Which Event Happened First? Deferred Choice on Blockchain Using Oracles

First come, first served: Critical choices between alternative actions are often made based on events external to an organization, and reacting promptly to their occurrence can be a major advantage over the competition. In Business Process Management (BPM), such deferred choices can be expressed in process models, and they are an important aspect of process engines. Blockchain-based process execution approaches are no exception to this, but are severely limited by the inherent properties of the platform: The closed-world environment prevents direct access to external entities and data, and the passive runtime based entirely on atomic transactions impedes continual monitoring and detection of events. In this paper we provide an in-depth examination of the semantics of deferred choice, and transfer them to environments such as the blockchain. We introduce and compare several oracle architectures able to satisfy certain requirements, and show that they can be implemented using state-of-the-art blockchain technology.


Introduction
Noticing a low-level system malfunction, receiving an order from a customer, or a stock finally reaching the strike price-events are pervasive on every layer of abstraction in Business Process Management (BPM) [1]. Often being a part of complex structural and behavioral patterns, individual events directly govern how businesses and their core processes operate. Reacting to events promptly and correctly has a significant impact on the business performance, which is further exacerbated when events occur external to the business and are publicly visible to all competitors.
In today's digital and automated businesses, it is the job of the process engine to keep track of such events and inform running process instances of event detections. Traditionally being deployed on premise or in cloud systems, a process engine monitors external event sources continuously using the wide range of techniques at its disposal, for example via querying public interfaces or subscribing to news channels. This ensures a timely handling of events and execution of processes compliant with their specification, which not only drives the business value of a process but might also carry a legal relevance.
Recent approaches at implementing core aspects of process engines as smart contracts on blockchains, however, face severe issues trying to achieve the same level of support for events. While the integrity, immutability, and non-repudation guarantees of blockchains provide clear benefits [2]-especially in collaborative settings [3]-, they cause a peculiar execution environment which is isolated by design and inherently driven by transactions. That is, process engines neither have the same techniques at their disposal to detect external events or access external data sources, nor are they running constantly outside of discrete transactions resulting in delayed or even missed event detections. This has led to minimal or non-existing support for external events in state-of-the-art blockchain-based process engines [4].
The goal of this paper is to resolve these issues, and provide a tight integration of external events on blockchain despite the idiosyncratic limitations of the platform. We will specifically consider one of the major structural patterns in this context, deferred choice, in which not only the detection of events but also their ordering influences a process [5]. To achieve this, we will analyze the core semantics of external events and deferred choice, and then adapt them to cope with the transaction-driven execution environment of the blockchain. We will provide concrete architectures using oracles to circumvent the isolation and access external event data, which we assess within a prototypical implementation.
The paper is structured as follows: We first introduce preliminaries from the fields of BPM and blockchain technology in Sect. 2. After detailing our guiding research questions in Sect. 3, we start with the definition of a formal execution semantics in Sect. 4. We propose generic oracle architectures to implement the semantics in Sect. 5, and provide a concrete prototype in Sect. 6 which forms the basis of an evaluation in Sect. 7. After giving an overview of related work in Sect. 8, we discuss our results and conclude in Sect. 9.

Preliminaries
In this section, preliminary knowledge about BPM and blockchain technology will be introduced, with a focus on events and how the limitations of blockchain affect them.

Business Process Management and Events
Businesses are driven by recurring processes, in which activities are performed to reach a certain business goal. BPM is concerned with making these processes palpable and support them during their entire lifecycle: from initial identification to structured modeling and execution using a process engine and subsequent optimization [1].
Events are an essential aspect of business processes and refer to "points in time" [1, p. 85] at which something happens, in contrast to activities with a particular duration. Events can take many shapes: The de facto industry standard for business process models, Business Process Model and Notation (BPMN), for example, includes more than 10 types of events [6]. From error events, which represent system errors interrupting the regular process execution, to compensation events, which start attempts at rolling back certain activitiesthere are many options to represent critical business scenarios.
During the execution of a process, a process engine has to detect events as they occur to correctly apply their effects in a timely fashion. This is especially complex for events occurring external to the process engine. Common examples are events caused by explicit external actions, like receiving an order or inquiries from customers within messages. External events can also be caused more implicitly based on properties of the larger execution environment of the process, such as detecting a condition becoming satisfied, e.g., a stock reaching a specific price [5]. Timer events also fall into this category and rely on the current time of the environment [7], allowing absolute or relative temporal constraints to be specified [8].
External events are the core building blocks of one of the fundamental patterns in workflow modeling and BPM: deferred choice [5]. Deferred choice describes situations in which the exclusive choice between alternative execution branches of a process depends on the operating environment, i.e., which of a set of external events is detected first. As these events are caused by actions or circumstances outside the influence of the process engine, the choice is deferred until the first event is detected-essentially modeling a "race condition where the first [e]vent that is triggered wins" [6, p. 298].

Blockchain and BPM
Advancing from its roots in cryptocurrencies [9], blockchain has since emerged as a dedicated software platform which especially lends itself to business processes [3].
Blockchain Technology. Blockchains are distributed ledgers which store and process data and transactions. Smart contracts are programs whose code and state is persisted as data on the blockchain, and which can be called using transactions targeting their exposed functions [10]. The result of these transactions comes into effect during mining, a process in which transactions are ordered, executed, and bundled into a new block cryptographically linked to its predecessor.
Smart contracts and interactions with them enjoy all the benefits of blockchain technology: Their integrity can be easily validated, the origin of transactions can not be repudiated, and the smart contract state can not be forged [10].  This makes them a valuable system component in low trust but high stakes scenarios involving several organizations, such as business process collaborations.

Consumer
As a consequence, however, smart contracts need to adhere to several restrictions caused by the blockchain's idiosyncratic properties. For one, they operate in an isolated closed-world environment for integrity and traceability reasons, meaning they can not access any data or service outside the blockchain itself. Secondly, smart contracts are inherently passive and are only executed within discrete transactions during the mining process. This lends them a kind of transaction-driven character, as they will always be "paused" between transactions and can not implement ongoing behavior such as busy-waiting.
Oracles. In practice, oracles are used to somewhat escape the isolation of blockchains and connect smart contracts to external entities [11]. They generally consist of two components: an off-chain oracle provider, which is not subject to the blockchain's restrictions and can freely access data, services, and entities; and a publicly known oracle smart contract, which serves as a link between the consumers and the oracle provider. Existing oracles usually use one of two basic architectures [12]: The storage oracle (see Fig. 1a) provides synchronous data access by storing current data on the blockchain. On each data update (1a) a transaction is sent (1b) to update a storage variable (1c) in the oracle smart contract. Consumers can then query the oracle smart contract (2a), which directly responds with the last known data (2b).
The request-response oracle (see Fig. 1b) provides asynchronous access to external data, avoiding the use of on-chain storage. Instead, the oracle provider keeps track of the current data, for example by getting updates (1a) and storing them locally (1b). Consumer smart contracts can call the oracle smart contract (2a), which emits the query in an event using the blockchain's event layer (2b). The oracle provider picks up this event (3a), and sends the data to the consumer smart contract in a new transaction (3b).
Blockchain-Based Process Engines. The potential synergy of blockchain technology and BPM was acknowledged early on [2], shortly after first work was conducted to use smart contracts for secure and traceable process execution [3]. This has spawned an impressive amount of research, especially regarding collaborative processes which benefit considerably from the blockchain's security properties [13].
In most approaches, one or more smart contracts keep track of the state of a process instance. Actions within the process are funneled through the smart contract using transactions, which can directly advance the state of the process instance accordingly or be rejected if they do not conform to the process specification. In any case, the blockchain provides a tamper-proof audit log [3]. Such process smart contracts need to implement the correct semantics of the original process model specification. Whether this is achieved using code generation [3,14,15] or interpretation [16] is secondary, as long as each source process concept is mapped to an equivalent smart contract concept.
In practice, this mapping is a particular problem for external events and the deferred choice pattern-which we will elaborate on in the remainder of this paper.

Deferred Choice on Blockchain
The deferred choice pattern relies on capabilities which the blockchain innately lacks-a continuous monitoring of the external environment, conflicting with the passive and isolated environment encapsulating smart contracts. In this section, we will further illustrate these issues, and describe our approach in solving them.

Motivating Example
Railway companies often sell tickets to their trains in advance, especially on long-haul routes. Many companies also provide membership-based discount cards, which give customers a percentage off their ticket price. Optimally, the customer books a ticket with their discount, arrives at the train station before departure, and the ticket is honored. Figure 2 shows this scenario modeled as a BPMN collaboration diagram between the railway company and external actors, in which the train's departure is expressed by a message (e t ) from the Railway Infrastructure Manager (RIM).
Of course, reality is often more complex, and the diagram contains several exception paths after the event-based gateway g-the canonical representation of a deferred choice in BPMN [6]. The customer may cancel their ticket (e c ), a severe weather might prohibit the train's departure (e w ), or the discount card may expire before the train departs (e d ). In all cases, the ticket is voided with a variable display of generosity from the railway company in making amends for the loss of the ticket.

Detecting External Events on Blockchain
In blockchain-based process execution, the business logic expressed in the model in Fig. 2   the process engine. Within some transaction to this smart contract, the process execution will reach the gateway g and the deferred choice is started. The transaction finishes, and the smart contract lies dormant. In Fig. 3, we call this transaction tx. Additionally, the figure shows how the external environment might develop while the smart contract is inactive: First, the customer's discount card expires. Then, the meteorological service issues a severe weather warning. And finally, the customer-perhaps in an attempt to get a refund on the soon-to-be voided ticket-sends a message asking for a ticket cancellation. Being an explicit action by a process participant, this message is issued via a transaction tx , finally waking the smart contract up again. In tx , the smart contract is able to detect e d , since the deadline has passed; it acquires the current weather warning level using an oracle and is able to detect e w ; and the transaction itself leads to the detection of e c . However, it is impossible for the smart contract to decide which event came first and should win the race-which is acutely relevant, since a refund may erroneously be sent.
This example illustrates that the deferred choice pattern is challenging to implement for smart contracts for two reasons: First, the passiveness of smart contracts makes it difficult to perform continuous tasks which process engines have to perform, like monitoring implicit events-e d and e w are missed because there is by default no system automatically issuing a transaction. Second, existing oracle architectures only provide access to current states of external data  Figure 3: Indeterminate behavior of a process smart contract due to temporal gaps between transactions sources, making it impossible to determine when exactly a condition became fulfilled.

Research Questions
The goal of this paper is to enable the correct execution of deferred choice patterns within smart contracts on blockchain to enable full compliance in blockchain-based process execution frameworks. To this end, we plan to address the issues we have identified by answering the following research questions: RQ 1. How can the intended semantics of deferred choice be achieved in a transaction-driven environment like the blockchain? RQ 2. How can the resulting semantics be implemented with the help of practical oracle architectures?
The first questions will be the focus of Sect. 4, while the second question will be tackled in Sect. 5 and onward.

Deferred Choice Execution Semantics
To gauge the impact of transaction-driven execution platforms like blockchains, we introduce a formal semantics of deferred choice from a continual perspective. It comprises of two layers as suggested in literature [5]: the operating environment in which events explicitly occur or whose properties make events implicitly occur, and the deferred choice detecting those events. We then adapt the semantics to the notion of transactions.

Operating Environment
A deferred choice represents a local decision based on external factors outside the influence of the process engine (see Sect. 2.1), which are summarized as the environment: Definition 1 (environment). The (operating) environment encapsulates all actors, systems, and information external to the process engine which are necessary to execute a deferred choice. In particular, this includes a set D of external variables.
Clearly, the environment is tailored to an individual application of the deferred choice pattern. For instance, the environment of the deferred choice g in the train ticket process (see Fig. 2) comprises of two external actors: the customer and the RIM. There also has to be an external variable, say D = {d w }, holding the current weather warning level, which would be stored within a database at the meteorological service. Lastly, the current time is logically part of the environment, and is used to keep track of the discount card expiration.
To keep our definitions concise, we assume in the following that we consider exactly one arbitrary but fixed deferred choice and its associated environment. Likewise, all examples will refer to the deferred choice g from our motivating example (see Sect. 3.1).
While explicit events are usually actively triggered by external actors, implicit events rely on certain environment properties at a specific point in time. For example, conditional events are bound to the values of an external variable, and timer events to the current environment time, all subsumed in the environment state: Definition 2 (environment state). Let D be the domain of all possible values of external variables. Then an environment state s = (t, ν) is a tuple consisting of a timestamp t ∈ N and a valuation function ν : D → D assigning a value to each variable. The set of all environment states is called ES.
We use the natural numbers N as timestamps, which is a common abstraction found in information systems, and results in a discrete and uniform time domain. Naturally, the state of the environment changes and evolves as time passes: Definition 3 (successors). Let s = (t, ν), s = (t , ν ) ∈ ES be environment states. Then s is a successor of s, or s → s , iff t = t + 1.
An example trace of such environment states is shown in the upper part of Tab. 1, e.g., s 1 = (t 1 , ν 1 ) with t 1 = 73 and ν 1 (d w ) = 0. The timestamps grow by 1 in each successive state, and the valuation function changes unpredictably.

Deferred Choice
The structure of a deferred choice is simple: Definition 4 (deferred choice). A deferred choice is made between a non-empty set E of external events.
These events can be both explicit and implicit. In the train ticket example, for instance, the deferred choice g is given by It is helpful to think of a deferred choice as a "race" with a single winner. Like for all races, there are two important milestones: when it starts and when it ends. A deferred choice starts or is activated when it is encountered during process execution, e.g., gateway g is reached; and ends once a winning event is detected, e.g., the expiration of the discount card e d . The detection of events is contingent on the current environment state as well as the one at activation: Definition 5 (event detection). Given a deferred choice E, det : E ×ES ×ES → {true, f alse} is the Boolean detection function with det(e, s a , s) = true, iff an event e can be detected in environment state s assuming activation happened in s a .
In extension, s a , s)} is the set of all implicit events which can be detected under these circumstances.
The concrete definition of det depends on the type of event. Several examples can be seen in the middle part of Tab. 1. For the implicit events, expressions over the environment states can be given: det(e d , s a , s)= t ≥ 76 means that the discount card expires at timestamp 76; and det(e w , s a , s)= ν(d w ) ≥ 2 means that the severe weather warning event e w is detected as the corresponding external variable d w reaches the value 2. Thus, both these events can be detected in s 5 assuming activation at s 1 : E det (s 1 , s 5 ) = {e d , e w }. Explicit events, on the other hand, are based on concrete actions in the environment, e.g., messages sent by external actors, and follow no discernible pattern.

Continual Execution Semantics
In a race, a winner is determined immediately upon their reaching of the goal. Achieving this behavior for deferred choice (see Sect. 2.1) requires a continual observation of the environment to detect events as soon as possible. To express this formally, we propose a state transition system based on the evolution of the deferred choice alongside the environment state: Definition 6 (deferred choice state). Given a deferred choice E, a deferred choice state (s a , s, e) ∈ ES × ES × (E ∪ {nil}) is a tuple with s a the environment state at activation, s the last observed environment state, and e the winning event or nil, if no event has won yet. The set of all such states is called CS.
The initial states of the transition system are determined by the environment state when the deferred choice is activated and the race starts: Definition 7 (initial states). The set CS 0 ⊆ CS of all initial states of a deferred choice E is given by Notably, an initial state might already be the end of the race: If events can be detected immediately, one of them must be chosen. There is no sense of priority; for example (see Tab. 1), (s 5 , s 5 , e d ) and (s 5 , s 5 , e w ) are the valid initial states when starting in s 5 , but (s 1 , s 1 , nil) is the only one when starting in s 1 . The race ends when a winner is found: Using these notions, we can finally define the operational semantics of deferred choice using an unlabeled terminal transition system with initial states [17]: describes its continual execution semantics.
The transition relation includes several constraints. For one, (i) the two referenced environment states need to be direct successors. There can be no gap in time between them, expressing the continual nature of transitions. Further, (ii) if an event wins, it must be among those detected in the new environment state s . Lastly, (iii) the winner may only remain undecided if no event could have been detected.
The bottom part of Tab. 1 shows an example trace (a) of the continual semantics, starting with the state (s 1 , s 1 , nil) ∈ CS 0 . The state evolves alongside the environment, until e d is detected and the transition system arrives in the final state (s 1 , s 4 , e d ) ∈ F.

Transaction-Driven Execution Semantics
The continual execution semantics works under the assumption that each environment state is observed: Deadlines being reached or conditions becoming satisfied will immediately be registered, and corresponding events be detected.
However, this is not the case in a transaction-driven environment like the blockchain. Each change of the deferred choice state, that is activating and transitioning to new states with , needs to be contained within a blockchain transaction. Time passes between transactions, in which the smart contract storing the state lies dormant. This directly leads to environment states being missed, violating rule (i) of the continual transition relation .
Thus, needs to be adapted. Rule (i) needs to be relaxed to allow for gaps, and the other rules modified to cope with those gaps. In a first step, we reconsider the event detection function det. Instead of just checking whether an implicit event may be detected in a single environment state, we extend it to return the time at which an event was first detected-that is, when it crossed the finish line in the race: Definition 10 (timed event detection). Let ∈ N be a fixed and sufficiently large timestamp arbitrarily far in the future that will realistically never be reached in the environment.
Given a deferred choice E, the function det T : E × ES × ES → N determines for det T (e, s a , s) the earliest timestamp at which e could have been detected starting from the environment state s a up to s. If no such timestamp exists, is returned as an indicator that the event could not have been detected.
In extension, t T : ES × ES → N with t T (s a , s) := min{det T (e, s a , s) | e ∈ E} is the earliest detection time of any event, or if none was detected at all.
For example, in the train ticket scenario (see Tab. 1), the discount card first expired at timestamp 76, leading to, e.g., det T (e d , s 1 , s 6 ) = 76. It is also the first event to occur, thus t T (s 1 , s 6 ) = 76 holds as well. Assuming that such a function exists-which we will qualify in the next section-, we can devise of a new transition system: Definition 11 (transaction-driven transition system). Given a deferred choice E, the transition system CS, T , CS 0 , F with a transition relation T ⊆ CS × CS such that (s a , s, nil) T (s a , s , e) ⇐⇒ t < t ∧ describes its transaction-driven execution semantics.
The transaction-driven transition relation T only requires that s is after s and not a direct successor anymore in rule (i)-which allows for the mentioned gaps. Rule (ii) expresses that if an event is chosen as the winner, it must have been detected and no event may have been detected earlier. Rule (iii) checks that the winner remains undecided only if no event could have been detected at all.
Speaking in terms of the race analogy, the transaction-driven semantics basically corresponds to the referee determining the time each participant has finished after the race, and retroactively deciding on the winner. Table 1 shows example traces (b) and (c) for this behavior. In trace (b), we directly transition from the initial state (s 1 , s 1 , nil) to (s 1 , s 6 , e d ), correctly identifying e d as the winner. Trace (c) arrives at the same conclusion.

Timed Event Detection on Blockchain
While the transaction-driven transition relation T ostensibly solves the issues of deferred choice on blockchain, it relies on a major assumption: that a timed detection function det T exists. The actual definition of such a function is needed for an implementation, however, and may be non-obvious depending on the type of event that is concerned. In the scope of this paper, we consider three types of events: Message Events. In blockchain-based process execution, message events usually get translated to transactions as shown in Fig. 3. The detection of a message event is then equivalent to the corresponding transaction being mined, which can easily be retrieved by the smart contract. det T for message events thus comes down to determining whether the current transaction directly corresponds to a message.
Timer Events. Since the exact deadline for absolute and delay for relative timers is known, it is easy to retroactively determine when they should have been detected first. Given, for example, a relative timer event e with a delay δ and a detection function of the form det(e, s a , s)= t a + δ ≤ t, we can directly derive det T : If the delay has passed since activation, it has done so exactly t a + δ. For absolute timer events, det T looks similar.
Conditional Events. The valuation function ν may change arbitrarily between environment states. There is no way to deduce the intermediate values of external variables from the environment states at activation and transitioning alone. Thus, det T can not be specified for conditional events without additional assumptions. We suggest two approaches to this end: The history approach assumes the intermediate environment states s a = s 1 → s 2 → · · · → s n = s and thus all valuations of the external variables are available. Using a simple search, one can then find the earliest timestamp at which the continual detection function det returned true: The publish-subscribe approach moves responsibility towards the environment: We consider a system in which the deferred choice smart contract subscribes to an external variable, and is notified of any changes with transactions. In these transactions, the smart contract could be sure that they have received a complete picture of all conditional event occurences up to that point, and det T (e, s a , s i ) would be equal to det(e, s a , s i ) until an event detection.
A core difference between the approaches is how quickly conditional events are detected after the occur. For the history approach, this entirely depends on the timing of transactions, as events can be detected retroactively. The publish-  subscribe approach, conversely, ensures a very timely reaction to conditional events since we assume an active notification. In contrast to the other event types, though, both the approaches for conditional events currently lack support in practice, which we will examine in the next section.

Extended Oracle Architectures
Oracles are needed to implement conditional events within smart contracts, since they rely on the values of external variables. In addition, these oracles must provide certain functionality to support the transaction-driven semantics-that is, they must either deliver historical data, or provide publish-subscribe services (see Sect. 4.5). However, existing oracle architectures like storage and requestresponse are not capable of either. We propose a set of purposeful extensions and refinements of existing architectures [4,11] precisely targeting these capabilities.

History Oracles
History oracles allow consumers to obtain not only the present value of an external data variable, but also a history of past values. This makes it possible to implement the history approach at timed event detection explained in Sect. 4.5. We introduce two variants of the history oracle: Architecture. The synchronous on-chain history oracle (see Fig. 4a) is a direct extension of the existing storage oracle (see Fig. 1a). The oracle provider observes the external data variable, and on data updates (1a) sends a transaction containing the new value to the oracle smart contract (1b). Instead of overwriting the old value, however, the new value is added to an on-chain database holding a full history of the data (1c). A consumer can then query a slice of this historical data (2a) and immediately receive result (2b).
The asynchronous off-chain history oracle (see Fig. 4b) likewise extends the existing request-response oracle (see Fig. 1b). Again, the oracle provider listens to updates of the external variable (1a), but stores a full history of the valuation off-chain (1b). A consumer smart contract may now submit a query for a  Figure 5: Architecture and behavior of the publish-subscribe oracle slice of the data to the oracle smart contract (2a), which is emitted using the blockchain's event layer (2b). On receiving the query (3a), the oracle provider subsequently provides the requested data in a new transaction (3b).
Interfaces. Table 2 shows the interfaces of all oracle architectures described in this paper in terms of the formalization in Sect. 4. Regular storage and requestresponse oracles, for instance, do not require any input from the consumer smart contract, and return the current value of the external variable from D they target.
Regular history oracles are supplied one parameter, a timestamp from N at which to start the slice of historical values. As an output, consumers will get a list of timestamped data values. Specific points in time can then be found, for example, using a simple binary search.

Publish-Subscribe Oracles
As the name suggests, publish-subscribe oracles employ the well-known publish-subscribe software pattern, and let consumers subscribe to a specific external variable to actively notify them immediately of any changes. The effect is that no historical data needs to be stored, which corresponds to the publishsubscribe approach presented in Sect. 4.5. However, the onus of providing those updates in time is shifted to an off-chain component, in this case the oracle provider.
Architecture. Figure 5 shows the architecture of the publish-subscribe oracle. The off-chain oracle provider observes the external data variable, and on updates (1a) stores the most recent value locally (1b) and also provides it to all subscriber smart contracts already registered (1c). To subscribe, a consumer smart contract queries the oracle smart contract (2a) which emits an appropriate event (2b). This event is picked up by the oracle provider (3a), which adds the consumer smart contract to the list of subscribers (3b) and also provides the current value immediately to avoid any gaps (3c).
Interfaces. From an interface perspective, the regular publish-subscribe oracle is equal to the traditional oracles (see Tab. 2). It does not require additional input, and provides a singular value each time an update occurs. Note that we do not consider unsubscription in detail in the scope of this paper. However, it could trivially be implemented by exposing an unsubscription function, which leads to the consumer smart contract being removed from the list of subscribers.

Conditional Oracle Variants
The oracle architectures above provide a strict separation of responsibilities when it comes to evaluating conditional events: the oracle provides the current value of the external variable, and the process smart contract evaluates specific conditions based on these values locally. This pattern is realistic in that it protects the business knowledge of an organization-conditions themselves may be confidential and stored in protected areas of the blockchain.
However, the cost of operating a system on a blockchain platform heavily depends on both the amount of transactions being performed as well as the size of their payload, owing to the limited amount of storage space available [18]. Thus, we propose conditional oracles as a trade-off between confidentiality and cost by externalizing the evaluation of the condition attached to a conditional event to the oracle, either within its on-chain or off-chain infrastructure. The goal is to cut down on the number of necessary transactions and the amount of data being exchanged.
The conditional variants alter the interfaces of the oracles as shown in the lower half of Tab. 2. As an additional input, an expression from the domain EXPR of all possible expressions is given. We do not specify the structure of those expressions in detail, but require them to yield a Boolean result and only reference external variables the specific oracle provides.
The output will then reflect the evaluation of the condition on the basis of the values of the external variable. This is particularly interesting for history oracles, which either return the earliest timestamp within the bounds given by the start timestamp at which the condition was fulfilled, or to express the condition never evaluated to true-essentially reproducing the detection function given in Sect. 4.5. The conditional publish-subscribe oracle, on the other hand, returns no specific value at all. Instead, a transaction is sent as a signal as soon as the condition becomes true. Overall, this reduces both the amount of transactions needed as well as the payload size of the remaining transactions.

Prototypical Implementation
To prove the feasibility of the transaction-driven semantics and oracle architectures, we developed a prototypical implementation. It enables deployment of individual deferred choices containing message, timer, and conditional events on the blockchain, outside the context of their process. The source code with all necessary information to reproduce our results is available online 1 .

System Design
The design of the prototype is narrowly aligned to that of the various oracle architectures. There are three essential groups of components: (i) the blockchain smart contracts, (ii) the off-chain oracle providers, and (iii) an off-chain simulation framework. Figure 6 shows the overall structure as an UML class diagram. The non-standard contract and event stereotypes are used for smart contract classes and event types, respectively.
The general design goal was to achieve a level playing field for comparing the different semantics and oracles. That is, we refrained from selective optimization of individual approaches. At the same time, the system design is laid out to be as generic as possible, for example streamlining the interfaces to a minimum as explained later in this section.
A major theme of the prototype is a strict separation between synchronous and asynchronous oracles, which results in the dual class layout for the oracle providers, oracle smart contracts, and deferred choices. For each concrete oracle architecture (see Sect. 5), e.g., the synchronous on-chain history oracle, there is a set of three corresponding concrete classes. All custom code related to single or a group of oracle architectures can be moved to these classes. In the following, we will walk through each part of the prototype.

Blockchain Smart Contracts
We use Ethereum [18] as our target blockchain, since it provides all features necessary and its development ecosystem is well-maintained and accessible. The core process logic is contained within smart contracts, which are implemented using the associated Solidity programming language. For the data domain D, we use uint256, which is the largest static and atomic data type that Solidity allows for. Timestamps are also stored using uint256, and is set to the type's largest value 2 256 − 1 which is "sufficiently" (see Def. 10) far-several hundred billion years-in the future.
Oracles. The smart contract classes AsyncOracle and SyncOracle contain the interfaces of the oracles (see Fig. 6). Parameters and query results are encoded in raw byte arrays (bytes) via the same mechanism Ethereum uses to encode transactions. This allows us to use common interfaces for all oracles, from which data can be extracted according to specific interfaces (see Tab. 2). Larger payloads will incur a higher cost following the rules in the standard [18].
For synchronous oracles, the current value or historical values are stored on the blockchain and updated/appended via set. Synchronous oracles may thus directly return a result upon query being called. For asynchronous oracles, the off-chain oracle provider stores data-no setter functions or on-chain storage are needed. Instead, queries are emitted using a custom Query event type containing all the required information for the off-chain oracle provider. Consumers need to extend an additional OracleConsumer contract to receive the later callback transaction.
A primary concern for asynchronous oracles is achieving correlation: A consumer needs to be able to link the transaction providing the query result to the query itself. In practice, there are various strategies. For example, Provable 2 returns a unique query ID, which is attached alongside the query result for later matching. In our prototype, consumers choose an ID themselves in the form of the corr value.
Deferred Choice. The contract class Choice and its children implement the state and behavior of deferred choice. Calling activate via a transaction initially activates the deferred choice (equivalent to picking a valid initial state from CS 0 ), and trigger is used to perform a step of the transition relation T and potentially trigger an event and pick it as the winner.
In this context, the non-determinism of the transition system is an issueif multiple events are detected at the same time, both are valid winners and there is no sense of priority (see Sect. 4.3). Smart contracts are deterministic, though, and one event needs to be chosen. To this end, we opted for a two-phase strategy: Transactions may include a preferred event e i for each action which is   Figure 7 shows a schematic overview of the actions performed within all transactions depending on the oracle type. The complexity of the asynchronous oracles becomes especially apparent since the smart contract needs to keep track of all oracle callbacks, and asynchronously continue the event detection across transactions once the required external variable values are all gathered.

Off-Chain Components
The off-chain components are implemented in Javascript using Node.js and the Ethereum connector library web3.js.
Oracle Providers. The oracle providers are responsible for bridging the gap between the oracle smart contract and the external variable they observe. They manage communication responsibilities, mainly updating the oracle smart contract and sending responses to consumer requests depending on the oracle type. In the scope of this paper, we do not further investigate the connection to the original source of the variable. Existing approaches using RESTful APIs or similar can be used in practice.
Simulation Framework. To evaluate our proposals, we implemented a framework to simulate oracles and deferred choices in a reproducible way. For example, one such simulation may re-enact the scenario used in our running example in Tab. 1. To this end, a set of Simulator instances replay pre-defined lists of actions on their targets, e.g., sending data updates to an oracle provider or calling activation and trigger logic on a deferred choice contract.

Evaluation
We evaluated our approach using the prototype from two perspectivesthe correctness as well as the overall cost. All simulations were performed on a private Ethereum network with a single node running an official implementation of the Ethereum protocol (Go Ethereum, v1.9.21), using a virtual machine with 12 GB of RAM and 4 CPUs. The detailed specification and raw results of all simulations are available online alongside the prototype.

Correctness
To verify the correctness of the transaction-driven semantics implementation, we generated n random deferred choices, each with k events e 0 , ..., e k−1 . An associated simulation timeline was chosen specifically such that the events occur sequentially in order; that is, a transaction is sent for explicit events, a deadline is passed for timer events, or a condition on an oracle becomes true for conditional events. As a result, event e 0 is always the unambiguous winner and must be chosen by a correct approach.
To serve as a baseline, we implemented the regular storage and requestresponse oracles and the continual semantics as well. Each of the 10 oracle variants was then used to simulate n = 60 scenarios, half of which with k = 5 events and the other half with k = 10 events. With a delay of 60 s between subsequent groups of transactions, the experiment took around four days (99:22:10) in total.
The share of simulations which yielded the correct winner e 0 is shown in Tab. 3 for each regular and conditional oracle variant. The transaction-driven semantics approaches perform without fail, giving evidence that they indeed describe the intended behavior of deferred choice and that the implementation is accurate. As expected, the continual semantics using the traditional oracles encounter issues when certain event configurations resembling the problematic example in Sect. 3.2 are generated-they only pick the correct winner in around 35% of cases, i.e., those in which the first event randomly turns out be explicit.

Cost
Cost is a major factor that influences the adoption of any approach in practice. On Ethereum, cost is expressed using gas, a stable measure that quantifies the computational complexity and storage requirements of a transaction, and directly translates to the cost in cryptocurrency. We compare the gas cost of all approaches using a series of simulations. Again, the traditional oracle patterns storage and request-response are included for comparison.
Simulation Design. All simulation scenarios follow the same pattern, in which c deferred choices consisting of exactly one conditional event each access a single shared oracle. The oracle receives u data updates. A trigger transaction is sent to each deferred choice at each fifth update, of which only the last will lead to the conditional event's detection by design. This recreates a realistic timeline of events for an oracle with multiple consumer contracts. Deployment Cost. Initially, the smart contracts need to be created on the blockchain, incurring a one-time deployment cost contingent on the code size. Table 4 shows the average deployment costs we have observed. For oracles, there are three significant outliers owing to their more complex code: the regular onchain history oracle contains code to return the correct slice of historical data, and the two synchronous conditional oracles contain code to evaluate conditions. As expected, they are thus more expensive to deploy.
For deferred choice, the differences are less pronounced. There is a clear indication, though, that the externalization of evaluation logic to the oracle for the conditional variants reduces the code complexity of the choice itself, and that the more powerful approaches like publish-subscribe and history oracles require larger smart contracts.
Operating Cost. The operating cost was derived by dividing the total cost minus deployment costs by the number of consumers c, arriving at an average cost per consumer. The results were normalized globally from the minimum (165,407 gas for the storage oracle with c = 20, u = 1) to the maximum (1,656,007 gas for the publish-subscribe oracle with u = 30), producing the overview shown in Fig. 8.
Several observations are immediately apparent: All synchronous oracles (Fig. 8a-d) become relatively less expensive the more consumers share the cost, as visible by the decline along the y-axis. This is not the case for asynchronous oracles (Fig. 8e-j), as their cost linearly scales with the number of consumers.    Naturally, the more updates there are, the more expensive the approaches tend to get, albeit on different scales. This is especially evident for the on-chain history (Fig. 8c-d) and the regular off-chain history (Fig. 8g) oracles, which show a clear superlinear trajectory on the x-axis because of storage and payload cost increases. This is not the case for the other oracles, which experience at most a linear growth alongside the number of updates. Notably, while the regular publishsubscribe oracle is the most expensive in our tests, it exhibits a very predictable and linear growth of cost per update, which is not tied to storage or payload requirements.
Interestingly, the conditional variants of the storage and request-response oracles are almost exactly as expensive as their regular counterparts. This is mainly due to Ethereum's padding of transaction parameters to words (256 bit), making a Boolean value take up just as much space as an integer. However, for history oracles the effect is very apparent, and for publish-subscribe considerable: the conditional variants outperform the regular variants by a steady margin the larger the payloads get and the more transactions are to be sent.

Related Work
In this paper, we have considered the semantics of deferred choice in formal terms, proposed concrete oracle architectures, and provided a blockchain-based implementation. Accordingly, we refer to related work from these three areas.
Deferred Choice Semantics. In their seminal research on workflow patterns, Russell et al. describe the semantics of deferred choice using colored Petri nets [5]. The "moment of choice", that is waiting for an event to occur, is modeled as a place, and each alternative path as an outgoing transition. Thus, only one branch may be taken per token. Most subsequent literature to this day adopts these semantics: Dijkman et al. [19], for instance, use the Petri net abstraction for analysis and verification purposes. The BPMN standard itself describes a similar token system, but each outgoing branch initially receives a token and all but one are withdrawn after the choice is made [6]. However, none of the works mentioned considers gaps in perception, or specifically discusses the detection of external events.
Some works by Corradini et al. [20], Houhou et al. [21], or Kheldoun et al. [22], are more focussed on collaborations, and thus spend more time on deferred choice. However, they only consider explicit message events and their detection. There is no notion of transactions or external data sources, and no discussion of the interplay with implicit-timer, conditional, or otherwiseevents.
Kossak et al. provide the most detailed discussion of the semantics of deferred choice as modeled using event-based gateways in BPMN [23]. Their main focus, however, is on instantiating event-based gateways and their incon-sistencies, which are a special flavor of deferred choice that is not immediately applicable to this paper.
Overall, we find that existing literature on the semantics of deferred choice is mostly focused on verification, and if external events are considered at all this is mostly limited to messages. We thus provide a novel perspective that is especially useful for transaction-driven environments.
Oracle Architectures. An important aspect of this paper is the proposal of oracle architectures as extended and refined from our own previous work [4]. While these are directly based on existing oracle patterns (see Sect. 2.2) [11], we extend their capabilities specifically-but not limited-to support of deferred choice. This focus is, to the best of our knowledge, yet unexplored: In an exhaustive literature survey focused on trust considerations, Al Breiki et al. identify only three fundamental oracle design patterns in literature and practice [12]. Two of them correspond to the basic storage and request-response patterns. A third is called publish-subscribe pattern by the authors, but is different to the pattern of the same name we propose: While the goal is to access data "that is expected to change" [12], this is achieved through on-chain or off-chain flags which are manually polled. This renders them insufficient for implementing transaction-driven semantics using the publish-subscribe strategy (see Sect. 10), since the active notification of changes is a prerequisite.
Other existing work in the oracle area is chiefly concerned with the core functionality of oracles, that is, providing external data to smart contracts on the blockchain. As such, trust [24], reliability [25], or integration aspects [26] are paramount, more so than deviating from standard architectures to support specific workflow patterns.
Deferred Choice on Blockchain. Numerous approaches at blockchain-based process execution have emerged, ranging from limited prototypes to powerful process engines with support for a wide range of business process constructs (see Sect. 2.2) [13]. However, deferred choice in its entirety is rarely among those supported constructs.
López-Pintado et al. implement deferred choice only for internal as well as message events in their Caterpillar engine, which circumvents the problem of gaps in perception since no implicit external events occur [14]. Approaches like Lorikeet [27] and others [28,29,16,30,3] likewise suggest some support for deferred choice for messages and internal events, but do not discuss related issues in detail. This uncertainty is exacerbated by the fact that prototypical implementations are rarely publicly available.
Still, even though deferred choice does not seem to have been a focus in any existing work, some do consider more types of events. In our own work, we implement conditional events to monitor local process data [15]. Some approaches support constructs which can be used to emulate the behavior of external events, like service tasks in Caterpillar [14] or on-chain asset registries in Lorikeet [27]. Weber et al. discuss connecting to external services using a dedicated trigger component, which could also assume the role of a request-response oracle [3]. Similarly, many approaches including all of the above allow the inclusion of custom script annotations within their source models, which could potentially be used to access oracles non-natively and emulate resolution of deferred choice (see Fig. 7) on a process level.
Lastly, temporal constraints and timer events are largely absent in blockchainbased process engines due to the platform's inherent difficulties in these regards [31]. They are sometimes mentioned [15,3,29], but never discussed in detail. Abid et al. provide a notable exception and extend Caterpillar with several notions of timer events, albeit not in a deferred choice setting [32].
In summary, deferred choice has not been the focus of any approach at blockchain-based process execution yet. Thus, we find that our work significantly extends on existing research in numerous fields, and is the first to provide an end-to-end vision of the deferred choice pattern on blockchain.

Discussion and Conclusion
Our research has been guided by the research questions postulated in Sect. 3.3. On a fundamental level, we are confident that we were able to answer both of them: We have shown that the semantics of deferred choice can successfully be transferred to transaction-driven environments like the blockchain, and that we can provide feasible implementations in practice. Some reservations remain, of course: Perhaps most importantly, we did not take into account some concrete network and protocol delays that are present in blockchains and Ethereum in particular: There is no notion of forks, side chains, or confirmation time. As such, our paper presents results obtained in an ideal environment. At the same time, this largely blockchain-agnostic point of view helps keeping our results generalizable in turn.
Further, the prototype is surely not production-ready. Authentication and security features were omitted completely, and several optimizations were left out to not unfairly influence the direct comparison of the oracles. We also do not support some deferred choice and oracle configurations, e.g., multiple types of oracles being used in the same deferred choice instance. These design decisions were necessary to keep the development scope manageable.
Still, the prototype and results of our evaluation provide important insights for future blockchain-based process engines and associated oracle development. In particular, it is apparent that supporting deferred choice comes at a price, and the required novel oracle architectures tend to be more expensive than existing approaches with less functionality. More gravely, due to the platform's storage limitations, some approaches might not be feasible for all data sources and scenarios: We have shown that on-chain history oracles might quickly become infeasible when the exponential pricing of storage in Ethereum fully comes into to play with growing storage demands. There are, of course, conceivable solutions to this, e.g., only storing data for a certain amount of time to keep demands on a constant level. On the other hand, we have shown that conditional publish-subscribe oracles can even outperform existing oracle architectures without any optimization.
To summarize, in this paper we have considered the issues regarding the conceptual as well as practical implementation of the deferred choice workflow pattern in transaction-driven execution environments like the blockchain. To this end, we formally characterized the source and cause of these issues, and provided several strategies to resolve them. We adapted blockchain-agnostic oracle architectures to support these strategies in practice, and showed the feasibility of the both the formal and the architectural results by a proof-of-concept implementation. The fundamental outcomes of this paper may serve as a blueprint for future blockchain-based process engines.