Analysis of DLC principles and its optimization considerations
Original title: Bitlayer Core Technology: DLC and Its Optimization Considerations
Original author: lynndell, mutourend, Bitlayer Research Group
1 . Introduction
Discreet Log Contract (DLC) is a set of oracle-based contract execution solutions proposed by Tadge Dryja of MIT in 2018. DLC allows two parties to make conditional payments based on predefined conditions. Each party determines and pre-signs possible outcomes, and uses these pre-signatures to execute the payment when an oracle signs the results. As a result, DLC enables new decentralized financial applications while keeping Bitcoin deposits safe.
Compared with the Lightning Network, DLC has the following significant advantages:
· Privacy:DLC is superior to Lightning Network in terms of privacy protection, contract details are only shared between participants and not stored on the blockchain. In contrast, Lightning Network transactions are routed through public channels and nodes, and their information is open and transparent;
· The complexity and flexibility of financial contracts Characteristics:DLC can create and execute complex financial contracts directly on the Bitcoin network, such as derivatives, insurance, and gambling contracts, while the Lightning Network is mainly used for fast small payments and cannot support complex applications;
· Reduced counterparty risk: DLC funds are locked in multi-sig contracts and will only be released upon the outcome of predefined events Release reduces the risk of either party not complying with the contract. Although the Lightning Network reduces the need for trust, there is still some counterparty risk in terms of channel management and liquidity provision;
· No need to manage payment channels :DLC operations do not require the creation or maintenance of payment channels, which are a core component of the Lightning Network. Channel management is complex and resource-consuming;
· Scalability for specific use cases: The Lightning Network improves Bitcoin’s transaction throughput to a certain extent, while DLC provides better scalability for complex contracts on Bitcoin.
Although DLC has great advantages in Bitcoin ecological applications, there are still some risks and problems, such as:
· Key risk:The private key of the oracle and the promised random number are at risk of being leaked or lost, resulting in the loss of user assets;
· Centralized trust risk:The problem of centralization of oracle machines can easily lead to denial of service attacks;
· Decentralization prevents key derivation:If the oracle is decentralized, the oracle node only owns the private key shard. However, decentralized oracle nodes cannot directly use BIP32 for key derivation based on private key sharding;
· Collusion risk:
strong>If the oracle nodes collude with each other or collude with the participating parties, the trust problem of the oracle machine is still not solved. A reliable supervision mechanism is needed to minimize oracle trust;
· Fixed denomination change problem:Conditional signatures need to be constructed Contracts are preceded by a deterministic set of enumerable events to construct transactions. Therefore, DLC will have a minimum amount limit for asset redistribution, resulting in a fixed denomination change problem.
To this end, this article proposes some solutions and optimization ideas to solve the risks and problems of DLC and improve the security of the Bitcoin ecosystem.
2. DLC Principle
Alice and Bob sign a betting agreement: Bet on the nth +k blocks have hashes that are odd or even. If it is an odd number, Alice wins the game and can withdraw the asset in t time; if it is an even number, Bob wins the game and can withdraw the asset in t time. Using DLC, the n+kth block information is passed through the oracle to construct a conditional signature so that the correct winner wins all assets.
Initialization: The elliptic curve generator is G and the order is q.
Key generation: The oracle, Alice and Bob independently generate their own private and public keys.
· The private key of the oracle is z and the public key is Z, satisfying the relationship Z=z⋅G;
· Alice’s private key The key is x, the public key is
Capital transaction: Alice and Bob create a funding transaction together, each locking 1BTC in a 2-of-2 multi- Sign output (a public key X belongs to Alice, a public key Y belongs to Bob).
Contract Execution Transaction:Alice and Bob create two Contract Execution Transactions (CET) for spending capital injection transactions.
The oracle calculates the commitment
$R:=k ⋅ G$
Then, calculates S and S'
$S:=R-hash(OddNumber,R) ⋅ Z,$
$S':=R-hash(EvenNumber,R) ⋅ Z$
Broadcast (R,S,S').
Alice and Bob each calculate the corresponding new public key
$PK^{Alice}:=X+ S,$
$PK^{Bob}:=Y+ S'.$
Settlement:When the n+kth block After it appears, the oracle machine generates the corresponding s or s' based on the hash value of the block.
· If the hash value of n+k block is odd, the oracle calculates and broadcasts s
$s:=k-hash(OddNumber,R) ⋅ z$
· If the hash value of the n+kth block is an even number, the oracle calculates the union Broadcast s'
$s':=k-hash(EvenNumber,R) ⋅ z$
Withdraw coins:One of the participants, Alice or Bob, can withdraw assets based on s or s' broadcast by the oracle.
· If the oracle broadcasts s, Alice can calculate the new private key sk^{Alice} and extract the locked 2 BTC
$sk^{Alice}:= x + s.$
· If the oracle broadcasts s', Bob can calculate the new private key sk^ {Bob}, and withdraw the 2 BTC locked
$sk^{Bob}:= y + s'.$
Analysis: The new private key sk^{Alice} calculated by Alice and the new public key The key PK^{Alice} satisfies the discrete logarithm relationship
$sk^{Alice} ⋅ G= (x+s) ⋅ G=X +S=PK^{Alice}$
In this case, Alice’s withdrawal will be successful.
Similarly, the new private key sk^{Bob} calculated by Bob and the new public key PK^{Bob} satisfy the discrete logarithm relationship
$sk^{Bob} ⋅ G= (y+s') ⋅ G=Y+S'=PK^{Bob}$
This situation Next, Bob’s withdrawal will be successful.
In addition, if the oracle broadcasts s, it is useful to Alice, but not to Bob. Because Bob cannot be used to calculate the corresponding new private key sk^{Bob}. In the same way, if the oracle broadcasts s', it is useful to Bob, but not to Alice. Because Alice cannot be used to calculate the corresponding new private key sk^{Alice}.
Finally, the above description omits time locks. A time lock needs to be added to allow one party to calculate a new private key and withdraw coins within t time. Otherwise, if the t time is exceeded, the other party can withdraw the assets using the original private key.
3.DLC Optimization
3.1 Key Management
In the DLC protocol, the private key of the oracle and the promised random number are crucial. If the private key of the oracle machine and the promised random number are leaked or lost, it will easily lead to the following four security problems:
(1) The oracle machine is lost Private key z
If the oracle loses the private key, DLC cannot be settled, resulting in the need to execute the DLC refund contract. Therefore, a refund transaction is set up in the DLC protocol to prevent the oracle from losing its private key.
(2) The oracle leaks the private key z
If the private key of the oracle is leaked, all DLC based on the private key will face the risk of fraudulent settlement. An attacker who steals the private key can sign any message they want, achieving complete control over the outcome of all future contracts. Furthermore, an attacker is not limited to publishing a single signed message, but can also publish conflicting messages, such as signing the n+kth block with odd and even hashes at the same time.
(3) The oracle leaks or reuses the random number k
If the oracle If the oracle machine leaks the random number k, then in the settlement phase, regardless of whether the oracle machine broadcasts s or s', the attacker can calculate the private key z of the oracle machine as follows
$z:=(k-s)/hash(OddNumber, R)$
$z:=(k-s ')/hash(EvenNumber, R)$
If the oracle reuses the random number k, then after 2 settlements, the attacker can use the signature broadcast by the oracle , solve the system of equations according to one of the following four situations, and find the private key z of the oracle machine,
Case 1:
$s_1=k-hash(OddNumber_1, R) ⋅ z$
$s_2=k-hash(OddNumber_2, R) ⋅ z$
Case 2:
$s_1'=k-hash(EvenNumber_1, R) ⋅ z$
$s_2'=k-hash(EvenNumber_2, R) ⋅ z$
Case 3:
$s_1=k-hash(OddNumber_1, R) ⋅ z$
$s_2'=k-hash(EvenNumber_2, R) ⋅ z$
Case 4:
$s_1'=k-hash(EvenNumber_1, R) ⋅ z$
$s_2=k-hash(OddNumber_2, R) ⋅ z$
(4) The oracle machine is lost randomly Number k
If the oracle loses the random number k, the corresponding DLC cannot be settled, and the DLC refund contract needs to be executed.
Therefore, in order to improve the security of the oracle private key, BIP32 should be used to derive the child or grandchild key for signature. In addition, to improve the security of the random number, the hash value k:=hash(z, counter) of the private key and counter should be used as the random number k to prevent the random number from being repeated or lost.
3.2 Decentralized Oracle
In DLC, the role of the oracle is crucial , which provides key external data that determines the outcome of the contract. To improve the security of these contracts, decentralized oracles are needed. Unlike centralized oracles, decentralized oracles spread the responsibility for providing accurate and tamper-proof data across multiple independent nodes, which can reduce the risk of relying on a single point of failure and reduce the possibility of manipulation or targeted attacks. Through decentralized oracles, DLC can achieve a higher degree of trustlessness and reliability, ensuring that contract execution relies entirely on the objectivity of predetermined conditions.
Schnorr threshold signature can realize a decentralized oracle. Schnorr threshold signatures have the following advantages:
· Enhanced security: Through the management of decentralized keys, threshold signatures reduce the risk of single points of failure. Even if the keys of some participants are leaked or attacked, the entire system is still safe as long as the set threshold is not exceeded.
· Distributed control: Threshold signature realizes distributed control of key management. No single entity has all the signing power, thus reducing the risk of excessive concentration of power. Come risk.
· Improved availability: Only a certain number of oracle nodes need to agree to complete the signature, which improves the flexibility and availability of the system. Even if some nodes are unavailable, it will not affect the reliable operation of the overall system.
· Flexibility and scalability: The threshold signature protocol can set different thresholds as needed to adapt to various security requirements and scenarios. In addition, it is also suitable for large-scale networks and has good scalability.
· Accountability: Each oracle node generates signature fragments for messages based on private key fragments, and other participants can use the corresponding public key The shards verify the correctness of the signature shards to achieve accountability. If correct, the signature fragments are accumulated to generate a complete signature.
Therefore, the Schnorr threshold signature protocol plays an important role in improving the security, reliability, flexibility, scalability and accountability of decentralized oracles. Has significant advantages.
3.3 Coupling decentralization and key management
In key management technology, the oracle has a complete key z. Based on the complete key z and the increment ω, using BIP32, it can derive a large number of child keys z+{ω }^{(1)} and grandchild keys z+ω ^{(1)}+ω ^{(2)}. For different events, the oracle can use different grandchild private keys z+ω ^{(1)}+ω ^{(2)} to generate corresponding signatures σ for the corresponding event msg.
In the decentralized oracle application scenario, there are n participants, and t+1 participants are required to perform threshold signatures. Among them, t. The n oracle nodes each have a private key shard z_i, i=1,...,n. These n private key shards z_i correspond to a complete private key z, but the complete private key z never appears from beginning to end. Under the premise that the complete private key z does not appear, t+1 oracle nodes use private key shards z_i, i=1,...,t+1 to generate signature shards σ_i' for message msg', and the signature shards σ_i' are merged into a complete signature σ '. The verifier can verify the correctness of the message signature pair (msg',σ ') using the complete public key Z. Since t+1 oracle nodes are required to jointly generate the threshold signature, it has higher security.
However, in the decentralized oracle application scenario, the complete private key z does not appear, and BIP32 cannot be used directly for key derivation. In other words, the oracle decentralization technology and key management technology cannot be directly coupled.
The paper Distributed Key Derivation for Multi-Party Management of Blockchain Digital Assets proposes a distributed key derivation method in the threshold signature scenario. The core idea of the paper is that according to the Lagrange interpolation polynomial, the private key shard z_i and the complete private key z satisfy the following interpolation relationship
Adding increment ω to both sides of the above equation, the following equation is obtained
This equation shows that the private key shard z_i plus the increment ω still satisfies the interpolation relationship with the complete private key z plus the increment ω. In other words, the sub-private key shard z_i+ω and the sub-key z+ω satisfy the interpolation relationship. Therefore, each participant can use the private key shard z_i plus the increment ω to derive the sub-private key shard z_i+ω, which is used to generate the sub-signature shard, and the corresponding sub-public key Z+ω ⋅ G can be used to verify the validity.
However, enhanced vs. non-enhanced BIP32 needs to be considered. Enhanced BIP32 takes the private key, chain code and path as input, calculates SHA512, and outputs the delta and sub-chain code. Non-enhanced BIP32 takes the public key, chain code and path as input, calculates SHA512, and outputs the delta and sub-chain code. In the case of threshold signatures, the private key does not exist, so only non-enhanced BIP32 can be used. Or use homomorphic hash functions, there is enhanced BIP32. However, the homomorphic hash function is different from SHA512 and is not compatible with the original BIP32.
3.4 OP-DLC: Minimizing Oracle Trust
In DLC, Alice and Bob The contract between them is executed based on the result of the oracle signature, so the oracle needs to be trusted to a certain extent. Therefore, the correct behavior of the oracle machine is a major prerequisite for the operation of DLC.
In order to distrust oracles, there have been studies on executing DLC based on the results of n oracles to reduce dependence on a single oracle.
· The "n-of-n" model means using n oracles to sign a contract and executing the contract based on the results of the n oracles. This model requires n oracles to all sign online. If an oracle goes offline or has disagreements about the results, it will affect the execution of the DLC contract. The trust assumption is that all n oracles are honest.
· The "k-of-n" model means using n oracles to sign a contract and executing the contract based on the results of k oracles. If more than k oracles collude, it will affect the fair execution of the contract. In addition, when using the "k-of-n" model, the number of CETs that need to be prepared is C_n^k times that of a single oracle or the "n-of-n" model. The trust assumption is that at least k oracles out of n oracles are honest.
Increasing the number of oracle machines does not achieve the distrust of oracle machines. Because when the oracle does something evil, the injured party in the contract has no appeal channel on the chain.
Therefore, this section proposes OP-DLC, which introduces the optimistic challenge mechanism in DLC. Before n oracles participate in setting up DLC, they need to pledge in advance to build an OP game on the permisssionless chain and promise not to do evil. If any oracle acts evil, Alice or Bob, or any other honest oracle or other third-party honest observer, can initiate a challenge. If the challenger wins the game, the evil oracle will be punished on the chain and its deposit will be forfeited. In addition, OP-DLC can also be signed using the "k-of-n" model. where k can even be 1. Therefore, the trust assumption is reduced to that as long as there is an honest participant in the network, an OP challenge can be launched to punish the evil oracle node.
When settling OP-DLC based on Layer2 calculation results:
· If the oracle uses the wrong If the result signature damages Alice's interests, Alice can use Layer2 to correctly calculate the results and challenge the OP game on the permisssionless chain where the oracle is pledged in advance. Alice wins the game, punishes the evil oracle, and makes up for the loss;
· In the same way, Bob, other honest oracle nodes, and third-party honest observers can all initiate challenges . However, to prevent malicious challenges, the challenger also needs to stake.
Therefore, OP-DLC enables oracle nodes to supervise each other, minimizing oracle trust. This mechanism only requires one honest participant and has a fault tolerance rate of 99%, which better solves the risk of oracle collusion.
3.5 OP-DLC + BitVM dual bridge
When DLC is used for cross-chain bridge, Fund allocation is required when the DLC contract is settled:
· Needs to be pre-set through CET. This means that the DLC’s fund settlement granularity is limited, such as the Bison network’s 0.1 BTC granularity. There is a problem: Users’ asset interactions in Layer 2 should not be limited to the fund granularity of DLC CET.
· When Alice wants to settle her Layer2 assets, user Bob's Layer2 assets will be forced to be settled to Layer1. There is a problem: Each Layer2 user should be able to freely choose to deposit and withdraw funds without being affected by the deposits and withdrawals of other users.
· Alice and Bob negotiate the cost. There is a problem: both parties are required to be willing to cooperate.
Therefore, in order to solve the above problems, this section proposes OP-DLC + BitVM dual bridge. This solution allows users to deposit and withdraw money through BitVM's permissionless bridge, and also deposit and withdraw money through the OP-DLC mechanism, achieving change at any granularity and improving capital liquidity.
In OP-DLC, the oracle is the BitVM Alliance, Alice is an ordinary user, and Bob is the BitVM Alliance. When setting up OP-DLC, in the CET built, the output to user Alice can be spent immediately on Layer1, and in the output to Bob, a "DLC game that Alice can participate in the challenge" is constructed and a timelock locking period is set. When Alice wants to withdraw money:
· If the BitVM Alliance acts as an oracle and signs correctly, Alice can withdraw money on Layer1. However, Bob waits for the lock-in period to expire before he can withdraw money on Layer1.
· If the BitVM Alliance acts as an oracle and cheats, Alice's interests will be damaged. However, Alice can challenge Bob's UTXO. If the challenge is successful, Bob's amount can be forfeited. Note: One of the other BitVM Alliance members can also initiate a challenge, but Alice is most motivated to initiate a challenge because her interests are harmed.
· If the BitVM Alliance acts as an oracle and cheats, Bob's interests will be damaged. However, an honest member of the BitVM Alliance can challenge the "BitVM Game" and punish cheating oracle nodes.
In addition, when user Alice wants to withdraw money from Layer2, but the preset CET in the OP-DLC contract does not have a matching amount, Alice can choose the following method :
·Withdraw money through BitVM, which is advanced by BitVM operator at Layer1. The BitVM bridge assumes an honest participant in the BitVM consortium.
·Withdraw money through a certain CET in OP-DLC, and the remaining change is advanced by the BitVM operator in Layer1. OP-DLC withdrawals will close the DLC channel, but the remaining funds in the DLC channel will be transferred to the BitVM Layer1 fund pool without forcing other Layer2 users to withdraw funds. OP-DLC bridge trust assumes that there is an honest participant in the channel.
· Alice and Bob negotiate the cost without the participation of the oracle machine, requiring Bob's cooperation.
Therefore, OP-DLC + BitVM dual bridge has the following advantages:
· Using BitVM Solve the problem of DLC channel fund change, reduce the number of CET settings, and are not affected by CET fund granularity;
· Combine OP-DLC bridge and BitVM bridge , providing users with a variety of withdrawal and deposit channels, and change at any granularity;
· Set the BitVM alliance to Bob and the oracle, and use the OP mechanism to make the oracle Minimize machine trust;
· Introducing the withdrawal balance of the DLC channel into the BitVM bridge fund pool to improve fund utilization.
4. Conclusion
DLC appeared before Segwit v1 (Taproot) was activated and has Realize the integration of DLC channel and Lightning Network, and extend DLC to update and execute continuous contracts within the same DLC channel. With the help of technologies such as Taproot and BitVM, more complex off-chain contract verification and settlement can be achieved within DLC, while combined with the OP challenge mechanism, minimization of oracle trust can be achieved.
References
1.Specification for Discreet Log Contracts
2.Discreet Log Contracts
3.Scaling DLC Part1: Off-chain Discreet Log Contracts
4.Scaling DLC Part2: Free option problem with DLC
5.Scaling DLC Part3: How to avoid free option problem with DLC
6.Lightning Network
7.DLC on Lightning
8.DLC Private Key Management Part 1
9. DLC Private Key Management Part 2: The Oracle's private keys
10.DLC Key Management Pt 3: Oracle Public Key Distribution
11.BitVM: Compute Anything on Bitcoin
12.BitVM 2: Permissionless Verification on Bitcoin
13.BitVM Off-chain Bitcoin Contracts
14.BIP32 BIP44
15.Schnorr signature16.FROST: Flexible Round-Optimized Schnorr Threshold Signatures17.A Survey of ECDSA Threshold Signing18.Distributed Key Derivation for Multi-Party Management of Blockchain Digital Assets19.Segregated Witness20.Optimistic Rollup21.Taproot
Original link
Welcome to join the rhythmic BlockBeats official community:
Telegram subscription group: https://t.me/theblockbeats
Telegram communication group: https://t.me/theblockbeatsApp
Twitter official account: https://twitter.com/BlockBeatsAsia
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
US Senator Cynthia Lummis posts 'laser eye' picture on social media
Data: USDC circulation increased by approximately 5.5 billion in the past 7 days
Fidelity FBTC had a net inflow of $186.1 million yesterday