Formally Specifying Blockchain Protocols

Size: px

Start display at page:

Download "Formally Specifying Blockchain Protocols"

Beryl Warren
5 years ago
Views:

1 Formally Specifying Blockchain Protocols 1

2 IOHK company building blockchain applications research focused invested in functional programming built Cardano network, Ada cryptocurrency 2

3 Blockchain Protocols 3

4 Permission-less Decentralised Ledger decentralisation no trusted authority permission-less anyone can join persistence established entries can not be deleted liveness entries submitted to the system will be included 4

5 Bitcoin Blockchain Block Block Block Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx 5

6 Bitcoin Blockchain Block Block Block Prev Hash Prev Hash Prev Hash Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx 5

7 Bitcoin Blockchain Block Block Block Prev Hash Prev Hash Prev Hash Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx split ledger into blocks everyone takes turns, assume honest majority permission-less: Sybil attack 5

8 Bitcoin Blockchain Block Block Block Nonce Nonce Nonce Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx split ledger into blocks everyone takes turns, assume honest majority permission-less: Sybil attack Proof of Work 5

9 Proof of Work randomised leader election, one CPU, one vote reward the winner longest chain wins: hard to revert old blocks unless you have >50% of CPUs problems: huge energy consumption mining pools lead to centralisation 6

10 Proof of Stake Different leader selection: weighted by stake each time slot, randomly pick one coin owner produces a block needs randomness, naive approaches vulnerable to grinding attack 7

11 Ouroboros First Provably Secure Proof of Stake Protocol split time into slots, elect leader for each slot based on stake stakeholders are responsible for agreeing on randomness for next epoch proven secure against adversary with less than 50% stake running in production in Cardano 8

12 Ouroboros Praos extension of Ouroboros to semi-synchronous setting deal gracefully with message delay as delay increases, adversary grows stronger currently implementing for future versions of Cardano 9

13 From Paper to Implementation 10

14 Paper and Implementation publication high level of abstraction written in plain English and mathematical formulae has proofs of security code deals with all the details written in Haskell proofs? 11

15 Small Steps no Big Leap translate the algorithm to a formal language executable specification same level of abstraction small steps of incremental refinement small enough to verify/prove explicit design decisions simulate & test every refinement 12

16 Process Calculi model distributed systems by processes and channels parallel and sequential composition sending and receiving data observational equivalence, bisimilarity equational reasoning P Q : P α P,Q α Q,P Q <latexit sha1_base64="lzjg5h427flcezllf9hb+5t6aaa=">aaacv3icdzfnsysxfibpjfvr/aq6dbmuqqspu1hn9q6kblxowarqgcuzng2dmcmqzo6ldp0v/ibbhfev3i3ph6cilwqe3jfnjdmjm8g18bxxx10qla+sltcq6xubw9vvnd1blxnfwydkidv9jjojnrko4uaw+0wxtglb7ulhq2l+94cpzwv6y8yzixicpnzakrpr9aqycgdnumoyr4vxb/q+55+fzohsygexp5oahjonpp2bwfj8odkolpz7eklirkic2glpfxe0brdufsw1sa962kh7mxhb28o/w0czqd6jw9ybue8aepsqz2ff0jxhqaecte42vmxebsrdqwctsphrlif9xchrwkwxytoqzm+akcpr9mlakrtsq2bux4oce63hswx3jmhg+ms2nb/lurkz/ioknma5ysmdhztibtgstkdm+lwxastyallf7v0jhafcauxfvd4o4wfonnabda9th3ejc5vhhw7ggbrgqwuuiyaouhib/07jwxb+uecuuox5vtdz1ozbj7k7byvorve=</latexit> <latexit sha1_base64="x+abkuyvnx4rau/rsrbn7cmnzv8=">aaacv3icdzhnsgmxfiuzy6u1/lufn7oifaklkvnrx7os3bicglwhm5y7adogm5mhyshl6lp4dl6k4ejfxy3pj1bfdwq+zsm9sw7chdolhefdsudy+fmfwmjxaxllda20vngjrcojbrlbhbwlqvhoytruthn6l0gkucjpbfhwocpvh6lutmtxepdqiijezlqmgdzwuyqyf9ykjxthkdnvuus67vhbbi5opnbyopswr1ieg2fykgs9vgypxdo9dzzpa/yqb7jxv9awgvezfleg7djureqmhu1vi/docvua/o52z8vift562fhapve/i0ga0vgtdkq1ak6igwykzottydfpfu2apecptgzgefevzom3dfgectq4k6rzsczjd7yig0ipqrsanrhovvqdjcy/slaqu6dbxuik1tqmk4o6kcda4ngucydjsjqfgaaimbkrjn2qqlt5i+lsep6h5mg1xnuazhgxakic2kzlti9qyexn6ap5qikiekofvs7kwx82suftwmsrbu1rntep2etful+v0w==</latexit> <latexit sha1_base64="x+abkuyvnx4rau/rsrbn7cmnzv8=">aaacv3icdzhnsgmxfiuzy6u1/lufn7oifaklkvnrx7os3bicglwhm5y7adogm5mhyshl6lp4dl6k4ejfxy3pj1bfdwq+zsm9sw7chdolhefdsudy+fmfwmjxaxllda20vngjrcojbrlbhbwlqvhoytruthn6l0gkucjpbfhwocpvh6lutmtxepdqiijezlqmgdzwuyqyf9ykjxthkdnvuus67vhbbi5opnbyopswr1ieg2fykgs9vgypxdo9dzzpa/yqb7jxv9awgvezfleg7djureqmhu1vi/docvua/o52z8vift562fhapve/i0ga0vgtdkq1ak6igwykzottydfpfu2apecptgzgefevzom3dfgectq4k6rzsczjd7yig0ipqrsanrhovvqdjcy/slaqu6dbxuik1tqmk4o6kcda4ngucydjsjqfgaaimbkrjn2qqlt5i+lsep6h5mg1xnuazhgxakic2kzlti9qyexn6ap5qikiekofvs7kwx82suftwmsrbu1rntep2etful+v0w==</latexit> CCS, CSP, ACP, π-calculus 13

17 Psi Calculus Parametric Family of Process Calculi specify types of terms, conditions, assertions well-established theory and tooling Psi Calculi Workbench 14

18 EDSL in Haskell implement Psi calculus as EDSL in Haskell write Ouroboros Praos in this language starting point for simulations export to proof assistant (Isabelle, Coq) refine, add networking, production code 15

19 Psi in Haskell 16

20 Psi in Haskell add broadcast channels, sub-processes 16

21 Modelling Performance And Failure 17

22 Timeliness in Blockchains how long does it take for transactions to be recorded? how long does it take to join the network? can blocks propagate through the whole network in a single slot? what are the resource requirements for a node? 18

23 Impairment of Quality: ΔQ improper CDF 19

24 ΔQ in Haskell 20

25 Example: Ring 21

26 Example: Ring 21

27 Example: Ring 21

28 Annotate Psi simulations will take ΔQ annotations into account can be ignored when exporting to proof assistant 22

29 Composing ΔQ 23

30 Composing ΔQ Last to Finish: min 23

31 Composing ΔQ First to Finish: max 23

32 Composing ΔQ Sequential Composition: Convolution 23

33 Symbolic ΔQ assign ΔQ terms to atomic operations, channels algebraic rules to manipulate ΔQ expressions complementary to simulations: see why performance is as it is 24

34 High-Assurance Blockchain Implementations cryptocurrencies carry large value blockchains proposed for other critical infrastructure (land deeds) needs to be fit for purpose need high assurance peer reviewed, provably secure protocols high-assurance software development methodology take small steps from protocol to production code design for performance open repository: 25

OUROBOROS PRAOS: AN ADAPTIVELY-SECURE, SEMI-SYNCHRONOUS

OUROBOROS PRAOS: AN ADAPTIVELY-SECURE, SEMI-SYNCHRONOUS PROOF-OF-STAKE BLOCKCHAIN Bernardo David Tokyo Tech & IOHK Peter Gaži IOHK Aggelos Kiayias U. Edinburgh & IOHK Eurocrypt 2018 Alexander Russell U.