Smart Contracts on Bitcoin Blockchain BitFury Group Sep 04, 2015 (Version 1.1) Abstract Smart contracts are one of the more promising directions for Bitcoin. Now, with the advent of so called Bitcoin 2.0 technologies such as Ethereum, the problem of smart contracts within the Bit- coin ecosystem gains new importance. This report studies possible smart contract applications for Bitcoin and outlines directions for further research. Version History Version Date Change description 1.0 Aug 13, 2015 Initial version 1.1 Sep 04, 2015 Added a copyright notice and a watermark © 2015 Bitfury Group Limited Without permission, anyone may use, reproduce or distribute any material in this paper for noncommercial and educational use (i.e., other than for a fee or for commercial purposes) provided that the original source and the applicable copyright notice are cited. Smart contracts are one of the more promising directions for cryptocurrencies and Bitcoin in par- ticular. A smart contract is understood as a computer protocol used to facilitate and automate financial contracts [1]. The term smart contract was introduced by Nick Szabo in 1990s [2] and became more relevant than ever before in 2010s after digital currencies gained popularity. One of the advantages in using Bitcoin as a medium for smart contracts is the inherent low trust ap- proach. Built-in Bitcoin mechanisms let users minimize counterparty risks by utilizing mathematical and algorithmic tools, not by relying on a mediator’s authority, as it is often the case in the traditional approach. Bitcoin is criticized because of the insufficient expressive means for smart contracts. The Ether- eum project [3] launched on July 30th, 2015 was developed as a replacement of the Bitcoin protocol specifically targeted for smart contract users. Because of the critique, the following questions arise: • What possibilities and perspectives does the Bitcoin protocol have as a medium for smart con- tracts? • What are the main drawbacks of Bitcoin compared to the alternatives (e.g., Ethereum)? Can these drawbacks be eliminated or alleviated while staying within the protocol? 1 Theory 1.1 Scripts All information in the Bitcoin protocol is stored in the form of a decentralized ledger – the blockchain. The building block of the blockchain is a transaction containing on or more inputs and outputs [4]. Each transaction input is an unspent output (UTXO) of one of previous transactions recorded on the blockchain1. Each transaction output is associated with the value – an integer denoting the spendable − amount of currency in satoshi (10 8 BTC). The sum of all transaction input values (i.e., the values of UTXOs associated with these inputs) equals to the sum of all transaction output values, plus the transaction fee paid to a miner for including the transaction into a block. Therefore, we can view a transaction as redistribution of wealth by “destroying” existing UTXOs and creating new ones. Each UTXO has to specify a person (or several persons) eligible for spending wealth associated with it. To accomplish this, the Bitcoin protocol introduces a scripting language [5]. The language describes the execution of a certain program on a stack machine [6], therefore resembling Forth progamming language [7]. The capabilities of the scripting language are severely limited compared to general pur- pose PLs; for example, it lacks cycles, I/O, and persistent states. These restrictions were introduced to protect the Bitcoin network from DoS-attacks and get acceptable timings for transaction and block verification. Each transaction output contains a script which locks, or encumbers, the money associated with the UTXO. This script is commonly referred to as scriptPubKey. To spend this money, a user of the 1Except for coinbase transaction inputs which we won’t consider in the report as they are not so interesting from the point of view of smart contracts. – 2 – Bitcoin network must demonstrate the proof of ownership in the form of an unlocking script scriptSig. Hence, a script is a part of each input and each output of a transaction. Verification of the pair (scriptPubKey, scriptSig) is performed in several steps: 1. Execute the unlocking script scriptSig; remember the stack state after the execution. 2. Not changing the stack, execute the locking script scriptPubKey. 3. If after executing both scripts, the stack isn’t empty and the top value does not evaluate to false (i.e., it contains one or more 1-bits), the verification is successful. Several scripting language instructions may determine the verification state immediately upon their execution (e.g., RETURN and VERIFY). Example. For the most common transaction type (pay-to-pubKeyHash), the unlocking script scriptSig consists of pushing two numbers into the stack: • the digital signature of the spending transaction • the public key of the user. The locking script scriptPubKey performs the following steps: 1. Check that the public key upon hashing is equal to the address [8] of the UTXO. The address in the binary form is a part of the locking script. 2. Check that the public key corresponds to the digital signature and the transaction. If both conditions hold, a specific transaction input is correct. If all transaction inputs are correct, the transaction is correct in whole and can be propagated or included in a block. Example. Arbitrary data can be stored in the Bitcoin blockchain using the following form of the lock- ing script: 1. RETURN instruction 2. data RETURN makes the validation process fail immediately. This means all money for UTXOs encumbered with the specified form of the locking script is lost forever; the only useful function of the UTXO is storing the data in the script. 1.2 Transaction Versions Two Bitcoin features helping implement smart contracts are transaction lock time and input versions [4]. Both these fields are used to determine whether the transaction in question is final, i.e. whether or not it can be included in blocks. Currently, non-final transactions are not propagated across the network; nevertheless, they are useful for creating and updating smart contracts. – 3 – Transaction lock time is an unsigned 4-byte integer that specifies either the minimal timestamp or the minimal block height when the transaction is considered final. “Ordinary” transactions that just move the value around have this field set to zero; for these transactions the value of both lock time and input versions are ignored. If the lock time is a non-zero value not exceeding 500 million, it is treated as block height; otherwise, it is considered as a UNIX timestamp. Example. A transaction with lock time set to 400,000 cannot be included in any block with the height less than 400,000. Note that Bitcoin clients currently forbid the propagation of such a transaction across the network until the 400,000th block is actually mined; however, it can be safely propagated after the lock time condition is met. Each transaction input also has a 4-byte unsigned integer value associated with it, the input version. The versions are useful in constructing transactions from several sources, as they allow signing inputs independently (see the explanation of signatures below). The input versions are active only when the containing transaction specifies a non-zero lock time. In theory, the transaction with the higher ver- sion of inputs should replace the transaction with the lower version in the transaction memory pool. However, the corresponding functionality was removed from the reference Bitcoin client implemen- tation, and as of now, version fields are mostly useless. 1.3 Signatures Bitcoin protocol allows several kinds of user signatures. The core functionality of a signature is as follows: Problem. Prove that the user possessing the private key corresponding to the given public key pub- Key, has authorized the transaction tx to spend their money. To solve this problem, the Bitcoin protocol uses elliptic curve digital signatures [9]. Each signature is computed based on the hash of the transaction tx. This makes it impossible for third parties to alter the transaction after it entered the Bitcoin network while maintaining the validity of the signature, e.g. in a MitM attack [10]. The parts of the transaction used to produce the hash used in digital signatures depend on the type of the signature. This type is specified as an additional byte at the end of the signature [11]. There are three types of signatures: • SIGHASH_ALL (default type). All of the transaction content is used to get the hash, except for unlocking scripts (if these scripts were included, signature embedded in one of the inputs would invalidate signatures in all other unlocking scripts), but including all input versions, references to UTXOs, and specifications of all outputs. This type of signature can be expressed as: “The user agrees to put their money in, as long as the others put their money in the specified way, and the money is spent as agreed”. – 4 – • SIGHASH_NONE. The tx hash is based on all transaction inputs, and ignores input versions and outputs. This type of signature can be expressed as: “The user agrees to put their money in, as long as the others put their money in the specified way; the user does not care how the money is spent”. • SIGHASH_SINGLE. The tx hash uses a single output, the index of which is the same as the index of the current input. This type of signature can be expressed as: “The user agrees to put their money in, as long as the others put their money in the specified way; the user only cares about their part of the money”. Additionally, the ANYONECANPAY modifier can be used together with any of these three methods. The modifier means that the tx hash ignores all transaction inputs except the current one.