Hi everyone, For those who are unfamiliar, Statechains enable the transfer UTXOs off-chain with the help of a Statechain entity (trusted server(s)) without giving them full custodial control over your coins [0]. At Scaling Bitcoin ‘18 [1] I briefly mentioned utilizing blind signatures [2] to make the entity unaware of what it's signing. I now think this is the more interesting approach. The functionality can be described fairly elegantly as follows.
Blind signing server with two functions users can call: // Start new signature chain (1) requestNewKey(userPubkey) => returns a new serverPubkey and registers it to userPubkey // Extend existing chain (2) requestBlindSig(userSignature, blindedMessage, nextUserPubkey) => returns blindSignature, registers the serverPubkey to nextUserPubkey The resulting output is a public ECC chain (one blindSignature per user, one chain per serverPubkey) of blindly signed messages, requested by users (1, 2, 3, etc.): userSignature1(blindedMessage1, userPubkey2) => blindSignature1 userSignature2(blindedMessage2, userPubkey3) => blindSignature2 etc. Assuming the server is honest (more on this below), we can use it to transfer over the signing rights of a private key without actually changing the key itself. The functionality is general and therefore suitable for more than just Bitcoin, but let's walk through the primary envisioned use case where we transfer the ownership of a Bitcoin UTXO off-chain. Note that the server is kept completely unaware that it's handling a BTC transaction, since it's signing blindly: - B uses function (1) with userPubkey = B to request serverPubkey A - B then generates transitory key X, and creates a single MuSig key AX (key X is called “transitory” because its private key will later be passed on) - B prepares tx1: 1BTC to AX (he doesn't send it yet) - B creates tx2: an eltoo tx [3] that assigns the 1BTC back to B (off-chain) - B uses (2) with nextUserPubkey = B and blindedMessage = tx2 - B sends tx1 to the blockchain and waits for it to confirm - B receives a key from C in order to prepare a payment - B creates tx3: an eltoo tx (with higher priority) with 1BTC to C (off-chain) - B uses (2) with nextUserPubkey = C and blindedMessage = tx3 - B passes the private key of X (the transitory key) on to C - C takes blinded tx2 and tx3 from the public server output and unblinds them with X - C only accepts the payment if everything is in order [4] Even if the server goes offline, C can still get the money by sending tx3 to the blockchain. A and B can collude to take the money from C, but since all instances of userSignature and blindSignature are published openly, cheating is publicly detectable (e.g. the server signed two messages from B instead of one). Trust can be distributed by turning the server into a multisig threshold key, so serverPubkey A becomes e.g. 8-of-12 multisig. This means security can be on par with federated sidechains [5], and is similar to how ZmnSCPxj replaced the escrow key with a federation in “Smart Contracts Unchained” [6]. Lastly, by utilizing adaptor signatures [7], the userSignature can be tied to the blindSignature. In fact, this can be done for any number of signatures, allowing multiple signing sessions to take place atomically [8]. This denies the server the ability to selectively publish one signature and not the other, allowing safe atomic swaps via the server. Essentially, anything that requires UTXO ownership can be achieved off-chain via Blind Statechains. Coinjoin, Lightning channel opening/adjusting/closing, Discreet Log Contract style bets [9], cross-chain atomic swaps, etc. Since the blind signing server functionality is non-specific to Bitcoin, it'll be useful for non-cryptocurrency related use cases as well, but I have not given this a lot of thought. I also recently published a more high-level overview of Statechains here, which may be of interest: https://medium.com/@RubenSomsen/statechains-non-custodial-off-chain-bitcoin-transfer-1ae4845a4a39 -- Ruben Somsen [0] Statechains paper: https://github.com/RubenSomsen/rubensomsen.github.io/blob/master/img/statechains.pdf [1] Statechains Scaling Bitcoin ‘18: http://youtu.be/FI9cwksTrQs?t=47m36s Transcript: http://diyhpl.us/wiki/transcripts/scalingbitcoin/tokyo-2018/statechains/ [2] Blind signatures, Jonas Nick: http://diyhpl.us/wiki/transcripts/building-on-bitcoin/2018/blind-signatures-and-scriptless-scripts/ [3] eltoo: https://blockstream.com/eltoo.pdf [4] Similar to client-side validation, Peter Todd: https://diyhpl.us/wiki/transcripts/scalingbitcoin/milan/client-side-validation/ [5] Sidechains Appendix A, federated peg: https://blockstream.com/sidechains.pdf [6] Smart Contracts Unchained ,ZmnSCPxj: https://zmnscpxj.github.io/bitcoin/unchained.html [7] Adaptor signatures, Andrew Poelstra: http://diyhpl.us/wiki/transcripts/layer2-summit/2018/scriptless-scripts/ [8] Adam Gibson (Waxwing) separately made a similar observation on his blog: https://joinmarket.me/blog/blog/multiparty-s6/ [9] Discreet Log Contracts, Thaddeus Dryja: https://adiabat.github.io/dlc.pdf _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev