Based on Bitcoin: A New System for Online Security
Tony Pallone | May 24, 2017
(Source: Christine Daniloff/MIT)
Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory have devised a new system to defend against online identity theft, using the security machinery of peer-to-peer digital-currency network Bitcoin.
Along with his thesis adviser Srini Devadas, electrical engineering and computer science graduate student Alin Tomescu focused his research on the problem of equivocation — the creation of false security keys designed to trick users into revealing secret information.
“Our paper is about using Bitcoin to prevent online services from getting away with lying,” says Tomescu, who presented his work at the 2017 IEEE Symposium on Security & Privacy. “When you build systems that are distributed and send each other digital signatures, for instance, those systems can be compromised, and they can lie. They can say one thing to one person and one thing to another. And we want to prevent that.”
Earlier systems also have used the Bitcoin machinery to guard against equivocation, but for verification, they required the download of the entire blockchain — the massive public log (110 gigabytes and growing hourly) of every Bitcoin transaction made since the system launched in 2009. The new system, called Catena, requires the download of only about 40 megabytes of data, so it could run on a smartphone.
“Our idea is so simple — it’s embarrassingly simple,” Tomescu says. The central requirement of Bitcoin is that no one can spend the same bitcoin in more than one place; cryptographic protocols in place within the system prevent that from happening. Catena precludes equivocation simply by adding the requirement that every Bitcoin transaction that logs a public assertion must involve an actual bitcoin transfer; auditing those public assertions then becomes a matter of downloading only a portion of data as a cryptographic proof.
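The following toy model is an added illustration, not code from the Catena paper or from Bitcoin. It assumes that each logged assertion spends the coin produced by the previous assertion, so the ledger's no-double-spend rule also rejects a second, conflicting assertion at the same position; `ToyLedger`, `Tx`, `audit` and the sample key strings are hypothetical names and constructed data.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    spends: str     # id of the coin being spent (the previous log entry)
    statement: str  # the public assertion carried by this transaction

    @property
    def txid(self) -> str:
        data = f"{self.spends}|{self.statement}".encode()
        return hashlib.sha256(data).hexdigest()

class ToyLedger:
    """Stand-in for Bitcoin's rule that a coin can be spent only once."""
    def __init__(self, genesis_id: str):
        self.unspent = {genesis_id}
        self.accepted = []

    def submit(self, tx: Tx) -> bool:
        if tx.spends not in self.unspent:
            return False  # coin already spent (or unknown): rejected
        self.unspent.remove(tx.spends)
        self.unspent.add(tx.txid)
        self.accepted.append(tx)
        return True

def audit(genesis_id: str, txs: list) -> list:
    """Auditor's check: every entry must spend the entry right before it."""
    prev, statements = genesis_id, []
    for tx in txs:
        if tx.spends != prev:
            raise ValueError("log is forked or broken at " + tx.statement)
        statements.append(tx.statement)
        prev = tx.txid
    return statements

def demo():
    ledger = ToyLedger("genesis")
    s1 = Tx("genesis", "alice-key=AAA")         # constructed sample assertion
    s2 = Tx(s1.txid, "alice-key=BBB")           # honest next entry
    s2_lie = Tx(s1.txid, "alice-key=EVIL")      # conflicting entry, same slot
    results = [ledger.submit(t) for t in (s1, s2, s2_lie)]
    return results, audit("genesis", ledger.accepted)

if __name__ == "__main__":
    print(demo())
```

The conflicting entry is refused because it tries to spend a coin the honest entry already spent, so every auditor who follows the chain sees the same single history.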
Most importantly, Catena has implications that go beyond Bitcoin. It can be used to secure other types of systems, such as public-key directories for HTTPS and secure messaging, Tor directory servers and software transparency schemes.