2016 IEEE Symposium on Security and Privacy

Hawk: The Model of Cryptography and Privacy-Preserving Smart Contracts

Ahmed Kosba∗, Andrew Miller∗, Elaine Shi†, Zikai Wen†, Charalampos Papamanthou∗ ∗University of Maryland and †Cornell University {akosba, amiller}@cs.umd.edu, {rs2358, zw385}@cornell.edu, [email protected]

Abstract—Emerging systems over decentralized privacy. Such a blockchain provides a powerful abstraction for allow mutually distrustful parties to transact the design of distributed protocols. safely without trusted third parties. In the event of contrac- The blockchain’s expressive power is further enhanced by tual breaches or aborts, the decentralized blockchain ensures that honest parties obtain commensurate compensation. Existing the fact that naturally embody a discrete notion systems, however, lack transactional privacy. All transactions, of time, i.e., a clock that increments whenever a new block including flow of money between pseudonyms and amount is mined. The existence of such a trusted clock is crucial transacted, are exposed on the blockchain. for attaining financial fairness in protocols. In particular, Hawk We present , a decentralized smart contract system that malicious contractual parties may prematurely abort from a does not store financial transactions in the clear on the block- chain, thus retaining transactional privacy from the public’s view. protocol to avoid financial payment. However, with a trusted A Hawk programmer can write a private smart contract in an clock, timeouts can be employed to make such aborts evident, intuitive manner without having to implement cryptography, and such that the blockchain can financially penalize aborting our compiler automatically generates an efficient cryptographic parties by redistributing their collateral deposits to honest, protocol where contractual parties interact with the blockchain, non-aborting parties. This makes the blockchain model of using cryptographic primitives such as zero-knowledge proofs. cryptography more powerful than the traditional model without To formally define and reason about the security of our protocols, we are the first to formalize the blockchain model a blockchain where fairness is long known to be impossible of cryptography. The formal modeling is of independent interest. in general when the majority of parties can be corrupt [8], We advocate the community to adopt such a formal model when [17], [24]. In summary, blockchains allow parties mutually designing applications atop decentralized blockchains. unbeknownst to transact securely without a centrally trusted intermediary, and avoiding high legal and transactional cost. I. INTRODUCTION Despite the expressiveness and power of the blockchain and smart contracts, the present form of these technologies Decentralized cryptocurrencies such as [48] and alt- lacks transactional privacy. The entire sequence of actions coins [20] have rapidly gained popularity, and are often quoted taken in a smart contract are propagated across the network as a glimpse into our future [5]. These emerging cryptocur- and/or recorded on the blockchain, and therefore are publicly rency systems build atop a novel blockchain technology where visible. Even though parties can create new pseudonymous miners run distributed consensus whose security is ensured if public keys to increase their anonymity, the values of all trans- no adversary wields a large fraction of the computational (or actions and balances for each (pseudonymous) public key are other forms of) resource. The terms “blockchain” and “miners” publicly visible. Further, recent works have also demonstrated are therefore often used interchangeably. deanonymization attacks by analyzing the transactional graph Blockchains like Bitcoin reach consensus not only on a structures of cryptocurrencies [42], [52]. stream of data but also on computations involving this data. In We stress that lack of privacy is a major hindrance towards Bitcoin, specifically, the data include money transfer transac- the broad adoption of decentralized smart contracts, since fi- tion proposed by users, and the computation involves transac- nancial transactions (e.g., insurance contracts or stock trading) tion validation and updating a data structure called the unspent are considered by many individuals and organizations as being transaction output set which, imprecisely speaking, keeps track highly secret. Although there has been progress in designing of users’ account balances. Newly emerging privacy-preserving cryptocurrencies such as Zerocash [11] and systems such as [57] embrace the idea of running several others [26], [43], [54], these systems forgo programma- arbitrary user-defined programs on the blockchain, thus creat- bility, and it is unclear a priori how to enable programmability ing an expressive decentralized smart contract system. without exposing transactions and data in cleartext to miners. In this paper, we consider smart contract protocols where parties interact with such a blockchain. Assuming that the A. Hawk Overview decentralized concensus protocol is secure, the blockchain can We propose Hawk, a framework for building privacy- be thought of as a conceptual party (in reality decentralized) preserving smart contracts. With Hawk,anon-specialist pro- that can be trusted for correctness and availability but not for grammer can easily write a Hawk program without having to

2375-1207/16© 2016, Ahmed $31.00 Kosba. © Under2016 IEEE license to IEEE. 839 DOI 10.1109/SP.2016.55

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. implement any cryptography. Our Hawk compiler is in charge Protocol of compiling the program to a cryptographic protocol between Manager Blockchain the blockchain and the users. As shown in Figure 1, a Hawk program contains two parts: Coins

1) A private portion denoted φpriv which takes in parties’ input Users Data data (e.g., choices in a “rock, paper, scissors” game) as well as currency units (e.g., bids in an auction). φpriv performs computation to determine the payout distribution amongst Hawk Contract Compile the parties. For example, in an auction, winner’s bid goes to Public Ф Private Ф the seller, and others’ bids are refunded. The private Hawk pub priv program φ is meant to protect the participants’ data and Programmer priv Hawk the exchange of money. Fig. 1. overview. φ 2) A public portion denoted pub that does not touch private be equated with a trusted third party — even when the manager data or money. can deviate arbitrarily from the protocol or collude with the Our compiler will compile the Hawk program into the parties, the manager cannot affect the correct execution of following pieces which jointly define a cryptographic protocol the contract. In the event that a manager aborts the protocol, between users, the manager, and the blockchain: it can be financially penalized, and users obtain compensation • the blockchain’s program which will be executed by all accordingly. consensus nodes; The manager also need not be trusted to maintain the • a program to be executed by the users; and security or privacy of the underlying currency (e.g., it cannot • a program to be executed by a special facilitating party double-spend, inflate the currency, or deanonymize users). called the manager which will be explained shortly. Furthermore, if multiple contract instances run concurrently, Security guarantees. Hawk’s security guarantees encompass each contract may specify a different manager and the effects two aspects: of a corrupt manager are confined to that instance. Finally, the manager role may be instantiated with trusted comput- • On-chain privacy. On-chain privacy stipulates that transac- ing hardware like Intel SGX, or replaced with a multiparty tional privacy be provided against the public (i.e., against computation among the users themselves, as we describe in any party not involved in the contract) – unless the con- Section IV-C and Appendix A. tractual parties themselves voluntarily disclose information. Although in Hawk protocols, users exchange data with Terminology. In Ethereum [57], the blockchain’s portion of the blockchain, and rely on it to ensure fairness against the protocol is called an Ethereum contract. However, this Hawk aborts, the flow of money and amount transacted in the paper refers to the entire protocol defined by the program as a contract; and the blockchain’s program is a private Hawk program φpriv is cryptographically hidden from the public’s view. Informally, this is achieved by constituent of the bigger protocol. In the event that a manager sending “encrypted” information to the blockchain, and aborts the protocol, it can be financially penalized, and users relying on zero-knowledge proofs to enforce the correctness obtain compensation accordingly. of contract execution and money conservation. B. Example: Sealed Auction • Contractual security. While on-chain privacy protects con- Example program. Figure 2 shows a Hawk program for tractual parties’ privacy against the public (i.e., parties implementing a sealed, second-price auction where the highest not involved in the financial contract), contractual secu- bidder wins, but pays the second highest price. Second- rity protects parties in the same contractual agreement price auctions are known to incentivize truthful bidding under from each other. Hawk assumes that contractual parties certain assumptions, [55] and it is important that bidders act selfishly to maximize their own financial interest. In submit bids without knowing the bid of the other people. Our particular, they can arbitrarily deviate from the prescribed example auction program contains a private portion φpriv that protocol or even abort prematurely. Therefore, contractual determines the winning bidder and the price to be paid; and security is a multi-faceted notion that encompasses not only a public portion φpub that relies on public deposits to protect cryptographic notions of confidentiality and authenticity, bidders from an aborting manager. but also financial fairness in the presence of cheating and For the time being, we assume that the set of bidders are aborting behavior. The best way to understand contractual known a priori. security is through a concrete example, and we refer the Contractual security requirements. Hawk will compile this reader to Section I-B for a more detailed explanation. auction program to a cryptographic protocol. As mentioned Minimally trusted manager. The execution of Hawk con- earlier, as long as the bidders and the manager do not volun- tracts are facilitated by a special party called the manager. tarily disclose information, transaction privacy is maintained The manager can see the users’ inputs and is trusted not to against the public. Hawk also guarantees the following con- disclose users’ private data. However, the manager is NOT to tractual security requirements for parties in the contract:

840

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. 1 HawkDeclareParties(Seller,/* N parties */); as part of the Hawk contract, that govern financial fairness. 2 HawkDeclareTimeouts(/* hardcoded timeouts */); • Security against a dishonest manager. We ensure authen- 3 // Private portion φpriv ticity against a dishonest manager: besides aborting, a dis- 4 private contract auction(Inp &in, Outp &out) { honest manager cannot affect the outcome of the auction 5 int winner = -1; 6 int bestprice = -1; and the redistribution of money, even when it colludes with 7 int secondprice = -1; a subset of the users. We stress that to ensure the above, input independent privacy against a faulty manager is a 8 for (int i=0;i bestprice) { financially penalized, and the participants obtain correspond- 10 secondprice = bestprice; 11 bestprice = in.party[i].$val; ing remuneration. 12 winner = i; An auction with the above security and privacy requirements $ 13 } else if (in.party[i]. val > secondprice) { cannot be trivially implemented atop existing cryptocurrency 14 secondprice = in.party[i].$val; 15 } systems such as Ethereum [57] or Zerocash [11]. The former 16 } allows for programmability but does not guarantee transac- tional privacy, while the latter guarantees transactional privacy 17 // Winner pays secondprice to seller but at the price of even reduced programmability than Bitcoin. 18 // Everyone else is refunded 19 out.Seller.$val = secondprice; Aborting and timeouts. Aborting is dealt with using timeouts. 20 out.party[winner].$val = bestprice-secondprice; A Hawk program such as Figure 2 declares timeout parame- 21 out.winner = winner; ters using the HawkDeclareTimeouts special syntax. Three 22 for (int i=0;i

841

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. and can be useful in general for defining and modeling the applications either atop Ethereum or by forking off Ethereum, security of protocols in the blockchain model. Our formal such as prediction markets [3], supply chain provenance [6], model has also been adopted by the Gyges work [35] in crowd-based fundraising [1], and security and derivatives designing criminal smart contracts. trading [28]. In defining for formal blockchain model, we rely on a notion Security of the blockchain. Like earlier works that design called wrappers to modularize our protocol design and to sim- smart contract applications for cryptocurrencies, we rely on the plify presentation. Wrappers handle a set of common details underlying decentralized blockchain to be secure. Therefore, such as timers, pseudonyms, global ledgers in a centralized we assume the blockchain’s consensus protocol attains security place such that they need not be repeated in every protocol. when an adversary does not wield a large fraction of the com- New cryptography suite. We implement a new cryptography putational power. Existing cryptocurrencies are designed with suite that binds private transactions with programmable logic. heuristic security. On one hand, researchers have identified Our protocol suite contains three essential primitives freeze, attacks on various aspects of the system [29], [34]; on the compute, and finalize. The freeze primitive allows parties other, efforts to formally understand the security of blockchain to commit to not only normal data, but also coins. Committed consensus have begun [32], [45]. coins are frozen in the contract, and the payout distribution will Minimizing on-chain costs. Since every miner will execute φ later be determined by the program priv. During compute, the smart contract programs while verifying each transaction, parties open their committed data and currency to the manager, cryptocurrencies including Bitcoin and Ethereum collect trans- φ such that the manager can compute the function priv. Based on action fees that roughly correlate with the cost of execution. φ the outcome of priv, the manager now constructs new private While we do not explicitly model such fees, we design our coins to be paid to each recipient. The manager then submits protocols to minimize on-chain costs by performing most of to the blockchain both the new private coins as well as zero- the heavy-weight computation off-chain. knowledge proofs of their well-formedness. At this moment, 2) Additional Related Works: Leveraging blockchain for the previously frozen coins are now redistributed among the financial fairness. A few prior works have explored how to users. Our protocol suite strictly generalizes Zerocash since leverage the blockchain technology to achieve fairness in pro- Zerocash implements only private money transfers between tocol design. For example, Bentov et al. [17], Andrychowicz users without programmability. et al. [7], Kumaresan et al. [40], Kiayias et al. [36], as well We define the security of our primitives using ideal func- as Zyskind et al. [59], show how Bitcoin can be used to tionalities, and formally prove security of our constructions ensure fairness in secure multi-party computation protocols. under a simulation-based paradigm. These protocols also perform off-chain secure computation Implementation and evaluation. We built a Hawk prototype of various types, but do not guarantee transactional privacy and evaluated its performance by implementing several ex- (i.e., hiding the currency flows and amounts transacted). For ample applications, including a sealed-bid auction,a“rock, example, it is not clear how to implement our sealed auction paper, scissors” game, a application, and a example using these earlier techniques. Second, these earlier swap financial instrument. We propose interesting protocol works either do not offer system implementations or provide optimizations that gained us a factor of 10× in performance implementations only for specific applications (e.g., lottery). In relative to a straightforward implementation. We show that comparison, Hawk provides a generic platform such that non- for at about 100 parties (e.g., auction and crowdfunding), the specialist programmers can easily develop privacy-preserving manager’s cryptographic computation (the most expensive part smart contracts. of the protocol) is under 2.85min using 4 cores, translating Smart contracts. The conceptual idea of programmable elec- to under $0.14 of EC2 time. Further, all on-chain computation tronic “smart contracts” dates back nearly twenty years [53]. (performed by all miners) is very cheap, and under 20ms for Hawk Besides recent decentralized cryptocurrencies, which guaran- all cases. We will open source our framework in the tee authenticity but not privacy, other smart contract imple- near future. mentations rely on trusted servers for security [46]. Our work D. Background and Related Work therefore comes closest to realizing the original vision of 1) Background: The original Bitcoin offers limited pro- parties interacting with a trustworthy “virtual computer” that grammability through a scripting language that is neither executes programs involving money and data. Turing-complete nor user friendly. Numerous previous endeav- Programming frameworks for cryptography. Several works ors at creating smart contract-like applications atop Bitcoin have developed programming frameworks that take in high- (e.g., lottery [7], [17], micropayments [4],verifiable computa- level programs as specifications and generate cryptographic tion [40]) have demonstrated the difficulty of in retrofitting implementations, including compilers for secure multi-party Bitcoin’s scripting language – this serves well to motivate a computation [19], [39], [41], [51], authenticated data struc- Turing-complete, user-friendly smart contract language. tures [44], and (zero-knowledge) proofs [12], [30], [31], [49]. Ethereum is the first Turing-complete decentralized smart Zheng et al. show how to generate secure distributed protocols contract system. With Ethereum’s imminent launch, companies such as sealed auctions, battleship games, and banking applica- and hobbyists are already building numerous smart contract tions [58]. These works support various notions of security, but

842

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. none of them interact directly with money or leverage public sends to the blockchain. In reality, this means that the blockchains for ensuring financial fairness. Thus our work overlay network must have sufficient redundancy. However, is among the first to combine the “correct-by-construction” an adversary can drop messages delivered between parties cryptography approach with smart contracts. off the blockchain. Concurrent work. Our framework is the first to provide a • Pseudonyms. Users can make up an unbounded polynomial full-fledged formal model for decentralized blockchains as number of pseudonyms when communicating with the embodied by Bitcoin, Ethereum, and many other popular blockchain. decentralized cryptocurrencies. In concurrent and independent • Correctness and availability. We assume that the blockchain work, Kiayias et al. [36] also propose a blockchain model will perform any prescribed computation correctly. We also in the (Generalized) Universal Composability framework [23] assume that the blockchain is always available. and use it to derive results that are similar to what we Advantages of a generic blockchain model. We adopt describe in the online version [37], i.e., fair MPC with public a generic blockchain model where the blockchain can run deposits. However, the “programmability” of their formalism arbitrary Turing-complete programs. In comparison, previous is limited to their specific application (i.e., fair MPC with and concurrent works [7], [17], [40], [50] retrofit the artifacts public deposits). In comparison, our formalism is designed of Bitcoin’s limited and hard-to-use scripting language. In with much broader goals, i.e., to facilitate protocol designers Section VII and the online version [37], we present additional to design a rich class of protocols in the blockchain model. In theoretical results demonstrating that our generic blockchain particular, both our real-world wrapper (Figure 11) and ideal- model yields asymptotically more efficient cryptographic pro- world wrapper (Figure 10) model the presence of arbitrary user tocols. defined contract programs, which interact with both parties and B. Formally Modeling the Blockchain the ledger. Our formalism has also been adopted by the Gyges Our paper adopts a carefully designed notational system work [35] demonstrating its broad usefulness. such that readers may understand our constructions without II. THE BLOCKCHAIN MODEL OF CRYPTOGRAPHY understanding the precise details of our formal modeling. A. The Blockchain Model We stress, however, that we give formal, precise specifi- We begin by informally describing the trust model and cations of both functionality and security, and our protocols assumptions. We then propose a formal framework for the are formally proven secure under the Universal Composability “blockchain model of cryptography” for specifying and rea- (UC) framework. In doing so, we make a separate contribution soning about the security of protocols. of independent interest: we are the first to propose a formal, In this paper, the blockchain refers to a decentralized set UC-based framework for describing and proving the security of miners who run a secure consensus protocol to agree upon of distributed protocols that interact with a blockchain — the global state. We therefore will regard the blockchain as a we refer to our formal model as “the blockchain model of conceptual trusted party who is trusted for correctness and cryptography”. availability, but not trusted for privacy. The blockchain Programs, wrappers, and functionalities. In the remainder not only maintains a global ledger that stores the balance for of the paper, we will describe ideal specifications, as well every pseudonym, but also executes user-defined programs. as pieces of the protocol executed by the blockchain, the More specifically, we make the following assumptions: users, and the manager respectively as programs written in • Time. The blockchain is aware of a discrete clock that pseudocode. We refer to them as the ideal program (denoted increments in rounds. We use the terms rounds and epochs Ideal), the blockchain program (denoted B or Blockchain), and interchangeably. the user/manager program (denoted UserP) respectively. • Public state. All parties can observe the state of the block- All of our pseudo-code style programs have precise mean- chain. This means that all parties can observe the public ings in the UC framework. To “compile” a program to a ledger on the blockchain, as well as the state of any user- UC-style functionality or protocol, we apply a wrapper to defined blockchain program (part of a contract protocol). a program. Specifically, we define the following types of • Message delivery. Messages sent to the blockchain will wrappers: arrive at the beginning of the next round. A network • The ideal wrapper F(·) transforms an ideal program IdealP adversary may arbitrarily reorder messages that are sent into a UC ideal functionality F(IdealP). to the blockchain within the same round. This means that • The blockchain wrapper G(·) transforms a blockchain pro- the adversary may attempt a front-running attack (also gram B to a blockchain functionality G(B). The blockchain referred to as the rushing adversary by cryptographers), e.g., functionality G(B) models the program executing on the upon observing that an honest user is trading a stock, the blockchain. adversary preempts by sending a race transaction trading the • The protocol wrapper Π(·) transforms a user/manager same stock. Our protocols should be proven secure despite program UserP into a user-side or manager-side protocol such adversarial message delivery schedules. Π(UserP). We assume that all parties have a reliable channel to the One important reason for having wrappers is that wrappers im- blockchain, and the adversary cannot drop messages a party plement a set of common features needed by every smart con-

843

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. tract application, including time, public ledger, pseudonyms, IdealPcash and adversarial reordering of messages — in this way, we Init: Coins: a multiset of coins, each of the form (P, $val) need not repeat this notation for every blockchain application. Mint: Upon receiving (mint, $val) from some P: We defer our formal UC modeling to Appendix B. This will send (mint, P, $val) to A not hinder the reader in understanding our protocols as long assert ledger[P] ≥ $val as the reader intuitively understands our blockchain model and ledger[P]:=ledger[P] − $val assumptions described in Section II-A. Before we describe our append (P, $val) to Coins protocols, we define some notational conventions for writing Pour: On (pour, $val1, $val2, P1, P2, $val1, $val2) from P: “programs”. Readers who are interested in the details of our assert $val1 +$val2 =$val1 +$val2 formal model and proofs can refer to Appendix B. if P is honest, assert (P, $vali) ∈ Coins for i ∈{1, 2} C. Conventions for Writing Programs assert Pi = ⊥ for i ∈{1, 2} Our wrapper-based system modularizes notation, and allows remove one (P, $vali) from Coins for i ∈{1, 2} us to use a set of simple conventions for writing user-defined for i ∈{1, 2},ifPi is corrupted, send (pour, i, P $ ) A ( ,i,P ) A ideal programs, blockchain programs, and user protocols. We i, vali to ; else send pour i to describe these conventions below. if P is corrupted: (P, $ ) ∈ i ∈{1, 2} Timer activation points. The ideal functionality wrapper assert vali Coins for remove one (P, $vali) from Coins for i ∈{1, 2} F(·) and the blockchain wrapper G(·) implement a clock that for i ∈{1, 2}: add (Pi, $vali) to Coins advances in rounds. Every time the clock is advanced, the for i ∈{1, 2}:ifPi = ⊥, send (pour, $vali) to Pi wrappers will invoke the Timer activation point. Therefore, by convention, we allow the ideal program or the blockchain Fig. 3. Definition of IdealPcash. Notation: ledger denotes the public ledger, program can define a Timer activation point. Timeout oper- and Coins denotes the private pool of coins. As mentioned in Section II-C, ations (e.g., refunding money after a certain timeout) can be gray background denotes batched and delayed activation. All party names correspond to pseudonyms due to notations and conventions defined in implemented under the Timer activation point. Section II-B. Delayed processing in ideal programs. When writing the blockchain program, every message received by the blockchain When the context is clear, we avoid writing “as nym P ”, program is already delayed by a round due to the G(·) wrapper. and simply write “send m to G(B)”. Our formal system also When writing the ideal program, we introduce a simple allows users to send messages anonymously to the blockchain convention to denote delayed computation. Program instruc- – although this option will not be used in this paper. tions that are written in gray background denote computation Ledger and money transfers. A public ledger is denoted that does not take place immediately, but is deferred to ledger in our ideal programs and blockchain programs. When a the beginning of the next timer click. This is a convenient party sends $amt to an ideal program or a blockchain program, shorthand because in our real-world protocol, effectively any this represents an ordinary message transmission. Money computation done by a blockchain functionality will be de- transfers only take place when ideal programs or blockchain layed. For example, in our IdealPcash ideal program (see programs update the public ledger ledger. In other words, Figure 3), whenever the ideal functionality receives a mint or the symbol $ is only adopted for readability (to distinguish pour message, the ideal adversary S is notified immediately; variables associated with money and other variables), and does however, processing of the messages is deferred till the next not have special meaning or significance. One can simply think timer click. Formally, delayed processing can be implemented of this variable as having the money type. simply by storing state and invoking the delayed program in- structions on the next Timer click. By convention, we assume III. CRYPTOGRAPHY ABSTRACTIONS that the delayed instructions are invoked at the beginning of We now describe our cryptography abstraction in the form the Timer call. In other words, upon the next timer click, the of ideal programs. Ideal programs define the correctness and delayed instructions are executed first. security requirements we wish to attain by writing a speci- Pseudonymity. All party identifiers that appear in ideal fication assuming the existence of a fully trusted party. We programs, blockchain programs, and user-side programs by will later prove that our real-world protocols (based on smart default refer to pseudonyms. When we write “upon receiving contracts) securely emulate the ideal programs. As mentioned message from some P ”, this accepts a message from any earlier, an ideal program must be combined with a wrapper F pseudonym. Whenever we write “upon receiving message to be endowed with exact execution semantics. from P ”, without the keyword some, this accepts a message Overview. Hawk realizes the following specifications: from a fixed pseudonym P , and typically which pseudonym • Private ledger and currency transfer. Hawk relies on the we refer to is clear from the context. existence of a private ledger that supports private currency Whenever we write “send m to G(B) as nym P ” inside a transfers. We therefore first define an ideal functionality m P user program, this sends an internal message (“send”, , ) called IdealPcash that describes the requirements of a private to the protocol wrapper Π. The protocol wrapper will then ledger (see Figure 3). Informally speaking, earlier works authenticate the message appropriately under pseudonym P . such as Zerocash [11] are meant to realize (approximations

844

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. of) this ideal functionality – although technically this ought to spend a coin paid to itself until the next round. By contrast, to be interpreted with the caveat that these earlier works corrupted parties are allowed to spend coins paid to them in prove indistinguishability or game-based security instead the same round – this is due to the fact that any message is UC-based simulation security. routed immediately to the adversary, and the adversary can • Hawk-specific primitives. With a private ledger specified, also choose a permutation for all messages received by the we then define Hawk-specific primitives including freeze, blockchain in the same round (see Section II and Appendix B). compute, and finalize that are essential for enabling trans- Another subtlety in the IdealPcash functionality is while hon- actional privacy and programmability simultaneously. est parties always pour to existing pseudonyms, the function- ality allows the adversary to pour to non-existing pseudonyms A. Private Cash Specification IdealPcash denoted ⊥ — in this case, effectively the private coin goes At a high-level, the IdealPcash specifies the requirements of a into a blackhole and cannot be retrieved. This enables a private ledger and currency transfer. We adopt the same “mint” performance optimization in our UserPcash and Blockchaincash and “pour” terminology from Zerocash [11]. protocol later – where we avoid including the cti’s in the NIZK L Mint. The mint operation allows a user P to transfer money of POUR (see Section IV). If a malicious pourer chooses to P from the public ledger denoted ledger to the private pool compute the wrong cti, it is as if the recipient i did not ⊥ denoted Coins[P]. With each transfer, a private coin for user receive the pour, i.e., the pour is made to . P is created, and associated with a value val. B. Hawk Specification IdealPhawk For correctness, the ideal program IdealPcash checks that the user P has sufficient funds in its public ledger ledger[P] To enable transactional privacy and programmability simul- before creating the private coin. taneously, we now describe the specifications of new Hawk Pour. The pour operation allows a user P to spend money primitives, including freeze, compute, and finalize. The formal in its private bank privately. For simplicity, we define the specification of the ideal program IdealPhawk is provided in simple case with two input coins and two output coins. This Figure 4. Below, we provide some explanations. We also refer is sufficient for users to transfer any amount of money by the reader to Section I-C for higher-level explanations. “making change,” although it would be straightforward to Freeze. In freeze, a party tells IdealPhawk to remove one support more efficient batch operations as well. coin from the private coins pool Coins, and freeze it in the For correctness, the ideal program IdealPcash checks the blockchain by adding it to FrozenCoins. The party’s private P following: 1) for the two input coins, party indeed possesses input denoted in is also recorded in FrozenCoins. IdealPhawk private coins of the declared values; and 2) the two input coins checks that P has not called freeze earlier, and that a coin sum up to equal value as the two output coins, i.e., coins (P, val) exists in Coins before proceeding with the freeze. neither get created or vanish. Compute. When a party P calls compute, its private input Privacy. When an honest party P mints, the ideal-world in and the value of its frozen coin val are disclosed to the adversary A learns the pair (P, val) – since minting is raising manager PM. coins from the public pool to the private pool. Operations on Finalize. In finalize, the manager PM submits a public the public pool are observable by A. input inM to IdealPhawk. IdealPhawk now computes the outcome When an honest party P pours, however, the adversary A of φpriv on all parties’ inputs and frozen coin values, and learns only the output pseudonyms P1 and P2. It does not learn redistributes the FrozenCoins based on the outcome of φpriv. which coin in the private pool Coins is being spent nor the To ensure money conservation, the ideal program IdealPhawk name of the spender. Therefore, the spent coins are anonymous checks that the sum of frozen coins is equal to the sum of with respect to the private pool Coins. To get strong anonymity, output coins. new pseudonyms P1 and P2 can be generated on the fly to Interaction with public contract. The IdealP functional- receive each pour. We stress that as long as pour hides the hawk ity is parameterized by a public Hawk contract φ , which is sender, this “breaks” the transaction graph, thus preventing pub included in IdealP as a sub-module. During a finalize, linking analysis. hawk IdealP calls φ .check. The public contract φ typically If a corrupted party is the recipient of a pour, the adversary hawk pub pub serves the following purposes: additionally learns the value of the coin it receives. • Additional subtleties. Later in our protocol, honest parties Check the well-formedness of the manager’s input inM. keep track of a wallet of coins. Whenever an honest party For example, in our financial derivatives application (Sec- φ pours, it first checks if an appropriate coin exists in its local tion VI-B), the public contract pub asserts that the input wallet – and if so it immediately removes the coin from the corresponds to the price of a stock as reported by the stock wallet (i.e., without delay). In this way, if an honest party exchange’s authentic data feed. makes multiple pour transactions in one round, it will always • Redistribute public deposits. If parties or the manager have choose distinct coins for each pour transaction. Therefore, in aborted, or if a party has provided invalid input (e.g., less our IdealPcash functionality, honest pourers’ coins are immedi- than a minimum bet) the public contract φpub can now ately removed from Coins. Further, an honest party is not able redistribute the parties’ public deposits to ensure financial

845

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. party’s pseudonym P. We note that leaking the pseudonym P IdealPhawk(PM, {Pi}i∈[N],T1,T2,φpriv,φpub) Init: Call IdealP .Init. Additionally: does not hurt privacy, since a party can simply create a new cash P FrozenCoins: a set of coins and private in- pseudonym and pour to this new pseudonym immediately puts received by this contract, each of the form before the freeze. (P, in, $val). Initialize FrozenCoins := ∅. When an honest party calls compute, the manager PM gets Freeze: Upon receiving (freeze, $vali, ini) from Pi for some to observe its input and frozen coin’s value. However, the i ∈ [N]: public and other contractual parties do not observe anything assert current time T

call φpub.check(inM, out) Other simplifying assumptions we made include the follow- for i ∈ [N] such that Pi called compute: ing. Our basic IdealPhawk assumes that the set of pseudonyms add (Pi, $vali) to Coins participating in the contract as well as timeouts T1 and T2 are send (finalize, $vali) to Pi hard-coded in the program. This can also be easily relaxed as φpub: Run a local instance of public contract φpub. Messages mentioned in Section IV-C. between the adversary to φpub, and from φpub to parties are forwarded directly. IV. CRYPTOGRAPHIC PROTOCOLS Upon receiving message (pub,m) from party P: notify A of (pub,m) Our protocols are broken down into two parts: 1) the private cash part that implements direct money transfers between send m to φpub on behalf of P users; and 2) the Hawk-specific part that binds transactional IdealPcash: include IdealPcash (Figure 3). privacy with programmable logic. The formal protocol descrip- tions are given in Figures 5 and 6. Below we explain the high- Fig. 4. Definition of IdealPhawk. Notations: FrozenCoins denotes frozen coins owned by the contract; Coins denotes the global private coin pool defined by level intuition. IdealPcash; and (ini, vali) denotes the input data and frozen coin value of party Pi. A. Warmup: Private Cash and Money Transfers Our construction adopts a Zerocash-like protocol for im- fairness. For example, in our “Rock, Paper, Scissors” exam- plementing private cash and private currency transfers. For φ ple (see Section VI-B), the private contract priv checks if completeness, we give a brief explanation below, and we φ each party has frozen the minimal bet. If not, priv includes mainly focus on the pour operation which is technically more φ that information in out so that pub pays that party’s public interesting. The blockchain program Blockchaincash maintains deposit to others. a set Coins of private coins. Each private coin is of the format

Security and privacy requirements. The IdealPhawk specifies (P, coin := Comms($val)) the following privacy guarantees. When an honest party P freezes money (e.g., a bid), the adversary should not observe where P denotes a party’s pseudonym, and coin commits to the amount frozen. However, the adversary can observe the the coin’s value $val under randomness s.

846

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. Protocol UserPcash Init: Wallet: stores P’s spendable coins, initially ∅ Blockchaincash GenNym: sample a random seed skprf Init: : a reference string for the underlying system crs NIZK pkprf := PRFskprf (0) ∅ Coins: a set of coin commitments, initially return pkprf SpentCoins: set of spent serial numbers, initially ∅ Mint: On input (mint, $val), Mint: Upon receiving (mint, $val,s) from some party P, sample a commitment randomness s := ($ ) coin Comms val coin := Comms($val) (P, ) ∈/ assert coin Coins store (s, $val, coin) in Wallet assert [P] ≥ $ ledger val send (mint, $val,s) to G(Blockchaincash) [P]:= [P] − $ ledger ledger val Pour (as sender): On input (pour, $val1, $val2, P1, P2, $val1, add (P, coin) to Coins $val2), Pour: Anonymous receive (pour,π,{sni, Pi, coini, cti}i∈{1,2}}) assert $val1 +$val2 =$val1 +$val2 let MT be a merkle tree built over Coins for i ∈{1, 2}, assert (si, $vali, coini) ∈ Wallet for some statement := (MT.root, {sni, Pi, coini}i∈{1,2}) (si, coini) . (L ,π, ) assert NIZK Verify POUR statement let MT be a merkle tree over Blockchaincash.Coins for i ∈{1, 2}, for i ∈{1, 2}: assert sni ∈/ SpentCoins remove one (si, $vali, coini) from Wallet (P , ) ∈/ assert i coini Coins sni := PRFskprf (Pcoini) add sni to SpentCoins let branchi be the branch of (P, coini) in MT add (Pi, coini) to Coins sample randomness si,ri send (pour, coini, cti) to Pi, i :=  ($ i) coin Commsi val Relation (statement, witness) ∈LPOUR is defined as: cti := ENC(Pi.epk,ri, $valisi) := ( . , { i, Pi, } ) parse statement as (MT.root, {sni, Pi, coini}i∈{1,2}) statement MT root sn coini i∈{1,2} := (P, , { ,s , $ ,s ,r , $ }) parse witness as (P, skprf, {branchi,si, $vali,si,ri, $vali}) witness skprf branchi i vali i i vali π := . (L , , ) assert P.pkprf = PRFskprf (0) NIZK Prove POUR statement witness assert $val1 +$val2 =$val1 +$val2 AnonSend(pour,π,{sni, Pi, coini, cti}i∈{1,2}) for i ∈{1, 2}, to G(Blockchaincash) ( , , ) coini := Comms ($vali) Pour (as recipient): On receive pour coin ct from i G( ) assert MerkleBranch(MT.root, branchi, (Pcoini)) Blockchaincash : ($ s):= ( , ) assert sni = PRFskprf (Pcoini) let val DEC esk ct ($ )= i =  ($ i) assert Comms val coin assert coin Commsi val store (s, $val, coin) in Wallet output (pour, $val) Fig. 5. UserPcash construction. A trusted setup phase generates the NIZK’s common reference string crs. For notational convenience, we omit writing the crs explicitly in the construction. The Merkle tree MT is stored on the blockchain and not computed on the fly – we omit stating this in the protocol for notational simplicity. The protocol wrapper Π(·) invokes GenNym whenever a party creates a new pseudonym.

During a pour operation, the spender P chooses two coins can be demonstrated by a Merkle branch consistent with the in Coins to spend, denoted (P, coin1) and (P, coin2) where root hash, and this is done in zero-knowledge. := ($ ) i ∈{1, 2} coini Commsi vali for . The pour operation • (P, )   No double spending. Each coin coin has a cryptograph- pays val1 and val2 amount to two output pseudonyms denoted ically unique serial number sn that can be computed as P P + =  +  1 and 2 respectively, such that val1 val2 val1 val2. a pseudorandom function of P’s secret key and coin.To s i ∈{1, 2} The spender chooses new randomness i for , and pour a coin, its serial number sn must be disclosed, and a computes the output coins as zero-knowledge proof given to show the correctness of sn.    Blockchaincash checks that no sn is used twice. Pi, i :=  ($ ) coin Commsi vali • Money conservation. The zero-knowledge proof also attests   The spender gives the values si and vali to the recipient Pi to the fact that the input coins and the output coins have for Pi to be able to spend the coins later. equal total value. Now, the spender computes a zero-knowledge proof to show We make some remarks about the security of the scheme. that the output coins are constructed appropriately, where Intuitively, when an honest party pours to an honest party, correctness compasses the following aspects: the adversary A does not learn the values of the output • Existence of coins being spent. The coins being spent coins assuming that the commitment scheme Comm is hiding, (P, coin1) and (P, coin2) are indeed part of the private pool and the NIZK scheme we employ is computational zero- Coins. We remark that here the zero-knowledge property knowledge. The adversary A can observe the nyms that receive allows the spender to hide which coins it is spending – this the two output coins. However, as we remarked earlier, since is the key idea behind transactional privacy. these nyms can be one-time, leaking them to the adversary To prove this efficiently, Blockchaincash maintains a Merkle would be okay. Essentially we only need to break linkability tree MT over the private pool Coins. Membership in the set at spend time to ensure transactional privacy.

847

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. Protocol UserPhawk(PM, {Pi}i∈[N],T1,T2,φpriv,φpub) Blockchainhawk(PM, {Pi}i∈[N],T1,T2,φpriv,φpub) Init: Call UserPcash.Init. Init: See IdealPhawk for description of parameters Call Blockchaincash.Init. Protocol for a party P∈{Pi}i∈[N]: Freeze: Upon receiving (freeze,π,sni, cmi) from Pi: Freeze: On input (freeze, $val, in) as party P: T ≤ T assert current time 1 assert current time T

add sni to SpentCoins and store cmi for later sn := PRFskprf (Pcoin) Compute: Upon receiving (compute,π,ct) from Pi: let branch be the branch of (P, coin) in MT T ≤ T

Fig. 6. Blockchainhawk and UserPhawk construction.

848

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. When a corrupted party P∗ pours to an honest party P,even would make any aborts evident such that the contract can though the adversary knows the opening of the coin, it cannot financially punish an aborting user. spend the coin (P, coin) once the transaction takes effect by After obtaining the openings, the manager now computes ∗  the Blockchaincash, since P cannot demonstrate knowledge the payout distribution {vali}i∈[n] and public output out by of P’s secret key. We stress that since the contract binds the applying the private contract φpriv. The manager also constructs owner’s nym P to the coin, only the owner can spend it even a zero-knowledge proof attesting to the outcomes. when the opening of coin is disclosed. Finalize. When the manager submits the outcome of φpriv Technical subtleties. Our Blockchaincash uses a modified ver- and a zero-knowledge proof of correctness to Blockchainhawk, sion of Zerocash to achieve stronger security in the simulation Blockchainhawk verifies the proof and redistributes the frozen paradigm. In comparison, Zerocash adopts a strictly weaker, money accordingly. Here Blockchainhawk also passes the man- indistinguishability-based privacy notion called ledger indis- ager’s public input inM and public output out to the public tinguishability. In multi-party protocols, indistinguishability- Hawk contract φpub. The public contract φpub can be invoked based security notions are strictly weaker than simulation to check the validity of the manager’s input, as well as security. Not only so, the particular ledger indistinguishability redistribute public collateral deposit. notion adopted by Zerocash [11] appears subtly questionable Theorem 1. Assuming that the hash function in the Merkle upon scrutiny, which we elaborate on in the online ver- tree is collision resistant, the commitment scheme Comm sion [37]. This does not imply that the Zerocash construction is perfectly binding and computationally hiding, the NIZK is necessarily insecure – however, there is no obvious path scheme is computationally zero-knowledge and simulation to proving their scheme secure under a simulation based sound extractable, the encryption schemes ENC and SENC paradigm. are perfectly correct and semantically secure, the PRF scheme B. Binding Privacy and Programmable Logic PRF is secure, then, our protocols in Figures 5 and 6 securely So far, Blockchaincash, similar to Zerocash [11], only sup- emulates the ideal functionality F(IdealPhawk) against a ma- ports direct money transfers between users. We allow transac- licious adversary in the static corruption model. tional privacy and programmable logic simutaneously. Proof. Deferred to our online version [37]. Freeze. We support a new operation called freeze, that does not spend directly to a user, but commits the money as well C. Extensions and Discussions as an accompanying private input to a smart contract. This is Refunding frozen coins to users. In our implementation, done using a pour-like protocol: we extend our basic scheme to allow the users to reclaim • The user P chooses a private coin (P, coin) ∈ Coins, where their frozen money after a timeout T3 >T2. To achieve this, coin := Comms($val). Using its secret key, P computes the user P simply sends the contract a newly constructed coin serial number sn for coin – to be disclosed with the freeze (P, coin := Comms($val)) and proves in zero-knowledge that operation to prevent double-spending. its value $val is equal to that of the frozen coin. In this case, the user can identify the previously frozen coin in the clear, • The user P computes a commitment (val||in||k) to the i.e., there is no need to compute a zero-knowledge proof of contract where in denotes its input, and k is a symmetric membership within the frozen pool as is needed in a pour encryption key that is introduced due to a practical opti- transaction. mization explained later in Section V. Instantiating the manager with trusted hardware. In some P • The user now makes a zero-knowledge proof attesting to applications, it may be a good idea to instantiate the manager similar statements as in a pour operation, i.e., that the spent using trusted hardware such as the emerging Intel SGX. In this coin exists in the pool Coins, the sn is correctly constructed, case, the off-chain computation can take place in a secret SGX and that the val committed to the contract equals the value enclave that is not visible to any untrusted software or users. L of the coin being spent. See FREEZE in Figure 6 for details Alternatively, in principle, the manager role can also be split of the NP statement being proven. into two or more parties that jointly run a secure computation Compute. Next, computation takes place off-chain to compute protocol – although this approach is likely to incur higher  the payout distribution {vali}i∈[n] and a proof of correctness. overhead. In Hawk, we rely on a minimally trusted manager PM to We stress that our model is fundamentally different from perform computation. All parties would open their inputs to placing full trust in any centralized node. Trusted hardware the manager PM, and this is done by encrypting the opening cannot serve as a replacement of the blockchain. Any off- to the manager’s public key: chain only protocol that does not interact with the blockchain  cannot offer financial fairness in the presence of aborts – even ct := ENC(PM.epk,r,($valinks )) when trusted hardware is employed. The ciphertext ct is submitted to the smart contract along with Furthermore, even the use of SGX does not obviate the need appropriate zero-knowledge proofs of correctness. While the for our cryptographic protocol. If the SGX is trusted only by user can also directly send the opening to the manager off- a subset of parties (e.g., just the parties to a particular private chain, passing the ciphertext ct through the smart contract contact), rather than globally, then those users can benefit from

849

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. the efficiency of an SGX-managed private contract, while still B. Practical Considerations utilizing the more widely trusted underlying currency. Efficient SNARK circuits. A SNARK prover’s performance Pouring anonymously to long-lived pseudonyms. In our is mainly determined by the number of multiplication gates basic formalism of IdealPcash, the pour operation discloses in the algebraic circuit to be proven [12], [49]. To achieve the recipient’s pseudonyms to the adversary. This means that efficiency, we designed optimized circuits through two ways: IdealPcash only retains full privacy if the recipient generates 1) using cryptographic primitives that are SNARK-friendly, a fresh, new pseudonym every time. In comparison, Zero- i.e. efficiently realizable as arithmetic circuits under a specific cash [11] provides an option of anonymously spending to a SNARK parametrization. 2) Building customized circuit gen- long-lived pseudonym (in other words, having IdealPcash not erators to produce SNARK-friendly implementations instead reveal recipients’ pseudonyms to the adversary). of relying on compilers to translate higher level implementa- It would be straightforward to add this feature to Hawk as tion. well (at the cost of a constant factor blowup in performance); The main cryptographic building blocks in our system are: however, in most applications (e.g., a payment made after collision-resistant hash function for the Merkle trees, pseudo- receiving an invoice), the transfer is subsequent to some random function, commitment, and encryption. Our imple- interaction between the recipient and sender. mentation supports both 80-bit and 112-bit security levels. To Open enrollment of pseudonyms. In our current formalism, instantiate the CRH efficiently, we use an Ajtai-based SNARK- parties’ pseudonyms are hardcoded and known a priori. We can friendly collision-resistant hash function that is similar to the easily relax this to allow open enrollment of any pseudonym one used by Ben-Sasson et al. [14]. In our implementation, the q that joins the contract (e.g., in an auction). Our implementation modulus is set to be the underlying SNARK implementation d supports open enrollment. Due to SNARK’s preprocessing, 254-bit field prime, and the dimension is set to 3 for the 80- right now, each contract instance must declare an upper- bit security level, and to 4 for the 112-bit security level based bound on the number of participants. An enrollment fee on the analysis in [38]. For PRFs and commitments, we use can potentially be adopted to prevent a DoS attack where a hand-optimized implementation of SHA-256. Furthermore, the attacker joins the contract with many pseudonyms thus we adopt the SNARK-friendly primitives for encryption used preventing legitimate users from joining. How to choose the in the study by Kosba et al. [38], in which an efficient circuit correct fee amount to achieve incentive compatibility is left as for hybrid encryption in the case of 80-bit security level was an open research challenge. The a priori upper bound on the proposed. The circuit performs the public key operations in a F μ number of participants can be avoided if we adopt recursively prime-order subgroup of the Galois field extension p , where μ =4 p composable SNARKs [18], [25] or alternative proofs that do , is the underlying SNARK field prime (typically 254- pμ not require circuit-dependent setup [16]. bit prime, i.e. is over 1000-bit ), and the prime order of the subgroup used is 398-bit prime. This was originally inspired by Pinocchio coin [26]. The circuit then applies a lightweight V. A DOPTING SNARKSINUC PROTOCOLS AND cipher like Speck [10] or Chaskey-LTS [47] with a 128-bit key PRACTICAL OPTIMIZATIONS to perform symmetric encryption in the CBC mode, as using the standard AES-128 instead will result in a much higher A. Using SNARKs in UC Protocols cost [38]. For the 112-bit security, using the same method for Succinct Non-interactive ARguments of Knowledge [12], public key operations requires intensive factorization to find [33], [49] provide succinct proofs for general computation suitable parameters, therefore we use a manually optimized tasks, and have been implemented by several systems [12], RSA-OAEP encryption circuit with a 2048-bit key instead. [49], [56]. We would like to use SNARKs to instantiate the In the next section, we will illustrate how using SNARK- × NIZK proofs in our protocols — unfortunately, SNARK’s friendly implementations can lead to 2.0-3.7 savings in the security is too weak to be directly employed in UC protocols. size of the circuits at the 80-bit security level, compared to Specifically, SNARK’s knowledge extractor is non-blackbox the case when naive straightforward implementation are used. and cannot be used by the UC simulator to extract witnesses We will also illustrate that the performance is also practical from statements sent by the adversary and environment — in the higher security level case. doing so would require that the extractor be aware of the Optimizations for finalize. In addition to the SNARK- environment’s algorithm, which is inherently incompatible friendly optimizations, we focus on optimizing the O(N)- with UC security. sized finalize circuit since this is our main performance UC protocols often require the NIZKs to have simulation bottleneck. All other SNARK proofs in our scheme are for O(1) extractability. Although SNARKs do not satisfy simulation -sized circuits. Two key observations allow us to greatly extractability, Kosba et al. show that it is possible to apply improve the performance of the proof generation during efficient SNARK-lifting transformations to construct simula- finalize. tion extractable proofs from SNARKs [38]. Our implementa- Optimization 1: Minimize SSE-secure NIZKs. First, we ob- tions thus adopt the efficient SNARK-lifting transformations serve that in our proof, the simulator need not extract any new proposed by Kosba et al. [38]. witnesses when a corrupted manager submits proofs during a

850

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. T/F? finalize operation. All witnesses necessary will have been learned or extracted by the simulator at this point. Therefore, Program Compile Augment Balance.. we can employ an ordinary SNARK instead of a stronger Φpriv Check simulation sound extractable NIZK during finalize.For .. freeze and compute, we still use the stronger NIZK. This Comm Comm optimization reduces our SNARK circuit sizes by 1.5× as can Private Input Enc Enc be inferred from Figure 9 of Section VI, after SNARK-friendly Private inCoin Values Private outCoin Values .. optimizations are applied. Symmetric Enc Key Comm Comm Optimization 2: Minimize public-key encryption in SNARKs. Public statement (seen by contract) Second, during finalize, the manager encrypts each party randomness To Libsnark Pi’s output coins to Pi’s key, resulting in a ciphertext cti. Fig. 7. Compiler overview. Circuit augmentation for finalize. The ciphertexts {cti}i∈[N] would then be submitted to the contract along with appropriate SNARK proofs of correctness. Here, if a public-key encryption is employed to generate VI. IMPLEMENTATION AND EVALUATION the cti’s, it would result in relatively large SNARK circuit A. Compiler Implementation size. Instead, we rely on a symmetric-key encryption scheme Our compiler consists of several steps, which we illustrate denoted SENC in Figure 6. This requires that the manager in Figure 7 and describe below: and each Pi perform a key exchange to establish a symmetric Preprocessing: First, the input Hawk program is split into its key ki. During an compute, the user encrypts this ki to the public contract and private contract components. The public manager’s public key PM.epk, and prove that the k encrypted contract is Serpent code, and can be executed directly atop is consistent with the k committed to earlier in cmi. The an ordinary cryptocurrency platform such as Ethereum. The SNARK proof during finalize now only needs to include private contract is written in a subset of the C language, commitments and symmetric encryptions instead of public key and is passed as input to the Pinocchio arithmetic circuit encryptions in the circuit – the latter much more expensive. compiler [49]. Keywords such as HawkDeclareParties are This second optimization additionally gains us a factor of implemented as C preprocessors macros, and serve to de- 1.9× as shown in Figure 9 of Section VI after applying the fine the input (Inp) and output (Outp) datatypes. Currently, previous optimizations. Overall, all optimizations will lead to our private contract inherits the limitations of the Pinocchio a gain of more than 10× in the finalize circuit. compiler, e.g., cannot support dynamic-length loops. In the Remarks about the common reference string. SNARK future, we can relax these limitations by employing recursively schemes require the generation of a common reference string composition of SNARKs. (CRS) during a pre-processing step. This common reference Circuit Augmentation: After compiling the preprocessed pri- string consists of an evaluation key for the prover, and a vate contract code with Pinocchio, we have an arithmetic verification key for the verifier. Unless we employ recursively circuit representing the input/output relation φpriv. This be- composed SNARKs [18], [25] whose costs are significantly comes a subcomponent of a larger arithmetic circuit, which we higher, the evaluation key is circuit-dependent, and its size assemble using a customized circuit assembly tool. This tool is proportional to the circuit’s size. In comparison, the is parameterized by the number of parties and the input/output verification key is O(|in| + |out|) in size, i.e., depends on datatypes, and attaches cryptographic constraints, such as the total length of inputs and outputs, but independent of the computing commitments and encryptions over each party’s circuit size. We stress that only the verification key portion of output value, and asserting that the input and output values the CRS needs to be included in the public contract that lives satisfy the balance property. on the blockchain. Cryptographic Protocol: Finally, the augmented arithmetic We remark that the CRS for protocol UserP is shared cash circuit is used as input to a state-of-the-art zkSNARK library, globally, and can be generated in a one-time setup. In com- Libsnark [15]. To avoid implementing SNARK verification parison, the CRS for each Hawk contract would depend in Ethereum’s Serpent language, we must add a SNARK on the Hawk contract, and therefore exists per instance of verification opcode to Ethereum’s stack machine. We finally Hawk contract. To minimize the trust necessary in the CRS compile an executable program for the parties to compute the generation, one can employ either trusted hardware or use Libsnark proofs according to our protocol. secure multi-party computation techniques as described by Ben-Sasson et al. [13]. B. Additional Examples Finally, in the future when new primitives become suffi- Besides our running example of a sealed-bid auction (Fig- ciently fast, it is possible to drop-in and replace our SNARKs ure 2), we implemented several other examples in Hawk, with other primtives that do not require per-circuit preprocess- demonstrating various capabilities: ing. Examples include recursively composed SNARKs [18], Crowdfunding: A Kickstarter-style crowdfunding campaign, [25] or other efficient PCP constructions [16]. The commu- (also known as an assurance contract in economics litera- nity’s efforts at optimizing these constructions are underway. ture [9]) overcomes the “free-rider problem,” allowing a large

851

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. TABLE I TABLE II Performance of the zk-SNARK circuits for the user-side circuits: pour, Performance of the zk-SNARK circuits for the manager circuit freeze AND compute (SAME FOR ALL APPLICATIONS). MUL denotes finalize for different applications. The manager circuits are the same multiple (4) cores, and ONE denotes a single core. The mint operation does for both security levels. MUL denotes multiple (4) cores, and ONE denotes a not involve any SNARKs, and can be computed within tens of single core. microseconds. The Proof includes any additional cryptographic material used for the SNARK-lifting transformation. swap rps auction crowdfund #Parties 80-bit security 112-bit security 2 2 10 100 10 100 pour freeze compute pour freeze compute KeyGen(s)MUL 8.6 8.0 32.3 300.4 32.16 298.1 ONE KeyGen(s)MUL 26.3 18.2 15.9 36.7 30.5 34.6 27.8 24.9 124 996.3 124.4 976.5 ( ) MUL ONE 88.2 63.3 54.42 137.2 111.1 131.8 Prove s 3.2 3.1 15.4 169.3 15.2 169.2 ONE Prove(s) MUL 12.4 8.4 9.3 18.5 15.7 16.8 7.6 7.4 40.1 384.2 40.3 377.5 ( ) ONE 27.5 20.7 22.5 42.2 40.5 41.7 Verify ms 8.4 8.4 10 19.9 10 19.8 ( ) Verify ms 9.7 9.1 10.0 9.9 9.3 9.9 EvalKey(GB) 0.04 0.04 0.21 1.92 0.21 1.91 ( ) EvalKey(MB) 148 106 90 236 189 224 VerKey KB 3.3 2.9 12.9 113.8 12.9 113.8 ( ) VerKey(KB) 7.3 4.4 7.8 8.7 5.3 8.4 Proof KB 0.28 0.28 0.28 0.28 0.28 0.28 ( ) Proof(KB) 0.68 0.68 0.68 0.71 0.71 0.71 Stmt KB 0.22 0.2 1.03 9.47 1.03 9.47 Stmt(KB) 0.48 0.16 0.53 0.57 0.19 0.53

Naïve SNARK-friendly Impl. 2.3x number of parties to contribute funds towards some social 1.5 good. If the minimum donation target is reached before the 2.6x deadline, then the donations are transferred to a designated 1 party (the entrepreneur); otherwise, the donations are refunded. 2.0x Hawk preserves privacy in the following sense: a) the do- 1.0x 1.0x nations pledged are kept private until the deadline; and b) 0.5 1.0x if the contract fails, only the manager learns the amount by which the donations were insufficient. These privacy properties Number of mul gates (x 1 million) 0 may conceivably have a positive effect on the willingness pour freeze compute of entrepreneurs to launch a crowdfund campaign and its Fig. 8. Gains of using SNARK-friendly implementation for the user-side likelihood of success. circuits: pour, freeze and compute at 80-bit security. Rock Paper Scissors: A two-player lottery game, and natu- rally generalized to an N-player version. Our Hawk imple- present results for both 80-bit and 112-bit security levels. Our mentation provides the same notion of financial fairness as benchmarks actually consume at most 27GB of memory and 4 in [7], [17] and provides stronger security/privacy guarantees. cores in the most expensive case. Tables I and II illustrate the If any party (including the manager), cheats or aborts, the results – we focus on evaluating the zk-SNARK performance remaining honest parties receive the maximum amount they since all other computation time is negligible in comparison. might have won otherwise. Furthermore, we go beyond prior We highlight some important observations: works [7], [17] by concealing the players’ moves and the pseudonym of the winner to everyone except the manager. • On-chain computation (dominated by zk-SNARK verifica- tion time) is very small in all cases, ranging from 9to20 “Swap” Financial Instrument: An individual with a risky milliseconds The running time of the verification algorithm investment portfolio (e.g, one who owns a large number of ) may hedge his risks by purchasing insurance Naïve 10.5x (e.g., by effectively betting against the price of Bitcoin with 80 SNARK-friendly Impl. another individual). Our example implements a simple swap With Opt 1 instrument where the price of a stock at some future date 60 With Opt 2 (overall) (as reported by a trusted authority specified in the public contract) determines which of two parties receives a payout. 10.5x The private contract ensures the privacy of both the details of 40 the agreement (i.e., the price threshold) and the outcome. 2.8x 10.5x Hawk 20 1.9x The full programs for these examples are provided in 2.8x 2.8x 1.9x 1.0x our online version [37]. 1.9x Number of mul gates (x 1 million) 1.0x 1.0x 0 C. Performance Evaluation Auction (25) Auction (50) Auction (100) We evaluated the performance for various examples, using Fig. 9. Gains after adding each optimization to the finalize auction an Amazon EC2 r3.8xlarge virtual machine. We assume circuit, with 25, 50 and 100 Bidders. Opt 1 and Opt 2 are two practical a maximum of 264 leaves for the Merkle trees, and we optimizations detailed in Section V.

852

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. is just linearly dependent on the size of the public statement, TABLE III which is far smaller than the size of the computation, Additional theoretical results for fair MPC with public deposits. The table assumes that N parties wish to securely compute 1 bit of output that resulting into small verification time. will be revealed to all parties at the end. For collateral, we assume that each aborting party must pay all honest parties 1 unit of currency. • On-chain public parameters: As mentioned in Sec- tion IV-C, not the entire SNARK common reference string generic claim-or-refund [17] multi-lock [40] (CRS) need to be on the blockchain, but only the verification blockchain key part of the CRS needs to be on-chain. Our imple- On-chain cost O(N 2) O(N 2) O(N) mentation suggests the following: the private cash protocol # rounds O(N) O(1) O(1) requires a verification key of 23KB to be stored on-chain – Total collateral O(N 2) O(N 2) O(N2) this verification key is globally shared and there is only a single instance. Besides the globally shared public param- blockchain trusted for correctness and availability (but not eters, each Hawk contract will additionally require 13-114 for privacy), an interesting notion of fairness which we refer KB of verification key to be stored on-chain, for 10 to 100 to as “financial fairness” can be attained as shown by recent users. This per-contract verification key is circuit-dependent, works [7], [17], [40]. In particular, the blockchain can finan- i.e., depends on the contract program. We refer the readers cially penalize aborting parties by confiscating their deposits. to Section IV-C for more discussions on techniques for Earlier works in this space [7], [17], [40], [50] focus on performing trusted setup. protocols that retrofit the artifacts of Bitcoin’s limited scripting • Manager computation: Running private auction or crowd- language. Specifically, a few works use Bitcoin’s scripting funding protocols with 100 participants requires under language to construct intermediate abstractions such as “claim- 6.5min proof time for the manager on a single core, and or-refund” [17] or “multi-lock” [40], and build atop these under 2.85min on 4 cores. This translates to under $0.14 of abstractions to construct protocols. Table VII shows that by EC2 time [2]. assuming a generic blockchain model where the blockchain • User computation: Users’ proof times for pour, freeze can run Turing-complete programs, we can improve the effi- and compute are under one minute, and independent of the ciency of financially fair MPC protocols. number of parties. Additionally, in the worst case, the peak Fair MPC with private deposits. We further illustrate how to memory usage of the user is less than 4 GB. perform financially fair MPC using private deposits, i.e., where Savings from protocol optimizations. Figure 8 illustrates the amount of deposits cannot be observed by the public. The the performance gains attained by using a SNARK-friendly formal definitions, constructions, and proofs are supplied in implementation for the user-side circuits, i.e. pour, freeze the online version [37]. and compute w.r.t. the naive implementation at the 80-bit security level. We calculate the naive implementation cost ACKNOWLEDGMENTS using conservative estimates for the straightforward implemen- We gratefully acknowledge Jonathan Katz, Rafael Pass, tation of standard cryptographic primitives. The figure shows a and abhi shelat for helpful technical discussions about the gain of 2.0-2.6× compared to the naive implementation. Fur- zero-knowledge proof constructions. We also acknowledge thermore, Figure 9 illustrates the performance gains attained Ari Juels and Dawn Song for general discussions about by our protocol optimizations described in Section V The cryptocurrency smart contracts. This research is partially sup- figure considers the sealed-bid auction finalize circuit at dif- ported by NSF grants CNS-1314857, CNS-1445887, CNS- ferent number of bidders. We show that the SNARK-friendly 1518765, CNS-1514261, CNS-1526950, a Sloan Fellowship, implementation along with our two optimizations combined three Google Research Awards, Yahoo! Labs through the significantly reduce the SNARK circuit sizes, and achieve a Faculty Research Engagement Program (FREP) and a NIST gain of 10× relative to a straightforward implementation. The award. figure also illustrates that the manager’s cost is proportional to the number of participants. (By contrast, the user-side costs REFERENCES are independent of the number of participants). [1] http://koinify.com. VII. ADDITIONAL THEORETICAL RESULTS [2] Amazon ec2 pricing. http://aws.amazon.com/ec2/pricing/. Last but not the least, we present additional theoretical [3] Augur. http://www.augur.net/. [4] bitoinj. https://bitcoinj.github.io/. results to fruther illustrate the usefulness of our formal block- [5] The rise and rise of bitcoin. Documentary. chain model. In the interest of space, we defer details to the [6] Skuchain. http://www.skuchain.com/. online version [37], and only state the main findings here. [7] M. Andrychowicz, S. Dziembowski, D. Malinowski, and L. Mazurek. Secure Multiparty Computations on Bitcoin. In S&P, 2013. Fair MPC with public deposits in the generic blockchain [8] G. Asharov, A. Beimel, N. Makriyannis, and E. Omri. Complete model. As is well-understood, fairness is in general impossible characterization of fairness in secure two-party computation of boolean in plain models of multi-party computation when the majority functions. In TCC, 2015. [9] M. Bagnoli and B. L. Lipman. Provision of public goods: Fully can be corrupted. This was first observed by Cleve [24] implementing the core through private contributions. The Review of and later extended in subsequent papers [8]. Assuming a Economic Studies, 1989.

853

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. [10] R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and [41] C. Liu, X. S. Wang, K. Nayak, Y. Huang, and E. Shi. ObliVM: A L. Wingers. The simon and speck families of lightweight block ciphers. programming framework for secure computation. In S&P, 2015. http://ia.cr/2013/404. [42] S. Meiklejohn, M. Pomarole, G. Jordan, K. Levchenko, D. McCoy, G. M. [11] E. Ben-Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, Voelker, and S. Savage. A fistful of bitcoins: characterizing payments and M. Virza. Zerocash: Decentralized anonymous payments from among men with no names. In IMC, 2013. Bitcoin. In S&P, 2014. [43] I. Miers, C. Garman, M. Green, and A. D. Rubin. Zerocoin: Anonymous [12] E. Ben-Sasson, A. Chiesa, D. Genkin, E. Tromer, and M. Virza. Snarks Distributed E-Cash from Bitcoin. In S&P, 2013. for C: verifying program executions succinctly and in zero knowledge. [44] A. Miller, M. Hicks, J. Katz, and E. Shi. Authenticated data structures, In CRYPTO, 2013. generically. In POPL, 2014. [13] E. Ben-Sasson, A. Chiesa, M. Green, E. Tromer, and M. Virza. Secure [45] A. Miller and J. J. LaViola Jr. Anonymous Byzantine Consensus from sampling of public parameters for succinct zero knowledge proofs. In Moderately-Hard Puzzles: A Model for Bitcoin, 2014. S&P, 2015. [46] M. S. Miller, C. Morningstar, and B. Frantz. Capability-based financial [14] E. Ben-Sasson, A. Chiesa, E. Tromer, and M. Virza. Scalable zero instruments. In FC, 2001. knowledge via cycles of elliptic curves. In CRYPTO, 2014. [47] N. Mouha, B. Mennink, A. Van Herrewege, D. Watanabe, B. Preneel, [15] E. Ben-Sasson, A. Chiesa, E. Tromer, and M. Virza. Succinct non- and I. Verbauwhede. Chaskey: An efficient mac algorithm for 32-bit interactive zero knowledge for a von neumann architecture. In Security, microcontrollers. In Selected Areas in Cryptography–SAC 2014, pages 2014. 306–323. Springer, 2014. [16] E. Ben-Sasson and M. Sudan. Short pcps with polylog query complexity. [48] S. Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System. http: SIAM J. Comput., 2008. //bitcoin.org/bitcoin.pdf, 2009. [17] I. Bentov and R. Kumaresan. How to Use Bitcoin to Design Fair [49] B. Parno, C. Gentry, J. Howell, and M. Raykova. Pinocchio: Nearly Protocols. In CRYPTO, 2014. practical verifiable computation. In S&P, 2013. [18] N. Bitansky, R. Canetti, A. Chiesa, and E. Tromer. Recursive compo- [50] R. Pass and abhi shelat. Micropayments for peer-to-peer currencies. In sition and bootstrapping for snarks and proof-carrying data. In STOC, CCS, 2015. 2013. [51] A. Rastogi, M. A. Hammer, and M. Hicks. Wysteria: A programming [19] D. Bogdanov, S. Laur, and J. Willemson. Sharemind: A Framework for language for generic, mixed-mode multiparty computations. In S&P, Fast Privacy-Preserving Computations. In ESORICS. 2008. 2014. [20] J. Bonneau, A. Miller, J. Clark, A. Narayanan, J. A. Kroll, and [52] D. Ron and A. Shamir. Quantitative Analysis of the Full Bitcoin E. W. Felten. Research Perspectives and Challenges for Bitcoin and Transaction Graph. In FC, 2013. Cryptocurrencies. In S&P, 2015. [53] N. Szabo. Formalizing and securing relationships on public networks. [21] R. Canetti. Universally composable security: A new paradigm for First Monday, 1997. cryptographic protocols. In FOCS, 2001. [54] N. van Saberhagen. v 2.0. https://goo.gl/kfojVZ, 2013. [22] R. Canetti. Universally composable signature, certification, and authen- [55] W. Vickrey. Counterspeculation, auctions, and competitive sealed tication. In CSF, 2004. tenders. Journal of finance, 1961. [23] R. Canetti, Y. Dodis, R. Pass, and S. Walfish. Universally composable [56] R. S. Wahby, S. T. V. Setty, Z. Ren, A. J. Blumberg, and M. Walfish. security with global setup. In TCC. 2007. Efficient RAM and control flow in verifiable outsourced computation. [24] R. Cleve. Limits on the security of coin flips when half the processors In NDSS, 2015. are faulty. In STOC, 1986. [57] G. Wood. Ethereum: A secure decentralized transaction ledger. http: [25] C. Costello, C. Fournet, J. Howell, M. Kohlweiss, B. Kreuter, //gavwood.com/paper.pdf. M. Naehrig, B. Parno, and S. Zahur. Geppetto: Versatile verifiable [58] L. Zheng, S. Chong, A. C. Myers, and S. Zdancewic. Using replication computation. In S&P, 2015. and partitioning to build secure distributed systems. In S&P, 2003. [26] G. Danezis, C. Fournet, M. Kohlweiss, and B. Parno. Pinocchio Coin: [59] G. Zyskind, O. Nathan, and A. Pentland. Enigma: Decentralized building Zerocoin from a succinct pairing-based proof system. In computation platform with guaranteed privacy. PETShop, 2013. [27] C. Decker and R. Wattenhofer. Bitcoin transaction malleability and mtgox. In ESORICS. Springer, 2014. APPENDIX A [28] A. K. R. Dermody and O. Slama. announcement. https: FREQUENTLY ASKED QUESTIONS //bitcointalk.org/index.php?topic=395761.0. [29] I. Eyal and E. G. Sirer. Majority is not enough: Bitcoin mining is we address frequently asked questions. Some of this con- vulnerable. In FC, 2014. [30] C. Fournet, M. Kohlweiss, G. Danezis, and Z. Luo. Zql: A compiler for tent repeats what is already stated earlier, but we hope that privacy-preserving data processing. In USENIX Security, 2013. addressing these points again in a centralized section will help [31] M. Fredrikson and B. Livshits. Zø: An optimizing distributing zero- reiterate some important points that may be missed by a reader. knowledge compiler. In USENIX Security, 2014. [32] J. A. Garay, A. Kiayias, and N. Leonardos. The bitcoin backbone protocol: Analysis and applications. In Eurocrypt, 2015. A. Motivational [33] R. Gennaro, C. Gentry, B. Parno, and M. Raykova. Quadratic span programs and succinct NIZKs without PCPs. In Eurocrypt, 2013. “How does Hawk’s programming model differ from [34] E. Heilman, A. Kendler, A. Zohar, and S. Goldberg. Eclipse attacks on Ethereum?” Our high-level approach may be superior than bitcoin’s peer-to-peer network. In USENIX Security, 2015. [35] A. Juels, A. Kosba, and E. Shi. The ring of gyges: Using smart contracts Ethereum: Ethereum’s language defines the blockchain pro- for crime. Manuscript, 2015. gram, where Hawk allows the programmer to write a single [36] A. Kiayias, H.-S. Zhou, and V. Zikas. Fair and robust multi-party global program, and Hawk auto-generates not only the block- computation using a global transaction ledger. http://ia.cr/2015/574. chain program, but also the protocols for users. [37] A. Kosba, A. Miller, E. Shi, Z. Wen, and C. Papamanthou. Hawk: The blockchain model of cryptography and privacy-preserving smart “Why not spin off the formal blockchain modeling into contracts. http://ia.cr/2015/675. a separate paper?” The blockchain formal model could be [38] A. Kosba, Z. Zhao, A. Miller, H. Chan, C. Papamanthou, R. Pass, abhi shelat, and E. Shi. How to use snarks in universally composable presented on its own, but we gain evidence of its usefulness protocols. https://eprint.iacr.org/2015/1093, 2015. by implementing it and applying it to interesting practical [39] B. Kreuter, B. Mood, A. Shelat, and K. Butler. PCF: A portable circuit examples. Likewise our system implementation benefits from format for scalable two-party secure computation. In Security, 2013. [40] R. Kumaresan and I. Bentov. How to Use Bitcoin to Incentivize Correct the formalism because we can use our framework to provide Computations. In CCS, 2014. provable security.

854

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. B. Technical refund operation after a timeout. Second, our model captures “SNARKs do not offer simulation extractability required the role of a blockchain as a party trusted for correctness and for UC.” See Section V-A as well as Kosba et al. [38]. availability but not for privacy. Third, our formalism modular- izes our notations by factoring out common specifics related SNARK’s common reference string. See discussions in to the smart contract execution model, and implementing these Section V-B. in central wrappers. P P “Why are the recipient pseudonyms 1 and 2 revealed For simplicity, we assume that there can be any number to the adversary? And what about Zerocash’s persistent of identities in the system, and that they are fixed a priori. addresses feature?” See discussions in Section IV-C. It is easy to extend our model to capture registration of new “Isn’t the manager a trusted-third party?” No, our man- identities dynamically. We allow each identity to generate an ager is not a trusted third party. As we mention upfront arbitrary (polynomial) number of pseudonyms as in Bitcoin in Sections I-A and I-B, the manager need not be trusted and Ethereum. for correctness and input independence. Due to our use of zero-knowledge proofs, if the manager deviates from correct A. Programs, Functionalities, and Wrappers behavior, it will get caught. To make notations simple for writing ideal functionalities Further, each contract instance can choose its own manager, and smart contracts, we make a conscious notational choice of and the manager of one contract instance cannot affect the introducing wrappers. Wrappers implement in a central place security of another contract instance. Similarly, the manager a set of common features (e.g., timer, ledger, pseudonyms) that also need not be trusted to retain the security of the crypto- are applicable to all ideal functionalities and contracts in our currency as a whole. Therefore, the only thing we trust the blockchain model of execution. In this way, we can modularize manager for is posterior privacy. our notational system such that these common and tedious As mentioned in Section IV-C we note that one can possi- details need not be repeated in writing ideal, blockchain and bly rely on secure multi-party computation (MPC) to avoid user/manager programs. having to trust the manager even for posterier privacy – Blockchain functionality wrapper G: A blockchain function- however such a solution is unlikely to be practical in the ality wrapper G(B) takes in a blockchain program denoted B, near future, especially when a large number of parties are and produces a blockchain functionality. Our real world proto- involved. The thereotical formulation of this full-generality cols will be defined in the G(B)-hybrid world. Our blockchain MPC-based approach is detailed in the online version [37]. functionality wrapper is formally presented in Figure 11. We In our implementation, we made a conscious design choice point out the following important facts about the G(·) wrapper: and opted for the approach with a minimally trusted manager • Trusted for correctness and availability but not privacy. (rather than MPC), since we believe that this is a desirable The bloc kchain functionality wrapper G(·) stipulates that a sweet-spot that simultaneously attains practical efficiency and blockchain program is trusted for correctness and availabil- strong enough security for realistic applications. We stress that ity but not for privacy. In particular, the blockchain wrapper practical efficiency is an important goal of Hawk’s design. exposes the blockchain program’s internal state to any party In Section IV-C, we also discuss practical considerations that makes a query. for instantiating this manager. For the reader’s convenience, • Time and batched processing of messages. In popular de- we iterate: we think that a particularly promising choice is to centralized cryptocurrencies such as Bitcoin and Ethereum, rely on trusted hardware such as Intel SGX to obtain higher time progresses in block intervals marked by the creation assurance of posterior privacy. We stress again that even when of each new block. Intuitively, our G(·) wrapper captures we use the SGX to realize the manager, the SGX should not the following fact. In each round (i.e., block interval), the have to be trusted for retaining the global security of the blockchain program may receive multiple messages (also cryptocurrency. In particular, it is a very strong assumption to referred to as transactions in the cryptocurrency literature). require all participants to globally trust a single or a handful The order of processing these transactions is determined of SGX prcessor(s). With Hawk’s design, the SGX is only by the miner who mines the next block. In our model, we very minimally trusted, and is only trusted within the scope allow the adversary to specify an ordering of the messages of the current contract instance. collected in a round, and our blockchain program will then process the messages in this adversary-specified ordering. APPENDIX B • Rushing adversary. The blockchain wrapper G(·) naturally FORMAL TREATMENT OF PROTOCOLS IN THE captures a rushing adversary. Specifically, the adversary BLOCKCHAIN MODEL can first see all messages sent to the blockchain program We are the first to propose a UC model for the blockchain by honest parties, and then decide its own messages for model of cryptography. First, our model allows us to easily this round, as well as an ordering in which the blockchain capture the time and pseudonym features of cryptocurrencies. program should process the messages in the next round. In cryptocurrencies such as Bitcoin and Ethereum, time pro- Modeling a rushing adversary is important, since it captures gresses in block intervals, and the blockchain can query the a class of well-known front-running attacks, e.g., those that current time, and make decisions accordingly, e.g., make a exploit transaction malleability [11], [27]. For example, in

855

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. F(idealP) functionality Given an ideal program denoted idealP, the F(idealP) functionality is defined as below: Init: Upon initialization, perform the following: Time. Set current time T := 0. Set the receive queue rqueue := ∅. Pseudonyms. Set nyms := {(P1,P1),...,(PN ,PN )}, i.e., initially every party’s true identity is recorded as a default pseudonym for the party. Ledger. A ledger dictionary structure ledger[P ] stores the endowed account balance for each identity P ∈{P1,...,PN }. Before any new pseudonyms are generated, only true identities have endowed account balances. Send the array ledger[] to the ideal adversary S. idealP.Init. Run the Init procedure of the idealP program. Tick: Upon receiving tick from an honest party P : notify S of (tick, P ). If the functionality has collected tick confirmations from all honest parties since the last clock tick, then Call the Timer procedure of the idealP program. Apply the adversarial permutation perm to the rqueue to reorder the messages received in the previous round. For each (m, P¯) ∈ rqueue in the permuted order, invoke the delayed actions (in gray background) defined by ideal program idealP at the activation point named “Upon receiving message m from pseudonym P¯”. Notice that the program idealP speaks of pseudonyms instead of party identifiers. Set rqueue := ∅. Set T := T +1 Other activations: Upon receiving a message of the form (m, P¯) from a party P : Assert that (P,P¯ ) ∈ nyms. Invoke the immediate actions defined by ideal program idealP at the activation point named “Upon receiving message m from pseudonym P¯”. Queue the message by calling rqueue.add(m, P¯). Permute: Upon receiving (permute, perm) from the adversary S, record perm. GetTime: On receiving gettime from a party P , notify the adversary S of (gettime, P ), and return the current time T to party P . GenNym: Upon receiving gennym from an honest party P : Notify the adversary S of gennym. Wait for S to respond with ¯ anewnymP such that P/¯ ∈ nyms.Now,letnyms := nyms ∪{(P, P¯)}, and send P¯ to P . Upon receiving (gennym, P¯) from a corrupted party P :ifP/¯ ∈ nyms, let P¯ := nyms ∪{(P, P¯)}. Ledger operations: // inner activation ¯ ¯ Transfer: Upon receiving (transfer, amount, Pr) from some pseudonym Ps: ¯ ¯ Notify (transfer, amount, Pr, Ps) to the ideal adversary S. ¯ Assert that ledger[Ps] ≥ amount. ¯ ¯ ledger[Ps]:=ledger[Ps] − amount ¯ ¯ ledger[Pr]:=ledger[Pr]+amount ¯ ¯ /* Ps, Pr can be pseudonyms or true identities. Note that each party’s identity is a default pseudonym for the party. */ Expose: On receiving exposeledger from a party P , return ledger to the party P . Fig. 10. The F(idealP) functionality is parameterized by an ideal program denoted idealP. An ideal program idealP can specify two types of activation points, immediate activations and delayed activations. Activation points are invoked upon recipient of messages. Immediate activations are processed immediately, whereas delayed activations are collected and batch processed in the next round. The F(·) wrapper allows the ideal adversary S to specify an order perm in which the messages should be processed in the next round. For each delayed activation, we use the leak notation in an ideal program idealP to define the leakage which is immediately exposed to the ideal adversary S upon recipient of the message.

a “rock, paper, scissors” game, if inputs are sent in the as time, pseudonyms, a public ledger, and money transfers clear, an adversary can decide its input based on the other between parties. Our ideal functionality wrapper is formally party’s input. An adversary can also try to maul transactions presented in Figure 10. submitted by honest parties to potentially redirect payments Protocol wrapper Π: Our protocol wrapper allows us to to itself. Since our model captures a rushing adversary, modularize the presentation of user protocols. Our protocol we can write ideal functionalities that preclude such front- wrapper is formally presented in Figure 12. running attacks. Terminology. For disambiguation, we always refer to the Ideal functionality wrapper F: An ideal functionality user-defined portions as programs. Programs alone do not F(idealP) takes in an ideal program denoted idealP. Specif- have complete formal meanings. However, when programs ically, the wrapper F(·) part defines standard features such are wrapped with functionality wrappers (including F(·)

856

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. G(B) functionality Given a blockchain program denoted B, the G(B) functionality is defined as below: Init: Upon initialization, perform the following: A ledger data structure ledger[P¯] stores the account balance of party P¯. Send the entire balance ledger to A. Set current time T := 0. Set the receive queue rqueue := ∅. Run the Init procedure of the B program. Send the B program’s internal state to the adversary A. Tick: Upon receiving tick from an honest party, if the functionality has collected tick confirmations from all honest parties since the last clock tick, then Apply the adversarial permutation perm to the rqueue to reorder the messages received in the previous round. Call the Timer procedure of the B program. Pass the reordered messages to the B program to be processed. Set rqueue := ∅. Set T := T +1 Other activations: • Authenticated receive: Upon receiving a message (authenticated, m) from party P : Send (m, P ) to the adversary A Queue the message by calling rqueue.add(m, P ). • Pseudonymous receive: Upon receiving a message of the form (pseudonymous,m,P,σ¯ ) from any party: Send (m, P,σ¯ ) to the adversary A Parse σ := (nonce,σ), and assert Verify(P.¯ spk, (nonce,T,P.¯ epk,m),σ)=1 If message (pseudonymous,m,P,σ¯ ) has not been received earlier in this round, queue the message by calling rqueue.add(m, P¯). • Anonymous receive: Upon receiving a message (anonymous, m) from party P : Send m to the adversary A If m has not been seen before in this round, queue the message by calling rqueue.add(m). Permute: Upon receiving (permute, perm) from the adversary A, record perm. Expose: On receiving exposestate from a party P , return the functionality’s internal state to the party P . Note that this also implies that a party can query the functionality for the current time T . Ledger operations: // inner activation ¯ ¯ Transfer: Upon recipient of (transfer, amount, Pr) from some pseudonym Ps: ¯ Assert ledger[Ps] ≥ amount ¯ ¯ ledger[Ps]:=ledger[Ps] − amount ¯ ¯ ledger[Pr]:=ledger[Pr]+amount Fig. 11. The G(B) functionality is parameterized by a blockchain program denoted B. The G(·) wrapper mainly performs the following: i) exposes all of its internal states and messages received to the adversary; ii) makes the functionality time-aware: messages received in one round and queued and processed in the next round. The G(·) wrapper allows the adversary to specify an ordering to the messages received by the blockchain program in one round. and G(·)), we obtain functionalities with well-defined formal functionality in the real-world execution. On collecting “tick” meanings. Programs can also be wrapped by a protocol messages from all honeset parties, the F(idealP) or G(B) wrapper Π to obtain a full protocol with formal meanings. functionality would then advance the time T := T +1. The functionality also allows parties to query the current time T . B. Modeling Time When multiple messages arrive at the blockchain in a time At a high level, we express time in a way that conforms interval, we allow the adversary to choose a permutation to the Universal Composability framework [21]. In the ideal to specify the order in which the blockchain will process world execution, time is explicitly encoded by a variable the messages. This captures potential network attacks such T in an ideal functionality F(idealP). In the real world as delaying message propagation, and front-running attacks execution, time is explicitly encoded by a variable T in our (a.k.a. rushing attacks) where an adversary determines its own blockchain functionality G(B). Time progresses in rounds. The message after seeing what other parties send in a round. environment E has the choice of when to advance the timer. We assume the following convention: to advance the timer, C. Modeling Pseudonyms the environment E sends a “tick” message to all honest parties. We model a notion of “pseudonymity” that provides a form Honest parties’ protocols would then forward this message of privacy, similar to that provided by typical cryptocurren- to F(idealP) in the ideal-world execution, or to the G(B) cies such as Bitcoin. Any user can generate an arbitrary

857

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. Π(UserP) protocol wrapper in the G(B)-hybrid world Given a party’s local program denoted prot, the Π(prot) functionality is defined as below: Pseudonym related: E ( , ) ← (1λ) ( , ) ← GenNym: Upon receiving input gennym from the environment , generate epk esk Keygenenc , and spk ssk (1λ) := . (1λ, ( , )) := ∪{( , , )} Keygensign . Call payload prot GenNym epk spk . Store nyms nyms epk spk payload , and output (epk, spk, payload) as a new pseudonym. Send: Upon receiving internal call (send, m, P¯): If P¯ == P : send (authenticated, m)toG(B). // this is an authenticated send Else, // this is a pseudonymous send Assert that pseudonym P¯ has been recorded in nyms; Query current time T from G(B). Compute σ := Sign(ssk, (nonce,T,epk,m)) where ssk is the recorded secret signing key corresponding to P¯, nonce is a freshly generated random string, and epk is the recorded public encryption key corresponding to P¯. Let σ := (nonce,σ). Send (pseudonymous,m,P,σ¯ ) to G(B). AnonSend: Upon receiving internal call (anonsend, m, P¯): send (anonymous, m)toG(B). Timer and ledger transfers: ¯ ¯ Transfer: Upon receiving input (transfer, $amount, Pr, P ) from the environment E: ¯ Assert that P is a previously generated pseudonym. ¯ ¯ Send transfer, $amount, Pr to G(B) as pseudonym P . Tick: Upon receiving tick from the environment E, forward the message to G(B). Other activations: Act as pseudonym: Upon receiving any input of the form (m, P¯) from the environment E: Assert that P¯ was a previously generated pseudonym. Pass (m, P¯) the party’s local program to process. Others: Upon receiving any other input from the environment E, or any other message from a party: Pass the input/message to the party’s local program to process. Fig. 12. Protocol wrapper.

(polynomially-bounded) number of pseudonyms, and each of their pseudonyms, as described above. Additionally, “anon- pseudonym is “owned” by the party who generated it. The send” allows a user to publish a message without reference to correspondence of pseudonyms to real identities is hidden any pseudonym at all. from the adversary. In spite of pseudonymity, it is sometimes desirable to assign Effectively, a pseudonym is a public key for a digital a particular user to a specific role in a blockchain program signature scheme, and the corresponding private key is known (e.g., “auction manager”). The alternative is to assign roles by the party who “owns” the pseudonym. The blockchain on a “first-come first-served” basis (e.g., as the bidders in an functionality allows parties to publish authenticated messages auction). To this end, we allow each party to define generate that are bound to a pseudonym of their choice. Thus each inter- a single “default” pseudonym which is publicly-bound to action with the blockchain program is, in general, associated their real identity. We allow applications to make use of this with a pseudonym but not to a user’s real identity. through a convenient abuse of notation, by simply using a We abstract away the details of pseudonym management party identifier as a parameter or hardcoded string. Strictly by implementing them in our wrappers. This allows user- speaking, the pseudonym string is not determined until the defined applications to be written very simply, as though “gennym” subroutine is executed; the formal interpretation is using ordinary identities, while enjoying the privacy benefits that whenever such an identity is used, the default pseudonym of pseudonymity. associated with the identity is fetched from the blockchain Our wrapper provides a user-defined hook, “gennym”, that program. (This approach is effectively the same as taken by F is invoked each time a party creates a pseudonym. This Canetti [22], where a functionality CA allows each party to allows the application to define an additional per-pseudonym bind their real identity to a single public key of their choice). payload, such as application-specific public keys. From the Additional appendices are supplied in the online full ver- point-of-view of the application, this is simply an initialization sion [37]. subroutine invoked once for each participant. Our wrapper provides several means for users to communi- cate with a blockchain program. The most common way is for a user to publish an authenticated message associated with one

858

Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply.