
Bob
Charles
Charles
SilentWhispers: A Decentralized Credit Network
✦ Local Information suffices: Credit links of a user determine his credit in the network
8
✦ Net-flow is what matters: Net-flow of a user must not change without the user’s consent
45015
25
In-flow = 450 Out-flow = 40
Net-flow = 410
25
10 In-flow = 450 Out-flow = 40
Net-flow = 410
5
44544535
Alice
Bob
Charles
Alice
Bob
Charles
Charles
Challenges
✦ Find paths between users?
✦ Credit available in the path?
✦ Integrity of transactions?
✦ And more …
9
The routing challenge
10
Routing Challenge: Landmark Routing
11
Routing Challenge: Landmark Routing
✦ Determine credit path from sender to receiver
11
Routing Challenge: Landmark Routing
✦ Determine credit path from sender to receiver
✦ Common problem in standard networks and ad-hoc networks
11
Routing Challenge: Landmark Routing
✦ Determine credit path from sender to receiver
✦ Common problem in standard networks and ad-hoc networks
✦ The max-flow approach:✦ Not scalable enough: O(V3) or O(V2log(E))
11
Routing Challenge: Landmark Routing
✦ Determine credit path from sender to receiver
✦ Common problem in standard networks and ad-hoc networks
✦ The max-flow approach:✦ Not scalable enough: O(V3) or O(V2log(E))
✦ Landmark routing [Tschusiya ’89]✦ Calculate subset of all paths
11
Routing Challenge: Landmark Routing
✦ Determine credit path from sender to receiver
✦ Common problem in standard networks and ad-hoc networks
✦ The max-flow approach:✦ Not scalable enough: O(V3) or O(V2log(E))
✦ Landmark routing [Tschusiya ’89]✦ Calculate subset of all paths
11
Routing Challenge: Landmark Routing
✦ Determine credit path from sender to receiver
✦ Common problem in standard networks and ad-hoc networks
✦ The max-flow approach:✦ Not scalable enough: O(V3) or O(V2log(E))
✦ Landmark routing [Tschusiya ’89]✦ Calculate subset of all paths
11
U2 U3
Routing Challenge: Landmark Routing
✦ Determine credit path from sender to receiver
✦ Common problem in standard networks and ad-hoc networks
✦ The max-flow approach:✦ Not scalable enough: O(V3) or O(V2log(E))
✦ Landmark routing [Tschusiya ’89]✦ Calculate subset of all paths
11
U2 U3
U1 U4
Routing Challenge: Landmark Routing
✦ Determine credit path from sender to receiver
✦ Common problem in standard networks and ad-hoc networks
✦ The max-flow approach:✦ Not scalable enough: O(V3) or O(V2log(E))
✦ Landmark routing [Tschusiya ’89]✦ Calculate subset of all paths
11
U2 U3
U1 U4
Routing Challenge: Landmark Routing
✦ Determine credit path from sender to receiver
✦ Common problem in standard networks and ad-hoc networks
✦ The max-flow approach:✦ Not scalable enough: O(V3) or O(V2log(E))
✦ Landmark routing [Tschusiya ’89]✦ Calculate subset of all paths
11
U2 U3
…
U1 U4
Routing Challenge: Landmark Routing
✦ Determine credit path from sender to receiver
✦ Common problem in standard networks and ad-hoc networks
✦ The max-flow approach:✦ Not scalable enough: O(V3) or O(V2log(E))
✦ Landmark routing [Tschusiya ’89]✦ Calculate subset of all paths✦ Enough in practice1,2
✦ More efficient than max-flow1,2
11
U2 U3
…
U1 U4 1[Moreno-Sanchez et al. NDSS ’15] 2[Viswanath et al. EUROSYS ’12]
Calculation of credit available in a path
12
Credit in a Path: SMPC
30 15 25 10
13
Credit in a Path: SMPC
30 15 25 10
13
Credit in a Path: SMPC
30 15 25 10
[30]
[30]
[30]
13
[x]: Secret share of x
Credit in a Path: SMPC
30 15 25 10
[30]
[30]
[30]
✦ Given [x] it is not possible to know x
13
[x]: Secret share of x
Credit in a Path: SMPC
30 15 25 10
[30]
[30]
[30]
✦ Given [x] it is not possible to know x
13
[x]: Secret share of x
[15]
[15]
Credit in a Path: SMPC
30 15 25 10
[30]
[30]
[30]
✦ Given [x] it is not possible to know x
13
[x]: Secret share of x
[15]
[15]
[25]
[25]
[25]
Credit in a Path: SMPC
30 15 25 10
[30]
[30]
[30]
✦ Given [x] it is not possible to know x
13
[x]: Secret share of x
[15]
[15]
[25]
[25]
[25]
[10]
[10]
[10]
Credit in a Path: SMPC
30 15 25 10
[30]
[30]
[30]
✦ Given [x] it is not possible to know x
13
[x]: Secret share of x
[15]
[15]
[25]
[25]
[25]
[10]
[10]
[10]
[credit on path]
[credit on path]
[credit on path]
Credit in a Path: SMPC
30 15 25 10
[30]
[30]
[30]
✦ Given [x] it is not possible to know x✦ Given “enough” copies of [x] one can reconstruct x
13
[x]: Secret share of x
[15]
[15]
[25]
[25]
[25]
[10]
[10]
[10]
[credit on path]
[credit on path]
[credit on path]
Credit in a Path: SMPC
30 15 25 10
[30]
[30]
[30]
✦ Given [x] it is not possible to know x✦ Given “enough” copies of [x] one can reconstruct x
✦ Landmarks cannot force credit losses to honest users13
[x]: Secret share of x
[15]
[15]
[25]
[25]
[25]
[10]
[10]
[10]
[credit on path]
[credit on path]
[credit on path]
Integrity of the transactions
14
Transaction Integrity: 2-Step Transactions
15
Transaction Integrity: 2-Step Transactions
✦ 2-step transaction: on hold and settle✦ Example:
15
15 20
5
Transaction Integrity: 2-Step Transactions
✦ 2-step transaction: on hold and settle✦ Example:
15
1510
20
(5)
5
Transaction Integrity: 2-Step Transactions
✦ 2-step transaction: on hold and settle✦ Example:
15
15251020
(5) (5)
5
Transaction Integrity: 2-Step Transactions
✦ 2-step transaction: on hold and settle✦ Example:
15
15251020
Ok, received!
(5) (5)
5
Transaction Integrity: 2-Step Transactions
✦ 2-step transaction: on hold and settle✦ Example:
15
152510 Ok, received!
(5)
5
Transaction Integrity: 2-Step Transactions
✦ 2-step transaction: on hold and settle✦ Example:
15
152510
Incentive
Ok, received!
(5)
5
Transaction Integrity: 2-Step Transactions
✦ 2-step transaction: on hold and settle✦ Example:
15
2510
Incentive
Ok, received!
5
Transaction Integrity: 2-Step Transactions
✦ 2-step transaction: on hold and settle✦ Example:
15
2510
Incentive
Ok, received!
5
No! our credit is 15!
Transaction Integrity: 2-Step Transactions
✦ 2-step transaction: on hold and settle✦ Example:
15
2510
Incentive
Ok, received!
5
No! our credit is 15!
time1: Init value 15 time1: Init value 15
Transaction Integrity: 2-Step Transactions
✦ 2-step transaction: on hold and settle✦ Example:
15
2510
Incentive
Ok, received!
5
No! our credit is 15!
time1: Init value 15
time2: Hold 5 for tx
time1: Init value 15
time2: Hold 5 for tx
Transaction Integrity: 2-Step Transactions
✦ 2-step transaction: on hold and settle✦ Example:
15
2510
Incentive
Ok, received!
5
No! our credit is 15!
time1: Init value 15
time2: Hold 5 for tx
time1: Init value 15
time2: Hold 5 for tx
time3: Confirmation tx
Transaction Integrity: 2-Step Transactions
✦ 2-step transaction: on hold and settle✦ Example:
15
2510
Incentive
Ok, received!
5
No! our credit is 15!
time1: Init value 15
time2: Hold 5 for tx
time1: Init value 15
time2: Hold 5 for tx
time3: Confirmation tx WrongRight
Transaction Integrity: 2-Step Transactions
✦ 2-step transaction: on hold and settle✦ Example:
15
2510
Incentive
Ok, received!
5
No! our credit is 15!
time1: Init value 15
time2: Hold 5 for tx
time1: Init value 15
time2: Hold 5 for tx
time3: Confirmation tx
✦ In case of dispute, users must prove the link values ✦ Reputation of users is at stake
WrongRight
Evaluation
16
Evaluation
17
Evaluation
✦ C++ prototype implementation ✦ MPC-Shared library: https://github.com/Zayat/MPC-Shared
17
Evaluation
✦ C++ prototype implementation ✦ MPC-Shared library: https://github.com/Zayat/MPC-Shared
✦ Setup using Ripple transactions: ✦ Maximum path length: 10 links ✦ Maximum number of paths: 7 landmarks (Ripple Gateways)
17
Evaluation
✦ C++ prototype implementation ✦ MPC-Shared library: https://github.com/Zayat/MPC-Shared
✦ Setup using Ripple transactions: ✦ Maximum path length: 10 links ✦ Maximum number of paths: 7 landmarks (Ripple Gateways)
✦ Computing available credit on a path in ~1.3 seconds ✦ Different paths in parallel
17
Evaluation
✦ C++ prototype implementation ✦ MPC-Shared library: https://github.com/Zayat/MPC-Shared
✦ Setup using Ripple transactions: ✦ Maximum path length: 10 links ✦ Maximum number of paths: 7 landmarks (Ripple Gateways)
✦ Computing available credit on a path in ~1.3 seconds ✦ Different paths in parallel
17
Feasible to run in practice current Ripple transactions
Evaluation
✦ C++ prototype implementation ✦ MPC-Shared library: https://github.com/Zayat/MPC-Shared
✦ Setup using Ripple transactions: ✦ Maximum path length: 10 links ✦ Maximum number of paths: 7 landmarks (Ripple Gateways)
✦ Computing available credit on a path in ~1.3 seconds ✦ Different paths in parallel
✦ SilentWhispers has attracted the attention from industry: ✦ KOINA: A credit network with market-specific currencies
https://koina.cc/
17
Feasible to run in practice current Ripple transactions
(Crypto)currencies vs SilentWhispers
18
(Crypto)currencies vs SilentWhispers
(Crypto)Currencies SilentWhispersSilentWhispers
Transfer of funds:
Direct transactions between any two wallets
Transactions only via a path with enough credit
Transactions only via a path with enough credit
18
(Crypto)currencies vs SilentWhispers
(Crypto)Currencies SilentWhispersSilentWhispers
Transfer of funds:
Direct transactions between any two wallets
Transactions only via a path with enough credit
Transactions only via a path with enough credit
Transaction flexibility
Fixed currency agreed between sender and receiver
Support for cross-currency transactions
Support for cross-currency transactions
18
(Crypto)currencies vs SilentWhispers
(Crypto)Currencies SilentWhispersSilentWhispers
Transfer of funds:
Direct transactions between any two wallets
Transactions only via a path with enough credit
Transactions only via a path with enough credit
Transaction flexibility
Fixed currency agreed between sender and receiver
Support for cross-currency transactions
Support for cross-currency transactions
Transaction verification Globally verified
Locally verified by users in the path
Locally verified by users in the path
18
(Crypto)currencies vs SilentWhispers
(Crypto)Currencies SilentWhispersSilentWhispers
Transfer of funds:
Direct transactions between any two wallets
Transactions only via a path with enough credit
Transactions only via a path with enough credit
Transaction flexibility
Fixed currency agreed between sender and receiver
Support for cross-currency transactions
Support for cross-currency transactions
Transaction verification Globally verified
Locally verified by users in the path
Locally verified by users in the path
Scalability:Limited transaction rate
(< 100 tps)Highly scalableHighly scalable
18
Take Home Message
19
Take Home Message
19
✦ A credit network does not require a ledger or global consensus
Take Home Message
19
✦ A credit network does not require a ledger or global consensus
✦ SilentWhispers: A decentralized credit network that addresses several challenges
Take Home Message
19
✦ A credit network does not require a ledger or global consensus
✦ SilentWhispers: A decentralized credit network that addresses several challenges
✦ SilentWhispers is feasible in practice and it has attracted attention from industry
Take Home Message
19
✦ A credit network does not require a ledger or global consensus
✦ SilentWhispers: A decentralized credit network that addresses several challenges
✦ SilentWhispers is feasible in practice and it has attracted attention from industry
✦ SilentWhispers greatly differs from cryptocurrencies currently available
Take Home Message
19
✦ A credit network does not require a ledger or global consensus
✦ SilentWhispers: A decentralized credit network that addresses several challenges
✦ SilentWhispers is feasible in practice and it has attracted attention from industry
✦ SilentWhispers greatly differs from cryptocurrencies currently available
Thanks! @pedrorechez