Bitcoin is a digital currency scheme that was created in response to the 2008 financial crisis. Its goal is to take control of the monetary system away from central banks. Anyone can create money using Bitcoin if he or she can do a complicated calculation rapidly enough. That computational barrier prohibits hostile hackers from gaining access to the system using a variety of smart protocols.
Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory are presenting a novel system that employs Bitcoin’s security mechanism to guard against online identity theft at the IEEE Symposium on Security and Privacy this week.
“Our study is about leveraging Bitcoin to prevent online services from getting away with lying,” says Alin Tomescu, the article’s primary author and a graduate student in electrical engineering and computer science. “When you design distributed systems and communicate each other digital signatures, for example, such systems might be hacked and lie.” They have the ability to say one thing to one person and another to another. And we want to avoid it.”
An attacker who has hacked a public-key encryption system, for example, may “certify” — or cryptographically declare the authenticity of — a bogus encryption key in order to deceive users into divulging confidential information. But it couldn’t decertify the genuine key without sending off alarms, so there would be two keys in circulation with the same authority’s certification. The novel approach, designed by Tomescu and his thesis adviser, Srini Devadas, the Edwin Sibley Webster Professor of Electrical Engineering and Computer Science at MIT, guards against such “ambiguity.”
Because Bitcoin is fully decentralized, the only thing that ensures its dependability is a vast public record — known as the blockchain — of every Bitcoin transaction made since the system’s inception in 2009. Earlier solutions employed Bitcoin machinery to prevent ambiguity, but verification required downloading the complete blockchain, which is 110 terabytes and expanding hourly. Tomescu and Devadas’ technology, on the other hand, needs just roughly 40 megabytes of data to be downloaded, making it suitable for use on a smartphone.
Extending the blockchain is essential to the process of minting — or “mining” — new bitcoins. The mining process is based on a mathematical function known as a one-way hash function, which accepts three inputs: the most recent log entry in the blockchain; a new blockchain record in which the miner awards himself or herself a set amount of new bitcoins (currently 12.5); and an integer. The method returns a string of 1s and 0s.
Mining is the process of attempting to discover a value for the input integer that results in an output string with a certain number of leading 0s — presently about 72. There is no other way to accomplish this except to experiment with a large number of choices, and even with a massive bank of computers churning away in the cloud, the process normally takes approximately 10 minutes. And it’s a race: Adding a new entry — or “block” — to the blockchain invalidates all previous miners’ work, forcing them to restart using the newly added block as an input.
A new block in the blockchain not only assigns the winning miner the current quota of bitcoins, but it also records recent transactions by Bitcoin users. Approximately 100,000 business merchants in the real world currently accept bitcoin payments. To authenticate a payment, the payer and seller simply broadcast a transaction record to the Bitcoin network. Miners include the transaction in the blocks they’re working on, and once the transaction appears on the blockchain, it becomes a public record.
An 80-character text commentary may also be added to the transaction record. Eighty characters are insufficient to record, say, all of the public keys validated by a public-key cryptography system. However, it is sufficient to record a cryptographic signature confirming the legitimacy of a certification obtained elsewhere on the Internet.
Previous approaches for avoiding equivocation merely placed such signatures in transaction record annotations. The present security mechanism of Bitcoin precludes tampering with signatures.
However, ensuring that a Web service employing such techniques was not equivocating required inspecting every transaction in every block of the blockchain — or, at the very least, every block added since the service first used the scheme to certify a public statement. Tomescu and Devadas have enhanced the verification method.
Audits that are effective
“Our concept is so basic — it’s embarrassingly easy,” adds Tomescu. The basic need of Bitcoin is that no one bitcoin be spent in more than one location, and the system has cryptographic procedures in place to prevent this from occurring.
So Tomescu and Devadas’ Catena system simply adds the condition that every Bitcoin transaction that records a public statement includes a real bitcoin transfer. Users may simply transfer bitcoin to themselves, but this prevents them from moving bitcoin to anybody else in the same block of the blockchain. As a result, it prevents ambiguity inside the block.
To avoid equivocation across blocks, the Catena user must still affirm that the bitcoin spent in one block is the same one spent the previous time it made a public declaration. However, since the ability to verify a bitcoin’s chain of custody is so critical to the overall health of the Bitcoin system, this is quite simple to do. People who wish to utilize Catena to audit all of a specific Web service’s public claims must still download data from every block of the blockchain. However, customers only need to download a short cryptographic proof — roughly 600 bytes — for each block, rather than the whole megabyte of data.
“The abstraction that the paper lays out is a really good idea — the idea of making it possible to create, say, smaller blockchains or linked lists within a blockchain specific to a specific account or a specific object,” says Bryan Ford, an associate professor of computer science at the Swiss Federal Institute of Technology in Lausanne. “It’s pretty cool, neat, clean, rustic, and well-explained.” It’s very synergistic with an idea we’ve been working on, which is to create an efficiently traversable timeline, which we call a skip chain, which means a timeline you can skip around on arbitrarily forward and back, where you can verify any other point in the timeline very efficiently from any point.”
“It becomes simpler to secure numerous algorithms if you can remove the risk of equivocation,” he says. “It’s a significant issue in general.”