proof of luck
play

Proof of Luck: an Efficient Blockchain Consensus Protocol Mitar - PowerPoint PPT Presentation

May 18, 2023 •27 likes •527 views

Proof of Luck: an Efficient Blockchain Consensus Protocol Mitar Milutinovic, Warren He, Howard Wu, Maxinder Kanwal Outline Background: blockchains, consensus, and SGX Existing consensus mechanisms Our paper: 3 basic consensus primitives Proof

  1. Proof of Luck: an Efficient Blockchain Consensus Protocol Mitar Milutinovic, Warren He, Howard Wu, Maxinder Kanwal

  2. Outline Background: blockchains, consensus, and SGX Existing consensus mechanisms Our paper: 3 basic consensus primitives Proof of Luck Conclusion

  3. Outline Background : blockchains , consensus, and SGX Existing consensus mechanisms Our paper: 3 basic consensus primitives Proof of Luck Conclusion

  4. Background: blockchains block = (data, H(previous block)) 1 hash protects integrity of entire chain data data Efficient to append ... hash hash Efficient to verify recent blocks H Use case: append-only log H H h

  5. Background: blockchains Use case: append-only transaction log Remember previous payments to know who has how much money Still something missing: What if you know multiple valid blockchains?

  6. Outline Background : blockchains, consensus , and SGX Existing consensus mechanisms Our paper: 3 basic consensus primitives Proof of Luck Conclusion

  7. Background: consensus Two valid chains, same ancestry Whom has A paid? Has A even paid anyone? A pays B A pays C ...

  8. Background: consensus One approach: proof of work Each block must contain a proof of work Bitcoin uses a partial hash preimage problem Prefer the chain with the most work +3 work +2 work

  9. Background: consensus Issues with Bitcoin’s consensus mechanism: ● To prevent ties, it’s slow—10 minutes per block on average ● Time per block varies by chance ● Takes a lot of energy to do the work Motivation: could do better with trusted execution SGX is available in consumer CPUs

  10. Outline Background : blockchains, consensus, and SGX Existing consensus mechanisms Our paper: 3 basic consensus primitives Proof of Luck Conclusion

  11. Background: SGX A trusted execution environment Remote attestation : one can verify* that a specific computation ran on suitable hardware and produced a specific result . *Provided they trust in the platform vendor, Intel in the case of SGX

  12. Outline Background: blockchains, consensus, and SGX Existing consensus mechanisms Our paper: 3 basic consensus primitives Proof of Luck Conclusion

  13. Existing consensus mechanisms Proof of work - variations for useful work Proof of Stake / Proof of Burn - depends on specific incentives Byzantine fault tolerance - fast, participants known, adversary < ⅓ Intel Sawtooth Lake - developed concurrently, simulates Bitcoin mining, more mature analysis of compromised CPUs

  14. Outline Background: blockchains, consensus, and SGX Existing consensus mechanisms Our paper: 3 basic consensus primitives Proof of Luck Conclusion

  15. TEE Proof of Work = inside TEE Nonce to prevent replay, as usual Start PoW Null name base : anonymous proof (more later) Do original proof of work Restricts ASIC use (nonce, difficulty) Can do work that doesn’t have Attestation efficient verification algorithm (nonce, difficulty), name base=null Guaranteed to get a proof after doing work Still uses lots of energy End

  16. TEE Proof of Work Time A busy-wait loop can be used Start PoT in TEE-Proof-of-Work Check time Even better: Yield ... just check time from the TEE and yield Check time Concurrent invocations? Attestation (nonce, duration), name base=null = provided by TEE End

  17. Init TEE Proof of Work Time Increment MC Concurrent invocations? Start PoT Prototype in SGX: Check time monotonic counters (MC) shared Yield ... across instances of same enclave Check time Implement a mutex. Check MC Assumption: Attestation TEE supports this use case (nonce, duration), name base=null End

  18. TEE Proof of Work Time Related: Sawtooth Lake distributed ledger, Proof of Elapsed Time Wait for a randomized amount of time—simulates partial preimage search efc9a5df... 33bf7353... 31a75a03... 598fc24b... c052d575... d824325d... fd3f6615... X ~ geometric distribution f2c4d943... d9799954... fb2eb5e0... 439696f5... c7882894... 00000000... https://github.com/intelledger

  19. TEE Proof of Work Time Ownership Everyone has same amount of time Start PoO Boils down to owning capable CPUs Attestation Don’t bother waiting (nonce, difficulty), name base=nonce Name base: attestation pseudonym = F(name base, CPU’s key) End CPUs vote with attestations Scalability issue: need to collect all votes

  20. Basic consensus primitives ASIC Energy Time Scalable resistant efficient efficient Bitcoin no no no yes TEE Proof of work yes no no yes TEE Proof of time yes yes no yes TEE Proof of ownership yes yes yes no

  21. Outline Background: blockchains, consensus, and SGX Existing consensus mechanisms Our paper: 3 basic consensus primitives Proof of Luck Conclusion

  22. Proof of Luck Idea: generate random number for each block (assumption: that a TEE can) Extend block with highest number, prefer chain with highest total During network split, larger network will likely generate higher max block +1.1 luck 0.5 0.6 +1.7 luck 0.9 0.8

  23. PoL Proof of Luck Strawman design: generate random number, generate attestation Random l Attestation (nonce, l ) End

  24. PoL Proof of Luck Problem 1: becomes proof of work Low number? Restart Random l Attestation (nonce, l ) End

  25. PoL Proof of Luck Problem 1: Wait ROUND_TIME becomes proof of work Solution: must wait for some time, a “round time” Random l Attestation (nonce, l ) End

  26. Proof of Luck Problem 2: unsynchronized clocks waste luck time 0.7 ... 0.8 waiting period for block creation

  27. Proof of Luck Problem 2: unsynchronized clocks waste luck time 0.7 ... 0.8 ? waiting period for block creation

  28. Proof of Luck Problem 2: unsynchronized clocks waste luck time 0.7 ... 0.8 ? 0.9 waiting period for block creation

  29. Proof of Luck Problem 2: unsynchronized clocks waste luck time 0.7 ... 0.8 0.5 0.9 waiting period for block creation

  30. Proof of Luck Problem 2: unsynchronized clocks waste luck time 0.7 ... 0.8 0.5 0.9 waiting period for block creation

  31. PoL Proof of Luck Problem 2: Wait ROUND_TIME unsynchronized clocks waste luck Random l Attestation (nonce, l ) End

  32. PoLRound Proof of Luck Receive blocks Problem 2: Wait ROUND_TIME unsynchronized clocks waste luck Solution: ● Continue to receive competing blocks during ROUND_TIME Random l Attestation (nonce, l ) End

  33. PoLRound Proof of Luck Receive blocks Problem 2: Wait ROUND_TIME unsynchronized clocks waste luck PoLMine Solution: ● Continue to receive competing blocks during ROUND_TIME Random l ● After waiting, have a chance to switch Attestation (nonce, l ) End

  34. PoLRound Proof of Luck Save roundBlock = parent Receive blocks Problem 2: Wait ROUND_TIME unsynchronized clocks waste luck PoLMine Solution: Check parent = roundBlock ● Continue to receive competing blocks during ROUND_TIME Random l ● After waiting, have a chance to switch ● Must have same parent as Attestation (nonce, l ) block chosen at beginning End

  35. PoLRound Proof of Luck Save roundBlock = parent Receive blocks Optimization: Wait ROUND_TIME slightly delay less-lucky blocks PoLMine Don’t broadcast if you’ve already received a luckier block Check parent = roundBlock Random l Sleep f ( l ) Attestation (nonce, l ) End

  36. Analysis Luck values: l ~ Uniform(0, 1) Scenario: attacker ( m ) splits itself from rest of network ( M ) Threat model: attacker cannot compromise TEE, cannot split honest participants h blocks after the fork, we have two chains with luck values: l M ( t ) ~ max of M Uniform(0, 1) 1 ≤ t ≤ h l m ( t ) ~ max of m Uniform(0, 1) All independent

  37. Analysis Scenario: attacker ( m ) splits itself from rest of network ( M ) h blocks after the fork ? Attacker’s chain preferred

  38. Analysis Chernoff bound Expectation of product of independent variables Identically distributed

  39. Analysis Scenario: attacker ( m ) splits itself from rest of network ( M ) Threat model: attacker cannot compromise TEE, cannot split honest participants After the fork, exponentially small probability that minority wins < 1 for optimal s if M > m

  40. Compromised TEE Scenario: attacker can compromise a few CPUs, not the whole platform Approach: save top m luckiest numbers in each block, only m th place (least lucky) one counts From compromised CPUs Example ( m = 5): 0.98 0.96 0.94 0.92 0.90 1.00 1.00 0.98 0.96 0.94 If attacker compromises fewer than m CPUs, they can’t fully control block’s luck Needs further analysis

  41. Outline Background: blockchains, consensus, and SGX Existing consensus mechanisms Our paper: 3 basic consensus primitives Proof of Luck Conclusion

  42. Conclusion Properties of Proof of Luck: ● ASIC resistant ● Energy efficient ● Time efficient ● Permissionless and scalable Summary of assumptions: ● Participants have access to suitable TEE hardware ● TEE programs can detect concurrent invocations ● TEE programs can generate unbiased random numbers

  43. End of presentation.

  44. Proof of time - Implementation Question: Which monotonic counter? Monotonic counters accessed by random ID Storage and communication must be done outside TEE

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 8: Luck. David Aldous February 29, 2016 In the context of everyday minor events just

Lecture 8: Luck. David Aldous February 29, 2016 In the context of everyday minor events just

Lecture 8: Luck. David Aldous February 29, 2016 In the context of everyday minor events just catching or just missing an elevator we talk about good luck or bad luck and everyone understands what we mean. Luck is probability taken

568 views • 28 slides
Luck versus Skill. How do we measure them? How should we use them? There is too much luck in this

Luck versus Skill. How do we measure them? How should we use them? There is too much luck in this

Luck versus Skill. How do we measure them? How should we use them? There is too much luck in this game, not enough skill. There is no luck at all in this game, it is entirely skill. Virtually every definition of game will state that indeterminacy

575 views • 44 slides
3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

Griffith University 3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof by construction 2. Proof by equivalence 3. Proof by contradiction 4. Proof by case analysis 5. Proof by induction

549 views • 11 slides
Interaction among agents that plan Felipe Meneguzzi felipe.meneguzzi@kcl.ac.uk Michael Luck

Interaction among agents that plan Felipe Meneguzzi felipe.meneguzzi@kcl.ac.uk Michael Luck

Interaction among agents that plan Felipe Meneguzzi felipe.meneguzzi@kcl.ac.uk Michael Luck michael.luck@kcl.ac.uk 1 Department of Computer Science Kings College London From Agent Theory to Agent Implementation AAMAS 2008 Estoril,

320 views • 11 slides
Milenko Fadic June 9th, 2018 Letting Luck Decide: Government Procurement and the Growth Milenko

Milenko Fadic June 9th, 2018 Letting Luck Decide: Government Procurement and the Growth Milenko

Introduction Literature Background Identification Data Empirical strategy Results Letting Luck Decide: Government Procurement and the Growth of Small Firms Milenko Fadic June 9th, 2018 Letting Luck Decide: Government Procurement and the

356 views • 23 slides
Engineering your luck Be fit to fundraise Fit to fundraise: What does it mean? To be ready

Engineering your luck Be fit to fundraise Fit to fundraise: What does it mean? To be ready

Engineering your luck Be fit to fundraise Fit to fundraise: What does it mean? To be ready Why does it matter? Confidence 1. Mission / Purpose Knowing who you are 2. Strategic plan What are you going to do, why and how? 3. Track

355 views • 10 slides
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. 3. Each statement is derived via the derivation rules. Zero Knowledge Protocols 4. The proof is fixed, i.e, in any time,

642 views • 14 slides
Acting on Norm Constrained Plans Nir Oren, Wamberto Vasconcelos, Felipe Menguzzi, Michael Luck

Acting on Norm Constrained Plans Nir Oren, Wamberto Vasconcelos, Felipe Menguzzi, Michael Luck

Acting on Norm Constrained Plans Nir Oren, Wamberto Vasconcelos, Felipe Menguzzi, Michael Luck n.oren@abdn.ac.uk, wvasconcelos@acm.org, meneguzz@cs.cmu.edu, michael.luck@kcl.ac.uk University of Aberdeen Carnegie Mellon University Kings

593 views • 21 slides
Dealing the Interference By bad luck or pathological happenstance a particular line in the

Dealing the Interference By bad luck or pathological happenstance a particular line in the

Dealing the Interference By bad luck or pathological happenstance a particular line in the cache may be highly contended. How can we deal with this? 24 Interfering Code. int foo[129]; // 4*129 = 516 bytes int bar[129]; // Assume the

361 views • 12 slides
An Argumentation Inspired Heuristic for Resolving Normative Conflict Nir Oren, Michael Luck,

An Argumentation Inspired Heuristic for Resolving Normative Conflict Nir Oren, Michael Luck,

Introduction Norms Heuristics for Normative Conflict Resolution An Argumentation Inspired Heuristic for Resolving Normative Conflict Nir Oren, Michael Luck, Simon Miles, Timothy J. Norman nir.oren, michael.luck, simon.miles@kcl.ac.uk,

585 views • 43 slides
------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the

------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the

------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the following registers gets overwritten with return address of the exploit code? A. EIP B. ESP C. EAP D. EEP Ans: A 2)Which type of scan does not

431 views • 18 slides
CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2.

CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2.

CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2. Complete proof search with JProver Tactic-based proof search Sort rule applications by cost of induced proof search let simple prover = Repeat (

562 views • 9 slides
PROOF installation/usage Attila Krasznahorkay for the Tier3 PROOF WG Wednesday, June 9, 2010

PROOF installation/usage Attila Krasznahorkay for the Tier3 PROOF WG Wednesday, June 9, 2010

PROOF installation/usage Attila Krasznahorkay for the Tier3 PROOF WG Wednesday, June 9, 2010 Overview PROOF recap The work done in the WG WG Recommendations PROOF installation/configuration Using PROOF efficiently Usage

773 views • 28 slides
KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems Safety-critical Verification Proof assistance Proof assistants Proof experience 2/10 Proof Experience Issues High iteration cost

339 views • 10 slides
Bad behaviour or bad luck? Policy approach = define problems and tackle them Belief in

Bad behaviour or bad luck? Policy approach = define problems and tackle them Belief in

Introduction Bad behaviour or bad luck? Policy approach = define problems and tackle them Belief in mono-causality is widespread The role of extreme behaviour in the occurrence of severe crashes Crash causation theories:

292 views • 3 slides
Recruitment &amp; Executive Search Who is Benedicite? Benedicite is Latin for Good luck,

Recruitment &amp; Executive Search Who is Benedicite? Benedicite is Latin for Good luck,

Recruitment &amp; Executive Search Who is Benedicite? Benedicite is Latin for Good luck, Wish you well, Bless you! Our vision is to find the best and most suitable talent Our team has in-depth Our mission is to be

546 views • 10 slides
Lecture 3: Randomization Maarten Voors and EGAP Learning Days Instructors 9 April 2019

Lecture 3: Randomization Maarten Voors and EGAP Learning Days Instructors 9 April 2019

Lecture 3: Randomization Maarten Voors and EGAP Learning Days Instructors 9 April 2019 Bogot Learning Days X Today Exercise Three core assumptions Review: Random Sampling vs. Random Assignment Different designs Access

779 views • 51 slides
tr r r trs

tr r r trs

tr r r trs rs r rst s r

1.54k views • 114 slides
Erds Rnyi Graphs Grant Schoenebeck, Fang-Yi Yu Interacting Particle Systems A perfect

Erds Rnyi Graphs Grant Schoenebeck, Fang-Yi Yu Interacting Particle Systems A perfect

Consensus of Interacting Particle Systems on Erds Rnyi Graphs Grant Schoenebeck, Fang-Yi Yu Interacting Particle Systems A perfect toy model of opinion dynamics Agents on a graph G with opinions/types Opinions update locally

470 views • 45 slides
Colouring random geometric graphs Colin McDiarmid (based on joint work with Tobias M uller )

Colouring random geometric graphs Colin McDiarmid (based on joint work with Tobias M uller )

Colouring random geometric graphs Colin McDiarmid (based on joint work with Tobias M uller ) Probabilistic methods in wireless networks Ottawa, 24 August 2011 random geometric graph (RGG) in R 2 Construct a random graph G ( n , r ) as

625 views • 41 slides
Concepts of Higher Programming Languages Chapter 11: Random Numbers Jonathan Thaler Department

Concepts of Higher Programming Languages Chapter 11: Random Numbers Jonathan Thaler Department

Concepts of Higher Programming Languages Chapter 11: Random Numbers Jonathan Thaler Department of Computer Science 1 / 22 Introduction What is the first random number? 2 / 22 Introduction 3 / 22 Introduction 4 / 22 Introduction 5 / 22

357 views • 22 slides
Supplemental Problem 2 due Friday Testing Clicker Questions Random number generation Clicker

Supplemental Problem 2 due Friday Testing Clicker Questions Random number generation Clicker

Announcements Thursday Extra 4:00 in CS Commons/Science 3821 Topic: Lisong Xu, University of Nebraska, Lincoln Internet bandwidth allocation Office hours: Back to normal for the rest of this week Mentor sessions Sun, Thurs. 8-9 (pm) Commons

210 views • 4 slides
Building Java Programs Chapter 5 Lecture 5-2: Random Numbers reading: 5.1, 5.6 1

Building Java Programs Chapter 5 Lecture 5-2: Random Numbers reading: 5.1, 5.6 1

Building Java Programs Chapter 5 Lecture 5-2: Random Numbers reading: 5.1, 5.6 1 http://xkcd.com/221/ 2 Randomness Lack of predictability: don't know what's coming next Random process: outcomes do not follow a deterministic

263 views • 24 slides
Continuous Expectation and Variance, and the Law of Large Numbers 18.05 Spring 2018 0.5 0.4

Continuous Expectation and Variance, and the Law of Large Numbers 18.05 Spring 2018 0.5 0.4

Continuous Expectation and Variance, and the Law of Large Numbers 18.05 Spring 2018 0.5 0.4 0.3 0.2 0.1 0 -4 -3 -2 -1 0 1 2 3 4 Recall Exponential Random Variables Parameter: (called the rate parameter). Range: [0 , ).

666 views • 22 slides

More recommend