Abstract
MimbleWimble is a privacy-oriented cryptocurrency technology which provides security and scalability properties that distinguish it from other protocols of its kind. We present and briefly discuss those properties and outline the basis of a model-driven verification approach to address the certification of the correctness of an implementation of the protocol.
Notes
1. The methodology proposed in this work also applies to the Beam implementation: https://www.beam-mw.com.
2. For simplicity, fees are left aside.
3. When dealing with global states, \(valid\_state\) is validChain.
4. Given a state s, a transaction t and an error code ec, \(ErrorMsg(s,t,ec)\) holds iff error ec is an acceptable response when the execution of t is requested on state s.
5.
6. From now on we will refer to Pîrlea and Sergey's model simply as PS.
References
Anderson, J.: Computer Security Technology Planning Study. Technical report, Deputy for Command and Management System, USA (1972)
Barthe, G., Dupressoir, F., Grégoire, B., Kunz, C., Schmidt, B., Strub, P.-Y.: EasyCrypt: a tutorial. In: Aldini, A., Lopez, J., Martinelli, F. (eds.) FOSAD 2012-2013. LNCS, vol. 8604, pp. 146–166. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10082-1_6
Bartzia, E.-I., Strub, P.-Y.: A formal library for elliptic curves in the Coq proof assistant. In: Klein, G., Gamboa, R. (eds.) ITP 2014. LNCS, vol. 8558, pp. 77–92. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08970-6_6
Bell, D.E., LaPadula, L.J.: Secure computer systems: mathematical foundations. Technical report MTR-2547, vol. 1, MITRE Corp., Bedford, MA (1973)
Bertot, Y., Castéran, P., Huet, G., Paulin-Mohring, C.: Interactive Theorem Proving and Program Development: Coq'Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. Springer, Berlin, New York (2004). http://coq.inria.fr
Betarte, G., Cristiá, M., Luna, C., Silveira, A., Zanarini, D.: Set-based models for cryptocurrency software. CoRR, abs/1908.00591 (2019)
Betarte, G., Cristiá, M., Luna, C., Silveira, A., Zanarini, D.: Towards a formally verified implementation of the MimbleWimble cryptocurrency protocol. CoRR, abs/1907.01688 (2019)
Bhargavan, K., et al.: Formal verification of smart contracts: short paper. In: Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, PLAS 2016, pp. 91–96. ACM, New York (2016)
Blanchet, B.: CryptoVerif: a computationally sound mechanized prover for cryptographic protocols. In: Dagstuhl Seminar "Formal Protocol Verification Applied", October 2007
Blanchet, B.: An efficient cryptographic protocol verifier based on Prolog rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14 2001), 11–13 June 2001, Cape Breton, Nova Scotia, Canada, pp. 82–96. IEEE Computer Society (2001)
Buterin, V.: Critical update re: DAO vulnerability, June 2016
Cristiá, M., Rossi, G.: A decision procedure for restricted intensional sets. In: de Moura, L. (ed.) CADE 2017. LNCS (LNAI), vol. 10395, pp. 185–201. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63046-5_12
Cristiá, M., Rossi, G.: Solving quantifier-free first-order constraints over finite sets and binary relations. J. Automated Reasoning 64, 295–330 (2019). https://doi.org/10.1007/s10817-019-09520-4
Cristiá, M., Rossi, G., Frydman, C.: {log} as a test case generator for the Test Template Framework. In: Hierons, R.M., Merayo, M.G., Bravetti, M. (eds.) SEFM 2013. LNCS, vol. 8137, pp. 229–243. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40561-7_16
Dénès, M., Hritcu, C., Lampropoulos, L., Paraskevopoulou, Z., Pierce, B.: QuickChick: property-based testing for Coq. In: The Coq Workshop (2014)
Korsell, E., Mueller, P., Schumann, Y.: Spectrecoin. https://spectreproject.io/Spectrecoin_White-Paper.pdf, June 2019
Fanti, G.C., et al.: Dandelion++: lightweight cryptocurrency networking with formal anonymity guarantees. CoRR, abs/1805.11060 (2018)
Fuchsbauer, G., Orrù, M., Seurin, Y.: Aggregate cash systems: a cryptographic investigation of Mimblewimble. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 657–689. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_22
Garay, J., Kiayias, A., Leonardos, N.: The Bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10
Gibson, A.: An investigation into confidential transactions (2018). https://github.com/AdamISZ/ConfidentialTransactionsDoc/blob/master/essayonCT.pdf
Grin Community: Grin: Open Research Problems (2020). https://grin.mw/open-research-problems
Grin Team: Privacy Primer, November 2018. https://github.com/mimblewimble/docs/wiki/Grin-Privacy-Primer
Grin Team: Dandelion++ in Grin: Privacy-Preserving Transaction Aggregation and Propagation, July 2019. https://github.com/mimblewimble/grin/blob/master/doc/dandelion/dandelion.md
Grishchenko, I., Maffei, M., Schneidewind, C.: A semantic framework for the security analysis of Ethereum smart contracts. In: Bauer, L., Küsters, R. (eds.) POST 2018. LNCS, vol. 10804, pp. 243–269. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89722-6_10
Hirai, Y.: Defining the Ethereum Virtual Machine for interactive theorem provers. In: Brenner, M., et al. (eds.) FC 2017. LNCS, vol. 10323, pp. 520–535. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0_33
Miers, I.: Blockchain Privacy: Equal Parts Theory and Practice, February 2019. https://www.zfnd.org/blog/blockchain-privacy/#flashlight
Idelberger, F., Governatori, G., Riveret, R., Sartor, G.: Evaluation of logic-based smart contracts for blockchain systems. In: Alferes, J.J.J., Bertossi, L., Governatori, G., Fodor, P., Roman, D. (eds.) RuleML 2016. LNCS, vol. 9718, pp. 167–183. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-42019-6_11
Jedusor, T.: Introduction to MimbleWimble and Grin (2016). https://github.com/mimblewimble/grin/blob/master/doc/intro.md
Jedusor, T.: Mimblewimble (2016). scalingbitcoin.org/papers/mimblewimble.txt
Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_12
Letouzey, P.: A new extraction for Coq. In: Geuvers, H., Wiedijk, F. (eds.) TYPES 2002. LNCS, vol. 2646, pp. 200–219. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39185-1_12
Luu, L., Chu, D., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Weippl, E., Katzenbeisser, S., Kruegel, C., Myers, A., Halevi, S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 254–269. ACM (2016)
Maxwell, G.: Confidential transactions write up (2020). https://people.xiph.org/~greg/confidential_values.txt
Metere, R., Dong, C.: Automated cryptographic analysis of the Pedersen commitment scheme. In: Rak, J., Bay, J., Kotenko, I., Popyack, L., Skormin, V., Szczypiorski, K. (eds.) MMM-ACNS 2017. LNCS, vol. 10446, pp. 275–287. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-65127-9_22
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system, March 2009. Cryptography mailing list, https://metzdowd.com
Pîrlea, G., Sergey, I.: Mechanising blockchain consensus. In: Proceedings of CPP 2018, pp. 78–90. ACM, New York (2018)
Poelstra, A.: Mimblewimble, October 2016. https://download.wpsoftware.net/bitcoin/wizardry/mimblewimble.pdf
The Coq Development Team: The Coq Proof Assistant Reference Manual, version 8.9.0 (2019)
Venkatakrishnan, S.B., Fanti, G.C., Viswanath, P.: Dandelion: redesigning the Bitcoin network for anonymity. CoRR, abs/1701.04439 (2017)
Wanseob-Lim: Ethereum 9 3/4: Send ERC20 privately using Mimblewimble and zk-SNARKs, September 2019. https://ethresear.ch/t/ethereum-9-send-erc20-privately-using-mimblewimble-and-zk-snarks/6217
Wood, G.: Ethereum: a secure decentralised generalised transaction ledger, EIP-150 revision (759dccd, 2017-08-07) (2017). Accessed 03 Jan 2018
Appendices
A Excerpt of a Z Model of a Consensus Protocol
The following are some snippets of a Z model of a consensus protocol based on the one developed by Pîrlea and Sergey [36]. For reasons of space we reproduce only a small part of it.
The time stamps used in the protocol are modeled as natural numbers. Then we have the type of addresses (Addr), the type of hashes (Hash), the type of proof objects (Proof) and the type of transactions (Tx). Unlike Pîrlea and Sergey's model (see note 6), we model addresses as a given type instead of as natural numbers. In PS the only condition required of these types is that they come equipped with equality, which is the case in Z.
The block data structure is a record with three fields: prev, which (usually) points to the parent block; txs, which stores the sequence of transactions contained in the block; and pf, a proof object required to validate the block.
The local state space of a participating network node is given by three state variables: as, the addresses of the peers this node is aware of; bf, a block forest (not shown) which records the minted and received blocks; and tp, a set of received transactions which will eventually be included in minted blocks.
The system configuration is represented by two state variables: Delta, which maps network addresses to the corresponding (local) node states (in PS this variable is referred to as the global state); and P, a set of packets (which represent the messages exchanged by nodes).
Packets are just tuples of two addresses (origin and destination) and a message.
The model has twelve state transitions divided into two groups: local and global. Local transitions are those executed by network nodes, while global transitions promote local transitions to the network level. In turn, the local transitions are grouped into receiving and internal transitions. Receiving transitions model the nodes receiving messages from other nodes and, possibly, sending out new messages; internal transitions model the execution of instructions run by each node when some local condition is met. Here, we show only the local, receiving transition named RcvAddr.
As can be seen, RcvAddr receives a packet (p?) and sends out a set of packets (ps!). The node checks whether the packet's destination address coincides with its own address. If so, the node adds the received addresses to its local state and sends out a set of packets, each of the form \((p?.2, a, ConnectMsg)\) or \((p?.2, a, AddrMsg~as')\). The former are generated from the received addresses and sent to the new peers the node now knows; the latter tell its already known peers that it has learned of new peers.
B Excerpt of a \(\{log\}\) Prototype of a Consensus Protocol
In this section we show the \(\{log\}\) code corresponding to the Z model presented in Appendix A. \(\{log\}\) code can be seen as both a formula and a program [13]. Thus, in this case we use the code as a prototype, or executable model, of the Z model. The intention is twofold: to show that passing from a Z specification to a \(\{log\}\) program is rather easy, and to show how a \(\{log\}\) program can be used as a prototype. The first point holds mainly because \(\{log\}\) provides the usual Boolean connectives and most of the set and relational operators available in Z. Hence, it is quite natural to encode a Z specification as a \(\{log\}\) program.
Given that \(\{log\}\) is based on Prolog, its programs resemble Prolog programs. The \(\{log\}\) encoding of RcvAddr is the following:
As can be seen, rcvAddr is a clause receiving the before state (LocState), the input variable (P), the output variable (Ps) and the after state (LocState_). As in Prolog, \(\{log\}\) programs are based on unification, with the addition of set unification. In this sense, a statement such as LocState = [as,As]/Rest (set-)unifies the parameter received with a set term, singling out the state variable needed in this case (As) and the rest of the variables (Rest). The same is done with packet P, where _ means any value as first component and addrMsg(Asm) gets the set of addresses received in the packet without introducing an existential quantifier.
The set comprehensions used in the Z specification are implemented with \(\{log\}\)'s so-called Restricted Intensional Sets (RIS) [12]. A RIS is interpreted as a set comprehension whose control variable ranges over a finite set (D and As).
Given rcvAddr we can perform simulations on \(\{log\}\) such as:
in which case \(\{log\}\) returns:
That is, \(\{log\}\) binds values for all the free variables in such a way that the formula is satisfied (if it is satisfiable at all). In this way we can trace the execution of the protocol w.r.t. states and outputs by starting from a given state (e.g. S) and input values (e.g. [_,this,addrMsg(a1,a2)]), and chaining states throughout the execution of the state transitions included in the simulation (e.g. S1 and S2).
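The Z schema of RcvAddr (Appendix A) and its \(\{log\}\) encoding and simulation (Appendix B) are not reproduced on this page, so the following is an added example, written for this page and not taken from the paper, the \(\{log\}\) tool or the Pîrlea and Sergey development. It encodes the RcvAddr transition as described in the prose above as a pure function over immutable sets, and chains it over a sequence of input packets the way the \(\{log\}\) simulation chains S, S1 and S2. The names (LocalState, rcv_addr, simulate, the this field holding the node's own address) and the choice to leave the state unchanged with no output when the precondition fails are this example's own assumptions; the paper's schemas may differ in those details.

```python
"""Executable model of the RcvAddr transition described in Appendix A.

Added example: not code from the paper, from {log}, or from the PS model.
Names, the `this` field and the precondition-failure behaviour are assumptions.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Sequence, Tuple, Union

Addr = str  # addresses only need equality (as in Z given types); strings suffice


@dataclass(frozen=True)
class ConnectMsg:
    """Sent to a newly learned peer."""


@dataclass(frozen=True)
class AddrMsg:
    """Announces a set of peer addresses."""
    addrs: FrozenSet[Addr]


Msg = Union[ConnectMsg, AddrMsg]
Packet = Tuple[Addr, Addr, Msg]  # (origin, destination, message), as in Appendix A


@dataclass(frozen=True)
class LocalState:
    this: Addr                          # the node's own address (assumed field)
    as_: FrozenSet[Addr]                # Z variable `as`: known peer addresses
    tp: FrozenSet[str] = frozenset()    # Z variable `tp`: transaction pool (untouched here)
    # bf (block forest) is omitted because RcvAddr does not modify it


def rcv_addr(s: LocalState, p: Packet) -> Tuple[LocalState, FrozenSet[Packet]]:
    """RcvAddr: (before state, p?) -> (after state, ps!).

    Precondition: p? is an AddrMsg whose destination p?.2 is this node.
    If it does not hold, the state is returned unchanged with no output
    (this example's choice; the paper's error handling is not shown).
    """
    _origin, dest, msg = p
    if dest != s.this or not isinstance(msg, AddrMsg):
        return s, frozenset()
    received = msg.addrs
    new_peers = received - s.as_              # peers the node did not know yet
    as_after = s.as_ | received               # as' = as U received addresses
    # (p?.2, a, ConnectMsg) for each newly learned peer a
    connects = {(dest, a, ConnectMsg()) for a in new_peers}
    # (p?.2, a, AddrMsg as') for each already known peer a
    announces = {(dest, a, AddrMsg(as_after)) for a in s.as_}
    return replace(s, as_=as_after), frozenset(connects | announces)


def simulate(s0: LocalState, packets: Sequence[Packet]) -> List[Tuple[LocalState, FrozenSet[Packet]]]:
    """Chain RcvAddr over the input packets, returning [(S1, Ps1), (S2, Ps2), ...]."""
    trace = []
    s = s0
    for p in packets:
        s, ps = rcv_addr(s, p)
        trace.append((s, ps))
    return trace


def demo() -> List[Tuple[LocalState, FrozenSet[Packet]]]:
    """Constructed sample run: node `this` knows peer a0 and receives three packets."""
    s0 = LocalState(this="this", as_=frozenset({"a0"}))
    p1: Packet = ("a0", "this", AddrMsg(frozenset({"a1", "a2"})))   # two new peers
    p2: Packet = ("a1", "this", AddrMsg(frozenset({"a2", "a3"})))   # a2 already known
    p3: Packet = ("a0", "other", AddrMsg(frozenset({"a9"})))        # not addressed to us
    return simulate(s0, [p1, p2, p3])


if __name__ == "__main__":
    for i, (state, outputs) in enumerate(demo(), start=1):
        print(f"S{i}: as = {sorted(state.as_)}")
        for origin, dest, msg in sorted(outputs, key=lambda q: (q[1], type(q[2]).__name__)):
            print(f"   ({origin}, {dest}, {msg})")
```

Each step of the trace corresponds to one \(\{log\}\) query: S plays the role of the before state, the packet is the input, and S1 together with Ps1 is what the solver would bind. Because states are frozen and every step returns a fresh state, the same function can be used both as a reference model for testing an implementation and as the body of a property check (for instance, that after any RcvAddr step the received addresses are a subset of as').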
© 2020 Springer Nature Switzerland AG
Cite this paper
Betarte, G., Cristiá, M., Luna, C., Silveira, A., Zanarini, D. (2020). Towards a Formally Verified Implementation of the MimbleWimble Cryptocurrency Protocol. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2020. Lecture Notes in Computer Science(), vol 12418. Springer, Cham. https://doi.org/10.1007/978-3-030-61638-0_1
DOI: https://doi.org/10.1007/978-3-030-61638-0_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-61637-3
Online ISBN: 978-3-030-61638-0