← Back to team overview

mimblewimble team mailing list archive

Re: Scriptless scripting and deniable swaps


On Fri, Feb 03, 2017 at 10:42:14PM +0000, Andrew Poelstra wrote:
> Pieter Wuille in particular has stressed to me what a great feature of MW it is
> that everything looks the same, and that breaking this property should be taken
> very seriously.

In this line of thinking, I gave a presentation at MIT recently about the
various things you can do just with kernel signatures. The slides are here:


Kanzure has kindly written a transcript of the talk, though the audio was
a bit choppy:

> At the Stanford BPASE Conference [2] I gave a talk where I briefly mentioned that
> it was possible to do atomic swaps with no preimages at all. I'll explain how to
> do this in a second, but first I want to revise my proposal from my last mail.
>   * Each kernel (née excess value) K signs the challenge H(K || f || L), where
>     K is the kernel itself, f is the fee it is attesting must exist in this
>     transaction, and L is an optional locktime, measured in blockheight.
>   * By default L is the empty string, there needs to be a special flag to indicate
>     that it is nontrivial. Hopefully the actual presence of nontrivial locktimes
>     will be rare since they are only used in the adversarial backout case of most
>     protocols. Since a locktime L must stay in the blockchain forever we should
>     discourage their use somehow.
> So I'm removing all script support, even for just hash preimages.

At the end of my talk I mentioned that I didn't know how to do locktimes in a
scriptless script way and therefore we need this explicit L. I'm happy to say
that this is no longer true. Ethan Heilman pointed out that it is possible to
make a "timelocked signature" that requires grinding through a sequential
proof-of-work to do. This is described here:


He also suggested the locktime should be cancellable and extendable by having
the would-be recipient reveal a key to the sender, but we didn't work out all
the details. If this works then we should be able to get the effect of a
relative lock-time, having indefinitely-open lightning channels, and so forth.
Exciting times.

Therefore I revise my proposal again, to remove the explicit locktime, and
have only the fee.


Andrew Poelstra
Mathematics Department, Blockstream
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

"A goose alone, I suppose, can know the loneliness of geese
 who can never find their peace,
 whether north or south or west or east"
       --Joanna Newsom

Attachment: signature.asc
Description: PGP signature

Follow ups