Balzac is an high-level language for writing transactions, verifying their correctness, and compiling them into actual Bitcoin transactions. It is based on the formal.
Table of contents
In this contract, A wants to choose a secreta, and reveal it before the deadlined; ifA does not reveal the secret withind,B can redeem the 1B deposit as a compensation:. OnlyAcan choose the first branch, by revealinga. After that, anyone can further reduce the contract, and transfer 1B toA. Only after timed, if therevealhas not been performed, any participant can perform the withdraw in the second branch, which transfers 1B toB.
Fun with Bitcoin smart contracts
Therefore, before the deadlineAhas the option to reveal a avoiding the penalty , or to keep it secret paying the penalty. If no branch is taken by timed, a race condition occurs: in such case, the first one who fires thewithdrawgets the money. Using the preconditionA:! If A reveals, then B can choose not to reveal.
Doing so, however, B will lose his deposit, since, after d0, A can withdraw the 2B deposited in the contract. Instead, if B reveals, the 2B are split between A and B. Note that d0 must be sufficiently greater than d, to avoid the attack whereA waits until the very last moment to reveal her secret, so making it difficult forBto respect the deadline. Now that we have introduced all the primitives of BitML, we can combine them to construct more advanced contracts. For instance, consider a multiparty lottery where n players put their bets in a pot, and a winner — fairly chosen among the players — redeems the whole pot.
We model a lottery similar to the one in [2,3], for two playersA andBwho bet 1B each. The contract preconditions are the following:.
monument to balzac
The contract is the following:. We also show a variant of the two-players lottery which requires no collateral, similarly to [7,16]. Here, B must reveal first. IfB does not reveal his secret by the deadlined, or the secret has not the expected length, then A can redeem 2B. Otherwise, A in turn must reveal by the deadline d0, or letB redeem 2B. If bothA andB reveal, then the winner is determined by comparing the lengths of their secrets. As before, the rational strategy for each player is to choose a secret length 0 or 1, and reveal it.
This makes the lottery fair, even in the absence of a collateral.
- ataturk havalimani bitcoin.
- bursa lowongan kerja btc.
- how to exchange btc for iota on bitfinex;
- bitcoin pasen.
Using similar insights, we can craft contracts for other games. For instance, considerRock-Paper-Scissors, a two players hand game where both players choose simultaneously a hand-shape, and the winner is decided along with the following rules: rock beats scissors, scissors beats paper, and paper beats rock. We model the game for two playersA andBwho bet 1B each, and represent their moves as secrets of length 0 rock , 1 paper , and 2 scissors.
We define the following boolean predicate to determine the winner:. The contract is split in three parts, each with a balance of 2B: the first two parts allow the players to redeem the collaterals by revealing their secrets in time similarly to the first version of the lottery , while the third one computes the winner.
If a and b have the same length i. Notice that if a player chooses a secret of unexpected length, then it may happen that the 2B in the third part of the. In this section we show how to execute on Bitcoin the contracts in Section 2. We start by providing some minimal background on Bitcoin. A transaction rep-resents a transfer of bitcoins, and the sequence of all transactions is stored in a public, append-only data structure called blockchain. When a new transaction T is appended to the blockchain, it redeems bitcoins from one or more transac-tions already on the blockchain.
For the aims of this paper we abstract from the fact that, in Bitcoin, there exist some transactions so-called coinbase which generate bitcoins from nothing, and that transactions are grouped into blocks. The simplest Bitcoin transaction, which transfers 1B to participant A, can be represented as follows, using the notation in :. In our case, the script requires a signature xof A on. To evaluate the script, the formal parameter x will be instantiated to the value of thewitfield calledwitness ofT0.
In the previous figure, the witnessw in TA is the actual parameter used to evaluate the script in T, the transaction. That sum is now under the control ofA, since she is the only participant who can provide the needed witness in T0. To execute a BitML contract, the involved users first translate it into a set of Bitcoin transactions, using the compiler in . Then, they append one or more of these transactions to the Bitcoin blockchain. Intuitively, appending a transaction corresponds to a step of the contract execution, and so it may require users to perform the corresponding actions, like e.
To compile contracts we will often exploit more advanced features of Bitcoin transactions than the above-mentioned ones, like e. Further, we will often use more complex output scripts, and we will specify time constraints on when a transaction can be appended to the blockchain5. We will illustrate these features along with the examples where. After that, they insert the signatures in the wit fields as shown in the figure above. This guarantees that, after the contract starts executing, it can be run until completion. Note that, since bothAandBknow the witness ofTinit, any of them can append such transaction.
In Bitcoin, this corresponds to appending to the blockchain the transaction T0 B , which redeems 1B from Tinit. After that, 1B. The compiler produces the following two transactions:. As before, these signa-tures are exchanged only after all the other signasigna-tures have been exchanged and verified. Once the contract is stipulated, its execution proceeds as in Section3.
- GitHub - balzac-lang/balzac: Balzac is a domain-specific language to write Bitcoin transactions.;
- bitcoin us exchange?
- Scaling Bitcoin workshop : Tel Aviv 2021.
- BALZaC — BALZaC _ documentation!
- bali bitcoin meetup.
To deal with time constraints, we exploit theabsLockfield of the Bitcoin trans-action: namely, setting T. For instance, recall PayAfter from 5. The BitML compiler produces the following two transactions:.
In this way, even if after stipulation all the participants know all the witnesses, T0 B cannot be appended to the blockchain until timed, and as a consequence,B cannot use the 1B inT0 B before such date. Recall nowPayOrRecover from 6. The transactions obtained by compiling it are similar to the previous ones:.
As seen in the previous examples, to implement contract stipulation participants must exchange and verify their signatures on the Bitcoin transactions generated by the compiler.
However, in case of contracts with authorizations, some signa-tures can be provided only during the execution of the contract, after stipulation. For instance, compilingPayAuth in 7 results in the following transactions:. Providing such signature at run time corresponds to the following computation step in BitML:.
Bitcoin transactions can have multiple outputs: in this case, whoever redeems the transaction must specifywhich output it is redeeming. This feature is exploited to compile the split construct of BitML. For instance, compiling PaySplit from 8 produces the following transactions:.
Similarly, the two outputs of Tsplit can be. Assume that the Bitcoin counterpart ofxis a transactionTx, from whichA. Instead, if Tx has. Recall PaySecret from Section 2. To ensure that s a cannot be recovered by brute force, even when N is small6 , we let the actual length of s. In this way, the other participants cannot infers a assumingHto be preimage resistant , nor its length.
Fun with Bitcoin smart contracts
Further,Acannot later on reveal a different secret or a different length assuming collision resistance. The BitML compiler generates the transactions:. These witnesses are provided. As before, we assume thatAcommits to a secrets a by broadcasting its hashh a.