Assumptions
pk_script
<witness version 0x0X> <public key / EC point : P>
witness
<sign : s> <random point : R>
G is the base point of the elliptic curve (EC).
R = rG is a random point (EC point).
P = pG is the public key (EC point).
s = r + H(R,P,m)p
sG = R + H(R,P,m)P
s = r + H(R,P,m)p
sG = rG + H(R,P,m)pG
sG = R + H(R,P,m)P
Alice's public key and private key are
Pa = xaG
Bob's public key and private key are
Pb = xbG
Alice and Bob make a combined public key.
This point can be used as the public key for funding.
The fund point P is calculated as follows.
c = Hash(Pa || Pb)
μa = Hash(c || 0x01)
μb = Hash(c || 0x02)
P = μaPa + μbPb
Olivia (the oracle) publishes her public key (Po) and a contract point (Rn).
The contract point is tied to the schedule on which Olivia will publish the answer to the contract.
Here, it is assumed that Olivia will publish the proof of message "m" n days later.
Olivia's key pair (public key and private key) is
Po = xoG
The "contract point" (Rn), which expires n days later, and its random nonce (kn) are
Rn = knG
Message is
m : {mx , my}
Olivia publishes Po, Rn and m : {mx , my}.
Alice and Bob may be able to make the message lists by themselves.
There are two scenarios.
If Olivia proves mx, Alice gets 1.5 BTC and Bob gets 0.5 BTC.
If Olivia proves my, Alice gets 0.5 BTC and Bob gets 1.5 BTC.
Alice and Bob make contracts for all scenarios.
Here, there are two.
The transaction for the first scenario(tx1) is :
Input [0]: Fund
Output[0]: A -> 1.5 BTC
Output[1]: B -> 0.5 BTC
The transaction for the second scenario (tx2) is :
Input [0]: Fund
Output[0]: A -> 0.5 BTC
Output[1]: B -> 1.5 BTC
In order to make the contract transactions, Alice and Bob generate random nonces (rii) and random points (Rii) for each transaction.
Here, there are four points in total.
Alice and Bob make 2 points each, one for tx1 and one for tx2.
Step1
Alice creates random points and the hash of the concatenated points (hRa), which serves as a commitment to these points.
Alice sends hRa to Bob.
Rax = raxG
Ray = rayG
hRa = Hash(Rax || Ray)
Bob creates random points and the hash of the concatenated points (hRb), which serves as a commitment to these points.
Bob sends hRb to Alice.
Rbx = rbxG
Rby = rbyG
hRb = Hash(Rbx || Rby)
Step2
Alice sends random points to Bob.
Bob sends random points to Alice.
Step3
Alice checks whether the hash value matches the random points she received.
hRb =? Hash(Rbx || Rby)
Bob checks whether the hash value matches the random points he received.
hRa =? Hash(Rax || Ray)
Alice and Bob agree on Rax , Ray , Rbx and Rby.
Alice and Bob compute
Cx = Rn - Hash(Rn || mx)Po
Cy = Rn - Hash(Rn || my)Po
Alice computes
sax = rax + Hash((Rax+Rbx+Cx) || P || tx1)μaxa
say = ray + Hash((Ray+Rby+Cy) || P || tx2)μaxa
Alice sends sax and say to Bob.
Bob computes
sbx = rbx + Hash((Rax+Rbx+Cx) || P || tx1)μbxb
sby = rby + Hash((Ray+Rby+Cy) || P || tx2)μbxb
Bob sends sbx and sby to Alice.
Alice checks
sbxG =? Rbx + Hash((Rax+Rbx+Cx) || P || tx1)μbPb
sbyG =? Rby + Hash((Ray+Rby+Cy) || P || tx2)μbPb
Bob checks
saxG =? Rax + Hash((Rax+Rbx+Cx) || P || tx1)μaPa
sayG =? Ray + Hash((Ray+Rby+Cy) || P || tx2)μaPa
Olivia computes
sox = kn - Hash(Rn || mx)xo
Olivia publishes sox and mx.
Alice or Bob computes
s = sax + sbx + sox
R = Rax + Rbx + Cx
Alice or Bob sends transaction tx1 with (s,R).
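The flow above, from the fund point to the final check sG = R + H(R,P,m)P, as an added Python example (not the author's demo code). It assumes secp256k1, SHA-256 with 32-byte big-endian encodings, and placeholder byte strings for tx1 and tx2; the nonce commitment exchange (Step1 to Step3) is omitted, and `add`, `mul`, `H` and `settle` are names chosen here.

```python
import hashlib, secrets
# secp256k1 is an assumed curve; the page only says "elliptic curve"
Pf = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # EC point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % Pf == 0: return None
    l = (3 * A[0] * A[0] * pow(2 * A[1], -1, Pf) if A == B
         else (B[1] - A[1]) * pow((B[0] - A[0]) % Pf, -1, Pf))
    x = (l * l - A[0] - B[0]) % Pf
    return (x, (l * (A[0] - x) - A[1]) % Pf)

def mul(k, A):  # double-and-add scalar multiplication (not constant time)
    R, k = None, k % N
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(*parts):  # hash to scalar; the byte encoding is an assumption
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int): p = p.to_bytes(32, "big")
        if isinstance(p, tuple): p = b"".join(c.to_bytes(32, "big") for c in p)
        h.update(p)
    return int.from_bytes(h.digest(), "big") % N

def settle(signed, claimed):
    """Olivia signs `signed`; the tx pre-signed for `claimed` is closed with her scalar."""
    rnd = lambda: secrets.randbelow(N - 1) + 1
    xa, xb, xo, kn, ra, rb = (rnd() for _ in range(6))
    Pa, Pb, Po, Rn, Ra, Rb = (mul(k, G) for k in (xa, xb, xo, kn, ra, rb))
    c = H(Pa, Pb)
    mua, mub = H(c, b"\x01"), H(c, b"\x02")
    P = add(mul(mua, Pa), mul(mub, Pb))                  # fund point
    tx = {"mx": b"tx1 A:1.5 B:0.5", "my": b"tx2 A:0.5 B:1.5"}[claimed]  # constructed
    C = add(Rn, mul(-H(Rn, claimed.encode()), Po))       # C = Rn - Hash(Rn||m)Po
    R = add(add(Ra, Rb), C)
    e = H(R, P, tx)
    sa, sb = (ra + e * mua * xa) % N, (rb + e * mub * xb) % N
    assert mul(sa, G) == add(Ra, mul(e * mua, Pa))       # Bob checks Alice's part
    assert mul(sb, G) == add(Rb, mul(e * mub, Pb))       # Alice checks Bob's part
    so = (kn - H(Rn, signed.encode()) * xo) % N          # scalar Olivia publishes
    s = (sa + sb + so) % N
    return mul(s, G) == add(R, mul(H(R, P, tx), P))      # sG =? R + H(R,P,m)P
```

`settle("mx", "mx")` verifies because soxG equals Cx; `settle("my", "mx")` does not, since the scalar for my cannot complete the signature that was prepared for tx1.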
Discreet Log Contracts / Thaddeus Dryja
https://adiabat.github.io/dlc.pdf
Re: Discreet Log Contracts / Ruben Somsen
https://lists.launchpad.net/mimblewimble/msg00485.html
Scaling Bitcoin 2018 Signatures Works / Andrew Poelstra / P.17-18
https://download.wpsoftware.net/bitcoin/2018-10-scaling-proposal/slides.pdf
Thank you very much to Thaddeus Dryja and Yutaka Nakasone for the review and the proofreading.
demo code
https://github.com/tnakagawa/scriptless-script-dlc-demo