REM: Resource-Efficient Mining for Blockchains
Total Page:16
File Type:pdf, Size:1020Kb
REM: Resource-Efficient Mining for Blockchains Fan Zhang, Ittay Eyal, and Robert Escriva, Cornell University; Ari Juels, Cornell Tech; Robbert van Renesse, Cornell University https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/zhang This paper is included in the Proceedings of the 26th USENIX Security Symposium August 16–18, 2017 • Vancouver, BC, Canada ISBN 978-1-931971-40-9 Open access to the Proceedings of the 26th USENIX Security Symposium is sponsored by USENIX REM: Resource-Efficient Mining for Blockchains Fan Zhang?;§ Ittay Eyal?;§ Robert Escriva? [email protected] [email protected] [email protected] Ari Juels†;§ Robbert van Renesse?;§ [email protected] [email protected] ?Cornell University †Cornell Tech, Jacobs Institute §Initiative for CryptoCurrencies & Contracts Abstract sionless” blockchains is that Proofs-of-Work (PoWs) in blockchains are wasteful. Blockchains show promise as potential infrastructure PoWs are nonetheless the most robust solution today for financial transaction systems. The security of to two fundamental problems in decentralized cryptocur- blockchains today, however, relies critically on Proof-of- rency design: How to select consensus leaders and how Work (PoW), which forces participants to waste compu- to apportion rewards fairly among participants. A partic- tational resources. ipant in a PoW system, known as a miner, can only lead We present REM (Resource-Efficient Mining), a new consensus rounds in proportion to the amount of compu- blockchain mining framework that uses trusted hardware tation she invests in the system. This prevents an attacker (Intel SGX). REM achieves security guarantees similar from gaining majority power by cheaply masquerading to PoW, but leverages the partially decentralized trust as multiple machines. The cost, however, is the above- model inherent in SGX to achieve a fraction of the waste mentioned waste. PoWs serve no useful purpose beyond of PoW. Its key idea, Proof-of-Useful-Work (PoUW), in- consensus and incur huge monetary and environmental volves miners providing trustworthy reporting on CPU costs. Today the Bitcoin network uses more electricity cycles they devote to inherently useful workloads. REM than produced by a nuclear reactor, and is projected to flexibly allows any entity to create a useful workload. consume as much as Denmark by 2020 [25]. REM ensures the trustworthiness of these workloads by means of a novel scheme of hierarchical attestations that We propose a solution to the problem of such waste in REM may be of independent interest. a novel block-mining system called . Nodes using REM replace PoW’s wasted effort with useful effort of To address the risk of compromised SGX CPUs, we a form that we call Proof of Useful Work (PoUW). In a develop a statistics-based formal security framework, PoUW system, users can utilize their CPUs for any de- also relevant to other trusted-hardware-based approaches sired workload, and can simultaneously contribute their such as Intel’s Proof of Elapsed Time (PoET). We show work towards securing a blockchain. through economic analysis that REM achieves less waste than PoET and variant schemes. There have been several attempts to construct cryp- We implement REM and, as an example application, tocurrencies that recycle PoW by creating a resource use- swap it into the consensus layer of Bitcoin core. The ful for an external goal, but they have serious limitations. result is the first full implementation of an SGX-based Existing schemes rely on esoteric resources [49], have blockchain. We experiment with four example appli- low recycling rates [58], or are centralized [36]. Other cations as useful workloads for our implementation of consensus approaches, e.g., BFT or Proof of Stake, are REM, and report a computational overhead of 5 − 15%. in principle waste-free, but restrict consensus participa- tion or have notable security limitations. Intel recently introduced a new approach [41] to elim- 1 Introduction inating waste in distributed consensus protocols that re- lies instead on trusted hardware, specifically a new in- Despite their imperfections [21, 31, 33, 61, 66], struction set architecture extension in Intel CPUs called blockchains [34, 60, 62] have attracted the interest of Software Guard Extensions (SGX). SGX permits the exe- the financial and technology industries [11, 20, 30, cution of trustworthy code in an isolated, tamper-free en- 41, 64, 69] as a way to build a transaction systems vironment, and can prove remotely that outputs represent with distributed trust. One fundamental impediments the result of such execution. Leveraging this capability, to the widespread adoption of decentralized or “permis- Intel’s proposed Proof of Elapsed Time (PoET) is an in- USENIX Association 26th USENIX Security Symposium 1427 novative system with an elegant and simple underlying given the volatility of mining populations in real-world idea. A miner runs a trustworthy piece of code that idles cryptocurrencies. Our results also apply to PoET. for a randomly determined interval of time. The miner A further challenge arises in REM due to the feature with the first code to awake leads the consensus round that miners may choose their own PoUWs workloads. It and receives a reward. PoET thus promises energy- is necessary to ensure that miner-specified mining appli- waste-free decentralized consensus with security predi- cations running in SGX accurately report their computa- cated on the tamper-proof features of SGX. PoET oper- tional effort. Unfortunately SGX lacks secure access to ates in a partially-decentralized model, involving limited performance counters. REM thus includes a hierarchical involvement of an authority (Intel), as we explain below. attestation mechanism that uses SGX to attest to com- Unfortunately, despite its promise, as we show in this pilation of workloads with valid instrumentation. Our paper, PoET presents two notable technical challenges. techniques, which combine static and dynamic program First, in the basic version of PoET, an attacker that can analysis techniques, are of independent interest. corrupt a single SGX-enabled node can win every con- We have implemented a complete version of REM, en- sensus round and break the system completely. We call compassing the toolchain that instruments tasks to pro- this the broken chip problem. Second, miners in PoET duce PoUWs, compliance checking code, and a REM have a financial incentive to power mining rigs with blockchain client. As an example use, we swap REM cheap, outmoded SGX-enabled CPUs used solely for in for the PoW in Bitcoin core. As far as we are mining. The result is exactly the waste that PoET seeks aware, ours is the first full implementation of an SGX- to avoid. We call this the stale chip problem. backed blockchain. (Intel’s Sawtooth Lake, which in- cludes PoET, is implemented only as a simulation.) Our REM addresses both the stale and broken chip prob- implementation supports trustworthy compilation of any lems. Like PoET, REM operates in a partially decentral- desired workload. As examples, we experiment with four ized model: It relies on SGX to prove that miners are REM workloads, including a commonly-used protein- generating valid PoUWs. REM, however, avoids PoET’s folding application and a machine learning application. stale chip problem by substituting PoUWs for idle CPU The resulting overhead is about 5 − 15%, confirming the time, disincentivizing the use of outmoded chips for min- practicality of REM’s methodology and implementation. ing. Miners in a PoUW system are thus entities that use or outsource SGX CPUs for computationally intensive workloads, such as scientific experiments, pharmaceuti- Paper organization cal discovery, etc. All miners can concurrently mine for The paper is organized as follows: Section2 provides a blockchain while REM gives them the flexibility to use background on proof-of-work and Intel SGX. We then their CPUs for any desired workload. proceed to describe the contributions of this work: We present a detailed financial analysis to show that • PoUW and REM, a low-waste alternative to PoW PoUW successfully addresses the stale chip problem. that maintains PoW’s security properties (§3). We provide a taxonomy of different schemes, including PoW, PoET, novel PoET variants, and PoUW. We ana- •A broken-chip countermeasure consisting of a rig- lyze these schemes in a model where agents choose how orous statistical testing framework that mitigates the to invest capital and operational funds in mining and how impact of broken chips (§4). much of such investment to make. We show that the •A methodology for trustworthy performance instru- PoUW in REM not only avoids the stale chip problem, mentation of SGX applications using a combination but yields the smallest overall amount of mining waste. of static and dynamic program analysis and SGX- Moreover, we describe how small changes to the SGX backed trusted compilation (§5). feature set could enable even more efficient solutions. • Design and full implementation of REM as a Unlike PoET, REM addresses the broken chip prob- resource-efficient PoUW mining system with auto- lem. Otherwise, compromised SGX-enabled CPUs matic tools for compiling arbitrary code to a PoUW- would allow an attacker to generate PoUWs at will, and compliant module. Ours is the first full implemen- both unfairly accrete revenue and disrupt the security of tation of an SGX-backed blockchain protocol (§5). the blockchain [24, 70, 73]. Intel has sought to address •A model of consensus-algorithm resource consump- the broken chip problem in PoET using a statistical- tion that we use to compare the waste associated testing approach, but published details are lacking, as with various mining schemes. We overview the appears to be a rigorous analytic framework. For REM, model and issues with previous schemes (§6) and we set forth a rigorous statistical testing framework for defer the details to the full version [76]. mitigating the damage of broken chips, provide analytic security bounds, and empirically assess its performance We discuss related work in §7 and conclude in §8.