Bitcoin is one of the most prominent examples of a distributed cryptographic protocol that is extensively used in reality. Nonetheless, existing security proofs are property-based, and as such they do not support composition. In this work, we put forth a universally composable treatment of the Bitcoin protocol. We specify the goal that Bitcoin aims to achieve as an instance of a parameterizable ledger functionality and present a UC abstraction of the Bitcoin blockchain protocol. Our ideal functionality is weaker than the first proposed candidate by Kiayias, Zhou, and Zikas [EUROCRYPT’16], but unlike the latter suggestion, which is arguably not implementable by the UC Bitcoin protocol, we prove that the one proposed here is securely UC-realized by the protocol assuming access to a global clock, to model time-based executions, a random oracle, to model hash functions, and an idealized network, to model message dissemination. We further show how known property-based approaches can be cast as special instances of our treatment and how their underlying assumptions can be cast in UC as part of the setup functionalities and without restricting the environment or the adversary.

比特币是现实中广泛使用的分布式加密协议最突出的例子之一。尽管如此，现有的安全证明是基于属性的，因此它们不支持组合。在这项工作中，我们提出了比特币协议的通用可组合处理方法。我们将比特币要实现的目标指定为可参数化账本功能的实例，并提出比特币区块链协议的 UC 抽象。我们的理想功能比 Kiayias、Zhou 和 Zikas [EUROCRYPT'16] 提出的第一个候选功能要弱，但与后一个建议不同的是，后一个建议可能无法通过 UC 比特币协议实现，我们证明这里提出的功能是安全的 UC -通过协议实现，假设访问全局时钟，对基于时间的执行进行建模，随机预言，对哈希函数进行建模，以及理想化网络，对消息传播进行建模。我们进一步展示了如何将已知的基于属性的方法转换为我们处理的特殊实例，以及如何将它们的基本假设作为设置功能的一部分在 UC 中转换，而不限制环境或对手。