Cryptology ePrint Archive: Report 2016/1062

Catena: Efficient Non-equivocation via Bitcoin

Alin Tomescu and Srinivas Devadas

Abstract: We present Catena, an efficiently-verifiable Bitcoin witnessing scheme. Catena enables any number of thin clients, such as mobile phones, to efficiently agree on a log of application-specific statements managed by an adversarial server. Catena implements a log as an OP_RETURN transaction chain and prevents forks in the log by leveraging Bitcoin’s security against double spends. Specifically, if a log server wants to equivocate it has to double spend a Bitcoin transaction output. Thus, Catena logs are as hard to fork as the Bitcoin blockchain: an adversary without a large fraction of the network’s computational power cannot fork Bitcoin and thus cannot fork a Catena log either. However, different from previous Bitcoin-based work, Catena decreases the bandwidth requirements of log auditors from 90 GB to only tens of megabytes. More precisely, our clients only need to download all Bitcoin block headers (currently less than 35 MB) and a small, 600-byte proof for each statement in a block. We implement Catena in Java using the bitcoinj library and use it to extend CONIKS, a recent key transparency scheme, to witness its public-key directory in the Bitcoin blockchain where it can be efficiently verified by auditors. We show that Catena can secure many systems today, such as public-key directories, Tor directory servers and software transparency schemes.

Category / Keywords: cryptographic protocols / bitcoin; distributed cryptography; implementation;

Original Publication (with minor differences): IEEE Security & Privacy 2017

Date: received 13 Nov 2016, last revised 19 Mar 2017

Contact author: alinush at mit edu

Available format(s): PDF | BibTeX Citation

Note: Included additional related work and improved writing.

Version: 20170319:232151 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]