FASTKITTEN: Practical Smart Contracts on Bitcoin
Total Page:16
File Type:pdf, Size:1020Kb
FASTKITTEN: Practical Smart Contracts on Bitcoin Poulami Das* Lisa Eckey* Tommaso Frassetto§ David Gens§ Kristina Hostáková* Patrick Jauernig§ Sebastian Faust* Ahmad-Reza Sadeghi§ Technische Universität Darmstadt, Germany * fi[email protected] § fi[email protected] Abstract A particular important shortcoming of Bitcoin is its limited Smart contracts are envisioned to be one of the killer appli- support for so-called smart contracts. Smart contracts are cations of decentralized cryptocurrencies. They enable self- (partially) self-enforcing protocols that allow emitting trans- enforcing payments between users depending on complex actions based on complex program logic. Smart contracts program logic. Unfortunately, Bitcoin – the largest and by far enable countless novel applications in, e.g., the financial in- most widely used cryptocurrency – does not offer support for dustry or for the Internet of Things, and are often quoted as complex smart contracts. Moreover, simple contracts that can a glimpse into our future [9]. The most prominent cryptocur- be executed on Bitcoin are often cumbersome to design and rency that currently allows to run complex smart contracts is very costly to execute. In this work we present FASTKITTEN, Ethereum [16], which has been designed to support Turing a practical framework for executing arbitrarily complex smart complete smart contracts. While Ethereum is continuously contracts at low costs over decentralized cryptocurrencies gaining popularity, integrating contracts directly into a cryp- which are designed to only support simple transactions. To tocurrency has several downsides as frequently mentioned this end, FASTKITTEN leverages the power of trusted comput- by the advocates of Bitcoin. First, designing large-scale se- ing environments (TEEs), in which contracts are run off-chain cure distributed systems is highly complex, and increasing to enable efficient contract execution at low cost. We formally complexity even further by adding support for complex smart prove that FASTKITTEN satisfies strong security properties contracts also increases the potential for introducing bugs. when all but one party are malicious. Finally, we report on Second, in Ethereum, smart contracts are directly integrated a prototype implementation which supports arbitrary con- into the consensus mechanics of the cryptocurrency, which re- tracts through a scripting engine, and evaluate performance quires in particular that all nodes of the decentralized system through benchmarking a provably fair online poker game. Our execute all contracts. This makes execution of contracts very implementation illustrates that FASTKITTEN is practical for costly and limits the number and complexity of applications complex multi-round applications with a very small latency. that can eventually be run over such a system. Finally, many Combining these features, FASTKITTEN is the first truly prac- applications for smart contracts require confidentiality, which tical framework for complex smart contract execution over is currently not supported by Ethereum. Bitcoin. There has been significant research effort in addressing these challenges individually. Some works aim to extend the func- 1 Introduction tionality of Bitcoin by showing how to build contracts over Starting with their invention in 2008, decentralized cryptocur- Bitcoin by using multiparty computation (MPC) [37,38,40], rencies such as Bitcoin [51] currently receive broad attention others focus on achieving privacy-preserving contracts (e.g., both from academia and industry. Since the rise of Bitcoin, Hawk [35], Ekiden [19]) by combining existing cryptocur- countless new cryptocurrencies have been launched to address rencies with trusted execution environments (TEEs). How- some of the shortcomings of Nakamoto’s original proposal. ever, as we elaborate in Section 2, all of these solutions suf- Examples include Zerocash [47] which improves on Bitcoin’s fer from various deficiencies: they cannot be integrated into limited anonymity, and Ethereum [16] which offers complex existing cryptocurrencies such as Bitcoin, are highly ineffi- smart contract support. Despite these developments, Bitcoin cient (e.g., they use heavy cryptographic techniques such as still remains by far the most popular and intensively stud- non-interactive zero-knowledge proofs or general MPC), do ied cryptocurrency, with its current market capitalization of not support money mechanics, or have significant financial $109 billion which accounts for more than 50% of the total costs due to complex transactions and high collateral (money cryptocurrency market size [2]. blocked by the parties in MPC-based solutions). In this work, we propose FASTKITTEN, a novel system that online poker can run with an overall match latency of leverages trusted execution environments (TEEs) utilizing 45ms and costs per player are in order of magnitude of well-established cryptocurrencies, such as Bitcoin, to offer one USD, which demonstrates FASTKITTEN’s practical- full support for arbitrary complex smart contracts. We empha- ity. size that FASTKITTEN does not only address the challenges We emphasize that FASTKITTEN requires only a single TEE discussed above, but is also highly efficient. It can be easily which can be owned either by one of the participants or by an integrated into existing cryptocurrencies and hence is ready to external service provider which we call the operator. In addi- use today. FASTKITTEN achieves these goals by using a TEE tion, smart contracts running in the FASTKITTEN execution to isolate the contract execution inside an enclave, shielding framework support private state and secure inputs, and thus, it from potentially malicious users. The main challenges of offer even more powerful contracts than Ethereum. Finally, this solution, such as for instance how to load and validate we stress that FASTKITTEN can support contracts that may blockchain data inside the enclave or how to prevent denial span over multiple different cryptocurrencies where each par- of service attacks, are discussed in Section 3.1. Moving the ticipant may use her favorite currency for the money handled contract execution into the secure enclave guarantees correct by the contract. and private evaluation of the smart contract even if it is not running on the blockchain and verified by the decentralized 2 Related Work network. This approach circumvents the efficiency shortcom- Support for execution of arbitrary complex smart contracts ing of cryptocurrencies like Ethereum, where contracts have over decentralized cryptocurrencies was first proposed and to be executed in parallel by thousands of users. Most related implemented by the Ethereum cryptocurrency. As pointed to our work is the recently introduced Ekiden system [19], out in Section 1, running smart contracts over decentralized which uses a TEE to support execution of multiparty compu- cryptocurrencies results in significant overheads due to the tations but does support contracts that handle coins. While replicated execution of the contract. While there are currently Ekiden is efficient for single round contracts, it is not de- huge research efforts aiming at reducing these overheads signed for complex reactive multi-round contracts, and their (for instance, via second layer solutions such as state chan- off-chain execution. The latter is one of the main goals of nels [24, 49], Arbitrum [34] or Plasma [55], outsourcing of FASTKITTEN. computation [58], or permissioned blockchains [46]), these so- We summarize our main goals and contributions below. lutions work only over cryptocurrencies with support complex • Smart Contracts for Bitcoin: We support arbitrary smart contracts, e.g. over Ethereum. Another line of work, multi-round smart contracts executed amongst any fi- which includes Hawk [36] and the “Ring of Gyges” [33], is nite number of participants, where our system can be run addressing the shortcoming that Ethereum smart contracts on top of any cryptocurrency with only limited script- cannot keep private state. However, also these solutions are ing functionality. We emphasize that Bitcoin is only one based on complex smart contracts and hence cannot be inte- example over which our system can be deployed today; grated into popular legacy cryptocurrencies such as Bitcoin, even cryptocurrencies that are simpler than Bitcoin can which is the main goal of FASTKITTEN. be used for FASTKITTEN. In this section we will focus on related work, which con- • Efficient Off-Chain Execution: Our protocol is de- siders smart contract execution on Bitcoin. We separately signed to keep the vast majority of program execution discuss multiparty computation based smart contracts and so- off-chain in the standard case if all parties follow the lutions using a TEE. We provide a more detailed discussion on protocol. Since our system incentivizes honest behavior how the above-mentioned Ethereum based solutions compare for most practical use cases, FASTKITTEN can thus run to FASTKITTEN in Appendix A. Additionally, in Section 8 in real-time at low costs. we discuss some exemplary contract use cases and compare • Formal Security Analysis: We formally analyze the their execution inside FASTKITTEN with the execution over security of FASTKITTEN in a strong adversarial model. Ethereum. We prove that either the contract is executed correctly, Multiparty computation for smart contracts An interest- or all honest parties get their money back that they have ing direction to realize complex contracts over Bitcoin