References of "Biryukov, Alex 50000799"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailOn degree-d zero-sum sets of full rank
Beierle, Christof UL; Biryukov, Alex UL; Udovenko, Aleksei UL

in Cryptography and Communications (2019)

A set 𝑆⊆𝔽𝑛2 is called degree-d zero-sum if the sum ∑𝑠∈𝑆𝑓(𝑠) vanishes for all n-bit Boolean functions of algebraic degree at most d. Those sets correspond to the supports of the n-bit Boolean ... [more ▼]

A set 𝑆⊆𝔽𝑛2 is called degree-d zero-sum if the sum ∑𝑠∈𝑆𝑓(𝑠) vanishes for all n-bit Boolean functions of algebraic degree at most d. Those sets correspond to the supports of the n-bit Boolean functions of degree at most n − d − 1. We prove some results on the existence of degree-d zero-sum sets of full rank, i.e., those that contain n linearly independent elements, and show relations to degree-1 annihilator spaces of Boolean functions and semi-orthogonal matrices. We are particularly interested in the smallest of such sets and prove bounds on the minimum number of elements in a degree-d zero-sum set of rank n. The motivation for studying those objects comes from the fact that degree-d zero-sum sets of full rank can be used to build linear mappings that preserve special kinds of nonlinear invariants, similar to those obtained from orthogonal matrices and exploited by Todo, Leander and Sasaki for breaking the block ciphers Midori, Scream and iScream. [less ▲]

Detailed reference viewed: 49 (2 UL)
Full Text
Peer Reviewed
See detailPrivacy Aspects and Subliminal Channels in Zcash
Biryukov, Alex UL; Feher, Daniel UL; Vitto, Giuseppe UL

in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Securit (2019, November)

In this paper we analyze two privacy and security issues for the privacy-oriented cryptocurrency Zcash. First we study shielded transactions and show ways to fingerprint user transactions, including ... [more ▼]

In this paper we analyze two privacy and security issues for the privacy-oriented cryptocurrency Zcash. First we study shielded transactions and show ways to fingerprint user transactions, including active attacks.We introduce two new attacks which we call Danaan-gift attack and Dust attack. Following the recent Sapling update of Zcash protocol we study the interaction between the new and the old zk-SNARK protocols and the effects of their interaction on transaction privacy. In the second part of the paper we check for the presence of subliminal channels in the zk-SNARK protocol and in Pedersen Commitments. We show presence of efficient 70-bit channels which could be used for tagging of shielded transactions which would allow the attacker (malicious transaction verifier) to link transactions issued by a maliciously modified zk-SNARK prover, while would be indistinguishable from regular transactions for the honest verifier/user. We discuss countermeasures against both of these privacy issues. [less ▲]

Detailed reference viewed: 130 (11 UL)
Full Text
Peer Reviewed
See detailCryptocurrencies and Blockchain Technology
Biryukov, Alex UL; García-Alfaro

in Data Privacy Management, Cryptocurrencies and Blockchain Technology - ESORICS 2019 International Workshops (2019, September)

Detailed reference viewed: 9 (0 UL)
Full Text
See detailWhite-Box and Asymmetrically Hard Crypto Design
Biryukov, Alex UL

Presentation (2019, May 18)

In this talk we surveyed some our recent works related to the area of white-box cryptogaphy. Specifically the resource hardness framework from Asiacrypt'2017 and its relation to the incompressibility and ... [more ▼]

In this talk we surveyed some our recent works related to the area of white-box cryptogaphy. Specifically the resource hardness framework from Asiacrypt'2017 and its relation to the incompressibility and weak-WBC. [less ▲]

Detailed reference viewed: 124 (5 UL)
Full Text
Peer Reviewed
See detailTransaction Clustering Using Network Traffic Analysis for Bitcoin and Derived Blockchains
Biryukov, Alex UL; Tikhomirov, Sergei UL

in IEEE INFOCOM 2019 Workshop Proceedings (2019)

Bitcoin is a decentralized digital currency introduced in 2008 and launched in 2009. Bitcoin provides a way to transact without any trusted intermediary, but its privacy guarantees are questionable, and ... [more ▼]

Bitcoin is a decentralized digital currency introduced in 2008 and launched in 2009. Bitcoin provides a way to transact without any trusted intermediary, but its privacy guarantees are questionable, and multiple deanonymization attacks have been proposed. Cryptocurrency privacy research has been mostly focused on blockchain analysis, i.e., extracting information from the transaction graph. We focus on another vector for privacy attacks: network analysis. We describe the message propagation mechanics in Bitcoin and propose a novel technique for transaction clustering based on network traffic analysis. We show that timings of transaction messages leak information about their origin, which can be exploited by a well connected adversarial node. We implement and evaluate our method in the Bitcoin testnet with a high level of accuracy, deanonymizing our own transactions issued from a desktop wallet (Bitcoin Core) and from a mobile (Mycelium) wallet. Compared to existing approaches, we leverage the propagation information from multiple peers, which allows us to overcome an anti-deanonymization technique (“diffusion”) used in Bitcoin. [less ▲]

Detailed reference viewed: 125 (5 UL)
Full Text
Peer Reviewed
See detailPortrait of a Miner in a Landscape
Biryukov, Alex UL; Feher, Daniel UL

in IEEE INFOCOM 2019 Workshop Proceedings (2019)

Mining is one of the core elements of the proof-of-work based cryptocurrency economy. In this paper we investigate the generic landscape and hierarchy of miners on the example of Ethereum and Zcash, two ... [more ▼]

Mining is one of the core elements of the proof-of-work based cryptocurrency economy. In this paper we investigate the generic landscape and hierarchy of miners on the example of Ethereum and Zcash, two blockchains that are among the top 5 in terms of USD value of created coins. Both chains used ASIC resistant proofs-of-work which favors GPU mining in order to keep mining decentralized. This however has changed with recent introduction of ASIC miners for these chains. This transition allows us to develop methods that might detect hidden ASIC mining in a chain (if it exists), and to study how the introduction of ASICs effects the decentralization of mining power. Finally, we describe how an attacker might use public blockchain information to invalidate the privacy of miners, deducing the mining hardware of individual miners and their mining rewards. [less ▲]

Detailed reference viewed: 80 (9 UL)
Full Text
Peer Reviewed
See detailPrivacy and Linkability of Mining in Zcash
Biryukov, Alex UL; Feher, Daniel UL

in Proceedings of 2019 IEEE Conference on Communications and Network Security (2019)

With the growth in popularity for cryptocurrencies the need for privacy preserving blockchains is growing as well. Zcash is such a blockchain, providing transaction privacy through zero-knowledge proofs ... [more ▼]

With the growth in popularity for cryptocurrencies the need for privacy preserving blockchains is growing as well. Zcash is such a blockchain, providing transaction privacy through zero-knowledge proofs. In this paper we analyze transaction linkability in Zcash based on the currency minting transactions (mining). Using predictable usage patterns and clustering heuristics on mining transactions an attacker can link to publicly visible addresses over 84% of the volume of the transactions that use a ZK-proof. Since majority of Zcash transactions are not yet using ZK-proofs, we show that overall 95.5% of the total number of Zcash transactions are potentially linkable to public addresses by just observing the mining activity. [less ▲]

Detailed reference viewed: 145 (18 UL)
Full Text
Peer Reviewed
See detailDeanonymization and linkability of cryptocurrency transactions based on network analysis
Biryukov, Alex UL; Tikhomirov, Sergei UL

in Proceedings of 2019 IEEE European Symposium on Security and Privacy (EuroS&P) (2019)

Bitcoin, introduced in 2008 and launched in 2009, is the first digital currency to solve the double spending problem without relying on a trusted third party. Bitcoin provides a way to transact without ... [more ▼]

Bitcoin, introduced in 2008 and launched in 2009, is the first digital currency to solve the double spending problem without relying on a trusted third party. Bitcoin provides a way to transact without any trusted intermediary, but its privacy guarantees are questionable. Despite the fact that Bitcoin addresses are not linked to any identity, multiple deanonymization attacks have been proposed. Alternative cryptocurrencies such as Dash, Monero, and Zcash aim to provide stronger privacy by using sophisticated cryptographic techniques to obfuscate transaction data. Previous work in cryptocurrency privacy mostly focused on applying data mining algorithms to the transaction graph extracted from the blockchain. We focus on a less well researched vector for privacy attacks: network analysis. We argue that timings of transaction messages leak information about their origin, which can be exploited by a well connected adversarial node. For the first time, network level attacks on Bitcoin and the three major privacy-focused cryptocurrencies have been examined. We describe the message propagation mechanics and privacy guarantees in Bitcoin, Dash, Monero, and Zcash. We propose a novel technique for linking transactions based on transaction propagation analysis. We also unpack address advertisement messages (ADDR), which under certain assumptions may help in linking transaction clusters to IP addresses of nodes. We implement and evaluate our method, deanonymizing our own transactions in Bitcoin and Zcash with a high level of accuracy. We also show that our technique is applicable to Dash and Monero. We estimate the cost of a full-scale attack on the Bitcoin mainnet at hundreds of US dollars, feasible even for a low budget adversary. [less ▲]

Detailed reference viewed: 539 (21 UL)
Full Text
Peer Reviewed
See detailSecurity and Privacy of Mobile Wallet Users in Bitcoin, Dash, Monero, and Zcash
Biryukov, Alex UL; Tikhomirov, Sergei UL

in Pervasive and Mobile Computing (2019)

Mobile devices play an increasingly important role in the cryptocurrency ecosystem, yet their privacy guarantees remain unstudied. To verify transactions, they either trust a server or use simple payment ... [more ▼]

Mobile devices play an increasingly important role in the cryptocurrency ecosystem, yet their privacy guarantees remain unstudied. To verify transactions, they either trust a server or use simple payment verification. First, we review the security and privacy of popular Android wallets for Bitcoin and the three major privacy-focused cryptocurrencies (Dash, Monero, Zcash). Then, we investigate the network-level properties of cryptocurrencies and propose a method of transaction clustering based on timing analysis. We implement and test our method on selected wallets and show that a moderately resourceful attacker can correlate transactions issued from one device with relatively high accuracy. [less ▲]

Detailed reference viewed: 88 (9 UL)
Full Text
Peer Reviewed
See detailReCon: Sybil-Resistant Consensus from Reputation
Biryukov, Alex UL; Feher, Daniel UL

in Pervasive and Mobile Computing (2019)

In this paper we describe how to couple reputation systems with distributed consensus protocols to provide a scalable permissionless consensus protocol with a low barrier of entry, while still providing ... [more ▼]

In this paper we describe how to couple reputation systems with distributed consensus protocols to provide a scalable permissionless consensus protocol with a low barrier of entry, while still providing strong resistance against Sybil attacks for large peer-to-peer networks of untrusted validators. We introduce reputation module ReCon, which can be laid on top of various consensus protocols such as PBFT or HoneyBadger. The protocol takes external reputation ranking as input and then ranks nodes based on the outcomes of consensus rounds run by a small committee, and adaptively selects the committee based on the current reputation. ReCon can tolerate larger threshold of malicious nodes (up to slightly above 1/2) compared to the 1/3 limit of BFT consensus algorithms. [less ▲]

Detailed reference viewed: 34 (3 UL)
Full Text
Peer Reviewed
See detailFELICS-AEAD: Benchmarking of Lightweight Authenticated Encryption Algorithms
Cardoso Dos Santos, Luan UL; Groszschädl, Johann UL; Biryukov, Alex UL

in Smart Card Research and Advanced Applications, 18th International Conference (2019)

Cryptographic algorithms that can simultaneously provide both encryption and authentication play an increasingly important role in modern security architectures and protocols (e.g.\ TLS v1.3). Dozens of ... [more ▼]

Cryptographic algorithms that can simultaneously provide both encryption and authentication play an increasingly important role in modern security architectures and protocols (e.g.\ TLS v1.3). Dozens of authenticated encryption systems have been designed in the past five years, which has initiated a large body of research in cryptanalysis. The interest in authenticated encryption has further risen after the National Institute of Standards and Technology (NIST) announced an initiative to standardize ``lightweight'' authenticated ciphers and hash functions that are suitable for resource-constrained devices. However, while there already exist some cryptanalytic results on these recent designs, little is known about their performance, especially when they are executed on small 8, 16, and 32-bit microcontrollers. In this paper, we introduce an open-source benchmarking tool suite for a fair and consistent evaluation of Authenticated Encryption with Associated Data (AEAD) algorithms written in C or assembly language for 8-bit AVR, 16-bit MSP430, and 32-bit ARM Cortex-M3 platforms. The tool suite is an extension of the FELICS benchmarking framework and provides a new AEAD-specific low-level API that allows users to collect very fine-grained and detailed results for execution time, RAM consumption, and binary code size in a highly automated fashion. FELICS-AEAD comes with two pre-defined evaluation scenarios, which were developed to resemble security-critical operations commonly carried out by real IoT applications to ensure the benchmarks are meaningful in practice. We tested the AEAD tool suite using five authenticated encryption algorithms, namely AES-GCM and the CAESAR candidates ACORN, ASCON, Ketje-Jr, and NORX, and present some preliminary results. [less ▲]

Detailed reference viewed: 8 (6 UL)
Full Text
See detailOn Degree-d Zero-Sum Sets of Full Rank
Beierle, Christof UL; Biryukov, Alex UL; Udovenko, Aleksei UL

E-print/Working paper (2018)

A set S⊆Fn2 is called degree-d zero-sum if the sum ∑s∈Sf(s) vanishes for all n-bit Boolean functions of algebraic degree at most d. Those sets correspond to the supports of the n-bit Boolean functions of ... [more ▼]

A set S⊆Fn2 is called degree-d zero-sum if the sum ∑s∈Sf(s) vanishes for all n-bit Boolean functions of algebraic degree at most d. Those sets correspond to the supports of the n-bit Boolean functions of degree at most n−d−1. We prove some results on the existence of degree-d zero-sum sets of full rank, i.e., those that contain n linearly independent elements, and show relations to degree-1 annihilator spaces of Boolean functions and semi-orthogonal matrices. We are particularly interested in the smallest of such sets and prove bounds on the minimum number of elements in a degree-d zero-sum set of rank n. The motivation for studying those objects comes from the fact that degree-d zero-sum sets of full rank can be used to build linear mappings that preserve special kinds of nonlinear invariants, similar to those obtained from orthogonal matrices and exploited by Todo, Leander and Sasaki for breaking the block ciphers Midori, Scream and iScream. [less ▲]

Detailed reference viewed: 33 (1 UL)
Full Text
Peer Reviewed
See detailAttacks and Countermeasures for White-box Designs
Biryukov, Alex UL; Udovenko, Aleksei UL

in Peyrin, Thomas; Galbraith, Steven (Eds.) Advances in Cryptology – ASIACRYPT 2018 (2018, November)

In traditional symmetric cryptography, the adversary has access only to the inputs and outputs of a cryptographic primitive. In the white-box model the adversary is given full access to the implementation ... [more ▼]

In traditional symmetric cryptography, the adversary has access only to the inputs and outputs of a cryptographic primitive. In the white-box model the adversary is given full access to the implementation. He can use both static and dynamic analysis as well as fault analysis in order to break the cryptosystem, e.g. to extract the embedded secret key. Implementations secure in such model have many applications in industry. However, creating such implementations turns out to be a very challenging if not an impossible task. Recently, Bos et al. proposed a generic attack on white-box primitives called differential computation analysis (DCA). This attack was applied to many white-box implementations both from academia and industry. The attack comes from the area of side-channel analysis and the most common method protecting against such attacks is masking, which in turn is a form of secret sharing. In this paper we present multiple generic attacks against masked white-box implementations. We use the term “masking” in a very broad sense. As a result, we deduce new constraints that any secure white-box implementation must satisfy. Based on the new constraints, we develop a general method for protecting white-box implementations. We split the protection into two independent components: value hiding and structure hiding. Value hiding must pro- vide protection against passive DCA-style attacks that rely on analysis of computation traces. Structure hiding must provide protection against circuit analysis attacks. In this paper we focus on developing the value hiding component. It includes protection against the DCA attack by Bos et al. and protection against a new attack called algebraic attack. We present a provably secure first-order protection against the new al- gebraic attack. The protection is based on small gadgets implementing secure masked XOR and AND operations. Furthermore, we give a proof of compositional security allowing to freely combine secure gadgets. We derive concrete security bounds for circuits built using our construction. [less ▲]

Detailed reference viewed: 767 (20 UL)
Full Text
Peer Reviewed
See detailPrivacy-preserving KYC on Ethereum
Biryukov, Alex UL; Khovratovich, Dmitry; Tikhomirov, Sergei UL

Scientific Conference (2018, May 09)

Identity is a fundamental concept for the financial industry. In order to comply with regulation, financial institutions must verify the identity of their customers. Identities are currently handled in a ... [more ▼]

Identity is a fundamental concept for the financial industry. In order to comply with regulation, financial institutions must verify the identity of their customers. Identities are currently handled in a centralized way, which diminishes users' control over their personal information and threats their privacy. Blockchain systems, especially those with support for smart contracts (e.g.,~Ethereum), are expected to serve as a basis of more decentralized systems for digital identity management. We propose a design of a privacy-preserving KYC scheme on top of Ethereum. It would let providers of financial services leverage the potential of blockchain technology to increase efficiency of customer onboarding while complying with regulation and protecting users' privacy. [less ▲]

Detailed reference viewed: 458 (22 UL)
Full Text
Peer Reviewed
See detailOptimal First-Order Boolean Masking for Embedded IoT Devices
Biryukov, Alex UL; Dinu, Dumitru-Daniel UL; Le Corre, Yann UL et al

in CARDIS 2017: Smart Card Research and Advanced Applications (2018, January 26)

Boolean masking is an effective side-channel countermeasure that consists in splitting each sensitive variable into two or more shares which are carefully manipulated to avoid leakage of the sensitive ... [more ▼]

Boolean masking is an effective side-channel countermeasure that consists in splitting each sensitive variable into two or more shares which are carefully manipulated to avoid leakage of the sensitive variable. The best known expressions for Boolean masking of bitwise operations are relatively compact, but even a small improvement of these expressions can significantly reduce the performance penalty of more complex masked operations such as modular addition on Boolean shares or of masked ciphers. In this paper, we present and evaluate new secure expressions for performing bitwise operations on Boolean shares. To this end, we describe an algorithm for efficient search of expressions that have an optimal cost in number of elementary operations. We show that bitwise AND and OR on Boolean shares can be performed using less instructions than the best known expressions. More importantly, our expressions do no require additional random values as the best known expressions do. We apply our new expressions to the masked addition/subtraction on Boolean shares based on the Kogge-Stone adder and we report an improvement of the execution time between 14% and 19%. Then, we compare the efficiency of first-order masked implementations of three lightweight block ciphers on an ARM Cortex-M3 to determine which design strategies are most suitable for efficient masking. All our masked implementations passed the t-test evaluation and thus are deemed secure against first-order side-channel attacks. [less ▲]

Detailed reference viewed: 112 (7 UL)
Full Text
Peer Reviewed
See detailTriathlon of Lightweight Block Ciphers for the Internet of Things
Dinu, Dumitru-Daniel UL; Le Corre, Yann UL; Khovratovich, Dmitry UL et al

in Journal of Cryptographic Engineering (2018)

In this paper, we introduce a framework for the benchmarking of lightweight block ciphers on a multitude of embedded platforms. Our framework is able to evaluate the execution time, RAM footprint, as well ... [more ▼]

In this paper, we introduce a framework for the benchmarking of lightweight block ciphers on a multitude of embedded platforms. Our framework is able to evaluate the execution time, RAM footprint, as well as binary code size, and allows one to define a custom "figure of merit" according to which all evaluated candidates can be ranked. We used the framework to benchmark implementations of 19 lightweight ciphers, namely AES, Chaskey, Fantomas, HIGHT, LBlock, LEA, LED, Piccolo, PRESENT, PRIDE, PRINCE, RC5, RECTANGLE, RoadRunneR, Robin, Simon, SPARX, Speck, and TWINE, on three microcontroller platforms: 8-bit AVR, 16-bit MSP430, and 32-bit ARM. Our results bring some new insights into the question of how well these lightweight ciphers are suited to secure the Internet of things. The benchmarking framework provides cipher designers with an easy-to-use tool to compare new algorithms with the state of the art and allows standardization organizations to conduct a fair and consistent evaluation of a large number of candidates. [less ▲]

Detailed reference viewed: 110 (1 UL)
Full Text
See detailGuru: Universal Reputation Module for Distributed Consensus Protocols
Biryukov, Alex UL; Feher, Daniel UL; Khovratovich, Dmitry UL

Report (2017)

In this paper we describe how to couple reputation systems with distributed consensus protocols to provide high-throughput highly-scalable consensus for large peer-to-peer networks of untrusted validators ... [more ▼]

In this paper we describe how to couple reputation systems with distributed consensus protocols to provide high-throughput highly-scalable consensus for large peer-to-peer networks of untrusted validators. We introduce reputation module Guru, which can be laid on top of various consensus protocols such as PBFT or HoneyBadger. It ranks nodes based on the outcomes of consensus rounds run by a small committee, and adaptively selects the committee based on the current reputation. The protocol can also take external reputation ranking as input. Guru can tolerate larger threshold of malicious nodes (up to slightly above 1/2) compared to the 1/3 limit of BFT consensus algorithms. [less ▲]

Detailed reference viewed: 421 (30 UL)
Full Text
See detailState of the Art in Lightweight Symmetric Cryptography
Biryukov, Alex UL; Perrin, Léo Paul UL

E-print/Working paper (2017)

Lightweight cryptography has been one of the ``hot topics'' in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in ... [more ▼]

Lightweight cryptography has been one of the ``hot topics'' in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a ``lightweight'' algorithm is usually designed to satisfy. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (\nist{}...) and international (\textsc{iso/iec}...) standards are listed. We then discuss some trends we identified in the design of lightweight algorithms, namely the designers' preference for \arx{}-based and bitsliced-S-Box-based designs and simple key schedules. Finally, we argue that lightweight cryptography is too large a field and that it should be split into two related but distinct areas: \emph{ultra-lightweight} and \emph{IoT} cryptography. The former deals only with the smallest of devices for which a lower security level may be justified by the very harsh design constraints. The latter corresponds to low-power embedded processors for which the \aes{} and modern hash function are costly but which have to provide a high level security due to their greater connectivity. [less ▲]

Detailed reference viewed: 1046 (11 UL)
Full Text
Peer Reviewed
See detailSide-Channel Attacks meet Secure Network Protocols
Biryukov, Alex UL; Dinu, Dumitru-Daniel UL; Le Corre, Yann UL

in Gollmann, Dieter; Miyaji, Atsuko; Kikuchi, Hiroaki (Eds.) Applied Cryptography and Network Security - 15th International Conference, ACNS 2017, Kanazawa, Japan, July 10-12, 2017. Proceedings (2017, June)

Side-channel attacks are powerful tools for breaking systems that implement cryptographic algorithms. The Advanced Encryption Standard (AES) is widely used to secure data, including the communication ... [more ▼]

Side-channel attacks are powerful tools for breaking systems that implement cryptographic algorithms. The Advanced Encryption Standard (AES) is widely used to secure data, including the communication within various network protocols. Major cryptographic libraries such as OpenSSL or ARM mbed TLS include at least one implementation of the AES. In this paper, we show that most implementations of the AES present in popular open-source cryptographic libraries are vulnerable to side-channel attacks, even in a network protocol scenario when the attacker has limited control of the input. We present an algorithm for symbolic processing of the AES state for any input configuration where several input bytes are variable and known, while the rest are fixed and unknown as is the case in most secure network protocols. Then, we classify all possible inputs into 25 independent evaluation cases depending on the number of bytes controlled by attacker and the number of rounds that must be attacked to recover the master key. Finally, we describe an optimal algorithm that can be used to recover the master key using Correlation Power Analysis (CPA) attacks. Our experimental results raise awareness of the insecurity of unprotected implementations of the AES used in network protocol stacks. [less ▲]

Detailed reference viewed: 246 (27 UL)
Full Text
Peer Reviewed
See detailFindel: Secure Derivative Contracts for Ethereum
Biryukov, Alex UL; Khovratovich, Dmitry UL; Tikhomirov, Sergei UL

Scientific Conference (2017, April 07)

Blockchain-based smart contracts are considered a promising technology for handling financial agreements securely. In order to realize this vision, we need a formal language to unambiguously describe ... [more ▼]

Blockchain-based smart contracts are considered a promising technology for handling financial agreements securely. In order to realize this vision, we need a formal language to unambiguously describe contract clauses. We introduce Findel -- a purely declarative financial domain-specific language (DSL) well suited for implementation in blockchain networks. We implement an Ethereum smart contract that acts as a marketplace for Findel contracts and measure the cost of its operation. We analyze challenges in modeling financial agreements in decentralized networks and outline directions for future work. [less ▲]

Detailed reference viewed: 1580 (85 UL)