Abstract
Validation of Bitcoin transactions relies upon the successful execution of scripts written in a simple and effective language, non-Turing-complete by design and simply called script. This makes the validation of closed scripts, i.e. those associated with actual transactions and carrying full information, straightforward. Here we address the problem of validating open scripts, i.e. the validation of redeeming scripts against the whole set of possible inputs: under which general conditions can Bitcoins be redeemed? Even though script is likely not among the most complex languages, nor its verification among the most demanding verification problems, we advocate the merit of formal verification for the Bitcoin validation framework. We propose a symbolic verification theory for open scripts and a verifier tool-kit, and illustrate their use on Bitcoin transactions. Contributions include (1) a formalisation of (a fragment of) the script language; (2) a novel symbolic approach to script verification, suitable, e.g., for the verification of newly defined and non-standard payment schemes; and (3) building blocks for a larger verification theory for the developing area of Bitcoin smart contracts. The verification of smart contracts, i.e. agreements built as transaction-based protocols, is currently a problem that is difficult to formalise and computationally demanding.
R. Klomp and A. Bracciali —This research has been partially supported by The DataLab, UK, and partially informed by collaborations within COST Action IC1406 cHiPSet research network. Authors would like to thank Flavio Pizzorno for interesting feedback on the work. Andrea Bracciali is a Research Affiliate to the UCL Centre for Blockchain Technologies.
Notes
- 1. More precisely, constraints specify the required state of the stack for successful termination after the execution of the input script. If the constraints are satisfiable, a trivial input script pushing the expected data onto the stack always exists.
- 2. In this paper we refer to the setting where the flags MANDATORY_SCRIPT_VERIFY_FLAGS and SCRIPT_VERIFY_DERSIG are enabled and all other flags are disabled.
- 3. Although several byte vectors evaluate to false and several to true, the Bitcoin Core client always instantiates these as the empty vector ε and [0x01] respectively. Our symbolic verifier assumes the same representations.
- 4. It is important to remark that some type definitions, and other features, may depend on how the Bitcoin client is initialised. For instance, whether the size of a key is checked depends on an initialisation parameter. We assume in this paper that the check is performed. We defer verification against the different possible initialisations to future work, noting that it must be addressed, since different settings can affect correctness in different ways.
- 5. Some operations may be more restrictive on the length of accepted keys, as well as on their format. We model this in the specific rules defining such operations, as appropriate. See Sect. 5.2.
- 6. With the added note that matching public keys must be provided in the same order as the signatures they match, and that each provided public key can be matched with at most one signature.
- 7. This conforms to the Bitcoin Core client, which contains a bug that causes this additional stack entry to be popped from the stack.
- 8. With ID: 75bb6417afc7500a6389201a67bfc2428a1241170a214bbf6833a389191036fe.
- 9. With ID: cd2dacbd05389580cb569985b3a8b1db67ea6cc84371223590e241a5026d0a8a.
- 10. Source: https://en.bitcoin.it/wiki/Contract.
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Klomp, R., Bracciali, A. (2018). On Symbolic Verification of Bitcoin's script Language. In: Garcia-Alfaro, J., Herrera-Joancomartí, J., Livraga, G., Rios, R. (eds) Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM CBT 2018. Lecture Notes in Computer Science, vol 11025. Springer, Cham. https://doi.org/10.1007/978-3-030-00305-0_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00304-3
Online ISBN: 978-3-030-00305-0