-
STRUCTURINGMULTITRANSACTIONCONTRACTSINBITCOIN
JeremyRubin
-
IsCashBitcoin’sKillerApp?
• Ethereumdoessmartcontracts!– liketheDAO
*Betteridge’sLaw
-
SafeContractExtensionsforBitcoinContracts
• Toolsforcomplexcontracts• Avoidinternalcomplexity
-
WeCanHaveItAll
• TransactionlevelinvariantscalledCovenantscangetusthere
-
Contributions
• ExtensionstoCovenants• MerkleCompressedCovenants•
TransactionDiagrams• Multi-PhaseExecutionTechniques
-
BACKGROUNDKNOWLEDGECovenantContracts
-
TheNaughtyBanker
•
YouaskBob’sBanktoholda$100deposit– Bobbuyshimselfsomenewsneakerswithyourmoney
-
CovenantContracts
• ContractsthatREQUIREcreationofacontractofcertainform
•
Example:HiringaBanker– Theyhaveyourmoneybutonlyyoucanwithdraw!
-
PlaceholderNotation
• highlevel:– COV(plainEnglishinvariant)
• script:– OP_COV
• Examples:– COV(Bob’sBankonlyletsmewithdraw)– OP_COV
-
MakingCovenants
• TwoMajorVariant– InvariantbyExecution
• OP_COV[MES16]“Introspective”– Patternmatching
• “Computational”Limpractical– InvariantbyConstruction
• RecoveredPubKey“Cryptographic”–
OP_CHECKSIGFROMSTACK+OP_CAT/SUBSTR– SIGHASH_MASK-ing
• MultiSig“Trustful”– 1ofNhonesty
-
LGraveConcernsL• Fungibility&Privacy– ForcedCompliance
• ComputationalExplosion– LoopscouldmakeTuringComplete
• OpenTopic:Expressive&Safecontractswithoutcovenants?–
LikepreventingTuringCompleteness…
• {CSS,MOV,C++Templates…}areTuringComplete–
TrivialBitcoin“covenants”
• sum(Outputs)
-
COVENANTSextensionsto
-
TaleofExpiredAccounts
•
Let’ssayyouhaveaphonenumberas2FAtoyourbankaccount– Whenyouchangeyournumber,youwantthe2FAtochangetoo
– Infact,youwanttonotbeabletochangeyourphonebeforeyour2FApointstothenewrecord
-
Input-JoinCovenant
• Twooutputsforcedtobeconsumedinonetransaction
• ExecutionorConstructionbasedimplementations
ü MinimalBitcoinExtensionsneeded
-
TwoCarsProblem
•
YouneedOnecaratnoon– YouhaveaFerrariandaPorsche– Youwantyour(reallygood)friendtoborrowonecaratnoonbutnottheonethatyouwant
– “OnlyafterIhavechosenshouldyoubeabletodriveaway”
-
ImpossibleInputCovenant
• Proveaninputcreationimpossible1.
Proveaninputwasalreadyconsumed2.
Constructinputfromconsumedinput3.
1&2Proveinputcreationimpossible
•
“Constructive”withoutextension,“Introspective”withnewOpCodes–
Consumingoutputexclusivelymadeinabranchequivalenttochainintrospection
– Mustbeconstructedaheadoftime
-
BadAirlines
•
You’reflyingfromJFKtoSFOwithalayoverinORD– YougoJFKàORD– ORDgetssnowedin– You’restuckinthesnow
• HowcanweensureJFKàSFOnexttime?
-
IntermediateOutputCovenant
• OP_IS_IUTXOrequiresoutputatindexbespentinsameblock
• Badfortwo-phase-commitprotocols– Exceptbetweencommits
•
Complicatesblock-creationcode– Child-Pays-For-Parentsimilar
-
BadAirlines(Part2)
•
Youbookyourowntransfers,avoidingORDandothercoldairports– Whenyougettotheairportyourealizethefirstcheck-inwon’tgiveyouallyourtickets,youneedtogothroughsecuritytwice
-
VirtualOutputCovenant• OP_SIG_VUTXOrequiresthatoutputat
redeemablewith• OP_IS_VUTXOrequiressomeotherinputscript
provideproof– allowsoptimizingmalleatingprovers…
• SamegoalasOP_IS_IUTXO– Nomultipletransactions–
Nominingcomplexity– AdditionalSigningcomplexity
• Couldpermitshared-stack– Throughalt-stack?
• Safe“TuringComplete”recursion?–
𝚫0,Russell'sPostTheoremTraceWitness–
Youcantweetmetoo…“ImmaletyoufinishbutVUTXOisthebest𝚫0–@JeremyRubin”
-
MERKLECOVENANTSapplication
-
CompressedContracts
• Summarizeuselessclauseincontract
•
Example:AppendixA– ProvideyourTaxPayerIDhere____– SeeAppendixAifnoTaxPayerID
-
MAST:MerkelizedAbstractSyntaxTree
• O(log(n))brancheliminationcompression
• HuffmanCodable• Example:Compileif(A){T}else{F}
toassert(H(code)==(A?H(T):H(F)));eval(code);
-
BitcoinImplementation(Proposal)
• Putallbranchesintoatree&run•
Example– if(A){if(B){C}else{D}}else{E}– MerkleTreeof{`assert(A&&B);C`,`assert(A&&~B);D`,`assert(~A);E`}
– Provebranchinthetree,thenrun•
OneInputinsideoneTransaction
-
Properties
• AtomicExecution– Nointermediatestate
• MinimalHash“Overhead”– 1Hash/PrunedBranch,1ParentHash
• Noneedtorevealnot-takenbranch
-
ConditionalCovenant
•
MakeanOutputasfollows– scriptpubkey:OP_IFOP_COVOP_ELSEOP_COVOP_ENDIF
-
IN
OUT
scriptsig:OP_TRUEscriptpubkey:OP_IFOP_COVOP_ELSEOP_COVOP_ENDIF
A
IN
OUT
scriptsig:OP_FALSEscriptpubkey:OP_IFOP_COVOP_ELSEOP_COVOP_ENDIF
B
EitherRedTxorBlueTxTransac5on1(ifBranch1)
Transac5on1(ifBranch2)
-
IN
OUT
In
scriptsig:OP_TRUEscriptpubkey:OP_IFOP_COVOP_ELSEOP_COVOP_ENDIF
scriptsig:OP_FALSEscriptpubkey(==A):OP_IFOP_COVOP_ELSEOP_COVOP_ENDIF
D
RedTx;EitherCorD?
OUT
Transac5on1(ifBranch1)
Transac5on2(ifBranch2)
-
Properties• Non-AtomicExecutionMode–
Intermediatestatesallowed– Extrahashperbranch
• AtomicExecutionMode– UsingOP_IS_VUTXO–
MinimalHash“Overhead”
• 1Hash/PrunedBranch,1ParentHash•
Noneedtorevealnot-takenbranch• SignatureParallelizationbenefits•
LargerMaxScriptSize
-
TRANSACTIONDIAGRAMS
-
Primitives:Transaction
A
B
input:Ascript:“…”scriptSig:“…”output:B
-
A
Primitives:OutputCovenant
COV(B)
B
input:Ascript:COV(B)scriptSig:“…”output:B
-
ACOV(B) COV(C)
Primitives:ConditionalCovenant
B C
input:Ascript:OP_IFOP_COVOP_ELSEOP_COVOP_ENDIFscriptSig:OP_TRUEoutput:B
-
Primitives:ANDCovenants
FCOV(H)COV(G)
G H
input:Fscript:OP_COVOP_COVOP_ENDIFscriptSig:outputs:G,H
-
Primitives:InputJoinCovenant
A INP(B)
C
B INP(A)
A B
C
inputs:A,Bscript:“…”scriptSig:“…”outputs:C
-
Primitives:ImpossibleInputCovenant
(Constructive)
XCOV(A) COV(B)
A B
C INP(~B)
D
~A~B
inputs:C,~Bscript:“…”scriptSig:“…”outputs:D
inputs:Xscript:OP_IFOP_ELSEOP_ENDIFOP_COVscriptSig:“…”outputs:~B,A
-
Primitives:ImpossibleInputCovenant
XCOV(A) COV(B)
A B
C INP(~B)
D
~A~B
inputs:C,~Bscript:“…”scriptSig:“…”outputs:D
inputs:Xscript:OP_IFOP_ELSEOP_ENDIFOP_COVscriptSig:“…”outputs:~B,A
-
Primitives:ImpossibleInputCovenant
XCOV(A) COV(B)
A B
C INP(~B)
D
~A~B
inputs:C,~Bscript:“…”scriptSig:“…”outputs:D
inputs:Xscript:OP_IFOP_ELSEOP_ENDIFOP_COVscriptSig:“…”outputs:~B,A
-
Primitives:VirtualOutput
A B
C
input:Ascript:OP_IS_IUTXOscriptSig:“…”output:B,C
A B
C
0Satoshi
-
COV(A) COV(B)
ACOV(C) COV(D) BCOV(E) COV(F)
C ED F
MAST
-
COV(A) COV(B)
ACOV(C) COV(D) BCOV(E) COV(F)
C ED F
MASTExecution
-
COV(A) COV(B)
ACOV(C) COV(D) BCOV(E) COV(F)
C E F
MAST
DCOV(H)COV(G)
G H
-
COV(C) COV(F)
C E F
Shorthand
DCOV(H)COV(G)
G H
COV(E)COV(D)
-
COV(C) COV(F)
C E F
Shorthand
G H
COV(E)COV(G,H)
-
COV(C) COV(F)
C E F
Shorthand
G H
COV(E)COV(G,H)
-
COV(C) COV(F)
C E F
ShorthandwithDepth
G H
COV(E)COV(G,H)2 3 2 2
-
MULTI-PHASEEXECUTIONtechniquesfor
-
StuckState
•
Amulti-transactioncontractwhichisstuckatacertainbranch,whenotherbranchescouldhaveavoidedthestuckstate
• TransactionsCANNOTberolledback
-
StuckState
BOP_FALSEOP_VERIFY
COV(A) COV(B)
ACOV(C) COV(D)SELECT
C DOP_FALSEOP_VERIFY
SELECT
-
SimplyNon-Stuck
•
Avoidcontractsthatmaygetstuck– Onlyusevirtual/intermediateoutputs
• Two-phasecommitsmustbeabletogetstuck
-
Taken-Branch-EliminationRollback
•
[Ifafteracceptabledelay,]recreateallofatransaction’sinputscriptswithoutbranchtaken
• Finite(nolooping)• NoNewOpcode• Drawback:ProgramSize
-
COV(A) COV(B)
Taken-Branch-EliminationRollback
A
COV(C) TIMEOUT;RE
C
COV(A)
A
-
SafeHighVoltageSwitching
•
AskanElectricalEngineerhowtheykeephighvoltagecircuitswithlowvoltagecontrolseparate– OpticalIsolation!
-
OpticalIsolatedContracts
• Useseparatecontrolflowforaccesscontrolandvalue
• Impossibleinputcovenantsensurefundusagewithprotocol
-
OpticalIsolatedContracts
A
M01000Satoshi(Feesonly)
COV(INP(~F)) COV(F)
E
G
F
B
~F
COV(A) COV(B)
COV(F)
INP(~F)
M1 100Bitcoin
-
OpticalIsolatedContracts
A
M01000Satoshi(Feesonly)
COV(INP(~F)) COV(F)
E
G
F
B
~F
COV(A) COV(B)
COV(F)
INP(~F)
M1 100Bitcoin
-
OpticalIsolatedContracts
A
M01000Satoshi(Feesonly)
COV(INP(~F)) COV(F)
E
G
F
B
~F
COV(A) COV(B)
COV(F)
INP(~F)
M1 100Bitcoin
-
OpticalIsolatedContracts
A
M01000Satoshi(Feesonly)
COV(INP(~F)) COV(F)
E
G
F
B
~F
COV(A) COV(B)
COV(F)
INP(~F)
M1 100Bitcoin
-
TheDeliProblem
•
Youwanttobuysomedeli-meatsandpreparedfoods– Butthelineisblockingthecounter– Deli-numbercongestioncontrol?
-
CongestionControl
• Supposeyouhaveatimesensitivecloseoperation
• Doacheap“commit-close”txn•
Moreexpensiveclosewhenexcessbandwidthavailable–
size(COVCLOSE)<size(CLOSE)
• Sendbothtominer,theycanchoose!•
Overall,moreexpensive,butfaster
-
CongestionControl
closeBob
RSMC Alice
closeAlice
RSMC Bob
⚡
-
CongestionControl
closeBob
RSMC Alice
closeAlice
RSMC Bob
⚡
COV(CloseBob) COV(CloseAlice)
-
CongestionControl
closeBob
RSMC Alice
closeAlice
RSMC Bob
⚡
COV(CloseBob) COV(CloseAlice)
-
Etc
• InductiveExecution– Startfromthelasttransactionup
•
SingleInductionExecution– runforward,exceptforfirststeprunasabove
• RateLimitedRollback• TraditionalM-of-Ntimeouts
-
QualityofServiceMatters
•
Wecan’tjustmakeprotocolsmoreresource-efficient,weneedtomakethemworkbetterwhenresourcesareconstrained
-
“SecureContractsIsolateValue”
•
Giveyourfriendthekeystoyourcar– butnotthegaragedooropener– becauseyoucanopenthegaragedoorfromyourphone
• ThatBitcointransactionpropagatevaluemakesincentivesharder
-
CovenantsAreNotEvil
•
Therearestrongreasonstofeargeneral-purposecovenants,buttheystillareworthconsideration
• VUTXO-onlyCOVislowrisk
-
BitcoinMustPickBattles
• Tensionbetweensecurityandcomplexity
• Keepscriptssimplepredicates!•
Betterhigher-orderinter-outputinteractionmaybesafer
![Contracts Restatement of Contracts 2[2]](https://img.pdfslide.net/doc/110x75/552501dc4a7959a2488b4959/contracts-restatement-of-contracts-22.jpg)
