This year EPFL hosted a Blockchain Summer School from the 21st to the 24th of June. UCL was well represented with Sarah Meiklejohn presenting two talks whilst Sarah Azouvi, Patrick McCorry, Mustafa Al-Bassam and Alexander Hicks also attended. This blog post is a joint effort from the four of us, aimed at highlighting the talks presented last week.
The Summer School featured talks on several aspects of blockchain technology, ranging from classical distributed computing to the security of smart contracts in Ethereum and proofs of security for proof of work and proof of stake protocols. Here, we provide a short summary of each of the talks. Slides can be found by clicking on each talk on the school’s program page.
TLS-N: Non-repudiation over TLS Enabling Ubiquitous Content Signing for Disintermediation by Arthur Gervais: Gervais’ talk showed that a small modification to TLS can allow a smart contract to verify the authenticity of data received from a website. Essentially, at the end of the TLS session the server, if the client requests it, signs evidence of the session; the smart contract then verifies and stores this evidence. It is also worth mentioning that the protocol relies on redactable signatures, which let the client strip private parts of the session from the evidence without invalidating the server’s signature.
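To make the redaction idea concrete, here is a small Python model of signed-then-redacted session evidence. This is an added illustration written for this post, not TLS-N’s own code: it assumes the transcript is split into chunks, commits to each chunk as SHA-256(salt ‖ chunk), and replaces the server’s public-key signature with an HMAC-SHA256 under a key the verifier also knows, purely so the example runs with the standard library.

```python
"""Toy model of signed, redactable session evidence in the spirit of TLS-N.

Added illustration, not TLS-N's own code. Assumptions: the transcript is
split into chunks; each chunk is committed as SHA-256(salt || chunk); and the
server's public-key signature is replaced by an HMAC-SHA256 under a key the
verifier also knows (a stand-in so the example runs with the standard
library only).
"""
import hashlib
import hmac
import os

SERVER_KEY = b"constructed stand-in for the server's signing key"


def commit(salt: bytes, chunk: bytes) -> bytes:
    """Hiding commitment to one chunk; the salt stops guessing of short chunks."""
    return hashlib.sha256(salt + chunk).digest()


def sign_evidence(chunks, key=SERVER_KEY):
    """Server side: commit to every chunk and sign the concatenated commitments.
    Returns the evidence (commitments + signature) and the salts, which the
    client needs later to open the chunks it chooses to reveal."""
    salts = [os.urandom(16) for _ in chunks]
    commitments = [commit(s, c) for s, c in zip(salts, chunks)]
    sig = hmac.new(key, b"".join(commitments), hashlib.sha256).digest()
    return {"commitments": commitments, "sig": sig}, salts


def redact(evidence, chunks, salts, keep):
    """Client side: open only the chunks whose index is in `keep`. The
    verifier still sees every commitment, so the signature stays valid, but
    learns nothing about the redacted chunks beyond their count."""
    opened = {i: (salts[i], chunks[i]) for i in keep}
    return {**evidence, "opened": opened}


def verify(proof, key=SERVER_KEY):
    """Verifier side (e.g. the contract): check the signature over all
    commitments, then check each opened chunk against its commitment.
    Returns {index: chunk} for the revealed chunks, or None on any failure."""
    expected = hmac.new(key, b"".join(proof["commitments"]), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, proof["sig"]):
        return None
    revealed = {}
    for i, (salt, chunk) in proof["opened"].items():
        if not 0 <= i < len(proof["commitments"]):
            return None
        if commit(salt, chunk) != proof["commitments"][i]:
            return None
        revealed[i] = chunk
    return revealed


def demo():
    """Constructed transcript: chunk 1 holds a credential the client keeps
    private; chunk 2 holds the data the contract actually needs."""
    chunks = [b"GET /price HTTP/1.1", b"Cookie: session=secret", b'{"price": 42}']
    evidence, salts = sign_evidence(chunks)
    proof = redact(evidence, chunks, salts, keep={0, 2})
    good = verify(proof)
    # Changing a revealed chunk breaks its commitment and is rejected.
    forged = {**proof, "opened": {**proof["opened"], 2: (salts[2], b'{"price": 9999}')}}
    return good, verify(forged)
```

The point to notice is that the verifier never needs the redacted cookie: the signature covers the commitment list, so redaction changes what is opened, not what is signed.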
Town Crier: An Authenticated Data Feed for Smart Contracts – Ari Juels: Juels’ talk highlighted that trusted execution environments can be leveraged to build authenticated data feeds. The trusted hardware sets up an HTTPS session with the website, fetches the data and only then passes it on to the smart contract. Town Crier is implemented using Intel SGX and has been released for testing.
It is also worth mentioning that Juels gave a neat definition of a smart contract:
“A smart contract is a trusted third party with public state.”
This is one of the reasons why cryptography and smart contracts are such a good combination: the contract ensures that the cryptography is faithfully executed, while the cryptography provides integrity and confidentiality for the data the contract uses.
Protocols for Secure Distributed Computing – Christian Cachin: Cachin presented an overview of designing secure protocols for distributed computing. He touched upon methods applicable to Byzantine Fault Tolerance (BFT) protocols, which are used in permissioned blockchain systems such as Hyperledger Fabric.
Introduction to Ethereum – Joseph Bonneau: Bonneau gave two consecutive talks introducing Ethereum. He began with Bitcoin and the idea of writing smart contracts in Bitcoin Script. Basic examples include multi-signature (2 out of 3 parties sign a transaction), proof of burn (destroying coins in a verifiable way) and paying for a hash’s pre-image (useful for atomic cross-chain transfers). However, Bitcoin Script lacks the expressiveness needed to build more interesting smart contracts.
This led Bonneau to introduce Ethereum and its smart contracts. He gave an in-depth description of Ethereum accounts, transactions and the blockchain, and of how all three components are tied together in a publicly verifiable manner. The highlight of the talk was his comparison of Namecoin implementations in Bitcoin and Ethereum, which demonstrated how much simpler building a contract is with the Ethereum Virtual Machine and the Solidity language than with Bitcoin Script.
Advanced Topics on Smart Contracts – Andrew Miller: Miller presented an overview of security flaws found in popular smart contracts. Two notable points worth highlighting are his warnings about re-entrancy attacks and his walkthrough of what he called buffer underflow attacks against web front-ends (now usually referred to as the short address attack).
The re-entrancy attack allowed a thief to steal $50 million from The DAO. Remarkably, Miller had a few “I told you so” slides showing that he had raised alarm bells about this style of attack on two previous occasions (a 2014 forum post and the Ethereum-commissioned EVM security report). The issue was that the community ignored his warnings, as no practical attack had yet been demonstrated.
The buffer underflow attack allows a remote attacker to trick a web form into sending more money than intended (e.g. withdrawing 5,500 ether instead of 55 ether). Basically, the attacker creates an Ethereum account whose address ends in zeros and omits those zeros when entering the address into the web form. The web form concatenates the account and the value (i.e. account ‖ value) into a 64-byte buffer, and if any bytes are missing (here the two omitted hex zeros, i.e. one byte) it silently appends zeros to the end of the buffer. The value field is therefore shifted one byte to the left, with the appended zero landing in its low-order byte, so the contract sees a larger amount than the one entered while the address still decodes to the attacker’s own account.
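The following Python simulation, added here for illustration and not taken from Miller’s slides or any real wallet or contract, models the encoding step just described. It assumes the front end builds address ‖ value as two 32-byte words by prepending 12 zero bytes to whatever address string it received and appending the 32-byte amount, then right-pads the buffer with zeros to 64 bytes; the receiving contract takes the low 20 bytes of the first word as the address and the second word as the amount. The attacker address and the amount are constructed.

```python
"""Simulation of the buffer underflow / short address attack.

Added example, not code from the talk, a wallet or a contract. Assumptions
(constructed for illustration): the front end prepends 12 zero bytes to the
user-supplied address, appends the 32-byte amount, and right-pads to 64
bytes; the contract reads the low 20 bytes of word 0 as the address and
word 1 as the amount."""

WORD = 32


def encode_unchecked(address_hex: str, value: int) -> bytes:
    """Vulnerable front end: no length check on the user-supplied address."""
    addr = bytes.fromhex(address_hex)
    buf = b"\x00" * 12 + addr + value.to_bytes(WORD, "big")  # assumes 20-byte addr
    return buf.ljust(2 * WORD, b"\x00")                       # silently fills the gap


def encode_checked(address_hex: str, value: int) -> bytes:
    """Hardened front end: reject anything but an exact 20-byte address."""
    addr = bytes.fromhex(address_hex)
    if len(addr) != 20:
        raise ValueError(f"address must be 20 bytes, got {len(addr)}")
    return b"\x00" * 12 + addr + value.to_bytes(WORD, "big")


def decode(buf: bytes):
    """Contract side: read two 32-byte words (address, amount)."""
    if len(buf) != 2 * WORD:
        raise ValueError("calldata must be exactly 64 bytes")
    address = buf[WORD - 20:WORD].hex()
    value = int.from_bytes(buf[WORD:], "big")
    return address, value


def demo():
    real_address = "ab" * 19 + "00"    # constructed attacker address ending in 0x00
    typed_address = real_address[:-2]  # the two trailing zeros are left out of the form
    amount = 55

    honest = decode(encode_unchecked(real_address, amount))
    attack = decode(encode_unchecked(typed_address, amount))
    try:
        encode_checked(typed_address, amount)
        blocked = False
    except ValueError:
        blocked = True
    return honest, attack, blocked
```

With one byte omitted, the decoded address is the attacker’s real account (the first byte of the amount word, a zero, slides into the address’s last byte) and the amount is multiplied by 256. Checking the address length before encoding, as `encode_checked` does, is the front-end fix; the contract side can additionally reject calldata of the wrong length.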
Diving into The DAO – Emin Gün Sirer: Following Miller’s talk, Sirer presented an overview of what went wrong with “The DAO” (where DAO stands for Decentralised Autonomous Organisation), which was implemented as a smart contract on Ethereum. The contract’s purpose was to allow decentralised investment in proposals, and it ultimately had over $150 million deposited. Unfortunately, a thief leveraged a subtle programming bug to perform a re-entrancy attack (as described in Miller’s talk) and stole $50M from the contract. The presentation highlighted that, even ignoring this bug, The DAO was always doomed to fail, as the contract was vulnerable to other potential attacks:
- Misaligned voting incentives: voters will not vote no as their coins will be locked until the proposal closes.
- Ambush attacks: large investors can send multiple yes votes just before the voting stage closes in order to fund self-serving proposals.
- Stalking attacks: potential to prevent another investor withdrawing their funds by following them into sub-contracts.
A good description of the above attacks can be found here. To finish the above story, the community (and the Ethereum Foundation) arranged for the activation of a hard-fork to reverse the theft. This hard-fork split the blockchain into Ethereum and Ethereum Classic.
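Since both Miller’s and Sirer’s talks revolve around the re-entrancy bug, here is a Python model of it alongside the checks-effects-interactions fix. This is an added illustration, not The DAO’s Solidity: the `receive` method stands in for the EVM’s external call, which hands control to the recipient’s code before the caller’s remaining statements run, the recursion cap stands in for running out of gas, and the balances and parties are constructed.

```python
"""Python model of the re-entrancy flaw behind The DAO theft and its fix.

Added illustration, not The DAO's Solidity. `receive` stands in for the
EVM's external call (control passes to the recipient before the caller's
remaining statements run); the recursion cap stands in for the gas limit.
Balances and parties are constructed."""


class Bank:
    def __init__(self, fixed: bool):
        self.balances = {}
        self.vault = 0      # ether the contract actually holds
        self.fixed = fixed

    def deposit(self, who, amount: int):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.vault += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.vault:
            return
        if self.fixed:
            # Checks-effects-interactions: zero the balance BEFORE calling out,
            # so a re-entrant call finds nothing left to withdraw.
            self.balances[who] = 0
            self.vault -= amount
            who.receive(self, amount)
        else:
            # The DAO pattern: pay first, update the balance afterwards.
            # Until the callback returns, balances[who] still holds `amount`.
            self.vault -= amount
            who.receive(self, amount)
            self.balances[who] = 0


class Honest:
    def receive(self, bank, amount):
        pass


class Attacker:
    def __init__(self, max_depth: int):
        self.max_depth = max_depth
        self.depth = 0
        self.stolen = 0

    def receive(self, bank, amount):
        """Fallback function: re-enter withdraw() while our balance is unchanged."""
        self.stolen += amount
        self.depth += 1
        if self.depth < self.max_depth:
            bank.withdraw(self)


def run(fixed: bool):
    """Returns (ether the attacker got, ether left in the contract,
    the honest depositor's recorded balance)."""
    bank = Bank(fixed)
    victim, attacker = Honest(), Attacker(max_depth=50)
    bank.deposit(victim, 100)
    bank.deposit(attacker, 10)
    bank.withdraw(attacker)
    return attacker.stolen, bank.vault, bank.balances[victim]
```

In the vulnerable variant the attacker’s 10 ether deposit drains the whole 110 ether vault, while the honest depositor’s balance of 100 is still recorded but unpayable; in the fixed variant the nested call sees a zero balance and the attacker gets back exactly their own 10.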
Anonymity in Cryptocurrencies – Sarah Meiklejohn: Meiklejohn presented her research on tracking illicit transactions in Bitcoin before giving an overview of mixing protocols (TumbleBit, CoinJoin, etc.) and introducing a new on-chain mixing protocol called Möbius, developed in collaboration with Rebekah Mercer.
Möbius is a smart contract into which each sender deposits a fixed denomination of coins. Once enough deposits have been made, each receiver can withdraw their coins from the contract. The protocol hides who is withdrawing by having receivers authorise withdrawals with linkable ring signatures, and the linkability property ensures that each receiver can withdraw only once. Stealth public keys are also used so that a sender can compute a fresh public key for the receiver non-interactively.
Byzantine Vertical Paxos: A Foundational Approach to Reconfiguration – Dahlia Malkhi: Malkhi gave a short introduction to State Machine Replication (SMR) before presenting Vertical Paxos, which is built around reconfiguration. Reconfiguration means that the system can reach consensus on changes to its own settings, such as electing a new leader or replacing the entire set of replicas. Most importantly, Byzantine Vertical Paxos is designed for blockchain-like systems; more information can be found in her papers on Flexible Paxos and Byzantine Vertical Paxos.
The Hyperledger Fabric V1 – Marco Vukolic: Hyperledger is an open source blockchain project hosted by the Linux Foundation with partners from several industries, and Fabric is IBM’s distributed ledger implementation within it. The talk focused on Fabric’s architecture, which differs in many ways from Bitcoin and Ethereum: Fabric is permissioned, has no native cryptocurrency and does not rely on proof-of-work consensus (its consensus layer is modular instead). Smart contracts, called chaincode and written in Go, are the tool for implementing business logic.
Skipping over numerous other features, the main focus of the presentation was the transaction flow. The current standard is “ORDER → EXECUTE”, where nodes execute a transaction or smart contract only after consensus on its order. Fabric replaces this with “EXECUTE → ORDER → VALIDATE”: transactions are first executed by endorsers running the chaincode, then ordered (this is where consensus takes place), and finally validated against the endorsement policy by validation code. The permissioned setting also means that these roles can be assigned to specific nodes rather than requiring the whole network to execute every computation.
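To show what the three phases actually do, here is a toy Python model of the EXECUTE → ORDER → VALIDATE flow. It is an added illustration, not Fabric code: endorser signatures are HMAC-SHA256 tags under constructed per-organisation keys (standing in for Fabric’s certificate-based identities), the endorsement policy is a constructed “at least two distinct organisations” rule, and the validation phase also checks that the keys a transaction read still have the versions it saw when it was executed (Fabric’s multi-version concurrency check, which the summary above does not go into).

```python
"""Toy model of Fabric's EXECUTE -> ORDER -> VALIDATE transaction flow.

Added illustration, not Fabric code. Endorser signatures are HMAC tags under
constructed per-organisation keys; the policy is a constructed "2 distinct
orgs" rule; validation also checks read-set versions before committing."""
import copy
import hashlib
import hmac
import json

ORG_KEYS = {"Org1": b"org1-key", "Org2": b"org2-key", "Org3": b"org3-key"}  # constructed
POLICY_MIN_ORGS = 2


def chaincode_transfer(state, src, dst, amount):
    """EXECUTE: run by each endorser against its own copy of the state.
    Produces a read set (key -> version) and a write set (key -> value);
    the ledger itself is not modified here."""
    reads = {src: state[src]["version"], dst: state[dst]["version"]}
    if state[src]["value"] < amount:
        raise ValueError("insufficient funds")
    writes = {src: state[src]["value"] - amount, dst: state[dst]["value"] + amount}
    return reads, writes


def endorse(org, proposal, state):
    """An endorsing peer of `org` simulates the proposal and signs the result."""
    reads, writes = chaincode_transfer(state, *proposal)
    payload = json.dumps({"reads": reads, "writes": writes}, sort_keys=True).encode()
    sig = hmac.new(ORG_KEYS[org], payload, hashlib.sha256).digest()
    return {"org": org, "payload": payload, "sig": sig}


def assemble(endorsements):
    """Client collects endorsements; they must agree on the same read/write sets."""
    payloads = {e["payload"] for e in endorsements}
    if len(payloads) != 1:
        raise ValueError("endorsers produced different results")
    return {"payload": payloads.pop(), "endorsements": endorsements}


def order(txs):
    """ORDER: the ordering service only fixes a total order; it runs no chaincode."""
    return list(txs)


def validate_and_commit(ledger, block):
    """VALIDATE: every peer checks the endorsement policy and the read-set
    versions, then applies the writes of valid transactions in block order."""
    results = []
    for tx in block:
        valid_orgs = set()
        for e in tx["endorsements"]:
            expected = hmac.new(ORG_KEYS[e["org"]], tx["payload"], hashlib.sha256).digest()
            if hmac.compare_digest(expected, e["sig"]):
                valid_orgs.add(e["org"])
        if len(valid_orgs) < POLICY_MIN_ORGS:
            results.append("invalid: endorsement policy not met")
            continue
        rw = json.loads(tx["payload"])
        if any(ledger[k]["version"] != v for k, v in rw["reads"].items()):
            results.append("invalid: stale read set")
            continue
        for k, value in rw["writes"].items():
            ledger[k] = {"value": value, "version": ledger[k]["version"] + 1}
        results.append("valid")
    return results


def demo():
    """Three proposals endorsed concurrently against the same snapshot."""
    ledger = {"alice": {"value": 100, "version": 1}, "bob": {"value": 0, "version": 1}}
    snapshot = copy.deepcopy(ledger)
    tx1 = assemble([endorse(o, ("alice", "bob", 30), snapshot) for o in ("Org1", "Org2")])
    tx2 = assemble([endorse(o, ("alice", "bob", 50), snapshot) for o in ("Org1", "Org3")])
    tx3 = assemble([endorse("Org1", ("alice", "bob", 10), snapshot)])  # only one org
    results = validate_and_commit(ledger, order([tx1, tx2, tx3]))
    return results, ledger
```

The second transaction is well endorsed but is rejected because the first one already bumped the versions of the keys it read, which is how execute-before-order copes with proposals that were simulated against a state that is no longer current; the third is rejected purely on the endorsement policy.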
Blockchain Design Choices: A Distributed Computing Perspective – Ittai Abraham: Abraham presented different blockchain consensus protocols before highlighting how these new protocols differ from traditional ones. He introduced a new type of adversary that sits between omission failures and a fully Byzantine adversary. Abraham invited the researchers in the room to investigate the intersection of distributed systems and game theory, as blockchain consensus protocols introduce a new kind of threat model that needs different tools from those of traditional distributed systems.
Alternative Architectures for Distributed Ledgers – Sarah Meiklejohn: In her second talk, Meiklejohn focused on other obstacles facing blockchains. Regarding scalability and cost-efficiency, she presented some aspects of Elastico and of her own work on RSCoin, a centrally banked cryptocurrency whose transaction ledger is maintained by (distributed) mintettes. Although having the monetary supply controlled centrally is a drawback, the system achieves great scalability, as throughput grows with the number of mintettes. She also showcased parts of Transparency Overlays, Certificate Transparency, ARPKI and CONIKS, discussing the security and transparency properties they achieve.
Proving the security of Blockchain Protocols: From Proof of Work to Proof of Stake I – Aggelos Kiayias: Kiayias presented formal proofs of security for blockchain-type protocols. He started with a proof for the proof-of-work protocol used by Bitcoin, then moved on to newer blockchain protocols and presented Ouroboros, his proof-of-stake protocol. In a proof-of-stake protocol the party that produces each block is chosen with probability proportional to its stake (amount of currency) rather than to its computational power, as in proof of work. He then presented the security proof for the protocol.
Scaling Bitcoin, On- and Off-Chain – Emin Gün Sirer: Scaling is currently the most hotly debated issue in decentralised cryptocurrencies like Bitcoin. In this talk, Sirer presented Bitcoin-NG, an alternative on-chain scaling approach for Bitcoin. The key insight is that Bitcoin follows a batch-update approach: a leader is elected periodically (every ten minutes) and has a single opportunity to append one list of transactions to the blockchain. In Bitcoin-NG the leader is still elected periodically (in key-blocks), but this leader can keep appending new transactions to the blockchain (in micro-blocks) until the next leader is elected. This better utilises the network’s bandwidth, as several micro-blocks can be created before a new leader is elected.
Sirer also presented Teechan, which supports off-chain transactions using trusted execution environments. Briefly, both parties lock coins into the payment channel by depositing them in a single transaction. Each party’s trusted hardware then attests the other party’s trusted hardware before authorising new off-chain transactions. When the channel is closed, only the most recently authorised off-chain transaction is broadcast to the blockchain. Sirer also highlighted that a future version of Teechan will support routing payments across two or more channels.
The first three days also featured exercise sessions which provided some practice with the basics of Bitcoin, Ethereum and smart contracts. Saturday consisted of case studies looking at applications of blockchain technology to international banking, supply chain management, healthcare management, decentralised energy production and ransomware.
Talks were not the only events: the summer school also hosted the second Proof-of-Personhood (PoP) party. PoP is a new consensus mechanism for cryptocurrencies that binds physical entities to virtual identities in a verifiable but anonymous way (using linkable ring signatures). Users attend physical Proof-of-Personhood parties to receive PoP tokens which, when used in a cryptocurrency application, entitle the holder to create a new block. The idea is to allow a democratic way of generating new blocks, so each user receives exactly one token.
Outside of the school itself, we also took time to visit the beautiful Lake Geneva, one of the largest lakes in Europe. With temperatures in Lausanne reaching thirty degrees, it seemed like a good idea to test the waters on Friday evening.
Like any other event, the summer school was a great opportunity to interact with people working on blockchain problems and to discuss ideas. We were lucky to meet many interesting people with whom we hope to work in the future. Many thanks to EPFL’s Decentralized and Distributed Systems Lab for organising the school and hosting us, in particular to Eleftherios Kokoris-Kogias.