TC Ccs16

Town Crier:
An Authenticated Data Feed

for Smart Contracts
Fan Zhang*, Ethan Cecchetti,

Kyle Croman, Elaine Shi, and
Ari Juels
*fanz@cs.cornell.edu
October 25, 2016 CCS’16, Vienna Town Crier: An Authenticated Data Feed for Smart Contracts
What’s a (decentralized) smart
contract?
• Executable object on blockchain
• Programed in Turing-complete
languages Contract
Abstraction: Smart contract
• Code can define arbitrarily rich
is virtual
trusted third party with *public* state.
functionalities
• Decentralized ➜ autonomous:
Execution enforced by network
Running example:
Self-enforcing flight delay insurance
Gimme a policy for

Flight #1234 on
Flight 17 May for a
policy price $1.
Insurance
$1
$100
Virtual Trusted Third Party
Gimme a policy for

Flight #1234 on
Flight 17 May for a
Only this doesn’t work.
Insurance
policy price $1.
$100
Smart contracts are data-
hungry, but…
Gimme a policy for
Flight #1234 on
Flight 17 May for a
policy price $1.
Insurance
x $100
Interesting smart contracts
need trustworthy data
Webpage
Stock quotes contents
Smart
Contract
Commodity Current
prices events
Weather
Sports
data
results
Today there are no good sources.

Proposed data-delivery approaches
• Prediction markets (e.g.,
Gnosis)
• Oracles, e.g., Oraclize.it
Blockchain
• Strong trust assumption
• Raw data format
• No Confidentiality
• Big data brokers serve
data Smart
Contract
Town Crier
Fan Zhang, Ethan Cecchetti, Kyle Croman,

Elaine Shi, and Ari Juels. Town Crier: An Authenticated
Data Feed for Smart Contracts. ACM CCS. 2016.
Town Crier (TC): Basic
Blockchain
Idea
Trusted Website
Is DL 2777
delayed?
XYZ.com
Flight
Insurance
Town
Crier
Authenticity property: Data delivered by TC is

exactly as served on source site XYZ.com
How to ensure authenticity?
Blockchain
Trusted Website
XYZ.com
Flight
Insurance
Town
Crier
SGX
Intel SGX: Isolation
Integrity Confidentiality
SGX
Program X
Other processes Other processes

and even OS and even OS can
cannot tamper with Enclave learn nothing* about
control flow of X the state of X
* Side-channels like page faults excepted
Intel SGX: Remote
attestation
SGX HW
Secret Flight
Key Insurance
SGX
attestation att =
𝚺intel[ X || User data]
Program X Program
Image
Remote Platform  X is running on a genuine SGX platform
*Signature 𝚺 (EPID) can be anonymous (group) or pseudonymous

Intel SGX: Secure Channel
SGX HW
Secret Flight
Key Certificate Insurance
SGX
attestation att =
𝚺intel[ X || User data]
Program X Program
Image
Remote Platform SKX PKX
*Signature 𝚺 (EPID) can be anonymous (group) or pseudonymous

TC goal / adversarial model
• Relying contract sends query Q = (XYZ, params, T) to TC
• Goal: TC returns correct answer A to query Q
• Adversary controls the OS of TC server and the network
• Simpler view: adversary controls network outside enclave
Blockchain
Trusted Website
XYZ.com
Flight
Insurance
Town
Crier
SGX
Tripartite trust model
• Smart contract • TC enclave • Trusted website
• Trustworthy execution Trustworthy
• • Source
• No confidentiality execution authentication

• Cheap • No digital
• Expensive computation
computation signatures on
Key Challenge: How does one stitch
• No network stack
together
content
disparate trust domains with different properties into
Blockchai
n effective system?
a secure,
Flight TC
Insurance Contract
Town
Crier
SGX
Compound Program
Blockchain
Trusted Website
XYZ.com
Flight
Insurance
Town
Crier
SGX
Blockchain
Trusted Website
XYZ.com
Flight
Insurance
Town
Crier
SGX
• Solution: use attestations to establish

secure channel
Blockchain
Trusted Website
XYZ.com
Flight
Insurance
Town
Crier
SGX
• Creator of Flight Insurance checks
• Contract Flight insurance: Free!

• Hardwired with PKTC
• On receiving flight data, checks signature 𝚺SKTC[flight data]
Blockchain
Trusted Website
XYZ.com
Flight
Insurance
Town
Crier
SGX
Blockchain
Flight A'
TC Contract A'
Insurance
Town
Q' Crier
Q
• Problem: Q' may be corrupted version of Q—or

altogether fake!
• Could run blockchain client (Ethereum) in enclave
• Could verify Q from blockchain
• Would bloat TC code (TCB)!
Blockchain
Flight A'
TC Contract A' ,Q'
Insurance Q'
Town
Q' Crier
Q
• Our approach: Leverage hybrid trust model

• Potentially corrupted query Q' processed by TC
• TC digitally signs (A', Q') using SKTC
• TC contract verifies Q = Q'
Blockchain
Trusted Website
XYZ.com
Flight
Insurance
Town
Crier
SGX
Blockchain Trusted Website
XYZ.com
Flight
Insurance
Town TLS ?
Crier TCP
SGX
Problem: network is controlled by OS

• HTTPS doesn't sign data (MAC is not
transferrable).
• TC can not verified data delivered by OS
Solution:
• Put TLS stack in the enclave
Another problem:
Gas depletion
• Recall: Ethereum uses currency called "gas"
• Prevents DoS
• Charges fairly for computation costs
Blockchain
Smart Smart
TC msg, Contract msg' Contract'
Account $gas $gas'
Another problem:
Gas depletion
• TC service needs to initiate call to return data A
• TC must pay gas cost for this return call… yet avoid
malicious gas-depletion calls from other contracts
Blockchai
n
Flight TC
Insurance Contract
Town
Crier
SGX
Gas sustainability
• Informally: service never runs out of gas
• Formal definition in paper
• TC requires up-front deposit of gas (ether) from relying contract
• Formal proof of gas sustainability for TC in paper
Gas sustainability is a fundamental and

general availability property for compound
smart contracts!
Blockchain
Flight TC
Insurance Contract
Town
Crier
SG
X
Challenge of Confidentiality
Blockchain
Smart
contract
How to provide confidentiality for data processed by a

smart contract with no confidential state?
Running example:
Self-enforcing flight delay insurance
Gimme a policy for

Flight #1234 on
Flight 17 May for a
policy price $1.
Insurance
$100
Idea: Leverage enclave
Flight delayed /
confidentiality not delayed
Blockchain
Flight TC
Insurance Contract
Town
$$$ Crier
SGX
• Private datagram!
• Additional steps needed
• E.g., delay response / payment to noise timing side-channel
Applications: TC for sale of
online goods
• Steam Community Marketplace (SCM): buy and sell
items with community members
• Alice wants to sell a game for Ether, but SCM doesn’t
support.
Online game Ether

license
Community
Marketplace
Smart contract for fair exchange
Blockchain
Town
Steam Crier
Trader
SGX
Blockchain
Town
Steam Crier
Trader
SGX
as a gift ($0)
through
Community market
Has Alice
delivered the
game?
Blockchain
Delivered!
Town
Steam Crier
Trader
SGX
Challenges
Blockchain • Confidentiality: This requires

Steam Alice's (or Bob's) Steam
Trader marketplace credentials
• Customization: Sending raw
data to SteamTrader incurs
high overhead.
Again, we can leverage SGX
HTML
Blockchain
Steam Town
D
Trader Crier
=Extract(HTML)
SGX
Again, we can leverage enclave
confidentiality
✓ A game has
been delivered Alice’s
toTC
Bob.enables
Abstraction: confidential Account
smart contracts
Smart contract for
simulates
Blockchain
nearly any digitally represented asset
✓
trusted third party with public Astate.
game has
Steam Town been delivered to
($, cryptocurrency,
Trader online accounts,
Bob.
etc.)
Crier
What if node or source is
compromised?
✘ Town
Crier ✔︎
We can have
redundant sources
✔︎
✔︎ Town
Crier
✔︎
Majority vote!
October 25, 2016 CCS’16, Vienna

✘
Town Crier: An Authenticated Data Feed for Smart Contracts
+ redundant nodes
Majority vote!
Town
Crier
Contract
Majority vote! Majority vote!
Town
Crier
Majority vote!
Town
Crier
Town Crier
TC provides authenticated data
feeds for smart contracts:
• Has strong security & weak trust
assumption
• Preserves confidentiality
• Supports customized data feed
Free version in Ethereum will be launched on Jan 1,
2017!

TC Ccs16

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

TC Ccs16

Transféré par

Droits d'auteur :

Formats disponibles

Town Crier:

An Authenticated Data Feed

Fan Zhang*, Ethan Cecchetti,

Gimme a policy for

Gimme a policy for

Today there are no good sources.

Fan Zhang, Ethan Cecchetti, Kyle Croman,

Authenticity property: Data delivered by TC is

Other processes Other processes

Remote Platform  X is running on a genuine SGX platform

*Signature 𝚺 (EPID) can be anonymous (group) or pseudonymous

Remote Platform SKX PKX

*Signature 𝚺 (EPID) can be anonymous (group) or pseudonymous

• No confidentiality execution authentication

• Solution: use attestations to establish

• Creator of Flight Insurance checks

• Contract Flight insurance: Free!

• Problem: Q' may be corrupted version of Q—or

• Our approach: Leverage hybrid trust model

Problem: network is controlled by OS

Gas sustainability is a fundamental and

How to provide confidentiality for data processed by a

Gimme a policy for

Online game Ether

Blockchain • Confidentiality: This requires

October 25, 2016 CCS’16, Vienna

Vous aimerez peut-être aussi