-
Verification of Bitcoin Script in Agda using Weakest Preconditions for Access Control
Authors:
Fahad F. Alhabardi,
Arnold Beckmann,
Bogdan Lazar,
Anton Setzer
Abstract:
This paper contributes to the verification of programs written in Bitcoin's smart contract language SCRIPT in the interactive theorem prover Agda. It focuses on the security property of access control for SCRIPT programs that govern the distribution of Bitcoins. It advocates that weakest preconditions in the context of Hoare triples are the appropriate notion for verifying access control. It aims…
▽ More
This paper contributes to the verification of programs written in Bitcoin's smart contract language SCRIPT in the interactive theorem prover Agda. It focuses on the security property of access control for SCRIPT programs that govern the distribution of Bitcoins. It advocates that weakest preconditions in the context of Hoare triples are the appropriate notion for verifying access control. It aims at obtaining human-readable descriptions of weakest preconditions in order to close the validation gap between user requirements and formal specification of smart contracts.
As examples for the proposed approach, the paper focuses on two standard SCRIPT programs that govern the distribution of Bitcoins, Pay to Public Key Hash (P2PKH) and Pay to Multisig (P2MS). The paper introduces an operational semantics of the SCRIPT commands used in P2PKH and P2MS, which is formalised in the Agda proof assistant and reasoned about using Hoare triples. Two methodologies for obtaining human-readable descriptions of weakest preconditions are discussed:
(1) a step-by-step approach, which works backwards instruction by instruction through a script, sometimes grouping several instructions together;
(2) symbolic execution of the code and translation into a nested case distinction, which allows to read off weakest preconditions as the disjunction of conjunctions of conditions along accepting paths.
A syntax for equational reasoning with Hoare Triples is defined in order to formalise those approaches in Agda.
Keywords and phrases: Blockchain; Cryptocurrency; Bitcoin; Agda; Verification; Hoare logic; Bitcoin script; P2PKH; P2MS; Access control; Weakest precondition; Predicate transformer semantics; Provable correctness; Symbolic execution; Smart contracts
△ Less
Submitted 11 June, 2022; v1 submitted 6 March, 2022;
originally announced March 2022.
-
On the Complexity of Local Graph Transformations
Authors:
Christian Scheideler,
Alexander Setzer
Abstract:
We consider the problem of transforming a given graph $G_s$ into a desired graph $G_t$ by applying a minimum number primitives from a particular set of local graph transformation primitives. These primitives are local in the sense that each node can apply them based on local knowledge and by affecting only its $1$-neighborhood. Although the specific set of primitives we consider makes it possible…
▽ More
We consider the problem of transforming a given graph $G_s$ into a desired graph $G_t$ by applying a minimum number primitives from a particular set of local graph transformation primitives. These primitives are local in the sense that each node can apply them based on local knowledge and by affecting only its $1$-neighborhood. Although the specific set of primitives we consider makes it possible to transform any (weakly) connected graph into any other (weakly) connected graph consisting of the same nodes, they cannot disconnect the graph or introduce new nodes into the graph, making them ideal in the context of supervised overlay network transformations. We prove that computing a minimum sequence of primitive applications (even centralized) for arbitrary $G_s$ and $G_t$ is NP-hard, which we conjecture to hold for any set of local graph transformation primitives satisfying the aforementioned properties. On the other hand, we show that this problem admits a polynomial time algorithm with a constant approximation ratio.
△ Less
Submitted 10 September, 2020; v1 submitted 25 April, 2019;
originally announced April 2019.
-
Relays: A New Approach for the Finite Departure Problem in Overlay Networks
Authors:
Christian Scheideler,
Alexander Setzer
Abstract:
A fundamental problem for overlay networks is to safely exclude leaving nodes, i.e., the nodes requesting to leave the overlay network are excluded from it without affecting its connectivity. To rigorously study self-tabilizing solutions to this problem, the Finite Departure Problem (FDP) has been proposed [12]. In the FDP we are given a network of processes in an arbitrary state, and the goal is…
▽ More
A fundamental problem for overlay networks is to safely exclude leaving nodes, i.e., the nodes requesting to leave the overlay network are excluded from it without affecting its connectivity. To rigorously study self-tabilizing solutions to this problem, the Finite Departure Problem (FDP) has been proposed [12]. In the FDP we are given a network of processes in an arbitrary state, and the goal is to eventually arrive at (and stay in) a state in which all leaving processes irrevocably decided to leave the system while for all weakly-connected components in the initial overlay network, all staying processes in that component will still form a weakly connected component. In the standard interconnection model, the FDP is known to be unsolvable by local control protocols, so oracles have been investigated that allow the problem to be solved [12]. To avoid the use of oracles, we introduce a new interconnection model based on relays. Despite the relay model appearing to be rather restrictive, we show that it is universal, i.e., it is possible to transform any weakly-connected topology into any other weakly-connected topology, which is important for being a useful interconnection model for overlay networks. Apart from this, our model allows processes to grant and revoke access rights, which is why we believe it to be of interest beyond the scope of this paper. We show how to implement the relay layer in a self-stabilizing way and identify properties protocols need to satisfy so that the relay layer can recover while serving protocol requests.
△ Less
Submitted 13 September, 2018;
originally announced September 2018.
-
On Underlay-Aware Self-Stabilizing Overlay Networks
Authors:
Thorsten Götte,
Christian Scheideler,
Alexander Setzer
Abstract:
We present a self-stabilizing protocol for an overlay network that constructs the Minimum Spanning Tree (MST) for an underlay that is modeled by a weighted tree. The weight of an overlay edge between two nodes is the weighted length of their shortest path in the tree. We rigorously prove that our protocol works correctly under asynchronous and non-FIFO message delivery. Further, the protocol stabi…
▽ More
We present a self-stabilizing protocol for an overlay network that constructs the Minimum Spanning Tree (MST) for an underlay that is modeled by a weighted tree. The weight of an overlay edge between two nodes is the weighted length of their shortest path in the tree. We rigorously prove that our protocol works correctly under asynchronous and non-FIFO message delivery. Further, the protocol stabilizes after $\mathcal{O}(N^2)$ asynchronous rounds where $N$ is the number of nodes in the overlay.
△ Less
Submitted 7 September, 2018;
originally announced September 2018.
-
Breaking the $\tildeΩ(\sqrt{n})$ Barrier: Fast Consensus under a Late Adversary
Authors:
Peter Robinson,
Christian Scheideler,
Alexander Setzer
Abstract:
We study the consensus problem in a synchronous distributed system of $n$ nodes under an adaptive adversary that has a slightly outdated view of the system and can block all incoming and outgoing communication of a constant fraction of the nodes in each round. Motivated by a result of Ben-Or and Bar-Joseph (1998), showing that any consensus algorithm that is resilient against a linear number of cr…
▽ More
We study the consensus problem in a synchronous distributed system of $n$ nodes under an adaptive adversary that has a slightly outdated view of the system and can block all incoming and outgoing communication of a constant fraction of the nodes in each round. Motivated by a result of Ben-Or and Bar-Joseph (1998), showing that any consensus algorithm that is resilient against a linear number of crash faults requires $\tilde Ω(\sqrt{n})$ rounds in an $n$-node network against an adaptive adversary, we consider a late adaptive adversary, who has full knowledge of the network state at the beginning of the previous round and unlimited computational power, but is oblivious to the current state of the nodes.
Our main contributions are randomized distributed algorithms that achieve almost-everywhere consensus w.h.p. against a late adaptive adversary who can block up to $εn$ nodes in each round, for a small constant $ε>0$. Our first protocol achieves binary and plurality consensus, and the second one achieves multi-value consensus. Both of our algorithms succeed in $O(\log n)$ rounds with high probability, thus showing an exponential gap to the aforementioned lower bound for strongly adaptive crash-failure adversaries, which can be strengthened to $Ω(n)$ when allowing the adversary to block nodes instead of permanently crashing them. In our algorithms each node contacts only an (amortized) constant number of peers in each communication round. We show that our algorithms are optimal up to constant (resp. sub-logarithmic) factors by proving that every almost-everywhere consensus protocol takes $Ω(\log_d n)$ rounds in the worst case, where $d$ is an upper bound on the number of communication requests initiated per node in each round. We complement our theoretical results with an experimental evaluation of the first protocol revealing a short convergence time.
△ Less
Submitted 2 May, 2018;
originally announced May 2018.
-
Modelling Bitcoin in Agda
Authors:
Anton Setzer
Abstract:
We present two models of the block chain of Bitcoin in the interactive theorem prover Agda. The first one is based on a simple model of bank accounts, while having transactions with multiple inputs and outputs. The second model models transactions, which refer directly to unspent transaction outputs, rather than user accounts. The resulting blockchain gives rise to a transaction tree. That model i…
▽ More
We present two models of the block chain of Bitcoin in the interactive theorem prover Agda. The first one is based on a simple model of bank accounts, while having transactions with multiple inputs and outputs. The second model models transactions, which refer directly to unspent transaction outputs, rather than user accounts. The resulting blockchain gives rise to a transaction tree. That model is formalised using an extended form of induction-recursion, one of the unique features of Agda. The set of transaction trees and transactions is defined inductively, while simultaneously recursively defining the list of unspent transaction outputs. Both structures model standard transactions, coinbase transactions, transaction fees, the exact message to be signed by those spending money in a transaction, block rewards, blocks, and the blockchain, and the second structure models as well maturation time for coinbase transactions and Merkle trees. Hashing and cryptographic operations and their correctness are dealt with abstractly by postulating corresponding operations. An indication is given how the correctness of this model could be specified and proven in Agda.
△ Less
Submitted 17 April, 2018;
originally announced April 2018.
-
Skueue: A Scalable and Sequentially Consistent Distributed Queue
Authors:
Michael Feldmann,
Christian Scheideler,
Alexander Setzer
Abstract:
We propose a distributed protocol for a queue, called \textsc{Skueue}, which spreads its data fairly onto multiple processes, avoiding bottlenecks in high throughput scenarios. \textsc{Skueue} can be used in highly dynamic environments, through the addition of join and leave requests to the standard queue operations enqueue and dequeue. Furthermore \textsc{Skueue} satisfies sequential consistency…
▽ More
We propose a distributed protocol for a queue, called \textsc{Skueue}, which spreads its data fairly onto multiple processes, avoiding bottlenecks in high throughput scenarios. \textsc{Skueue} can be used in highly dynamic environments, through the addition of join and leave requests to the standard queue operations enqueue and dequeue. Furthermore \textsc{Skueue} satisfies sequential consistency in the asynchronous message passing model. Scalability is achieved by aggregating multiple requests to a batch, which can then be processed in a distributed fashion without hurting the queue semantics. Operations in \textsc{Skueue} need a logarithmic number of rounds w.h.p. until they are processed, even under a high rate of incoming requests.
△ Less
Submitted 20 August, 2018; v1 submitted 21 February, 2018;
originally announced February 2018.
-
Trace and Stable Failures Semantics for CSP-Agda
Authors:
Bashar Igried,
Anton Setzer
Abstract:
CSP-Agda is a library, which formalises the process algebra CSP in the interactive theorem prover Agda using coinductive data types. In CSP-Agda, CSP processes are in monadic form, which sup- ports a modular development of processes. In this paper, we implement two main models of CSP, trace and stable failures semantics, in CSP-Agda, and define the corresponding refinement and equal- ity relations…
▽ More
CSP-Agda is a library, which formalises the process algebra CSP in the interactive theorem prover Agda using coinductive data types. In CSP-Agda, CSP processes are in monadic form, which sup- ports a modular development of processes. In this paper, we implement two main models of CSP, trace and stable failures semantics, in CSP-Agda, and define the corresponding refinement and equal- ity relations. Because of the monadic setting, some adjustments need to be made. As an example, we prove commutativity of the external choice operator w.r.t. the trace semantics in CSP-Agda, and that refinement w.r.t. stable failures semantics is a partial order. All proofs and definitions have been type checked in Agda. Further proofs of algebraic laws will be available in the CSP-Agda repository.
△ Less
Submitted 14 September, 2017;
originally announced September 2017.
-
Towards a Universal Approach for Monotonic Searchability in Self-Stabilizing Overlay Networks
Authors:
Christian Scheideler,
Alexander Setzer,
Thim Strothmann
Abstract:
For overlay networks, the ability to recover from a variety of problems like membership changes or faults is a key element to preserve their functionality. In recent years, various self-stabilizing overlay networks have been proposed that have the advantage of being able to recover from any illegal state. However, the vast majority of these networks cannot give any guarantees on its functionality…
▽ More
For overlay networks, the ability to recover from a variety of problems like membership changes or faults is a key element to preserve their functionality. In recent years, various self-stabilizing overlay networks have been proposed that have the advantage of being able to recover from any illegal state. However, the vast majority of these networks cannot give any guarantees on its functionality while the recovery process is going on. We are especially interested in searchability, i.e., the functionality that search messages for a specific identifier are answered successfully if a node with that identifier exists in the network. We investigate overlay networks that are not only self-stabilizing but that also ensure that monotonic searchability is maintained while the recovery process is going on, as long as there are no corrupted messages in the system. More precisely, once a search message from node $u$ to another node $v$ is successfully delivered, all future search messages from $u$ to $v$ succeed as well. Monotonic searchability was recently introduced in OPODIS 2015, in which the authors provide a solution for a simple line topology.
We present the first universal approach to maintain monotonic searchability that is applicable to a wide range of topologies. As the base for our approach, we introduce a set of primitives for manipulating overlay networks that allows us to maintain searchability and show how existing protocols can be transformed to use theses primitives.
We complement this result with a generic search protocol that together with the use of our primitives guarantees monotonic searchability.
As an additional feature, searching existing nodes with the generic search protocol is as fast as searching a node with any other fixed routing protocol once the topology has stabilized.
△ Less
Submitted 28 September, 2016; v1 submitted 18 July, 2016;
originally announced July 2016.
-
Towards Establishing Monotonic Searchability in Self-Stabilizing Data Structures (full version)
Authors:
Christian Scheideler,
Alexander Setzer,
Thim Strothmann
Abstract:
Distributed applications are commonly based on overlay networks interconnecting their sites so that they can exchange information. For these overlay networks to preserve their functionality, they should be able to recover from various problems like membership changes or faults. Various self-stabilizing overlay networks have already been proposed in recent years, which have the advantage of being a…
▽ More
Distributed applications are commonly based on overlay networks interconnecting their sites so that they can exchange information. For these overlay networks to preserve their functionality, they should be able to recover from various problems like membership changes or faults. Various self-stabilizing overlay networks have already been proposed in recent years, which have the advantage of being able to recover from any illegal state, but none of these networks can give any guarantees on its functionality while the recovery process is going on. We initiate research on overlay networks that are not only self-stabilizing but that also ensure that searchability is maintained while the recovery process is going on, as long as there are no corrupted messages in the system. More precisely, once a search message from node $u$ to another node $v$ is successfully delivered, all future search messages from $u$ to $v$ succeed as well. We call this property monotonic searchability. We show that in general it is impossible to provide monotonic searchability if corrupted messages are present in the system, which justifies the restriction to system states without corrupted messages. Furthermore, we provide a self-stabilizing protocol for the line for which we can also show monotonic searchability. It turns out that even for the line it is non-trivial to achieve this property. Additionally, we extend our protocol to deal with node departures in terms of the Finite Departure Problem of Foreback et. al (SSS 2014). This makes our protocol even capable of handling node dynamics.
This is the full version of a correspondent paper published at OPODIS'15.
△ Less
Submitted 21 December, 2015;
originally announced December 2015.
-
Minimum Linear Arrangement of Series-Parallel Graphs
Authors:
Martina Eikel,
Christian Scheideler,
Alexander Setzer
Abstract:
We present a factor $14D^2$ approximation algorithm for the minimum linear arrangement problem on series-parallel graphs, where $D$ is the maximum degree in the graph. Given a suitable decomposition of the graph, our algorithm runs in time $O(|E|)$ and is very easy to implement. Its divide-and-conquer approach allows for an effective parallelization. Note that a suitable decomposition can also be…
▽ More
We present a factor $14D^2$ approximation algorithm for the minimum linear arrangement problem on series-parallel graphs, where $D$ is the maximum degree in the graph. Given a suitable decomposition of the graph, our algorithm runs in time $O(|E|)$ and is very easy to implement. Its divide-and-conquer approach allows for an effective parallelization. Note that a suitable decomposition can also be computed in time $O(|E|\log{|E|})$ (or even $O(\log{|E|}\log^*{|E|})$ on an EREW PRAM using $O(|E|)$ processors).
For the proof of the approximation ratio, we use a sophisticated charging method that uses techniques similar to amortized analysis in advanced data structures.
On general graphs, the minimum linear arrangement problem is known to be NP-hard. To the best of our knowledge, the minimum linear arrangement problem on series-parallel graphs has not been studied before.
△ Less
Submitted 16 October, 2014;
originally announced October 2014.
-
RoBuSt: A Crash-Failure-Resistant Distributed Storage System
Authors:
Martina Eikel,
Christian Scheideler,
Alexander Setzer
Abstract:
In this work we present the first distributed storage system that is provably robust against crash failures issued by an adaptive adversary, i.e., for each batch of requests the adversary can decide based on the entire system state which servers will be unavailable for that batch of requests. Despite up to $γn^{1/\log\log n}$ crashed servers, with $γ>0$ constant and $n$ denoting the number of serv…
▽ More
In this work we present the first distributed storage system that is provably robust against crash failures issued by an adaptive adversary, i.e., for each batch of requests the adversary can decide based on the entire system state which servers will be unavailable for that batch of requests. Despite up to $γn^{1/\log\log n}$ crashed servers, with $γ>0$ constant and $n$ denoting the number of servers, our system can correctly process any batch of lookup and write requests (with at most a polylogarithmic number of requests issued at each non-crashed server) in at most a polylogarithmic number of communication rounds, with at most polylogarithmic time and work at each server and only a logarithmic storage overhead.
Our system is based on previous work by Eikel and Scheideler (SPAA 2013), who presented IRIS, a distributed information system that is provably robust against the same kind of crash failures. However, IRIS is only able to serve lookup requests. Handling both lookup and write requests has turned out to require major changes in the design of IRIS.
△ Less
Submitted 23 February, 2015; v1 submitted 17 September, 2014;
originally announced September 2014.
-
The planar minimum linear arrangement problem is different from the minimum linear arrangement problem
Authors:
Alexander Setzer
Abstract:
In various research papers, such as [2], one will find the claim that the minLA is optimally solvable on outerplanar graphs, with a reference to [1]. However, the problem solved in that publication, which we refer to as the planar minimum linear arrangement problem (planar minLA), is different from the minimum linear arrangement problem (minLA), as we show in this article.
In various research papers, such as [2], one will find the claim that the minLA is optimally solvable on outerplanar graphs, with a reference to [1]. However, the problem solved in that publication, which we refer to as the planar minimum linear arrangement problem (planar minLA), is different from the minimum linear arrangement problem (minLA), as we show in this article.
△ Less
Submitted 3 September, 2014;
originally announced September 2014.
-
Basic Network Creation Games with Communication Interests
Authors:
Andreas Cord-Landwehr,
Martina Hüllmann,
Peter Kling,
Alexander Setzer
Abstract:
Network creation games model the creation and usage costs of networks formed by a set of selfish peers. Each peer has the ability to change the network in a limited way, e.g., by creating or deleting incident links. In doing so, a peer can reduce its individual communication cost. Typically, these costs are modeled by the maximum or average distance in the network. We introduce a generalized versi…
▽ More
Network creation games model the creation and usage costs of networks formed by a set of selfish peers. Each peer has the ability to change the network in a limited way, e.g., by creating or deleting incident links. In doing so, a peer can reduce its individual communication cost. Typically, these costs are modeled by the maximum or average distance in the network. We introduce a generalized version of the basic network creation game (BNCG). In the BNCG (by Alon et al., SPAA 2010), each peer may replace one of its incident links by a link to an arbitrary peer. This is done in a selfish way in order to minimize either the maximum or average distance to all other peers. That is, each peer works towards a network structure that allows himself to communicate efficiently with all other peers. However, participants of large networks are seldom interested in all peers. Rather, they want to communicate efficiently only with a small subset of peers. Our model incorporates these (communication) interests explicitly. In the MAX-version, each node tries to minimize its maximum distance to nodes it is interested in.
Given peers with interests and a communication network forming a tree, we prove several results on the structure and quality of equilibria in our model. For the MAX-version, we give an upper worst case bound of O(\sqrt{n}) for the private costs in an equilibrium of n peers. Moreover, we give an equilibrium for a circular interest graph where a node has private cost Ω(\sqrt{n}), showing that our bound is tight. This example can be extended such that we get a tight bound of Θ(\sqrt{n}) for the price of anarchy. For the case of general communication networks we show the price of anarchy to be Θ(n). Additionally, we prove an interesting connection between a maximum independent set in the interest graph and the private costs of the peers.
△ Less
Submitted 23 July, 2012;
originally announced July 2012.
