@tnakagawa
Last active September 17, 2020 15:51

Scriptless Script for DLC

Scriptless Script

Assumptions

pk_script
<witness version 0x0X> <public key / EC point : P >

witness
<sign : s > <random point : R >

Schnorr Signature

G is the base point of the elliptic curve (EC).
R = rG is a random point (EC point).
P = pG is the public key (EC point).

Sign

s = r + H(R,P,m)p

Verify

sG = R + H(R,P,m)P

Proof

s = r + H(R,P,m)p
sG = rG + H(R,P,m)pG
sG = R + H(R,P,m)P

DLC

Alice's key pair (public key Pa, private key xa) is
Pa = xaG

Bob's key pair (public key Pb, private key xb) is
Pb = xbG

Fund

Alice and Bob make a combined public key.
This point can serve as the public key for funding.
The fund point P is calculated as follows.

c = Hash(Pa || Pb)
μa = Hash(c || 0x01)
μb = Hash(c || 0x02)
P = μaPa + μbPb

Oracle

Olivia (the oracle) publishes her public key (Po) and a contract point (Rn).
The contract point is tied to the schedule on which Olivia will publish her answer for the contract.
Here, it is assumed that Olivia will publish the proof of message "m" n days later.

Olivia's key pair (public key Po, private key xo) is
Po = xoG

The "contract point" (Rn), which expires n days later, and its random nonce (kn) are related by
Rn = knG

Message is
m : {mx , my}

Olivia publishes Po, Rn and m : {mx , my}.
Alice and Bob may be able to make the message list by themselves.

Contract

Scenarios

There are two scenarios.
If Olivia proves mx, Alice gets 1.5 BTC and Bob gets 0.5 BTC.
If Olivia proves my, Alice gets 0.5 BTC and Bob gets 1.5 BTC.

Contract transactions

Alice and Bob make contract transactions for all scenarios.
Here, there are two.

The transaction for the first scenario (tx1) is:

Input [0]: Fund
Output[0]: A -> 1.5 BTC
Output[1]: B -> 0.5 BTC

The transaction for the second scenario (tx2) is:

Input [0]: Fund
Output[0]: A -> 0.5 BTC
Output[1]: B -> 1.5 BTC

Random points

In order to make the contract transactions, Alice and Bob make random nonces (rii) and random points (Rii) for each transaction.
Here, there are four points in total.
Alice and Bob make 2 points each, for tx1 and tx2.

Step1

Alice creates random points and the hash of the concatenated points (hRa), which serves as a commitment to these points.
Alice sends hRa to Bob.

Rax = raxG
Ray = rayG
hRa = Hash(Rax || Ray)

Bob creates random points and the hash of the concatenated points (hRb), which serves as a commitment to these points.
Bob sends hRb to Alice.

Rbx = rbxG
Rby = rbyG
hRb = Hash(Rbx || Rby)

Step2

Alice sends random points to Bob.

Bob sends random points to Alice.

Step3

Alice checks that the hash of the points she received equals the committed hash value.

hRb =? Hash(Rbx || Rby)

Bob checks that the hash of the points he received equals the committed hash value.

hRa =? Hash(Rax || Ray)

Alice and Bob agree on Rax , Ray , Rbx and Rby.

Contract point

Alice and Bob compute
Cx = Rn - Hash(Rn || mx)Po
Cy = Rn - Hash(Rn || my)Po

Pre-sign

Alice computes
sax = rax + Hash((Rax+Rbx+Cx) || P || tx1)μaxa
say = ray + Hash((Ray+Rby+Cy) || P || tx2)μaxa

Alice sends sax and say to Bob.

Bob computes
sbx = rbx + Hash((Rax+Rbx+Cx) || P || tx1)μbxb
sby = rby + Hash((Ray+Rby+Cy) || P || tx2)μbxb

Bob sends sbx and sby to Alice.

Alice checks

sbxG =? Rbx + Hash((Rax+Rbx+Cx) || P || tx1)μbPb
sbyG =? Rby + Hash((Ray+Rby+Cy) || P || tx2)μbPb

Bob checks

saxG =? Rax + Hash((Rax+Rbx+Cx) || P || tx1)μaPa
sayG =? Ray + Hash((Ray+Rby+Cy) || P || tx2)μaPa

N days later

Olivia computes
sox = kn - Hash(Rn || mx)xo

Olivia publishes sox and mx.

Alice or Bob computes
s = sax + sbx + sox
R = Rax + Rbx + Cx

Alice or Bob sends transaction tx1 with (s,R).
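
The tx1 flow above carried through on secp256k1, as an added example that is not code from the original gist. Assumptions: SHA-256 for Hash, points encoded as x || y, hash outputs reduced mod the group order n, and small constructed secrets; the point arithmetic is not constant time and is for illustration only.

```python
import hashlib

# secp256k1: field prime p, group order n, base point G
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # point addition; None is the point at infinity
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, p) % p
    else: lam = (B[1] - A[1]) * pow((B[0] - A[0]) % p, -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, A):  # double-and-add; not constant time, illustration only
    k, R = k % n, None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def neg(A): return (A[0], -A[1] % p)

def H(*parts):  # Hash(a || b || ...) mod n; points encoded as x || y (assumed)
    enc = lambda v: v if isinstance(v, bytes) else b"".join(c.to_bytes(32, "big") for c in v)
    return int.from_bytes(hashlib.sha256(b"".join(map(enc, parts))).digest(), "big") % n

def dlc_demo():
    # Constructed toy secrets and messages; real secrets must be uniformly random
    xa, xb, xo, kn, rax, rbx = 11, 22, 33, 44, 55, 66
    mx, my, tx1 = b"mx", b"my", b"tx1"
    Pa, Pb, Po, Rn = mul(xa, G), mul(xb, G), mul(xo, G), mul(kn, G)
    c = H(Pa, Pb).to_bytes(32, "big")                  # c = Hash(Pa || Pb)
    mua, mub = H(c, b"\x01"), H(c, b"\x02")
    P = add(mul(mua, Pa), mul(mub, Pb))                # fund point
    Cx = add(Rn, neg(mul(H(Rn, mx), Po)))              # contract point for mx
    R = add(add(mul(rax, G), mul(rbx, G)), Cx)         # R = Rax + Rbx + Cx
    e = H(R, P, tx1)
    sax, sbx = (rax + e * mua * xa) % n, (rbx + e * mub * xb) % n
    pre_ok = mul(sax, G) == add(mul(rax, G), mul(e * mua, Pa))  # Bob's check of sax
    def verify(s): return mul(s, G) == add(R, mul(e, P))        # sG =? R + H(R,P,m)P
    sox = (kn - H(Rn, mx) * xo) % n                    # Olivia attests mx
    soy = (kn - H(Rn, my) * xo) % n                    # what she would publish for my
    return pre_ok, verify(sax + sbx), verify(sax + sbx + sox), verify(sax + sbx + soy)

if __name__ == "__main__":
    print(dlc_demo())
```

The four results are: Alice's pre-signature passes Bob's check, the two pre-signatures alone do not verify against R, adding sox completes a valid signature for tx1, and an attestation of my does not.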

References

Discreet Log Contracts / Thaddeus Dryja
https://adiabat.github.io/dlc.pdf

Re: Discreet Log Contracts / Ruben Somsen
https://lists.launchpad.net/mimblewimble/msg00485.html

Scaling Bitcoin 2018 Signatures Works / Andrew Poelstra / P.17-18
https://download.wpsoftware.net/bitcoin/2018-10-scaling-proposal/slides.pdf

Acknowledgements

Thank you very much to Thaddeus Dryja and Yutaka Nakasone for the review and the proofreading.

@RubenSomsen

Found this through your post on the mailing list. Nice work 👍

  • It seems like you can simplify the example to A and B putting in 0.5 BTC and either A or B receiving 1 BTC
  • I think H(O,X) should be H(C,O,X)
  • Have you considered adding Mu-sig?