30 research outputs found

    A Flexible Network Approach to Privacy of Blockchain Transactions

    For preserving privacy, blockchains can be equipped with dedicated mechanisms to anonymize participants. However, these mechanisms often take only the abstraction layer of blockchains into account, whereas observations of the underlying network traffic can reveal the originator of a transaction request. Previous solutions either provide topological privacy that can be broken by attackers controlling a large number of nodes, or offer strong cryptographic privacy but are inefficient to the point of practical unusability. Further, there is no flexible way to trade privacy against efficiency to adjust to practical needs. We propose a novel approach that combines existing mechanisms to obtain quantifiable and adjustable cryptographic privacy, which is further improved by augmented statistical measures that prevent frequent attacks with lower resources. This approach achieves flexibility for the privacy and efficiency requirements of different blockchain use cases.
    Comment: 6 pages, 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS

    A Peered Bulletin Board for Robust Use in Verifiable Voting Systems

    The Web Bulletin Board (WBB) is a key component of verifiable election systems. It is used in the context of election verification to publish evidence of voting and tallying that voters and officials can check, and where challenges can be launched in the event of malfeasance. In practice, the election authority has responsibility for implementing the web bulletin board correctly and reliably, and will wish to ensure that it behaves correctly even in the presence of failures and attacks. To ensure robustness, an implementation will typically use a number of peers so that it can provide a correct service even when some peers go down or behave dishonestly. In this paper we propose a new protocol to implement such a Web Bulletin Board, motivated by the needs of the vVote verifiable voting system. Using a distributed algorithm increases the complexity of the protocol and requires careful reasoning in order to establish correctness. Here we use the Event-B modelling and refinement approach to establish correctness of the peered design against an idealised specification of the bulletin board behaviour. In particular, we show that for n peers, a threshold of t > 2n/3 peers behaving correctly is sufficient to ensure correct behaviour of the distributed bulletin board design. The algorithm also behaves correctly even if honest or dishonest peers temporarily drop out of the protocol and then return. The verification approach also establishes that the protocols used within the bulletin board do not interfere with each other. This is the first time a peered web bulletin board suite of protocols has been formally verified.
    Comment: 49 page

    On Secure Bulletin Boards for E-Voting

    The first phase of almost every electronic voting protocol is the collection of votes and their storage. This service is provided by a bulletin board system. Many research papers assume the existence of a secure bulletin board system, but few concrete systems have been proposed. It is often assumed that the bulletin board system is a central trusted party, but recent works have drawn attention to the importance of fault-tolerant distributed storage. In this thesis we propose a formal model for analysing the functionality and security of a bulletin board system. Our model is based on the bulletin board properties proposed by Culnane and Schneider at the Computer Security Foundations Symposium 2014. We treat a secure bulletin board system as the public transaction ledger introduced by Garay et al. at Eurocrypt 2015, which issues a receipt when a vote is successfully stored. More precisely, we define the properties (confirmable) persistence and confirmable liveness. We analyse the security of the bulletin board system proposed by Culnane and Schneider and show that their protocol does not satisfy the liveness property if any item collection peer is dishonest. Their system achieves confirmable persistence using a trivial threshold signature when the number of dishonest collection peers is <N/3; otherwise the bound is <N/4. Motivated by the Culnane and Schneider bulletin board system, we propose a new system that guarantees both confirmable persistence and confirmable liveness when the number of dishonest collection peers is <N/3 and <N/2, respectively. Moreover, our protocol has low communication complexity.
    This work is based on the paper "A Cryptographic Approach to Bulletin Boards" submitted to a conference, co-authored with Aggelos Kiayias, Helger Lipmaa, Janno Siim and Thomas Zacharias.

    Vote collection together with storage of collected votes is the first phase of practically any electronic voting (e-voting) protocol. This functionality is provided by a bulletin board system. Many research papers in e-voting require the existence of a secure bulletin board, but there are only a few concrete systems. In the literature it is common to assume that the bulletin board is a centralized trusted party, but in recent works the importance of a distributed fault-tolerant bulletin board has been raised. In this thesis, we propose a formal model for analysis of the security and functionality of a bulletin board system, motivated by the security requirements Culnane and Schneider introduced at the Computer Security Foundations Symposium 2014. We consider a secure bulletin board as a robust public transaction ledger, as presented by Garay et al. at Eurocrypt 2015, that additionally provides receipts for successful postings. More precisely, we introduce two properties: (Confirmable) Persistence and Confirmable Liveness. We study the bulletin board system proposed by Culnane and Schneider in our model, and show that their protocol does not achieve Confirmable Liveness if there exist corrupted item collection peers, but achieves Confirmable Persistence for <N/3 corrupted item collection peers using only our trivial threshold signature scheme; otherwise the bound is <N/4. Motivated by the security analysis of the Culnane-Schneider bulletin board system, we propose a fully secure bulletin board system and prove that it tolerates <N/3 corrupted item collection peers for Confirmable Persistence and <N/2 corrupted item collection peers for Confirmable Liveness.
    This thesis is based on a submitted paper "A Cryptographic Approach to Bulletin Boards" with co-authors Aggelos Kiayias, Helger Lipmaa, Janno Siim and Thomas Zacharias.

    A secure bulletin board


    Secure long term communities in ad hoc networks


    Automatic Reconfiguration for Large-Scale Reliable Storage Systems

    Byzantine-fault-tolerant replication enhances the availability and reliability of Internet services that store critical state and preserve it despite attacks or software errors. However, existing Byzantine-fault-tolerant storage systems either assume a static set of replicas, or have limitations in how they handle reconfigurations (e.g., in terms of the scalability of the solutions or the consistency levels they provide). This can be problematic in long-lived, large-scale systems where system membership is likely to change during the system lifetime. In this paper, we present a complete solution for dynamically changing system membership in a large-scale Byzantine-fault-tolerant system. We present a service that tracks system membership and periodically notifies other system nodes of membership changes. The membership service runs mostly automatically, to avoid human configuration errors; is itself Byzantine-fault-tolerant and reconfigurable; and provides applications with a sequence of consistent views of the system membership. We demonstrate the utility of this membership service by using it in a novel distributed hash table called dBQS that provides atomic semantics even across changes in replica sets. dBQS is interesting in its own right because its storage algorithms extend existing Byzantine quorum protocols to handle changes in the replica set, and because it differs from previous DHTs by providing Byzantine fault tolerance and offering strong semantics. We implemented the membership service and dBQS. Our results show that the approach works well in practice: the membership service is able to manage a large system, and the cost to change the system membership is low.

    Open Heterogeneous Quorum Systems

    In contrast to proof-of-work replication, Byzantine replicated systems maintain consistency with higher throughput, modest energy consumption, and deterministic liveness guarantees. If complemented with open membership and heterogeneous trust, they have the potential to serve as a global financial infrastructure. This paper presents a general model of heterogeneous quorum systems, where each participant can declare its own quorums, and captures the consistency, availability, and inclusion properties of these systems. In order to support open membership, it then presents reconfiguration protocols for heterogeneous quorum systems: joining and leaving of a process, and adding and removing of a quorum. It presents trade-offs for the properties that reconfigurations can preserve and, accordingly, presents reconfiguration protocols and proves their correctness. It further presents a graph characterization of heterogeneous quorum systems and its application to reconfiguration optimization.

    Byzantine Failures and Security: Arbitrary is not (always) Random

    The Byzantine failure model allows arbitrary behavior of a certain fraction of network nodes in a distributed system. It was introduced to model and analyse the effects of very severe hardware faults in aircraft control systems. Lately, the Byzantine failure model has been used in the area of network security, where Byzantine-tolerance is equated with resilience against malicious attackers. We discuss two reasons why one should be careful in doing so. Firstly, Byzantine-tolerance is not concerned with secrecy, so special means have to be employed if secrecy is a desired system property. Secondly, in contrast to the domain of hardware faults, in a security setting it is difficult to compute the assumption coverage of the Byzantine failure model, i.e., the probability that the failure assumption holds in practice. For this latter point we develop a methodology which allows one to estimate the reliability of a Byzantine-tolerant solution exposed to attackers of different strengths.