smart contracts and applications part ii
TRANSCRIPT
![Page 1: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/1.jpg)
Smart Contracts and Applications(part II)
Stefan Dziembowski, University of Warsaw
Workshop on Bitcoin, Introduction to Cryptocurrencies, Kfar Maccabiah, Ramat Gan, Israel, June 6-7, 2016
![Page 2: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/2.jpg)
Plan
1. Secure multiparty computations + Bitcoin contracts
2. Criminal use of smart contracts
("How to order a murder using cryptocurrencies?")
3. Formal modelling of contracts
![Page 3: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/3.jpg)
This part
Based on:
• Andrychowicz, Dziembowski, Malinowski, Mazurek: Secure Multiparty Computations on Bitcoin. IEEE Symposium on Security and Privacy 2014
• Andrychowicz, Dziembowski, Malinowski, Mazurek: Secure Multiparty Computations on Bitcoin. BITCOIN Workshop 2014
• Andrychowicz, Dziembowski, Malinowski, Mazurek: Secure multiparty computations on Bitcoin. Commun. ACM 59(4), 2016
Independent work by: Adam Back, Iddo Bentov, Ranjit Kumaresan, Tal Moran.
![Page 4: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/4.jpg)
Multiparty Computation (MPC) protocols
Protocols whose participants don't trust each other, but nevertheless want to achieve a common goal.
(figure: Alice and Bob exchanging messages. Alice: "I don't trust Bob." Bob: "I don't trust Alice." Common goal achieved!)
![Page 5: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/5.jpg)
Example 1: coin tossing
output (to both Alice and Bob): Y, where Y takes each of its two values with probability 1/2
![Page 6: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/6.jpg)
Example 2: marriage proposal
input: A = 1 if Alice loves Bob, 0 otherwise; B = 1 if Bob loves Alice, 0 otherwise
output (to both Alice and Bob): Y, where Y = A ∧ B
![Page 7: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/7.jpg)
Example 3: set operations
input: A = the set of Alice's friends, B = the set of Bob's friends
output (to both Alice and Bob): Y, where Y = A ∩ B (or Y = A ∪ B)
![Page 8: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/8.jpg)
Possible applications
• cloud computing
• online auctions
• e-voting
But is it possible to construct such protocols?
![Page 9: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/9.jpg)
With a "trusted third party" it's easy
ideal world: Alice sends A and Bob sends B to the trusted party, which computes Y and returns it to both of them.
But can we do it without a trusted third party?
In other words: can we "simulate" the ideal world in the real world, where Alice and Bob only exchange messages with each other?
![Page 10: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/10.jpg)
So, can we construct such protocols?
Manuel Blum, Andrew Yao, Oded Goldreich, Silvio Micali, Avi Wigderson
Answer: Yes! Every (efficiently computable) function can be "simulated" in a secure way (under some assumptions and with certain limitations).
![Page 11: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/11.jpg)
The limitations
• lack of fairness when there is no honest majority (we will explain it in a moment); partial remedies exist,
• no way to force the parties to provide true input,
• and no way to force them to respect the outcome.
The last two are traditionally considered beyond the scope of crypto.
![Page 12: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/12.jpg)
Our idea
Deal with these problems using
Bitcoin
![Page 13: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/13.jpg)
Example: two-party lotteries
• a random party earns 1 BTC
• the other one loses 1 BTC
![Page 14: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/14.jpg)
Looks similar to the "coin-tossing problem":
output (to both Alice and Bob): Y, where Y takes each of its two values with probability 1/2
![Page 15: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/15.jpg)
How to solve the coin-tossing problem?
Idea
Remember the old game:
rock-paper-scissors?
![Page 16: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/16.jpg)
| Bob \ Alice | rock | paper | scissors |
|---|---|---|---|
| rock | draw | Alice wins | Bob wins |
| paper | Bob wins | draw | Alice wins |
| scissors | Alice wins | Bob wins | draw |
![Page 17: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/17.jpg)
Let's simplify this game: each party picks a single bit.

| Bob \ Alice | A=0 | A=1 |
|---|---|---|
| B=0 | Alice wins | Bob wins |
| B=1 | Bob wins | Alice wins |

In other words: Alice wins iff A xor B = 0.
![Page 18: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/18.jpg)
Another way to look at it
Alice has an input A, Bob has an input B, and they should jointly compute x = A xor B (in a secure way).
![Page 19: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/19.jpg)
What to do?
Alice chooses a random bit A, Bob chooses a random bit B, and both should end up with x = A xor B.
Problem: A and B should be sent at the same time (e.g. if A is sent before B then a malicious Bob can set B := x xor A, where x is chosen by him).
![Page 20: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/20.jpg)
How to guarantee this?
Seems hard:
the internet is not synchronous...
A solution:
bit commitments
![Page 21: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/21.jpg)
Commitment schemes – an intuition
Alice puts a bit A into a locked box and sends the box to Bob: Alice "commits herself to A".
[binding] from now on Alice cannot change A; [hiding] but Bob doesn't know A.
Alice can later send the key to Bob: Alice "opens the commitment".
![Page 22: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/22.jpg)
Hash-based commitments (in the random oracle model)
H – hash function (e.g. SHA-256)
• to commit to A ∈ {0,1}: take a random R ∈ {0,1}^k and send H(A,R)
• to open: send (A,R); Bob recomputes H(A,R) and checks that it equals the value he received.
Hiding relies on R being long enough (k bits) that Bob cannot simply try all (A,R) pairs; binding relies on Alice being unable to find (A',R') ≠ (A,R) with H(A',R') = H(A,R).
![Page 23: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/23.jpg)
How does it solve the coin-flipping problem?
1. Alice chooses a random bit A and commits to A.
2. Bob chooses a random bit B and sends B (he has seen only the commitment, so B cannot depend on A).
3. Alice opens A.
4. Both output A xor B.
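The protocol above, as an added example (not code from the slides or the paper): a hash-based bit commitment with SHA-256 standing in for H, the honest coin flip built on it, the attack that works when A is sent in the clear (Bob sets B := x xor A), a binding check, and a brute-force search that shows why R must be long. The function names and the 32-byte choice for R are assumptions made here.

```python
import hashlib
import secrets

K = 32  # length of R in bytes; with a short R, Bob can brute-force (A, R) from the hash


def H(bit: int, r: bytes) -> bytes:
    """H(A,R) from the slide, instantiated as SHA-256 over the byte A followed by R."""
    return hashlib.sha256(bytes([bit]) + r).digest()


def commit(bit: int, r_len: int = K) -> tuple:
    """Committer side: returns (commitment, R). r_len < K is only for the demo below."""
    if bit not in (0, 1):
        raise ValueError("bit must be 0 or 1")
    r = secrets.token_bytes(r_len)
    return H(bit, r), r


def verify_opening(c: bytes, bit: int, r: bytes) -> bool:
    """Verifier side: accept (bit, R) only if it hashes back to the commitment."""
    return bit in (0, 1) and H(bit, r) == c


def coin_flip(alice_bit: int, bob_bit: int) -> int:
    """Honest run: commit, send B, open, output A xor B."""
    c, r = commit(alice_bit)                 # 1. Alice -> Bob: H(A,R)
    b = bob_bit                               # 2. Bob -> Alice: B (cannot depend on A)
    if not verify_opening(c, alice_bit, r):   # 3. Alice -> Bob: (A,R); Bob checks it
        raise RuntimeError("opening rejected")
    return alice_bit ^ b                      # 4. common output


def coin_flip_without_commitment(alice_bit: int, target: int) -> int:
    """Insecure variant: A is sent in the clear first, so a malicious Bob
    answers B := target xor A and forces the outcome to `target`."""
    b = target ^ alice_bit
    return alice_bit ^ b


def flipping_committed_bit_is_rejected(alice_bit: int) -> bool:
    """Binding: once committed to A, Alice cannot open as 1 - A with the same R."""
    c, r = commit(alice_bit)
    return not verify_opening(c, 1 - alice_bit, r)


def brute_force_bit(c: bytes, r_len: int):
    """Hiding fails for tiny R: try every (A, R) until the hash matches.
    Feasible only when 2^(8*r_len) is small; returns None if nothing matches."""
    for bit in (0, 1):
        for n in range(256 ** r_len):
            if H(bit, n.to_bytes(r_len, "big")) == c:
                return bit
    return None


if __name__ == "__main__":
    print("honest output:", coin_flip(secrets.randbelow(2), secrets.randbelow(2)))
    print("attack without commitment forces 1:", coin_flip_without_commitment(0, 1))
    print("changing the committed bit rejected:", flipping_committed_bit_is_rejected(1))
    weak_c, _ = commit(1, r_len=1)
    print("bit recovered from a commitment with 1-byte R:", brute_force_bit(weak_c, 1))
```

Note that nothing here stops Alice from refusing step 3 once she has seen B; that is the fairness problem discussed next.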
![Page 24: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/24.jpg)
Problem 1
How to force Alice to open the commitment?
(Alice commits to A; Bob sends B; Alice opens A.) At the moment she is supposed to open, Alice already knows B and hence the outcome; if she is going to lose, she can simply refuse to open.
This is precisely the lack of fairness problem.
It's inherent to most of the interesting MPC protocols...
![Page 25: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/25.jpg)
Problem 2
(Alice commits to A; Bob sends B; Alice opens A.) Bob: "You lost." Alice: "So what?"
This is the problem of forcing the parties to respect the output.
Even more inherent (it is present also in the "ideal world" solution).
![Page 26: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/26.jpg)
Idea: force the parties to open their commitments using "deposits"
Alice commits to bit A by posting a commit transaction. The deposit:
• has value 1 BTC,
• can be redeemed by Alice,
• but claiming it requires revealing A,
• and if Alice didn't redeem commit, then Bob can do it after 1 day.
![Page 27: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/27.jpg)
How to implement it?
We use the Bitcoin scripting language.
Remember the hash-locked transactions from the last lecture?
H – hash function. Let Y := H(X). A Y-hash-locked transaction from A to B can be redeemed only by publishing X:
T2 = [input: T1 (1 BTC), A's signature; output: 1 BTC, can be spent using B's signature and X such that Y = H(X)]
![Page 28: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/28.jpg)
This is exactly what we need for our hash-based commitments: the lock is Y = H(A,R) and the value that has to be published is X = (A,R).
![Page 29: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/29.jpg)
How can Alice commit to A?
Alice posts on the blockchain:
Commit = [input: some earlier transaction of Alice (1 BTC), Alice's signature; output: 1 BTC, can be spent using Alice's signature and (A,R) such that Y = H(A,R), or using both signatures of Alice and Bob]
and sends to Bob a Refund transaction:
Refund = [input: Commit, Alice's signature (Bob adds his own, so the "both signatures" branch is used); output: 1 BTC, can be spent using Bob's signature; time-locked so that it can be posted only after 1 day]
![Page 30: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/30.jpg)
This solves the problem of the lack of fairness!
Alice commits to A with a Bitcoin-based commitment; Bob sends B; Alice opens A.
If Alice does not open her commitment within 1 day then Bob can get her 1 BTC by posting the Refund transaction with his signature.
Otherwise she gets her 1 BTC back, and since opening happens on the blockchain, Bob learns A.
![Page 31: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/31.jpg)
What about the problem of respecting the outcome?
This can also be solved. Main idea:
• Alice commits with a Bitcoin-based commitment to A,
• Bob commits with a Bitcoin-based commitment to B,
• a transaction takes the openings of the committed values and "decides" who won (each party wins with probability 1/2).
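The deposit-based commitment (Commit/Refund above) and the "deciding" transaction of the lottery, as an added example that is not code from the slides or the paper. It is a toy model, not Bitcoin: a "signature" is represented by the signer's name in the witness, time is a block height with an assumed 144 blocks per day, and outputs are created directly instead of by earlier transactions. Only the spending conditions and the time lock are modelled, which is enough to see why stalling costs the staller and why only the winner can take the pot.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, List, Tuple

DAY = 144                    # assumed number of blocks per day
Opening = Tuple[int, bytes]  # (bit, R)


def H(bit: int, r: bytes) -> bytes:
    return hashlib.sha256(bytes([bit]) + r).digest()


@dataclass(frozen=True)
class Witness:
    signers: frozenset                   # names standing in for signatures (model assumption)
    openings: Tuple[Opening, ...] = ()   # (A, R) pairs revealed to the chain


@dataclass
class Output:
    value: int
    script: Callable[[Witness], bool]    # spending condition, i.e. the output script
    spent: bool = False


@dataclass
class Tx:
    inputs: List[Tuple[Output, Witness]]
    outputs: List[Output]
    locktime: int = 0                    # earliest block height at which the tx is valid


class Ledger:
    """Minimal UTXO rules: lock time passed, no double spend, scripts accept, value conserved."""

    def __init__(self) -> None:
        self.height = 0

    def mine(self, blocks: int) -> None:
        self.height += blocks

    def post(self, tx: Tx) -> bool:
        if tx.locktime > self.height:
            return False
        if any(o.spent or not o.script(w) for o, w in tx.inputs):
            return False
        if sum(o.value for o, _ in tx.inputs) != sum(o.value for o in tx.outputs):
            return False
        for o, _ in tx.inputs:
            o.spent = True
        return True


def pay_to(name: str, value: int) -> Output:
    return Output(value, lambda w: name in w.signers)


def commit_output(party: str, other: str, y: bytes) -> Output:
    """Commit output: party's signature plus an opening of y, OR both signatures."""
    def script(w: Witness) -> bool:
        opened = any(H(b, r) == y for b, r in w.openings)
        return (party in w.signers and opened) or {party, other} <= w.signers
    return Output(1, script)


def lottery_output(y_alice: bytes, y_bob: bytes) -> Output:
    """Deciding output: a 2 BTC pot claimable only by the winner, given both openings."""
    def script(w: Witness) -> bool:
        found = {H(b, r): b for b, r in w.openings}
        if y_alice not in found or y_bob not in found:
            return False
        winner = "Alice" if found[y_alice] ^ found[y_bob] == 0 else "Bob"
        return winner in w.signers
    return Output(2, script)


def play(a: int, b: int, alice_opens: bool = True) -> dict:
    """Run one lottery; report who ends up with Alice's deposit and with the pot."""
    ledger = Ledger()
    ra, rb = secrets.token_bytes(32), secrets.token_bytes(32)
    ya, yb = H(a, ra), H(b, rb)
    commit_a, commit_b = commit_output("Alice", "Bob", ya), commit_output("Bob", "Alice", yb)
    # Refund held by Bob: spends Commit via the both-signatures branch, valid after one day.
    refund_a = Tx([(commit_a, Witness(frozenset({"Alice", "Bob"})))], [pay_to("Bob", 1)], DAY)
    pot = lottery_output(ya, yb)          # both bets, already locked in the deciding output
    result = {"alice_deposit": None, "pot": None}
    if not alice_opens:                   # Alice stalls after seeing that she would lose
        ledger.mine(DAY - 1)
        assert not ledger.post(refund_a)  # too early: lock time not reached
        ledger.mine(1)
        assert ledger.post(refund_a)      # Bob collects Alice's 1 BTC deposit
        result["alice_deposit"] = "Bob"
        return result
    wrong = Tx([(commit_a, Witness(frozenset({"Alice"}), ((1 - a, ra),)))], [pay_to("Alice", 1)])
    assert not ledger.post(wrong)         # binding: Alice cannot open as the other bit
    open_a = Tx([(commit_a, Witness(frozenset({"Alice"}), ((a, ra),)))], [pay_to("Alice", 1)])
    open_b = Tx([(commit_b, Witness(frozenset({"Bob"}), ((b, rb),)))], [pay_to("Bob", 1)])
    assert ledger.post(open_a) and ledger.post(open_b)
    result["alice_deposit"] = "Alice"
    winner, loser = ("Alice", "Bob") if a ^ b == 0 else ("Bob", "Alice")
    revealed = ((a, ra), (b, rb))        # both openings are now public on the chain
    assert not ledger.post(Tx([(pot, Witness(frozenset({loser}), revealed))], [pay_to(loser, 2)]))
    assert ledger.post(Tx([(pot, Witness(frozenset({winner}), revealed))], [pay_to(winner, 2)]))
    result["pot"] = winner
    return result
```

Two things the model makes visible: Bob should not proceed until he holds Alice's signed Refund, since without it her Commit output can only be unlocked by her; and in the stalling branch Bob's own bet stays locked in the pot here, which is why the real protocol sizes the deposits so that refusing to open never pays.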
![Page 32: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/32.jpg)
The results of [Andrychowicz et al]
Any two-party non-reactive functionality can be “simulated” in this way.
The simulation can enforce the financial consequences.
Generalized to multiparty reactive functionalities in [Kumaresan, Moran, Bentov].
![Page 33: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/33.jpg)
An example: selling secret information ("set-sum with rewards for each record")
input: A = Alice's set of records, B = Bob's set of records
output (to both Alice and Bob): A ∪ B,
plus a money transfer between Alice and Bob depending on the number of new records that each party learned.
![Page 34: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/34.jpg)
Plan
1. Secure multiparty computations + Bitcoin contracts
2. Criminal use of smart contracts
("How to order a murder using cryptocurrencies?")
3. Formal modelling of contracts
![Page 35: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/35.jpg)
This part
We show that cryptographic currencies (like Bitcoin) have features that make such "crime contracts" possible.
Partly based on: Ari Juels, Ahmed E. Kosba, Elaine Shi. The Ring of Gyges: Using Smart Contracts for Crime.
![Page 36: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/36.jpg)
How to order a murder?
Alice: I want Carol murdered.
Bob: I can do it for 1,000,000 USD.
Alice: So do it, and then I will pay you.
Bob: No, pay first.
Alice: No, kill first.
. . .
![Page 37: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/37.jpg)
Possible solution
Use a trusted third party (for example: a judge) in case of disagreement.
![Page 38: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/38.jpg)
Problem
They cannot go to a judge with such a contract!
![Page 39: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/39.jpg)
Idea: maybe we could use some modern technology?
What if we make a payment in Bitcoin?
But Bitcoin is just another currency... How can it make any difference?
Answer: use smart contracts!
![Page 40: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/40.jpg)
So: how can Alice order a murder of Carol by Bob using smart contracts?
![Page 41: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/41.jpg)
"Murder contract"
Alice pays 1,000 BTC to Bob if Bob provides a proof that Carol is murdered during the next hour.
Question: what if Bob is just lucky and Carol was murdered by someone else?
![Page 42: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/42.jpg)
Solution: add some details
Alice pays 1,000 BTC to Bob if Bob provides a proof that Carol is murdered during the next hour using a .44 Remington Magnum gun.
![Page 43: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/43.jpg)
What can such a "proof" look like?
Examples:
• a signed article from some press agency,
• an "authenticated data feed",
• several sources combined.
![Page 44: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/44.jpg)
Example
Alice pays 1,000 BTC to Bob if Bob provides an article, signed by Associated Press, containing the texts "Carol was murdered" and ".44 Remington Magnum gun".
![Page 45: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/45.jpg)
Two technical problems
1. such conditions cannot be expressed in Bitcoin's scripting language,
2. a separate "contract" is needed for every potential hitman.
Solution: a currency designed for doing contracts.
![Page 46: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/46.jpg)
Features
• has a concept of a "contract" that can be posted on the public register and gives money to anyone who provides a "solution",
• allows arbitrarily complicated contracts to be created.
![Page 47: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/47.jpg)
Some "crime contracts" do not require "authenticated data feeds", because the contract itself can check the solution.
Example: stealing secrets, in particular cryptographic keys (remember the "p and q such that p·q = 1591" contract?).
Another example: selling zero-day exploits.
![Page 48: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/48.jpg)
How to prevent it?
Banning Ethereum? Probably a bad idea.
Banning Authenticated Data Feeds? Maybe…
![Page 49: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/49.jpg)
Plan
1. Secure multiparty computations + Bitcoin contracts
2. Criminal use of smart contracts
("How to order a murder using cryptocurrencies?")
3. Formal modelling of contracts
![Page 50: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/50.jpg)
Complicated contracts become tricky to analyze.
A formal model for contracts is needed.
A recent proposal:
A. Kosba, A. Miller, E. Shi, Z. Wen, and C. Papamanthou. Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts. 2015.
![Page 51: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/51.jpg)
Can we do it automatically?
[Andrychowicz, Dziembowski, Malinowski, Mazurek, Modeling Bitcoin Contracts by Timed Automata, 2014]: Yes! (to a certain extent)
The general idea: model a contract as a timed automaton, then use the UPPAAL tool to verify its properties (the tool answers yes/no).
![Page 52: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/52.jpg)
Example: an automaton modelling one party in the timed commitment scheme:
![Page 53: Smart contracts and applications part II](https://reader034.vdocument.in/reader034/viewer/2022042723/587ebc921a28abbb688b6f69/html5/thumbnails/53.jpg)
©2016 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.