CrudiTEE: A Stick-and-Carrot Approach to Building Trustworthy Cryptocurrency Wallets with TEEs

TL;DR

CrudiTEE introduces an economic incentive model using penalties and rewards to discourage side-channel attacks on TEE-based cryptocurrency wallets, enhancing security without sacrificing usability.

Contribution

This paper presents a novel approach combining economic incentives with TEE technology to mitigate side-channel attacks in cryptocurrency wallets.

Findings

Modeling attacker behavior with MDP to optimize incentives

Designing a penalty and reward system to dissuade attacks

Demonstrating potential effectiveness of economic incentives in security

Abstract

Cryptocurrency introduces usability challenges by requiring users to manage signing keys. Popular signing key management services (e.g., custodial wallets), however, either introduce a trusted party or burden users with managing signing key shares, posing the same usability challenges. TEEs (Trusted Execution Environments) are a promising technology to avoid both, but practical implementations of TEEs suffer from various side-channel attacks that have proven hard to eliminate. This paper explores a new approach to side-channel mitigation through economic incentives for TEE-based cryptocurrency wallet solutions. By taking the cost and profit of side-channel attacks into consideration, we designed a Stick-and-Carrot-based cryptocurrency wallet, CrudiTEE, that leverages penalties (the stick) and rewards (the carrot) to disincentivize attackers from exfiltrating signing keys in the first place. We model the attacker's behavior using a Markov Decision Process (MDP) to evaluate the effectiveness of the bounty and enable the service provider to adjust the parameters of the bounty's reward function accordingly.