  • The following content is provided under a Creative

  • Commons license.

  • Your support will help MIT OpenCourseWare

  • continue to offer high quality educational resources for free.

  • To make a donation or to view additional materials

  • from hundreds of MIT courses, visit MIT OpenCourseWare

  • at ocw.mit.edu.

  • TADGE DRYJA: OK.

  • So today, Discreet Log Contracts which is very linked

  • to Lightning Networks.

  • So if you didn't get the last two lectures,

  • this might not make that much sense.

  • So I hope-- but I think everyone here is like up

  • to date on these things.

  • So today, I'm going to talk about Discreet Log Contracts,

  • which is a paper I wrote last summer,

  • but it's evolved out of Lightning Network.

  • And I'll try to sort of explain how it--

  • hopefully, you'll see the connections and how you

  • can get from one to the other.

  • We'll talk about oracles, talk about anticipated signatures,

  • which has some fun math things, and talk

  • about building the Discreet Log Contracts themselves

  • and how that'll work.

  • OK, so conditional payments, I guess

  • you could call this smart contracts.

  • Smart contracts is a pretty vague term,

  • and it's used a lot in this sort of Bitcoin, blockchain,

  • Ethereum world.

  • And usually, it's pretty--

  • like, a lot of times, they use it as a buzzword

  • and it's like, oh, I'll put my land title in a smart contract

  • and then I can buy a house.

  • And a lot of times, it's used in ways

  • that make it seem as though you don't need a government anymore

  • or a judicial system anymore to enforce these contracts.

  • And in the case of something like Discreet Log Contracts,

  • that's kind of true.

  • Because what Bitcoin did and what

  • made people pretty impressed was that, hey,

  • you don't need a government to enforce

  • the scarcity of the currency that's being created.

  • So that's kind of cool.

  • But it doesn't mean that you can now use blockchain technology

  • to not need a government to enforce, say, rights

  • to property.

  • If you say, hey, this is my land and I've

  • got a smart contract that says my land is-- you know,

  • this is my land on the blockchain,

  • and then an army comes and says, well, we're taking your farm,

  • and you're like, no, it's on the blockchain,

  • and they don't really care.

  • So it's hard-- like, another way to think

  • about it is the only thing the Bitcoin network can do

  • is move Bitcoin, and the only thing

  • the Ethereum network can do is move Ethereum, to some extent.

  • It doesn't extend out to like, you know,

  • autonomous drones to shoot you if you trespass

  • or anything like that yet.

  • OK, so the simplest and, I think,

  • most straightforward and maybe the most useful type

  • of smart contract is a conditional payment where

  • it's basically, I'm going to pay you

  • based on some external data.

  • So I'm going to use the example of Alice and Bob

  • betting on tomorrow's weather.

  • If it rains, Alice gets a coin.

  • If it's sunny, Bob gets a coin.

  • And we need some kind of way to get this data, right.

  • OP_WEATHER is not in Bitcoin.

  • And I think, yeah, bet is a word that--

  • it's weird.

  • Like, when I'll meet with fancy rich people,

  • like who are in companies that come to the Media Lab--

  • no, I still use the word bet.

  • Like, to me, everything's a bet, right?

  • Insurance is a bet.

  • Like, if I buy car insurance, I'm betting GEICO or whatever.

  • Bet I'm going to crash my car.

  • And they're like, I bet you won't.

  • And then if I crash my car, they're like, aw, shoot,

  • and then they give you the money.

  • And if I get health insurance, I'm like,

  • I bet I'm going to get cancer.

  • And then they're like, bet you won't.

  • And then if I get cancer, I win and I

  • get a whole bunch of money.

  • Right.

  • Well, so they're offset by the fact

  • that you don't actually want to get cancer

  • and you don't want to crash your car.

  • And so the fact that you're betting that you will do it

  • means that, in the case that something bad happens,

  • you get a bunch of money to defer this cost.

  • But fundamentally, from the insurance company's perspective

  • and your perspective in this insurance contract,

  • it's a bet about whether you're going to do this or not.

  • And like almost all the financial contracts,

  • you can look at as bets, like derivatives and futures

  • and all those kinds of things.

  • OK, so to keep it simple for the example,

  • there's a very limited set of outcomes.

  • Right?

  • It's either rainy or sunny tomorrow,

  • and we don't know that it's going to-- what the weather is

  • going to be tomorrow yet, and we're going to bet the coin.

  • OK.

  • So yeah, we need oracles.

  • And I would argue that the Lightning Network

  • script is essentially a smart contract, right,

  • the this key now or this other key later.

  • In Lightning, however, we don't have external state.

  • Right?

  • There's no need to query a third party.

  • There's no need to query the outside world.

  • And all the data that is used in the channel

  • is generated by the participants of the channel themselves.

  • Right?

  • They're making up random keys, throwing them-- you know,

  • sending them to each other just so that they can negotiate over

  • the balances in that channel.

  • That said, they're probably exchanging something outside

  • of the scope of the system.

  • Right?

  • They're probably trading, you know,

  • I'll give you a little bit of Bitcoin for some cookies,

  • or something like that, and there's

  • some delivery of goods or services that's not in Bitcoin.

  • But for the state itself, it's all internal.

  • If we want external state, we need

  • some way to get that external state into our system.

  • Usually, this is called an oracle.

  • OK, so the simplest oracle would be two of three multisig,

  • and there are places that do this.

  • And it's not-- I don't want to say it's like a stupid idea.

  • It's actually quite powerful.

  • And Bitcoin enables it in ways that you couldn't necessarily

  • do before, but there's problems with it.

  • OK, so if you just say two of two multisig,

  • where Alice and Bob both put coins into a two--

  • you know, into a channel-like structure

  • where they both need to sign, and then

  • they can say, OK, well, at the end of the end of tomorrow,

  • whether it's sunny or rainy, we distribute the coins.

  • The problem is, it gets stuck if they disagree.

  • Right?

  • Also, rich players are at an advantage.

  • They can say, well, I think I'm right.

  • I'm fine not signing to get these coins out.

  • It works great with friends, sort

  • of gentlemen's agreement, ladies' agreement, or shake

  • hands.

  • OK, yeah, you're right.

  • It was sunny.

  • But Bitcoin is the currency of enemies,

  • so you want a third party to decide in the case of conflict.

  • There's a lot of, actually, interesting sort of game theory

  • things here where people have tried--

  • I've seen reports-- like, I've been

  • to talks where people are like, "Yeah, you

  • don't need an oracle.

  • You just agree on it without any outside influence."

  • And there's some fun things, some fun attacks,

  • where you can basically say, OK, Alice,

  • it rains, you win, but I'm not giving you the money.

  • And I can't get my money back either,

  • but here's what I'll do.

  • I'll sign a bunch of time-locked transactions,

  • and if you want a little bit of your money,

  • you can take it right now.

  • If you want more of it, you just have