2016 IEEE Symposium on Security and Privacy
Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts
Ahmed Kosba∗, Andrew Miller∗, Elaine Shi†, Zikai Wen†, Charalampos Papamanthou∗ ∗University of Maryland and †Cornell University {akosba, amiller}@cs.umd.edu, {rs2358, zw385}@cornell.edu, [email protected]
Abstract—Emerging smart contract systems over decentralized privacy. Such a blockchain provides a powerful abstraction for cryptocurrencies allow mutually distrustful parties to transact the design of distributed protocols. safely without trusted third parties. In the event of contrac- The blockchain’s expressive power is further enhanced by tual breaches or aborts, the decentralized blockchain ensures that honest parties obtain commensurate compensation. Existing the fact that blockchains naturally embody a discrete notion systems, however, lack transactional privacy. All transactions, of time, i.e., a clock that increments whenever a new block including flow of money between pseudonyms and amount is mined. The existence of such a trusted clock is crucial transacted, are exposed on the blockchain. for attaining financial fairness in protocols. In particular, Hawk We present , a decentralized smart contract system that malicious contractual parties may prematurely abort from a does not store financial transactions in the clear on the block- chain, thus retaining transactional privacy from the public’s view. protocol to avoid financial payment. However, with a trusted A Hawk programmer can write a private smart contract in an clock, timeouts can be employed to make such aborts evident, intuitive manner without having to implement cryptography, and such that the blockchain can financially penalize aborting our compiler automatically generates an efficient cryptographic parties by redistributing their collateral deposits to honest, protocol where contractual parties interact with the blockchain, non-aborting parties. This makes the blockchain model of using cryptographic primitives such as zero-knowledge proofs. cryptography more powerful than the traditional model without To formally define and reason about the security of our protocols, we are the first to formalize the blockchain model a blockchain where fairness is long known to be impossible of cryptography. The formal modeling is of independent interest. in general when the majority of parties can be corrupt [8], We advocate the community to adopt such a formal model when [17], [24]. In summary, blockchains allow parties mutually designing applications atop decentralized blockchains. unbeknownst to transact securely without a centrally trusted intermediary, and avoiding high legal and transactional cost. I. INTRODUCTION Despite the expressiveness and power of the blockchain and smart contracts, the present form of these technologies Decentralized cryptocurrencies such as Bitcoin [48] and alt- lacks transactional privacy. The entire sequence of actions coins [20] have rapidly gained popularity, and are often quoted taken in a smart contract are propagated across the network as a glimpse into our future [5]. These emerging cryptocur- and/or recorded on the blockchain, and therefore are publicly rency systems build atop a novel blockchain technology where visible. Even though parties can create new pseudonymous miners run distributed consensus whose security is ensured if public keys to increase their anonymity, the values of all trans- no adversary wields a large fraction of the computational (or actions and balances for each (pseudonymous) public key are other forms of) resource. The terms “blockchain” and “miners” publicly visible. Further, recent works have also demonstrated are therefore often used interchangeably. deanonymization attacks by analyzing the transactional graph Blockchains like Bitcoin reach consensus not only on a structures of cryptocurrencies [42], [52]. stream of data but also on computations involving this data. In We stress that lack of privacy is a major hindrance towards Bitcoin, specifically, the data include money transfer transac- the broad adoption of decentralized smart contracts, since fi- tion proposed by users, and the computation involves transac- nancial transactions (e.g., insurance contracts or stock trading) tion validation and updating a data structure called the unspent are considered by many individuals and organizations as being transaction output set which, imprecisely speaking, keeps track highly secret. Although there has been progress in designing of users’ account balances. Newly emerging cryptocurrency privacy-preserving cryptocurrencies such as Zerocash [11] and systems such as Ethereum [57] embrace the idea of running several others [26], [43], [54], these systems forgo programma- arbitrary user-defined programs on the blockchain, thus creat- bility, and it is unclear a priori how to enable programmability ing an expressive decentralized smart contract system. without exposing transactions and data in cleartext to miners. In this paper, we consider smart contract protocols where parties interact with such a blockchain. Assuming that the A. Hawk Overview decentralized concensus protocol is secure, the blockchain can We propose Hawk, a framework for building privacy- be thought of as a conceptual party (in reality decentralized) preserving smart contracts. With Hawk,anon-specialist pro- that can be trusted for correctness and availability but not for grammer can easily write a Hawk program without having to
2375-1207/16© 2016, Ahmed $31.00 Kosba. © Under2016 IEEE license to IEEE. 839 DOI 10.1109/SP.2016.55
Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. implement any cryptography. Our Hawk compiler is in charge Protocol of compiling the program to a cryptographic protocol between Manager Blockchain the blockchain and the users. As shown in Figure 1, a Hawk program contains two parts: Coins
1) A private portion denoted φpriv which takes in parties’ input Users Data data (e.g., choices in a “rock, paper, scissors” game) as well as currency units (e.g., bids in an auction). φpriv performs computation to determine the payout distribution amongst Hawk Contract Compile the parties. For example, in an auction, winner’s bid goes to Public Ф Private Ф the seller, and others’ bids are refunded. The private Hawk pub priv program φ is meant to protect the participants’ data and Programmer priv Hawk the exchange of money. Fig. 1. overview. φ 2) A public portion denoted pub that does not touch private be equated with a trusted third party — even when the manager data or money. can deviate arbitrarily from the protocol or collude with the Our compiler will compile the Hawk program into the parties, the manager cannot affect the correct execution of following pieces which jointly define a cryptographic protocol the contract. In the event that a manager aborts the protocol, between users, the manager, and the blockchain: it can be financially penalized, and users obtain compensation • the blockchain’s program which will be executed by all accordingly. consensus nodes; The manager also need not be trusted to maintain the • a program to be executed by the users; and security or privacy of the underlying currency (e.g., it cannot • a program to be executed by a special facilitating party double-spend, inflate the currency, or deanonymize users). called the manager which will be explained shortly. Furthermore, if multiple contract instances run concurrently, Security guarantees. Hawk’s security guarantees encompass each contract may specify a different manager and the effects two aspects: of a corrupt manager are confined to that instance. Finally, the manager role may be instantiated with trusted comput- • On-chain privacy. On-chain privacy stipulates that transac- ing hardware like Intel SGX, or replaced with a multiparty tional privacy be provided against the public (i.e., against computation among the users themselves, as we describe in any party not involved in the contract) – unless the con- Section IV-C and Appendix A. tractual parties themselves voluntarily disclose information. Although in Hawk protocols, users exchange data with Terminology. In Ethereum [57], the blockchain’s portion of the blockchain, and rely on it to ensure fairness against the protocol is called an Ethereum contract. However, this Hawk aborts, the flow of money and amount transacted in the paper refers to the entire protocol defined by the program as a contract; and the blockchain’s program is a private Hawk program φpriv is cryptographically hidden from the public’s view. Informally, this is achieved by constituent of the bigger protocol. In the event that a manager sending “encrypted” information to the blockchain, and aborts the protocol, it can be financially penalized, and users relying on zero-knowledge proofs to enforce the correctness obtain compensation accordingly. of contract execution and money conservation. B. Example: Sealed Auction • Contractual security. While on-chain privacy protects con- Example program. Figure 2 shows a Hawk program for tractual parties’ privacy against the public (i.e., parties implementing a sealed, second-price auction where the highest not involved in the financial contract), contractual secu- bidder wins, but pays the second highest price. Second- rity protects parties in the same contractual agreement price auctions are known to incentivize truthful bidding under from each other. Hawk assumes that contractual parties certain assumptions, [55] and it is important that bidders act selfishly to maximize their own financial interest. In submit bids without knowing the bid of the other people. Our particular, they can arbitrarily deviate from the prescribed example auction program contains a private portion φpriv that protocol or even abort prematurely. Therefore, contractual determines the winning bidder and the price to be paid; and security is a multi-faceted notion that encompasses not only a public portion φpub that relies on public deposits to protect cryptographic notions of confidentiality and authenticity, bidders from an aborting manager. but also financial fairness in the presence of cheating and For the time being, we assume that the set of bidders are aborting behavior. The best way to understand contractual known a priori. security is through a concrete example, and we refer the Contractual security requirements. Hawk will compile this reader to Section I-B for a more detailed explanation. auction program to a cryptographic protocol. As mentioned Minimally trusted manager. The execution of Hawk con- earlier, as long as the bidders and the manager do not volun- tracts are facilitated by a special party called the manager. tarily disclose information, transaction privacy is maintained The manager can see the users’ inputs and is trusted not to against the public. Hawk also guarantees the following con- disclose users’ private data. However, the manager is NOT to tractual security requirements for parties in the contract:
840
Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. 1 HawkDeclareParties(Seller,/* N parties */); as part of the Hawk contract, that govern financial fairness. 2 HawkDeclareTimeouts(/* hardcoded timeouts */); • Security against a dishonest manager. We ensure authen- 3 // Private portion φpriv ticity against a dishonest manager: besides aborting, a dis- 4 private contract auction(Inp &in, Outp &out) { honest manager cannot affect the outcome of the auction 5 int winner = -1; 6 int bestprice = -1; and the redistribution of money, even when it colludes with 7 int secondprice = -1; a subset of the users. We stress that to ensure the above, input independent privacy against a faulty manager is a 8 for (int i=0;i
841
Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. and can be useful in general for defining and modeling the applications either atop Ethereum or by forking off Ethereum, security of protocols in the blockchain model. Our formal such as prediction markets [3], supply chain provenance [6], model has also been adopted by the Gyges work [35] in crowd-based fundraising [1], and security and derivatives designing criminal smart contracts. trading [28]. In defining for formal blockchain model, we rely on a notion Security of the blockchain. Like earlier works that design called wrappers to modularize our protocol design and to sim- smart contract applications for cryptocurrencies, we rely on the plify presentation. Wrappers handle a set of common details underlying decentralized blockchain to be secure. Therefore, such as timers, pseudonyms, global ledgers in a centralized we assume the blockchain’s consensus protocol attains security place such that they need not be repeated in every protocol. when an adversary does not wield a large fraction of the com- New cryptography suite. We implement a new cryptography putational power. Existing cryptocurrencies are designed with suite that binds private transactions with programmable logic. heuristic security. On one hand, researchers have identified Our protocol suite contains three essential primitives freeze, attacks on various aspects of the system [29], [34]; on the compute, and finalize. The freeze primitive allows parties other, efforts to formally understand the security of blockchain to commit to not only normal data, but also coins. Committed consensus have begun [32], [45]. coins are frozen in the contract, and the payout distribution will Minimizing on-chain costs. Since every miner will execute φ later be determined by the program priv. During compute, the smart contract programs while verifying each transaction, parties open their committed data and currency to the manager, cryptocurrencies including Bitcoin and Ethereum collect trans- φ such that the manager can compute the function priv. Based on action fees that roughly correlate with the cost of execution. φ the outcome of priv, the manager now constructs new private While we do not explicitly model such fees, we design our coins to be paid to each recipient. The manager then submits protocols to minimize on-chain costs by performing most of to the blockchain both the new private coins as well as zero- the heavy-weight computation off-chain. knowledge proofs of their well-formedness. At this moment, 2) Additional Related Works: Leveraging blockchain for the previously frozen coins are now redistributed among the financial fairness. A few prior works have explored how to users. Our protocol suite strictly generalizes Zerocash since leverage the blockchain technology to achieve fairness in pro- Zerocash implements only private money transfers between tocol design. For example, Bentov et al. [17], Andrychowicz users without programmability. et al. [7], Kumaresan et al. [40], Kiayias et al. [36], as well We define the security of our primitives using ideal func- as Zyskind et al. [59], show how Bitcoin can be used to tionalities, and formally prove security of our constructions ensure fairness in secure multi-party computation protocols. under a simulation-based paradigm. These protocols also perform off-chain secure computation Implementation and evaluation. We built a Hawk prototype of various types, but do not guarantee transactional privacy and evaluated its performance by implementing several ex- (i.e., hiding the currency flows and amounts transacted). For ample applications, including a sealed-bid auction,a“rock, example, it is not clear how to implement our sealed auction paper, scissors” game, a crowdfunding application, and a example using these earlier techniques. Second, these earlier swap financial instrument. We propose interesting protocol works either do not offer system implementations or provide optimizations that gained us a factor of 10× in performance implementations only for specific applications (e.g., lottery). In relative to a straightforward implementation. We show that comparison, Hawk provides a generic platform such that non- for at about 100 parties (e.g., auction and crowdfunding), the specialist programmers can easily develop privacy-preserving manager’s cryptographic computation (the most expensive part smart contracts. of the protocol) is under 2.85min using 4 cores, translating Smart contracts. The conceptual idea of programmable elec- to under $0.14 of EC2 time. Further, all on-chain computation tronic “smart contracts” dates back nearly twenty years [53]. (performed by all miners) is very cheap, and under 20ms for Hawk Besides recent decentralized cryptocurrencies, which guaran- all cases. We will open source our framework in the tee authenticity but not privacy, other smart contract imple- near future. mentations rely on trusted servers for security [46]. Our work D. Background and Related Work therefore comes closest to realizing the original vision of 1) Background: The original Bitcoin offers limited pro- parties interacting with a trustworthy “virtual computer” that grammability through a scripting language that is neither executes programs involving money and data. Turing-complete nor user friendly. Numerous previous endeav- Programming frameworks for cryptography. Several works ors at creating smart contract-like applications atop Bitcoin have developed programming frameworks that take in high- (e.g., lottery [7], [17], micropayments [4],verifiable computa- level programs as specifications and generate cryptographic tion [40]) have demonstrated the difficulty of in retrofitting implementations, including compilers for secure multi-party Bitcoin’s scripting language – this serves well to motivate a computation [19], [39], [41], [51], authenticated data struc- Turing-complete, user-friendly smart contract language. tures [44], and (zero-knowledge) proofs [12], [30], [31], [49]. Ethereum is the first Turing-complete decentralized smart Zheng et al. show how to generate secure distributed protocols contract system. With Ethereum’s imminent launch, companies such as sealed auctions, battleship games, and banking applica- and hobbyists are already building numerous smart contract tions [58]. These works support various notions of security, but
842
Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. none of them interact directly with money or leverage public sends to the blockchain. In reality, this means that the blockchains for ensuring financial fairness. Thus our work overlay network must have sufficient redundancy. However, is among the first to combine the “correct-by-construction” an adversary can drop messages delivered between parties cryptography approach with smart contracts. off the blockchain. Concurrent work. Our framework is the first to provide a • Pseudonyms. Users can make up an unbounded polynomial full-fledged formal model for decentralized blockchains as number of pseudonyms when communicating with the embodied by Bitcoin, Ethereum, and many other popular blockchain. decentralized cryptocurrencies. In concurrent and independent • Correctness and availability. We assume that the blockchain work, Kiayias et al. [36] also propose a blockchain model will perform any prescribed computation correctly. We also in the (Generalized) Universal Composability framework [23] assume that the blockchain is always available. and use it to derive results that are similar to what we Advantages of a generic blockchain model. We adopt describe in the online version [37], i.e., fair MPC with public a generic blockchain model where the blockchain can run deposits. However, the “programmability” of their formalism arbitrary Turing-complete programs. In comparison, previous is limited to their specific application (i.e., fair MPC with and concurrent works [7], [17], [40], [50] retrofit the artifacts public deposits). In comparison, our formalism is designed of Bitcoin’s limited and hard-to-use scripting language. In with much broader goals, i.e., to facilitate protocol designers Section VII and the online version [37], we present additional to design a rich class of protocols in the blockchain model. In theoretical results demonstrating that our generic blockchain particular, both our real-world wrapper (Figure 11) and ideal- model yields asymptotically more efficient cryptographic pro- world wrapper (Figure 10) model the presence of arbitrary user tocols. defined contract programs, which interact with both parties and B. Formally Modeling the Blockchain the ledger. Our formalism has also been adopted by the Gyges Our paper adopts a carefully designed notational system work [35] demonstrating its broad usefulness. such that readers may understand our constructions without II. THE BLOCKCHAIN MODEL OF CRYPTOGRAPHY understanding the precise details of our formal modeling. A. The Blockchain Model We stress, however, that we give formal, precise specifi- We begin by informally describing the trust model and cations of both functionality and security, and our protocols assumptions. We then propose a formal framework for the are formally proven secure under the Universal Composability “blockchain model of cryptography” for specifying and rea- (UC) framework. In doing so, we make a separate contribution soning about the security of protocols. of independent interest: we are the first to propose a formal, In this paper, the blockchain refers to a decentralized set UC-based framework for describing and proving the security of miners who run a secure consensus protocol to agree upon of distributed protocols that interact with a blockchain — the global state. We therefore will regard the blockchain as a we refer to our formal model as “the blockchain model of conceptual trusted party who is trusted for correctness and cryptography”. availability, but not trusted for privacy. The blockchain Programs, wrappers, and functionalities. In the remainder not only maintains a global ledger that stores the balance for of the paper, we will describe ideal specifications, as well every pseudonym, but also executes user-defined programs. as pieces of the protocol executed by the blockchain, the More specifically, we make the following assumptions: users, and the manager respectively as programs written in • Time. The blockchain is aware of a discrete clock that pseudocode. We refer to them as the ideal program (denoted increments in rounds. We use the terms rounds and epochs Ideal), the blockchain program (denoted B or Blockchain), and interchangeably. the user/manager program (denoted UserP) respectively. • Public state. All parties can observe the state of the block- All of our pseudo-code style programs have precise mean- chain. This means that all parties can observe the public ings in the UC framework. To “compile” a program to a ledger on the blockchain, as well as the state of any user- UC-style functionality or protocol, we apply a wrapper to defined blockchain program (part of a contract protocol). a program. Specifically, we define the following types of • Message delivery. Messages sent to the blockchain will wrappers: arrive at the beginning of the next round. A network • The ideal wrapper F(·) transforms an ideal program IdealP adversary may arbitrarily reorder messages that are sent into a UC ideal functionality F(IdealP). to the blockchain within the same round. This means that • The blockchain wrapper G(·) transforms a blockchain pro- the adversary may attempt a front-running attack (also gram B to a blockchain functionality G(B). The blockchain referred to as the rushing adversary by cryptographers), e.g., functionality G(B) models the program executing on the upon observing that an honest user is trading a stock, the blockchain. adversary preempts by sending a race transaction trading the • The protocol wrapper Π(·) transforms a user/manager same stock. Our protocols should be proven secure despite program UserP into a user-side or manager-side protocol such adversarial message delivery schedules. Π(UserP). We assume that all parties have a reliable channel to the One important reason for having wrappers is that wrappers im- blockchain, and the adversary cannot drop messages a party plement a set of common features needed by every smart con-
843
Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. tract application, including time, public ledger, pseudonyms, IdealPcash and adversarial reordering of messages — in this way, we Init: Coins: a multiset of coins, each of the form (P, $val) need not repeat this notation for every blockchain application. Mint: Upon receiving (mint, $val) from some P: We defer our formal UC modeling to Appendix B. This will send (mint, P, $val) to A not hinder the reader in understanding our protocols as long assert ledger[P] ≥ $val as the reader intuitively understands our blockchain model and ledger[P]:=ledger[P] − $val assumptions described in Section II-A. Before we describe our append (P, $val) to Coins protocols, we define some notational conventions for writing Pour: On (pour, $val1, $val2, P1, P2, $val1, $val2) from P: “programs”. Readers who are interested in the details of our assert $val1 +$val2 =$val1 +$val2 formal model and proofs can refer to Appendix B. if P is honest, assert (P, $vali) ∈ Coins for i ∈{1, 2} C. Conventions for Writing Programs assert Pi = ⊥ for i ∈{1, 2} Our wrapper-based system modularizes notation, and allows remove one (P, $vali) from Coins for i ∈{1, 2} us to use a set of simple conventions for writing user-defined for i ∈{1, 2},ifPi is corrupted, send (pour, i, P $ ) A ( ,i,P ) A ideal programs, blockchain programs, and user protocols. We i, vali to ; else send pour i to describe these conventions below. if P is corrupted: (P, $ ) ∈ i ∈{1, 2} Timer activation points. The ideal functionality wrapper assert vali Coins for remove one (P, $vali) from Coins for i ∈{1, 2} F(·) and the blockchain wrapper G(·) implement a clock that for i ∈{1, 2}: add (Pi, $vali) to Coins advances in rounds. Every time the clock is advanced, the for i ∈{1, 2}:ifPi = ⊥, send (pour, $vali) to Pi wrappers will invoke the Timer activation point. Therefore, by convention, we allow the ideal program or the blockchain Fig. 3. Definition of IdealPcash. Notation: ledger denotes the public ledger, program can define a Timer activation point. Timeout oper- and Coins denotes the private pool of coins. As mentioned in Section II-C, ations (e.g., refunding money after a certain timeout) can be gray background denotes batched and delayed activation. All party names correspond to pseudonyms due to notations and conventions defined in implemented under the Timer activation point. Section II-B. Delayed processing in ideal programs. When writing the blockchain program, every message received by the blockchain When the context is clear, we avoid writing “as nym P ”, program is already delayed by a round due to the G(·) wrapper. and simply write “send m to G(B)”. Our formal system also When writing the ideal program, we introduce a simple allows users to send messages anonymously to the blockchain convention to denote delayed computation. Program instruc- – although this option will not be used in this paper. tions that are written in gray background denote computation Ledger and money transfers. A public ledger is denoted that does not take place immediately, but is deferred to ledger in our ideal programs and blockchain programs. When a the beginning of the next timer click. This is a convenient party sends $amt to an ideal program or a blockchain program, shorthand because in our real-world protocol, effectively any this represents an ordinary message transmission. Money computation done by a blockchain functionality will be de- transfers only take place when ideal programs or blockchain layed. For example, in our IdealPcash ideal program (see programs update the public ledger ledger. In other words, Figure 3), whenever the ideal functionality receives a mint or the symbol $ is only adopted for readability (to distinguish pour message, the ideal adversary S is notified immediately; variables associated with money and other variables), and does however, processing of the messages is deferred till the next not have special meaning or significance. One can simply think timer click. Formally, delayed processing can be implemented of this variable as having the money type. simply by storing state and invoking the delayed program in- structions on the next Timer click. By convention, we assume III. CRYPTOGRAPHY ABSTRACTIONS that the delayed instructions are invoked at the beginning of We now describe our cryptography abstraction in the form the Timer call. In other words, upon the next timer click, the of ideal programs. Ideal programs define the correctness and delayed instructions are executed first. security requirements we wish to attain by writing a speci- Pseudonymity. All party identifiers that appear in ideal fication assuming the existence of a fully trusted party. We programs, blockchain programs, and user-side programs by will later prove that our real-world protocols (based on smart default refer to pseudonyms. When we write “upon receiving contracts) securely emulate the ideal programs. As mentioned message from some P ”, this accepts a message from any earlier, an ideal program must be combined with a wrapper F pseudonym. Whenever we write “upon receiving message to be endowed with exact execution semantics. from P ”, without the keyword some, this accepts a message Overview. Hawk realizes the following specifications: from a fixed pseudonym P , and typically which pseudonym • Private ledger and currency transfer. Hawk relies on the we refer to is clear from the context. existence of a private ledger that supports private currency Whenever we write “send m to G(B) as nym P ” inside a transfers. We therefore first define an ideal functionality m P user program, this sends an internal message (“send”, , ) called IdealPcash that describes the requirements of a private to the protocol wrapper Π. The protocol wrapper will then ledger (see Figure 3). Informally speaking, earlier works authenticate the message appropriately under pseudonym P . such as Zerocash [11] are meant to realize (approximations
844
Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. of) this ideal functionality – although technically this ought to spend a coin paid to itself until the next round. By contrast, to be interpreted with the caveat that these earlier works corrupted parties are allowed to spend coins paid to them in prove indistinguishability or game-based security instead the same round – this is due to the fact that any message is UC-based simulation security. routed immediately to the adversary, and the adversary can • Hawk-specific primitives. With a private ledger specified, also choose a permutation for all messages received by the we then define Hawk-specific primitives including freeze, blockchain in the same round (see Section II and Appendix B). compute, and finalize that are essential for enabling trans- Another subtlety in the IdealPcash functionality is while hon- actional privacy and programmability simultaneously. est parties always pour to existing pseudonyms, the function- ality allows the adversary to pour to non-existing pseudonyms A. Private Cash Specification IdealPcash denoted ⊥ — in this case, effectively the private coin goes At a high-level, the IdealPcash specifies the requirements of a into a blackhole and cannot be retrieved. This enables a private ledger and currency transfer. We adopt the same “mint” performance optimization in our UserPcash and Blockchaincash and “pour” terminology from Zerocash [11]. protocol later – where we avoid including the cti’s in the NIZK L Mint. The mint operation allows a user P to transfer money of POUR (see Section IV). If a malicious pourer chooses to P from the public ledger denoted ledger to the private pool compute the wrong cti, it is as if the recipient i did not ⊥ denoted Coins[P]. With each transfer, a private coin for user receive the pour, i.e., the pour is made to . P is created, and associated with a value val. B. Hawk Specification IdealPhawk For correctness, the ideal program IdealPcash checks that the user P has sufficient funds in its public ledger ledger[P] To enable transactional privacy and programmability simul- before creating the private coin. taneously, we now describe the specifications of new Hawk Pour. The pour operation allows a user P to spend money primitives, including freeze, compute, and finalize. The formal in its private bank privately. For simplicity, we define the specification of the ideal program IdealPhawk is provided in simple case with two input coins and two output coins. This Figure 4. Below, we provide some explanations. We also refer is sufficient for users to transfer any amount of money by the reader to Section I-C for higher-level explanations. “making change,” although it would be straightforward to Freeze. In freeze, a party tells IdealPhawk to remove one support more efficient batch operations as well. coin from the private coins pool Coins, and freeze it in the For correctness, the ideal program IdealPcash checks the blockchain by adding it to FrozenCoins. The party’s private P following: 1) for the two input coins, party indeed possesses input denoted in is also recorded in FrozenCoins. IdealPhawk private coins of the declared values; and 2) the two input coins checks that P has not called freeze earlier, and that a coin sum up to equal value as the two output coins, i.e., coins (P, val) exists in Coins before proceeding with the freeze. neither get created or vanish. Compute. When a party P calls compute, its private input Privacy. When an honest party P mints, the ideal-world in and the value of its frozen coin val are disclosed to the adversary A learns the pair (P, val) – since minting is raising manager PM. coins from the public pool to the private pool. Operations on Finalize. In finalize, the manager PM submits a public the public pool are observable by A. input inM to IdealPhawk. IdealPhawk now computes the outcome When an honest party P pours, however, the adversary A of φpriv on all parties’ inputs and frozen coin values, and learns only the output pseudonyms P1 and P2. It does not learn redistributes the FrozenCoins based on the outcome of φpriv. which coin in the private pool Coins is being spent nor the To ensure money conservation, the ideal program IdealPhawk name of the spender. Therefore, the spent coins are anonymous checks that the sum of frozen coins is equal to the sum of with respect to the private pool Coins. To get strong anonymity, output coins. new pseudonyms P1 and P2 can be generated on the fly to Interaction with public contract. The IdealP functional- receive each pour. We stress that as long as pour hides the hawk ity is parameterized by a public Hawk contract φ , which is sender, this “breaks” the transaction graph, thus preventing pub included in IdealP as a sub-module. During a finalize, linking analysis. hawk IdealP calls φ .check. The public contract φ typically If a corrupted party is the recipient of a pour, the adversary hawk pub pub serves the following purposes: additionally learns the value of the coin it receives. • Additional subtleties. Later in our protocol, honest parties Check the well-formedness of the manager’s input inM. keep track of a wallet of coins. Whenever an honest party For example, in our financial derivatives application (Sec- φ pours, it first checks if an appropriate coin exists in its local tion VI-B), the public contract pub asserts that the input wallet – and if so it immediately removes the coin from the corresponds to the price of a stock as reported by the stock wallet (i.e., without delay). In this way, if an honest party exchange’s authentic data feed. makes multiple pour transactions in one round, it will always • Redistribute public deposits. If parties or the manager have choose distinct coins for each pour transaction. Therefore, in aborted, or if a party has provided invalid input (e.g., less our IdealPcash functionality, honest pourers’ coins are immedi- than a minimum bet) the public contract φpub can now ately removed from Coins. Further, an honest party is not able redistribute the parties’ public deposits to ensure financial
845
Authorized licensed use limited to: IEEE Xplore. Downloaded on April 06,2021 at 21:38:47 UTC from IEEE Xplore. Restrictions apply. party’s pseudonym P. We note that leaking the pseudonym P IdealPhawk(PM, {Pi}i∈[N],T1,T2,φpriv,φpub) Init: Call IdealP .Init. Additionally: does not hurt privacy, since a party can simply create a new cash P FrozenCoins: a set of coins and private in- pseudonym and pour to this new pseudonym immediately puts received by this contract, each of the form before the freeze. (P, in, $val). Initialize FrozenCoins := ∅. When an honest party calls compute, the manager PM gets Freeze: Upon receiving (freeze, $vali, ini) from Pi for some to observe its input and frozen coin’s value. However, the i ∈ [N]: public and other contractual parties do not observe anything assert current time T