Security and Privacy of Blockchains

Blockchain technology has received a large amount of attention since the creation of Bitcoin in 2009. In our projects related to blockchain technology, we investigate the security and privacy provisions of existing systems such as Bitcoin. In addition, we develop techniques and systems to create new functionalities and to improve on the properties currently provided by blockchain systems.

Bitcontracts: Adding Expressive Smart Contracts to Legacy Cryptocurrencies

In contrast to traditional contracts, cryptocurrency-based smart contracts can provide improved business automation and more transparency. However, not all cryptocurrencies support expressive contracts. For example, Bitcoin only supports a restricted scripting language that is not expressive enough to realize many contracts. Ethereum supports a Turing-complete programming language, but the types of contracts that can be implemented are still severely constrained due to gas limits. Recent research has explored ways to add contract support to legacy currencies like Bitcoin or enable more complex contracts on systems like Ethereum, but such previous solutions have significant security and functional limitations.

In this project we propose Bitcontracts, a novel solution to enable generic and expressive smart contracts on legacy cryptocurrencies. The starting point of our solution is a common off-chain execution model, where the contract's issuers appoint a set of service providers to execute the contract's code; the contract's execution results are accepted if a quorum of service providers reports the same result; and clients are free to choose which such contracts they trust and use. The main technical challenge of this paper is how to realize such a trust model securely and efficiently without modifying the underlying blockchain. Bitcontracts achieves this using two main techniques. First, the state of each contract is stored on the chain, which avoids the need to run expensive consensus protocols between the service providers. Second, the validity of each execution result is bound to the latest state of the chain to prevent double-spending attacks. Bitcontracts can be used to retrofit contracts to currencies like Bitcoin or to extend the contract execution capabilities of systems like Ethereum. We also identify a set of generic properties that a blockchain system must support so that expressive smart contracts can be added safely and efficiently, and analyze existing blockchains based on these criteria.

Members of the project: Karl Wüst, Loris Diana, Kari Kostiainen, Sinisa Matetic, and Srdjan Capkun

Related publication

  • Karl Wüst, Loris Diana, Kari Kostiainen, Ghassan Karame, Sinisa Matetic, and Srdjan Capkun
    Bitcontracts: Adding Expressive Smart Contracts to Legacy Cryptocurrencies [preprint]

ACE: Asynchronous and Concurrent Execution of Complex Smart Contracts

Smart contracts are programmable, decentralized and transparent financial applications. Because smart contract platforms typically support Turing-complete programming languages, such systems are often said to enable arbitrary applications. However, the current permissionless smart contract systems impose heavy restrictions on the types of computations that can be implemented. For example, the globally-replicated and sequential execution model of Ethereum requires low gas limits that make many computations infeasible. 

In this project, we propose a novel system called ACE whose main goal is to enable more complex smart contracts on permissionless blockchains. ACE is based on an off-chain execution model where the contract issuers appoint a set of service providers to execute the contract code independent from the consensus layer. The primary advantage of ACE over previous solutions is that it allows one contract to safely call another contract that is executed by a different set of service providers. Thus, ACE is the first solution to enable off-chain execution of interactive smart contracts with flexible trust assumptions. Our evaluation shows that ACE enables several orders of magnitude more complex smart contracts than standard Ethereum.

Members of the project: Karl Wüst, Sinisa Matetic, Silvan Egli, Kari Kostiainen and Srdjan Capkun

Related publication

  • Karl Wüst, Sinisa Matetic, Silvan Egli, Kari Kostiainen and Srdjan Capkun
    ACE: Asynchronous and Concurrent Execution of Complex Smart Contracts [preprint]

Snappy: Fast On-chain Payments with Practical Collaterals

Permissionless blockchains offer many advantages but also have significant limitations including high latency. This prevents their use in important scenarios such as retail payments, where merchants should approve payments fast. Prior works have attempted to mitigate this problem by moving transactions off the chain. However, such Layer-2 solutions have their own problems: payment channels require a separate deposit towards each merchant and thus significant locked-in funds from customers; payment hubs require very large operator deposits that depend on the number of customers; and side-chains require trusted validators.

In this project, we propose Snappy, a novel solution that enables recipients, like merchants, to safely accept fast payments. In Snappy, all payments are on the chain, while small customer collaterals and moderate merchant collaterals act as payment guarantees. Besides receiving payments, merchants also act as statekeepers who collectively track and approve incoming payments using majority voting. In case of a double-spending attack, the victim merchant can recover lost funds either from the collateral of the malicious customer or a colluding statekeeper (merchant). Snappy overcomes the main problems of previous solutions: a single customer collateral can be used to shop with many merchants; merchant collaterals are independent of the number of customers; and validators do not have to be trusted. Our Ethereum prototype shows that safe, fast (<2 seconds) and cheap payments are possible on existing blockchains.

Members of the project: Vasilios Mavroudis, Karl Wüst, Aritra Dhar, Kari Kostiainen, Srdjan Capkun

Related publication

  • Vasilios Mavroudis, Karl Wüst, Aritra Dhar, Kari Kostiainen, Srdjan Capkun
    Snappy: Fast On-chain Payments with Practical Collaterals
    in Network and Distributed Systems Security (NDSS) Symposium 2020 (to appear) [PDF]

Lightweight Clients for Cryptocurrencies using Trusted Execution

Blockchains offer attractive advantages over traditional payments such as the ability to operate without a trusted authority and increased user privacy. However, the verification of blockchain payments requires the user to download and process the entire chain, which can be infeasible for resource-constrained devices like mobile phones. To address this problem, most major blockchain systems support so-called lightweight clients that outsource most of the computational and storage burden to full blockchain nodes. However, such verification leaks critical information about clients’ transactions, thus defeating user privacy that is often considered one of the main goals of decentralized cryptocurrencies.

In this project, we first propose a new approach to protect the privacy of light clients in Bitcoin. Our main idea is to leverage the trusted execution capabilities of commonly available SGX enclaves. We design and implement a system called BITE where enclaves on full nodes serve privacy-preserving requests from light clients. However, as we will show, naive processing of client requests from within SGX enclaves still leaks clients’ addresses and transactions. BITE therefore integrates several private information retrieval and side-channel protection techniques at critical parts of the system. We show that BITE provides significantly improved privacy protection for light clients without compromising the performance of the assisting full nodes.

Zerocash fixes privacy issues present in Bitcoin by using zero-knowledge proofs to hide the source, destination and amount of the transacted funds in so-called "shielded transactions". To receive payments in Zerocash, however, the recipient must scan the blockchain, testing if each transaction is destined for them. This is not practical for mobile and other bandwidth-constrained devices. To enable use of shielded transactions on such devices, we build ZLiTE, a system that can support light clients, which can receive transactions aided by a server equipped with a Trusted Execution Environment (TEE). Even with the use of a TEE, this is not a trivial problem. First, we must ensure that the server processing the blockchain does not leak sensitive information via side channels. Second, we need to design a bandwidth-efficient mechanism for the client to keep an up-to-date version of the witness needed in order to spend the funds they previously received.

Members of the project: Sinisa Matetic, Karl Wüst, Moritz Schneider, Kari Kostiainen and Srdjan Capkun

Related publication

  • Karl Wüst*, Sinisa Matetic*, Moritz Schneider, Ian Miers, Kari Kostiainen, Srdjan Capkun [*equally contributing authors]
    ZLiTE: Zcash Lightweight Clients using Trusted Execution
    in Proceedings of the International Conference on Financial Cryptography and Data Security (FC), 2019 [PDF, 454 KB]
  • Sinisa Matetic, Karl Wuest, Moritz Schneider, Kari Kostiainen, Ghassan Karame, Srdjan Capkun
    BITE: Bitcoin Lightweight Client Privacy using Trusted Execution
    in Usenix Security Symposium, 2019 [PDF]

PRCash: Fast, Private and Regulated Transactions for Digital Currencies

Decentralized cryptocurrencies based on blockchains provide attractive features, including user privacy and system transparency, but lack active control of money supply and capabilities for regulatory oversight, both existing features of modern monetary systems. These limitations are critical, especially if the cryptocurrency is to replace, or complement, existing fiat currencies. Centralized cryptocurrencies, on the other hand, provide controlled supply of money, but lack transparency and transferability. Finally, they provide only limited privacy guarantees, as they do not offer recipient anonymity or payment value secrecy.

In this project we created a novel digital currency, called PRCash, where the control of money supply is centralized, money is represented as transactions for transferability and improved privacy, and transactions are verified in a distributed manner and published to a public ledger for verifiability and transparency. Strong privacy and regulation are seemingly conflicting features, but we overcome this technical problem with a new regulation mechanism based on zero-knowledge proofs. Our implementation and evaluation show that payments are fast and large-scale deployments practical. PRCash is the first digital currency to provide control of money supply, transparency, regulation, and privacy at the same time, and thus makes its adoption as a fiat currency feasible.

Members of the project: Karl Wüst, Kari Kostiainen and Srdjan Capkun

Related publication

  • Karl Wüst, Kari Kostiainen, Vedran Capkun and Srdjan Capkun
    PRCash: Fast, Private and Regulated Transactions for Digital Currencies
    In Proceedings of the International Conference on Financial Cryptography and Data Security (FC), 2019 [Preprint]

TLS-N: Non-repudiation over TLS

An internet user wanting to share observed content is typically restricted to primitive techniques such as screenshots, web caches or share button-like solutions. These acclaimed proofs, however, are either trivial to falsify or require trust in centralized entities (e.g., search engine caches). This motivates the need for a seamless and standardized internet-wide non-repudiation mechanism, allowing users to share data from news sources, social websites or financial data feeds in a provably secure manner.

Additionally, blockchain oracles that enable data-rich smart contracts typically rely on a trusted third party (e.g., TLSNotary or Intel SGX). A decentralized method to transfer web-based content into a permissionless blockchain without an additional trusted third party would allow for smart contract applications to flourish.

In this project, we created TLS-N, the first TLS extension that provides secure non-repudiation and solves both of the mentioned challenges. TLS-N generates non-interactive proofs about the content of a TLS session that can be efficiently verified by third parties and blockchain based smart contracts. As such, TLS-N increases the accountability for content provided on the web and enables a practical and decentralized blockchain oracle for web content. TLS-N is compatible with TLS 1.3 and adds a minor overhead to a typical TLS session. When a proof is generated, parts of the TLS session (e.g., passwords, cookies) can be hidden for privacy reasons, while the remaining content can be verified.

Members of the project: Hubert Ritzdorf, Karl Wüst, Arthur Gervais and Srdjan Capkun

Related publication

  • Hubert Ritzdorf, Karl Wüst, Arthur Gervais, Guillaume Felley and Srdjan Capkun
    TLS-N: Non-repudiation over TLS Enabling Ubiquitous Content Signing
    in NDSS Symposium, 2018 [Paper]

ROTE: Rollback Protection for Trusted Execution

Intel SGX isolates the runtime memory of protected applications (enclaves) from the OS and allows enclaves to encrypt and authenticate (seal) data for persistent storage. Sealing prevents an untrusted OS from reading or arbitrarily modifying stored data. However, rollback attacks, where the adversary replays an old seal, remain possible. Data integrity violations through rollback can have severe consequences, especially for enclaves that operate on financial data. The SGX architecture was recently updated to support monotonic counters that may be used for rollback prevention, but we show that these counters have significant performance and security limitations.

In this paper we propose a new approach for rollback protection on SGX. The intuition behind our approach is simple. A single platform cannot efficiently prevent rollback, but in many practical scenarios multiple processors can be enrolled to assist each other. We design and implement a rollback protection system called ROTE that realizes integrity protection as a distributed system among participating enclaves. We construct a model that captures the ability of the adversary to schedule the execution of protected applications, and show that our solution achieves a strong security property that we call all-or-nothing rollback: the only way to violate data integrity is to reset all participating platforms to their initial state. We implement ROTE and demonstrate that such a distributed rollback protection mechanism can be very fast. 

Members of the project: Sinisa Matetic, Kari Kostiainen and Srdjan Capkun

Related publication

  • Sinisa Matetic, Ahmed Mansoor, Kari Kostiainen, Aritra Dhar, David Sommer, Ari Juels and Srdjan Capkun
    Rollback Protection for Trusted Execution
    in Usenix Security Symposium, 2017 [Paper]

On the Security and Performance of Proof of Work Blockchains

Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital currencies. Although the security provisions of Bitcoin have been thoroughly analysed, the security guarantees of variant (forked) PoW blockchains (which were instantiated with different parameters) have not received much attention in the literature.

In this project, we introduce a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Based on our framework, we devise optimal adversarial strategies for double-spending and selfish mining while taking into account real-world constraints such as network propagation, different block sizes, block generation intervals, information propagation mechanism, and the impact of eclipse attacks. Our framework therefore allows us to capture existing PoW-based deployments as well as PoW blockchain variants that are instantiated with different parameters, and to objectively compare the tradeoffs between their performance and security provisions.

Members of the project: Arthur Gervais, Karl Wüst, Hubert Ritzdorf and Srdjan Capkun

Related publication

  • Arthur Gervais, Ghassan O. Karame, Karl Wüst, Vasileios Glykantzis, Hubert Ritzdorf, Srdjan Capkun
    On the Security and Performance of Proof of Work Blockchains
    in ACM Conference on Computer and Communication Security (CCS), 2016 [Preprint]

Tampering with the Delivery of Blocks and Transactions in Bitcoin

Given the increasing adoption of Bitcoin, the number of transactions and the block sizes within the system are only expected to increase. To sustain its correct operation in spite of its ever-increasing use, Bitcoin implements a number of necessary optimizations and scalability measures. These measures limit the amount of information broadcast in the system to the minimum necessary. In this paper, we show that current scalability measures adopted by Bitcoin come at odds with the security of the system. More specifically, we show that an adversary can exploit these measures in order to effectively delay the propagation of transactions and blocks to specific nodes—without causing a network partitioning in the system. We show that this allows the adversary to easily mount Denial-of-Service attacks, considerably increase its mining advantage in the network, and double-spend transactions in spite of the current countermeasures adopted by Bitcoin. Based on our results, we propose a number of countermeasures in order to enhance the security of Bitcoin without deteriorating its scalability.

Members of the project: Arthur Gervais, Hubert Ritzdorf, Ghassan O. Karame and Srdjan Capkun

Related publication

  • Arthur Gervais, Hubert Ritzdorf, Ghassan O. Karame, Srdjan Capkun
    Tampering with the Delivery of Blocks and Transactions in Bitcoin
    in ACM Conference on Computer and Communication Security (CCS), 2015 [Preprint]

Quantifying Location Privacy Leakage from Transaction Prices

Large-scale datasets of consumer behavior might revolutionize the way we gain competitive advantages and increase our knowledge in the respective domains. At the same time, valuable datasets pose potential privacy risks that are difficult to foresee. In this paper we study the impact that the prices from consumers’ purchase histories have on the consumers’ location privacy. We show that using a small set of low-priced product prices from the consumers’ purchase histories, an adversary can determine the country, city, and local retail store where the transaction occurred with high confidence. Our paper demonstrates that even when the product category, precise time of purchase, and currency are removed from the consumers’ purchase history (e.g., for privacy reasons), information about the consumers’ location is leaked. The results are based on three independent datasets containing thousands of low-priced and frequently-bought consumer products. In addition, we show how to identify the local currency, given only the total price of a consumer purchase in a global currency (e.g., in Bitcoin). The results show the existence of location privacy risks when releasing consumer purchase histories. As such, the results highlight the need for systems that hide transaction details in consumer purchase histories.

Members of the project: Arthur Gervais, Hubert Ritzdorf, Mario Lucic and Srdjan Capkun

Related publication

  • Arthur Gervais, Hubert Ritzdorf, Mario Lucic, Srdjan Capkun
    Quantifying Location Privacy Leakage from Transaction Prices
    Cryptology ePrint Archive: Report 2015/496 [Paper]

Misbehavior in Bitcoin: A Study of Double-Spending and Accountability

Bitcoin is a decentralized payment system that relies on Proof-of-Work (PoW) to resist double-spending through a distributed time-stamping service. To ensure the operation and security of Bitcoin, it is essential that all transactions and their order of execution are available to all Bitcoin users.

Unavoidably, in such a setting, the security of transactions comes at odds with transaction privacy. Motivated by the fact that transaction confirmation in Bitcoin requires tens of minutes, we analyze the conditions for performing successful double-spending attacks against fast payments in Bitcoin, where the time between the exchange of currency and goods is short (in the order of a minute). We show that, unless new detection techniques are integrated in the Bitcoin implementation, double-spending attacks on fast payments succeed with considerable probability and can be mounted at low cost. We propose a new and lightweight countermeasure that enables the detection of double-spending attacks in fast transactions. In light of such misbehavior, accountability becomes crucial. We show that in the specific case of Bitcoin, accountability complements privacy. To illustrate this tension, we provide accountability and privacy definitions for Bitcoin and we investigate analytically and empirically the privacy and accountability provisions in Bitcoin.

Members of the project: Ghassan O. Karame, Elli Androulaki, Marc Roeschlin, Arthur Gervais and Srdjan Capkun

Related publication

  • Ghassan O. Karame, Elli Androulaki, Marc Roeschlin, Arthur Gervais, Srdjan Capkun
    Misbehavior in Bitcoin: A Study of Double-Spending and Accountability
    in ACM Transactions on Information and System Security (TISSEC), 2015 [PDF]

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients

Lightweight Bitcoin clients are gaining increasing adoption among Bitcoin users, owing to their reduced resource and bandwidth consumption. These clients support a simplified payment verification (SPV) mode as they are only required to download and verify a part of the block chain, thus supporting the usage of Bitcoin on constrained devices, such as smartphones. SPV clients rely on Bloom filters to receive transactions that are relevant to their local wallet. These filters embed all the Bitcoin addresses used by the SPV clients, and are outsourced to more powerful Bitcoin nodes which then only forward to those clients transactions relevant to their outsourced Bloom filters.

We explore the privacy of existing SPV clients. We show analytically and empirically that the reliance on Bloom filters within existing SPV clients leaks considerable information about the addresses of Bitcoin users. Our results show that an SPV client who uses a modest number of Bitcoin addresses (e.g., < 20) risks revealing almost all of his addresses. We also show that this information leakage is further exacerbated when users restart their SPV clients and/or when the adversary has access to more than one Bloom filter pertaining to the same SPV client. Motivated by these findings, we propose an efficient countermeasure to enhance the privacy of users who rely on SPV clients; our proposal can be directly integrated within existing SPV client implementations.

Members of the project: Arthur Gervais, Ghassan Karame, Damian Gruber, Srdjan Capkun

Related publication

Is Bitcoin a Decentralized Currency?

Bitcoin has achieved large-scale acceptance and popularity by promising its users a fully decentralized and low-cost virtual currency system. However, recent incidents and observations are revealing the true limits of decentralization in the Bitcoin system. In this article, we show that the vital operations and decisions that Bitcoin is currently undertaking are not decentralized. More specifically, we show that a limited set of entities currently control the services, decision making, mining, and the incident resolution processes in Bitcoin. We also show that third-party entities can unilaterally decide to “devalue” any specific set of Bitcoin addresses pertaining to any entity participating in the system. Finally, we explore possible avenues to enhance the decentralization in the Bitcoin system.

Members of the project: Arthur Gervais, Ghassan Karame, Srdjan Capkun and Vedran Capkun

Related publication

  • Arthur Gervais, Ghassan O. Karame, Srdjan Capkun, Vedran Capkun
    Is Bitcoin a Decentralized Currency?
    IEEE Security and Privacy Magazine, 2014
    [Preliminary version PDF | BibTeX]

Double-spending Attacks on Fast Payments in Bitcoin

Bitcoin is a decentralized payment system that is based on Proof-of-Work. Bitcoin is currently gaining popularity as a digital currency; several businesses are starting to accept Bitcoin transactions. An example case of the growing use of Bitcoin was recently reported in the media; here, Bitcoins were used as a form of fast payment in a local fast-food restaurant.

We analyze the security of using Bitcoin for fast payments, where the time between the exchange of currency and goods is short (i.e., in the order of a few seconds). We focus on double-spending attacks on fast payments and demonstrate that these attacks can be mounted at low cost on currently deployed versions of Bitcoin. We further show that the measures recommended by Bitcoin developers for the use of Bitcoin in fast transactions are not always effective in resisting double-spending; we show that if those recommendations are integrated in future Bitcoin implementations, double-spending attacks on Bitcoin will still be possible. Finally, we leverage our findings and propose a lightweight countermeasure that enables the detection of double-spending attacks in fast transactions.

Members of the project: Elli Androulaki, Ghassan Karame, Srdjan Capkun

Related publication

  • Ghassan O. Karame, Elli Androulaki, Srdjan Capkun
    Two Bitcoins at the Price of One? Double-Spending Attacks on Fast Payments in Bitcoin
    In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2012
    Related technical report: Cryptology ePrint Archive Report 2012/248, 2012 [PDF | BibTeX]

Countermeasures

Our proposed countermeasure modifies the Bitcoin client so that it propagates information about double-spending attacks faster and further through the network. The victim is thereby more likely to observe the malicious activity and is able to respond accordingly. The victim is also presented with a message either warning about malicious activity or notifying that no simple double-spending attack was observed.

We patched version 0.5.0 of the Bitcoin client:

  • Differences introduced by the patch

Evaluating User Privacy in Bitcoin

Bitcoin is quickly emerging as a popular digital payment system. However, in spite of its reliance on pseudonyms, Bitcoin raises a number of privacy concerns due to the fact that all of the transactions that take place are publicly announced in the system.

In this paper, we investigate the privacy guarantees of Bitcoin in the setting where Bitcoin is used as a primary currency for the daily transactions of individuals. More specifically, we evaluate the privacy that is provided by Bitcoin (i) by analyzing the genuine Bitcoin system and (ii) through a simulator that faithfully mimics the operation of Bitcoin in the context where Bitcoin is used for all transactions within a university. In this setting, our results show that the profiles of almost 40% of the users can be, to a large extent, recovered even when users adopt privacy measures recommended by Bitcoin. To the best of our knowledge, this is the first work that comprehensively analyzes, and evaluates the privacy implications of Bitcoin. As a by-product, we have designed and implemented the first simulator of Bitcoin; our simulator can be used to model the interaction between Bitcoin users in generic settings.

Members of the Project: Elli Androulaki, Ghassan O. Karame, Marc Roeschlin, Tobias Scherer, and Srdjan Capkun

Related Publication

  • Elli Androulaki, Ghassan O. Karame, Marc Roeschlin, Tobias Scherer, and Srdjan Capkun
    Evaluating User Privacy in Bitcoin
    In Proceedings of the International Conference on Financial Cryptography and Data Security, 2013 [PDF]