The State of
Atomic Swaps
History
Why do I care?
Building the COMIT protocol
- decentralized
- trustless
- open
- connecting blockchains
- facilitate cross-chain applications
Hash-Time-Lock Contracts
A conditional transfer
- Secret
- Timeout
How to?
- Scripting language
- Bitcoin scripts
- Ethereum contracts
- "Scriptless scripts"
- signatures + private keys
- ???
OP_IF
OP_SHA256
[91d6a24697ed31932537ae598d3de3131e1fcd0641b9ac4be7afcb376386d71e]
OP_EQUALVERIFY OP_DUP
OP_HASH160 [9f4a0cf348b478336cb1d87ea4c8313a7ca3de19]
OP_ELSE
[9000] OP_CHECKSEQUENCEVERIFY OP_DROP
OP_DUP
OP_HASH160 [65252e57f727a27f32c77098e14d88d8dbec0181]
OP_ENDIF
OP_EQUALVERIFY OP_CHECKSIG
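To make the two branches of that script concrete, here is a small stack-machine model of exactly the opcodes it uses. This is an added example, not code from the slides or from COMIT; the signature check is a toy (a valid "signature" is just a hash of the pubkey, an assumption of this model, not ECDSA), the key and secret values are constructed, and relative time is modelled as the number of blocks since the spent output confirmed, which is what OP_CHECKSEQUENCEVERIFY compares against.

```python
import hashlib


def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(data)), Bitcoin's pubkey hash. Falls back to a truncated
    double-SHA256 on Python builds whose OpenSSL lacks RIPEMD160 (an assumption
    of this model only; the script logic is unaffected)."""
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        return hashlib.sha256(sha).digest()[:20]


def toy_sign(pubkey: bytes) -> bytes:
    # Toy signature model (assumption of this example): the only valid
    # "signature" for a pubkey is sha256(b"sig:" + pubkey).
    return hashlib.sha256(b"sig:" + pubkey).digest()


def toy_checksig(sig: bytes, pubkey: bytes) -> bool:
    return sig == toy_sign(pubkey)


def htlc_script(secret_hash: bytes, redeem_pkh: bytes, refund_pkh: bytes, timeout: int):
    """The HTLC script from the slide, opcode by opcode.
    Data pushes are bytes (hashes) or an int (the CSV timeout in blocks)."""
    return ["OP_IF",
                "OP_SHA256", secret_hash, "OP_EQUALVERIFY",
                "OP_DUP", "OP_HASH160", redeem_pkh,
            "OP_ELSE",
                timeout, "OP_CHECKSEQUENCEVERIFY", "OP_DROP",
                "OP_DUP", "OP_HASH160", refund_pkh,
            "OP_ENDIF",
            "OP_EQUALVERIFY", "OP_CHECKSIG"]


def is_true(item) -> bool:
    return item not in (b"", b"\x00", 0)


def run_script(script, witness, input_age_blocks: int) -> bool:
    """Evaluate `script` on the witness stack; True means the spend is valid."""
    stack = list(witness)
    cond = []                         # OP_IF nesting: True = branch executes
    for op in script:
        executing = all(cond)
        if op == "OP_IF":             # like Bitcoin Core: pop only when executing
            cond.append(is_true(stack.pop()) if executing else False)
        elif op == "OP_ELSE":
            cond[-1] = not cond[-1]
        elif op == "OP_ENDIF":
            cond.pop()
        elif not executing:
            continue
        elif not isinstance(op, str):  # data push
            stack.append(op)
        elif op == "OP_SHA256":
            stack.append(hashlib.sha256(stack.pop()).digest())
        elif op == "OP_HASH160":
            stack.append(hash160(stack.pop()))
        elif op == "OP_DUP":
            stack.append(stack[-1])
        elif op == "OP_DROP":
            stack.pop()
        elif op == "OP_EQUALVERIFY":
            if stack.pop() != stack.pop():
                return False
        elif op == "OP_CHECKSEQUENCEVERIFY":
            if input_age_blocks < stack[-1]:   # refund branch fails before timeout
                return False
        elif op == "OP_CHECKSIG":
            pubkey, sig = stack.pop(), stack.pop()
            stack.append(b"\x01" if toy_checksig(sig, pubkey) else b"")
        else:
            raise ValueError(f"unsupported opcode {op}")
    return bool(stack) and is_true(stack[-1])


# Constructed sample values for one HTLC: Bob may redeem with the secret,
# Alice may refund after 9000 blocks.
SECRET = b"constructed-secret-preimage"
SECRET_HASH = hashlib.sha256(SECRET).digest()
BOB_PUB, ALICE_PUB = b"bob-pubkey", b"alice-pubkey"      # stand-ins for real keys
SCRIPT = htlc_script(SECRET_HASH, hash160(BOB_PUB), hash160(ALICE_PUB), 9000)


def redeem(preimage: bytes, pubkey: bytes, age: int = 0) -> bool:
    # Redeem branch witness: <sig> <pubkey> <preimage> <1>
    return run_script(SCRIPT, [toy_sign(pubkey), pubkey, preimage, b"\x01"], age)


def refund(pubkey: bytes, age: int) -> bool:
    # Refund branch witness: <sig> <pubkey> <0>
    return run_script(SCRIPT, [toy_sign(pubkey), pubkey, b""], age)
```

The two witnesses differ only in the final push that selects the branch: the redeem path is gated by the preimage and the redeemer's key, the refund path by the timeout and the refunder's key, and neither party can use the other's branch.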
Atomic Swap
How to?
- 4 transactions
- 2 conditional payments
UNFAIR!
Why unfair?
- What if Alice is a greedy person?
- Alice monitors LTC:BTC on an exchange
- Doesn't evolve in her favor
- Wait for timeout of her HTLC
Alice has an option she didn't pay for
Unfair protocol
What to do?
Fix it!
- Figure out the problem
- ???
- Profit!
Fix it! (for real)
- Attribute fault
- Punishment
Uniquely attributable fault
Punishment
- Alice needs to lose something
- On which chain?
- Put up collateral
Atomic Swap
(rev. 1)
~ diff ./swap-rev-0 ./swap-rev-1
+
+
Collateral design
- HTLC
- Same condition
- Redeem pays Alice
- Refund pays Bob
Consequences
- Alice is incentivized to redeem Bob's HTLC
- Bob no longer needs to trust Alice
- Alice now needs to trust Bob :(
Still unfair!
- Bob could just not do anything
- Get free money after the timeout
Atomic Swap
(rev. 2)
Another tweak!
- Allow Alice to take back her collateral
- Only as long as Bob did not make his transaction
- Needs to be the same transaction/contract
- Alice creates TX with collateral input + total output
- Sends TX to Bob
- Bob adds remaining funds & broadcasts
- Cancel? -> Spend UTXO elsewhere
UTXO-based currencies
Figure: one transaction with two inputs (index 0: 0.1 LTC, index 1: 1 LTC) and one output (index 0: 1.1 LTC)
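The rev. 2 trick depends on how UTXO validation works: Alice's half-built transaction is unspendable on its own (0.1 LTC in, 1.1 LTC out), becomes valid once Bob adds his 1 LTC input, and becomes invalid again if Alice has meanwhile spent her collateral elsewhere. The following is an added example that models that with a minimal UTXO set; it is not code from the slides or from COMIT, amounts are integers in litoshi (1 LTC = 100,000,000), and signatures are left out entirely.

```python
from dataclasses import dataclass, field
from typing import Optional

LTC = 100_000_000                       # 1 LTC in litoshi


@dataclass(frozen=True)
class Outpoint:
    txid: str
    index: int


@dataclass
class Transaction:
    inputs: list = field(default_factory=list)    # Outpoints being spent
    outputs: list = field(default_factory=list)   # (amount, owner) pairs


class UTXOSet:
    """Unspent outputs keyed by outpoint. Rules modelled: every input must be
    unspent, no input twice, and inputs must cover outputs."""

    def __init__(self):
        self.utxos = {}

    def fund(self, txid: str, amount: int, owner: str):
        self.utxos[Outpoint(txid, 0)] = (amount, owner)

    def validate(self, tx: Transaction) -> Optional[str]:
        """None if tx is valid against the current set, else the reason."""
        seen, total_in = set(), 0
        for op in tx.inputs:
            if op in seen:
                return f"input {op.txid}:{op.index} used twice"
            seen.add(op)
            if op not in self.utxos:
                return f"input {op.txid}:{op.index} is unknown or already spent"
            total_in += self.utxos[op][0]
        total_out = sum(amount for amount, _ in tx.outputs)
        if total_in < total_out:
            return f"inputs {total_in} < outputs {total_out}"
        return None

    def apply(self, txid: str, tx: Transaction):
        reason = self.validate(tx)
        if reason:
            raise ValueError(reason)
        for op in tx.inputs:
            del self.utxos[op]
        for i, out in enumerate(tx.outputs):
            self.utxos[Outpoint(txid, i)] = out


def rev2_scenario(alice_cancels: bool):
    """Returns (reason Alice's partial tx is rejected, reason the final tx is
    rejected or None). Constructed txids stand in for real hashes."""
    chain = UTXOSet()
    chain.fund("alice-collateral", LTC // 10, "alice")   # 0.1 LTC collateral
    chain.fund("bob-funds", LTC, "bob")                  # Bob's 1 LTC

    # Alice: collateral input + the full HTLC amount as output, sent to Bob.
    htlc_tx = Transaction(inputs=[Outpoint("alice-collateral", 0)],
                          outputs=[(LTC + LTC // 10, "htlc-script")])
    partial_reason = chain.validate(htlc_tx)             # unfunded on its own

    if alice_cancels:
        # Alice backs out by spending the collateral UTXO elsewhere first.
        chain.apply("alice-cancel", Transaction(
            inputs=[Outpoint("alice-collateral", 0)],
            outputs=[(LTC // 10, "alice")]))

    # Bob adds his input and broadcasts the same transaction.
    htlc_tx.inputs.append(Outpoint("bob-funds", 0))
    return partial_reason, chain.validate(htlc_tx)
```

In a real deployment Alice's signature on her input must commit to the 1.1 LTC output while still permitting Bob to add an input (a SIGHASH_ANYONECANPAY-style sighash mode); this model omits signatures and shows only the UTXO-level consequence of the cancel.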
But we have LN!
Privacy
Scriptless scripts
- Signatures instead of hash functions
- Indistinguishable from regular transactions
Workflow
Figure: Alice (\(x_a\), \(t\)) and Bob (\(x_b\)), 1 BTC on one side and 10 LTC on the other; the outputs are locked to \(G \cdot (x_b + t)\) and \(G \cdot (x_a + x_b)\)
Alice doesn't know \(x_b\), Bob doesn't know \(t\)
=> Neither of them can spend
- Bob creates adaptor signature
- Alice completes it
- Doesn't learn \(x_b\)
- Is forced to reveal \(t\)
- Bob learns \(t\)
Equivalent to an
Atomic Swap with HTLCs
- Alice has a "secret"
- Alice cannot take Bob's funds without revealing the "secret"
- Both parties can take their money back
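The adaptor-signature mechanics behind "Bob creates, Alice completes, Bob learns \(t\)" can be run end to end in a few lines. This is an added example, not code from the slides or from COMIT: it uses Schnorr-style signatures over secp256k1 with a single signer (Bob's key \(x_b\) alone rather than the 2-of-2 key \(G \cdot (x_a + x_b)\) in the diagram), a deterministic nonce for reproducibility, and constructed key material. The point arithmetic is written out so the block runs offline.

```python
import hashlib

# secp256k1 parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if y1 != y2:
            return None                         # p == -q
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k: int, p):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = add(r, p)
        p = add(p, p)
        k >>= 1
    return r


def challenge(r_point, pubkey, msg: bytes) -> int:
    data = b"".join(c.to_bytes(32, "big") for c in (*r_point, *pubkey)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def pre_sign(x: int, msg: bytes, T):
    """Bob's adaptor signature on msg: valid only once shifted by the t behind T.
    The nonce is derived deterministically here purely so the example is
    reproducible (an assumption of this demo)."""
    r = int.from_bytes(hashlib.sha256(b"nonce" + x.to_bytes(32, "big") + msg).digest(), "big") % N
    R = mul(r, G)
    e = challenge(add(R, T), mul(x, G), msg)    # challenge binds R + T
    return R, (r + e * x) % N


def verify_pre(pub, msg: bytes, T, R, s_adapt: int) -> bool:
    """Alice checks the adaptor signature before revealing anything."""
    e = challenge(add(R, T), pub, msg)
    return mul(s_adapt, G) == add(R, mul(e, pub))


def adapt(s_adapt: int, t: int) -> int:
    """Alice completes the signature with her secret t."""
    return (s_adapt + t) % N


def verify(pub, msg: bytes, R_final, s: int) -> bool:
    """Ordinary signature check: what the chain sees is just (R + T, s)."""
    e = challenge(R_final, pub, msg)
    return mul(s, G) == add(R_final, mul(e, pub))


def extract(s: int, s_adapt: int) -> int:
    """Bob recovers t from the signature Alice had to publish to spend."""
    return (s - s_adapt) % N


def run_swap(x_b: int, t: int, msg: bytes) -> dict:
    """One round trip with constructed scalars; returns the checks a party makes."""
    T, pub_b = mul(t, G), mul(x_b, G)
    R, s_adapt = pre_sign(x_b, msg, T)
    s = adapt(s_adapt, t)
    R_final = add(R, T)
    return {
        "pre_ok": verify_pre(pub_b, msg, T, R, s_adapt),
        "final_ok": verify(pub_b, msg, R_final, s),
        "extracted_t": extract(s, s_adapt),
        "wrong_t_ok": verify(pub_b, msg, R_final, adapt(s_adapt, (t + 1) % N)),
    }
```

The final signature verifies as an ordinary Schnorr signature, which is the indistinguishability property from the slide; only Bob, who holds the adaptor value, can subtract it out and learn \(t\).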
Open research questions
How to do 'Scriptless Scripts' across different curves?
- Relies on signatures
- Signatures are curve-specific
- How can we use them across different curves?
- Bitcoin
- Monero
- Cardano
How to uniquely attribute fault in multi-hop payment channels?
Figure: three-party chain Alice (A), Bob (B), Charlie (C) with one hop in BTC and one in LTC
Situation: Bob doesn't redeem LTC from Charlie:
- He wants to scam Charlie
- He didn't receive the pre-image from Alice
Charlie cannot tell the difference
=> fault CANNOT be uniquely attributed
=> punishment scheme doesn't work
How to build HTLCs without knowing the recipient?
What do we need for HTLCs?
- Redeem address
- Refund address
- Timeout
- Hash
The State of
Atomic Swaps
Thanks for listening!
Contact
@oetzn
coblox
thomas@coblox.tech
https://coblox.tech
https://slides.com/thomas_eizinger/the_state_of_atomic_swaps
The State of Atomic Swaps
By Thomas Eizinger
Slides for the talk at Scaling Bitcoin on 07-09-2018.