No file available
To read the file of this research,
you can request a copy directly from the authors.
POSE: Practical Off-chain Smart Contract Execution
Preprints and early-stage research may not have been peer reviewed yet.
Abstract
Smart contracts enable users to execute payments depending on complex program logic. Ethereum is the most notable example of a blockchain that supports smart contracts leveraged for countless applications including games, auctions and financial products. Unfortunately, the traditional method of running contract code on-chain is very expensive, for instance, on the Ethereum platform, fees have dramatically increased, rendering the system unsuitable for complex applications. A prominent solution to address this problem is to execute code off-chain and only use the blockchain as a trust anchor. While there has been significant progress in developing off-chain systems over the last years, current off-chain solutions suffer from various drawbacks including costly blockchain interactions, lack of data privacy, huge capital costs from locked collateral, or supporting only a restricted set of applications. In this paper, we present POSE -- a practical off-chain protocol for smart contracts that addresses the aforementioned shortcomings of existing solutions. POSE leverages a pool of Trusted Execution Environments (TEEs) to execute the computation efficiently and to swiftly recover from accidental or malicious failures. We show that POSE provides strong security guarantees even if a large subset of parties is corrupted. We evaluate our proof-of-concept implementation with respect to its efficiency and effectiveness.
ResearchGate has not been able to resolve any citations for this publication.
Ethereum is a blockchain platform that supports smart contracts. Smart contracts are pieces of code that perform general-purpose computations. For instance, smart contracts have been used to implement crowdfunding initiatives that raised a total of US$6.2 billion from January to June of 2018. In this paper, we conduct an exploratory study of smart contracts. Differently from prior studies that focused on particular aspects of a subset of smart contracts, our goal is to have a broader understanding of all contracts that are currently deployed in Ethereum. In particular, we elucidate how frequently used the contracts are (activity level), what they do (category), and how complex they are (source code complexity). To conduct this study, we mined and cross-linked data from four sources: Ethereum dataset on the Google BigData platform, Etherscan, State of the DApps, and CoinMarketCap. Our study period runs from July 2015 (inception of Ethereum) until September 2018. With regards to activity level, we notice that it is concentrated on a very small subset of the contracts. More specifically, only 0.05% of the smart contracts are the target of 80% of the transactions that are sent to contracts. New solutions to cope with Ethereum's limited scalability should take such an activity imbalance into consideration. With regards to categories, we highlight that the new and widely advertised rich programming model of smart contracts is currently being used to develop very simple applications that tend to be token-centric (e.g., ICOs, Crowdsales, etc). Finally, with regards to code complexity, we observe that the source code of high-activity verified contracts is small, with at most 211 instructions in 80% of the cases. These contracts also commonly include at least two subcontracts and libraries in their source code. The comment ratio of these contracts is also significantly higher than that of GitHub top-starred projects written in Java, C++, and C#. Hence, the source code of high-activity verified smart contracts exhibit particular complexity characteristics compared to other popular programming languages. Further studies are necessary to uncover the actual reasons behind such differences. Finally, based on our findings, we propose an open research agenda to drive and foster future studies in the area.
We propose Tesseract, a secure real-time cryptocurrency exchange service. Existing centralized exchange designs are vulnerable to theft of funds, while decentralized exchanges cannot offer real-time cross-chain trades. All currently deployed exchanges are also vulnerable to frontrunning attacks. Tesseract overcomes these flaws and achieves a best-of-both-worlds design by using a trusted execution environment. The task of committing the recent trade data to independent cryptocurrency systems presents an all-or-nothing fairness problem, to which we present ideal theoretical solutions, as well as practical solutions. Tesseract supports not only real-time cross-chain cryptocurrency trades, but also secure tokenization of assets pegged to cryptocurrencies. For instance, Tesseract-tokenized bitcoins can circulate on the Ethereum blockchain for use in smart contracts. We provide a demo implementation of Tesseract that supports Bitcoin, Ethereum, and similar cryptocurrencies.
Smart contracts are programs that execute autonomously on blockchains. Their key envisioned uses (e.g. financial instruments) require them to consume data from outside the blockchain (e.g. stock quotes). Trustworthy data feeds that support a broad range of data requests will thus be critical to smart contract ecosystems.
We present an authenticated data feed system called Town Crier (TC). TC acts as a bridge between smart contracts and existing web sites, which are already commonly trusted for non-blockchain applications. It combines a blockchain front end with a trusted hardware back end to scrape HTTPS-enabled websites and serve source-authenticated data to relying smart contracts.
TC also supports confidentiality. It enables private data requests with encrypted parameters. Additionally, in a generalization that executes smart-contract logic within TC, the system permits secure use of user credentials to scrape access-controlled online data sources.
We describe TC's design principles and architecture and report on an implementation that uses Intel's recently introduced Software Guard Extensions (SGX) to furnish data to the Ethereum smart contract system. We formally model TC and define and prove its basic security properties in the Universal Composibility (UC) framework. Our results include definitions and techniques of general interest relating to resource consumption (Ethereum's "gas" fee system) and TCB minimization. We also report on experiments with three example applications.
We plan to launch TC soon as an online public service.
One of the fundamental challenges that hinder further adaption of decentralized cryptocurrencies is scalability. Because current cryptocurrencies require that all transactions are processed and stored on a distributed ledger -- the so-called blockchain -- transaction throughput is inherently limited. An important proposal to significantly improve scalability are off-chain protocols, where the massive amount of transactions is executed without requiring the costly interaction with the blockchain. Examples of off-chain protocols include payment channels and networks, which are currently deployed by popular cryptocurrencies such as Bitcoin and Ethereum. A further extension of payment networks envisioned for cryptocurrencies are so-called state channel networks. In contrast to payment networks that only support off-chain payments between users, state channel networks allow execution of arbitrary complex smart contracts. The main contribution of this work is to give the first full specification for general state channel networks. Moreover, we provide formal security definitions and prove the security of our construction against powerful adversaries. An additional benefit of our construction is the use of channel virtualization, which further reduces latency and costs in complex channel networks.
Realistic secure processors, including those built for academic and commercial purposes, commonly realize an “attested execution” abstraction. Despite being the de facto standard for modern secure processors, the “attested execution” abstraction has not received adequate formal treatment. We provide formal abstractions for “attested execution” secure processors and rigorously explore its expressive power. Our explorations show both the expected and the surprising. On one hand, we show that just like the common belief, attested execution is extremely powerful, and allows one to realize powerful cryptographic abstractions such as stateful obfuscation whose existence is otherwise impossible even when assuming virtual blackbox obfuscation and stateless hardware tokens. On the other hand, we show that surprisingly, realizing composable two-party computation with attested execution processors is not as straightforward as one might anticipate. Specifically, only when both parties are equipped with a secure processor can we realize composable two-party computation. If one of the parties does not have a secure processor, we show that composable two-party computation is impossible. In practice, however, it would be desirable to allow multiple legacy clients (without secure processors) to leverage a server’s secure processor to perform a multi-party computation task. We show how to introduce minimal additional setup assumptions to enable this. Finally, we show that fair multi-party computation for general functionalities is impossible if secure processors do not have trusted clocks. When secure processors have trusted clocks, we can realize fair two-party computation if both parties are equipped with a secure processor; but if only one party has a secure processor (with a trusted clock), then fairness is still impossible for general functionalities.
It is well known that Bitcoin, Ethereum, and other blockchain-based cryptocurrencies are facing hurdles in scaling to meet user demand. One of the most promising approaches is to form a network of "off-chain payment channels," which are backed by on-chain currency but support rapid, optimistic transactions and use the blockchain only in case of disputes. We develop a novel construction for payment channels that reduces the worst-case "collateral cost" for off- chain payments. In existing proposals, particularly the Lightning Network, a payment across a path of channels requires locking up collateral for time, where is the time to commit a on-chain transaction. Our construction reduces this cost to . We formalize our construction in the simulation-based security model, and provide an implementation as an Ethereum smart contract. Our construction relies on a general purpose primitive called a "state channel," which is of independent interest.
Motivated by the impossibility of achieving fairness in secure computation [Cleve, STOC 1986], recent works study a model of fairness in which an adversarial party that aborts on receiving output is forced to pay a mutually predefined monetary penalty to every other party that did not receive the output. These works show how to design protocols for secure computation with penalties that guarantees that either fairness is guaranteed or that each honest party obtains a monetary penalty from the adversary. Protocols for this task are typically designed in an hybrid model where parties have access to a "claim-or-refund" transaction functionality denote FCR*.
In this work, we obtain improvements on the efficiency of these constructions by amortizing the cost over multiple executions of secure computation with penalties. More precisely, for computational security parameter λ, we design a protocol that implements l = poly}(λ) instances of secure computation with penalties where the total number of calls to FCR* is independent of l.
Motivated by the impossibility of achieving fairness in secure computation [Cleve, STOC 1986], recent works study a model of fairness in which an adversarial party that aborts on receiving output is forced to pay a mutually predefined monetary penalty to every other party that did not receive the output. These works show how to design protocols for secure computation with penalties that tolerate an arbitrary number of corruptions.
In this work, we improve the efficiency of protocols for secure computation with penalties in a hybrid model where parties have access to the "claim-or-refund" transaction functionality. Our first improvement is for the ladder protocol of Bentov and Kumaresan (Crypto 2014) where we improve the dependence of the script complexity of the protocol (which corresponds to miner verification load and also space on the blockchain) on the number of parties from quadratic to linear (and in particular, is completely independent of the underlying function). Our second improvement is for the see-saw protocol of Kumaresan et al. (CCS 2015) where we reduce the total number of claim-or-refund transactions and also the script complexity from quadratic to linear in the number of parties.
We also present a 'dual-mode' protocol that offers different guarantees depending on the number of corrupt parties: (1) when s
Back and Bentov (arXiv 2014) and Andrychowicz et al. (Security and Privacy 2014) introduced techniques to perform secure multiparty computations on Bitcoin. Among other things, these works constructed lottery protocols that ensure that any party that aborts after learning the outcome pays a monetary penalty to all other parties. Following this, Andrychowicz et al. (Bitcoin Workshop 2014) and concurrently Bentov and Kumaresan (Crypto 2014) extended the solution to arbitrary secure function evaluation while guaranteeing fairness in the following sense: any party that aborts after learning the output pays a monetary penalty to all parties that did not learn the output. Andrychowicz et al. (Bitcoin Workshop 2014) also suggested extending to scenarios where parties receive a payoff according to the output of a secure function evaluation, and outlined a 2-party protocol for the same that in addition satisfies the notion of fairness described above. In this work, we formalize, generalize, and construct multiparty protocols for the primitive suggested by Andrychowicz et al. We call this primitive secure cash distribution with penalties. Our formulation of secure cash distribution with penalties poses it as a multistage reactive functionality (i.e., more general than secure function evaluation) that provides a way to securely implement smart contracts in a decentralized setting, and consequently suffices to capture a wide variety of stateful computations involving data and/or money, such as decentralized auctions, market, and games such as poker, etc. Our protocol realizing secure cash distribution with penalties works in a hybrid model where parties have access to a claim-or-refund transaction functionality FCR}* which can be efficiently realized in (a variant of) Bitcoin, and is otherwise independent of the Bitcoin ecosystem. We emphasize that our protocol is dropout-tolerant in the sense that any party that drops out during the protocol is forced to pay a monetary penalty to all other parties. Our formalization and construction generalize both secure computation with penalties of Bentov and Kumaresan (Crypto 2014), and secure lottery with penalties of Andrychowicz et al. (Security and Privacy 2014).
A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
CFI: Principles, implementations, and applications
- Martın Abadi
- Mihai Budiu
- Ulfar Erlingsson
- Jay Ligatti
Martın Abadi, Mihai Budiu, Ulfar Erlingsson, and Jay Ligatti. CFI:
Principles, implementations, and applications. In Proc. ACM Conference and Computer and Communications Security (CCS), 2005.
Embedded Ethereum wallet library GitHub
- Anyledger
AnyLedger. Embedded Ethereum wallet library GitHub. https://github.
com/Anylsite/embedded-ethereum-wallet, 2020.
CURE: A security architecture with CUstomizable and Resilient Enclaves
- Raad Bahmani
- Ferdinand Brasser
- Ghada Dessouky
- Patrick Jauernig
- Matthias Klimmek
- Ahmad-Reza Sadeghi
- Emmanuel Stapf
Raad Bahmani, Ferdinand Brasser, Ghada Dessouky, Patrick Jauernig,
Matthias Klimmek, Ahmad-Reza Sadeghi, and Emmanuel Stapf.
CURE: A security architecture with CUstomizable and Resilient Enclaves. In 30th USENIX Security Symposium (USENIX Security 21),
2021.
Private data objects: an overview. CoRR
- Mic Bowman
- Andrea Miele
- Michael Steiner
- Bruno Vavala
Mic Bowman, Andrea Miele, Michael Steiner, and Bruno Vavala.
Private data objects: an overview. CoRR, abs/1807.05686, 2018.
Counterfactual: Generalized state channels
- Jeff Coleman
- Liam Horne
- Li Xuanji
Jeff Coleman, Liam Horne, and Li Xuanji. Counterfactual: Generalized
state channels, Jun 2018. https://l4.ventures/papers/statechannels.pdf.
Ampere Altra Max 64-Bit Multi-Core Processor Features
- Ampere Computing
Ampere Computing. Ampere Altra Max 64-Bit Multi-Core Processor
Features. https://amperecomputing.com/processors/ampere-altra/, 2022.
Sanctum: Minimal hardware extensions for strong software isolation
- Ilia Victor Costan
- Srinivas Lebedev
- Devadas
Victor Costan, Ilia Lebedev, and Srinivas Devadas. Sanctum: Minimal
hardware extensions for strong software isolation. In 25th USENIX
Security Symposium (USENIX Security 16), 2016.
Fastkitten: practical smart contracts on bitcoin
- Poulami Das
- Lisa Eckey
- Tommaso Frassetto
- David Gens
- Kristina Hostáková
- Patrick Jauernig
- Sebastian Faust
- Ahmad-Reza Sadeghi
Poulami Das, Lisa Eckey, Tommaso Frassetto, David Gens, Kristina
Hostáková, Patrick Jauernig, Sebastian Faust, and Ahmad-Reza
Sadeghi. Fastkitten: practical smart contracts on bitcoin. In 28th
USENIX Security Symposium (USENIX Security 19), 2019.
Ethereum Average Gas Price Chart
- Etherscan
Etherscan. Ethereum Average Gas Price Chart. https://etherscan.io/
chart/gasprice, 2020.
DFINITY technology overview series, consensus system. CoRR
- Timo Hanke
- Mahnush Movahedi
- Dominic Williams
Timo Hanke, Mahnush Movahedi, and Dominic Williams. DFINITY
technology overview series, consensus system. CoRR, abs/1805.04548,
2018.
Intel software guard extensions: Epid provisioning and attestation services
- Simon Johnson
- Vinnie Scarlata
- Carlos Rozas
- Ernie Brickell
- Frank Mckeen
Simon Johnson, Vinnie Scarlata, Carlos Rozas, Ernie Brickell, and
Frank Mckeen. Intel software guard extensions: Epid provisioning and
attestation services. White Paper, 1(1-10):119, 2016.
Arbitrum: Scalable, private smart contracts
- A Harry
- Steven Kalodner
- Xiaoqi Goldfeder
- S Matthew Chen
- Edward W Weinberg
- Felten
Harry A. Kalodner, Steven Goldfeder, Xiaoqi Chen, S. Matthew
Weinberg, and Edward W. Felten. Arbitrum: Scalable, private smart
contracts. In 27th USENIX Security Symposium (USENIX Security
2018). USENIX Association, 2018.
Commit-chains: Secure, scalable off-chain payments. Cryptology ePrint Archive
- Rami Khalil
- Alexei Zamyatin
- Guillaume Felley
- Pedro Moreno-Sanchez
- Arthur Gervais
Rami Khalil, Alexei Zamyatin, Guillaume Felley, Pedro Moreno-Sanchez, and Arthur Gervais. Commit-chains: Secure, scalable off-chain
payments. Cryptology ePrint Archive, Report 2018/642, 2018.
Hawk: The blockchain model of cryptography and privacy-preserving smart contracts
- Ahmed Kosba
- Andrew Miller
- Elaine Shi
- Zikai Wen
- Charalampos Papamanthou
Ahmed Kosba, Andrew Miller, Elaine Shi, Zikai Wen, and Charalampos
Papamanthou. Hawk: The blockchain model of cryptography and
privacy-preserving smart contracts. In Security and Privacy (SP), 2016
IEEE Symposium on. IEEE, 2016.
ARMageddon: Cache attacks on mobile devices
- Moritz Lipp
- Daniel Gruss
- Raphael Spreitzer
- Clémentine Maurice
- Stefan Mangard
Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, and
Stefan Mangard. ARMageddon: Cache attacks on mobile devices. In
25th USENIX Security Symposium (USENIX Security 16), 2016.
ROTE: Rollback protection for trusted execution
- Sinisa Matetic
- Mansoor Ahmed
- Kari Kostiainen
- Aritra Dhar
- David Sommer
- Arthur Gervais
- Ari Juels
- Srdjan Capkun
Sinisa Matetic, Mansoor Ahmed, Kari Kostiainen, Aritra Dhar, David
Sommer, Arthur Gervais, Ari Juels, and Srdjan Capkun. ROTE:
Rollback protection for trusted execution. In 26th USENIX Security
Symposium (USENIX Security 17), 2017.
Arbitrum rollup: Off-chain contracts with on-chain security
- Offchain Labs
- Inc
Offchain Labs, Inc. Arbitrum rollup: Off-chain contracts with on-chain
security. 2020.
What's the big idea behind Ethereum's world com
- Travis Patron
Travis Patron. What's the big idea behind Ethereum's world computer.
https://www.coindesk.com/whats-big-idea-behind-ethereumsworld-computer/, 2016.
Plasma: Scalable autonomous smart contracts
- Joseph Poon
- Vitalik Buterin
Joseph Poon and Vitalik Buterin. Plasma: Scalable autonomous smart
contracts. 2017.
The programming language Lua
- Puc-Rio
PUC-Rio. The programming language Lua. https://www.lua.org/, 2020.
Scalable, resilient, and configurable permissioned blockchain fabric
- Sajjad Rahnama
- Suyash Gupta
- M Thamir
- Jelle Qadah
- Mohammad Hellings
- Sadoghi
Sajjad Rahnama, Suyash Gupta, Thamir M Qadah, Jelle Hellings, and
Mohammad Sadoghi. Scalable, resilient, and configurable permissioned
blockchain fabric. Proceedings of the VLDB Endowment, 13(12), 2020.
How to check your ethereum transaction
- Andrey Sergeenkov
Andrey Sergeenkov.
How to check your ethereum transaction.
https://www.coindesk.com/learn/how-to-check-your-ethereumtransaction/. Accessed 24-08-2022.
Strengthening vm isolation with integrity protection and more
- Amd Sev-Snp
AMD SEV-SNP. Strengthening vm isolation with integrity protection
and more. White Paper, January, 2020.
A scalable verification solution for blockchains. CoRR, abs
- Jason Teutsch
- Christian Reitwießner
Jason Teutsch and Christian Reitwießner. A scalable verification
solution for blockchains. CoRR, abs/1908.04756, 2019.
Ethereum: A secure decentralised generalised transaction ledger. Ethereum project yellow paper
- Gavin Wood
Gavin Wood et al. Ethereum: A secure decentralised generalised
transaction ledger. Ethereum project yellow paper, 2014.
Bitcontracts: Adding expressive smart contracts to legacy cryptocurrencies
- Karl Wüst
- Loris Diana
- Kari Kostiainen
- Ghassan Karame
- Sinisa Matetic
- Srdjan Capkun
Karl Wüst, Loris Diana, Kari Kostiainen, Ghassan Karame, Sinisa
Matetic, and Srdjan Capkun. Bitcontracts: Adding expressive smart
contracts to legacy cryptocurrencies. 2019.
Slimchain: scaling blockchain transactions through off-chain storage and parallel processing
- Cheng Xu
- Ce Zhang
- Jianliang Xu
- Jian Pei
Cheng Xu, Ce Zhang, Jianliang Xu, and Jian Pei. Slimchain: scaling
blockchain transactions through off-chain storage and parallel processing. Proceedings of the VLDB Endowment, 14(11):2314-2326, 2021.
- Yann Lecun
- Corinna Cortes
- J C Christopher
- Burges
Yann LeCun and Corinna Cortes and Christopher J.C. Burges. THE
MNIST DATABASE. http://yann.lecun.com/exdb/mnist/, 2020.
Paralysis proofs: Safe access-structure updates for cryptocurrencies and more
- Fan Zhang
- Philip Daian
- Iddo Bentov
- Ari Juels
Fan Zhang, Philip Daian, Iddo Bentov, and Ari Juels. Paralysis proofs:
Safe access-structure updates for cryptocurrencies and more. IACR
Cryptol. ePrint Arch., 2018:96, 2018.