1,932 Hits in 3.9 sec

Foundations of Transaction Fee Mechanism Design [article]

Hao Chung, Elaine Shi
2021 arXiv   pre-print
In blockchains such as Bitcoin and Ethereum, users compete in a transaction fee auction to get their transactions confirmed in the next block. A line of recent works set forth the desiderata for a "dream" transaction fee mechanism (TFM), and explored whether such a mechanism existed. A dream TFM should satisfy 1) user incentive compatibility (UIC), i.e., truthful bidding should be a user's dominant strategy; 2) miner incentive compatibility (MIC), i.e., the miner's dominant strategy is to
more » ... trategy is to faithfully implement the prescribed mechanism; and 3) miner-user side contract proofness (SCP), i.e., no coalition of the miner and one or more user(s) can increase their joint utility by deviating from the honest behavior. The weakest form of SCP is called 1-SCP, where we only aim to provide resilience against the collusion of the miner and a single user. Sadly, despite the various attempts, to the best of knowledge, no existing mechanism can satisfy all three properties in all situations. Since the TFM departs from classical mechanism design in modeling and assumptions, to date, our understanding of the design space is relatively little. In this paper, we further unravel the mathematical structure of transaction fee mechanism design by proving the following results: - Can we have a dream TFM? - Rethinking the incentive compatibility notions. - Do the new design elements make a difference?
arXiv:2111.03151v1 fatcat:zvfqkdo2ujcblfsephtjd5zx4e

Data Oblivious Algorithms for Multicores [article]

Vijaya Ramachandran, Elaine Shi
2021 arXiv   pre-print
m · W bmerge ( √ m) + O(n) for m > M : Q bmerge (m) = 2 √ m · Q bmerge ( √ m) + O(m/B) for m > 2 : T bmerge (m) = 2 · T bmerge ( √ m) + O(log m) E Background on OPRAM Simulation In Chan, Chung, and Shi  ... 
arXiv:2008.00332v2 fatcat:fpj5e7tqjfbe7audobaqj7xv3y

Designing Secure Sensor Networks

Elaine Shi, A. Perrig
2004 IEEE wireless communications  
ELAINE SHI AND ADRIAN PERRIG, CARNEGIE MELLON UNIVERSITY ABSTRACT Sensor networks are expected to play an essential role in the upcoming age of pervasive computing.  ... 
doi:10.1109/mwc.2004.1368895 fatcat:f5b57ubqojhxrn5puy55bdiv54

Signatures of Reputation [chapter]

John Bethencourt, Elaine Shi, Dawn Song
2010 Lecture Notes in Computer Science  
Reputation systems have become an increasingly important tool for highlighting quality information and filtering spam within online forums. However, the dependence of a user's reputation on their history of activities seems to preclude any possibility of anonymity. We show that useful reputation information can, in fact, coexist with strong privacy guarantees. We introduce and formalize a novel cryptographic primitive we call signatures of reputation which supports monotonic measures of
more » ... measures of reputation in a completely anonymous setting. In our system, a user can express trust in others by voting for them, collect votes to build up her own reputation, and attach a proof of her reputation to any data she publishes, all while maintaining the unlinkability of her actions.
doi:10.1007/978-3-642-14577-3_35 fatcat:2t2qdc3aojboxfd4szn64oqtcy


Chang Liu, Austin Harris, Martin Maas, Michael Hicks, Mohit Tiwari, Elaine Shi
2015 SIGPLAN notices  
This paper presents a new, co-designed compiler and architecture called GhostRider for supporting privacy preserving computation in the cloud. GhostRider ensures all programs satisfy a property called memory-trace obliviousness (MTO): Even an adversary that observes memory, bus traffic, and access times while the program executes can learn nothing about the program's sensitive inputs and outputs. One way to achieve MTO is to employ Oblivious RAM (ORAM), allocating all code and data in a single
more » ... d data in a single ORAM bank, and to also disable caches or fix the rate of memory traffic. This baseline approach can be inefficient, and so GhostRider's compiler uses a program analysis to do better, allocating data to non-oblivious, encrypted RAM (ERAM) and employing a scratchpad when doing so will not compromise MTO. The compiler can also allocate to multiple ORAM banks, which sometimes significantly reduces access times. We have formalized our approach and proved it enjoys MTO. Our FPGA-based hardware prototype and simulation results show that GhostRider significantly outperforms the baseline strategy.
doi:10.1145/2775054.2694385 fatcat:zj6ukiorybaohajnsooue3ie7u

Optimal Sorting Circuits for Short Keys [article]

Wei-Kai Lin, Elaine Shi
2021 arXiv   pre-print
A recent work by Asharov, Lin, and Shi (SODA'21) showed that if the elements to be sorted have short keys whose length k = o(log n), then one can indeed overcome the nlog n barrier for sorting circuits  ...  Elaine Shi would like to thank Bruce Maggs for explaining the AKS algorithm, Pippenger's self-routing super-concentrator, the Wallace-tree trick, and the elegant work by Arora, Leighton, and Maggs [ALM90  ...  However, shortly afterwards, Asharov, Lin, and Shi [ALS21] showed that we can indeed overcome the n log n barrier for short keys, specifically, when k = o(log n).  ... 
arXiv:2102.11489v2 fatcat:ui3fp5tiibeodorpujo2djxari

The Sleepy Model of Consensus [chapter]

Rafael Pass, Elaine Shi
2017 Lecture Notes in Computer Science  
This lemma was proved in the Hybrid Consensus paper by Pass and Shi [35] .  ...  We point out that a blockchain abstraction implies the classical state machine replication abstraction as shown by Pass and Shi [35] .  ... 
doi:10.1007/978-3-319-70697-9_14 fatcat:pjlkbcazkjbt3l3ts6qi33f2py


Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih-Chun Hu
2007 Computer communication review  
Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based
more » ... hment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker's resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internetscale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness. capability-based systems treat prioritized traffic (i.e., packets with a valid capability) preferentially over non-prioritized traffic. However, capability-based systems still suffer from a critical weakness: they cannot protect the initial capability request, because that request is sent unprotected as non-prioritized traffic. An attacker can flood the capability-setup channel, thus preventing a legitimate sender from establishing a new capability-protected channel. This attack, referred to as Denial-of-Capability (DoC) by Argyraki and Cheriton [4], is the Achilles heel of current capability proposals. Agryraki and Cheriton show that several thousand attackers can easily saturate the request channel of a typical network service, preventing legitimate senders from acquiring capabilities. When describing the DoC vulnerability, Argyraki and Cheriton argue that the same mechanism that protects the request channel could be used to protect all traffic [4]. We strongly disagree: since only a single capability request packet is needed to set up capability-protected communication, a simple and highly efficient network-based defense suffices. As long as the mechanism provides a predictable and non-negligible probability that the sender's request packet reaches the receiver, it can prevent DoC attacks. For example, if the capability request channel suffers a 50% packet-loss rate, a legitimate sender only needs to send about two packets to set up a capability-protected communication channel. Alas, a 50% loss rate would be far too high for efficient communication using TCP, and thus such a mechanism would not be appropriate for protecting subsequent packets. Previously proposed capability-based systems offer few, if any, defenses against a DoC attack. Early systems simply treat capability request packets as best-effort packets [3, 22, 31] . The most recent capability architecture, TVA [32], attempts to achieve DoC robustness by tagging each packet with an identifier indicating the packet's ingress point to the autonomous system (AS) and then fairqueuing packets at each router based on this identifier. However, our evaluation in Section 6 indicates that this heuristic is insufficient to thwart DDoS attacks on Internet-scale topologies. In this work, we present Portcullis, 1 a system that uses computational proofs of work (puzzles) to enforce fair sharing of the request channel. As a result, Portcullis strictly bounds the delay any adversary can impose on a legitimate sender's capability establishment. Why Puzzles? While we explore the design space of DoC solutions in Section 2.3, we now provide a high-level explanation of why puzzles are particularly well-suited for solving the DoC problem. We argue that approaches like TVA that attempt to use a packet identifier to group and prioritize aggregates of traffic are inadequate for networks as large and diverse as the Internet. A major reason is that, short of trusting all routers on the Internet, network 1 A portcullis is a grille or gate that restricts entry into a castle.
doi:10.1145/1282427.1282413 fatcat:2kfcn2t4wjgc5pii5vwqgkcfc4

Verifiable Oblivious Storage [chapter]

Daniel Apon, Jonathan Katz, Elaine Shi, Aishwarya Thiruvengadam
2014 Lecture Notes in Computer Science  
For a practical implementation, the recent schemes by Shi et al. [32] and Chandran et al. [10] are recommended. Recently Cash et al.  ... 
doi:10.1007/978-3-642-54631-0_8 fatcat:i36n6hbozjhztacet4yxn42mte

Signatures of Correct Computation [chapter]

Charalampos Papamanthou, Elaine Shi, Roberto Tamassia
2013 Lecture Notes in Computer Science  
We introduce Signatures of Correct Computation (SCC), a new model for verifying dynamic computations in cloud settings. In the SCC model, a trusted source outsources a function f to an untrusted server, along with a public key for that function (to be used during verification). The server can then produce a succinct signature σ vouching for the correctness of the computation of f , i.e., that some result v is indeed the correct outcome of the function f evaluated on some point a. There are two
more » ... t a. There are two crucial performance properties that we want to guarantee in an SCC construction: (1) verifying the signature should take asymptotically less time than evaluating the function f ; and (2) the public key should be efficiently updated whenever the function changes. We construct SCC schemes (satisfying the above two properties) supporting expressive manipulations over multivariate polynomials, such as polynomial evaluation and differentiation. Our constructions are adaptively secure in the random oracle model and achieve optimal updates, i.e., the function's public key can be updated in time proportional to the number of updated coefficients, without performing a linear-time computation (in the size of the polynomial). We also show that signatures of correct computation imply Publicly Verifiable Computation (PVC), a model recently introduced in several concurrent and independent works. Roughly speaking, in the SCC model, any client can verify the signature σ and be convinced of some computation result, whereas in the PVC model only the client that issued a query (or anyone who trusts this client) can verify that the server returned a valid signature (proof) for the answer to the query. Our techniques can be readily adapted to construct PVC schemes with adaptive security, efficient updates and without the random oracle model.
doi:10.1007/978-3-642-36594-2_13 fatcat:7pplqm6pkjgytgbqomhnnsq4xq

Understanding Craigslist Rental Scams [chapter]

Youngsam Park, Damon McCoy, Elaine Shi
2017 Lecture Notes in Computer Science  
Fraudulently posted online rental listings, rental scams, have been frequently reported by users. However, our understanding of the structure of rental scams is limited. In this paper, we conduct the first systematic empirical study of online rental scams on Craigslist. This study is enabled by a suite of techniques that allowed us to identify scam campaigns and our automated system that is able to collect additional information by conversing with scammers. Our measurement study sheds new light
more » ... udy sheds new light on the broad range of strategies different scam campaigns employ and the infrastructure they depend on to profit. We find that many of these strategies, such as credit report scams, are structurally different from the traditional advanced fee fraud found in previous studies. In addition, we find that Craigslist remove less than half of the suspicious listings we detected. Finally, we find that many of the larger-scale campaigns we detected depend on credit card payments, suggesting that a payment level intervention might effectively demonetize them.
doi:10.1007/978-3-662-54970-4_1 fatcat:7utkzrmbebew5jlvtfskrbu3qa

Authenticated data structures, generically

Andrew Miller, Michael Hicks, Jonathan Katz, Elaine Shi
2014 SIGPLAN notices  
An authenticated data structure (ADS) is a data structure whose operations can be carried out by an untrusted prover, the results of which a verifier can efficiently check as authentic. This is done by having the prover produce a compact proof that the verifier can check along with each operation's result. ADSs thus support outsourcing data maintenance and processing tasks to untrusted servers without loss of integrity. Past work on ADSs has focused on particular data structures (or limited
more » ... res (or limited classes of data structures), one at a time, often with support only for particular operations. This paper presents a generic method, using a simple extension to a ML-like functional programming language we call λ• (lambda-auth), with which one can program authenticated operations over any data structure defined by standard type constructors, including recursive types, sums, and products. The programmer writes the data structure largely as usual and it is compiled to code to be run by the prover and verifier. Using a formalization of λ• we prove that all well-typed λ• programs result in code that is secure under the standard cryptographic assumption of collisionresistant hash functions. We have implemented λ• as an extension to the OCaml compiler, and have used it to produce authenticated versions of many interesting data structures including binary search trees, red-black+ trees, skip lists, and more. Performance experiments show that our approach is efficient, giving up little compared to the hand-optimized data structures developed previously.
doi:10.1145/2578855.2535851 fatcat:feqxrapgyfh2dd72e7cguf2ege

Streaming Authenticated Data Structures [chapter]

Charalampos Papamanthou, Elaine Shi, Roberto Tamassia, Ke Yi
2013 Lecture Notes in Computer Science  
We consider the problem of streaming verifiable computation, where both a verifier and a prover observe a stream of n elements x1, x2, . . . , xn and the verifier can later delegate some computation over the stream to the prover. The prover must return the output of the computation, along with a cryptographic proof to be used for verifying the correctness of the output. Due to the nature of the streaming setting, the verifier can only keep small local state (e.g., logarithmic) which must be
more » ... ) which must be updatable in a streaming manner and with no interaction with the prover. Such constraints make the problem particularly challenging and rule out applying existing verifiable computation schemes. We propose streaming authenticated data structures, a model that enables efficient verification of data structure queries on a stream. Compared to previous work, we achieve an exponential improvement in the prover's running time: While previous solutions have linear prover complexity (in the size of the stream), even for queries executing in sublinear time (e.g., set membership), we propose a scheme with O(log M log n) prover complexity, where n is the size of the stream and M is the size of the universe of elements. Our schemes support a series of expressive queries, such as (non-)membership, successor, range search and frequency queries, over an ordered universe and even in higher dimensions. The central idea of our construction is a new authentication tree, called generalized hash tree. We instantiate our generalized hash tree with a hash function based on lattices assumptions, showing that it enjoys suitable algebraic properties that traditional Merkle trees lack. We exploit such properties to achieve our results. 354 C. Papamanthou et al. updatable). Many prior verifiable computation schemes are unsuitable in the streaming setting: Some schemes require that the verifier (client) has access to all the data ahead of time, and performs some preprocessing (e.g., [17, 40] ) before outsourcing it to the prover (server). Other existing schemes allow a client to update the dataset through an interactive protocol between the client and the server (e.g., [35] ). Particularly, since the client does not have sufficient local storage to store all the data, the client needs the server's help to update its local state. Unfortunately, requiring an interactive protocol for every update may be too expensive in a streaming setting. For example, consider a network traffic accounting application [14] , where an ISP charges a customer based on the type and duration of its network flows. To enforce that the ISP is performing the accounting correctly, the ISP logs a customer's network flows such that the customer can later make queries to the logs to perform auditing (typically the customer does not have sufficient local storage to log all the flows). In such high link-speed settings, performing an interactive protocol with every packet or flow sent is very expensive. Our Contributions. We introduce streaming authenticated data structures, and design expressive and efficient schemes that do not require any interaction between the client and server while the stream is observed. In our scenario, streaming elements x 1 , x 2 , . . . , x n are inserted into a data structure that is stored by the prover and the verifier stores and updates small local state of size O(log n). At any point of time, the verifier can send a data structure query to the prover, e.g., "return the predecessor of y" or "return the elements in the range [a, b]". Subsequently the prover can compute an answer and a proof in time O(log M log n), where n is the size of the stream and M is the size of the ordered universe from where the elements are drawn. Our protocols are based on the difficulty of solving the small integer solution problem [30] , and are the first ones to achieve the following properties simultaneously:
doi:10.1007/978-3-642-38348-9_22 fatcat:rczt6k3fqrgshphpmxysfpttku

Cloud Data Protection for the Masses

Dawn Song, Elaine Shi, Ian Fischer, Umesh Shankar
2012 Computer  
Dawn Song, Elaine Shi, and Ian Fischer, University of California, BerkeleyUmesh Shankar, Google IEEE Computer Graphics and Applicationsis indispensable reading for people who want to  ... 
doi:10.1109/mc.2012.1 fatcat:otw4a6qqdbdjhdzaylc72u5gim

Thunderella: Blockchains with Optimistic Instant Confirmation [chapter]

Rafael Pass, Elaine Shi
2018 Lecture Notes in Computer Science  
Such a "sleepy" model was first considered in a recent work by Pass and Shi [43] . 2.  ...  The recent work by Pass and Shi [43] point out one fundamental difference between classical style and blockchain-style consensus.  ... 
doi:10.1007/978-3-319-78375-8_1 fatcat:5hftaljhjbatldxtbvyvssqln4
« Previous Showing results 1 — 15 out of 1,932 results