Skip to content

Instantly share code, notes, and snippets.

@taariq

taariq/Discreet_log_adaptor_sigs.md

Last active May 22, 2018 18:59
Show Gist options
  • Star 4 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save taariq/818a5281bb4edec3c7c8461e5ac2384a to your computer and use it in GitHub Desktop.
Save taariq/818a5281bb4edec3c7c8461e5ac2384a to your computer and use it in GitHub Desktop.
Download ZIP
Mimblewimble Discreet Log Contracts with Adaptor Signatures by Ruben Somsen
Raw
Discreet_log_adaptor_sigs.md

Hi all,

Tadge Dryja's Discreet Log Contracts (DLC) can be combined with Andrew Poelstra's Adaptor Signatures (AS). I'm simply describing the combination of the two existing concepts without any fundamental changes, but I thought it was worth writing out explicitly since I haven't seen any write-up. Hopefully it doesn't contain any errors.

Starting from Schnorr signature [R, s].

In DLC, the oracle will reveal one of multiple possible s values as part of signing the outcome of an event. This s is essentially a private key for which the public key S can be calculated ahead of time (because R is committed to in advance).

In AS, instead of just R (essentially a public key), you add a second public key P of which the payer wishes to obtain the private key p from the payee. Only by revealing p can the payee make the signature valid, and thus receive the payment.

If we use S in place of P, we have essentially combined DLC and AS.

I believe this reduces the complexity of the Bitcoin contracts described in Dryja's DLC paper, since it is no longer possible to submit the wrong state (the signature won't be valid).

As a side note, DLC + graftroot can achieve the same thing.

More detailed example:

Alice and Bob (A and B) want to bet 1 BTC on whether it will rain tomorrow.

Olivia will publish "yes" or "no" under her key O and commitment R.

This means there are two possible values for S:

S1 = R + hash(R, "yes")*O
S2 = R + hash(R, "no")*O

Alice and Bob create a payment channel under key A + B = C with 1 BTC each.

They propose two possible channel updates: 2 BTC for Alice if it rains, or 2 BTC for Bob if it doesn't.

The channel update (simplified to single key C) where Alice wins is signed with:

R1 = r*G + S1
s' = r + hash(R1, transaction)*c

Note that we wrote s' because s is not complete. We added S1 to R, so we need to add s1 to s' in order to get s.

And similarly for Bob:

R2 = r*G + S2
s' = r + hash(R2, transaction)*c

Let's say Bob was right and Olivia signs "no", thereby revealing s2. This now completes the signature: s = s' + s2.

s*G == R2 +  hash(R2, transaction)*C

Cheers, Ruben Somsen

Discreet Log Contracts Youtube: https://www.youtube.com/watch?v=Vpr3vKeByfM Adaptor Scripts: https://download.wpsoftware.net/bitcoin/wizardry/mw-slides/2017-06-iheie-paris/slides.pdf

@kanzure
Copy link

kanzure commented May 22, 2018

http://diyhpl.us/wiki/transcripts/discreet-log-contracts/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment