REM - Resource-Efficient Mining for Blockchains

Blockchain is a promising technology that can solve many problems. Nowadays, many of blockchains rely on Proof-of-Work(PoW) to produce new blocks which really waste lots of computational resources. In order to solve this problem, this paper presents REM(Resource-Efficient Mining) which is a new mining framework that uses Intel SGX. Their consensus method is called Proof-of-Useful-Work(PoUW). In this system, miners can use their CPUs for desired workload and contribute their work towards securing a blockchain as well.

Proof Of Work

In a blockchain, miners collect signed transactions from users, validate the transactions’ signatures and generate new blocks that contains these transactions with a pointer to the parent block. The miner who wants to produce a new block has to solve a cryptopuzzle. The miner has to change an input(nonce) in the block until a cryptographic hash of the block is smaller than a predetermined threshold. This threshold is the difficulty which is set per a deterministic algorithm that seeks to enforce a static expected rate of block production by miners.

Intel Software Guard Extensions

Intel Software Guard Extensions (SGX) is a set of central processing unit (CPU) instruction codes from Intel that allows user-level code to allocate private regions of memory, called enclaves, that are protected from processes running at higher privilege levels. SGX permits the execution of trustworthy code in an isolated, tamper-free environment, and can prove remotely that outputs represent the result of such execution.

Attestation for SGX

One important property fir SGX is that a remote system can verify the software running in an enclave and communicate securely with it. First, the enclave will produce a measurement which is a hash of initial state produced by CPU. It will also generate the supplementary data which is provided by the process. And it uses the measurement and the supplementary data to generate the quote which is digitally signed using a hardware-protected key. Quote can only be verified by accessing Intel’s attestation Service (IAS) which is a public service maintained by intel.

Overview of PoUW/REM

The work flow for PoUW is like this. The useful work clients supply useful workloads to REM miners. The blockchain agent collect transactions and generate a block template. Then the miner take the block template and useful work to produce the PoUWs. Then the enclave randomly determines whether the work results in a block by treating each instruction as a Bernouli trial. If it generates a new block, the blockchain agent will produce a block and broadcast it. This whole process is really based on two assumptions. The first is Intel assigns a signing key only to a valid CPU. And the second is Intel doesn’t block valid nodes in the network.

Implementation Details

  1. How the miner determines whether it will produce a new block PoUW enclave generate a random number and check whether it’s smaller than the value target. In order to reduce overhead, It divide useful work into subtasks. Then the miner run each subtask and count its instructions. And it call SRNG to determine whether at least one instruction has won.If so, produces an attestation

  2. How the miner count the instruction numbers? The author provides a customized toolchain which is the PoUWruntime shared library. It serves as ¡°in-enclave¡± loader that launches useful work program with input and collects result which also count the instruction numbers.

  3. Hierarchical Attestation In order to prove the miner really does the useful work. In the block structure, there is a useful work program attestation on the mining process from work enclave. And there is also a static-analysis compliance checker from compliance enclave.

Tolerating Compromised SGX CPUs

We assume SGX chips are manufactured in a secure fashion, some number of individual instances could be broken by well-resourced adversaries. So the author gives a threat model that can tolerate these compromised SGX CPUs. The basic idea here is ¡°If a miner is way too lucky, her block shall not be accepted¡±.

Take-away

The paper introduces REM, which can be used to replace the POW and saves lots of computational power.

My thoughts on this project

  1. Miners must contact IAS to verify attestations. So this suffers from single point of failure. Once the IAS service is down, the whole blockchain is down.
  2. Intel has whole control of the blockchain because it provides the IAS service.
  3. I don’t think they need the threat model. Because as the author said, this can be used for those organizations having no interests in creating a new coin. Since there is no coin, then no hacker will be interested in producing more coins.

Get the presentation slides here

Written on October 5, 2018