BitML Stefano Lande Nicola Atzei Roberto Zunino Massimo - - PowerPoint PPT Presentation

bitml
SMART_READER_LITE
LIVE PREVIEW

BitML Stefano Lande Nicola Atzei Roberto Zunino Massimo - - PowerPoint PPT Presentation

Jan 16, 2024 270 likes •629 views

Design and verification of Bitcoin smart contracts with BitML Stefano Lande Nicola Atzei Roberto Zunino Massimo Bartoletti University of Cagliari University of Trento Why smart contracts on Bitcoin? well-understood security of the

slide-1
SLIDE 1

Design and verification of Bitcoin smart contracts with

BitML

Stefano Lande Nicola Atzei Massimo Bartoletti

University of Cagliari

Roberto Zunino

University of Trento

slide-2
SLIDE 2

Why smart contracts on Bitcoin?

■ well-understood security of the blockchain ▫ Garay, Kiayias, Leonardos, EUROCRYPT’15 ▫ Kosba, Miller, et al., IEEE S&P’16 ▫ ... ■ simpler model of computation ▫ Bitcoin: transactions (with minimal scripting) ▫ Ethereum: EVM/Solidity (⇒ subtle bugs) ■ basis for other blockchains (e.g. Litecoin)

2

slide-3
SLIDE 3

T1

Bitcoin in a nutshell

3

T1

Alice owns 1 BTC

Satoshi

Bob Alice

slide-4
SLIDE 4

Bitcoin in a nutshell

4

Bob Alice

T2

Bob owns 1 BTC

Alice

T1

Alice owns 1 BTC

Satoshi

T1 T2

slide-5
SLIDE 5

Bitcoin transactions

in: (T1,1); (T2,3) T

5

T1 T2

slide-6
SLIDE 6

Bitcoin transactions

in: (T1,1); (T2,3)

  • ut:

1 BTC: fun(x) . e1 2 BTC: fun(y) . e2 T

6

T1 T2

k x e + e e - e e < e e = e H(e) |e| versigk(e) if e then e else e absAfter t:e relAfter t:e

slide-7
SLIDE 7

Bitcoin transactions

in: (T1,1); (T2,3)

  • ut:

1 BTC: fun(x) . e1 2 BTC: fun(y) . e2 absLock: after 2018.12.17 relLock: 2 days after T1 T

7

T1 T2

k x e + e e - e e < e e = e H(e) |e| versigk(e) if e then e else e absAfter t:e relAfter t:e

slide-8
SLIDE 8

Bitcoin scripts: limitations

8

■ no loops ■ versig ○ only verify signature of the redeeming tx ○ no signatures on arbitrary messages! ■ arithmetic ○ no multiplication / shift (!?) ○ no ops on long numbers (only equality check) ■ no concatenation of bitstrings ■ no checks on the redeeming tx (only versig)

slide-9
SLIDE 9

◎ Smart contracts allow to specify “programmable” rules to transfer currency ◎ They are implemented in Bitcoin as cryptographic protocols, exploiting the advanced features

  • f transactions

Smart contracts in Bitcoin

cond

9

slide-10
SLIDE 10

A sample of Bitcoin contracts

■ Oracles ■ Escrow and arbitration ■ Fair multi-player lotteries ■ Gambling games (Poker, ...) ■ Crowdfunding ■ Micropayments channels (“Lighting network”) ■ Contingent payments (via ZK proofs) ■ …

10

slide-11
SLIDE 11

Example: timed commitment

Problem: when playing a game, if A makes public her move first, then B can choose a countermove which makes him always win ◎ A wants to commit a secret s, but reveal it some time later ◎ B wants to be assured that he will either:

○ learn A’s secret within time t ○ or be economically compensated

[Andrychowicz et al. 2014]

11

slide-12
SLIDE 12

Example: timed commitment

◎ A chooses secret s and broadcasts h=H(s)

  • ut: 1 BTC: fun x σ .

( H(x)=h and verA(σ) ) or afterAbs t: verB(σ)

Commit

12

slide-13
SLIDE 13

Example: timed commitment

◎ A chooses secret s and broadcasts h=H(s) ◎ A can get 1 BTC by revealing s before time t

  • ut: 1 BTC: fun x σ .

( H(x)=h and verA(σ) ) or afterAbs t: verB(σ)

Commit

13

wit: s sigA(Reveal)

Reveal

slide-14
SLIDE 14

Example: timed commitment

◎ A chooses secret s and broadcasts h=H(s) ◎ A can get 1 BTC by revealing s before time t ◎ B can get 1BTC if A does not reveal s by time t

  • ut: 1 BTC: fun x σ .

( H(x)=h and verA(σ) ) or afterAbs t: verB(σ)

Commit

14 14

wit: * sigB(Timeout) absLock: t

Timeout

slide-15
SLIDE 15

Problems

15

■ writing Bitcoin contracts is hard

▫ no programming language ▫ contracts usually described as “endpoint” protocols: ▫ send / receive messages ▫ scan blockchain / append transactions ▫ low-level & poorly documented features ▫ scripts, SegWit, signature modifiers, ...

■ no formal specification

⇒ no automatic verification

slide-16
SLIDE 16

16

slide-17
SLIDE 17

Bitcoin contracts in prose

17

slide-18
SLIDE 18

BitML: Bitcoin Modelling Language [B. & Zunino, ACM CCS’18]

18

■ contracts are programs ○ high-level specification of global behaviour ○ abstract from low-level details (e.g. transactions) ■ 3-phases workflow: ○ advertisement: someone broadcasts the contract and the required preconditions (deposits, secrets) ○ stipulation: participants decide whether to accept the contract, by satisfying its preconditions ○ execution: participants perform actions, which must respect the contract logic ■ compiler : BitML → standard Bitcoin transactions

slide-19
SLIDE 19

BitML syntax

C ::= D1 + ⋯ + Dn D ::= withdraw A split v1→C1|⋯|vn→Cn A : D after t : D put x . C reveal a if p . C

19

contract guarded contract transfer bal to A split balance wait for A’s auth wait until time t collect deposits x reveal secrets a

slide-20
SLIDE 20

A basic example

Precondition: A must put a 1฿:

{A:!1฿}

Contract:

PayOrRefund = A:withdraw B + B:withdraw A

Problem: if neither A nor B give their authorization, the 1฿ deposit is frozen

20

slide-21
SLIDE 21

Mediating disputes (with oracles)

Resolve disputes via a mediator M (paid 0.2฿)

Escrow = PayOrRefund + A:Resolve + B:Resolve Resolve = split 0.2฿ → withdraw M | 0.8฿ → M:withdraw A + M:withdraw B

21

slide-22
SLIDE 22

Timed commitment

{A:!1฿ | A:secret a} TimedC = reveal a. withdraw A + after t : withdraw B

22

slide-23
SLIDE 23

A 2-players lottery (wrong version)

reveal a b if |a|=|b|. withdraw A + reveal a b if |a|≠|b|. withdraw B

23

{A:!1฿ | A:secret a | B:!1฿ | B:secret b}

slide-24
SLIDE 24

A 2-players lottery (almost there…)

split 2฿ → reveal b . withdraw B + after t : withdraw A |2฿ → reveal a . withdraw A + after t : withdraw B |2฿ → reveal a b if |a|=|b|. withdraw A + reveal a b if |a|≠|b|. withdraw B

24

{A:!3฿ | A:secret a | B:!3฿ | B:secret b}

slide-25
SLIDE 25

A 2-players lottery (fair version)

split 2฿ → reveal b if 0≤|b|≤1 . withdraw B + after t : withdraw A |2฿ → reveal a . withdraw A + after t : withdraw B |2฿ → reveal a b if |a|=|b|. withdraw A + reveal a b if |a|≠|b|. withdraw B

25

{A:!3฿ | A:secret a | B:!3฿ | B:secret b}

slide-26
SLIDE 26

Symbolic vs computational model

26

Bitcoin smart contracts

Computational

BitML smart contracts

Symbolic

slide-27
SLIDE 27

Preserving security upon compilation

Theorem (Computational soundness): For each computational run, there exists a corresponding symbolic run (with overwhelming probability) ◎ Computational attacks are also observable at the symbolic level. ◎ A tool can be used to verify security properties at the symbolic level

27

slide-28
SLIDE 28

Liquidity of contracts

A:B:withdraw C + A:B:withdraw D

Problem: A and B must agree on the recipient of the donation, otherwise the funds are frozen

⇒ not liquid

28

slide-29
SLIDE 29

Liquidity of contracts

{A:!1฿ | A:secret a} reveal a. withdraw A + after t : withdraw B

◎ A can reveal her secret ⇒ liquid ◎ B can delay until time t ⇒ liquid

29

slide-30
SLIDE 30

Verifying liquidity

for all finite runs R1 (conforming to A’s strategy) there exists some extension R2 of R1

(conforming to A’s strategy) such that R2:

  • 1. has no authorizations/reveals of any B ≠ A
  • 2. has no active contracts

Th: liquidity is decidable in BitML

30

slide-31
SLIDE 31

WIP: A toolchain for design and verification

31

BitML compiler Model checker Execution client

Contract + Strategy Contract model Bitcoin transactions + Strategy

Liquidity

slide-32
SLIDE 32

Thank you

32

slide-33
SLIDE 33

A formal ecosystem for Bitcoin smart contracts

33

Contracts as endpoint protocols

[POST18]

Formal model of Bitcoin transactions

[FC18]

Balzac Computational BitML

[CCS18]

BitML compiler Symbolic BitML verification

[Submitted]

slide-34
SLIDE 34

Timed commitment (output of the BitML compiler)

34