15.謹慎的日誌合同 (15. Discreet Log Contracts)

字幕列表影片播放

The following content is provided under a Creative
Commons license.
Your support will help MIT OpenCourseWare
continue to offer high quality educational resources for free.
To make a donation or to view additional materials
from hundreds of MIT courses, visit MIT OpenCourseWare
at ocw.mit.edu.
TADGE DRYJA: OK.
So today, Discreet Log Contracts which is very linked
to Lightning Networks.
So if you didn't get the last two lectures,
this might not make that much sense.
So I hope-- but I think everyone here is like up
to date on these things.
So today, I'm going to talk about Discreet Log Contracts,
which is a paper I wrote last summer,
but it's evolved out of Lightning Network.
And I'll try to sort of explain how it--
hopefully, you'll see the connections and how you
can get from one to the other.
We'll talk about oracles, talk about anticipated signatures,
which has some fun math things, and talk
about building the Discreet Log Contracts themselves
and how that'll work.
OK, so conditional payments, I guess
you could call this smart contracts.
Smart contracts is a pretty vague term,
and it's used a lot in this sort of Bitcoin, blockchain,
Ethereum world.
And usually, it's pretty--
like, a lot of times, they use it as a buzzword
and it's like, oh, I'll put my land title in a smart contract
and then I can buy a house.
And a lot of times, it's used in ways
that make it seem as though you don't need a government anymore
or a judicial system anymore to enforce these contracts.
And in the case of something like Discreet Log Contracts,
that's kind of true.
Because what Bitcoin did and what
made people pretty impressed was that, hey,
you don't need a government to enforce
the scarcity of the currency that's being created.
So that's kind of cool.
But it doesn't mean that you can now use blockchain technology
to not need a government to enforce, say, rights
to property.
If you say, hey, this is my land and I've
got a smart contract that says my land is-- you know,
this is my land on the blockchain,
and then an army comes and says, well, we're taking your farm,
and you're like, no, it's on the blockchain,
and they don't really care.
So it's hard-- like, another way to think
about it is the only thing the Bitcoin network can do
is move Bitcoin, and the only thing
the Ethereum network can do is move Ethereum, to some extent.
It doesn't extend out to like, you know,
autonomous drones to shoot you if you trespass
or anything like that yet.
OK, so the simplest and, I think,
most straightforward and maybe the most useful type
of smart contract is a conditional payment where
it's basically, I'm going to pay you
based on some external data.
So I'm going to use the example of Alice and Bob
betting on tomorrow's weather.
If it rains, Alice gets a coin.
If it's sunny, Bob gets a coin.
And we need some kind of way to get this data, right.
OP_WEATHER is not in Bitcoin.
And I think, yeah, bet is a word that--
it's weird.
Like, when I'll meet with fancy rich people,
like who are in companies that come to the Media Lab--
no, I still use the word bet.
Like, to me, everything's a bet, right?
Insurance is a bet.
Like, if I buy car insurance, I'm betting GEICO or whatever.
Bet I'm going to crash my car.
And they're like, I bet you won't.
And then if I crash my car, they're like, aw, shoot,
and then they give you the money.
And if I get health insurance, I'm like,
I bet I'm going to get cancer.
And then they're like, bet you won't.
And then if I get cancer, I win and I
get a whole bunch of money.
Right.
Well, so they're offset by the fact
that you don't actually want to get cancer
and you don't want to crash your car.
And so the fact that you're betting that you will do it
means that, in the case that something bad happens,
you get a bunch of money to defer this cost.
But fundamentally, from the insurance company's perspective
and your perspective in this insurance contract,
it's a bet about whether you're going to do this or not.
And like almost all the financial contracts,
you can look at as bets, like derivatives and futures
and all those kinds of things.
OK, so to keep it simple for the example,
there's a very limited set of outcomes.
Right?
It's either rainy or sunny tomorrow,
and we don't know that it's going to-- what the weather is
going to be tomorrow yet, and we're going to bet the coin.
OK.
So yeah, we need oracles.
And I would argue that the Lightning Network
script is essentially a smart contract, right,
the this key now or this other key later.
In Lightning, however, we don't have external state.
Right?
There's no need to query a third party.
There's no need to query the outside world.
And all the data that is used in the channel
is generated by the participants of the channel themselves.
Right?
They're making up random keys, throwing them-- you know,
sending them to each other just so that they can negotiate over
the balances in that channel.
That said, they're probably exchanging something outside
of the scope of the system.
Right?
They're probably trading, you know,
I'll give you a little bit of Bitcoin for some cookies,
or something like that, and there's
some delivery of goods or services that's not in Bitcoin.
But for the state itself, it's all internal.
If we want external state, we need
some way to get that external state into our system.
Usually, this is called an oracle.
OK, so the simplest oracle would be two of three multisig,
and there are places that do this.
And it's not-- I don't want to say it's like a stupid idea.
It's actually quite powerful.
And Bitcoin enables it in ways that you couldn't necessarily
do before, but there's problems with it.
OK, so if you just say two of two multisig,
where Alice and Bob both put coins into a two--
you know, into a channel-like structure
where they both need to sign, and then
they can say, OK, well, at the end of the end of tomorrow,
whether it's sunny or rainy, we distribute the coins.
The problem is, it gets stuck if they disagree.
Right?
Also, rich players are at an advantage.
They can say, well, I think I'm right.
I'm fine not signing to get these coins out.
It works great with friends, sort
of gentlemen's agreement, ladies' agreement, or shake
hands.
OK, yeah, you're right.
It was sunny.
But Bitcoin is the currency of enemies,
so you want a third party to decide in the case of conflict.
There's a lot of, actually, interesting sort of game theory
things here where people have tried--
I've seen reports-- like, I've been
to talks where people are like, "Yeah, you
don't need an oracle.
You just agree on it without any outside influence."
And there's some fun things, some fun attacks,
where you can basically say, OK, Alice,
it rains, you win, but I'm not giving you the money.
And I can't get my money back either,
but here's what I'll do.
I'll sign a bunch of time locked transactions,
and if you want a little bit of your money,
you can take it right now.
If you want more of it, you just have
to wait weeks, months, years.
And then Bob can say, OK, it's up to you.
Right?
Like, how much of your money do you want back?
You can wait.
And so you're playing off the time value
of money, kind of thing.
Anyway, so I have seen many things where it's like,
you don't need an oracle.
Just have these two parties agree.
And like game theory, hand wave.
But I have never been convinced by them.
Like ultimately, if we're in a bet
and we don't trust each other, we
need some arbitrator to decide the outcome of the bet.
OK, so you have a third party, right.
You say, hey, we're going to bet on this weather,
and if there's a dispute, we nominate Jeff, over here,
and he's going to be the one that
decides whether it actually rained
or was sunny in order to determine who gets the money.
OK, so you have three keys, right?
You've got Alice and Bob who are in the bet and you've got--
oh, well, that wasn't how I thought--
Olivia, who is the oracle.
And if Alice and Bob are chill, they both sign
and they don't even contact Olivia.
Right, they're like, yep, it was rainy.
OK, you get the coins.
Don't even involve Olivia.
She doesn't have to deal with anything.
But if they fight and they're saying, you know,
this is totally not raining.
This is like, right now, this is not rain, right?
This doesn't count.
They're like, there's nothing.
It's basically sunny.
So if they fight about this, they can ask Olivia to sign.
Either of them can contact Olivia and say,
hey, my counterparty is either unresponsive or uncooperative.
Can you sign?
And then sign off on the fact that it is, in fact, raining.
I get the coins.
The problem is, let's say it's sunny,
and then Alice tells Olivia, hey, it's out.
Hey, it's Alice.
Say it's raining, and I'll give you 0.8 points.
Right.
I'm not supposed to get anything, but give me 0.2,
you get 0.8, win-win for both of us.
So the oracle can be influenced and bribed.
Right, so the problem here?
You've got interaction between the oracle and the participants
in the bet.
Two of three multi sig oracles, they see every contract.
Right?
The contract itself is essentially
not a smart contract, really, anymore because Olivia
has to know like the legal-ish looking terms of the contract,
right?
Olivia, the oracle, has to say, OK, in what case do I
side with Alice?
In what case do I side with Bob?
It could be programmatic, but it could also just
be a sheet of paper with a bunch of text on it,
and Olivia's an actual person and determines based on that.
Right, so this is just sort of a custodian arbitrator
kind of thing.
It's not that cool, like high-tech cryptography
kind of thing, really.
Yeah, and they also decide individually,
so they can equivocate.
So if everyone's betting on the weather,
they don't have to sign that it's sunny universally.
They can sign to sunny on this side and rainy on that side.
There's nothing you can do about that.
So I think what led me to think about these,
it'd be better if the oracle couldn't equivocate, right?
They can't deter-- you know, they
can't say two different things.
And it's even better if they never see the contracts,
but how do we do that?
OK, so any questions about the general setup of what we're
trying to accomplish here?
Bets?
And then you can have multiple-- you know,
lots of different types of bets.
But anyway, this is the essential problem.
How do we do this?
And like in Ethereum, most of the time, everything's
on chain, right.
The data sources are published on the Ethereum blockchain.
So you sort of have similar problems.
There's ideas of, OK, let's have a bunch of oracles,
and then you sort of take the average of all oracles.
There's different ways, but this thing
is, OK, make the oracles never see the contracts.
But how?
OK, and then how is going to be kind of complicated.
So remember these from last time?
Right.
These sign with this key, and you have to wait.
Sign with these two keys, and you get it immediately.
This kind of same exact script is like, so that will be used.
OK, and then a think I talked about this on the third class
about signatures, but we're going
to go more in-depth in Schnorr signatures here.
OK, so in Bitcoin, we've got this ECDSA elliptic curve.
In Bitcoin, you use ECDSA, Elliptic Curve Digital
Signature Algorithm, which is different than what
I'm going to explain.
But this aspect is the same, right?
The public keys are private keys times a generator point.
So we can do this without actually using the Bitcoin
signature algorithm.
We can use our own external signature algorithm,
and then use the keys generated by that in Bitcoin itself.
OK, so a and b lowercase, scalar.
Big A, big B, uppercase, they're points on the curve.
So what operations can we do?
I think this is review, but this was like months ago.
Regular numbers, you can do whatever you want.
They're regular numbers.
It's easy.
Add, subtract, multiply, divide, it's
literally in the software just like BigInt.add,
and the BigInt addition and mult-- you know, the BigInt
operations, if you actually look underneath at the code,
they're real simple.
You're just adding numbers.
So you can do whatever you want with these.
Points.
Points are a group.
They do not have two operations defined.
They only have one operation defined,
and we call that addition.
It's sort of-- like, you could call it something else.
Sometimes, they use a different symbol than plus,
but addition's sort of what we call it.
And it works the way you'd think addition would work, right?
You add these two things.
If you add A and B, and then subtract B,
you get back to A, things like that.
OK, so you can add and subtract, but you can't multiply
or divide.
Right?
These are not defined.
OK, and you can mix these things.
So you cannot add a point and a scalar.
That's also undefined.
So if you have like a point here, and you want to add 5,
it doesn't make sense.
However, you can multiply a point by a scalar.
And you can divide a point--
yeah.
You can divide that.
And the way you do that is you just,
in the actual elliptic curve, you-- to double a point,
you take the tangent.
So instead of drawing a line between two points,
you say, well, I'm drawing a line between this single point,
which basically means the tangent, as you sort of like--
things like limit as the spacing between those two points
goes to zero.
And then if you can double a point, if you can add A plus A,
then you can multiply by any arbitrary number by saying,
OK, I'll take 2A to be a tangent.
I'll take 4A to be the tangent of that.
I'll take it A to A to be the tangent of that.
And then you can add up, like you can do binary
decomposition-- and computers are real good at that--
and say, OK, I'm going to--
I need 5A, so I'm going to take A plus 4A.
Right.
Now-- oop, yeah.
So you can divide-- divide's a little annoying,
but you can do that.
OK, so you've got all these operations we can do.
You can do whatever you want with the scalars.
You can add points, subtract points, multiply these points
by scalars.
With this alone you can do-- and then, also, well, you
have to throw hash functions in there
for the stuff we're going to do, but you guys
know all about hash functions.
So with this and hash functions, you
can do like ridiculous amounts of stuff.
It's really kind of impressive.
Also, you can-- so yeah, part of the signature system
is you pick some random point G. Sometimes, in other systems,
you have G and H, two other points.
But the idea is everyone just agrees,
we've got some point G and everyone agrees on it.
OK, a nice property.
You can add keys that you can-- you know,
the addition sort of works--
addition in the scalar world works in the point world
as well.
Right?
So if you have a times G plus b times g,
and that's a point, that's equal to a plus b times g,
also going to be a point.
So that is what we're going to use.
And you can use this to share keys.
Right, I think I explained this last time.
If you know little a, but you don't know little b
you can't sign.
But if you learn both, you can sign for this, you know,
this summed pubkey.
So this is a way to like share keys.
OK.
Yeah, [INAUDIBLE].
Yeah, like OK.
Well, that's sort of out of order.
Anyway, Schnorr signatures, which
are going to go into Bitcoin probably
not even this year, maybe next year,
and there's a lot of cool things you can do with them.
I think I'm talking about that next week in the term.
Like, that's aggregation, right?
But the basic idea of a Schnorr signature, you've
got a public key that you've already told everyone.
Right, so before anything happens,
you pick a random private key little a, multiply it by G,
and then compute big A and tell that to the world either by
send-- having that as an output address in your Bitcoin script
or publishing it on a website.
You know, somehow, you propagate,
hey, this is my public key.
This is me.
OK, and then when you sign, you come up
with another private key, pretty much
the exact same as little a.
It's going to be called little k.
And then you compute R, which is k times the generator point.
So this R is pretty much the same idea as--
it's another public key, but this will only be used once.
And then to sign, you compute s, which is k, that thing you just
made up, minus the hash of the message the sign
concatenated with R times your private key.
OK, and then the signature is R and s.
And then for someone to verify this,
they know m, right, the message you're trying to sign.
They know your public key, big A. They know R
and s, your signature.
And they try to--
what they do is they just multiply both sides
of this equation by G. Right?
So you can you can do that, same as regular math,
multiply both sides by the same thing.
So they can't verify this because they don't know
little a, they don't know k.
But if you multiply it by G, well then you get s times G
equals k times G minus this hash times a times
G. Well, that is just your public key, right?
This is R. And this, you also know
because they gave you s, so you know
G. That is, you know s times G. So that's how you verify.
And it's-- like, there's all sorts of proofs about why you
can't forge these and stuff like that,
but it sort of makes sense.
Right?
If you're trying to forge a signature, and you say,
hey, I'm going to solve for s.
Right, well, I can't solve for s directly because I don't
know little a, I don't know k.
The problem is, I want to--
OK, I want to solve for one of these things.
I've basically got an equation where
I've got R minus the hash of R, and I can't tear those apart.
Right, like I need--
how do I-- OK, solve for R, but there's
like the hash of R and R on the same side of the equation.
I could try to move this so that,
OK, R equals the hash of R?
Like wait, how am I going to do that?
Right, so anytime you try to solve,
you're going to have an R and a hash of R in the same equation.
And, like, that seems impossible, right?
OK, so this is Schnorr signatures.
It works great.
It's got nice lots of nice properties.
Actually, all of this could work in ECDSA.
It's just that ECDSA is like really ugly and complicated.
But anyway, so what Discreet Log Contracts uses
is a fixed-R signature.
It's the exact same equation, but you sort of
move where R is considered.
So before, you'd say, the public key is A,
and now, my signature is R and s.
Now, we're just going to say, OK, make the public key
A and R, two points, and make the signature just s.
So same equation, everything's the same.
It's just that you generate k at the same time you're
generating A, and publish both A and R as your public key.
Right, no problem.
OK, the problem is you can only sign once.
That's why you don't usually do this.
There's no size difference.
Right, it's like, OK, well, your public key gets twice as big
and your signature gets half as big.
No net gain.
But you can only sign once, and why?
OK, I'm actually-- it looks kind of scary,
but it's actually not too bad.
So the idea is I sign.
I have an A and an R, and those don't change.
Right, so I have a little a and a k, and those don't change.
But I'm signing two different messages.
So the idea is I have signature 1, s1, which
is k minus the hash of message 1 concatenated
to R times my private key.
Signature 2 is k minus the hash of message 2
and R times my private key.
So I publish both of these signatures.
And then someone says, oh, I'm going to subtract these two
signatures from each other.
Right, so s1 minus s2, well, that
would be this top thing minus this thing, which
is k minus the hash of message 1 times a,
minus k plus the hash of message 2 times a.
The k's cancel out.
That's the important part here.
So k's are gone.
Cool, now I've got this s1 minus s2, which I can compute.
Right, s is just a scalar, s1 minus s2
takes like a millionth of a second on my computer to do.
Now, I've got this s-- you know, this thing
I know, s1 minus s2 equals the hash of message
2, R times little a, minus the hash of message 1, R, little a.
I don't know a little a, right, so I can't figure out this.
But I know what's on this side of the equation.
Right?
I know this sort of subtracted s.
What can I do here?
Well, I can factor out a, right, because a is multiplied
on both sides of this.
So now I can factor-- you know, put a little parentheses.
OK, this hash is message 2, R minus the hash of message 1,
R times the private key here.
And now, I can divide.
And well, this is the whole equation, right?
I divide out.
I divide by little a here.
The thing I know divided by a thing I don't know
equals a thing I know.
Right, so I can move things around and say, OK, well
then a is this thing I know, right, the difference
between the two signatures, divided by the difference
between these two hashes.
And those two hashes, also, I know.
Right?
I know what the messages are.
I know what the R value is.
It works.
So the big thing here is if you have the same k
value and the same a value, you can find their private key.
So normally, this is OK because k is different.
Right?
So you'd have k sub 1, k sub 2 here.
And then if you build this equation,
you've got these k's which do not cancel out
because you don't know what they are and you don't get anywhere
with this.
OK, but so if you do use the same k value,
you will lose your private key.
Fun fact, I first learned about this in 2011
from the PlayStation 3 code-signing thing.
And yeah, that was when I--
I think, because I started to get into Bitcoin
and, also, it was like, oh, PlayStation 3 got hacked.
Cool.
So Sony had a k-- like, they probably read up
on how to do this.
And they said, OK, k needs to be random,
so they just made a random number
and hardcoded it as the k that they used.
I don't think they realized that it has to be
random and different each time.
So it was just a single random k.
Yeah, there's other cases of this being a problem.
In bitcoin-blockchain.info, I believe, a couple of years ago,
had something where k was random,
but it was like only four bytes of randomness or something,
and so you'd end up getting some occasional k's that were
the same.
And then you could compute people's private keys.
There's a couple other things like that where if--
you know, so actually in practice, now, you
don't make k randomly in Bitcoin Core,
in most of the Bitcoin libraries.
You make k basically the hash of your private key
and the message so that it changes for each message.
And it's also got like secret information
so no one can figure it out.
That that's called RFC 6979, and it is safer
because you don't keep needing new randomness each time.
Oh, yes?
AUDIENCE: Is this presented for history's sake,
or are people still making this mistake?
TADGE DRYJA: I mean, will people?
Like, people have made it in very recent history.
I wouldn't be surprised if people
continue to make this mistake.
You know, a couple, two, three years ago, Blockchain.info
had this where the k's were the same.
It's not immediately-- you know, you
have to sort of look for it.
But yeah, people still make all sorts of mistakes like this.
There's-- elliptic curves are actually less, I think,
of a minefield then like RSA.
RSA has all sorts of like, I had no idea
that would break the security of the system, but it does.
Like, you know, in an RSA, you've
got p and q, two big prime numbers you
multiply to get your modulus n.
But if p minus 1 or n minus 1 is smooth,
which means has many small factors,
then you can break it and find their private key.
Like, I didn't know that until last year in a class.
I was like, really?
Oh, wow.
So there's all sorts of bad things that can happen.
In elliptic curves, it's kind of nice
in that your random numbers can really just be random numbers.
So it's not too-- it's not as bad.
But you do have to watch out for some of these things.
OK, so this new system, right, if your pubkey is A and R
and a message m, right, you cannot compute s.
So I know they're a public key.
Right, I know R. I know they're probably-- like,
I know this whole thing.
I can't compute s, right, because s
is in terms of k and little a.
I can compute s times G, though, because s times G is in terms
of R and big A, which I know.
Right, so you can't compute little s,
but you can compute s times G. So
s times G is computable for any given message.
So if someone publishes this new type of pubkey, A and R
together, I can say, OK, well, what
will it look like if you sign the message, sunny?
Right, if you just take the word sunny, stick it in here,
concatenate it with the R value you already told me,
hash that, multiply by your pubkey,
and then subtract that from your R value,
I'll get a point on the curve and I can compute that.
And I can compute that for any m I care
to throw into this equation.
So this is kind of neat, right?
I can compute a point on a curve for any message
that you have not yet signed.
And then the signature itself would be s.
This sort of is looking like a key pair, right?
So this is an unknown scalar, right.
I don't know what s is, but I can
compute s times G. This is a public key, private key, right?
This is the exact same setup.
So now we can use this for a third-party oracle
to sign messages.
And then when they sign the message,
they're revealing a private key to a public key
you've already computed.
So when I was making this, I definitely
didn't start with Schnorr signatures and do this.
I had my own crazy scheme, which had
like all these different equations and, like,
R was multiplied by this other hash
and there was all these things.
And then I was talking to people and eventually was like, wait,
you don't need all this.
This is just a Schnorr signature where I already
know the R. So OK, this is much nicer.
I don't have to write this whole crazy proof and stuff.
OK, so we can use this.
And we can use Olivia's signature, s,
as a private key in our transactions.
And we use s times G as a public key.
And then we can also do the fun stuff
where we mix with Alice and Bob's public keys.
Right?
So I can say that Alice's pubkey plus s times G is
the public key for this contract.
And Alice's private key plus s is
going to be the private key for this contract.
So I can say-- what we can do is we can say,
OK, I'm going to compute an address where
it's your pubkey plus the signature
of this oracle signing the word sunny times g,
and that's the pubkey for Alice's sunny pubkey.
Right?
Alice can only spend this if the oracle signs the word sunny
and she has her private key.
If the oracle signs the word rainy,
Alice doesn't know how to-- you know,
doesn't learn the private key.
Any questions about that part?
Make sense?
OK.
So this is kind of cool.
So what you can do, so quick recap Lightning,
you'd use the mechanism where you're adding these keys
to revoke old states, right.
You say, OK, if I give you this key,
you can now spend it immediately.
If I give you this key, you can now spend it immediately.
So we enforce that with the most recent one is the OK one
because if I broadcast on these old ones,
you can immediately get it.
In Discreet Log, I switch it around a bit.
I say, well, you know, it looks like a channel.
We both put money into here.
And then we build three different transactions
all at the same time, before we even do anything.
Before we actually fund this, we build these descendant
transactions.
And the idea is that the public keys in here--
this is Bob's public key, but it's also
got the sum, the sum of Bob's public key
plus the oracle's signature of the word sunny.
So if Bob broadcasts it, and the only way
he can immediately take his funds
is if the oracle assigned the word sunny,
and he knows that s value.
If he broadcasts it and then waits--
right, if he broadcasts it, but it's not actually sunny,
then Alice can take the money after a little while,
right, after a day.
You'd use the same timeout procedure
where, OK if I broadcast this and I know the key,
I immediately sweep it.
If I broadcast it and I don't know the key,
my counterparty can take everything after a day.
So yeah, all states are created at the start.
The validity is determined by the non-interactive oracle
signature.
So the oracle signs cloudy, which is, yeah.
And now, either party can broadcast
the cloudy transaction and then take their money immediately.
If anyone tries to broadcast, so if-- for example,
if Alice tries to broadcast rainy at this point,
the oracle has signed the word cloudy,
they're not going to sign the word rainy.
If they do sign the word rainy, they reveal their private key.
So if Alice broadcasts this, her money's stuck.
She doesn't actually have this key.
And then Bob just waits and then takes all of Alice's money.
So you know, from the network's perspective,
you can broadcast any of these transactions,
but you don't want to.
Because you don't know the key, it's not your funds.
OK, so yeah.
AUDIENCE: So the wait piece, how does
that-- so if in the case where it's cloudy, but Alice
signs the rainy key?
TADGE DRYJA: Alice broadcasts the rainy transaction?
Yeah.
AUDIENCE: Alice broadcasts [INAUDIBLE] transaction,
but doesn't have the proper signature of the oracle.
TADGE DRYJA: Yeah?
Do you just wait because you know?
Then Bob just waits because Alice's money--
yeah Alice, it's sending to Alice's public key
plus the oracle's signature publicly.
And Alice can't sign with that.
Right, she knows her private key,
but she doesn't know the oracle rainy private key.
So she can't sign with this to take the money.
So the money's just stuck here, but it's
got that timeout period, right?
It's--
AUDIENCE: OK, so before, there's no timeout?
TADGE DRYJA: Yeah, so the--
wait, did I have it here?
Yeah, it's the same script, right.
In Lightning, it's PubR or PubT and time, right?
There's a revocable one and a timeout one.
Yeah, so in Lightning, it's the opposite of Lightning.
Right, in Lightning, correct is to use the timeout.
Right, so in Lightning-- whoa.
What just happened?
OK.
In Lightning, I broadcast this.
I have to wait, right?
It's Alice's key that then takes a day, and then I can sweep it.
That's the correct thing that happens.
If I broadcast this, Bob can immediately
take it because I've already given him the private key.
It's the opposite in Discreet Log Contracts,
where if I broadcast the wrong thing, it's just stuck forever.
I'm never going to be able to get it,
and then my counterparty can get it after a day.
If I broadcast the right thing, my counterparty
can still get it after a day.
Right?
So if Alice broadcasts this, Alice
has to immediately spend this because, this Alice 5 Bitcoins
is also Bob's after a day.
So she needs to say, OK, I'm going to broadcast this,
and then immediately sweep the funds
to my own regular address.
So what's nice is that's like a better timing model.
Anyway, so in cases of fraud, the recoverable key
can be used, half the key revealed.
So that's in Lightning, right, and Lightning
broadcasts the most recent.
There is no PubR, right?
No one can sign this because you haven't revealed it.
And then the timing happens and sends.
So you broadcast your most recent state.
You wait a little while, and you don't actually have any rush.
You know you've never given PubR away, so you can just leave it,
and then time elapses.
So maybe the timeout is one day.
You don't have to spend it after that one day.
You can leave it for a week or a month,
and then later spend it because you're
really sure your counterparty is never
going to get this private key.
So that's the way Lightning works.
In Discreet Log Contracts, however, the timeout one
is the incorrect one, when you publish the wrong transaction.
Right, PubR is the oracle's signature
plus your own private key.
And PubT is just the other person gets it after a while.
So you should be able-- you know,
if you publish the right transaction,
you can immediately spend it.
If you publish the wrong transaction,
you'll never be able to spend it and your counterparty will,
tomorrow or next week.
So it's kind of a nicer model, I think,
because, in Lightning, you have to be watching your channels.
In Discreet Log Contract, nothing bad
can happen if you go offline.
So that's really nice, right?
In Lightning, you have to watch for fraud.
Old states could be broadcast and you've got to grab it.
In DLC, sweep it as soon as you want.
It's easier.
You have the software to do both at the same time.
There's no surprises.
So for example, in Lightning, this
is the current state, right?
Alice has nine coins.
Bob can, at any time, broadcast this transaction,
and Alice must respond and say, nope, that's wrong,
I'm taking all these nine coins.
And your software does that automatically, sure, but you
have to be online and you have to be watching the blockchain.
So surprises can happen.
And you know there's software I'm
working on called Watchtowers to anonymously outsource
watching this to other people and things like that.
But it's a downside, right?
Fraud could occur if you're offline.
In Discreet Log Contracts, fraud cannot occur.
Eh, I don't want to say that.
There's all sorts of things the oracle can do that's bad.
But the idea if I go offline--
right, I'm Alice, I enter into this contract about the weather
next week, but then I forget about it
and I just don't even sign into my computer for a month,
there's no risk that the wrong thing will happen,
you know, assuming the oracle is signing correctly.
Bob can't do anything bad, right?
If this is now endorsed by the oracle
as being the correct transaction,
if Bob broadcasts this or this, he can never take those coins.
Right?
It's just indefinitely stuck here.
Alice gets her coins with no restrictions,
and Bob's coins are just stuck there forever.
Right, he'll never learn this the key to sign with this.
And so Alice can come back in a week, come back in a month,
and say, oh, cool.
Bob broadcast the wrong thing, and now I can take these coins
at my leisure.
If Bob broadcasts the right thing
and then immediately takes his coins,
Alice's coins are still there.
Everything's fine.
So this is, I think, a nicer timing model
in that you don't have to be online quickly.
Also, it's nicer in that in Lightning,
if you're being honest and you broadcast
the correct transaction, you have to wait.
That's annoying, right?
The timeout could be a day or a week or something.
And maybe your counterparty-- you
know, if your counterparty's online and co-operative,
you don't have to use this transaction.
You can just say, hey look, I want to close out.
I've got nine.
You've got one.
Let's just build a transaction sending nine to me
and one to you, with no weird scripts or anything.
And then Bob can say, OK, sure, closing the channel.
Here we go.
And we just close it.
But if Bob's offline, which happens, Alice says, shoot,
I have to close this channel.
I want my nine coins.
I broadcast this, closing the channel,
and then I have to wait a few days.
And that's annoying, right?
That's not great.
Whereas, in Discreet Log Contracts, if you're doing
on it, let's say, I'm Alice.
Bob seems to be offline.
I can't contact him.
I'd say, OK, Bob, you're not there.
Fine, well, it was cloudy.
I broadcast this.
I immediately take my five coins.
I don't have to wait at all, and the software
does both of those at the same time.
So this is a nicer timing model than Lighting.
Yeah, no surprises and no waiting.
The only time you have to wait is if the other party--
you know, Alice would have to wait and if Bob broadcasts--
let's say, Bob broadcasts this.
Alice gets one coin immediately and nine coins
after a few days.
So Alice is like, well, I have to wait a little,
but, hey, I get all the money, even though I was only
supposed to get half.
Great.
There are some attacks where, for example,
let's say this was like zero or like 0.001,
like basically nothing, and the actual thing that
happened was it was raining.
And Bob's like, shoot, I got nothing.
right?
Fine, I'm just going to sign this.
You know-- sorry--
I'm just going to broadcast this,
where I get all the money.
I don't actually get all the money, right?
Alice is going to take this after a day.
But basically, I lost everything anyways, so fine.
Well, so that is an attack where if there's
almost no money on one side, Bob can be a jerk and say well
I'm going to broadcast the invalid transaction just
to prevent my counterparty from getting her money immediately.
She gets it all, but maybe all is
pretty close to what she would have gotten anyway,
so Bob has no real loss and Alice has no real gain there.
And then Alice has to waste some time waiting.
So that's an attack.
The easiest way to sort of mitigate
that is to have this kind of construction where it's like,
well, Bob still got one.
Even when Bob loses, he still gets one coin back.
Right, there's extra collateral in the contract.
And then he doesn't want to broadcast the wrong thing
to be a jerk.
Yes?
AUDIENCE: So if someone broadcasts a wrong--
the wrong transaction, the correct--
if he broadcasts the correct transaction, it doesn't matter?
TADGE DRYJA: If-- well, from the network's perspective,
right, so if I'm a miner looking at the Bitcoin network,
I have no idea what these things mean.
Right, it just says, you know, key one coin.
Other key, nine coins.
You know, I just see two different transactions
spending the same output.
So if you see Bob broadcast this transaction,
you actually do not want to broadcast this, probably,
because you'd rather have all the money instead of half,
even if it takes you some time.
But if you have-- you're saying, OK, I'm Alice.
I broadcast this, and then Bob broadcasts this right
after, you're like, oh shoot, that's a much
better transaction.
I would, you know, but you don't know
which is going to get in because the miners have no idea what's
going on.
AUDIENCE: It means [INAUDIBLE] going
to be that you get your money?
TADGE DRYJA: What, sorry?
AUDIENCE: It would be in the other case
where you used the attack you just
talked about, where people are broadcasting,
you get the money from it?
TADGE DRYJA: Oh, yeah.
Yeah, so if you see that Bob is being-- the actual outcome was
it was rainy.
Bob sees this, and has very little money at stake,
so Bob says, fine.
You know what?
Screw it.
I'm going to broadcast this just so Alice
gets her 0.001 right away, but has to wait
a long time for the 9.99.
Then Alice could say, uh uh uh.
I'm broadcasting this, and then immediately
try to spend it with a high fee.
You could do that.
AUDIENCE: If I were--
TADGE DRYJA: Yes?
AUDIENCE: --to be Alice, and it's cloudy,
then I would want to just wait, in case Bob made a mistake?
TADGE DRYJA: You could.
Yeah, you could hope that you're--
yeah.
So there's no rush, right?
The oracle signs it was cloudy.
You've both got those private keys.
You can just wait.
You know, there's no need to immediately broadcast it.
And once you broadcast this, you do
need to immediately spend the part that's
going to you because that also has
the clause that it can go to the other guy in a week, or a day.
So but, yeah, and you can just leave it here.
You could just leave it.
Don't broadcast anything.
And you're like, well, maybe he'll
screw up and broadcast the wrong thing
and then I'll get all the money.
It's probably not going to happen, but--
AUDIENCE: The oracle never--
so the oracle just goes quiet?
TADGE DRYJA: Ah, yeah.
So if the oracle--
there's all sorts of things the oracle can do that's bad.
So if the oracle never signs, none of these
will ever be valid, right?
So you should-- what the contract should have is
a timeout where if--
you know, so if we're betting on the price--
so we're betting on the weather tomorrow,
we can say, OK, well, by Monday, if the oracle
hasn't signed anything, we've got a time-locked transaction
that just gives us both back five coins.
Or, you know, it's a wash trade.
But, yeah, that can happen.
AUDIENCE: Set it to destroy the oracle.
TADGE DRYJA: Yeah, so hopefully the oracle doesn't do that.
OK.
But that's like, it's not the end of the world.
It's like, OK, the oracle's not there,
so we don't know how to execute this trade--
you know, this bet, so we just get our money back.
It didn't work, and we wasted time.
Oh, OK, so some scalability fun stuff.
You can do Discreet Log Contracts within a channel.
So let's say you've got a Lightning channel,
and if you want to cooperate-- if both parties cooperate,
no transactions get broadcast to the blockchain at all.
This is kind of cool.
OK so you've got these nested contracts.
So this is a Lightning channel, right?
And it's Alice has 10 coins, Bob has 20 coins,
and they've been making lots of different transactions.
This is, let's say, the 30th, 35th state of the transaction.
There's all sorts of transactions before this.
but they've all been revoked by sharing private keys.
And then you say, OK, well Alice has 10 coins, Bob has 20 coins.
Let's build a contract.
So we both decrement our balances by five,
and then we create a third output.
So this is a--
it's sort of like having an HTLC where you've got--
you know, as this-- sorry, these arrows don't really
line up the right way.
But you've got one transaction with three outputs.
Alice gets five coins.
Bob gets 15 coins.
And a new two of two multisig gets 10 coins.
From that, you build two different--
I should make colors or something.
Yeah, these are two different transactions.
This is all one transaction, sorry.
So from there, you say, OK, we're
going to build a Discreet Log Contract that's
an output in the channel.
And we don't-- you know, if we want to, we can broadcast
the whole thing.
Any of us at any time can say, OK,
I'm broadcasting this current state of the channel, which
is Alice five, Bob 15, Alice and Bob 10.
And then I have these transactions as well,
and I can broadcast either of those.
So if your counterparty becomes unresponsive,
you close the channel and close the contract.
But if the counterparty is cooperative,
then the oracle signs, OK, it was rainy.
This now becomes valid.
Both parties agree, yeah, Alice won nine coins.
Bob can be a jerk and just be unresponsive,
and then Alice is like, all right, fine.
Close the channel.
Spend-- you know, broadcast this transaction,
broadcast this transaction, take the nine coins.
Alice has to do three transactions in a row
to do that.
But if there's nine coins, you know, that's totally doable,
right?
You know, this to close, this to finalize the contract, and then
this the sweep the money to herself before Bob
tries to get it.
But if Bob's cooperative and says,
OK, yeah, you won this bet and, also, we
keep doing these contracts, we keep betting with each other,
this is the only valid one.
The other one I'm not going to broadcast.
I'll never get the money.
And then we say, well, Alice got nine.
Alice got plus nine.
Bob got plus one.
We just make a new state of the channel.
Right, so this was the old state, five, 15, 10.
We went up a level, and now the new state is Alice gets 14,
Bob gets 16, and then we revoke the old state.
So the contract was built. You know, all the different terms
of the contract were built. One of them
became known to be valid, and then
they basically deleted the whole thing
and they never touched the blockchain.
Right, they saw this was all descendent transactions
within a Lightning channel.
And now, we've got our new balances.
So we can keep doing this.
We can have like five of these at the same time
and then keep sequentially making all these contracts.
What's nice about this is no one ever sees anything.
Right, Alice and Bob know that they
were betting on the weather.
Nobody else can see that they were
making a bet at all, right?
There's no transaction that goes onto the blockchain.
In the worst-case scenario, a transaction
does go onto the blockchain.
And if you see this get broadcast,
the thing is, it's still not clear that it was a contract.
It could be a channel within a channel,
and there's reasons to do that.
You could say, OK, this is our cold channel
that we keep all the keys offline
and this is our hot channel that we
keep transacting very quickly.
And we can do some things like that,
so there's reasons to do this.
But the scripts themselves, if you broadcast the transaction,
look exactly the same as Lightning.
It's just key A and time or key B. So this is kind of cool,
I think.
OK, other-- oh yeah, I have [INAUDIBLE] Other cool things
you can do, you can split the R value
into an exponent and a mantissa.
So it's hard to explain.
OK, so let's say I did the example
with like sunny and rainy, right, but, in practice,
I think people are going to use this
for futures contracts, where there's
a bunch of different prices.
So you could say, OK, the price we'll
put the price on this axis.
Price is $1, $2, $3, $4, $5, for example.
And then Alice gets money here.
Bob gets money here.
And it can be like that, or something where at $1
Alice gets all the money; at $2, Alice gets most of it; at $3,
Bob gets most of it-- or half and half, things like that.
What might happen is that there's
like knock-in and knock-out, where if the price is $6 or $7
or something really high, well, all the money goes to Bob.
That's just how it is.
And like, you're not even sure the order of magnitude,
so it might actually go $1 and then $10.
Like, there might-- how do I do this?
There might be like orders of magnitude
where, OK, the current price of something we're betting on
is $20.
Right, so we actually only care about the range
from $10 to $30.
We only care about-- and then, like $20, it's Alice
and Bob get 50-50.
We might not care about what happens if it's $0.01
or what happens if it goes to $5,000.
We'll don't care.
Or we care, you know, but the thing is
if it goes to $30 or $5,000, the same outcome happens.
So what we can do is we can say, OK,
instead of just using one R value where the oracle signs
the price and we have to compute messages for all
the different prices and compute s times G for all
the different prices, they can say,
OK, well, we've got R exponent and R mantissa.
And mantissa is a weird word for the thing that's
behind the decimal point.
So then I can-- so exponent, you can
you say, OK, well, it's either 10 to the one or 10
to the two or 10 to the three or 10 to the four,
and I'm going to have an R value for that,
and I'm going to produce an s times G for that.
And then the mantissa could be like one, two, three, four,
da da da to nine, something simple like that.
So in some cases--
so, for example, in the case of 10 to the two,
10 to the three, 10 to the four--
we don't care about the mantissa.
Right?
If the exponent is 10 to the two, three, or four,
then Bob gets all the money, right away.
And if the exponent is 10 to the zero,
then Alice gets all the money.
We don't have to involve the mantissa at all.
But if the exponent is 10 to the one, then we actually care,
and we can just add the point.
So we say, OK, sG equals R 10 to the one minus the hash times A.
And then this is sG exponent.
And then, sG mantissa is R3 minus the hash times A.
And then we can just add these two points,
so we say sG exponent plus sG mantissa
equals the contract sG contract, and that's
what we put in our contract for the keys.
That way, we need the oracle to sign that the exponent is
10 to the one, and the number, you know, the base is three.
OK, it was $30.
So that way, it's a little extra data for the oracle to sign,
but pretty small, right, an extra 32 bytes.
And then we can potentially save on a lot
of these extra transactions out in areas that all end up being
the same result to us.
Any questions about that?
Does that sort of makes sense?
It's an optimization.
Right?
You don't have to do it, but it can lead to a lot less data.
Yeah?
AUDIENCE: So for the mantissa, the 1, 2, 3, 4?
TADGE DRYJA: Yeah?
AUDIENCE: Does that come from a specific decimal place?
TADGE DRYJA: Yeah.
Well, it's-- the idea is the actual number is going to be R
mantissa times Rx, you know, or 10 to the Rx, right?
So the actual-- so if the number was 20,
you say, OK, 10 to the one.
R exponent's 10 to the one.
R mantissa is two.
If the number was 5,000, you say, OK, 10 to the three, five.
And then you just release both of these.
And they're independent, so that the two users
can use them independently.
And the most likely case is we don't care about the mantissa,
we only care about the exponent.
So we're only-- some of our bets only deal with the magnitude
of the price.
You could also do bets where you're only
dealing with the mantissa, but that seems kind of silly,
where it's like, I don't care if it's $2 or $20 or $200.
But anyway, if the first digit of the price starts with two,
you know, is two, I win.
You could do that, but probably not as useful.
But yeah, and then in the extreme case,
the extreme version of this would
be to have bind-- you know, decompose
the number being signed into binary,
and then find every bit.
And then there's only two signatures
possible for every bit, and then the users
can sort of combine these things in any way they want.
More signature data, but it gives the users
a lot of flexibility.
OK.
multi-oracle, another thing you can do.
So the problem is, how trustworthy
is this are these oracles?
The oracles can cheat, right.
They can just easily sign that it's rainy when it's sunny.
That's publicly knowable, and if they have a reputation,
that hopefully hurts them.
But you are trusting the oracle to sign the right thing.
So maybe they want to use two oracles.
So that's totally doable.
Right, you have the oracle, the a oracle and the b oracle,
and you just add the two points that you come up with.
And then when they both release their s values,
you add those two s points, and you'll
get the private key, totally easy.
For n of m, there's no size increase.
Right?
You just-- you can pick 10 oracles,
add up all those things.
No one can tell.
And your transactions are still really small.
For n of m, it--
or usually, it's called m of n, huh?
Well, anyway, there's a size blow up
because you're going to say, OK, well, I want two of three,
and I have to make new transactions for all
these different combinations.
And so you end up having a lot of transactions.
For small things, like sunny or rainy, it's totally doable.
For things like where you're already hitting up
against limits where, oh, we have
to sign thousands of transactions
for all the possible different prices,
then this can get very costly.
Another downside to this is if they signed different things,
you get stuck.
Right?
So if we say, OK, we're going to use Thomson Reuters oracle
and Bloomberg oracle and we're going
to use their price of oil, and then one of them signs,
oh, it's $50.03 and the other signs that it's $50.
05, shoot.
We can't-- you know, we just used the same value for all
these sG points to build all the combined points.
Now, we don't have a match, so we cannot build the point--
the private key that we're looking for.
So this contract either reverts.
So that's another reason why you might
want to decompose it this way.
You could have a construction where you say,
OK, we're using Bloomberg and Thomson Reuters,
but for Thomson Reuters we're only using the exponent
and for Bloomberg we're using both.
So the idea is if there's a case where the exponent is
different between Bloomberg and Thomson Reuters,
our contract fails.
But if the case is their exponent is the same,
then we just go with the actual precise price from Bloomberg.
So in case Thomson Reuters gets hacked and they say,
oh, the price of oil is $50 million a barrel
and that could cause contracts to go the wrong way,
then that's sort of a safety catch on there.
So there's all sorts of things you can do like that.
I don't know how this will actually work out.
Will there be lots of different oracles?
My guess is no.
You kind of want them to be reputable.
And you can't really make money doing it.
And it's really scalable and cheap to be an oracle because,
like, all you're doing is signing things.
So it feels like the kind of thing
that once you have a-- you know, once you get some momentum,
you're just going to be this monopoly
and everyone's going to use the same oracle.
But who knows?
Yeah, oracle problems, so yeah, oracles can lie.
They can also-- they can they can equivocate.
Right, they can sign two different things,
but then they reveal their private key.
So you might want them to post coins
on the blockchain with their A, you know,
that's got their regular public key A, so that if they ever
do sign two of the same message, then they lose their money
and everyone can try to grab it.
Yeah, what are the other things?
Oh, I was going to talk about novation.
We have time.
Yeah, so another thing that people
like to do with these types of contracts
is enter into contracts and then sort of sell their position
in the contract.
So for example, if we were in a contract about the weather,
and I look outside, I'm like, oh, it's
definitely going to be rainy, so the oracle
is going to sign about the weather as of noon.
I'm like, it's 11 o'clock.
It's going to be rainy.
I want to sort of lock in my profit.
And it's not exactly sure yet, so there may still
be some value to the sunny position,
but it's looking pretty grim for the sunny position.
I might just contact my counterparty
and say, hey, let's close early.
Right?
I don't need the entire profit, but give me
90% of it because it's, you know, pretty rainy.
And they might agree to do that, but a better way to do it
would be to say, I'm going to let
someone else take my position.
So for example, if you have--
so if you've got like Alice and Bob are in a contract.
And then there's like Alice gets nine, Bob gets one for sun.
And then Alice gets one, Bob gets nine for rain.
And then they say, OK, let's just do it early.
Bob might not be cooperative.
Alice wants to say, let's just get out of it right now,
at some, at one of--
you know, a little bit less than this.
Bob says, no, I want to keep holding it through.
What Alice wants to do is say, look,
I'm going to replace myself with Carol.
Alice finds some other person, Carol, to now
have a Carol-Bob transaction where
it's the same exact contract.
So it'd be Carol nine, Bob one and Carol one,
Bob nine for sun and rain.
So what's nice about this is, from Bob's perspective,
nothing changes except the counterparty's public key,
which Bob doesn't care about.
Right?
So Alice can say, hey, Bob let's switch this transaction.
You have the same exact payout based
on the same exact signatures from the oracle,
so it's no change to you.
It's just that my public key is going
to change because it's actually going to be someone else.
And then Bob-- that way, Bob's software
can automatically do it.
This is still interactive in that Bob's keys have to sign.
Right, Bob needs to make a new signature spending from here
to go into this new two of two output, so that's new.
So their computer has to be on and they have to sign,
but you can make the computer software do it automatically
because there's no user interaction needed
in that it's like, hey, your position didn't change.
And then probably put in something
where Alice pays Bob a little extra, right.
Alice gives Bob a dollar or two to incentivize him to leave
his computer on to collect fee.
You know, essentially, it's like,
oh, if I leave my computer on and my counterparty wants
to novate and switch with someone else,
I might make a buck.
And my position doesn't change, so cool.
So that is doable.
I do not look forward to programming
that because that now has three different computers talking
to each other and they all have to do messages
in the right sequence and stuff, and that's not the most fun
part of programming.
But yeah, so anyway, so that's the idea of this.
What are some use cases?
I can think of some, but there's all sorts of other ideas.
I think it can be pretty useful.
You could do currency futures.
So I think one of the biggest would be dollar futures.
So right now, in CME, I think, or CBOT or one
of those Chicago kind of places, or both of them,
you can do Bitcoin futures which are
dollar-settled Bitcoin futures.
Right, so you get a bunch of dollars
based on the price of Bitcoin.
Yeah, so you can say, I want 10 Bitcoins
for delivery on next week.
And then you don't get the 10 Bitcoins,
but you get however many dollars those 10
Bitcoins are worth based on some exchange price
that they agree on.
You know, we're going to use the average
of these different exchanges and stuff.
With DLC, you could do sort of the inverse of that, where
I have Bitcoins I entered into a contract
where I have dollars being delivered--
or, sorry, I have Bitcoins, you know,
the dollar value being delivered.
So the idea is I have $10,000 worth of Bitcoin being
delivered to me on Friday, so if the price of Bitcoin goes up,
I get fewer of them.
If the price of Bitcoins goes down I get more of them
such that the amount of Bitcoin I receive on Friday
has a value of $10,000.
And that's a pretty straightforward Discreet Log
Contract ability, right?
You just need to know the price of a--
it actually ends up being a lot easier
to think of Bitcoin as the main currency
and then dollars as the asset being traded.
So you sort of want to know the price of a dollar in Bitcoins,
or how many Satoshi is a dollar's worth,
and then you build your contract from there.
And so if the price of a dollar goes up,
you get more of these things.
So one side will say, OK, I've got $10,000 worth of Bitcoin
coming on Friday.
The other side basically says, I get whatever's
left in this contract.
And that other side is essentially
like a more volatile Bitcoin.
So if the price of bitcoin goes up, great.
Also, you get more of them.
And if the price of Bitcoin goes down,
you're really screwed because your Bitcoin's worth less
and you lose most of them.
But I feel like people will want to do that.
Like there will be people who are
like, cool, double-volatile Bitcoin.
You know, where do I sign up?
And there's also going to be people
who are like, I think Bitcoin is cool,
but I want to anonymously and trustless--
trustless, except for the oracle--
you know, not so trustfully short it.
Right, I want to say, OK, I'm not--
I sort of don't have a Bitcoin position anymore.
However, it's not the same in that you don't
know who your counterparty is.
It's fully collateralized at the outset,
so if the price of-- you know, if both parties put in 10-- you
know, both parties put in 10 coins,
20 Bitcoins is all that's ever coming out of this contract.
Right?
You can't say, hey, I want to do like a margin call.
You need to put like 40 more coins in this contract
because the price went down.
Your counterparty just will say, no, I'm not.
So there's sort of bounded loss and gain
for both parties at the outset.
Also, because you have no idea who your counterparty is,
right, you can do this totally anonymously.
It's-- I don't want to say it's trustless,
because you are trusting the oracle to report the correct
price, but your counterparty, you don't trust at all.
Right?
You have no idea who they are.
You assume everything they're telling you is a lie,
you know, like they're trying to hack you, stuff like that.
So I think currency futures would be a big one, where
people can then buy and sell.
Stocks might be a big one.
There's a lot of issues there with insider trading
because if you can, now, anonymously
trade stock futures, I don't know,
that's probably something people might
want to do who shouldn't be doing it.
But it's hard to enforce because these oracles have
no idea that anyone is actually making contracts.
And if you look on the blockchain,
you never see the contracts.
Or you might sort of be like, well,
is this a Lightning Network channel that closed or is this
a Discreet Log Contract that just executed?
It just looks like keys.
You can't-- oh, that's an important part.
Given, even if you're the oracle and you know what you signed,
the fact that you're adding these two points
means that unless you knew the original Alice key,
you wouldn't be able to tell, oh,
that's Alice's key plus my key.
Right, because you don't know what Alice's key was.
It never existed independently.
Or, oh, Alice and Bob knew it, but you didn't as the oracle.
And so no one will-- the oracles won't
know what contracts are being executed, even after the fact.
You can, however, prove that you used--
you know, if you want to.
If you're Alice, you can say, hey, this was my contract.
I can show you all the terms.
And you can prove it by signing a message with the Alice
private key and then also showing that it's, you know,
this is my public key and I added it to the oracle's thing.
Yeah commodities, sports, there's all sorts of fun things
you can do with it.
It's pretty general, conditional payments
based on any number or element from a predetermined set.
Cool, so any questions about this?
Yes?
AUDIENCE: So, if the public policymakers wanted to see
this, they absolutely couldn't?
It is [INAUDIBLE] encrypted?
TADGE DRYJA: You could talk to the oracles
because they'll probably be publicly-known entities.
And so you could say, hey, oracles, don't sign--
don't sign messages.
I mean, yeah, but the actual counterparties A and B,
if it's like OTC, if it's just Alice and Bob
sort of talking to each other, hey, let's build this contract.
We both trust Bloomberg.
Their prices are correct.
It's-- you can't see that this happened at all.
AUDIENCE: Does Bloomberg have to be complicit [INAUDIBLE]??
TADGE DRYJA: Bloomberg has to--
so some oracle, someone, somewhere,
has to be saying, look, I'm going to sign the price of oil.
That's it.
AUDIENCE: Even if they disagree to, right?
TADGE DRYJA: Oh, yeah.
Yeah.
So well, so yeah, most of these transactions never happen.
If Alice and Bob see that the oracle signed,
they don't have to actually broadcast it.
But they do need the oracle's public key, first,
to build the contract.
So as you could try to regulate public oracles,
but that seems like--
AUDIENCE: Assume Bloomberg's bringing in, assume that--
TADGE DRYJA: Yeah, yeah.
But, so the question is--
AUDIENCE: --they have somebody sitting
in the Cayman Islands who's got a software program that
grabs the Bloomberg fee?
TADGE DRYJA: Yeah.
The issue there is the signatures
are sort of usable by anyone.
You could say, OK, well, Bloomberg charges money
to provide these signatures and these public keys.
But if those get out, everyone knows, oh, these
are Bloomberg signatures.
You know, these are--
this is the Bloomberg data.
We can now execute trades using this data.
And we do have-- so this eliminates
the trust between counterparties,
but doesn't eliminate the oracle trust.
But the thing is, the oracle trust
is sort of the easy problem.
Right?
There's not too many cases of--
you know, if you have some OTC contracts and you say,
oh, we're using the price according to Bloomberg
or the price according to the Wall Street Journal
or whatever, generally that works.
So yeah, so what you can do is, I think the place
that people will try to regulate is the matchmaking area where,
if it's OTC, and Alice just calls up
Bob and Alice is in the Cayman Islands
and Bob is in British Virgin Islands,
or whatever-- are those the same thing?
I don't know.
They say, hey, I want to short oil.
Oh, I want to go long oil.
OK, and we just build our contract between our two
computers, and Bloomberg has no idea we're doing this.
No one else in the world has any idea we're doing this,
and we have this smart contract.
But in most cases, people will not
know who they're wanting to trade with, right?
They want some kind of exchange where we can meet and say, hey,
I want to short Bitcoin.
You know, I want dollars.
And someone says, oh, cool I want double-volatile Bitcoin.
Let's meet, and let's make this a contract.
Those exchanges will probably be more regulated, I guess.
You could sort of say, hey, we need
you to KYC all your exchange participants.
But even then, like if you wanted,
so similar to Altcoin's stuff now, you could say,
I'm operating an exchange out of wherever.
And you can't operate an oracle out of wherever, really,
because people won't trust it.
But you could say, I'm operating an exchange out of Hong Kong.
We don't KYC anyone.
Maybe we'll get shut down in a year.
But anyway, you can use the Bloomberg data feed
and enter into these contracts.
So yeah, it makes enforcement hard.
Yes?
AUDIENCE: It strikes me that the hole
here, from the public policy side,
is that even oracles are semi-regulated,
and there's been tons of fraud in oracles
for hundreds of years.
TADGE DRYJA: Really?
AUDIENCE: Oh, and massive.
TADGE DRYJA: But they seem so useful.
AUDIENCE: You trust too much.
TADGE DRYJA: So people--
AUDIENCE: And you're a Bitcoin Core developer.
TADGE DRYJA: Yeah, I just figured
that the financial system figured that out,
so it's whatever.
No.
AUDIENCE: Yeah, sure.
Wicked loads of fraud lots of years.
I used to run the Commodity Futures Trading Commission,
so we did gold, currency, interest rates.
TADGE DRYJA: So there, was it that the spot market
itself was being manipulated?
Or the spot market says the price price is $50,
the oracle says it's $80?
AUDIENCE: we would take what the oracle was
publishing only because you're long or short a position.
TADGE DRYJA: But then, wouldn't you just sort
of sue people and say, hey, look this oracle was wrong,
like obviously the spot price was this?
It's not as--
AUDIENCE: We could [INAUDIBLE].
It's often hard to say what is this spot price.
TADGE DRYJA: Right.
AUDIENCE: And sometimes, you come in at different places.
Besides, it seems like the holes,
the holes here, is not so much around the oracles, which there
could be big holes like, somebody could just
become an aggregator of the oracles
because the CMA takes four prices,
but somebody sitting in the Cayman Islands
could say we're going to just take the same four prices right
[INAUDIBLE].
And being crypto, settle.
If it's fiat, settle.
Just travel more ways to get into the on-ramps and off-ramps
to the banking system.
But and that's why you're seeing a lot of exchanges having
a hard time getting, basically, deposit accounts in banks
because the banking regulators around the globe
are trying to regulate on-ramps and off-ramps,
but it's harder for crypto and crypto exchange.
TADGE DRYJA: Yeah, crypto crypto, start a computer.
Yeah, you've got it.
You don't have to ask.
Yeah.
AUDIENCE: And you could have it, and you know,
so over-the-counter Cayman Islands aggregator oracles,
and somebody could do single-stock futures that are
banned in this country, so--
TADGE DRYJA: Really?
AUDIENCE: Single-stock futures.
TADGE DRYJA: Well, options aren't, right?
AUDIENCE: Options aren't.
TADGE DRYJA: So, oh, I didn't say,
you want to make options contracts with this,
you just don't give the data to one side.
It's basically the same construction, but like, now,
Alice has the option to broadcast the transaction
and Bob doesn't.
But so you can make options with this--
or futures, I mean.
AUDIENCE: But you're not trying to subvert public policy norms.
This could be a gray technology, or do you
think that is useful for subverting public policy norms?
[LAUGHTER]
TADGE DRYJA: I think it has both use cases.
One of the big ones will be sort of similar to Bitcoin, where
it's like, hey, I can do these things that maybe I'm not--
you know, people don't want me to do.
And in some cases, the don't want
me to do is just like scale in terms of like,
OK, I'm some guy in Thailand, and I want to go long Apple.
And probably, you can legally do that.
But if you've got like a couple hundred bucks
and you're in some random country
and you want to go long, some US equity,
that's not really feasible.
Right?
Maybe you can open accounts.
Maybe you can try to open a foreign account.
Like it's-- there's a lot of friction.
And so with this kind of thing, it's
like, hey, we've got a Bitcoin.
I trust this price oracle.
OK, I'll do it with like a couple hundred
bucks worth of bitcoin.
That said, there's also cases where it's like, OK,
I work at Foxconn in Shenzhen and I
think the Apple iPhone 11 is not going
be any good, so I'm going to short Apple
using this kind of technology.
So there will be good and bad things.
You could also-- it could also be useful in cases between
actual regular legal Wall-Streety kind of people,
maybe not-- where--
then again, it's good where you've
got like not a lot of trust between your counterparties,
but you do trust some kind of oracle feed.
And the other thing is-- like, I have talked
to this sort of Wall-Streety people,
and they don't really like it because they're like, wait,
there's no leverage.
Right?
You have to put all the money you're going
to get in at the beginning.
And they always want to have it like super-leveraged.
You can crank up the slope.
So you can say, OK, we both put 10 Bitcoins in,
but a small difference in price, right,
so like a 5% movement in a price will
like make all the money go to one side or the other,
so we hit the knock-in and knock-out really soon.
So you can do that, which is kind of like leverage.
But fundamentally, it's only the Bitcoins that
go into the contract come out.
So yeah, I don't know how this will be regulated.
I'm working-- there's a company in Japan who's
interested in building this technology.
There's like-- it's a brokerage that's making this stuff.
I'm working on it with some other people.
We'll see.
I don't know how it will be.
Maybe people won't like it.
It's-- yeah.
AUDIENCE: I mean, it seems to me like that's
one of the big things that Bitcoin's missing.
So if the financial system is for distributing
risk and [INAUDIBLE] the risk, right now,
I don't really do that with Bitcoin.
It's kind of just a transactions channel.
TADGE DRYJA: Yeah.
AUDIENCE: So this--
TADGE DRYJA: I think it'll be cool.
AUDIENCE: --be logically, kind of the next step.
TADGE DRYJA: Yeah, oh I think this'll be cool.
I think people would use it.
I just, you know, it's a lot of work to program
and I don't, yeah, have enough time.
But there's other people starting to get--
I don't know, it's weird.
It's sort of like Lightning was like three years ago,
and some people were like, oh, cool.
And then eventually, people were like,
oh, this is a really big deal, and let's all work on it.
And it might be the same with this,
where like no one really cares and then, eventually, people
will be like, oh, hey we should build this and use it and start
companies and things like that.
So hopefully, people will get into it.
I think it's a pretty nice construction
for these kinds of things.
It competes-- there's things like Augur, which is--
I don't think is the best idea.
It, like the Augur, the idea is the oracle is sort of everyone,
and like everyone votes on what these outcomes
for different things were.
But yeah, I don't know.
I don't know how far along they are in terms of their software.
But that was also like two or three years ago.
And this could be applied more broadly,
like where anytime you have Ethereum-type smart contracts
or something where you want some external oracle who
then can sign things.
And then you can use it in a way where the oracle's signature
doesn't show up after the fact.
So anyway, any questions?
Sounds good?