This post originally appeared on Medium as part of a three-part series on Bitcoin smart contracts, and we republished with permission from Xiaohui Liu. Read part 1 here and part 2 here.
We introduce a generic approach to skip on-chain computation in Bitcoin smart contracts, while ensuring security in the presence of malicious parties. In this approach, honest contracting parties can reach agreements peer to peer off chain and opportunistically decide to short-circuit complex computational alternative.
Outsource example
Alice asks Bob to compute an input/witnessĀ xĀ which makesĀ functionĀ f(x)Ā return true. For example,Ā fĀ can be a hash puzzle, a solution toĀ a Sudoku puzzleĀ orĀ a Travelling Salesman ProblemĀ (TSP). If Bob can provideĀ x, he is paid inĀ Tx1Ā as shown below. Otherwise, Alice can cancel and get her fund back inĀ Tx2Ā after timeĀ t, which is pre-signed by Bob. This is dual toĀ Timed Commitment SchemeĀ (TCS) we introduced before, in the sense that Bob has to respond in time, not Alice.
Outsource with cooperation
Now let us modify the above contract/protocol slightly. Bob, instead of redeeming Aliceās fund by broadcastingĀ Tx1, shares his witnessĀ xĀ with Alice directly. Alice can validate it off chain and ensure it is expected (i.e.,Ā f(x)Ā evaluates to true). Afterwards, she has two choices:
In choice 1, Bob can still createĀ Tx1Ā and redeem Aliceās fund. Alice cannot cheat and does not gain anything.
In choice 2, Alice chooses to be honest and can enjoy significant benefits.
Privacy
Often, Alice does not wantĀ xĀ to be public. Maybe it is the preimage in a hash puzzle, acting as token to access her rental car, or the answer to the TSPās problem is secret of her logistics companyās route. x would be exposed inĀ Tx1Ā and be shielded inĀ Tx3.
Efficiency
fĀ can be a computationally intensive function, which has to be evaluated by all miners ifĀ Tx1Ā is used. IfĀ Tx3Ā is used,Ā fĀ is not evaluated by miners at all, since a contract function is only called when it is used in the spending transaction to unlock. Instead, only two signatures have to be checked, which can be many orders of magnitude smaller and independent of the complexity ofĀ f.
From Aliceās perspective, she is incentivized to act honestly and choose 2 to gain privacy. Her honesty also offloads heavy computation off chain, reducing overall tasks on the Bitcoin network.
Generalization
The idea is applicable to all types of smart contracts where multiple parties can reach mutual agreements off chain, thus avoid heavy on-chain computation and gain additional privacy by following the contract/protocol honestly. This is achieved with no loss of security and fairness, even if some parties try to cheat. It is expected to gain wide adoption in practice.
Source: Read Full Article