ZLiTE: Lightweight Clients for Shielded Zcash Transactions Using Trusted Execution

Conference paper. Financial Cryptography and Data Security (FC 2019).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11598)

Abstract

Cryptocurrencies record transactions between parties in a blockchain maintained by a peer-to-peer network. In most cryptocurrencies, transactions explicitly identify the previous transaction providing the funds they are spending, revealing the amount and sender/recipient pseudonyms. This is a considerable privacy issue. Zerocash resolves this by using zero-knowledge proofs to hide both the source, destination and amount of the transacted funds. To receive payments in Zerocash, however, the recipient must scan the blockchain, testing if each transaction is destined for them. This is not practical for mobile and other bandwidth constrained devices. In this paper, we build ZLiTE, a system that can support the so called “light clients”, which can receive transactions aided by a server equipped with a Trusted Execution Environment. Even with the use of a TEE, this is not a trivial problem. First, we must ensure that server processing the blockchain does not leak sensitive information via side channels. Second, we need to design a bandwidth efficient mechanism for the client to keep an up-to-date version of the witness needed in order to spend the funds they previously received.

K. Wüst and S. Matetic—Equally contributing authors.



Correspondence to Karl Wüst.

A Commitment Tree Updates

As described in Sect. 4.3, the commitment tree update \(U_{ct}\) for the interval between time \(t_1\) and \(t_2\) consists of the right children of the nodes on the path from \(\mathsf {cm}_i\) to the root, with their values taken at time \(t_2\), where \(\mathsf {cm}_i\) is the rightmost non-empty leaf at time \(t_1\).

Fig. 4. At time \(t_1\) the note commitment Merkle tree is fully updated up to the latest block. A specific client holds a transaction with a note commitment c and knows the witness (i.e. the Merkle path) for it: the nodes d, N8, N5, and N3. After some time the blockchain has grown and new transactions have been added, so the Merkle tree is updated accordingly (\(t_2\)). In order to update the witness of her commitment c, the client only needs the updated values of the nodes N11, N5, and N3.

In Fig. 4, we show an example of the commitment tree update. In this example, the leaf f is the rightmost non-empty leaf at \(t_1\), i.e. it corresponds to \(\mathsf {cm}_i\), which means that the commitment tree update consists of the values of the nodes N11, N5, and N3 at time \(t_2\). In the example, the update is applied to the witness of the leaf c (consisting of the nodes d, N8, N5, and N3). The values of the leaf d and the node N8 do not change between time \(t_1\) and \(t_2\); the values of N5 and N3 do change, however, so they are contained in the commitment tree update and the witness takes its new values from there.

We now show that given a witness at time \(t_1\) for a commitment \(\mathsf {cm}_j\) (where \(j<i\), i.e. \(\mathsf {cm}_j\) was added to the tree before \(\mathsf {cm}_i\)) and the commitment tree update \(U_{ct}\), a client can compute the witness for \(\mathsf {cm}_j\) at time \(t_2\).

Let \(A_{ji}\) be the lowest common ancestor node of \(\mathsf {cm}_j\) and \(\mathsf {cm}_i\) in the commitment tree, i.e. \(\mathsf {cm}_j\) is in the left subtree of \(A_{ji}\) and \(\mathsf {cm}_i\) is in the right subtree. Any node in the left subtree of \(A_{ji}\) remains unchanged between \(t_1\) and \(t_2\), i.e. any node from that subtree which is part of the witness for \(\mathsf {cm}_j\) also remains unchanged. Since none of these nodes changes through the update process, updating the witness with \(U_{ct}\) results in the correct values.

Similarly, any node of the witness for \(\mathsf {cm}_j\) that is a left child of a node on the path from \(A_{ji}\) to the root remains unchanged in the Merkle tree at time \(t_2\), since all leaves in any such left subtree are already fixed at time \(t_1\) and thus all node values in it are already final. Since our update process does not change any left children in the tree, it also leaves these values unchanged and thus results in the correct values.

Finally, any node of the witness for \(\mathsf {cm}_j\) that is a right child of a node on the path from \(A_{ji}\) to the root may change in the Merkle tree at time \(t_2\). Since \(A_{ji}\) is an ancestor of \(\mathsf {cm}_i\), any such node is included in \(U_{ct}\), i.e. these witness nodes are updated by our update process. These values are therefore changed to the correct values from the note commitment tree at time \(t_2\).

It follows that the witness at time \(t_2\) for \(\mathsf {cm}_j\) can be constructed correctly given the witness at time \(t_1\) and the commitment tree update \(U_{ct}\).
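A worked instance of the update rule above, added here as an example and not code from the paper or the ZLiTE implementation: it builds the small tree of Fig. 4 (leaves a..f present at \(t_1\), more appended by \(t_2\)), derives \(U_{ct}\) as the right children of the ancestors of \(\mathsf {cm}_i\), patches the client's witness for leaf c with it, and checks the result against a freshly computed witness and the root at \(t_2\). SHA-256, the 4-level depth and the zero-filled empty leaf are simplifications assumed here; Sapling's tree uses a Pedersen hash and a much greater depth.

```python
import hashlib
DEPTH = 4                  # 16 leaf slots, matching the tree drawn in Fig. 4 (Sapling's is deeper)
EMPTY = b"\x00" * 32       # constructed placeholder value for an unused leaf slot

def h(left, right):
    # Illustrative node hash; Sapling uses a Pedersen hash here, not SHA-256.
    return hashlib.sha256(left + right).digest()

def build_levels(leaves):
    """levels[0] = leaves padded to 2**DEPTH slots, levels[DEPTH] = [root]."""
    level = list(leaves) + [EMPTY] * (2 ** DEPTH - len(leaves))
    levels = [level]
    for _ in range(DEPTH):
        level = [h(level[k], level[k + 1]) for k in range(0, len(level), 2)]
        levels.append(level)
    return levels

def witness(levels, j):
    """Merkle path of leaf j: its ancestor's sibling at every level, bottom-up."""
    return [levels[l][(j >> l) ^ 1] for l in range(DEPTH)]

def commitment_tree_update(levels_t2, i):
    """U_ct: right child of every ancestor of leaf i (rightmost leaf at t1), read at t2.
    Level 0 (cm_i's own sibling) is never part of an older leaf's witness."""
    return {l: levels_t2[l][(i >> l) | 1] for l in range(1, DEPTH)}

def apply_update(wit_t1, j, i, update):
    """Refresh the t1 witness of leaf j (j < i) using only U_ct, as in Appendix A."""
    assert j < i
    wit = list(wit_t1)
    for l in range(1, DEPTH):
        # Only a right child of one of cm_i's ancestors can have changed since t1.
        if ((j >> l) ^ 1) == ((i >> l) | 1):
            wit[l] = update[l]
    return wit

def root_from(leaf, j, wit):
    node = leaf
    for l, sib in enumerate(wit):
        node = h(sib, node) if (j >> l) & 1 else h(node, sib)
    return node

# Constructed leaves mirroring Fig. 4: a..f present at t1, g..k appended by t2.
LEAVES_T1 = [hashlib.sha256(x).digest() for x in (b"a", b"b", b"c", b"d", b"e", b"f")]
LEAVES_T2 = LEAVES_T1 + [hashlib.sha256(x).digest() for x in (b"g", b"h", b"i", b"j", b"k")]

def demo():
    t1, t2 = build_levels(LEAVES_T1), build_levels(LEAVES_T2)
    i, j = len(LEAVES_T1) - 1, 2      # i: leaf f (cm_i at t1); j: the client's leaf c
    updated = apply_update(witness(t1, j), j, i, commitment_tree_update(t2, i))
    return updated == witness(t2, j) and root_from(LEAVES_T2[j], j, updated) == t2[DEPTH][0]
```

The update carries only three node values (N11, N5, N3 in the figure) yet refreshes the witness of every leaf older than \(\mathsf {cm}_i\), which is exactly the bandwidth saving the scheme relies on.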


Copyright information

© 2019 International Financial Cryptography Association

About this paper

Cite this paper

Wüst, K., Matetic, S., Schneider, M., Miers, I., Kostiainen, K., Čapkun, S. (2019). ZLiTE: Lightweight Clients for Shielded Zcash Transactions Using Trusted Execution. In: Goldberg, I., Moore, T. (eds) Financial Cryptography and Data Security. FC 2019. Lecture Notes in Computer Science(), vol 11598. Springer, Cham. https://doi.org/10.1007/978-3-030-32101-7_12

  • DOI: https://doi.org/10.1007/978-3-030-32101-7_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-32100-0

  • Online ISBN: 978-3-030-32101-7

  • eBook Packages: Computer Science (R0)
