Smart Contracts and Applications(part II)

Stefan DziembowskiUniversity of Warsaw

Workshop on Bitcoin, Introduction to Cryptocurrencies,Kfar Maccabiah, Ramat Gan, Israel, June 6-7, 2016

Plan

1. Secure multiparty computations + Bitcoin contracts

2. Criminal use of smart contract

(“How to order a murder using cryptocurrencies?”)

3. Formal modelling of contracts

This part

Based on• Andrychowicz, D., Malinowski, Mazurek: Secure Multiparty

Computations on Bitcoin. IEEE Symposium on Security and Privacy 2014• Andrychowicz, D., Malinowski, Mazurek : Secure

Multiparty Computations on Bitcoin. BITCOIN Workshop 2014• Andrychowicz, D., Malinowski, Mazurek : Secure

multiparty computations on Bitcoin. Commun. ACM 59(4) 2016

Independent work by: Adam Back, Iddo Bentov, Ranjit Kumaresan, Tal Moran.

Multiparty Computation (MPC) protocols

Protocols where the users of the protocol don’t trust each other, but nevertheless

they want to achieve a common goal

bfa1406343bb49

ga63w234349aa

bfa144534555d9

Alice Bob

I don’t trust Bob I don’t trust Alice

common goal achieved!

Example 1: coin tossing

bfa1406343bb49

ga63w234349aa

bfa144534555d9

output: Y Y

where Y =

with probability 1/2

with probability 1/2

Example 2: marriage proposal

bfa1406343bb49

ga63w234349aa

bfa144534555d9

output: Y Y

input: A =1 if Alice loves Bob0 otherwise

B =1 if Bob loves Alice0 otherwise

where: Y = A B

Example 3: set operations

bfa1406343bb49

ga63w234349aa

bfa144534555d9

output: Y Y

input: A = a set of Alice’s friends B = a set of Bob’s friends

where: Y = A B (or Y = A B )

Possible applications

• cloud computing

• online auctions

• e-voting

But is it possible to construct such protocols?

With a “trusted third party” – it’s easy

A B

Y Y

bfa1406343bb49

ga63w234349aa

bfa144534555d9

But can we do it without a trusted third party?

In other words: can we “simulate” the ideal world in the real world?

ideal world:

real world:

Every can be “simulated” in a secure way.

So, can we construct such protocols?

Manuel Blum

Andrew Yao

Oded Goldreich

Silvio Micali

Avi Widgerson

Answer: Yes! (under some assumptions and with certain limitations)

The limitations

• lack of fairness when there is no honest majority(we will explain it in a moment),

• no way to force the parties to provide true input,

• and to respect the outcome.

partial remedies

exist

beyond the

scope of crypto

Our idea

Deal with these problems using

Bitcoin

Example: Two party lotteries

• a random party earns 1 BTC

• the other one looses 1 BTC

bfa1406343bb49

ga63w234349aa

bfa144534555d9

Looks similar to the “coin-tossing problem”.

bfa1406343bb49

ga63w234349aa

bfa144534555d9

output: Y Y

where Y =

with probability 1/2

with probability 1/2

How to solve the coin-tossing problem?

Idea

Remember the old game:

rock-paper-scissors?

drawAlicewins

Bobwins

Bobwins

drawAlicewins

Alicewins

Bobwins

draw

Alice

Bob

Let’s simplify this game

In other words: Alice wins iff A xor B = 0.

A=0 A=1

B=0Alicewins

Bobwins

B=1Bobwins

Alicewins

Alice

Bob

Another way to look at it

Alicehas an input B

Bobhas an input A

they should jointly compute x = A xor B

(in a secure way)

What to do?

Problem:A and B should be sent at the same time (e.g. if A is sent before B then a malicious Bob can

set B := x xor A, where x is chosen by him).

x = A xor B x = A xor B

random bit A

random bit B

How to guarantee this?

Seems hard:

the internet is not synchronous...

A solution:

bit commitments

Commitment schemes – an intuition

Alice sends a locked box to Bob

a bit A

A

Alice can later send the key to Bob

A

[binding] from now Alice cannot change A,[hiding] but Bob doesn’t know A

Alice “commits herself to A”

Alice “opens the commitment”

Hash-based commitments

hash-based (in the random oracle model):H – hash function (eg. SHA256)• to commit to A{0,1} take random R {0,1}k and send

H(A,R)• to open A send (A,R).

A R

H

H(A,R)

H(A,R)

(A,R)

How does it solve the coin-flipping problem?

chooses a random bit A

commits to A

sends B chooses a random bit B

opens A

outputA xor B

outputA xor B

A

Problem 1

How to force Alice to open the commitment?

commits to A

sends B

opens A

This is precisely the lack of fairness problem.

It’s inherent to most of the interesting MPC protocols...

Problem 2

commits to A

sends B

opens A

You lost So what?

This is the problem of forcing the parties to respect the output.

Even more inherent (it is present also in the “ideal world” solution)

Idea: force the parties to open their commitments using the “deposits”

commits to bit A

transaction commit

• has value 1 BTC• can be redeemed by Alice• claiming the transaction requires revealing A

if Alice didn’t redeem commit, then Bob can do it after 1 day

deposit:

How to implement it?

We use the Bitcoin scripting language.

Remember the hash-locked transactions from the last lecture?

H – hash functionLet Y := H(X)A Y-hash-locked transaction from A to B can be redeemed only by publishing X:

T2 = can be spent using B’s

signature and X such that Y = H(X)

A’s signature

T11

BTC

This is exactly what we need for our hash-based commitments

A R

H

H(A,R)

X = (A,R)

How can Alice commit to A?

can be spent using Alice’s signature and (A,X) such

that Y = H(A,X)or

both signatures of Alice and Bob

Alice’s signature

T1

BTC

post on the blockchain:

send to Bob a Refund transaction:

Commit =

some earlier transaction of Alice

can be spent using Bob’s signature after 1 day

Alice’s signatureCommit

1 BTCRefund =

This solves the problem of the lack of fairness!

commits with a Bitcoin-based commitment to A

sends B

opens A

If Alice does not open her commitment within 1 day then Bob can get her 1 BTC by posting the Refund transaction with his signature

Otherwise she gets her 1 BTC back.

What about the problem of respecting the outcome?

This can also be solved. Main idea:

commits with a Bitcoin-based commitment to A

commits with a Bitcoin-based commitment to B

a transaction that takes the opening of the committed values

and “decides” who won

prob. 1/2

The results of [Andrychowicz et al]

Any two-party non-reactive functionality can be “simulated” in this way.

The simulation can enforce the financial consequences.

Generalized to multiparty reactive functionalities in [Kumaresan, Moran, Bentov].

An example: selling secret information

“set-sum with rewards for each record”

bfa1406343bb49

ga63w234349aa

bfa144534555d9

output: A B A B

plus a money transfer between Alice and Bob depending on the number of new records that the parties learned

Plan

1. Secure multiparty computations + Bitcoin contracts

2. Criminal use of smart contract

(“How to order a murder using cryptocurrencies?”)

3. Formal modelling of contracts

This part

We show that cryptographic currencies (like Bitcoin) have features that allow to make such

“crime contracts”

Partly based on: Ari Juels, Ahmed E. Kosba, Elaine ShiThe Ring of Gyges: Using Smart Contracts for Crime 

How to order a murder?

I want murdered.

I can do it for 1,000,000 USD.

So do it, and then I will pay you.

No, pay first.

No, kill first.

. . .

Alice

Bob

Carol

Possible solution

use a trusted third party.(for example: a judge)

in case of disagreement

judge

Problem

They cannot go to a judge with such a contract!

judge

IdeaMaybe we could use

some modern technology?

What if we make a payment in

Bitcoin?

But Bitcoin is just another currency… How can it make any difference?Answer: use smart contracts!

So: how can Alice order a murder of Carol by Bob using smart

contracts?

“Murder contract”

1,000 BTCif Bob provides

a proof that Carol is murdered during the

next hourAlice

Bob

Question: what if Bob is just lucky and Carol was murdered by someone else?

Solution: add some details

1,000 BTCif Bob provides

a proof that Carol is murdered during the next hour using a .44 Remington Magnum

gun

AliceBob

How a such a “proof” can look like?

Examples:

• signed article from some press agency,

• “authenticated data feed”,

• several sources combined

Example

1,000 BTC

if Bob provides an article containing texts:• “Carol was murdered”• “.44 Remington Magnum

gun”

signed by Associated Press

AliceBob

Two technical problems

1. such conditions are impossible to express using Bitcoin syntax

2. a separate “contract” is needed for every potential hitman

Solution:

a currency designed for doing contracts.

Features

• has a concept of a “contract’’ that can be posted on the public register, and give money to anyone who provides some “solution”

• allows to create arbitrarily complicated contracts.

Some “crime contracts” do not require “authenticated data feeds”

Example: stealing secrets

In particular: cryptographic keys.(remember the

“𝑝 and 𝑞 such that 𝑝⋅𝑞=1591“ contract?)

Another example: selling zero day exploits.

How to prevent it?

Banning Ethereum? Probably a bad idea.

Banning Authenticated Data Feeds? Maybe…

Plan

1. Secure multiparty computations + Bitcoin contracts

2. Criminal use of smart contract

(“How to order a murder using cryptocurrencies?”)

3. Formal modelling of contracts

Complicated contracts become tricky to analyze.

A formal model for contracts is needed.

A recent proposal:

A. Kosba, A. Miller, E. Shi, Z. Wen, and C. Papamanthou. Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts. 2015.

Can we do it automatically?

[Andrychowicz, D., Malinowski, Mazurek, Modeling Bitcoin Contracts by Timed Automata, 2014]:

Yes! (to a certain extent)

The general idea:

model a contract as a timed automaton

use the UPPAAL tool to verify its properties

yes/no

Example: an automaton modelling one party in the timed commitment scheme:

©2016 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.