17 research outputs found

    Another Look at Relay and Distance-based Attacks in Contactless Payments

    Relay attacks on contactless e-payments were demonstrated in 2015. Since then, countermeasures have been proposed and Mastercard has recently adopted a variant of these in their specifications. These relay-counteractions are based on the payment-terminal checking that the card is close-by. To this end, several other EMV-adaptations have emerged, with the aim to impede dishonest cards cheating on their proximity-proofs. However, we argue that both the former and the latter measures are ineffective. We only sketch possible designs in the right directions, with the idea to pass on the message that these problems should be looked at much more carefully. We briefly debate what should and should not be the case w.r.t. confirmation of EMV contactless payments. We also discuss alternative views on making contactless payments secure against relay-attacks via proximity-checking.

    Fairness and Efficiency in DAG-based Cryptocurrencies

    Bitcoin is a decentralised digital currency that serves as an alternative to existing transaction systems based on an external central authority for security. Although Bitcoin has many desirable properties, one of its fundamental shortcomings is its inability to process transactions at high rates. To address this challenge, many subsequent protocols either modify the rules of block acceptance (longest chain rule) and reward, or alter the graphical structure of the public ledger from a tree to a directed acyclic graph (DAG). Motivated by these approaches, we introduce a new general framework that captures ledger growth for a large class of DAG-based implementations. With this in hand, and by assuming honest miner behaviour, we (experimentally) explore how different DAG-based protocols perform in terms of fairness, i.e., if the block reward of a miner is proportional to their hash power, as well as efficiency, i.e., what proportion of user transactions a ledger deems valid after a certain length of time. Our results demonstrate fundamental structural limits on how well DAG-based ledger protocols cope with a high transaction load. More specifically, we show that even in a scenario where every miner on the system is honest in terms of when they publish blocks, what they point to, and what transactions each block contains, fairness and efficiency of the ledger can break down at specific hash rates if miners have differing levels of connectivity to the P2P network sustaining the protocol.

    Scather: programming with multi-party computation and MapReduce

    We present a prototype of a distributed computational infrastructure, an associated high level programming language, and an underlying formal framework that allow multiple parties to leverage their own cloud-based computational resources (capable of supporting MapReduce [27] operations) in concert with multi-party computation (MPC) to execute statistical analysis algorithms that have privacy-preserving properties. Our architecture allows a data analyst unfamiliar with MPC to: (1) author an analysis algorithm that is agnostic with regard to data privacy policies, (2) use an automated process to derive algorithm implementation variants that have different privacy and performance properties, and (3) compile those implementation variants so that they can be deployed on an infrastructure that allows computations to take place locally within each participant’s MapReduce cluster as well as across all the participants’ clusters using an MPC protocol. We describe implementation details of the architecture, discuss and demonstrate how the formal framework enables the exploration of tradeoffs between the efficiency and privacy properties of an analysis algorithm, and present two example applications that illustrate how such an infrastructure can be utilized in practice. This work was supported in part by NSF Grants: #1430145, #1414119, #1347522, and #1012798.

    FruitChains: A Fair Blockchain

    Nakamoto's famous blockchain protocol enables achieving consensus in a so-called permissionless setting---anyone can join (or leave) the protocol execution, and the protocol instructions do not depend on the identities of the players. His ingenious protocol prevents "sybil attacks" (where an adversary spawns any number of new players) by relying on computational puzzles (a.k.a. "moderately hard functions") introduced by Dwork and Naor (Crypto'92). Recent work by Garay et al. (EuroCrypt'15) and Pass et al. (manuscript, 2016) demonstrates that this protocol provably achieves consistency and liveness assuming a) honest players control a majority of the computational power in the network, b) the puzzle-hardness is appropriately set as a function of the maximum network delay and the total computational power of the network, and c) the computational puzzle is modeled as a random oracle. Assuming honest participation, however, is a strong assumption, especially in a setting where honest players are expected to perform a lot of work (to solve the computational puzzles). In Nakamoto's Bitcoin application of the blockchain protocol, players are incentivized to solve these puzzles by receiving rewards for every "block" (of transactions) they contribute to the blockchain. An elegant work by Eyal and Sirer (FinancialCrypt'14), strengthening and formalizing an earlier attack discussed on the Bitcoin forum, demonstrates that a coalition controlling even a minority fraction of the computational power in the network can gain (close to) 2 times its "fair share" of the rewards (and transaction fees) by deviating from the protocol instructions. In contrast, in a fair protocol, one would expect players controlling a $\phi$ fraction of the computational resources to reap a $\phi$ fraction of the rewards.
In this work, we present a new blockchain protocol---the FruitChain protocol---which satisfies the same consistency and liveness properties as Nakamoto's protocol (assuming an honest majority of the computing power), and additionally is $\delta$-approximately fair: with overwhelming probability, any honest set of players controlling a $\phi$ fraction of computational power is guaranteed to get at least a fraction $(1 - \delta)\phi$ of the blocks (and thus rewards) in any $\Omega(\kappa/\delta)$ length segment of the chain (where $\kappa$ is the security parameter). As a consequence, if this blockchain protocol is used as the ledger underlying a cryptocurrency system, where rewards and transaction fees are evenly distributed among the miners of blocks in a length $\kappa$ segment of the chain, no coalition controlling less than a majority of the computing power can gain more than a factor $(1 + 3\delta)$ by deviating from the protocol (i.e., honest participation is an $n/2$-coalition-safe $3\delta$-Nash equilibrium). Finally, the fruit chain protocol enables decreasing the variance of mining rewards and as such significantly lessens (or even obliterates) the need for mining pools.