Off-chain Execution and Verification of Computationally Intensive Smart Contracts

04/19/2021 ∙ by Emrah Sariboz, et al. ∙ New Mexico State University 0

We propose a novel framework for off-chain execution and verification of computationally-intensive smart contracts. Our framework is the first solution that avoids duplication of computing effort across multiple contractors, does not require trusted execution environments, supports computations that do not have deterministic results, and supports general-purpose computations written in a high-level language. Our experiments reveal that some intensive applications may require as much as 141 million gas, approximately 71x more than the current block gas limit for computation in Ethereum today, and can be avoided by utilizing the proposed framework.



There are no comments yet.


page 1

page 2

page 3

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

A smart contract is a computer program that resides on the Ethereum blockchain and gets executed automatically when predetermined conditions are met. Depending on the complexity, every transaction that modifies a smart contract’s state consumes a certain amount of gas (the unit of cost in the Ethereum blockchain). As a result of this, it becomes infeasible to use smart contracts for computationally intensive applications such as image recognition and zero-knowledge proofs. In this paper, we refer to such contracts as computationally intensive smart contracts (CICs).

Recent studies have explored alternative solutions to eliminate the cost and make CIC execution scalable. Proposed solutions to this end either replicate the CIC’s execution across a small subset of nodes or require a Trusted Execution Environment (TEE), which engenders greater trust. An alternative to the aforementioned methods is to outsource the CIC computation to a third party that does the computation and generates a proof of correctness for the same, that can be verified in polynomial time. Using this approach, the client can verify the returned computation’s correctness in a much more efficient manner than re-executing it. Our work falls into verifiable computation category where we propose a solution that is scalable, avoids duplicating computations, and does not require tamper-resistant hardware or trusted execution environments.

Ii Related Work

Trusted Hardware: TEE has been adopted to alleviate scalability and confidentiality obstructions of smart contracts in [6, 3, 27]. However, recent studies have identified several attack on SGX — we avoid the impact as we do not need SGX[17, 19, 25, 18, 28, 20, 16]. Replicated Computation: Outsourcing CIC execution to a set of delegators has been proposed by [7]; however, this model suffers from the large overhead of replicated computation and lacks support for randomized computations, which we address in our work. Verifiable Computation: Interactive proofs (IPs)  [11] and probabilistically checkable proofs (PCPs) [1] laid the foundations of provable verifiable computation which has been studied in [15, 8, 24, 14, 5, 13, 12, 4]. Despite promising asymptotics, these proof systems are highly impractical and may take inordinately long to verify instances with small input sizes [21]. Another line of work applies the above theoretical foundations to practice on cloud computing settings studied in [22, 23, 26]; however, they are far from being scalable for general-purpose computation. Adoption of zk-SNARKs[2] to verify smart contracts was proposed by [9]; however, their solution requires that the application code be written in a domain-specific language that they designed. This differs from our work as our work supports computations that are written in a high-level language.

Fig. 1: Schematic diagram of interactions between the entities and the corresponding function calls in the framework.

Iii Construction

The components of our framework are as follows: a client (Alice) who wishes to outsource a computationally intensive job, a worker (Bob) who does the computation for the client in exchange for some monetary reward, a miner (Charlie) to validate the transactions, and Broker contract, a smart contract which acts as an intermediary between the client and the worker.

Client’s Operations: Alice writes the details of the smart contract to be executed to her publicly accessible server Step 1 in Figure 1. The details contain the inputs needed for execution, the fee given to a worker, the collateral the worker needs to deposit to register for this job, and the maximum time she is willing to allot for the computation result to be delivered to her. She posts this job creation request to the blockchain  by interacting with the Broker Contract in Step 2. This request contains the URL of her server, which has all the aforementioned details.

Worker’s Operations: If Bob is interested in executing the computation, he goes to the specified server URL to check whether he has enough resources to complete the computation within the requested time interval in Step 3 and registers for the job by depositing the required collateral to Broker Contract in Step 4. He retrieves the inputs needed for the computation from Alice’s server in Step 5. He performs the computation locally in Step 6, generates proof of correctness, and uploads them to his server in Step 7. He then submits the URL to Broker Contract for the verification by calling getPaid() function in Step 8 to get compensated for his work which internally starts the proof-verification mechanism.

Miner’s Operations: Charlie picks up the transaction posted by Bob, executes the Broker Contract, and retrieves the result and proof from Bob’s server in Step 9. The Broker Contract checks whether the proof was posted within a specified time limit, verifies the proof and result, and posts them to Alice’s server. Broker Contract outputs a transaction paying Bob his fee and refunding his collateral if the verifications are successful in Step 10. However, Alice gets refunded her fee and also gets Bob’s collateral if the verifications fail.

Computation Input KeyGen (s) ProofGen (s) Verify (ms)
Matrix Mult. 7070 40.251.48 117.914.24 22
110110 158.438.89 487.4693.50 910
Image Match. 4545 32.230.76 75.121.89 7061
8585 115.893.32 317.888.68 92
MultiVar Poly 500040 36.232.58 140.817.12 82
644170 65.703.60 1220.828.59 82
Floyd-Warshall 1616 45.573.00 112.066.86 12
2525 166.404.36 514.9913.35 37

The mean and standard deviation for computationally intensive applications

Iv Results And Evaluation

The proposed framework’s performance has been evaluated on four computationally intensive applications as in [21].

Matrix Multiplication takes two matrices as an input, and , and computes . Image Matching takes a () sized image kernel and computes the point in an image where the minimum difference happens between the image and the kernel. Multi-Variate polynomial evaluation takes a polynomial of degree , containing coefficients, and evaluates it over () variables taken as inputs. Floyd-Warshall algorithm takes an matrix representing the adjacency matrix of an -vertex graph. It computes the shortest paths among all the vertices.

According to our calculations, the gas required to implement these applications in smart contracts is infeasible given the current block gas limit of 12 million [10], e.g., 142 million gas units for image matching.

Evaluation: The above applications were written in C and first transformed into an arithmetic circuit. Next, the Pinocchio compiler is used to generate Quadratic Arithmetic Program (QAP), evaluation and verification keys [21]. In our experiments, the key generation phase is completed by the client and given to the worker along with the QAP. On receiving these parameters, the worker executes the code and posts the proof to the server he controls.

Our experimental results, detailed in Table I, show that our framework provides quick proof verification, for different sizes of input parameters for all applications. The framework also maintains a constant proof size of 288 bytes in all cases. As expected, we have noticed an increase in the proof generation time with an increase in the application parameters’ size. This growth was linear for all except image matching, which was super linear due to an increase in the number of multiplication gates and equality comparisons in the equivalent arithmetic table.

V Conclusion

We proposed a novel framework for execution and the verification of the CICs by offloading them to a computationally powerful entity using an incentive mechanism. Unlike other proposed solutions, our work prevents replicated computation, eliminates the need for TEEs, and supports computations with random results.


  • [1] S. Arora and S. Safra (1998) Probabilistic checking of proofs: a new characterization of np. Journal of the ACM (JACM) 45 (1), pp. 70–122. Cited by: §II.
  • [2] N. Bitansky, R. Canetti, A. Chiesa, and E. Tromer (2012) From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, ITCS ’12, New York, NY, USA, pp. 326–349. External Links: ISBN 9781450311151, Link, Document Cited by: §II.
  • [3] R. Cheng, F. Zhang, J. Kos, W. He, N. Hynes, N. Johnson, A. Juels, A. Miller, and D. Song (2018) Ekiden: a platform for confidentiality-preserving, trustworthy, and performant smart contract execution. arXiv preprint arXiv:1804.05141. Cited by: §II.
  • [4] K. Chung, Y. T. Kalai, and S. P. Vadhan (2010) Improved delegation of computation using fully homomorphic encryption. In Advances in Cryptology - CRYPTO, pp. 483–501. Cited by: §II.
  • [5] G. Cormode, M. Mitzenmacher, and J. Thaler (2012) Practical verified computation with streaming interactive proofs. In Innovations in Theoretical Computer Science ITCS, pp. 90–112. Cited by: §II.
  • [6] P. Das, L. Eckey, T. Frassetto, D. Gens, K. Hostáková, P. Jauernig, S. Faust, and A. Sadeghi (2019) FastKitten: practical smart contracts on bitcoin. In 28th USENIX Security Symposium (USENIX Security 19), pp. 801–818. Cited by: §II.
  • [7] S. Das, V. J. Ribeiro, and A. Anand (2018) YODA: enabling computationally intensive contracts on blockchains with byzantine and selfish nodes. arXiv preprint arXiv:1811.03265. Cited by: §II.
  • [8] W. Du and M. T. Goodrich (2005) Searching for high-value rare events with uncheatable grid computing. In Applied Cryptography and Network Security, Third International Conference, ACNS, pp. 122–137. Cited by: §II.
  • [9] J. Eberhardt and S. Tai (2018) ZoKrates - scalable privacy-preserving off-chain computations. 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), pp. 1084–1091. Cited by: §II.
  • [10] (2020 (accessed December 16, 2020)) Ethereum stats. External Links: Link Cited by: §IV.
  • [11] U. Feige, S. Goldwasser, L. Lovász, S. Safra, and M. Szegedy (1996) Interactive proofs and the hardness of approximating cliques. Journal of the ACM (JACM) 43 (2), pp. 268–292. Cited by: §II.
  • [12] R. Gennaro, C. Gentry, and B. Parno (2010) Non-interactive verifiable computing: outsourcing computation to untrusted workers. In Advances in Cryptology - CRYPTO, T. Rabin (Ed.), pp. 465–482. Cited by: §II.
  • [13] S. Goldwasser, Y. T. Kalai, and G. N. Rothblum (2008) Delegating computation: interactive proofs for muggles. In

    Proceedings of the 40th Annual ACM Symposium on Theory of Computing STOC

    pp. 113–122. Cited by: §II.
  • [14] P. Golle and I. Mironov (2001) Uncheatable distributed computations. In Topics in Cryptology - CT-RSA 2001, The Cryptographer’s Track at RSA Conference 2001, San Francisco, CA, USA, April 8-12, 2001, Proceedings, pp. 425–440. Cited by: §II.
  • [15] P. Golle and S. G. Stubblebine (2001) Secure distributed computing in a commercial environment. In Financial Cryptography, 5th International Conference, FC 2001, Grand Cayman, British West Indies, February 19-22, 2002, Proceedings, pp. 279–294. Cited by: §II.
  • [16] J. Götzfried, M. Eckert, S. Schinzel, and T. Müller (2017) Cache attacks on Intel SGX. In Proceedings of the 10th European Workshop on Systems Security, pp. 1–6. Cited by: §II.
  • [17] M. Hähnel, W. Cui, and M. Peinado (2017) High-resolution side channels for untrusted operating systems. In 2017 USENIX Annual Technical Conference (USENIX ATC) 17, pp. 299–312. Cited by: §II.
  • [18] S. Lee, M. Shih, P. Gera, T. Kim, H. Kim, and M. Peinado (2017) Inferring fine-grained control flow inside SGX enclaves with branch shadowing. In 26th USENIX Security Symposium (USENIX Security 17), pp. 557–574. Cited by: §II.
  • [19] A. Moghimi, G. Irazoqui, and T. Eisenbarth (2017) Cachezoom: How SGX amplifies the power of cache attacks. In International Conference on Cryptographic Hardware and Embedded Systems, pp. 69–90. Cited by: §II.
  • [20] A. Nilsson, P. N. Bideh, and J. Brorsson (2020) A Survey of Published Attacks on Intel SGX. Technical report Cited by: §II.
  • [21] B. Parno, J. Howell, C. Gentry, and M. Raykova (2013) Pinocchio: nearly practical verifiable computation. In 2013 IEEE Symposium on Security and Privacy, pp. 238–252. Cited by: §II, §IV, §IV.
  • [22] S. T. V. Setty, R. McPherson, A. J. Blumberg, and M. Walfish (2012) Making argument systems for outsourced computation practical (sometimes). In 19th Annual Network and Distributed System Security Symposium, NDSS, Cited by: §II.
  • [23] S. T. V. Setty, V. Vu, N. Panpalia, B. Braun, A. J. Blumberg, and M. Walfish (2012) Taking proof-based verified computation a few steps closer to practicality. In Proceedings of the 21th USENIX Security Symposium, pp. 253–268. Cited by: §II.
  • [24] R. Sion (2005) Query execution assurance for outsourced databases. In Proceedings of the 31st International Conference on Very Large Data Bases VLDB, pp. 601–612. Cited by: §II.
  • [25] J. Van Bulck, N. Weichbrodt, R. Kapitza, F. Piessens, and R. Strackx (2017) Telling your secrets without page faults: stealthy page table-based attacks on enclaved execution. In 26th USENIX Security Symposium (USENIX Security 17), pp. 1041–1056. Cited by: §II.
  • [26] V. Vu, S. T. V. Setty, A. J. Blumberg, and M. Walfish (2013) A hybrid architecture for interactive verifiable computation. In IEEE Symposium on Security and Privacy, SP, pp. 223–237. Cited by: §II.
  • [27] K. Wüst, S. Matetic, S. Egli, K. Kostiainen, and S. Capkun (2020) ACE: asynchronous and concurrent execution of complex smart contracts. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, CCS ’20, New York, NY, USA, pp. 587–600. External Links: ISBN 9781450370899 Cited by: §II.
  • [28] Y. Xu, W. Cui, and M. Peinado (2015) Controlled-channel attacks: deterministic side channels for untrusted operating systems. In 2015 IEEE Symposium on Security and Privacy, pp. 640–656. Cited by: §II.