The State of Atomic Swaps
Why do I care?
Building the COMIT protocol
- connecting blockchains
- facilitating cross-chain applications
A conditional transfer
- Scripting language
- Bitcoin scripts
- Ethereum contracts
- "Scriptless scripts"
- signatures + private keys
OP_IF OP_SHA256 [91d6a24697ed31932537ae598d3de3131e1fcd0641b9ac4be7afcb376386d71e] OP_EQUALVERIFY OP_DUP OP_HASH160 [9f4a0cf348b478336cb1d87ea4c8313a7ca3de19] OP_ELSE  OP_CHECKSEQUENCEVERIFY OP_DROP OP_DUP OP_HASH160 [65252e57f727a27f32c77098e14d88d8dbec0181] OP_ENDIF OP_EQUALVERIFY OP_CHECKSIG
- 4 transactions
- 2 conditional payments
- What if Alice is a greedy person?
- Alice monitors LTC:BTC on an exchange
- The rate doesn't evolve in her favor
- She waits for the timeout of her HTLC
Alice has an option she didn't pay for
What to do?
- Figure out the problem
Fix it! (for real)
- Attribute fault
Uniquely attributable fault
- Alice needs to lose something
- On which chain?
- Put up collateral
~ diff ./swap-rev-0 ./swap-rev-1
- Same condition
- Redeem pays Alice
- Refund pays Bob
- Alice is incentivized to redeem Bob's HTLC
- Bob no longer needs to trust Alice
- Alice now needs to trust Bob :(
- Bob could just not do anything
- Get free money after the timeout
- Allow Alice to take back her collateral
- Only as long as Bob did not make his transaction
- Needs to be the same transaction/contract
- Alice creates TX with collateral input + total output
- Sends TX to Bob
- Bob adds remaining funds & broadcasts
- Cancel? -> Spend UTXO elsewhere
But we have LN!
- Signatures instead of hash functions
- Indistinguishable from regular transactions
Alice (\(x_a\), \(t\))
\(G \cdot (x_b + t)\)
\(G \cdot (x_a + x_b)\)
Alice doesn't know \(x_b\), Bob doesn't know \(t\)
=> Neither of them can spend
- Bob creates adaptor signature
- Alice completes it
- Doesn't learn \(x_b\)
- Is forced to reveal \(t\)
- Bob learns \(t\)
Equivalent to an Atomic Swap with HTLCs
- Alice has a "secret"
- Alice cannot take Bob's funds without revealing the "secret"
- Both parties can take their money back
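The adaptor-signature exchange above, as an added example that is not from the talk or the COMIT code: a pure-Python, single-key Schnorr-style adaptor signature on secp256k1 with a plain SHA-256 challenge. The joint key \(x_a + x_b\) and the BIP340 encoding are left out for brevity, and the function names are my own; Bob pre-signs, Alice checks and completes, and publishing the completed signature hands \(t\) to Bob.

```python
import hashlib, secrets

# secp256k1 parameters: field prime, group order, generator point
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt=G):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def challenge(R, pub, msg):
    """Schnorr challenge e = H(R || pub || msg); plain SHA-256, not the BIP340 scheme."""
    coords = b"".join(c.to_bytes(32, "big") for pt in (R, pub) for c in pt)
    return int.from_bytes(hashlib.sha256(coords + msg).digest(), "big") % N

def bob_presign(x_b, T, msg):
    """Bob: adaptor signature on msg, locked to T = t*G. Returns (R, s')."""
    r = secrets.randbelow(N - 1) + 1  # fresh nonce, never reused
    R = mul(r)
    return R, (r + challenge(add(R, T), mul(x_b), msg) * x_b) % N

def alice_verify_presig(R, s_pre, T, X_b, msg):
    """Alice: s'*G == R + e*X_b shows the adaptor is well-formed; she learns nothing about x_b."""
    return mul(s_pre) == add(R, mul(challenge(add(R, T), X_b, msg), X_b))
def alice_complete(s_pre, t):
    """Alice: adding t yields the valid signature (R + T, s); publishing it reveals t."""
    return (s_pre + t) % N
def verify(R_full, s, X, msg):
    """Ordinary Schnorr verification of (R_full, s) under public key X."""
    return mul(s) == add(R_full, mul(challenge(R_full, X, msg), X))
def bob_extract(s, s_pre):
    """Bob: t = s - s' once Alice's completed signature is on chain."""
    return (s - s_pre) % N
```

The pre-signature on its own never verifies, so Bob's funds cannot move until Alice adds \(t\), which is exactly the "forced to reveal" property the slide describes.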
Open research questions
How to do 'Scriptless Scripts' across different curves?
- Relies on signatures
- Signatures are curve-specific
- How can we use them across different curves?
How to uniquely attribute fault in multi-hop payment channels?
Situation: Bob doesn't redeem LTC from Charlie:
- He wants to scam Charlie
- He didn't receive the pre-image from Alice
Charlie cannot tell the difference
=> fault CANNOT be uniquely attributed
=> punishment scheme doesn't work
How to build HTLCs without knowing the recipient?
What do we need for HTLCs?
- Redeem address
- Refund address
Thanks for listening!
The State of Atomic Swaps
By Thomas Eizinger