forked from cheng/wallet
362b7e653c
Which affected all documentation files.
335 lines
18 KiB
Markdown
335 lines
18 KiB
Markdown
---
|
||
title:
|
||
Contracts on the blockchain
|
||
...
|
||
# Terminology
|
||
|
||
A rhocoin is an unspent transaction output, and it is the public key
|
||
that identifies that unspent transaction output, the private key that
|
||
can sign with that public key, the point which is the mathematical
|
||
object of which that public key is the text representation, and the
|
||
scalar which is the mathematical object that the secret can construct.
|
||
|
||
A public key and and its associated secret key can do all sorts of
|
||
things as well as control rocoins – logons, identifying participants in
|
||
a conversation, and signing a message, among them.
|
||
|
||
We talk about points and scalars, meaning points on the elliptic curve
|
||
and scalars, large numbers modulo the order of the curve, the
|
||
mathematical objects underlying these keys, when we combine them
|
||
mathematically in interesting ways, for example adding several points to
|
||
create a public key that requires several secrets, possessed by several
|
||
different people, to use. Scalars can be added and multiplied, points
|
||
can be added or subtracted from other points, and points can be
|
||
multiplied by scalars. When we design contracts on the blockchain, we
|
||
should refer to scalars and points, but the rest of the time, we should
|
||
talk about coins, public keys, and private keys. Normal people should
|
||
never need to hear of points and scalars, and should not need to know
|
||
what they are. Only people writing software to manage blockchain based
|
||
interactions need to talk about or think about points and scalars.
|
||
|
||
# Instant irrevocable transctions
|
||
|
||
## Why we need Schnorr signatures
|
||
|
||
In order that people can meet in person to exchange fiat for blockchain
|
||
money in person, they need a transfer that is instant and irrevocable.
|
||
|
||
Bob wants to buy blockchain money for cash. Ann wants to sell for cash.
|
||
They agree to meet in person, and do the exchange – paper money in a
|
||
brown paper bag.
|
||
|
||
Ann and Bob cooperate over the network to create a postdated transaction
|
||
spending an as yet nonexistent coin whose public key is the sum of a
|
||
public key whose secret key is known only to Bob, and a public key whose
|
||
secret key is known only to Ann, and *after* that transaction is
|
||
created, Ann issues a transaction placing value an unspent transaction
|
||
output in that coin, creates a rhocoin for that public key, knowing that
|
||
if nothing further is done, the coin eventually comes back to her. Then,
|
||
before the postdated transaction becomes placeable on the blockchain,
|
||
they meet in person, and once the cash is in her hands and she has
|
||
counted it, she then reveals her secret key to Bob, and his wallet can
|
||
instantly tell him that the coin is in his wallet right and spendable
|
||
right now – but will become spendable by Ann at block number so and so.
|
||
Bob can now spend that coin, but Ann still cannot spend it and needs to
|
||
spend it before the postdated transaction becomes spendable on the
|
||
blockchain. He presumably spends it to a coin wholly controlled by him,
|
||
or uses it in some other transaction, and Ann discards the now useless
|
||
postdated transaction.
|
||
|
||
Note that such a joint shnorr signature is absolutely indistinguishable
|
||
on the blockchain from any other signature, so no one, except for Ann
|
||
and Bob, can tell there was anything different about this transaction.
|
||
|
||
To represent this contract to normies, we call it a coin commitment, a
|
||
coin locked to someone else’s wallet for a certain period. We refain
|
||
from talking about points and scalars. Ann creates a coin that she
|
||
cannot use for anything except paying Bob, until a certain time has
|
||
passed, and once this coin is registered on the blockchain, Bob knows
|
||
she has created this coin and what it is worth, (though no one except
|
||
Ann and Bob knows it is for this purpose) but once the coin is on the
|
||
blockchain, she can use it to instantly pay Bob, in a message over the
|
||
network that his wallet will immediately register as payment completed,
|
||
without needing a third party escrow agent that governments will want to
|
||
register and regulate, as you have use in order to do instant payments
|
||
with bitcoin, or offline by Bob manually typing in the secret that makes
|
||
the coin spendable by Bob, though it can be texted in the clear, since
|
||
no one but Bob can make use of it. It only needs to be kept secret until
|
||
the time comes for Bob to receive the payment. But if she does not
|
||
instantly pay Bob, she can convert it into a regular coin, spendable by
|
||
her and only by her at any time, once its lockup time has expired.
|
||
conversely, once she has given Bob the secret, Bob can use it any
|
||
transaction, such as a transaction spending it to himself, before its
|
||
time is up. The blockchain contains no information showing this
|
||
committed coin is any different from any other, the information that
|
||
makes this coin different being in the secrets in Ann’s and Bob’s
|
||
wallets, not in the blockchain where governments are likely to look for
|
||
someone to regulate. The information that makes this coin different is
|
||
that the secret that controls it is split between Ann’s wallet and
|
||
Bob’s wallet, and Ann and Bob have already created a secret
|
||
transaction, stored in Ann’s wallet, spending the coin to a destination
|
||
determined by Ann, which transaction remains in her wallet until the
|
||
time is up, or until Bob, having received the secret from Ann, spends
|
||
the coin. This transaction is made possible, not by any terribly clever
|
||
cryptographic mathematics, but by the fact that our blockchain, unlike
|
||
the others, is organized around client wallets chatting privately with
|
||
other client wallets. Every other blockchain has necessary cryptographic
|
||
mathematics to do the equivalent, usually more powerfull and general
|
||
than anything on the rhocoin blockchain, and Monaro has immensely
|
||
superior cryptographic capabilities, but somehow, they don’t, the
|
||
difference being that rhocoin is designed to avoid uses of the internet
|
||
that render a blockchain vulnerable to regulation, rather than to use
|
||
clever cryptography to avoid regulation. The attack points whereby
|
||
government is getting hold of crypto currencies are not the
|
||
cryptography, which is usually bulletproof, but the domain name system,
|
||
the certificate authorities, and the world wide web, which is completely
|
||
vulnerable.
|
||
|
||
# General purpose scripts
|
||
|
||
Ethereum has a general purpose script language, which seems like
|
||
overkill, and indeed it was overkill, since humans started to misbehave,
|
||
and other humans started to judge transactions, so that the laws of
|
||
mathematics failed to dictate the outcomes, and those human judges are
|
||
predictably misbehaving.
|
||
|
||
Bitcoin has a also has a fully general stackbased language
|
||
pay-to-scripthash (P2SH) also called Bitcoin script. But this led to
|
||
problems, so they effectively disabled it, by making only a small set of
|
||
scripts permissible. Seems that we have not yet figured out how to
|
||
safely enable run time user designed contracts on the blockchain. We
|
||
instead need a short list of payment rules fixed at compile time. We
|
||
shall not create a script language capable of embedding arbitrary
|
||
contracts in the blockchain at runtime, as it would be impossible for one of
|
||
the parties to figure out the gotchas cooked up by the other party.
|
||
|
||
Rather than our model being the infamous click through contract and shrink
|
||
wrap contract, our model should be the returnable writs of The Lion of
|
||
Justice, Henry the First. The Anglo Saxon legal system has been going
|
||
downhill since the death of Henry the second. It is time for a restoration.
|
||
If we cannot restore, bypass. People wanted to use the legal system of The
|
||
Lion of Justice, rather than the ecclesiastical legal system, and if we do
|
||
things right, people will want to use our legal system.
|
||
|
||
A returnable writ is a royal command that has blanks that the parties to a
|
||
dispute or a contract can fill in, but they cannot write their own writ
|
||
ad hoc.
|
||
|
||
The trouble with excessive flexibility is that the parties to a dispute are
|
||
likely to have asymmetric knowledge of the implications of the contract, which
|
||
problem can be mitigated by having as few possible contracts as possible, and
|
||
those contracts authorized by the consensus of the blockchain. We can
|
||
increase flexibility by having multi transaction transactions, where different
|
||
elements of the aggregate transaction invoke different writs, but too much
|
||
flexibility is likely to bite people.
|
||
|
||
# Atomic Swaps on separate blockchains
|
||
|
||
A proof of stake currency is like a corporation, like shares in a
|
||
corporation. So we are going to have many corporations, and individuals
|
||
will want to exchange shares in one corporation, with shares in
|
||
another. We would like to do this without direct linking of
|
||
blockchains, without trusted intermediaries, because a trusted
|
||
intermediary is a target for regulation, where the state imposes
|
||
mandatory trust, while protecting profoundly untrustworthy behavior.
|
||
|
||
Bob is owns some crypto currency in the foo blockchain, and wants to
|
||
exchange it with Carol’s crypto carrency in the bar blockchain.
|
||
|
||
Bob agrees with Carol to give her three units of his foo currency, for
|
||
five units of her bar currency.
|
||
|
||
But, how do we make it so that the transaction is completed? We don’t
|
||
want Carol giving five units, and Bob replying “Hah hah fooled you”.
|
||
|
||
So Carol creates an output of five units that can be spent by a secret
|
||
key that only she knows after ten blocks, but until then can be spent by
|
||
Bob’s secret, plus a preimage that only she knows. The output contains
|
||
Bob’s public key, Carol’s public key, and the public hash of a secret
|
||
preimage known only to Carol. Bob waits until that output becomes final
|
||
and spendable in the bar blockchain. Bob then creates an output of three
|
||
units that can be spent by a secret key that Bob knows after five blocks
|
||
in the foo chain, but until then, can be spent by a carol’s secret key,
|
||
plus the preimage of a value known only to Carol. The output also
|
||
contains Carol’s public key, Bob’s public key, and the pubic hash of a
|
||
secret preimage known only to Carol, except that the public keys in
|
||
Bob’s output are in the opposite order to Carol’s, and the times are
|
||
different. After a while, both outputs become final and spendable in
|
||
their respective blockchains. Carol then uses her preimage to spend
|
||
those three units in the foo chain, thereby automatically revealing it
|
||
to Bob, which preimage Bob immediately employs to spend the output on
|
||
the bar chain.
|
||
|
||
To spend an output, it has to be an input, one of many, to a
|
||
transaction, and the whole transaction has to be signed by every
|
||
signature required by every input, as each input defines a valid
|
||
signature. So an input/output carries information amounting to a
|
||
quantity of money, possibly a user name, and a signature definition. In
|
||
the simplest and most common case, a public key defines what would
|
||
constitute a valid signature.
|
||
|
||
The immutability of the output comes from the fact that is part of
|
||
transaction, and the entire transaction has to be as signed, that the
|
||
transaction has to be signed by the signatures for all the inputs. For
|
||
this case, contract conditional on pre-image for a certain range of
|
||
block numbers, the signature block has to the pre-image as well as the
|
||
regular signature.
|
||
|
||
# Micro and Nanopayments.
|
||
|
||
The blockchain is heavy, thus unsuitable for small and fast payments,
|
||
such as the payments needed for storage and bandwidth while pirating
|
||
files.
|
||
|
||
Small fast payments require trust, thus trusted intermediaries backed up
|
||
by the blockchain.
|
||
|
||
How do we know if we can trust an intermediary?
|
||
|
||
Because he has a history of signed contracts, that it is easy to prove
|
||
whether a contract has been honored, and no one has produced a contract
|
||
that he signed, alleged that contract was dishonored, and he could not
|
||
prove it was honored.
|
||
|
||
Assume Bob is a trusted intermediary between Ann and Carol. Ann wants to
|
||
pay people, Carol among them, probabilistically – in lottery tickets
|
||
that if won will result in payments on the blockchain.
|
||
|
||
The protocol is that Ann creates the unspent transaction output, which
|
||
comes to exist, unspent, on the blockchain, and no one can spend it
|
||
except Bob says so, since any transaction spending that output will need
|
||
a Bob signature. So if Bob is an OK guy, no double spending shall ever
|
||
happen. If no double spending has ever happened, we can probably trust
|
||
Bob for transactions similar to past transactions. If no past double
|
||
spends, likely no future double spends.
|
||
|
||
Ann promises to give Carol a lottery ticket for services rendered, Carol
|
||
gives Ann a signed hash of a secret preimage, and renders those
|
||
services. Ann issues a lottery ticket by creating a random number, and
|
||
giving Carol a signed hash of Carol’s hash and the lottery identifier.
|
||
The ticket will be valid if the hash of Ann’s secret preimage, and
|
||
Carol’s secret preimage has certain properties – typically that its
|
||
value in big endian order modulo 2^64^ is less than a certain amount.
|
||
The ticket commits Ann to the lottery conditions, being a hash of their
|
||
secrets, and the conditions agreed to.
|
||
|
||
Carol shows Bob the lottery ticket, and asks
|
||
|
||
> “will I get paid if the secrets under the hashes meet the required
|
||
> condition.”
|
||
|
||
Bob tells Carol
|
||
|
||
> “Sure. I will issue a payment for block number such of the blockchain,
|
||
> the current block, if the preimage meets the conditions.”
|
||
|
||
thereby assuring Carol that Ann is on the up and up and providing the
|
||
data needed to create a valid transaction if the lottery ticket is
|
||
valid. Bob provides a link to the transaction output that will be used
|
||
showing that Carol has put real money where her mouth is, asserts it is
|
||
unspent, and promises not to validate any further potentially winning
|
||
lottery tickets for this block period, unless shown evidence that
|
||
previously validated lottery tickets were losing tickets.
|
||
|
||
Carol, who has some reason to trust Bob, now knows that Ann is issuing
|
||
valid lottery tickets – even if this was a losing lottery ticket. Bob
|
||
will refuse to issue more validations for this lottery and this block
|
||
period. unless Carol provides proof that this was a losing lottery
|
||
ticket.
|
||
|
||
If Carol goes dark at this point, the money is frozen till the next
|
||
block period, which causes minor and temporary inconvenience for Ann and
|
||
Bob but does not benefit Carol.
|
||
|
||
Suppose it is a winning lottery ticket – she informs Bob and Carol so
|
||
that they know to issue a new lottery, and now injects it into the
|
||
blockchain with the required data, and hashes that links to the
|
||
conversations between herself, Bob, and Alice. If the payment goes
|
||
through – the transaction inputs are real and have not been previously
|
||
spent. then done. If the transaction fails for block n of the block
|
||
chain, when Bob said it would succeed, she uses the proof of failure -
|
||
that blockchain input was invalid or spent in this block when Bob said
|
||
it would be valid and unspent for this block, plus the previous
|
||
conversations between herself, Bob, and Carol, to prove to the world
|
||
that Bob was cheating.
|
||
|
||
If, on the other hand, there are lots of transactions of this form that
|
||
have successfully gone through, and none that failed in this fashion,
|
||
these provide compelling evidence that Bob is an honest dealer.
|
||
|
||
If Bob goes dark at some point (going dark means ceasing to respond, or
|
||
issuing responses that will be rejected and ignored as invalid) the
|
||
money remains unspent and unspendable, Ann and Carol are inconvenienced,
|
||
no one wins, and no proof of bad behavior is generated. But Bob cannot
|
||
stay up for losing lottery tickets, but then conveniently go dark for
|
||
winning lottery tickets because he issues the data required for a
|
||
winning lottery ticket (or data that would prove he is a cheater) before
|
||
he knows whether the ticket is winning or not.
|
||
|
||
If Carol goes dark, she does not get paid, but does not get proof of bad
|
||
behavior by Ann or Bob.
|
||
|
||
If Ann goes dark, she does not pay Carol. Carol knows Ann is behaving
|
||
badly, ceases to deal with her, but may not get proof of bad behavior by
|
||
Ann that she can show to other people. But getting such proof is not
|
||
very useful anyway, since Carol’s identity is cheap and expendable,
|
||
while Bob’s identity is durable and valuable.
|
||
|
||
Random stranger Ann contacts random stranger Carol, offers to pay in
|
||
lottery tickets for data. Perhaps she wants to watch some movies. Shows
|
||
proof that lottery prize recently existed in a recent block on the
|
||
blockchain, which shows that Ann is not a total flake. Gets some data on
|
||
trust. Provides lottery ticket. Bob says lottery ticket could win,
|
||
depending on a secret that Carol has committed to, but not revealed.
|
||
Carol checks that in the past Bob has paid out on lots of lottery
|
||
tickets and not defected on any lottery ticket. More trust ensues. Ann
|
||
now has reason to trust Carol, Carol has reason to trust Ann, without
|
||
anyone being exposed to large risks and without any actual blockchain
|
||
transactions taking place. It takes an expensive blockchain transaction
|
||
to create the lottery prize, but having created it, Ann and Bob can do
|
||
very large numbers of transactions off blockchain on trust.
|
||
|
||
# Institutions on the blockchain
|
||
|
||
A lot of people, instead of controlling outputs on the bitcoin
|
||
blockchain by secret keys, have a login account, username and password,
|
||
with an “exchange”. That “exchange” (the institution, not the
|
||
particular transaction mediated by the institution) owes them bitcoins,
|
||
payable on demand. And from time to time an exchange goes belly up,
|
||
blaming the federal government or hackers, and just does not pay its
|
||
clients the bitcoins it owes.
|
||
|
||
We call them “exchanges”, not “banks”, because the word “banks” implies
|
||
a government guarantee, and a long past of honoring transactions, which
|
||
these exchanges seldom have, but they are performing bank like
|
||
functions.
|
||
|
||
We would like to have evidence of the institutions reserve fraction, of
|
||
its term transformation (maturity transformation).
|
||
|
||
Solution: Institution runs its own side chain, with a small number of
|
||
peers. The Merkle-patricia dac of unspent transaction outputs has in
|
||
each node the sum of the money in each subtree, and the hash of subtree
|
||
hashes and sums. Thus the standard client wallet will report the total
|
||
owing/shares on issue
|