Offchain Contract Data for CSV Protocols
Alice and Bob want to put a token in an offchain contract that expresses:
- Alice can take the token if she reveals the sha3 preimage of a hash within a week
- Otherwise, Bob can take the token
The problem is that Alice does not want to use any onchain data to reveal the preimage. This is possible with the following setup upfront:
- Alice creates a random key K and encrypts her preimage with that key
- In the contract she commits to the resulting ciphertext and also to
- She sends the contract and the ciphertext to Bob
- Bob creates an adaptor signature for Alice to spend the token, such that she reveals the secret key of K by completing the signature. Bob can detect that signature onchain.
- If the decrypted preimage was incorrect, then Alice simply burned her UTXO and cannot prove a valid transition. In contrast, Bob can prove that the preimage was incorrect and receive the token to his fallback UTXO.
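
An added sketch of the flow above (not code from the original page): Bob's adaptor pre-signature, Alice's completion, and Bob's recovery of the secret key of K followed by his check of the decrypted preimage. Assumptions: a simplified Schnorr scheme over secp256k1, a SHAKE-256 XOR keystream as the cipher (the page names neither), and all function names and the signed message are illustrative.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime, group order N, generator G
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: l = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: l = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (l * l - a[0] - b[0]) % P
    return (x, (l * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add; not constant time, illustration only
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def challenge(R, pub, msg):
    data = b"".join(v.to_bytes(32, "big") for v in (*R, *pub)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def xor_cipher(k, data):  # assumed cipher: XOR with a SHAKE-256 keystream of k
    ks = hashlib.shake_256(k.to_bytes(32, "big")).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, ks))

def pre_sign(b, K, msg):  # Bob: signature that stays incomplete until k is added
    r = secrets.randbelow(N - 1) + 1
    R = add(mul(r, G), K)
    return R, (r + challenge(R, mul(b, G), msg) * b) % N

def check(R, s, B, msg, K=None):  # with K: pre-signature check; without: Schnorr
    return add(mul(s, G), K) == add(R, mul(challenge(R, B, msg), B))

def run(true_preimage, encrypted):  # encrypted is what Alice really put in ct
    k, b = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    K, B, msg = mul(k, G), mul(b, G), b"spend token (constructed message)"
    h, ct = hashlib.sha3_256(true_preimage).digest(), xor_cipher(k, encrypted)
    R, s_pre = pre_sign(b, K, msg)
    assert check(R, s_pre, B, msg, K)   # Alice checks Bob's pre-signature
    s = (s_pre + k) % N                 # Alice completes it and publishes (R, s)
    k_seen = (s - s_pre) % N            # Bob recovers k from the onchain s
    opened = xor_cipher(k_seen, ct)     # Bob decrypts with the revealed key
    return check(R, s, B, msg), k_seen == k, hashlib.sha3_256(opened).digest() == h
```

`run` returns three flags: the completed signature verifies, Bob recovered the key, and the decrypted value matches the committed hash. When Alice encrypted the wrong value the third flag is false, and the revealed key together with the ciphertext is what Bob uses to show the mismatch.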