20 research outputs found
An empirical analysis of smart contracts: platforms, applications, and design patterns
Smart contracts are computer programs that can be consistently executed by a
network of mutually distrusting nodes, without the arbitration of a trusted
authority. Because of their resilience to tampering, smart contracts are
appealing in many scenarios, especially in those which require transfers of
money to respect certain agreed rules (like in financial services and in
games). Over the last few years many platforms for smart contracts have been
proposed, and some of them have been actually implemented and used. We study
how the notion of smart contract is interpreted in some of these platforms.
Focussing on the two most widespread ones, Bitcoin and Ethereum, we quantify
the usage of smart contracts in relation to their application domain. We also
analyse the most common programming patterns in Ethereum, where the source code
of smart contracts is available.
Comment: WTSC 201
Renegotiation and recursion in Bitcoin contracts
BitML is a process calculus to express smart contracts that can be run on
Bitcoin. One of its current limitations is that, once a contract has been
stipulated, the participants cannot renegotiate its terms: this prevents
expressing common financial contracts, where funds have to be added by
participants at run-time. In this paper, we extend BitML with a new primitive
for contract renegotiation. At the same time, the new primitive can be used to
write recursive contracts, which was not possible in the original BitML. We
show that, despite the increased expressiveness, it is still possible to
execute BitML on standard Bitcoin, preserving the security guarantees of BitML.
Comment: Full version of the paper presented at COORDINATION 202
Dragoon: Private Decentralized HITs Made Practical
With the rapid popularity of blockchain, decentralized human intelligence
tasks (HITs) are proposed to crowdsource human knowledge without relying on
vulnerable third-party platforms. However, the inherent limits of blockchain
cause decentralized HITs to face a few "new" challenges. For example, the
confidentiality of solicited data turns out to be the sine qua non, though it
was an arguably dispensable property in the centralized setting. To ensure the
"new" requirement of data privacy, existing decentralized HITs use generic
zero-knowledge proof frameworks (e.g. SNARK), but scarcely perform well in
practice, due to the inherently expensive cost of generality.
We present a practical decentralized protocol for HITs, which also achieves
the fairness between requesters and workers. At the core of our contributions,
we avoid the powerful yet highly-costly generic zk-proof tools and propose a
special-purpose scheme to prove the quality of encrypted data. By various
non-trivial statement reformations, proving the quality of encrypted data is
reduced to efficient verifiable decryption, thus making decentralized HITs
practical. Along the way, we rigorously define the ideal functionality of
decentralized HITs and then prove the security due to the ideal-real paradigm.
We further instantiate our protocol to implement a system called Dragoon, an
instance of which is deployed atop Ethereum to facilitate an image annotation
task used by ImageNet. Our evaluations demonstrate its practicality: the
on-chain handling cost of Dragoon is even less than the handling fee of
Amazon's Mechanical Turk for the same ImageNet HIT.
Comment: small differences from a version accepted to appear in ICDCS 2020 (to fix a minor bug
Analysis of a consensus protocol for extending consistent subchains on the bitcoin blockchain
Currently, an increasing number of third-party applications exploit the Bitcoin blockchain to store tamper-proof records of their executions, immutably. For this purpose, they leverage the few extra bytes available for encoding custom metadata in Bitcoin transactions. A sequence of records of the same application can thus be abstracted as a stand-alone subchain inside the Bitcoin blockchain. However, several existing approaches do not make any assumptions about the consistency of their subchains, either (i) neglecting the possibility that this sequence of messages can be altered, mainly due to unhandled concurrency, network malfunctions, application bugs, or malicious users, or (ii) giving weak guarantees about their security. To tackle this issue, in this paper, we propose an improved version of a consensus protocol formalized in our previous work, built on top of the Bitcoin protocol, to incentivize third-party nodes to consistently extend their subchains. Besides, we perform an extensive analysis of this protocol, both defining its properties and presenting some real-world attack scenarios, to show how its specific design choices and parameter configurations can be crucial to prevent malicious practices.
Redactable Blockchain in the Permissionless Setting
Bitcoin is an immutable permissionless blockchain system that has been
extensively used as a public bulletin board by many different applications that
heavily rely on its immutability. However, Bitcoin's immutability is not
without its fair share of demerits. Interpol exposed the existence of harmful
and potentially illegal documents, images and links in the Bitcoin blockchain,
and since then there have been several qualitative and quantitative analyses on
the types of data currently residing in the Bitcoin blockchain.
Although there is a lot of attention on blockchains, surprisingly the
previous solutions proposed for data redaction in the permissionless setting
are far from feasible, and require additional trust assumptions. Hence, the
problem of harmful data still poses a huge challenge for law enforcement
agencies like Interpol (Tziakouris, IEEE S&P'18).
We propose the first efficient redactable blockchain for the permissionless
setting that is easily integrable into Bitcoin, and that does not rely on heavy
cryptographic tools or trust assumptions. Our protocol uses a consensus-based
voting and is parameterised by a policy that dictates the requirements and
constraints for the redactions; if a redaction gathers enough votes the
operation is performed on the chain. As an extra feature, our protocol offers
public verifiability and accountability for the redacted chain. Moreover, we
provide formal security definitions and proofs showing that our protocol is
secure against redactions that were not agreed by consensus. Additionally, we
show the viability of our approach with a proof-of-concept implementation that
shows only a tiny overhead in the chain validation of our protocol when
compared to an immutable one.
Comment: 2019 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, US, pp. 645-65
Verifying liquidity of recursive Bitcoin contracts
Smart contracts - computer protocols that regulate the exchange of
crypto-assets in trustless environments - have become popular with the spread
of blockchain technologies. A landmark security property of smart contracts is
liquidity: in a non-liquid contract, it may happen that some assets remain
frozen, i.e. not redeemable by anyone. The relevance of this issue is witnessed
by recent liquidity attacks to Ethereum, which have frozen hundreds of USD
millions. We address the problem of verifying liquidity on BitML, a DSL for
smart contracts with a secure compiler to Bitcoin, featuring primitives for
currency transfers, contract renegotiation and consensual recursion. Our main
result is a verification technique for liquidity. We first transform the
infinite-state semantics of BitML into a finite-state one, which focusses on
the behaviour of a chosen set of contracts, abstracting from the moves of the
context. With respect to the chosen contracts, this abstraction is sound, i.e.
if the abstracted contract is liquid, then also the concrete one is such. We
then verify liquidity by model-checking the finite-state abstraction. We
implement a toolchain that automatically verifies liquidity of BitML contracts
and compiles them to Bitcoin, and we assess it through a benchmark of
representative contracts.
Comment: arXiv admin note: text overlap with arXiv:2003.0029
Instantaneous Decentralized Poker
We present efficient protocols for amortized secure multiparty computation
with penalties and secure cash distribution, of which poker is a prime example.
Our protocols have an initial phase where the parties interact with a
cryptocurrency network, that then enables them to interact only among
themselves over the course of playing many poker games in which money changes
hands.
The high efficiency of our protocols is achieved by harnessing the power of
stateful contracts. Compared to the limited expressive power of Bitcoin
scripts, stateful contracts enable richer forms of interaction between standard
secure computation and a cryptocurrency.
We formalize the stateful contract model and the security notions that our
protocols accomplish, and provide proofs using the simulation paradigm.
Moreover, we provide a reference implementation in Ethereum/Solidity for the
stateful contracts that our protocols are based on.
We also adapt our off-chain cash distribution protocols to the special case
of stateful duplex micropayment channels, which are of independent interest. In
comparison to Bitcoin based payment channels, our duplex channel implementation
is more efficient and has additional features.