Skip to content

Latest commit

 

History

History
81 lines (48 loc) · 5.63 KB

README.md

File metadata and controls

81 lines (48 loc) · 5.63 KB

Formal specification for Miniscript in Alloy

This repository contains the Alloy specification of Miniscript - a language for writing (a subset of) Bitcoin Scripts

It is based on the original specification in prose, with a bit of peeking into the source of C++ and Rust implementations.

The specification can be found in miniscript.als

The produced models are best viewed in Alloy viewer with the theme found in the miniscript.thm file applied. Applying the theme will mask unnecessary objects and sets. But please note that sometimes you want to see some of these hidden sets or objects in the model view. Please use the 'Theme' menu in the viewer to customize.

What is modelled

The model is the tree of nodes, each node corresponds to the Miniscript fragment.

The nodes are combined according to the rules that govern correctness and non-malleability properties.

Timelocks are tracked across the node tree so that a predicate on the node can state if there is a conflict between blockheight- and blocktime-based timelocks

Witnesses Sig, Preimage and WitBool can have 'valid' and 'invalid' values, and the model instance can be analysed to understand what witnesses will be required for the particular spend of the script.

Witness configuration can result in some nodes being excluded from the execution (like in Or_i, only one branch will be executed depending on the WitBool in the witness). Nodes that are excluded from the execution with particular witness configuration will be in the IgnoredNode (directly ignored) and TransitivelyIgnoredNode (descendant of ignored) sets. The miniscript.thm theme uses gray color for ignored nodes.

What this can be used for

Implementing Miniscript libraries

The formal spec can be used as an additional reference to original spec. Navigating the formal spec may be easier after you get all the meanings from the prose spec

Generating test cases for implementations

The model viewer of Ally has an ability to export the model instance to .dot file (of Graphviz DOT language). This file can be processed and converted, for example, to the script as a string, the properties of the script and the witnesses for the script. The properties and witnesses can then be compared to the ones generated by the implementation. The current problem is the inability of Alloy analyzer to automate generation of model instances, so you would need to hit 'Next' and then save via 'File/Export' for each instance. Maybe this can be overcome with desktop automation software. Alloy is open-source, so it also might happen in the future that there will be the option to automate instance generation and export to DOT files.

Checking the implementation against the spec

Write a program that uses certain implementation to generate checks for Alloy to check against. It will generate a file that starts with open miniscript, and then has a sequence of predicates each checking the validity of a certain model instance that is generated by that program. And then a check clause that checks all the predicates.

Extending or amending Miniscript

It should be much easier to extend or amend Miniscript when you can check the properties of the model. The Alloy analyzer is for bounded model checking, so the size of the checked model that can be practically checked is limited. Nevertheless, due to small scope hypothesis (which asserts that most bugs can be demonstrated with small counterexamples) checking the properties in Alloy can be valuable tool in addition to reasoning by the human

Exploring the properties of Miniscript

The visualisation of the model instances is excellent in Alloy. The spec can be easily changed and many properties to check against the model can be devised. This makes the spec a good tool to explore the properties of Miniscript

Limitations

Non-malleable satisfaction algorithm is not modelled

It might be possible to model the non-malleable satisfaction algorithm, but currently only the type system that can enforce the static properties of the script, and just satisfactions/dissatisfactions is modelled, without detection if particulare sat/dsat is malleable. With model of non-malleable satisfaction algorithm, it will be possible to check more properties of the runtime behavior of the signer.

Resource limits are not modelled

Modelling resource limits would require to model the properties of Bitcoin script, while this specification is only concerned with Miniscript.

There may be mistakes or omissions in the model

At the moment, the specification was only checked with its internal predicates. It was not checked against any real-world implementation, and even checking against the implementation does not give the ultimate guarantees, so reviews and corrections are always welcome!

There are likely more interesting properties to check

Some of the predicates is checked with well_formed check, but there might be more ways to check for the spec consistency, to check certain properties of the model, or to find interesting instances. Please feel free to share ideas for new predicates to apply to the model !

Authors and contributors

This Miniscript specification in Alloy specification language was created by Dmitry Petukhov and released under a Creative Commons Attribution-ShareAlike 4.0 International License

Miniscript and its original specification in prose was designed and implemented by Pieter Wuille, Andrew Poelstra, and Sanket Kanjalkar at Blockstream Research, but is the result of discussions with several other people.