Research Statement

Andrew Miller

November 2015

Over the past several years, Bitcoin and other cryptocurrencies have been an empirical success [1]. These are decentralized systems that allow users to transmit money, compose financial instruments, and enforce contracts between mutually distrusting peers. They currently represent a market cap of almost $5B of users' wealth, have precipitated almost $1B of venture capital investment in related technology firms, and have evoked responses from policy makers and regulators the world over. Perhaps most surprisingly, they mostly operate independently of, and even in direct competition with, the traditional institutions that ordinarily provide such services. This competition holds great promise to yield a financial infrastructure that is more robust, efficient and equitable than ours today.

Cryptocurrencies are a microcosm exhibiting many of the challenges faced in securing complex information systems more broadly. Without a rigorous and realistic security model, it is difficult to predict whether these systems will survive future attacks, or to evaluate whether potential protocol changes and performance tradeoffs are safe. Furthermore, the appeal of cryptocurrencies as an application platform has attracted a large community of enthusiastic developers; but cryptographic expertise remains a bottleneck, so few systems are deployed with thorough validation.

My goal is to build a research program that provides provable security for emergent decentralized systems, especially by combining techniques from programming languages and cryptography. In my dissertation, I developed the first formal models for Bitcoin's security. Using these as scaffolding, I invented novel constructions that preserve security while providing additional benefits, such as reducing waste and improving incentives. Adapting formal models to real-world systems provides a principled way to explore vast design spaces.
In my dissertation I also created programming languages that safely encapsulate cryptographic protocols, so that even non-expert application developers can use them in applications. Here, the methods of programming language design and cryptography fundamentally complement each other: cryptography provides powerful and general primitives, while programming language abstractions provide the means to compose them safely.

Provable Security for Cryptocurrencies. Cryptocurrencies do not fit neatly into existing theoretical frameworks for distributed computing and cryptography, but rather seem to rely on weaker (or at least incomparable) assumptions than those previously studied. In my dissertation I developed the "Scratch-Off Puzzles" (SOP) model, a formal network model better suited to Bitcoin, which accounts for anonymous communication channels with no pre-established PKI, as well as assumptions about the allocation of computational resources (i.e., "hashpower") among the participants. The SOP model is useful for exploring and validating new cryptocurrency designs. To demonstrate this I invented several new constructions that can be proven secure in this model, yet also achieve additional desirable effects. First, with Permacoin, I show that the otherwise-"wasted" work of Bitcoin mining can be recycled to provide a global backup storage system for public datasets [8]. Second, most miners join large coalitions called mining pools; for the past several years, influence over the network has been largely consolidated in just a handful of such coalitions, which threatens the assumptions underlying Bitcoin's security. My research shows these coalitions are only possible as a consequence of Bitcoin's puzzle construction. I therefore developed a new approach, called "nonoutsourceable puzzles," which uses succinct zero-knowledge proofs [5] to enable coalition members to defect [9], thus discouraging coalitions from forming.

Programming Languages for Secure Protocols by Non-Experts

Cryptocurrencies provide a useful and general abstraction: a "world-wide database" instance that's publicly accessible and globally consistent. The convenience of these systems as a platform has attracted a broad community of developers, enthusiastic to implement a wide variety of applications beyond just money transmission, ranging from prediction markets [2] to crowdsourced file storage services [8]. However, successful applications built atop this platform still demand the careful composition of cryptographic primitives. These compositions are typically prone to implementation error, often to catastrophic effect, especially when implemented by non-experts [3]. My research aims to shift the burden of secure cryptography composition from the programmer to the compiler, which generates "secure-by-construction" protocols from simple specifications written by non-specialist programmers.

A Programming Language for Authenticated Data Structures. In my dissertation, I developed a programming language, λ• (pronounced Lambda-Auth), for hash-based Authenticated Data Structures (ADS) [6]. ADSs are a well-known and widely applicable cryptographic technique that allow clients to offload their storage to an untrusted server while retaining only a short digest, against which every query result can be checked. ADS protocols are used widely in many systems (including Git, BitTorrent, and Bitcoin). However, there remain many suitable applications that do not yet utilize these protocols (or fail to utilize them to their full benefit). This is partly because of the specialized effort needed to implement the authenticated version of each new data structure. In λ•, the programmer simply writes an ordinary data structure program in a functional language. This program serves as a specification, which the λ• compiler elaborates into a correct-by-construction ADS protocol for the clients and servers. As a case study, I used λ• to model the Bitcoin "blockchain" as an authenticated data structure. I then used λ• to prototype an alternative proposal for a blockchain-like data structure that offers a performance optimization: it yields a transaction validation client that requires only constant-size storage.
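The prover/verifier split that λ• derives automatically can be sketched by hand. The following Python is an added illustration written for this page, not code from λ• or from the dissertation: a single lookup function over a binary tree is written once; the server (prover) runs it on the real tree and records the hash-level view of each node it visits, while the client (verifier), holding only a 32-byte root digest, replays the same function against that proof stream and rejects it at the first node whose hash does not match what it expected. The tree contents, the bit-string path encoding and the proof layout are assumptions of this example.

```python
"""Generic hash-based authenticated data structure, prover/verifier style.
Added illustration only (not Lambda-Auth's own code). Sample data is constructed inline."""
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Full tree nodes:  ("leaf", value_bytes)  or  ("node", left_subtree, right_subtree)
# Shallow nodes:    ("leaf", value_bytes)  or  ("node", left_digest, right_digest)
# The shallow form is what the proof stream carries: subtrees replaced by digests.

def hash_shallow(s):
    # Domain separation ("leaf:" vs "node:") so a leaf cannot be passed off as a node.
    if s[0] == "leaf":
        return h(b"leaf:" + s[1])
    return h(b"node:" + s[1] + s[2])


def digest(node):
    """Root digest of a full subtree; the verifier stores only this (32 bytes)."""
    if node[0] == "leaf":
        return hash_shallow(node)
    return hash_shallow(("node", digest(node[1]), digest(node[2])))


def shallow(node):
    if node[0] == "leaf":
        return node
    return ("node", digest(node[1]), digest(node[2]))


class Prover:
    """Server side: holds the full tree, records every node the lookup inspects."""
    def __init__(self):
        self.proof = []

    def unauth(self, node):
        self.proof.append(shallow(node))
        return node                       # keep navigating the real tree


class Verifier:
    """Client side: holds no data, consumes the proof and checks each node's hash."""
    def __init__(self, proof):
        self.proof = list(proof)

    def unauth(self, expected_digest):
        if not self.proof:
            raise ValueError("proof stream exhausted")
        s = self.proof.pop(0)
        if hash_shallow(s) != expected_digest:
            raise ValueError("proof node does not match expected digest")
        return s                          # children are now digests, not subtrees


def lookup(ctx, root, path):
    """Follow `path` (a string of '0'/'1' bits) from the root. Written once;
    `ctx` decides whether this run proves or verifies."""
    node = ctx.unauth(root)
    for bit in path:
        if node[0] != "node":
            return None                   # path runs past a leaf
        node = ctx.unauth(node[1] if bit == "0" else node[2])
    return node[1] if node[0] == "leaf" else None


def build(values):
    """Constructed sample: a complete binary tree over `values` (length a power of two)."""
    nodes = [("leaf", v) for v in values]
    while len(nodes) > 1:
        nodes = [("node", nodes[i], nodes[i + 1]) for i in range(0, len(nodes), 2)]
    return nodes[0]


def server_lookup(tree, path):
    p = Prover()
    return lookup(p, tree, path), p.proof


def client_verify(root_digest, path, proof):
    """Authenticated value for `path`, or None if the proof is rejected."""
    try:
        return lookup(Verifier(proof), root_digest, path)
    except ValueError:
        return None


def demo():
    tree = build([b"tx0", b"tx1", b"tx2", b"tx3"])
    root = digest(tree)                               # the client's entire state
    value, proof = server_lookup(tree, "10")          # right subtree, then left leaf
    accepted = client_verify(root, "10", proof)
    # A server that swaps the leaf value is caught at the leaf's hash check.
    tampered = [("leaf", b"evil") if s[0] == "leaf" else s for s in proof]
    rejected = client_verify(root, "10", tampered)
    return value, accepted, rejected, len(proof)


if __name__ == "__main__":
    print(demo())
```

Because the verifier drives the same code with the client's own path bits, a proof that is internally consistent but answers a different query is rejected too: at the first divergence the digest the verifier expects is for a sibling, not the node the proof supplies.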

Privacy-preserving Smart Contracts. In another project, Hawk [4], I developed a programming language for privacy-preserving smart contracts. While several existing cryptocurrencies, such as Ethereum, provide a general purpose programming environment, my collaborators and I showed that, used naïvely, they leak significant amounts of information to adversaries [3], and are thus unsuitable for many applications (e.g., involving business finances, health data, and other sensitive information). In Hawk, the programmer specifies an application (e.g., a private sealed-bid auction) as an arbitrary computable function, written in a subset of C. Our compiler generates a cryptographic protocol that combines zero-knowledge proofs with the public blockchain. The protocol underlying Hawk is a novel composition of commitments and zero-knowledge proofs. It guarantees on-chain privacy: input values never appear on the blockchain, and are revealed only to a semi-trusted "manager," who learns them at the end of the protocol but cannot interfere with the correct computation of the contract. The role of manager can also be instantiated with trusted hardware or multi-party computation.

Future Work.

Security of cryptocurrencies under composition. So far, formal models of cryptocurrencies analyze only a single network in isolation. However, in reality, there are already hundreds of competing cryptocurrency networks. And, in fact, they already interact in surprising ways (for example, a well-known Bitcoin miner used its hashpower to launch a devastating attack against a weaker cryptocurrency). Can cryptocurrency designs be proved secure under composition, even when considering arbitrary interactions between them?

Universal Composability as a practical framework for modular protocols. The cryptography community has converged on a framework called "Universal Composability" (UC), which guarantees security even when arbitrary protocols are executed concurrently. In the UC framework, network models, primitive building blocks, and application specifications are all expressed as "Ideal Functionalities": i.e., as processes written in an ordinary programming language, and executed as though by an incorruptible server. Ideal functionalities therefore serve as simple models for more complicated cryptographic protocols. So far, this approach has been underappreciated outside of cryptography theory; and even in cryptography, proofs in this framework are unwieldy to write and verify. This is in part because the framework exists only as prose, without a concrete realization. After my experience formalizing Hawk in UC [4], I now believe this framework can serve as the basis for a practical library of modular protocols. My plan is to provide a concrete process calculus semantics for Universal Composability, and develop a modular, mechanically checkable system of proofs. This will be especially useful to rein in the complexity of cryptocurrency applications, which are diverse, built through concurrent composition of primitives, and whose interactions require care to analyze.

Outreach and visibility. Cryptocurrencies have piqued a common interest in industry, open source projects, and academia alike. They therefore provide an effective avenue for the practical deployment of cryptography. Simply put, the cryptocurrency development industry is hungry for cryptography. Part of my research method is to embed myself in the development community surrounding the emergent systems I study. I adapt open source tools for use in my research and in teaching [3, 4]. I also release artifacts from my research as free software (e.g., the Shadow-Bitcoin simulator framework [7]), and serve as an advisor to cryptocurrency companies and projects, such as Zcash and Ethereum. My research lab will therefore gain visibility and amplify its practical impact by building on my track record of forming ties in these communities.

References

[1] Joseph Bonneau, Andrew Miller, Jeremy Clark, Arvind Narayanan, Joshua A. Kroll, and Edward W. Felten. SoK: Research perspectives and challenges for Bitcoin and cryptocurrencies. In IEEE Symposium on Security and Privacy (Oakland), 2015.

[2] Jeremy Clark, Joseph Bonneau, Edward W. Felten, Joshua A. Kroll, Andrew Miller, and Arvind Narayanan. On decentralizing prediction markets and order books. In Workshop on the Economics of Information Security (WEIS), State College, Pennsylvania, 2014.

[3] Kevin Delmolino, Mitchell Arnett, Ahmed Kosba, Andrew Miller, and Elaine Shi. Step by step towards creating a safe smart contract: Lessons and insights from a cryptocurrency lab. (in submission) https://eprint.iacr.org/2015/460, 2015.

[4] Ahmed Kosba, Andrew Miller, Elaine Shi, Zikai Wen, and Charalampos Papamanthou. Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. (in submission) https://eprint.iacr.org/2015/675, 2015.

[5] Ahmed Kosba, Zhichao Zhao, Andrew Miller, and Hubert Chan. How to use SNARKs in universally composable protocols. (in submission) http://eprint.iacr.org/2015/1093, 2015.

[6] Andrew Miller, Michael Hicks, Jonathan Katz, and Elaine Shi. Authenticated data structures, generically. In ACM SIGPLAN Notices, volume 49, pages 411–423. ACM, 2014.

[7] Andrew Miller and Rob Jansen. Shadow-bitcoin: Scalable simulation via direct execution of multi-threaded applications. 2015.

[8] Andrew Miller, Ari Juels, Elaine Shi, Bryan Parno, and Jonathan Katz. Permacoin: Repurposing Bitcoin work for data preservation. In IEEE Symposium on Security and Privacy (SP), pages 475–490. IEEE, 2014.

[9] Andrew Miller, Ahmed Kosba, Jonathan Katz, and Elaine Shi. Nonoutsourceable scratch-off puzzles to discourage Bitcoin mining coalitions. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 680–691, 2015.
