The Seven Grand Challenges

IC3 has many projects underway to address what we identify as seven “Grand Challenges” to widespread blockchain adoption. A number of examples are given below.

The seven Grand Challenges outlined above serve as a motivation and a project map for the following IC3 projects.

Projects

NFTs for Art and Collectables: Primer and Outlook
Support Grand Challenges:
Social Good
Sound Migration

Non-fungible tokens (NFTs) are digital objects that reside on blockchains and are tipically associated with unique digital media, such as images or music. A recent frenzy of popular interest has given rise seemingly overnight to a multi-billion NFT market. Individual NFTs can sell for millions or tens of millions of dollars, shile creators ranging from traditional artists such as Damien Hirst and Grimes to mainstream consumer-goods companies such as Coca-Cola and Nike are producing their own NFT collections. This primer's focus is on NFTs for art and collectables. Our aim is to give non-technical readers a basic familiarity with the technology behind NFTs, the history of their development, the current state of the NFT community and marketplace, and a notion of how NFTs might evolve in the future. We also offer a brief overview of the dynamics of traditional art markets and discuss the similarities, differences, and points of intersection in NFT markets. We hope that readers will come away from this primer with a basic understanding of how blockchains, smart contracts, and cryptographic keys work, an appreciation of some of the novel ways in which NFTs are empowering artists, a picture of the variety of dynamism of NFTs projects and communities, and possibly a hankering to own at least a fractional Bored Ape. For further information, please see our paper.

Efficient MDP Analysis for Selfish-Mining in Blockchains
Support Grand Challenges:
Correctness by Design and Construction
Safety and Compliance

A proof of work (PoW) blockchain protocol distributes rewards to its participants, called miners, according to their share of the total computational power. Sufficiently large miners can perform selfish mining - deviate from the protocol to gain more than their fair share. Such systems are thus secure if all miners are smaller than a threshold size so their best response following the protocol. To find the threshold, one has to identify the optimal strategy for miners of different sizes, i.e., solve a Markov Decision Process (MDP). However, because of the PoW difficulty adjustment mechanism, the miners' utility is a non-linear ratio function. We therefore call this an Average Reward Ratio (ARR) MDP. Sapishtein et al. were the first to solve ARR MDPs by solving a series of standard MDPs that converge to ARR MDP solution. In this work, we present a novel technique for solving an ARR MDP by solving a single standard MDP. The crux of our approach is to argument the MDP such that it terminates randomly, within an expected number of rounds. We call this Probabilistic Termination Optimization (PTO), and the technique applies to any MDP whose utility is a ratio function. We bound the approximation error of PTO - it is inversely proportional to the expected number of rounds before termination, a parameter that we control. Empirically, PTO's complexity is an order of magnitude lower than the state of the art. PTO can be easily applied to different blockchains. We use it to tighten the bound on the threshold for selfish mining in Ethereum. Link to our paper.

Colordag: An Incentive-Compatible Blockchain
Support Grand Challenges:
Safety and Compliance
Correctness by Design and Construction

Proof-of-work blockchain protocols rely on incentive compatibility. System participants, called miners, generate blocks that form a directed acyclic graph (blockdag). The protocols aim to compensate miners based on their mining power, that is, the fraction of computational resources they control. The protocol designates rewards, striving to make the prescribed protocol be the miners best response. The Nakamoto Bitcoin protocol achieves this for miners controlling up to almost 1/4 of the total mining power, and the Ethereum protocol does about the same. The state of the art in increasing this bound is Fruitchain, which works with a bound of 1/2. Fruitchain guarantees that miners can increase their revenue by only a negligible amount if they deviate. It is thus an e-Nash equilibrium, for a small e. However, the Fruitchain mechanism allows a rational miner to deviate without penalty. We show that a simple practical deviation guarantees a miner a small increase in expected utility without any risk. This deviation results in a violation of the protocol desiderata. We conclude that, in our context, e-Nash equilibrium is a rather fragile solution concept. We propose a more robust approach that we call e-sure Nash equilibrium, in which each miner behavior is almost always a strict best response, and present Colordag, the first blockchain protocol that is an e-sure Nash equilibrium for miners with less than 1/2 of the mining power. To achieve this, Colordag utilizes three techniques. First, it assigns blocks colors - rewards are assigned based on each color separately. By choosing sufficiently many colors, we make sensitivity to network latency negligible. Second, Colordag penalizes forking - intentional bifurcation of the blockdag. Third, Colordag prevents miners from retroactively changing rewards. All this results in an e-sure Nash equilibrium. Even when playing an extremely strong adversary with perfect knowledge of the future (specifically, when agents will generate blocks and when messages will arrive), correct behavior is a strict best response with high probability. Link to our paper.

Generalized Proof of Liabilities
Support Grand Challenges:
Confidentiality
Safety and Compliance
Social Good

Proof of Liabilities (PoL) allows a prover to prove his/her liabilities to a group of verifiers. This is a cryptographic primitive once used only for proving financial solvency but is also applicable to domains outside finance, including transparent and private donations, new algorithms for disapproval voting and publicly verifiable official reports such as COVID-19 daily cases. These applications share a common nature in incentives, it's not in the prover's interest to increase his/her total liabilities. We generalize PoL for these applications by attempting for the first time to standardize the goals it should achieve from security, privacy and efficiency perspectives. We also propose DAPOL+, a concrete PoL scheme extending the state-of-the-art DAPOL protocol but providing provable security and privacy, with benchmark results demonstrating its practicality. In addition, we explore techniques to provide additional features that might be desired in different applications of PoL and measure the asymptotic probability of failure. Link to our paper.

Copyright Vulnerabilities in NFTs
Support Grand Challenges:
Safety and Compliance

NFTs for creative works depend on copyright law to give owners the set of rights they need but community expectations and NFT licenses are often not aligned with the actual legal rights owning an NFT conveys. We describe some of the issues, using well-known NFT projects as examples, and call for NFT developers to pay more attention to copyright licensing.

WeRLman: To Tackle Whale (Transactions), Go Deep (RL)
Support Grand Challenges:
Secure Scaling and Performance
Safety and Compliance

The security of proof-of-work blockchain protocols critically rellies on incentives. Their operators, called miners, receive rewards for creating blocks containing user-generated transactions. Each block rewards its creator with newly minted tokens and with transactions fees paid by the users. The protocol stability is violated if any of the miners surpasses a threshold ratio of the computanional power-she is motivated to deviate with selfish mining and increase her rewards. Previous analyses of selfish mining strategies assumed constant rewards. But with statistics from operational systems, we show that there are occasional whales~--blocks with exceptional rewards. Modeling this behavior implies a state-space that grows exponentially with the parameters, becoming prohibitively large for existing analysis tools. We present the WeRLman framework to analyze such models. WeRLman uses deep Reinforcement Learning (RL), inspired by the state-of-the-art AlphaGo Zero algorithm. Directly extending AlphaGo Zero to a stochastic model leads to high sampling noise, which is detrimental to the learning process. Therefore, WeRLman employs novel variance reduction techniques by exploiting the recurrent nature of the system and prior knowledge of transition probabilities. Evaluating WeRLman against models we can accurately solve demonstrates it achieves unprecedented accuracy in deep RL for blockchain. We use WeRLman to analyze the incentives of a rational miner in various settings and upper-bound the security threshold of Bitcoin-like blockchains. The previoulsy known bound, with constant rewards, stands at ~0.25. We show that considering whale transactions reduces this threshold considerably. In particular, with Bitcoin historical fees and its future minting policy, its threshold for deviation will drop to ~0.2 in 10 years, ~0.17 in 20 years, ~0.12 in 30 years. With recent fees from the Ethereum smart-contract platform, the threshold drops to ~0.17. These are below the common sizes of large miners. For more information, please see our paper.

LedgerHedger: Gas Reservation for Smart-Contract Security
Support Grand Challenges:
Safety and Compliance
Correctness by Design and Construction

Smart-contract ledger platforms, like Ethereum, rate-limit their workload with incentives. Users issue orders, called transactions, with assigned fees, and system operators, called miners, confirm them and receive the fees. The combination of limited throughput and varying demand results in a volatile fee market, where underpaying transactions are not confirmed. However, the security of prominent smart contracts, securring billions of dollars, critically relies on their transactions being confirmed in specific, future time frames. Despite theoretical and practical active efforts, guaranteeing timely confirmation remained an open problem. We present LedgerHedger, a mechanism for assuring that a miner will confirm the transactions a user makes in a target time frame. As the name implies, LedgerHedger employs hedging - the user pays for the transaction in advance and the miner commits to confirm it even if the required fee rises. But unlike regulated markets, there are no external enforcers, and miners unilaterally choose which transactions to confirm. Due to the amounts at stake, relying on miner altruism does not suffice. Therefore, LedgerHedger uses a combination of collateral deposits to incentivize correct behavior. The contract requires the issuer to deposit her payment and the miner to deposit a collateral. During the target time frame, the miner is incentivized to confirm the transactions the issuer made if it exists, but is also capable of withdrawing the payment and the collateral if not. LedgerHedger gives rise to a game, where the parties can only take specific actions. For a wide range of parameter values theres is a subgame perfect equilibrium where both parties act as desired. We implement LedgerHedger and deploy it on an Ethereum test network, showing its efficacy and minor overhead. Link to our paper.

Themis: Fast, Strong Order-Fairness in Byzantine Consensus
Support Grand Challenges:
Correctness by Design and Construction

We introduce Themis, a scheme for introducing fair ordering of transactions into (permissioned) Byzantine consensus protocols with at most f faulty nodes among n>_4f+1. Themis is the first such scheme to achieve (optimistic) linear communication complexity. At the same time, it enforces the strongest notion of fair ordering proposed to date. Themis also achieves standard liveness, rather than the weaker notion of previous work. We show experimentally that Themis, can be integrated into state-of-the-art consensus protocols with minimal modification or performance overhead. Additionally, we introduce a suite of experiments of general interest for evaluating the practical strength of various notions of fair ordering and the resilience of fair-ordering protocols to adversarial manipulation. We use this suite of experiments to show that the notion of fair ordering enforced by Themis is significantly stronger in theory and for realistic workloads than those of competing systems. We believe Themis offers strong practical protection against many types of transactions-ordering attacks---such as front-running and back-running---that are currently impacting commonly used smart contract systems. For more information, please see our paper.

Platypus: A Central Bank Digital Currency with Unlinkable Transactions and Privacy Preserving Regulations
Support Grand Challenges:
Correctness by Design and Construction
Safety and Compliance

Due to the popularity of blockchain-based cryptocurrencies, the increasing digitalizations of payments, and the constantly reducing role of cash in society, central banks have shown an increased interest in deploying central bank digital currencies (CBDCs) that could serve as a replacement of cash. While most recent research on CBDCs focuses on blockchain technology, it is not clear that this choice of technology provides the optimal solution. In particular, the centralized trust model of a CBDC offers opportunities for different designs. In this paper, we depart from blockchain designs and instead build on ideas from traditional e-cash schemes. We propose a new style of building digital currencies that combines the transaction processing model of e-cash with the account model of managing funds that is commonly used in blockchain solutions. We argue that such a style of building digital currencies in especially well-suited to CBDCs. We also design the first such digital currency system, called Platypus, that provides strong privacy, massive scalability, and expressive but simple regulation, which are all critical features for a CBDC. Platypus achieves these properties by adapting techniques from previous anonymous blockchain cryptocurrencies like Zcash and prior research on accountable private payments and applying them to the e-cash context. For more information, please see our paper.

Clockwork Finance: Automated Analysis of Economic Security in Smart Contracts
Support Grand Challenges:
Correctness by Design and Construction

Clockwork Finance Framework is a general purpose, formal verification framework for mechanized reasoning about the economic security properties of composed decentralized-finance (DeFi) smart contracts. CFF features three key properties. It is contract complete, meaning that it can model any smart contract platform and all its contracts---Turing complete or otherwise. I does so with asymptotically optimal model size. It is also attacj-exhaustive by construction, meaning that it can automatically and mechanically extract all possible economic attacks on cryptocurrency across modeled contracts. Thanks to these properties, CFF can support multiple goals-economic security analysis of contracts by developers, analysis of DeFi trading risks by users, and optimization of arbitrage opportunities by bots or miners. Because CFF offers composability, it can support these goals with reasoning over any desired set of potentially interacting smart contract models. We instantiate CFF as an executable model for Ethereum contracts that incorporates a state-of-the-art deductive verifier. Building on previous work, we introduce extractable value (EV), a new formal notion of economic security in composed DeFi contracts that is both a basis for CFF analyses and of general interest. We construct modular, human-readable, composable CFF models of four popular, deployed DeFi protocols in Ethereum - Uniswa, Uniswap V2, Sushiswap, and MakerDAO, representing a combined 17 billion USD in value as of August 2021. We used these models to show experimentally that CFF is practical and can drive useful, data-based insights from real world transaction activity. Without any explicitly programmed attack strategies, CFF uncovers on average an expected 56 million USD of EV per month in the recent years. For more information, please see our paper.

HEB: Hybrid-Expenditure Blockchains
Support Grand Challenges:
Safety and Compliance
Social Good

Proof of Work (PoW) is a Sybil-deterrence security mechanism. It introduces an external cost to a system by requiring computational effort to perform actions. However, since its inception, a central challenge was to tune this cost. Initial designs for deterring spam email and DoS attacks applied overhead equally to honest participants and attackers. Requiring too little effort did not deter attacks, whereas too much, encumbered honest participation. This might be the reason it was never widely adopted. Nakamoto overcame this trade-off in Bitcoin by distinguishing desired from malicious behavior and introducing internal rewards for the former. This solution gained popularity in securing cryptocurrencies and using the virtual internally-minted tokens for rewards. However, in existing blockchain protocols the internal rewards fund (almost) the same value of external expenses. Thus, as the token value soars, so does the PoW expenditure. Bitcoin PoW, for example, already expends as much electricity as Columbia or Switzerland. This amount of resource-guzzling is unsustainable and hinders even wider adoption of these systems. In this work we present Hybrid Expenditure Blockchain (HEB), a novel PoW mechanism. HEB is a generalization of the Nakamoto protocol that enables tuning the external expenditure by introducing a complementary internal-expenditure mechanism. Thus, for the first time, HEB decouples external expenditure from the reward value. We show a practical parameter choice by which HEB requires significantly less external consumption compared to the Nakamoto protocol, its resilience against rational attackers is similar, and it retains the decentralized and permissionless nature of the system. Taking the Bitcoin ecosystem as an example, HEB cuts the electricity consumption by half. For more information, please see our paper.

Publicly Auditable MPC-as-a-Service with succinct verification and universal setup
Support Grand Challenges:
Confidentiality
Correctness by Design and Construction

In recent years, multiparty computation as a service (MPCaaS) has gained popularity as a way to build distributed privacy-preserving systems. We argue that for many such applications, we should also require that the MPC protocol is publicly auditable, meaning that anyone can check the given computation is carried out corectly -- even if the server nodes carrying out the computation are all corrupt. In a nutshell, the way to make an MPC protocol auditable is to combine an underlying MPC protocol with verifiable computing proof (in particular, a SNARK). Building a general-purpose MPCaaS from existing constructions would require us to perform a costly "trusted setup" every time we wish to run a new or modified application. To address this, we provide the first efficient construction for auditable MPC that has a one-time universal setup. Despite improving the trusted setup, we match the state-of-the-art in asymptotic performance--the server nodes incur a linear computation overhead and constant round communication overhead compared to the underlying MPC, and the audit size and verification are logarithmic in the application circuit size. We also provide an implementation and benchmarks that support our asymptotic analysis in example applications. Furthermore, compared with existing auditable MPC protocols, besides offering a universal setup our construction also has a 3x smaller proof, 3x faster verification time and comparable prover time. For further information, please see our paper.

Saber
Support Grand Challenges:
Correctness by Design and Construction
Secure Scaling and Performance

This project proposes the paradigm for parallel and asynchronous smart contract execution. Our paradigm distinguishes between consensus nodes and execution nodes. It allows different groups of execution nodes to execute transactions in parallel, and meanwhile, consensus nodes can continue ordering transactions and processing execution results in a non-blocking way. Due to our new dispute resolution strategy, it (empirically) only requires 10 execution nodes in each group. Moreover, it requires no coordination among execution nodes and can effectively prevent livelocks. For more information, please see our paper.

GoAT: File Geolocation via Anchor Timestamping
Support Grand Challenges:
Correctness by Design and Construction

Blockchain systems are rapidly gaining traction. Decentralized storage systems like Filecoin are a crucial component of this ecosystem that aim to provide robust file storage through a Proof of Replication (PoRep) or its variants. However, a PoRep actually offers limited robustness. Indeed if all the file replicas are stored on a single hard disk, a single catastrophic event is enough to lose the file. We introduce a new primitive, Proof of Geo-Retrievability or in short "GeoPoRet", that enables proving that a file is located within a strict geographic boundary. Using GeoPoRet, one can trivially construct a PoRep by proving that a file is in several distinct geographic regions. We define what it means for a GeoPoRet scheme to be complete and sound, in the process making important extensions to prior formalism. We propose GoAT, a practical GeoPoRet scheme to prove file geolocation. Unlike previous geolocation systems that rely on trusted-verifiers, GoAT bootstraps using public timestamping servers on the internet that serve as geolocation anchors, tolerating a local threshold of dishonest anchors. GoAT internally uses a communication-efficient Proof-of-Retrievability (PoRet) scheme in a novel way to achieve constant-size PoRet-component in its proofs. We validate GoAT's practicality by conducting an initial measurement study to find usable anchors and also perform a real-world experiment. The results show that a significant fraction of the internet can be used as GoAT anchors. Furthermore, GoAT achieves geolocation radii as little as 1000km. Link to our paper.

Forsage: Anatomy of a Smart-Contract Pyramid Scheme
Support Grand Challenges:
Confidentiality
Correctness by Design and Construction
Safety and Compliance

Pyramid schemes are investment scams in which top-level participants in a hierarchical network recruit and profit from an expanding base of defrauded newer participants. Pyramid schemes have existed for over a century, but there have been no in-depth studies of their dynamics and communities because of the opacity of participants' transactions. In this paper, we present an empirical study of Forsage, a pyramid scheme implemented as a smart contract and at its peak, one of the largest consumers of resources in Ethereum. As a smart contract, Forsage makes its (byte)code and all of its transactions visible on the blockchain. We take advantage of this unprecedented transparency to gain insight into the mechanics, impact on participants, and evolution of Forsage. We quantify the (multi-million-dollar) gains of top-level participants as well as the losses of the vast majority (around 88%) of users. We analyze Forsage code both manually and using a purpose-built transaction simulator to uncover the complex mechanics of the scheme. Through complementary study of promotional videos and social media, we show how Forsage promoters have leveraged the unique features of smart contracts to lure users with false claims of trustworthiness and profitability, and how Forsage activity is concentrated within a small number of national communities. Link to our paper.

VyperFlow
Support Grand Challenges:
Correctness by Design and Construction

VyperFlow is a new programming language for blockchain-based smart contracts based on Vyper. It incorporates information flow control into its type system to maintain the integrity of date within a contract and avoid performing dangerous operations as a result of untrustworthy inputs. These techniques allow for static analysis that provably eliminates large classes of vulnerabilites, including the bugs that allowed attackers to extract and freeze tens of millions of dollars in two Parity Wallets incidents, as well as some reentrancy bugs like those that doomed the DAO. For further information, please see our paper.

AIRS: Automated Incentives for Reforestation Stewardship
Support Grand Challenges:
Social Good

The accelerating effect of global climate change is a major challenge for humanity. One critical component of any comprehensive solution is reforestation. As large and effective carbon sinks, forests are important to both conserve and expand. Not all types of forest, though, are equally effective at carbon sequestration. To create, monitor, and manage effective reforestation programs, it is essential that we be able to measure forest carbon accurately and with high geospatial precision. Our project will build infrastructure that, (1) Provides an accurate and trustworthy source of data on forest carbon and (2) Implements a system of automated monetary rewards for local inhabitants to conserve and/or increase forests that effectively reduce carbon emissions. By combining the two capabilities of reliable quantification and targeted rewards, we believe we can provide powerful support for climate change programs that aim to realize the value of forests as a part of the global economy. For instance, the REDD+ program, under development by parties to the United Nations Framework Convention on Climate Change, aims to incentivize developing countries to reduce emissions resulting from deforestation and forest degradation, thus conserving and enhancing forest carbon sticks. We will build a public performance-based payment system using two blockchain technologies. The first is an *oracle*, a trustworthy source of data for blockchain applications, it obtains and analyzes satellite data to relay trustworthy statistics on forest carbon. The second key component is a *smart contract*, a blockchain application that consumes data from the oracle and sends cryptocurrency rewards to forest stewards. Our system will also automatically identify the legitimate stakeholders/stewards of forested land by combining local land registry records, geolocation via smartphones, and fraud/anomaly detection.

Early Evidence of Effectiveness of Digital Contact Tracing for SARS-CoV-2 in Switzerland
Support Grand Challenges:
Authenticated Data Feeds
Safety and Compliance
Correctness by Design and Construction

In the wake of the pandemic of coronavirus disease 2019 (COVID-19), contact tracing has become a key element of strategies to control the spread of severe acute respiratory syndrome coronavirus 2019 (SARS-CoV-2). Given the rapid and intense spread of SARS-CoV-2, digital contact tracing has emerged as a potential complementary tool to support containment and mitigation efforts. Early modelling studies highlighted the potential of digital contact tracing to break transmission chains, and Google and Apple subsequently developed the Exposure Notification (EN) framework, making it available to the vast majority of smartphones. a growing number of governments have launched or announced EN-based contact tracing apps, but their effectiveness remains unknown. Here, we report early findings of the digital contact tracing app deployment in Switzerland. We demonstrate proof-of-principle that contact tracing reaches exposed contacts, who then test positive for SARS-CoV-2. This indicates that digital contact tracing is an effective complementary tool for controlling the spread of SARS-CoV-2. Continued technical improvement and international compatibility can further increase the efficacy, particularly also across country borders. For more information, please see our work.

SquiRL: Automatic Attack Analysis on Blockchain Incentive Mechanisms with Deep Reinforcement Learning
Support Grand Challenges:
Secure Scaling and Performance

Incentive mechanisms are central to the functionality of permissionless blockchains-they incentivize participants to run and secure the underlying consensus protocol. However, designing incentive-compatible incentive mechanisms is notoriously challenging. As a result, most public blockchains today use incentive mechanisms whose security properties are poorly understood and largely untested. In this work, we propose SquiRL, a framework for using deep reinforcement learning to analyze attacks on blockchain incentive mechanisms. We demonstrate SquiRL's power by first recovering known attacks, (1) the optimal selfish mining attack on Bitcoin [52], and (2) the Nash equilibrium in block withholding attacks [16]. We also use SquiRL to obtain several novel empirical results. First, we discover a counterintuitive flaw in the widely used rushing adversary model when applied to multi-agent Markov games with incomplete information. Second, we demonstrate that the optimal selfish mining strategy identified in [52] is actually not a Nash equilibrium in the multi-agent selfish mining setting. In fact, our results suggest (but do not prove) that when more than two competing agents engage in selfish mining, there is no profitable Nash equilibrium. This is consistent with the lack of observed selfish mining in the wild. Third, we find a novel attack on simplified version of the Ethereum finalization mechanism, Casper the Friendly Finality Gadget (FFG) that allows a strategic agent to amplify her rewards by up to 30%. Notably, [10] shows that honest voting is a Nash equilibrium in Casper FFG - our attack shows that when Casper FFG is composed with selfish mining, this is no longer the case. Altogether, our experiments demonstrate that SquiRL shows flexibility and promise as a framework for studying attack settings that have thus far eluded theoretical and empirical understanding. For more information, please see our paper.

CanDID: Can-Do Decentralized Identity with Legacy Compatibility, Sybil-Resistance, and Accountability
Support Grand Challenges:
Confidentiality
Safety and Compliance

CanDID is a platform for practical, user-friendly realization of decentralized identity, the idea of empowering end users with management of their own credentials. While decentralized identity promises to give users greater control over their private data, it burdens users with management of private keys, creating a significant risk of key loss. Existing and proposed approaches also presume the spontaneous availability of a credential-issuance ecosystem, creating a bootstrapping problem. They also omit essential functionality, like resistance to Sybil attacks and the ability to detect misbehaving or sanctioned users while preserving user privacy. CanDID addresses these challenges by issuing credentials in a user-friendly way that draws securely and privately on data from existing, unmodified web service providers. Such legacy compatibility similarly enables CanDID users to leverage their existing online accounts for recovery of lost keys. Using a decentralized commitee of nodes, CanDID provides strong confidentiality for user's keys, real-world identities, and data, yet prevents users from spawning multiple identites and allows identification (and blacklisting) of sanctioned users. To read more, see our paper.

MAD-HTCL - Because HTCL is Crazy-Cheap to Attack
Support Grand Challenges:
Correctness by Design and Construction
Safety and Compliance

Smart contracts and transactions allow users to implement elaborate constructions on cryptocurrency blockchains like Bitcoin, Ethereum, and Libra. Many of these, including operational payment channels, use a building block called Hased Time-Locked Contract (HTLC). In this work, we distill from HTLC a specification (HTLCSpec), and present an implementation called Mutual-Assured-Distruction Hashed Time-Locked Contract (MAD-HTCL). MAD-HTLC employs a novel approach of utilizing the existing blockchain operators, called miners, as part of the design. If a user misbehaves, MAD-HTLC incentivizes the miners to confiscate all their funds. We prove that MAD-HTLC satisfies HTLC-Spec with game-theoretic analysis and instantiate it on Bitcoin's operational blockchain. Notably, current miner software makes only little effort to optimize revenue, since the advantage is relatively small. However, as the demand grows and other revenue components shrink, miners are motivated to fully optimize their fund intake. By patching the standard Bitcoin client, we demonstrate such an optimization is easy to implement, making the miners natural enforcers of MAD-HTLC. Finally, we show how vulerable HTLC is to bribery attacks. An attacker can incentivize miners to prefer their transactions by offering high transaction fees. We demonstrate this can be easily implemented by patching Bitcoin client, and use game theoretic tools to qualitatively tighten the known cost bound of such bribery attacks. For the technical paper, see here.

HoneyBadgerMPC
Support Grand Challenges:
Secure Scaling and Performance
Confidentiality
Safety and Compliance

Multi-Party Computation (MPC) is a flexible paradigm for computing on confidential data. HoneyBadgerMPC is an asynchronous MPC protocol and implementation that scales to large networks and provides blockchain-grade fault tolerance and availability guarantees. For more info, please see HoneyBadgerMPC.

SCIF: Smart Contract Information Flow
Support Grand Challenges:
Safety and Compliance
Sound Migration

SCIF is a more secure programming language for building smart contracts. It automatically detects use of untrusted information, including vulnerabilities arising from reentrancy nd confused deputies. It provides a strong and decentralized security guarantee, supporting the secure construction of complex, interacting contracts. Link to our paper.

One Round Threshold ECDSA with Identifiable Abort
Support Grand Challenges:
Correctness by Design and Construction

Threshold ECDSA signatures have received much attention in recent years due to the widespread use of ECDSA in cryptocurrencies. While various protocols now exist that admit efficient distributed key generation and signing, these protocols have two main drawbacks. Firstly, if a player misbehaves, the protocol will abort, but all current protocols give no way to detect which player is responsible for the abort. In distributed settings, this can be catastrophic as any player can cause the protocol to fail without any consequence. General techniques to realize dishonest-majority MPC with identifiable abort add a prohibitive overhead, but we show how to build a tailored protocol for threshold ECDSA with minimal overhead. Secondly, current threshold ECDSA protocols (that do not rely on generic MPC) have numerous rounds of interaction. We present a highly efficient protocol with a non-interactive online phase allowing for players to asynchronously participate in the protocol without the need to be online simultaneously. We benchmark our protocols and find that our protocol simultaneously reduces the rounds and computations of current protocols, while adding significant functionality--identifiable abort and noninteractivity. For more information, please see our paper.

Confidence Clustering
Support Grand Challenges:
Correctness by Design and Construction

This project is focused on developing a set of metrics that can increase confidence in the results of cryptocurrency clustering heuristics. These new techniques, which will output a probability of two addresses belonging to the same cluster rather than a binary yes/no answer, will enable more informed decisions and strengthen the use of exisiting heuristics by providing more evidence that their results are correct.

Selfish Mining Re-examined
Support Grand Challenges:
Safety and Compliance

This project revisits the selfish mining (SM) strategy in two ways. First, we present a modified SM strategy, convert selfish mining, that, perplexingly, is more profitable than Nakamoto even when the attacker performs no selfish mining after a difficulty adjustment. This strategy has the added benefit that it is even harder to detect than pure SM, and may additionally increase token value through deflation. Second, we analyze the profitability of SM under several difficulty adjustment schemes. For further information, please see our paper.

Virgo
Support Grand Challenges:
Secure Scaling and Performance
Confidentiality

Virgo is a new zero knowledge proofs scheme for layered arithmetic circuits without trusted setup. It takes only 50 seconds to generate a proof for a circuit with 2^26 gates. And it has succinct prrof size and short verification time. It's based on a prior work Libra and a new transparent zero knowledge verifiable polynomial delegation scheme. The scheme is in the initeractive oracle proof model and based on the univeriate sumcheck. To read more, please see our paper.

BDoS: Blockchain Denial of Service
Support Grand Challenges:
Correctness by Design and Construction
Safety and Compliance

We have discovered a denial-of-service attack on Bitcoin-like blockchains that is much cheaper than previously described attacks. Such blockchains rely on incentives to provide security. We show how an attacker can disrupt those incentives to cause rational miners to stop mining. Read the technical report here.

Bone Crusher 2.0
Support Grand Challenges:
Safety and Compliance

The late legal scholar Greg Lastowka wrote about law, property, and self-government in virtual worlds like Ultima Online. His observations are relevant to blockchains and their communities of users. For more information, please read my paper.

All Smart Contracts Are Ambiguous
Support Grand Challenges:
Safety and Compliance

Legal contracts are written in natural language, which can introduce ambiguity as to their meaning. Blockchain-based smart contracts are written in programming languages, which seems to give them precise, objective meanings. But because the semantics of a smart contract can change if participants fork the underlying blockchain or revise its protocol, the meaning of a smart contract is always subject to this latent ambiguity. For more information, please read my paper.

I Can't Believe It's Not Stake
Support Grand Challenges:
Secure Scaling and Performance
Correctness by Design and Construction

Dozens of Proof-of-Stake cryptocurrencies are vulnerable to resource exhaustion attacks due to incomplete validation of blocks prior to allocating storage resources (disk, memory) to data from untrusted peers. For further details, please see our paper.

DECO
Support Grand Challenges:
Confidentiality
Safety and Compliance

DECO is a privacy-preserving oracle protocol. Using cryptographic techniques, it lets users prove facts about thier web (TLS) sessions to oracles while hiding privacy-sensitive data. For more information, see deco.works.

Teechain: A Secure Payment Network with Asynchronous Blockchain Access
Support Grand Challenges:
Secure Scaling and Performance

Teechain is the first asynchronous second layer payment network that allows users to execute immediate payments while not requiring parties to constantly monitor the blockchain. Teechain leverages trusted execution environments (TEEs) and uses a new variant of chain replication to ensure security against TEE compromise and side-channel attacks. Teechain achieves at least 33x better throughput than other existing payment networks. For more info, please see our paper.

Ostraka
Support Grand Challenges:
Secure Scaling and Performance

Currently, the capacity of a blockchain node can only scale by replacing hardware. For better performance, one must obtain newer hardware. Node capacity effects both initial sync time and block propagation time in the network. We utilize the parallel nature of the UTXO set to build a scalable node architecture. For more info, please see our paper.

Pay To Win: Cheap, Crowdfundable, Cross-chain Algorithmic Incentive Manipulation Attacks on PoW Cryptocurrencies
Support Grand Challenges:
Correctness by Design and Construction
Safety and Compliance

In this paper we extend the attack landscape of bribing attacks on cryptocurrencies by presenting a new method, which we call Pay-To-Win (P2W). To the best of our knowledge, it is the first approach capable of facilitating double-spend collusion across different blockchains. Moreover, our technique can also be used to specifically incentivize transaction exclusion or (re)ordering. For our construction we rely on smart contracts to render the payment and receipt of bribes trustless for the briber as well as the bribee. Attacks using our approach are operated and financed out-of-band i.e., on a funding cryptocurrency, while the consequences are induced in a different target cryptocurrency. Hereby, the main requirement is that smart contracts on the funding cryptocurrency are able to verify consensus rules of the target. For a concrete instantiation of our P2W method, we choose Bitcoin as a target and Ethereum as a funding cryptocurrency. Our P2W method is designed in a way that reimburses collaborators even in the case of an unsuccessful attack. Interestingly, this actually renders our approach approximately one order of magnitude cheaper than comparable bribing techniques (e.g., the whale attack). We demonstrate the technical feasibility of P2W attacks through publishing all relevant artifacts of this paper, ranging from calculations of success probabilities to a fully functional proof-of-concept implementation, consisting of an Ethereum smart contract and a Python client. For more information, please see our paper.

Avalanche
Support Grand Challenges:
Secure Scaling and Performance

BFT consensus used by cryptocurrencies consists of two families, traditional consensus and Nakamoto's consensus. The former is usually leader-based, quadratic in message complexity. It requires precise membership knowledge, and suffers from leader bottleneck as it scales up in size. While the latter does not require membership, it is poor in performance and wasteful in energy due to PoW. This project proposes the third, new category of consensus protocols that is PoW-free, leader-less, committee-less, permission-less. It exerts the powerful meta-stability inspired by epidemic protocols, and operators as fast as the network propagates. For more info, please see our avalabs.org.

Charlotte
Support Grand Challenges:
Secure Scaling and Performance

Charlotte is a new open framework for building parallel, interoperable blockchain systems. It supports a variety of consensus machanisms including proof of work as well as more classic distributed consensus protocols. For more information, please see our paper.

Libra
Support Grand Challenges:
Secure Scaling and Performance
Confidentiality

We present Libra, the first zero-knowledge proof system that has both optimal prover time and succinct proof size/verification time. In particular, if C is the size of the circuit being proved (i) the prover time is O(C) irrespective of the circuit type, (ii) the proof size and verification time are both O(d log C) for d-depth log-space uniform circuits (such as RAM programs). In addition Libra features an one-time trusted setup that depends only on the size of the input to the circuit and not the circuit logic. Underlying Libra is a new linear-time algorithm for the prover of the interactive proof protocol by Goldwasser, Kalai and Rothblum (also known as GKR protocol), as well as an efficient approach to turn the GKR protocol to zero-knowledge using small masking polynomials. Not only does Libra have excellent asymptotics, but it is also efficient in practice. For example, our implementation shows that it takes 200 seconds to generate a proof for constructing a SHA2-based Merkle tree root on 256 leaves, outperforming all existing zero-knowledge proof systems. Proof size and verification time of Libra are also competitive. For more information, please see our paper.

CHURP (CHUrn-Robust Proactive secret sharing)
Support Grand Challenges:
Secure Scaling and Performance
Confidentiality

CHURP enables secure secret-sharing in dynamic settings where the committee of nodes storing a secret may change over time. Designed for blockchain settings, CHURP has communication complexity much lower than previous schemes; O(n) on-chain and O(n^2) off-chain in the optimistic case of no node failures. For more information, please see our paper.

TxProbe
Support Grand Challenges:
Secure Scaling and Performance

TxProbe is a mechanism for inferring the topology of the Bitcoin P2P network, making use of how nodes process out-of-order (or ("orphan")) transactions. It can be used to take snapshots of the network over a period of minutes. For more info, please see our paper.

Public Incompressible Encodings (PIEs)
Support Grand Challenges:
Authenticated Data Feeds

We present a provably secure approach to proving file replication (or other erasure coding) in distributed storage networks (DSNs). Storing multiple copies of a file F is essential in DSNs to ensure against file loss in the event of faulty servers or corrupt data. The public nature of DSNs, however, makes this goal challenging. Files must be encoded and decoded using public coins - i.e., without encryption or other secret-key operations - and retention of files by servers in the network must be verifiable. For more info, please see our paper.

The Gap Game
Support Grand Challenges:
Safety and Compliance

Incentive analysis in a PoW cryptocurrency, where transaction fees play a dominant role. We analyze suck systems as a game and show ("mining gaps") occur - periods of time where miners are incentivized to be idle instead of actively mining. We also show in such systems, miners are better off forming coalitions, which leads to a centralized system. For more info, please see our paper.

Project Chicago
Support Grand Challenges:
Secure Scaling and Performance

Project Chicago is a new research initiative aiming to explore a question fundamental to all cryptocurrencies - what resources are being exchanged in blockchain markets, and how can we accurately price these resources? Read more at projectchicago.io.

PISA Outsourcing
Support Grand Challenges:
Secure Scaling and Performance
Safety and Compliance

The security guarantees of Payment Channel Networks (PCNs) rely on the availability of an online party to defend honest nodes in cases of a spurious disputes. PISA is a protocol for outsourcing this task to a limited third party while receiving a fair exchange receipt. For more info, please see our paper.

Ironwood
Support Grand Challenges:
Correctness by Design and Construction

Ironwood is a formal verification framework for Byzantine-fault tolerant consensus protocols implemented in Coq. Its goal is to produce formally verified implementations of consensus protocols with competitive performance while being flexible and compositional to support a wide range of protocols, including blockchain-style protocols such as Hotstuff. Ironwood utilizes domain-specific features of distributed systems through novel programming language constructs to reduce the verification effort of protocol implementation and enables verification of more practical, optimized protocols.

Ekiden
Support Grand Challenges:
Confidentiality

Ekiden is a system that addresses these critical confidentiality and performance gaps in smart contracts by combining blockchains with Trusted Execution Environments (TEEs). Ekiden leverages a novel architecture that separates consensus from execution, enabling efficient TEE-backed confidentiality-preserving smart-contracts and high scalability. Our prototype (with Tendermint as the consensus layer) achieves example performance of 600x more throughput and 400x less latency at 1000x less cost than the Ethereum mainnet. For more information, please see our paper.

CALYPSO: Private Data Management for Decentralized Ledgers
Support Grand Challenges:
Confidentiality
Authenticated Data Feeds

CALYPSO introduces on-chain secrets, a novel abstraction that enforces atomic deposition of an auditable trace whenever users access confidential data. CALYPSO provides user-controlled consent management that ensures revocation atomicity and account anonymity. For further information, please see our paper.

Paralysis Proofs
Support Grand Challenges:
Confidentiality

A (3, 3)-multisignature cryptocurrency wallet experiences access-control paralysis upon loss of a single key, but a (2, 3)-multisig allows any two players to collude and steal funds from the third. Paralysis Proofs address this conundrum and others by allowing multisig parameters to be changed *securely* if users become unavailable. For more info, please see our paper.

Tesseract
Support Grand Challenges:
Confidentiality

We propose Tesseract, a secure real-time cryptocurrency exchange service. Existing centralized exchnge designs are vulnerable to theft of funds, while decentralized exchanges cannot offer real-time crrosschain trades. All currently deployed exchanges are also vulnerable to frontrunning attacks. Tesseract overcomes these flaws and achieves a best-of-bothworlds design by using Intel SGX as a trusted execution environment. For more info, please see our paper.

The Hydra Project
Support Grand Challenges:
Correctness by Design and Construction

Hydra is a cutting-edge Ethereum contract development framework for decentralized security and bug bounties rigorous cryptoeconomic security guarantees mitigating programmer and compiler error.

PriFi: Low-Latency Anonymity for Organizational Networks
Support Grand Challenges:
Confidentiality

Organizational networks are vulnerable to traffic analysis attacks that enable adversaries to infer sensitive information from network traffic - even if encryption is used. Typical anonymous communication networks are tailored to the Internet and are poorly suited for organizational networks. We present PriFi, an anonymous communication protocol for LANs, which protects users against eavesdroppers and provides high-performance traffic-analysis resistance. PriFi builds on Dining Cryptographers networks (DC-nets), but reduces the high communication latency of prior designs via a new client/relay/server architecture, in which the client packets remain on their usual network path without additional hops, and in which a set of remote servers assist the anonymization process without adding latency. PriFi also solves the challenge of equivocation attacks, which are not addressed by related work, by encrypting traffic based on communication history. Our evaluation shows that PriFi introduces modest latency overhead (~100ms for 100 clienrs) and is compatible with delay-sensitive applications such as Voice-over-IP. For more information, please see our paper.

CHAINIAC: Proactive Software-Update Transparency via Collectively Signed Skipchains and Verified Builds
Support Grand Challenges:
Correctness by Design and Construction

CHAINIAC is a decentralized software update framework that aliminates single points of failure, enforces transparency, and provides efficient verifiability of integrity and authenticity for software-release processes. Independent witness servers collectively verify conformance of software updates to release policies, build verifiers validate the source-to-binary correspondence, and a tamper-proof release log stores collectively signed updates, thus ensuring that no release in accepted by clients before being widely disclosed and validated. The release log embodies a skipchain, a novel data structure, enabling arbitrarily out-of-date clients to efficiently validate updates and signing keys. Link to paper.

OmniLedger: A Secure, Scale-Out, Decentralized Ledger via Sharding
Support Grand Challenges:
Secure Scaling and Performance

OmniLedger is a novel scale-out decentralized ledger framework that preserves longterm security under permissionless operation by using bias-resistant public-randomness for choosing large, statistically representative shards that process transactions, and by introducing Atomix, an efficient cross-shard commit protocol, that atomically handles transactions affecting multiple shards. OmniLedger's throughput scales linearly in the number of active validators, supporting Visa-level workloads and beyond, while confirming typical transactions in under two seconds thanks to its low-latency "trust-but-verify" transaction validation mechanism. Link to our paper.

Proof-of-Personhood: Redemocratizing Permissionless Cryptocurrencies
Support Grand Challenges:
Safety and Compliance

Proof-of-personhood (PoP) is a mechanism that binds physical entities to virtual identities in a way that enables accountability while preserving anonymity. Proof-of-personhood can be used as a democratic alternative to the commonly used proof-of-work or proof-of-stake approaches to create secure identities in permissionless cryptocurrencies. The prototype cryptocurrency to PoPCoin utilizes PoP in its consensus layer showing how a continuously fair and democratic wealth creation process could look like which paves the way for experimental basic income infrastructure. Please see our paper.

Sprites and State Channels
Support Grand Challenges:
Safety and Compliance
Secure Scaling and Performance

Off-chain payment channel networks (PCNs) are a leading approach for improving the scalability of blockchains. Sprites is an innovative construction that reduces the worst-case lockup time during which, funds must be held in escrow for a PCN payment. For more info, please see our paper.

Miniature World: A Test Bed for Simulating Real World Blockchain
Support Grand Challenges:
Secure Scaling and Performance

Miniature World is a large blockchain emulation test bed at Cornell University consisting of ~1000 nodes. This test bed enables us to run experiments on different blockchains, and a variety of use cases, using realistic internet latencies to evaluate real world scenarios (as referenced above for Bitcoin-NG). We make Miniature World available for our Industry Sponsors to evaluate various block chains and their use cases. For more info about becoming an IC3 Industry Sponsor, please see our website.

Town Crier: Authenticated Data Feeds for Smart Contracts
Support Grand Challenges:
Confidentiality
Authenticated Data Feeds
Sound Migration

In order to reason about the real world, smart contracts in cryptocurrency systems will rely on informational input from what we call authenticated data feeds (ADFs); such information can include stock prices, meteorological reports, news, and other current events. It is therefore important that an ADF be trustworthy, in the sense of providing security against manipulation by an attacker attempting to influence the outcome of a contract. By utilizing trusted hardware to provide reliable, digitally signed attestations on data to client contracts, the Town Crier system can serve as a trustworthy ADF under minimal trust assumptions about its operator. For further details, please see our paper.

Gyges: Crime in Decentralized Smart Contracts
Support Grand Challenges:
Safety and Compliance

Two of the most widely desired goals for "Bitcoin 2.0" are privacy and more expressive smart contracts. Many uses of cryptocurrency have a clear and legitimate need for privacy (e.g., financial service companies are expected to protect the privacy of their clients' transactions). General purpose smart contract programming frameworks make it easy to tinker, prototype, and search for the next "killer application" for cryptocurrencies. These two directions seem to be at odds with each other; however, through the use of sophisticated cryptography (like zero knowledge proofs and multi-party computation), we explore how to achieve both goals at once. For further details, please see our paper.

ByzCoin: Enhancing Bitcoin Security and Performance with Strong Consistency via Collective Signing
Support Grand Challenges:
Secure Scaling and Performance

ByzCoin is a novel Byzantine consensus protocol that leverages scalable collective signing to commit Bitcoin transactions irreversibly within seconds while preserving Bitcoin's open membership by dynamically forming hash power-proportionate consensus groups that represent recently-successful block miners. ByzCoin mitigates double spending and selfish mining attacks by producing collectively signed transaction blocks within one minute of transaction submission. ByzCoin achieves a throughput higher than Paypal currently handles (>700 tx/s), with a confirmation latency of 15-20 seconds. Learn more at USENIX 2016.

Hawk: Privacy-Preserving Blockchain & Smart Contracts
Support Grand Challenges:
Correctness by Design and Construction
Confidentiality

Existing blockchain-based cryptocurrencies such as Bitcoin and Ethereum store all financial transactions in the clear on the blockchain. This compromises the privacy of financial transactions, which is essential in numerous applications. Hawk is a blockchain-based smart contract system that stores encrypted transactions on the blockchain, and relies on cryptography to retain the security of the cryptocurrency. For more info, please see our paper.

Solidus: Confidential Financial Transaction Settlement on a Distributed Ledgers
Support Grand Challenges:
Secure Scaling and Performance
Confidentiality

Solidus is a cryptocurrency ("blockchain") that can be run by a confederation or consortium of trustworthy entities--banks, governments, auditors, etc. While it retains some of the benefits of decentralization, Solidus offers higher performance and tighter governance and control than existing cryptocurrencies such as Bitcoin. Many successful peer-to- peer technologies have historically been eclipsed or supplanted by centralized or commercial systems (e.g., in the online music industry). Solidus addresses the possibility and desire by many financial institutions that cryptocurrencies and contracts will follow a similar path. For more info, please see the Solidus presentation at our 2016 IC3 Retreat in NYC.

Fruitchain: A new Approach for Incentive Compatible Blockchains
Support Grand Challenges:
Secure Scaling and Performance

Most of today's blockchains, such as Bitcoin, are not "incentive compatible", meaning they are quite vulnerable to strategic gaming by dishonest adversaries. For example, IC3 has proven that the Bitcoin blockchain can be compromised by miners or mining pools with much less than 50% of the mining hash power. Fruitchain is an innovative blockchain methodology that discourages dishonest gaming, by making it extremely unprofitable for an adversary with less than 50% of the hash power, achieving an epsilon-equilibrium or near-Nash equilibrium. For more info, please see the Fruitchain presentation by IC3 co-director Professor Elaine Shi at our 2016 IC3 Retreat in NYC.

FLAC: A Calculus for Flow-Limited Authorization
Support Grand Challenges:
Correctness by Design and Construction

Real-world applications routinely make authorization decisions based on dynamic computation. Integrity of the system might be compromised if attackers can improperly influence the authorizing computation. Confidentiality can also be compromised by authorization, since authorization decisions are often based on sensitive data such as membership lists and passwords. Flow-Limited Authorization Calculus (FLAC) is both a simple, expressive model for reasoning about dynamic authorization and also a language for securely implementing various authorization mechanisms. FLAC provides strong end-to- end information security guarantees even for programs that incorporate and implement rich dynamic authorization mechanisms. For more info, please see the presentation by Professor Andrew Myers “Verifying Information Security of Code in Dynamic Systems” at our 2016 IC3 Retreat in NYC.

HoneyBadgerBFT: The Honey Badger of BFT Protocols
Support Grand Challenges:
Secure Scaling and Performance

HoneyBadgerBFT is the first practical asynchronous BFT protocol, which guarantees liveness without making any timing assumptions. We base our solution on a novel atomic broadcast protocol that achieves optimal asymptotic efficiency. We present an implementation and experimental results to show our system can achieve throughput of tens of thousands of transactions per second, and scales to over a hundred nodes on a wide area network. We even conduct BFT experiments over Tor, without needing to tune any parameters. Unlike the alternatives, HoneyBadgerBFT simply does not care about the underlying network. For more info, please see our paper.

Bitcoin-NG: A Next-generation Blockchain Protocol
Support Grand Challenges:
Secure Scaling and Performance

Bitcoin-NG is a new protocol pioneered by IC3. It addresses the scalability bottleneck of Bitcoin by enabling the Bitcoin network to achieve the highest throughput allowed by the network conditions. Paradoxically, not only does it improve transaction throughput, it also reduces transaction latencies -- it is possible to get an initial transaction confirmation in seconds rather than in minutes. And it does so without changing Bitcoin’s open architecture and trust model. Our blockchain test bed Miniature World simulated Bitcoin-NG at 15% the size of the operational Bitcoin system, where we showed that Bitcoin–NG is only limited by the network. For more info, please see our paper.