Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Mimblewimble Discreet Log Contracts with Adaptor Signatures by Ruben Somsen

Hi all,

Tadge Dryja's Discreet Log Contracts (DLC) can be combined with Andrew Poelstra's Adaptor Signatures (AS). I'm simply describing the combination of the two existing concepts without any fundamental changes, but I thought it was worth writing out explicitly since I haven't seen any write-up. Hopefully it doesn't contain any errors.

Starting from Schnorr signature [R, s].

In DLC, the oracle will reveal one of multiple possible s values as part of signing the outcome of an event. This s is essentially a private key for which the public key S can be calculated ahead of time (because R is committed to in advance).

In AS, instead of just R (essentially a public key), you add a second public key P of which the payer wishes to obtain the private key p from the payee. Only by revealing p can the payee make the signature valid, and thus receive the payment.

If we use S in place of P, we have essentially combined DLC and AS.

I believe this reduces the complexity of the Bitcoin contracts described in Dryja's DLC paper, since it is no longer possible to submit the wrong state (the signature won't be valid).

As a side note, DLC + graftroot can achieve the same thing.

More detailed example:

Alice and Bob (A and B) want to bet 1 BTC on whether it will rain tomorrow.

Olivia will publish "yes" or "no" under her key O and commitment R.

This means there are two possible values for S:

S1 = R + hash(R, "yes")*O
S2 = R + hash(R, "no")*O

Alice and Bob create a payment channel under key A + B = C with 1 BTC each.

They propose two possible channel updates: 2 BTC for Alice if it rains, or 2 BTC for Bob if it doesn't.

The channel update (simplified to single key C) where Alice wins is signed with:

R1 = r*G + S1
s' = r + hash(R1, transaction)*c

Note that we wrote s' because s is not complete. We added S1 to R, so we need to add s1 to s' in order to get s.

And similarly for Bob:

R2 = r*G + S2
s' = r + hash(R2, transaction)*c

Let's say Bob was right and Olivia signs "no", thereby revealing s2. This now completes the signature: s = s' + s2.

s*G == R2 +  hash(R2, transaction)*C

Cheers, Ruben Somsen

Discreet Log Contracts Youtube: https://www.youtube.com/watch?v=Vpr3vKeByfM Adaptor Scripts: https://download.wpsoftware.net/bitcoin/wizardry/mw-slides/2017-06-iheie-paris/slides.pdf

@kanzure

This comment has been minimized.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.