You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A trust-minimised stablecoin for Bitcoin-backed fiat money. It mimics traditional banking. Dollar tokens (USDx) are created and destroyed based on collaterized loans.
Basic Protocol
Alice sends a collateral of 1 BTC to a bank to receive a loan of e.g. $40000 in USDx tokens created by the bank.
To redeem her collateral Alice has to pay back her loan within 4 years. To "pay back" means Alice destroys 40000 USDx.
If Alice does not pay her loan back on time then the bank sells her collateral to the market. To "sell" means the buyer destroys 40000 USDx.
This protocol requires that within a period of 4 years the BTC price always increases.
This is a scheme for stealth addresses which requires little computational overhead for the recipient to scan the chain. It builds upon manypreviousideas. It reduces the overhead for scans from O( #TXs ) to O( #users ).
Protocol
All senders register on their first send a public key in a public directory.
Recipients perform a DH key exchange with each sender key in the directory to derive all their potential receive addresses.
For a threshold point over n points we can assign "weights" or "number of votes per key":
(T₁,w₁), (T₂,w₂), ...,(Tₙ,wₙ).
Instead of using each Tᵢ only once, we also use the keys Tᵢ+H(Tᵢ|1)G, Tᵢ+H(Tᵢ|2)G, ..., Tᵢ+H(Tᵢ|wᵢ)G during the creation of the threshold point. So, if Alice learns Tᵢ she learns the key for all of its votes.
Let's define the total number of votes as N = sum{wᵢ}. Now, we can choose any threshold t < N by enumerating all sums of subsets of size t. We can apply the OR operator to these sums to condense the threshold condition into a single point.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If Alice learns the dlog of T₁, or T₂, ..., or Tₙ, then she also learns the dlog of X.
This is possible using verifiable encryption (see "Juggling" by Shlomovits et al.). An OR operator allows to condense complex spending conditions into a single point. This prevents the combinatorial explosions which usually occur when using multi-oracles. An OR operator makes spending conditions easily composable. In theory, it even enables arbitrary computations on values provided by oracles.
Motivation
Applications for the OR operator include Discreet Log Contracts (DLCs), adaptor signatures, and Point Time Locked Contracts (PTLCs):
We expect an oracle will publish some number 𝑁 by signing each of its n bits.
Given a constant c, we want to express the spending condition 𝑁 ≥ c in a single adaptor point.
The key idea is to construct an OR operator for adaptor points. This is possible with verifiable encryption. An OR operator allows to condense complex spending conditions into a single point. This prevents the combinatorical explosions that usually occure when using multi-oracles. An OR operator makes spending conditions easily composable. In theory, it even enables arbitrary computations.
Number Format
We define B₁ to Bₙ to represent the adaptor points for oracle signatures of those bits of 𝑁 that are equal to 1: