Financial Cryptography and Data Security 2020
Layer1
Kevin Alarcón Negy (Cornell University), Peter R. Rizun (Bitcoin Unlimited), Emin Gün Sirer (Cornell University)
Background: "Critics" on selfish mining
1. Selfish mining is unprofitable because time spent on forking blocks only serves to reduce the speed at which the main chain grows. Hence, the argument goes, an increase in relative revenue is meaningless because profit per time-unit decreases.
2. Selfish mining must necessarily involve long-duration attacks that persist past a difficulty adjustment in order to be profitable.
Contribution: Falsify these claims by intermittent selfish mining strategy which consists of two phases
Phase 1: Normal selfsh mining. Profit per time-unit decreases due to the attacker's orphaned blocks.
→ This lowers mining difficulty
Phase 2: Switches to honest mining.
Result: Profits more relative to the honest miner and per time unit.
Q. Ethereum's rewarding for orphan blocks?
A. Favor the attacker more. However, to count oprhan blocks in the main chain might be useful in the difficulty adjustment.
Rainer Stütz (Austrian Institute of Technology), Peter Gaži (IOHK), Bernhard Haslhofer (Austrian Institute of Technology), Jacob Illium (Chainalysis)
Background: Stake distribution lag i.e., the gap between the present stake distribution and the one to select conesnsus nodes
E.g., Ouroboros (7 days), Ouroboros Praos/Genesis (10 days), Algorand (1 or 2 days)
Contribution: Empirical analysis
Use Chainanalysis's attribution data
Problem: No widely deployed PoS → Investigate PoW currencies (Bitcoin, Bitcoin Cash, Litecoin and Zcash)
Unusual stake-shift spikes due to hard forks trigger and exchange hacks
nrryuya.icon > An advantage of deposit-based PoS (e.g. Casper) is no concern like stake distribution lag!
Mingchao Yu, Saeid Sahraei, Songze Li, Salman Avestimehr (USC), Sreeram Kannan (University of Washington), Pramod Viswanath (UIUC)
Background: Erasure coding for data invalidity/unavailability attack in light client/sharding (Al-bassam et al.) Contribution: Propose SPAR protocol
A new hash accumulator named coded Merkle tree (CMT), which encodes every layer of the tree to protect the availability of the entire tree. This way, the Merkle proof of every coded symbol will be available, which will enable every parity equation to be committed and verified alone
https://gyazo.com/f8091adf49b284d61ae7de8bd9819e16
Drawback: Higher sampling cost
The cost of SPAR is about 10∼16 (resp. 2.5∼4) times of 2D-RS under strong (resp. weak) adversaries
Georgios Birmpas, Elias Koutsoupias (University of Oxford), Philip Lazos (Sapienza University of Rome), Francisco J. Marmolejo Cossío (University of Oxford)
Contribution: Theoretical framework that captures a large family of DAG-based protocols (Bitcoin and SPECTRE)
Fairness: Miners earn block reward proportional to the computational resources they spend
Efficiency: Higher throughput of transactions (original goal of DAG-based protocols)
PoW efficiency: is the fraction of globally valid transactions that are present within the valid sub DAG of the block DAG, over all published transactions.
Qin Wang (Swinburne University of Technology), Jiangshan Yu (Monash University), Zhiniang Peng (Qihoo 360 Core Security), Vancuong Bui (Swinburne University of Technology), Shiping Chen (Csiro, Data61), Yong Ding (Cyberspace Security Research Center), Yang Xiang (Swinburne University of Technology)
Background: NEO's dBFT: only 2-phase, no safety
Contribution: Fix dBFT like PBFT Privacy
Benedikt Bünz (Stanford University), Shashank Agrawal, Mahdi Zamani (Visa Research), Dan Boneh (Stanford University)
Video @2nd ZKProof Workshop Contribution: Account-based confidential payment on top of Ethereum
Confidentiality: Homomorphic encryption, not Pedersen commitment
ElGamal Encryption of the transfer amount
Rationale: To hide account balances w/ Pedersen commitment allows an attacker to withhold the blinding factor
ZK-proof to show that the ciphertexts are well-formed, they encrypt the same positive value, and the remaining balance associated with the sender
Propose a new ZK-proof system, called Σ-Bullets
Front-running prevention: Additional "temporal" account balance
Extension: 1 of k aononimty
Drawback 1: the size of ZK-proof for a transfer increases linearly with the size of the anonymity set
Drawback 2: Users would be able to do only one transfer or burn transaction per epoch (a few blocks)
Applications: sealed-bid auction, confidential payment channel, confidential stake-voting, and private proof-of-stake
Shengjiao Cao, Yuan Yuan (Ant Financial), Angelo De Caro, Karthik Nandakumar, Kaoutar Elkhiyaoui, Yanyan Hu (IBM Research)
Background: Netting in inter-bank payment systems, preventing gridlock due to the lack of liquidity
Correctness: (i) when the sender’s account is debited x dollars, the receiver’s account is credited x dollars; and (ii) participants will not pay more than their current balance plus their allowed credit.
Fairness: should not favor any participant in terms of payment settlement priority, rather it should reach an overall optimal netting strategy, i.e. either the maximum number of instructions settled, or the maximum amount of payments settled.
Contribution: The first netting protocol without any central party that guarantees correctness, fairness and confidentiality (of the payment amounts)
Pedersen commitment of the current balance & payment amount + ZK range proof
Q&A: MPC can also solve the same problem.
Riad S. Wahby (Stanford), Dan Boneh (Stanford), Christopher Jeffrey (Purse.io), Joseph Poon (Lightning Network)
Background: Privacy problem in airdrops (e.g., Bitcoin address, GitHub pubkey), which potentially disincentivizes paritipation
Contribution: Privacy-preserving airdrop protocol
A new ZKP of knowledge of the factorization of a committed secret integer (may be of independent interest) tailored to this application
Comparision
VS Group Sig: Anonymity set is all key owners
VS Ring Sig: Signing and verifying time & signature size are all logarithmic (VS linear) in the size of the anonymity set
VS Cryptonote (Monero): Generic i.e., applicable for any sig scheme
Monero
Tsz Hon Yuen (The University of Hong Kong), Shi-feng Sun, Joseph K. Liu (Monash University), Man Ho Au (Hong Kong Polytechnic University), Muhammed F. Esgin (Monash University), Qingzhao Zhang, Dawu Gu (Shanghai Jiao Tong University)
Background: RingCT (Monero) linkable ring signature + confidential transaction
The size of each signatures is the ring size$ O(n)($ nis the number of potential signers, hence$ n \le 20in practice)
$ O(Mn)for$ Mtransaction inputs
RingCT2.0: $ O(1)size signature w/ trusted public parameters Contribution: Propose RingCT3.0 w/ ring signature size of$ O(M + \log n)
Based on a new ring signature scheme; the shortest ring signature without trusted setup in the literature
Able to support larger anonymity set (e.g., 10^5 users with less than 1800 bytes for the signature size)
Give a stronger security model for anonymity by considering insider attack for RingCT3.0
Pedro Moreno-Sanchez (TU Wien), Arthur Blue, Duc Le (Purdue University), Sarang Noether, Brandon Goodell (Monero Research Lab), Aniket Kate (Purdue University)
Background: Monero's reduced expressiveness and interoperability, severe scalability issues
1. Restricted to coin exchanges among individual addresses and no further functionality is supported
2. Transactions are authorized by linkable ring signatures, hindering thereby the interoperability with the cryptocurrencies that support different digital signature schemes.
3. Transactions require an on-chain footprint larger than other cryptocurrencies, leading to a rapid ledger growth and thus scalability issues.
Contribution: Propose Dual Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups (DLSAG)
Enables non-interactive refund transactions
Application: Payment channels/networks, atomic swaps and interoperable payments
Layer2
Lewis Gudgeon (Imperial College London), Pedro Moreno-Sanchez (TU Wein), Stefanie Roos (TU Delft), Patrick McCorry (PISA Research), Arthur Gervais (Imperial College London)
Contribution: SoK of Layer2 protocols i.e. payment/state channels and commit chains (NOCUST, Plasma)
https://gyazo.com/639d8ce11847d47129023439ea56feb5
Cristina Pérez-Solà (Universitat Oberta de Catalunya), Alejandro Ranchal-Pedrosa (University of Sydney), Jordi Herrera-Joancomarti, Guillermo Navarro-Arribas (Universitat Autònoma de Barcelona), Joaquin Garcia-Alfaro (Institut Polytechnique de Paris)
Background: Lightning network (LN)
Contribution: Propose the Lockdown attack, which blocks LN middle nodes in multipath payments.
A successful attack gives the adversary a dominant position in the LN
Improve the cost and effectiveness of a naive strategy
Joachim Neu, Vivek Bagaria, David Tse (Stanford University)
Background: Multi-path routing in payment-channel networks
Split transfers into partial payments and routing them along multiple paths.
Delays and failures on some payment paths stall the whole transfer.
Contribution: Propose Boomerang to construct redundant payment paths to reduce the latency
Result: 40 % latency reduction and 2x throughput increase.
Incentives in Payment channels/networks
Oguzhan Ersoy, Stefanie Roos, Zekeriya Erkin (Delft University of Technology)
Background: Fee setting in Lightning Network hubs
Contribution: Propose profit maximization strategy
Formalization of the optimization problem (NP-hard)
Design a greedy algorithm to approximate the optimal solution.
In each step, it establishes a channel that maximizes the increase to A’s total reward, which corresponds to maximizing the number of shortest paths passing through A
Evaluation: Simulation with empirical data
Zeta Avarikioti, Lioba Heimbach, Yuyi Wang, and Roger Wattenhofer (ETH Zürich)
A player unilaterally creates links to minimize the sum of distances to other players in the network (closeness centrality)
Contribution: A game-theoretic approach to analyze the creation of blockchain payment networks and its topologies
Closeness centrality & betweenness centrality (for all the pair of players, how likely the player is in the shortest path)
Depending on the parameters, the nash equilibrium can be complete graph, star graph or biclique.
Study the price of anarchy (resp. stability), the ratio of the social costs of the worst (resp. best) Nash equilibrium and the social optimum
Q&A: Assuming a static set of participants.
Zeta Avarikioti (ETH Zurich), Orfeas Stefanos Thyfronitis Litos (University of Edinburgh), Roger Wattenhofer (ETH Zurich)
Background: Incentives of the watchtowers in payment channels
Pisa: Not secure against bribing since the watchtower’s collateral is not linked to the party or the channel on-chain, hence the watchtower can double-spend it & Not compatible with Bitcoin.
Contribution: Cerberus channels, incentivized watchtowers in Bitcoin payment channels
The watchtower is paid for every transaction executed on the channel and locks collateral on-chain as guarantee for its honest behavior. Penalized in case they do not act upon fraud.
Q&A: Watchtower can be replaced either off-chain or on-chain
Atomic swap
Ethan Heilman (Boston University/Arwen), Sebastien Lipmann (Arwen), Sharon Goldberg (Boston University/Arwen)
Background: Trading on blockchains
On-chain trading: High latency, front-running
Atomic swap (TierNolan): asset lockup griefing, free option (American call option)
Contribution: Propose atomic-swap-based trading protocol between a user and a centralized exchange
Disincentivize Lockup griefing (by a user): The user pay an escrow fee. The user receives a rebate of a portion of the escrow fee if she closes the exchange escrow cooperatively, before it expires.
Overcome free option: RFQs (Request For Quote), the exchange’s quote includes a spread around the current price compensating the exchange for price movements after the quote is given.
Cross-chain primitives
Aggelos Kiayias (University of Edinburgh and IOHK), Andrew Miller (UIUC), Dionysis Zindros (University of Athens and IOHK)
Nice explanation already exists in the website Kostis Karantias (IOHK), Aggelos Kiayias (University of Edinburgh and IOHK), Dionysis Zindros (University of Athens and IOHK)
Background: Proof-of-burn
Application: Bootstrapping new cryptocurrencies
Contribution: Formalization of proof-of-burn
Two functions: Burn address generator & Verification function
Properties: Unspendability, binding (associating metadata with a particular burn) and uncensorability (a burn address is
indistinguishable from a regular cryptocurrency address)
Proofs in Random oracle model
Comparision:
https://gyazo.com/ce71caa14fce570f6159abc1eb9ee518
Evaluation: Bitcoin & Ethereum (burn verification in Ethereum costs $0.28 per transaction)
Empirical Studies
Friedhelm Victor (Technical University of Berlin)
Contribution: The first clustering heuristics for Ethereum’s account
1. Exchanges' deposit address: Exhanges typically creates a deposit address per custormer to credit the assets
Multiple addresses that send funds to the same deposit address are highly likely to be controlled by the same entity
2. Airdrop multi-participation: Multiple addresses receives airdrops send them to the same address
3. ERC20 Self approval for test purposes or risk distribution over several addresses
Result: cluster 17.9% of all active externally owned account addresses
Drawback (of clustering in general): difficult to assess the quality of the clustering heuristics
Tong Cao (University of Luxembourg), Jiangshan Yu (Monash University), Jérémie Decouchant (University of Luxembourg), Xiapu Luo (The Hong Kong Polytechnic University), Paulo Esteves-Veríssimo (University of Luxembourg)
Contribution: The first step study on understanding Monero’s peerto-peer (P2P) network
Effective tool to Infer its topology, size, node distribution, and node connectivity
Result: Show that Monero’s network is highly centralized — 13.2% of the nodes collectively maintain 82.86% of the network connections
Blockchain Applications
Ghada Almashaqbeh (Columbia), Allison Bishop (Proof of Trading and Columbia), Justin Cappos (New York University)
Background: Probabilistic Micropayments to solve the "transaction fee > payment value" problem in micropayments
The total payment value is locked in an escrow and micropayments are issued as lottery tickets.
Each ticket has a probability$ pof winning a lottery, and when it wins, produces a transaction of$ \betacurrency units
Background 2: Probabilistic micropayments with cryptocurrencies
Problem: Require large number of escrows
Contribution: MicroCash, that supports concurrent micropayments w/ a single escrow
Federico Franzoni, Vanesa Daza (Universitat Pompeu Fabra), Iván Abellán (Universitat Pompeu Fabra)
Backgroud: Use Bitcoin for botnet Command & Control (C&C)
Zombiecoin (FC'15)
Contribution: Use Bitcoin testnet, instead of the mainnet, for cost-free, bidirectional, and encrypted C&C channel
Amani Moin, Kevin Sekniqi, Emin Gün Sirer (Cornell University)
Contribution: Classification Framework for Stablecoin
Peg, collateral, mechanism, and price information
Q. "Which one do you think is the best?"
A. "Saga, for scailability." Initially pegged to the IMF’s special drawing rights (SDR), later to the consumer price index (CPI)
Magnus Krogsbøll, Liv Hartoft Borre (IT University of Copenhagen), Tijs Slaats, and Søren Debois
Implement the processes of a municipal government in Dennmark on blockchain
"Risk clearly outweighed any benefits" (e.g. single point of failure the municipal government: losing blockchain private keys)
Non-blockchain papers
Pierrick Gaudry (CNRS, Inria, Université de Lorraine), Alexander Golovnev (Harvard University)
Background: E-voting for the election at the Parliament of the city of Moscow
Contribution: Show two successful attacks on the encryption scheme (ElGamal) and other various issues
Esteban Landerreche (CWI Amsterdam), Marc Stevens (CWI Amsterdam), Christian Schaffner (University of Amsterdam)
Background: Cryptographic Timestamping
w/ PoW (Bitcoin): wasteful
w/ PoS: Long-range attacks, requiring secure erasure (of keys) like Ouroboros Praos
Nils Wisiol, Niklas Pirnay (TU Berlin)
Background: Arbiter Physically Unclonable Functions (PUFs)
Contribution: Demonstrate XOR Arbiter PUFs with an even number of arbiter chains have inherently biased responses
Proposal: use XOR Arbiter PUFs with odd numbers of arbiter chains
Evaluation: Simulation
Nabil Alkeilani Alkadri (Technische Universität Darmstadt), Rachid El Bansarkhani (QuantiCor Security GmbH), Johannes Buchmann (Technische Universität Darmstadt)
Contribution: Propose BLAZE, a new practical blind signature scheme from lattice assumptions.
Secure Computation
Satsuya Ohata (AIST), Koji Nuida (The University of Tokyo / AIST)
Anselme Tueno (SAP SE), Florian Kerschbaum (University of Waterloo), Stefan Katzenbeisser (University of Passau), Yordan Boev (SAP SE), Mubashir Qureshi (SAP SE)
Carsten Baum (Aarhus University), Bernardo David (IT University of Copenhagen), Rafael Dowsley (Bar-Ilan University)
See also: a note by Ross Anderson