ScriptlessScript_for_DLC.md

Scriptless Script for DLC

Scriptless Script

Assumptions

pk_script
<witness version 0x0X> <public key / EC point : P >

witness
<sign : s > <random point : R >

Schnorr Signature

Assumptions

pk_script
<witness version 0x0X> <public key / EC point : P >

witness
<sign : s > <random point : R >

Schnorr Signature

G is base point for elliptic curve(EC).
R = rG is random point. (EC point)
P = pG is public key. (EC point)

Sign

s = r + H(R,P,m)p

Verify

sG = R + H(R,P,m)P

Proof

s = r + H(R,P,m)p
sG = rG + H(R,P,m)pG
sG = R + H(R,P,m)P

DLC

Alice public and private key is
P_a = x_aG

Bob public and private key is
P_b = x_bG

Fund

Alice and Bob make a combined public key.
The point can be public key for funding.
Fund point P is calculated below.

c = Hash(P_a || P_b)
μ_a = Hash(c || 0x01)
μ_b = Hash(c || 0x02)
P = μ_aP_a + μ_bP_b

Oracle

Olivia(Oracle) publish public key(P_o) and contract point(R_n).
The contract point is related to the schedule Olivia will publish the answer contract.
Here, it is assumed that Olivia(Oracle) will publish the poof of massage "m" n days later.

Olivia(Oracle)'s key pair(public key and private key) is
P_o = x_oG

“Contract point”(R_n) which will be expired n days later and the random nouns(k_n) is
R_n = k_nG

Message is
m : {m_x , m_y}

Olivia publish P_o, R_n and m : {m_x , m_y}.
Alice and Bob may be able to make message lists by theirselves.

Contract

Scenarios

There are two scenarios.
If Olivia proves m_x, Alice get 1.5 BTC and Bob get 0.5 BTC.
If Olivia proves m_y, Alice get 0.5 BTC and Bob get 1.5 BTC.

Contract transactions

Alice and Bob make contracts for all scenarios.
Here, it is two.

The transaction for the first scenario(tx1) is :

Input [0]: Fund
Output[0]: A -> 1.5 BTC
Output[1]: B -> 0.5 BTC

This transaction for the second scenario(tx2) is :

Input [0]: Fund
Output[0]: A -> 0.5 BTC
Output[1]: B -> 1.5 BTC

Random points

In order to make contract transactions, Alice and Bob make random nouns(r_ii) and random points(R_ii) for each transaction.
Here, four points in total.
Alice and Bob make 2 points each, for tx1 and tx2.

Step1

Alice creates random points and the hash of concatenated points (h_Ra),which is for the commitment of these points.
Alice sends h_Ra to Bob.

R_ax = r_axG
R_ay = r_ayG
h_Ra = Hash(R_ax || R_ay)

Bob creates random points and the hash of concatenated points (h_Rb),which is for the commitment of these points.
Bob sends h_Rb to Alice.

R_bx = r_bxG
R_by = r_byG
h_Rb = Hash(R_bx || R_by)

Step2

Alice sends random points to Bob.

Bob sends random points to Alice.

Step3

Alice checks if the hash value is equal to the random points or not.

h_Rb =? Hash(R_bx || R_by)

Bob checks if the hash value is equal to the random points or not.

h_Ra =? Hash(R_ax || R_ay)

Alice and Bob agree R_ax , R_ay , R_bx and R_by.

contract point

Alice and Bob compute
C_x = R_n - Hash(R_n || m_x)P_o
C_y = R_n - Hash(R_n || m_y)P_o

pre sign

Alice computes
s_ax = r_ax + Hash((R_ax+R_bx+C_x) || P || tx1)μ_ax_a
s_ay = r_ay + Hash((R_ay+R_by+C_y) || P || tx2)μ_ax_a

Alice sends s_ax and s_ay to Bob.

Bob computes
s_bx = r_bx + Hash((R_ax+R_bx+C_x) || P || tx1)μ_bx_b
s_by = r_by + Hash((R_ay+R_by+C_y) || P || tx2)μ_bx_b

Bob sends s_bx and s_by to Alice.

Alice checks

s_bxG =? R_bx + Hash((R_ax+R_bx+C_x) || P || tx1)μ_bP_b
s_byG =? R_by + Hash((R_ax+R_bx+C_x) || P || tx2)μ_bP_b

Bob checks

s_axG =? R_ax + Hash((R_ax+R_bx+C_x) || P || tx1)μ_aP_a
s_ayG =? R_ay + Hash((R_ax+R_bx+C_x) || P || tx2)μ_aP_a

N days later

Olivia computes
s_ox = k_n - Hash(R_n || m_x)x_o

Olivia publish s_ox and m_x.

Alice or Bob compute
s = s_ax + s_bx + s_ox
R = R_ax + R_bx + C_x

Alice or Bob send Transaction tx1 with (s,R).

References

Discreet Log Contracts / Thaddeus Dryja
https://adiabat.github.io/dlc.pdf

Re: Discreet Log Contracts / Ruben Somsen
https://lists.launchpad.net/mimblewimble/msg00485.html

Scaling Bitcoin 2018 Signatures Works / Andrew Poelstra / P.17-18
https://download.wpsoftware.net/bitcoin/2018-10-scaling-proposal/slides.pdf

Acknowledgements

Thank you very much for the review and the proofreading of Thaddeus Dryja and Yutaka Nakasone.

This is the basic structure for the way to do it, however:
Alice and Bob can't just send each other s1a and s2a as you described; they need to share different Ra and Rb points for each s they are computing. (otherwise Alice or Bob can find the other party's private key)

Otherwise, the idea is they create a signature where the R value is the sum of their R values as well as the oracles signature public key. R = Ra + Rb + oG

Then they just add the oracle signature to their s value once they have it, as you wrote, s = s1a + s1b + cx

So to set up for 2 possible outcomes:

Alice makes ka1, ka2, multiplies them by G and sends Ra1, Ra2

Bob similarly sends Rb1, Rb2

Both parties compute R1 = Ra1 + Rb1 + so1G, R2 = Ra2 + Rb2 + so2G

Alice computes sa1 = ka1 - h(R, m)a, sa2 = ka2 - h(R1, m)a and sends them over to Bob.

Bob computes sb1 = kb1 - h(R, m)b, sb2 = kb2 - h(R2, m)b and sends them over to Bob.

They can then make the channel or funding transaction. Once the oracle releases so1 or so2, either Alice or Bob can make a valid signature with s = sa1 + sb1 + so1 or s = sa2 + sb2 + so2

This is nice because there are no timeouts and it looks like a normal payment, even in the uncooperative case.

also, initial writeup is here: https://lists.launchpad.net/mimblewimble/msg00485.html

Thank you very much, Tadge.

It was updated.

demo code
https://github.com/tnakagawa/scriptless-script-dlc-demo

Found this through your post on the mailing list. Nice work 👍

• It seems like you can simplify the example to A and B putting in 0.5 BTC and either A or B receiving 1 BTC
• I think H(O,X) should be H(C,O,X)
• Have you considered adding Mu-sig?