Using Chains for what They re Good For

Similar documents
Scriptless Scripts. Scriptless Scripts. Andrew Poelstra. March 4, 2017

Blind Signatures in Scriptless Scripts

Upgrading Bitcoin: Segregated Witness. Dr. Johnson Lau Bitcoin Core Contributor Co-author of Segregated Witness BIPs March-2016

The power of Blockchain: Smart Contracts. Foteini Baldimtsi

Bitcoin and Blockchain

Security, Privacy and Interoperability in Payment- Channel Networks

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

BLOCKCHAIN Blockchains and Transactions Part II A Deeper Dive

Discreet Log Contracts

ENEE 457: E-Cash and Bitcoin

Multiparty Computation (MPC) protocols

Cryptography and Cryptocurrencies. Intro to Cryptography and Cryptocurrencies

CS 251: Bitcoin and Cryptocurrencies Fall 2016

Chapter 13. Digital Cash. Information Security/System Security p. 570/626

Computer Security. 14. Blockchain & Bitcoin. Paul Krzyzanowski. Rutgers University. Spring 2019

Blockchain, Cryptocurrency, Smart Contracts and Initial Coin Offerings: A Technical Perspective

Whitepaper Rcoin Global

Bitcoin, Security for Cloud & Big Data

Chapter 9: Key Management

Smalltalk 3/30/15. The Mathematics of Bitcoin Brian Heinold

Concurrency and Privacy with Payment Channel Networks

Radix - Tempo. Dan Hughes Abstract

Radix - Tempo. Dan Hughes

Problem: Equivocation!

Viacoin Whitepaper. Viacoin Dev Team September 12, Abstract

Securing Bitcoin wallets: A new DSA threshold signature scheme that is usable in the real world

The Blockchain. Josh Vorick

Ergo platform: from prototypes to a survivable cryptocurrency

Anonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research

EECS 498 Introduction to Distributed Systems

Collective Edwards-Curve Digital Signature Algorithm

Blockchain. CS 240: Computing Systems and Concurrency Lecture 20. Marco Canini

Lecture 6. Mechanics of Bitcoin

Spring 2010: CS419 Computer Security

Security Analysis of the Lightning Network

Hyperledger Fabric v1:

Lecture 3. Introduction to Cryptocurrencies

Ergo platform. Dmitry Meshkov

Page Total

BlockFin A Fork-Tolerant, Leaderless Consensus Protocol April

Radix - Public Node Incentives

A SIMPLE INTRODUCTION TO TOR

Lecture 10, Zero Knowledge Proofs, Secure Computation

Zero-Knowledge proof of knowledge transfer. Perm summer school on blockchain 2018

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Who wants to be a millionaire? A class in creating your own cryptocurrency

Catena: Preventing Lies with

Net Trust: User-Centered Detection of Pharming, Phishing and Fraud. L Jean Camp

Blockchain Certification Protocol (BCP)

Privacy-Enabled NFTs: User-Mintable, Non-Fungible Tokens With Private Off-Chain Data

ICS 421 & ICS 690. Bitcoin & Blockchain. Assoc. Prof. Lipyeow Lim Information & Computer Sciences Department University of Hawai`i at Mānoa

University of Duisburg-Essen Bismarckstr Duisburg Germany HOW BITCOIN WORKS. Matthäus Wander. June 29, 2011

Blockchains & Cryptocurrencies

Bitcoin. CS6450: Distributed Systems Lecture 20 Ryan Stutsman

CS 251: Bitcoin and Crypto Currencies Fall 2015

Cryptographic Protocols 1

Lecture 9. Anonymity in Cryptocurrencies

Alternatives to Blockchains. Sarah Meiklejohn (University College London)

WHITEPAPER 1.0 Boostx, Lead Developer BoxyCoin

E-cash. Cryptography. Professor: Marius Zimand. e-cash. Benefits of cash: anonymous. difficult to copy. divisible (you can get change)

Set: Hub-and-Spoke Cryptographic Payment Channels

Digital Cash Systems

An efficient implementation of Monero subaddresses. 1 Introduction. Sarang Noether and Brandon Goodell Monero Research Lab October 3, 2017

BBc-1 : Beyond Blockchain One - An Architecture for Promise-Fixation Device in the Air -

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Cryptographic Checksums

cchannel Generalized State Channel Specification

Blockchain Beyond Bitcoin. Mark O Connell

Sharding. Making blockchains scalable, decentralized and secure.

An Analysis of Atomic Swaps on and between Ethereum Blockchains Research Project I

Unblockable Chains. Is Blockchain the ultimate malicious infrastructure? Omer Zohar

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Decentralizing Authorities into Scalable Strongest-Link Cothorities

Blockchain without Bitcoin. Muralidhar Gopinath October 19, 2017 University at Albany

hard to perform, easy to verify

The Technology behind Smart Contracts

LECTURE 2 BLOCKCHAIN TECHNOLOGY EVOLUTION

TOPPERCASH TOPPERCASH WHITEPAPER REFORM THE BEST OF BLOCKCHAIN

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Emulation of Hash-Time-Locked Contracts of the Lightning network by a trusted, but publically auditable escrow service

Introduction to Cryptography in Blockchain Technology. December 23, 2018

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Crypto tricks: Proof of work, Hash chaining

Security (and finale) Dan Ports, CSEP 552

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Karaoke. Distributed Private Messaging Immune to Passive Traffic Analysis. David Lazar, Yossi Gilad, Nickolai Zeldovich

Introduction to Modern Cryptography. Benny Chor

Exceptional Access Protocols. Alex Tong

WAVE: A decentralised authorization system for IoT via blockchain smart contracts

Security Analysis of Bitcoin. Dibyojyoti Mukherjee Jaswant Katragadda Yashwant Gazula

SmartPool: practical decentralized pool mining. Loi Luu, Yaron Velner, Jason Teutsch, and Prateek Saxena August 18, 2017

REM: Resource Efficient Mining for Blockchains

Transactions as Proof-of-Stake! by Daniel Larimer!

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

1 Introduction. Sarah Meiklejohn and Rebekah Mercer Möbius: Trustless Tumbling for Transaction Privacy

OpenbankIT: a banking platform for e- money management based on blockchain technology

Lecture 44 Blockchain Security I (Overview)

Biomedical and Healthcare Applications for Blockchain. Tiffany J. Callahan Computational Bioscience Program Hunter/Kahn Labs

P2P BitCoin: Technical details

STRUCTURING MULTI TRANSACTION CONTRACTS IN BITCOIN. Jeremy Rubin

Transcription:

Using Chains for what They re Good For Andrew Poelstra usingchainsfor@wpsoftware.net Scaling Bitcoin, November 5, 2017 1 / 14

On-Chain Smart Contracting Bitcoin (and Ethereum, etc.) uses a scripting language to describe smart contracts and enforce their execution. These scripts must be downloaded, parsed, validated by all full nodes on the network. Can t be compressed or aggregated. Valid execution can t be assured until the transaction is confirmed: unpredictable, long delays. 2 / 14

On-Chain Smart Contracting Script verification rules must be agreed upon by all participants. The details of the script are visible forever, compromising privacy and fungibility. Miners can see contract contents before including them, and may not want to (potential legal liability, external incentives, etc.) 3 / 14

On-Chain Smart Contracting Most contracts need only one thing from the blockchain: an immutable ordering of commitments to prevent double-spending. 4 / 14

Execution vs Verification Blockchain validators must check whether scripts execute successfully. This is strictly easier than actually executing the scripts (Post s Theorem). May be assisted by a witness. In crypto, we talk about (zero-knowledge) arguments that some script returns true. May be assisted by a transcript. 5 / 14

Verifiability vs Public Verifiability Blockchain verifiers must check that coins are only spent with correct authorization, and only once. They don t necessarily need to know what correct authorization means, they just need to agree on it. Consider moving coins to a multisig output, where multiple distrusting signers check external conditions before signing to move them to their final destinations (Gibson 2017). 6 / 14

Scriptless Scripts Suppose these distrusting signers want to enforce conditions on each other: a smart contract. The script paradigm demands they reveal witnesses to their conditions on the public chain, along with their signature. But what if the signature was the witness? Then the blockchain would only need to check a multisignature, or should I say... a scriptless script. 7 / 14

Scriptless Scripts Scriptless scripts: magicking digital signatures so that they can only be created by faithful execution of a smart contract. Limited in power, but not nearly as much as you might expect. Mimblewimble is a blockchain design that supports only scriptless scripts, and derives its privacy and scaling properties from this. 8 / 14

Schnorr multi-signatures are Scriptless Scripts By adding Schnorr signature keys, a new key is obtained which can only be signed with with the cooperation of all parties. The parties must interact to sign: first they agree on the message and nonces, then they contribute to the signatures. (Don t try this at home: some extra precautions are needed to prevent adversarial choice of keys.) 9 / 14

Adaptor Signatures Instead use another ephemeral keypair (t, T ) and treat T as the hash of t. When doing a multi-signature replace the old nonce R with R + T, and now the signature s must be replaced by s + t to be valid. Now the original s is an adaptor signature. Anyone with this can compute a valid signature from t or vice-versa. They can verify that it is an adaptor signature for T, no trust needed. 10 / 14

Atomic (Cross-chain) Swaps Parties Alice and Bob send coins on their respective chains to 2-of-2 outputs. Bob thinks of a keypair (t, T ) and gives T to Alice. Before Alice signs to give Bob his coins, she demands adaptor signatures with T from him for both his signatures: the one taking his coins and the one giving her coins. Now when Bob signs to take his coins, Alice learns t from one adaptor signature, which she can combine with the other adaptor signature to take her coins. 11 / 14

Basic Lightning Suppose Alice is paying David through Bob and Carol. She produces an onion-routed path Alice Bob Carol David and asks for public keys B, C and D from each participant. She sends coins to a 2-of-2 between her and Bob. She asks Bob for an adaptor signature with B + C + D before signing to send him the coins. Similarly Bob sends coins to Carol, first demanding an adaptor signature with C + D from her. Carol sends to David, demanding an adaptor signature with D. 12 / 14

Features of Adaptor Signatures Adaptor signatures work across blockchains, even if they use different EC groups, though this requires a bit more work. After a signature hits the chain, anyone can make up a (t, T ) and compute a corresponding adaptor signature for it, so the scheme is deniable. It also does not link the signatures in any way. Adaptor signatures are re-blindable, as we saw in the Lightning example. This is also deniable and unlinkable. 13 / 14

Thank You Andrew Poelstra <whattheyregoodfor@wpsoftware.net> 14 / 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback