Bitlayer Research: OP-DLC 2大道至简

Original Title: "Bitlayer Core Technology: DLC and Its Optimization Considerations"

Original authors: mutourend & lynndell, Bitlayer Research Group

1. Introduction

Discreet Log Contract (DLC) is a contract execution framework based on oracle machines proposed by Tadge Dryja at MIT in 2018. DLC allows two parties to make conditional payments based on predefined conditions. The possible outcomes are agreed upon and pre-signed by both parties, and these pre-signed agreements are used to execute payments when the oracle signs the result. Therefore, DLC enables new applications for decentralized finance while ensuring the security of Bitcoin deposits.

The previous article "DLC Principle Analysis and Its Optimization Thinking" summarized the advantages of DLC in privacy protection, complex contracts, and low asset risk, and also analyzed the problems of Secret Key risk, Decentralization Trust Risk, and collusion risk in DLC, and introduced decentralized oracles, threshold signatures, and optimistic challenge mechanisms into DLC to solve various problems it should face. Because the DLC involves three participants, Oracle Machine, Alice, and Bob, the conspiracy between different participants is relatively complex, resulting in relatively complex prevention strategies. Complex defense strategies are not perfect, do not conform to simplicity, and lack the beauty of simplicity.

In Bitcoin, any behavior of any participant needs to be implemented through a UTXO. Therefore, using the Consensus Mechanism to ensure that the UTXO is correct is resistant to arbitrary attacks. Similarly, in DLC, any behavior of any party needs to be implemented through a CET (Contract ution Transaction). Therefore, if you use the optimistic challenge mechanism to ensure that the CET is correct, you will be able to resist arbitrary attacks. Specifically, after Oracle Machine stake the 2B TC, you will be able to sign the CET. Add an optimistic challenge mechanic to CET. If the CET is not challenged, or if the challenge is successfully tackled, the CET is correct, the Settlement can be completed, Oracle Machine the stake is released, and the fee is paid; If Oracle attempts to do evil, anyone can successfully challenge, the CET will not Settlement, the Oracle Machine will lose its stake, and the Oracle Machine will no longer be able to sign the same CET. In line with the simplicity of the avenue, with simple beauty.

2. DLC Principle

Alice and Bob sign a bet agreement: bet on whether the hash value of the ξth block is odd or even. If it is odd, Alice wins the game and can withdraw the assets; if it is even, Bob wins the game and can withdraw the assets. Use DLC to pass the information of the ξth block through an oracle machine to construct a conditional signature so that the correct winner can win all the assets.

The elliptic curve generator is G, and the order is q. The Oracle Machine, Alice, and Bob have their respective key pairs (z, Z), (x, X), (y, Y).

Funding Transaction (on-chain): Alice and Bob create a funding transaction together, each locking 10 BTC in a 2-of-2 multisig output (one public key X belongs to Alice, and one public key Y belongs to Bob).

Building CET (off-chain): Alice and Bob create CET 1 and CET 2 for spending investment transactions.

Oracle Machine calculates the commitment R = k · G, and then calculates S and S'

S := R - hash(OddNumber, R) · Z

S' := R - hash(EvenNumber, R) · Z

The new public keys corresponding to Alice and Bob are as follows:

PK^{Alice} := X + S

PK^{Bob} := Y + S'.

Settlement (off-chain->on-chain): When the first Block is successfully generated, the corresponding CET 1 or CET 2 is signed Oracle Machine according to the hash value of the Block.

If the hash is odd, the Oracle Machine signs as follows s

s := k - hash(OddNumber, R) z

Broadcast CET 1.

If the hash is even, the Oracle Machine signs s'

s' := k - hash(EvenNumber, R) z

Broadcast CET 2.

Withdrawal (on-chain): If the oracle broadcasts CET 1, Alice can calculate a new private key and spend the locked 20 BTC.

sk^{Alice} = x + s

If the oracle broadcasts CET 2, then Bob can calculate a new private key and spend the locked 20 BTC

sk^{Bob} = y + s'

Bitlayer research team found that: in the above process, any action needs to be implemented through CET. Therefore, only need to use the optimistic challenge mechanism to ensure the correct CET, it can resist any attack. Incorrect CET will be challenged, not executed, while the correct CET will be executed. In addition, the Oracle Machine needs to pay the price for malicious behavior.

If the program to be challenged is f(t), CET should be constructed as follows.

s = k - hash(f(t), R) z.

Assuming the actual situation is that the hash value of the ξ block is an odd number, i.e. f(ξ) = OddNumber, the oracle machine should sign CET 1

s := k - hash(OddNumber, R) z.

However, the Oracle Machine maliciously modifies the function value to Even and signs CET 2:

s' := k - hash(EvenNumber, R) z.

Therefore, any user can thwart this malicious behavior based on f(ξ) ≠ OddNumber.

3.OP-DLC 2

OP-DLC includes the following 5 provisions:

• The Oracle Machine is composed of an alliance with n participants, and any member can sign CET. Stake 2B TC, and the Oracle Machine can release signed transaction fees. If a member behaves maliciously, they will lose their stake. Other members can continue to sign CET to ensure that users can withdraw funds. Alice and Bob can also become Oracle Machines, truly only trusting themselves and minimizing trust.
• If the Oracle Machine behaves maliciously and modifies the result, it will inevitably lead to the situation where f1(ξ) ≠ z1, f2(z1) ≠ z2. Therefore, any participant can initiate a challenge, that is, carry out Disprove-CET1 transaction.
• If the oracle honestly signs CET, then no party can initiate a valid Disprove transaction. 1 week later, CET can be settled correctly. In addition, the oracle will receive 0.05 BTC as a reward, which is used for its 2B TC 1-week stake and the fee for honestly signing CET.
• Any participant can challenge Oracle_sign:

If Oracle_sign is honest, Disprove-CET 1 transaction cannot be initiated, and CET settlement will be executed after 1 week. In addition, the Oracle Machine stake will be unlocked and receive fees;

If Oracle_sign is dishonest, i.e., anyone successfully initiates a Disprove-CET 1 transaction and successfully spends connector A output, the signature of the oracle is invalid, resulting in a loss of 2B TC staked, and the oracle will no longer be able to initiate the same result signature for the DLC contract in the future. Because the Settle-CET 1 that relies on the connector A output will be permanently invalidated.

• The challenge in OP-DLC is permissionless, meaning that any participant can supervise whether the contract in OP-DLC is executed correctly. Therefore, the trust in the Oracle Machine is minimized. Compared to the Lighting Network, Alice and Bob can also be offline. Because only honest signatures from the Oracle Machine will settle CET, while malicious Oracle Machines can be challenged and punished by anyone.

Advantages:

• High asset control system, trust only yourself: Both Alice and Bob can become Oracle Machines and sign CET. The optimistic challenge mechanism will defeat the wrong CET, so it is impossible to do evil. Therefore, OP-DLC allows users to only trust themselves. In BitVM, users need to act as Operators and must participate in all subsequent deposits to only trust themselves. If a user acts as an Operator and only participates in depositing a single UTXO in BitVM, and this UTXO can be legitimately reimbursed by any other (n-1) Operators, then the user's future withdrawals will still require trust in other Operators to make the payment. The reimbursement authority for BitVM Operators is locked to each individual deposit UTXO.
• High capital utilization: If users only trust themselves, the required amount of funds will vary. In OP-DLC, users rely on their own funds for withdrawal and do not need to provide an equal amount of funds as collateral; whereas in BitVM, users need to provide an equal amount of funds as collateral and then get reimbursed. This brings greater financial pressure.
• The signing oracle needs to be determined when depositing in OP-DLC, but users can also become oracles and sign for themselves.

Disadvantages:

• Withdrawal takes 1 week: Essentially, the capital cost of both OP-DLC and BitVM is present and equal. Withdrawal from OP-DLC requires a challenge period to obtain the funds; if BitVM relies on users to advance the funds, the same amount of advanced funds also needs to go through the challenge period for successful reimbursement. If BitVM relies on other Operators to advance quick withdrawals, it means that the capital cost of an equal amount of funds to the Operator needs to be paid as a fee.
• The number of signatures that need to be pre-signed is growing rapidly and is linearly related to the number of CET. You need as many CET as possible to enumerate all the withdrawal results.

4. Conclusion

OP-DLC introduces optimistic challenge mechanism into CET, ensuring that incorrect CET is not settled and corresponding malicious oracle machine loses stake; ensuring that correct CET is executed, and oracle machine stake is unlocked and receives fees. This method can resist arbitrary attacks and has simplicity and beauty.

Reference

• Specification for Discreet Log Contracts
• Discreet Log Contracts
• DLC Principle Analysis and Optimization Considerations
• Optimistic Rollup
• BitVM 2: Permissionless Verification on Bitcoin