The State of Atomic Swaps

History

Why do I care?

Building the COMIT protocol

  • decentralized
  • trustless
  • open
  • connecting blockchains
  • facilitate cross-chain applications

Hash-Time-Lock Contracts

A conditional transfer

  • Secret
  • Timeout

How to?

  • Scripting language
    • Bitcoin scripts
    • Ethereum contracts
  • "Scriptless scripts"
    • signatures + private keys
  • ???

OP_IF
  OP_SHA256
  [91d6a24697ed31932537ae598d3de3131e1fcd0641b9ac4be7afcb376386d71e]
  OP_EQUALVERIFY OP_DUP
  OP_HASH160 [9f4a0cf348b478336cb1d87ea4c8313a7ca3de19]
OP_ELSE
  [9000] OP_CHECKSEQUENCEVERIFY OP_DROP
  OP_DUP
  OP_HASH160 [65252e57f727a27f32c77098e14d88d8dbec0181]
OP_ENDIF
OP_EQUALVERIFY OP_CHECKSIG

Atomic Swap

How to?

  • 4 transactions
  • 2 conditional payments

UNFAIR!

Why unfair?

  • What if Alice is a greedy person?
  • Alice monitors LTC:BTC on an exchange
  • Doesn't evolve in her favor
  • Wait for timeout of her HTLC

Alice has an option she didn't pay for
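The two conditional payments and the option Alice gets for free, as an added Python simulation (not code from the talk or from the COMIT project). It models an HTLC as an object with the script's two branches, redeem with the SHA-256 preimage before the timeout and refund after it, and uses one abstract block clock for both chains, which is a simplification; names, amounts and the secret are constructed for the example.

```python
import hashlib


class HTLC:
    """One hash-time-locked output. redeem() is the OP_IF branch (preimage
    before timeout), refund() the OP_ELSE branch (funder after timeout)."""

    def __init__(self, chain, amount, hashlock, timeout, redeemer, refunder):
        self.chain, self.amount, self.hashlock = chain, amount, hashlock
        self.timeout, self.redeemer, self.refunder = timeout, redeemer, refunder
        self.state, self.paid_to = "locked", None

    def redeem(self, secret, height):
        if self.state != "locked":
            raise ValueError("already spent")
        if height >= self.timeout:
            raise ValueError("timeout passed, redeem path closed")
        if hashlib.sha256(secret).digest() != self.hashlock:
            raise ValueError("wrong preimage")
        self.state, self.paid_to = "redeemed", self.redeemer
        return secret  # the preimage is now public on this chain

    def refund(self, height):
        if self.state != "locked":
            raise ValueError("already spent")
        if height < self.timeout:
            raise ValueError("refund not yet allowed")
        self.state, self.paid_to = "refunded", self.refunder


def run_swap(alice_redeems):
    """Four transactions: Alice funds, Bob funds, Alice redeems (revealing the
    secret), Bob redeems. If Alice never redeems, both wait for their
    timeouts and refund; which outcome happens is Alice's free choice."""
    secret = b"constructed-secret-preimage"
    h = hashlib.sha256(secret).digest()
    # Tx 1: Alice locks 1 BTC with the longer timeout.
    btc = HTLC("BTC", 1, h, timeout=48, redeemer="bob", refunder="alice")
    # Tx 2: Bob locks 10 LTC under the same hash with a shorter timeout.
    ltc = HTLC("LTC", 10, h, timeout=24, redeemer="alice", refunder="bob")
    bob_knows = None
    try:  # Bob cannot take the BTC without the preimage
        btc.redeem(b"constructed wrong guess", height=10)
    except ValueError:
        pass
    if alice_redeems:
        bob_knows = ltc.redeem(secret, height=10)  # Tx 3: secret goes public
        btc.redeem(bob_knows, height=12)           # Tx 4: Bob uses it
    else:
        ltc.refund(height=24)  # Bob takes his LTC back
        btc.refund(height=48)  # Alice takes her BTC back
    return {"btc_to": btc.paid_to, "ltc_to": ltc.paid_to,
            "bob_learned_secret": bob_knows == secret}


def early_refund_rejected():
    """The refund branch stays closed until the timeout."""
    h = HTLC("LTC", 10, b"\0" * 32, timeout=24, redeemer="alice", refunder="bob")
    try:
        h.refund(height=5)
    except ValueError:
        return True
    return False
```

Running `run_swap(True)` and `run_swap(False)` side by side shows the asymmetry: the protocol is atomic in both cases, but only Alice decides, after the funds are locked, which of the two valid endings occurs.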

Unfair protocol

What to do?

Fix it!

  1. Figure out the problem
  2. ???
  3. Profit!

Fix it! (for real)

  1. Attribute fault
  2. Punishment

Uniquely attributable fault

Punishment

  • Alice needs to lose something
  • On which chain?
  • Put up collateral

Atomic Swap

(rev. 1)

~ diff ./swap-rev-0 ./swap-rev-1

(diagram: two added lines marked '+'; their content is not recoverable from the transcript)

Collateral design

  • HTLC
  • Same condition
  • Redeem pays Alice
  • Refund pays Bob

Consequences

  • Alice is incentivized to redeem Bob's HTLC
  • Bob no longer needs to trust Alice
  • Alice now needs to trust Bob :(

Still unfair!

  • Bob could just not do anything
  • Get free money after the timeout

Atomic Swap

(rev. 2)

Another tweak!

  • Allow Alice to take back her collateral
  • Only as long as Bob did not make his transaction
  • Needs to be the same transaction/contract
  • Alice creates TX with collateral input + total output
  • Sends TX to Bob
  • Bob adds remaining funds & broadcasts
  • Cancel? -> Spend UTXO elsewhere

UTXO-based currencies

(diagram: a transaction with two inputs, indexed 0 and 1, of 0.1 LTC and 1 LTC, and a single output, indexed 0, of 1.1 LTC)
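The rev. 2 tweak and the transaction in the diagram above, as an added Python simulation (not code from the talk or from COMIT). A minimal UTXO ledger stands in for the chain; an input is "signed" by naming its owner, which replaces real script and signature checks, and amounts are integers in 1/100 000 000 LTC so 0.1 + 1 = 1.1 is exact. The two scenarios are Bob completing and broadcasting Alice's draft, and Alice cancelling by spending her collateral UTXO elsewhere first.

```python
COIN = 100_000_000  # smallest LTC unit, constructed for the example


class Ledger:
    """UTXO set: outpoint (txid, index) -> (amount, owner)."""

    def __init__(self):
        self.utxos, self.txcount = {}, 0

    def mint(self, amount, owner):
        self.txcount += 1
        outpoint = (f"coinbase{self.txcount}", 0)
        self.utxos[outpoint] = (amount, owner)
        return outpoint

    def apply(self, tx):
        """tx = {"inputs": [(outpoint, signer)], "outputs": [(amount, owner)]}.
        Rejects unknown or already spent inputs, wrong signers and value
        creation; on success spends the inputs and creates the outputs."""
        total_in = 0
        for outpoint, signer in tx["inputs"]:
            if outpoint not in self.utxos:
                return False, f"input {outpoint} unknown or already spent"
            amount, owner = self.utxos[outpoint]
            if signer != owner:
                return False, f"input {outpoint} not signed by its owner"
            total_in += amount
        if total_in < sum(amount for amount, _ in tx["outputs"]):
            return False, "outputs exceed inputs"
        for outpoint, _ in tx["inputs"]:
            del self.utxos[outpoint]
        self.txcount += 1
        txid = f"tx{self.txcount}"
        for index, (amount, owner) in enumerate(tx["outputs"]):
            self.utxos[(txid, index)] = (amount, owner)
        return True, txid


def rev2_setup(ledger):
    """Alice drafts the funding tx: her 0.1 LTC collateral as the only input
    and the full 1.1 LTC swap output. Bob still has to add his 1 LTC."""
    collateral = ledger.mint(COIN // 10, "alice")
    bob_coin = ledger.mint(COIN, "bob")
    draft = {"inputs": [(collateral, "alice")],
             "outputs": [(COIN + COIN // 10, "swap-htlc")]}
    return collateral, bob_coin, draft


def bob_completes(draft, bob_coin):
    """Bob appends his input; Alice's part of the draft is unchanged."""
    return {"inputs": draft["inputs"] + [(bob_coin, "bob")],
            "outputs": draft["outputs"]}


def scenario_bob_broadcasts():
    ledger = Ledger()
    collateral, bob_coin, draft = rev2_setup(ledger)
    ok, _ = ledger.apply(bob_completes(draft, bob_coin))
    funded = any(owner == "swap-htlc" for _, owner in ledger.utxos.values())
    return ok, funded


def scenario_alice_cancels():
    ledger = Ledger()
    collateral, bob_coin, draft = rev2_setup(ledger)
    # Alice spends the collateral UTXO back to herself before Bob broadcasts
    ok_cancel, _ = ledger.apply({"inputs": [(collateral, "alice")],
                                 "outputs": [(COIN // 10, "alice")]})
    # Bob's completed transaction now double-spends a gone input
    ok_bob, reason = ledger.apply(bob_completes(draft, bob_coin))
    return ok_cancel, ok_bob, reason
```

On a real UTXO chain the draft only works if Alice's signature does not commit to inputs Bob adds later, which is what the SIGHASH_ANYONECANPAY flag is for; the simulation skips signatures, so that detail does not appear in the code.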

But we have LN!

Privacy

Scriptless scripts

  • Signatures instead of hash functions
  • Indistinguishable from regular transactions

Workflow

(diagram: Alice holds \(x_a\) and \(t\), Bob holds \(x_b\); 1 BTC and 10 LTC are locked to the joint keys \(G \cdot (x_b + t)\) and \(G \cdot (x_a + x_b)\))

Alice doesn't know \(x_b\), Bob doesn't know \(t\)

=> Neither of them can spend

  1. Bob creates adaptor signature
  2. Alice completes it
    1. Doesn't learn \(x_b\)
    2. Is forced to reveal \(t\)
  3. Bob learns \(t\)
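The three workflow steps above, as an added Python example (not code from the talk or from COMIT): Bob creates an adaptor signature over secp256k1, Alice completes it with \(t\), and Bob extracts \(t\) from the completed signature. To stay under a page it uses a single signer, Bob's key, rather than the joint key \(G \cdot (x_b + t)\) from the diagram, and a simplified Schnorr form (full points, no BIP340 x-only encoding); the curve arithmetic is pure Python, seeds and the message are constructed.

```python
import hashlib

# secp256k1 parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p, q):
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p == -q
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, p=G):
    r = None
    while k:
        if k & 1:
            r = point_add(r, p)
        p = point_add(p, p)
        k >>= 1
    return r


def scalar(*parts):
    """Hash byte strings to a scalar mod N."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N


def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def challenge(R, pub, msg):
    return scalar(enc(R), enc(pub), msg)


def adaptor_sign(x, pub, T, msg):
    """Bob's pre-signature: nonce R' = kG, challenge bound to R' + T, so the
    pre-signature only becomes valid once t is added. The nonce is derived
    from key and message here for determinism; never reuse one."""
    k = scalar(x.to_bytes(32, "big"), msg, b"nonce")
    R_prime = point_mul(k)
    e = challenge(point_add(R_prime, T), pub, msg)
    return R_prime, (k + e * x) % N


def adaptor_verify(pub, T, msg, pre):
    """Alice checks the pre-signature; she learns nothing about x."""
    R_prime, s_prime = pre
    e = challenge(point_add(R_prime, T), pub, msg)
    return point_mul(s_prime) == point_add(R_prime, point_mul(e, pub))


def adapt(pre, t):
    """Alice completes with t: the result is an ordinary Schnorr signature."""
    R_prime, s_prime = pre
    return point_add(R_prime, point_mul(t)), (s_prime + t) % N


def schnorr_verify(pub, msg, sig):
    R, s = sig
    e = challenge(R, pub, msg)
    return point_mul(s) == point_add(R, point_mul(e, pub))


def extract_secret(pre, sig):
    """Bob recovers t from the broadcast signature: t = s - s' mod N."""
    return (sig[1] - pre[1]) % N


def run_workflow():
    msg = b"constructed: spend 10 LTC to Alice"
    x_b = scalar(b"constructed seed for Bob")    # Bob's private key
    pub_b = point_mul(x_b)
    t = scalar(b"constructed seed for t")        # Alice's secret
    T = point_mul(t)                             # Alice shares only t*G
    pre = adaptor_sign(x_b, pub_b, T, msg)       # 1. Bob creates adaptor sig
    ok_pre = adaptor_verify(pub_b, T, msg, pre)
    sig = adapt(pre, t)                          # 2. Alice completes it
    ok_sig = schnorr_verify(pub_b, msg, sig)
    recovered = extract_secret(pre, sig)         # 3. Bob learns t
    wrong = schnorr_verify(pub_b, msg, adapt(pre, (t + 1) % N))
    return ok_pre, ok_sig, recovered == t, wrong
```

The completed signature is indistinguishable from any other Schnorr signature on the chain; the only extra information it carries is \(t\), and only to someone holding the pre-signature.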

Equivalent to an

Atomic Swap with HTLCs

  • Alice has a "secret"
  • Alice cannot take Bob's funds without revealing the "secret"
  • Both parties can take their money back

Open research questions

How to do 'Scriptless Scripts' across different curves?

  • Relies on signatures
  • Signatures are curve-specific
  • How can we use them across different curves?
    • Bitcoin
    • Monero
    • Cardano

How to uniquely attribute fault in multi-hop payment channels?

(diagram: a three-party route A -> B -> C with a BTC leg and an LTC leg)

Situation: Bob doesn't redeem LTC from Charlie:

  • He wants to scam Charlie
  • He didn't receive the pre-image from Alice

Charlie cannot tell the difference

=> fault CANNOT be uniquely attributed

=> punishment scheme doesn't work

How to build HTLCs without knowing the recipient?

What do we need for HTLCs?

  • Redeem address
  • Refund address
  • Timeout
  • Hash

The State of
Atomic Swaps

Thanks for listening!

Contact

@oetzn

coblox

thomas@coblox.tech

https://coblox.tech

https://slides.com/thomas_eizinger/the_state_of_atomic_swaps

The State of Atomic Swaps

By Thomas Eizinger


Slides for the talk at Scaling Bitcoin on 07-09-2018.