Blogs

by Marwa Mouallem, Ittay Eyal, and Ittai Abraham on August 09, 2024
Public key cryptography (PKC) is a fundamental technology that is a key enabler of the Internet and the whole client-server paradigm. Without public key cryptography there would be no cryptocurrencies, no online bank accounts, no online retail, etc.
by Surya Bakshi (UIUC, IC3, Offchain Labs), Sarah Allen (IC3, Flashbots), Lorenz Breidenbach (IC3, Chainlink Labs), Jim Ballingall (IC3), Haaroon Yousaf (IC3), Patrick McCorry (IC3, Arbitrum Foundation), Giannis Kaklamanis (Yale University), Vivian Jeng (Ethereum Foundation), Jayamine Alupotha (IC3, University of Bern), Mariarosaria Barbaraci (IC3, University of Bern), Abhimanyu Rawat (UPF Barcelona) on June 20, 2024
The team behind Boquila, a proof of concept to obscure identifiable information from third-party websites, took the top spot at this year’s hackathon. We sat down with Mariarosaria Barbaraci and Jayamine Alupotha, two members of the winning team, to talk about what they built and their experience at this year’s IC3 Blockchain Camp.
by Philipp Schneider (University of Bern, IC3) with contributions by Ignacio Amores-Sesar (University of Bern, IC3), and Christian Cachin (University of Bern, IC3) on May 17, 2024
In a three part series, we look at the “Snow” protocols that address the fundamental consensus problem and were introduced in a whitepaper by a group associated with AvaLabs that pioneered the Avalanche blockchain infrastructure. This is a post that consists of three parts. Part 1 appears here, part 2 and part 3 appear on the Crypto@Bern blog. This first part gives an overview of these Snow protocols and a summary of our findings.
by Orestis Alpos (University of Bern), Ignacio Amores-Sesar (University of Bern, IC3), Christian Cachin (University of Bern, IC3), Michelle Yeo (National University of Singapore) on May 10, 2024
The problems of maximal-extractable value (MEV) and front-running attacks have plagued decentralized finance (DeFi) in recent years. We tackle the problem of sandwich attacks in general and introduce a protocol to transform any blockchain consensus algorithm into a new one that has the same security, but in which sandwich attacks are no longer profitable. Our protocol is fully decentralized with no trusted third parties or heavy cryptographic primitives. It makes existing blockchains resilient to such attacks in exchange for increased latency until consensus becomes final and a small computational overhead.
by James Austgen, Andrés Fábrega, Sarah Allen, Kushal Babel, Mahimna Kelkar, and Ari Juels on January 16, 2024
Decentralized Autonomous Organizations (DAOs) are increasingly popular, and already managing many billions of dollars in treasuries. Their decentralized governance is a transformative new way of organizing communities. But as they grow, DAOs will face a new and potent threat to their decentralization - Dark DAOs. A Dark DAO is a private smart contract that targets a legitimate DAO, attacking its voting integrity by enabling vote-buying among its users. First considered in 2018, Dark DAOs haven’t yet appeared in the wild — but only because DAOs are not very decentralized today. As DAOs continue on a path to higher decentralization, Dark DAOs will inevitably surface. Vote-buying may be illegal in political elections, but in DAOs it’s probably legal. It’s legal in shareholder voting and there’s even a marketplace to facilitate it. Vote-buying in DAOs would follow the trend in Web3 of monetizing everything from people’s friends to maximal-extractable value (MEV).
by James Austgen, Andrés Fábrega, Sarah Allen, Kushal Babel, Mahimna Kelkar, and Ari Juels on December 04, 2023
Decentralized Autonomous Organizations, or DAOs, promise to revolutionize the ways that communities collaborate. The ‘D’ in DAO — the decentralization — is the critical ingredient. But the way most people in the Web3 community reason about DAO decentralization today is flawed. It fails to point the way toward sound DAO governance. Today, people commonly view decentralization in DAOs — and other Web3 projects — entirely in terms of how tokens are distributed among addresses. The Gini coefficient and similar measures of wealth inequality — such as entropy of token holdings — are popular metrics for this purpose. A high Gini coefficient over addresses in a DAO is “bad” - it means high concentration — dominant control by whales and other large holders. A low Gini coefficient, on the other hand, is “good,” indicating even distribution of tokens. Our new research shows that there are gaping blind spots in this view of DAO decentralization. Happily, we also show that it’s possible to do better.
by Haoqian Zhang on October 03, 2023
The name “front-running” came from when a broker needs to deliver the clients’ orders to the trading desk physically. The term vividly describes how it works - an attacker who knows a large order could run ahead to execute a trade before the client’s order goes through. What is the incentive for someone to do that? Here is an example that explains why. Suppose a broker receives a large order from a client, say, buy 500,000 shares of a company’s stock. The order is big enough to drive up the share’s price. Knowing this information, an attacker can place his small order, say 10,000 shares of the same stock, before the large order. The attacker can sell his shares at a higher price when the price goes up after the large order went through. The formal definition of front-running is a practice of benefiting from the advanced knowledge of pending transactions. Although benefiting some entities involved, this practice puts others at a significant financial disadvantage, making this behavior illegal in traditional markets with established securities regulations.
by Andrew Miller, Nerla Jean-Louis, Yunqi Li, and James Austgen on August 25, 2023
Enhancing smart contract privacy is a critical stride towards the development of more useful blockchain applications. Trusted execution environments (TEEs) or secure enclaves are being used in multiple networks (Secret Network, Oasis Network, Obscuro, etc.) to enable privacy without significantly increasing computational costs. However, the utilization of TEEs also brings forth challenges, specifically in designing secure network architectures that fully capitalize on the strengths of TEEs while mitigating potential risks. Our recent paper details several attacks on these TEE-based blockchain networks that broke user privacy guarantees without doing the hard work of breaking into the TEE hardware.
by Kushal Babel, Nerla Jean-Louis, Mahimna Kelkar, Yunqi Li, Carolina Ortega Perez, Aditya Asgoankar, Sylvain Bellemare, Ari Juels, and Andrew Miller on June 12, 2023
TLDR - The Sting Framework (SF) is a new idea for bolstering the security of systems at risk of information leakage. SF addresses the case where a corrupt service (called a Subversion Service) arises that enables adversaries to exploit such leakage. SF presumes a player, called an informer, that wishes to alert the community to the presence of the corrupt service — either as a public service or to claim a bounty. SF enables the informer to generate a publicly verifiable proof that the corrupt service exists.
by Kushal Babel, Yan Ji, Ari Juels, and Mahimna Kelkar on April 17, 2023
In today’s blockchain landscape, the life of a transaction is nasty, brutish, and short. Or, as some put it, a blockchain like Ethereum is a “dark forest” — a reference to a popular sci-fi novel in which the universe is filled with predatory civilizations.
by Patrick McCorry on March 15, 2023
A very interesting talk by Kelvin Fichter argues that zk rollups do not exist and explains how rollups actually work. Let’s take a fun snippet from it.
by Ariah Klages-Mundt on March 14, 2023
7 of the largest 10 stablecoins depegged as a massive bank run effect rippled across crypto. Here is what happened and what the lessons are for the space. Starting Friday, March 11, and persisting through the weekend, most major stablecoins lost their peg and stablecoin liquidity virtually evaporated.
by Phil Daian on March 07, 2023
In this post, we take a look at trends in MEV that we believe have the potential to centralize and weaken the core mission and value proposition of cryptocurrency. We argue that the most important and only exit from a future where power dynamics in cryptocurrency become centralized and predatory is through geographic decentralization. We then explore the relationship between geographic decentralization and privacy, which in our opinion will be a dominant economic phenomenon in the next decade of MEV evolution.
by Ari Juels on January 26, 2023
Independence from centralized institutions is among the most important of the revolutionary ideas at the heart of crypto. If you keep your crypto assets in a centralized exchange, the exchange holds them on your behalf. That means complete dependence on the integrity of the exchange. If it’s hacked or collapses, your funds can disappear.
by James Austgen, Kushal Babel, Vitalik Buterin, Phil Daian, Ari Juels, and Mahimna Kelkar on January 16, 2023
In a paper we've released today, we introduce a new cryptographic notion that we call proofs of complete knowledge (CK). We also report on a prototype that offers a path to making CK practical for use with smartphones.
by Andrew Miller on December 13, 2022
Last week the rest of the sgx.fail team and I posted a research preprint that included a vulnerability disclosure affecting Secret Network. Secret Network is the first smart contract system based on Trusted Execution Environments (TEEs) to go live in production. However, there are several rival projects with closely related tech that have launched public testnets, namely Oasis, Phala, and Obscuro. Our disclosure kicked off a broader discussion, with all these projects reaching out and/or making public statements (Phala’s), (Oasis’s), (Secret’s) explaining to what degree they would have been affected and about the mitigations they have in development. The four projects have been building most independently of each other, but TEE/SGX compromise presents a common threat to all of them, suggesting an opportunity to work together.
by James Austgen, Kushal Babel, Phil Daian, Ari Juels, and Mahimna Kelkar on September 30, 2022
Atomic NFTs introduce new cryptographic techniques in order to enable NFT creators to prevent fractionalization of their NFTs. Our work promises to give creators stronger control over how their NFTs are bought and sold. We stress that Atomic NFTs are a preliminary research concept. More research needs to be done to make them truly practical. We believe, however, that practicality is on the horizon and that Atomic NFTs could someday become a standard option in NFT creation.
by Ari Juels on September 26, 2022
Museums exist not just to house original works of art, but as shrines to be visited by art lovers. Physical works of art — oil paintings, for instance — look very different in person than in posters or digital images. I've spent twenty minutes staring at this Vermeer in person. I can assure you that the sacred hush magically rendered by the artist in the original painting is all but obliterated in reproduction. There’s another facet to appreciation of art, though, one that’s not just about brushstrokes or esthetic nuance. Why, after all, do people flock to see the Mona Lisa when they can barely make it out through the ten-foot thick protective barrier of tourists?
by Florian Suri-Payer and Natacha Crooks on August 27, 2022
Applications want to retain database functionality when decentralizing their systems. Unfortunately, straightforward designs atop today's blockchain systems fall short of this task. The current separation between the ordering layer and the application materialization layer in blockchain-based designs precludes the design of expressive, high-performance transactional systems. In our recent work Basil - Breaking up BFT with ACID (transactions) we explore how to merge these layers for improved scalability and usability.
by Ari Juels on July 20, 2022
Bitcoin and blockchains - the technology that makes cryptocurrencies such as Bitcoin possible - have become inescapable phenomena in finance and even popular culture. Despite their rise in popularity, though, there is considerable bewilderment around blockchains and their capabilities. In this talk, Ari Juels, the Weill Family Foundation and Joan and Stanford I. Weill Professor at Cornell Tech and Co-Director of the Initiative for CryptoCurrencies and Contracts (IC3), will aim to demystify this intriguing technology. He will explain how blockchains mean much more than Bitcoin and indeed how blockchain-based digital apes may be harbingers of our future in leisure and the arts. We hope to see you at this virtual event.
by Youer Pu, Lorenzo Alvisi and Ittay Eyal on June 21, 2022
The Nakamoto consensus protocol works in a permissionless model, where nodes can join and leave without notice. However, it guarantees agreement only probabilistically. Is this weaker guarantee a necessary concession to the severe demands of supporting a permissionless model? We show that, at least in a benign failure model, it is not. We present Sandglass, the first permissionless consensus algorithm that guarantees deterministic agreement and termination with probability 1 under general omission failures. Like Nakamoto, Sandglass adopts a hybrid synchronous communication model, where, at all times, a majority of nodes (though their number is unknown) are correct and synchronously connected, and allows nodes to join and leave at any time.
by Weizhao Tang, Lucianna Kiffer, Giulia Fanti and Ari Juels on May 25, 2022
In traditional financial systems, time equals money and network latency - i.e., the time for messages to travel in a network - has an outsized impact. Recently, network latency has become critical in blockchain peer-to-peer (P2P) networks as well. Among other impacts, low-latency connections in P2P networks can advantage arbitrageurs by giving them the ability to exploit the trades of other users for financial gain. In this blog post, we summarize a recent paper of ours that explores P2P network latency. We present Peri, a practical strategy that selects peers with low latencies from a local view of the P2P network. We demonstrate how strategic agents, i.e., self-interested P2P network actors, can use Peri to manipulate network latency to their advantage.
by Sarah Allen, Ari Juels, Mukti Khaire, Tyler Kell and Siddhant Shrivastava on April 25, 2022
Fine artists exercising unprecedented control of their own markets, high tech art, cartoon images of rocks selling for millions of dollars, scams, cult-like followings - the NFT market has it all! In this post, we will briefly survey the traditional art market and the NFT fine art market. The convergence of these things - NFT technology and the traditional art market - leads us to make predictions for the future of the market and technology.
by James Grimmelmann, Yan Ji and Tyler Kell on March 21, 2022
Many NFTs and DAOs are designed to provide new or more convenient ways to own and sell creative works. Beeple's EVERYDAYS - The First 5000 Days sold at auction for $69 million. Some observers think that the Bored Ape Yacht Club's spectacular rise is due to its permissive copyright approach. Some artists and developers are diving in head-first.
by Ittay Eyal and Ittai Abraham on March 07, 2022
The selfish mining attack against blockchain protocols was discovered and formalized in 2013 by Eyal and Sirer (also see our blog post). The Bitcoin community had mentioned similar types of attacks in 2010. This attack remains a vulnerability of all operational blockchains we are aware of. For Bitcoin's blockchain algorithm (under reasonable network assumptions), a coalition controlling over 1/4 of the mining power can improve its revenue using this attack.
by Itay Tsabary, Alex Manuskin, and Ittay Eyal on February 03, 2022
Prominent smart contracts, e.g., roll-ups, critically rely on timely confirmations of their transactions. Sadly, that's not how blockchains work, as confirmation times depend on transaction fees, where the required fee is determined by the volatile fee market. We present LedgerHedger, the first smart contract that facilitates a reservation for a future transaction confirmation. LedgerHedger is secure, incentive-compatible, and has low overhead for practical future-transaction parameters.
by Mahimna Kelkar on November 16, 2021
In current blockchain consensus protocols, a single miner or validator unilaterally controls the inclusion and ordering of transactions in a block. This form of temporary centralization is entirely at odds with the goals of decentralization. It also poses an acute problem for decentralized finance (DeFi). Arbitrageurs today are engaged in rampant collusion with miners to reorder transactions and extract profit at the expense of ordinary DeFi users. In the process of doing so, arbitrageurs are also participating in systemic bribery and even threatening the consensus stability of blockchains. So far in 2021, the impact of opportunistic transaction reordering - often called MEV or miner/maximal extractable value - has exceeded $550 million by one conservative estimate.
by Ittay Eyal on November 16, 2021
Securing digital assets like cryptocurrencies and NFTs is a tricky business, as demonstrated by numerous losses and heists. The challenge of storing digital assets applies equally to individuals and to larger actors - from companies to cryptocurrency exchanges to the largest financial services corporates. Digital assets are secured (almost exclusively) with cryptographic signing keys. But from the early days of Bitcoin it was clear that our mechanisms, which worked perfectly well in the olden days, are inadequate. Our mobile devices are (maybe) secure enough for our emails, but not for cash. Plastic cards work for authorizing transactions if we can cancel them with a phone call, but that's not the case with digital cash that has no 'undo'. Indeed, for securing digital assets it is not uncommon to use multiple keys.
by Tyler Kell, Haaroon Yousaf, Sarah Allen, Sarah Meiklejohn, and Ari Juels on September 22, 2021
Have you been offered the chance to earn unlimited passive income in cryptocurrency for life with no risks using a new technology called a smart contract? Congratulations! You may have just encountered a smart contract pyramid scheme.
by Yunqi Li, Sylvain Bellemare, Mikerah Quintyne-Collins, and Andrew Miller on April 21, 2021
In this post, we show how to provide privacy for smart contracts in a general purpose way by using "Multiparty Computation (MPC) as a Sidechain". In this model, smart contract developers can label any of their member fields as "secret".
by Ari Juels, Ittay Eyal, and Mahimna Kelkar on March 07, 2021
There's a simple word for projects that seek to advantage miners while systematically exploiting blockchain users, say three researchers.
by Jun-You Liu, Surya Bakshi, Shreyas Gandlur, Ankush Das, and Andrew Miller on February 15, 2021
Payment channels are one of the fundamental approaches for scaling cryptocurrency networks. In the academic cryptography literature on payment channels, it has been effective to use the universal composability (UC) framework as a way of rigorously modeling and giving security definitions. However, there has been a big gap between the UC model and the actual software implementations of payment channels designed and maintained by cryptocurrency developers, so those implementations have not gotten as much benefit from UC as they could. SaUCy is a project that aims to bridge the world of cryptocurrency developers with the UC framework.
by Deepak Maram and Harjasleen Malvai on January 12, 2021
Decentralized identity systems allow users to gather and manage their own credentials under the banner of self-created decentralized identifiers (DIDs). The key focus of DIDs is on shifting the control of a credential into users' hands. Existing decentralized identity proposals, however, suffer from several problems. First and foremost, how do you bootstrap an ecosystem of credential issuers? It is unlikely that most existing legacy providers will suddenly switch to issuing such credentials. Second, as with cryptocurrencies, DID systems burden users with managing their own keys, creating a significant risk of key loss. They also omit essential functionality, like resistance to Sybil attacks and the ability to detect misbehaving or sanctioned users. We address these problems by introducing CanDID in our new paper.
by Patrick McCorry on December 08, 2020
We have focused on building a non-custodial relayer, Infura Transaction Service (ITX), that takes a pre-signed message (e.g. meta-transaction), packs it into an Ethereum transaction and then gradually bumps the fee until it is mined in the blockchain.
by Scott Bigelow, Phil Daian, Stephane Gosselin, Alex Obadia, and Tina Zhen on November 23, 2020
Flashbots is a research and development organization formed to mitigate the negative externalities and existential risks posed by miner-extractable value (MEV) to smart-contract blockchains. We propose a permissionless, transparent, and fair ecosystem for MEV extraction to reinforce the Ethereum ideals.
by Sarah Allen, Srdjan Capkun, Ittay Eyal, Giulia Fanti, Bryan Ford, James Grimmelmann, Ari Juels, Kari Kostiainen, Sarah Meiklejohn, Andrew Miller, Eswar Prasad, Karl Wust, and Fan Zhang on September 04, 2020
Many central banks are considering, and some are even piloting, central bank digital currency. This column provides an overview of important considerations for central bank digital currency design. While central banks already provide wholesale digital currency to financial institutions, a retail central bank digital currency would expand access to more users and provide opportunities for innovative central banking. The design must balance these benefits with the potential risks created by retail central bank currency deployment.
by Sarah Allen, Srdjan Capkun, Ittay Eyal, Giulia Fanti, Bryan Ford, James Grimmelmann, Ari Juels, Kari Kostiainen, Sarah Meiklejohn, Andrew Miller, Eswar Prasad, Karl Wust, and Fan Zhang on July 23, 2020
In this paper, we enumerate the fundamental technical design challenges facing CBDC designers, with a particular focus on performance, privacy, and security. Through a survey of relevant academic and industry research and deployed systems, we discuss the state of the art in technologies that can address the challenges involved in successful CBDC deployment. We also present a vision of the rich range of functionalities and use cases that a well-designed CBDC platform could ultimately offer users.
by Itay Tsabary, Matan Yechieli, and Ittay Eyal on June 22, 2020
In this post, we outline the attack and its analysis, and the MAD-HTLC solution.
by Benjamin Chan and Elaine Shi on May 14, 2020
In this post, we describe an extraordinarily simple blockchain protocol called Streamlet. Consensus is a complex problem and has been studied since the 1980s. More recently, blockchain research has spawned many new works aiming for performance and ease of implementation. However, simple, understandable protocols remain elusive, and that's where Streamlet comes in.
by Ittay Eyal on February 26, 2020
Proof of Work (PoW) Blockchains implement a form of State Machine Replication (SMR). Unlike classical SMR protocols, they are open, i.e., anyone can join the system, and the system incentivizes participants, called miners, to follow the protocol. Therefore, unlike classical SMR protocols, reasoning about blockchain security relies not only on bounding the number of malicious participants. One should crucially ask whether miners are indeed incentivized to follow the prescribed protocol. This is the topic of this post.
by Michael Mirkin, Yan Ji, Jonathan Pang, Ariah Klages-Mundt, Ittay Eyal, and Ari Juels on December 17, 2019
We have discovered a denial-of-service attack on Bitcoin-like blockchains that is much cheaper than previously described attacks. Such blockchains rely on incentives to provide security. We show how an attacker can disrupt those incentives to cause rational miners to stop mining.
by Itay Tsabary, Alexander Spiegelman, and Ittay Eyal on December 04, 2019
Proof-of-work (PoW) mechanisms secure about 80% of the $250B cryptocurrency market. PoW requires system participants to expend computational resources, and protects the system from attackers who cannot expend resources at an equivalent rate. These systems operate in the permissionless setting and compensate their users with cryptocurrency, which has monetary value. As cryptocurrency prices soar so do the invested resources, and Bitcoin expenditures alone are 0.24% of the global electricity consumption. Arguably, this is superfluous, and lowering the ecological footprint justifies settling for a lower attack threshold.
by Yujin Kwon, Jian Liu, Minjeong Kim, Dawn Song, and Yongdae Kim on September 30, 2019
Decentralization is an essential factor that should be inherently considered in the design of blockchain systems. Even though people design systems for good decentralization, in practice, we often observe that blockchain systems are highly centralized. Bitcoin and Ethereum, as representative examples, are already well known to be highly centralized in terms of network and mining. In fact, poor decentralization appears not only in PoW-based coins but also in coins adopting other mechanisms such as proof-of-stake (PoS) and delegated proof-of-stake (DPoS).
by Bryan Ford and Rainer Böhme on September 23, 2019
If you think you have designed a permissionless decentralized system that is cleverly secured based on rationality assumptions, you haven't. This blog post, based partly on ideas from Rainer Böhme's talk at the recent BDLT Summer School in Vienna, sketches an argument that rationality assumptions are self-defeating in open permissionless systems with weak identities.
by Aman Ladia and Andrew Miller on July 17, 2019
ZeroWallet is a new protocol that uses zero knowledge proofs to secure private keys with low-entropy passwords. It provides the convenience of brain wallets with a security guarantee comparable to third party multi-sig setups.