Succinct Atomic Swaps with Ruben Somsen

Ruben Somsen (Developer)

[00:00:00] Ruben Somsen: Hey, everyone. Happy Halvening. Today, I've got a special technical presentation for you. Basically what we're going to do is cut atomic swaps in half. So I called this succinct atomic swaps, but first let me tell you a little bit about my motivation. So basically, you know, I think Bitcoin is a very important technology.

And we need to find ways in order to utilize it at its maximum potential without sacrificing decentralization. So in order to do that, you know, you need to come up with some smart ways to basically do more with less, and that's the kind of protocol design that I tried to come up with. So in line with that, I came up with this.

Basically, what we're going to do is we're going to take atomic swaps, which are a protocol where you have maybe a UTXO on two chains and you want to swap them, or maybe on the same chain. So you could think about like Bitcoin to Litecoin, or even two Bitcoin UTXOs where you want privacy, and that's why you swap them.

And normally the protocol as [00:01:00] it works today is four transactions. So you have a preparation transaction on the first chain, then you have another preparation transaction on the other chain, which is generally a multisig in both cases. And then you have some kind of time lock and they do a swap. So we are taking that and we are basically bringing it down to only two transactions, and you might think, well, how the hell is that possible? Well, you're going to find out.

So, let's get started. Basically, we start with Alice who has, let's say, some Bitcoins on the Bitcoin blockchain. And she wants to, you know, prepare this for, for transfer, for swap with Bob.

So what she does is she locks it up. Alice's key, Bob's key and they'll lock it up together, but she's not actually sending her Bitcoins yet. So this is a transaction that's going to be on the blockchain, this, so this is basically an output that is locked and it can be unlocked by Alice and Bob's signature.

But she hasn't actually sent it yet. So before we actually put this on the blockchain, we make some preparatory [00:02:00] transactions. And the first one is actually almost the same. It's again, Alice and Bob. However, this one has a one day time lock and this is a time lock that's on the transaction level, meaning that this transaction cannot even go to the blockchain until one day has passed.

And from this transaction, we actually create a transaction where the money goes back to Alice, and that's necessary because if Alice sends this to the blockchain and then Bob just doesn't do anything, Alice needs some kind of way to get her money back. And this one has an actual relative time lock, meaning that first, the transaction in the middle that you see here has to go to the blockchain and then this transaction where Alice gets her money back can be sent to the blockchain, basically two days from starting this whole process. And there's a little star there that you might have noticed. Well, what does the star mean? It is actually an adapter signature, meaning that if this transaction, if Alice wants to broadcast this, because remember both Alice and Bob put a signature on it, [00:03:00] Bob's signature is only valid if Alice reveals the secret to Bob, and this is kind of something that adapter signatures can do.

So basically what you have to remember here is if this transaction ever goes to the blockchain, Alice is revealing a secret, which we call AS here. So then finally we have this other transaction that shouldn't ever go to the blockchain, unless Alice is just completely not paying attention, where Bob simply gets the money.

The only reason for this one is to make sure that Alice actually does something and doesn't just sit on it and does, does nothing. So basically at this point, we have a guarantee that either Alice gets her money back and she reveals the secret or Bob gets the money. And Alice, you know, knowing that she will actually respond in time and, and get her money back in time, is ready to send this to the blockchain.

So now this first transaction goes on chain and now it's Bob's turn. Bob, knowing that he will either learn a secret or get the money, he [00:04:00] just locks it up on the other chain, let's say Litecoin, with two, two keys, Alice's secret and Bob's secret. So what that means is that if the, the top transaction, the Bitcoin atomic swap here, the Bitcoin side, that goes to the blockchain like this, then AS, Alice's secret, is revealed to Bob and Bob gets his money back on the Litecoin chain, on the one in the bottom.

So because of this guarantee, you know, basically Bob is secure in just locking up his money with these two keys with no time lock whatsoever. And from this point on, we actually have to swap. Well, how do we do that? We actually create another transaction where the money simply goes to Bob, but again, it's an adapter signature and this time it's Alice who wants Bob to reveal secrets in order to send this transaction to the blockchain.

So what that means is that Bob can now claim the money at the top, but he has to reveal Bob's secret to Alice. And if he actually goes ahead and does that and [00:05:00] sends this to the blockchain, now, you know, Bob has the Bitcoins at the top and Alice at the bottom, she learns BS: Bob's secret. So now Alice has control of the bottom transaction.

Bob has control of the top transaction. However, you know, we're doing three transactions here, not two. So what's going on here? Well, first I gotta say three transactions is already better than what we have today because we have four transactions right now. So this is already an improvement. We can do even better.

Well, how do we do that? Well, we just don't send that transaction to the blockchain, but instead Bob gives Bob's secret to Alice and now, you know, basically Alice has control over the coins on the Litecoin side, and Alice does the same thing, gives Alice's key to Bob. And now Bob has control over the Bitcoin at the top.

So, you know, they can do this. And now they, basically in, in, in two transactions, they both have control over the money, but there is one caveat, which is that this transaction still exists. [00:06:00] So there's still a possibility for Alice to actually send this transaction to the blockchain and reclaim the top Bitcoins.

However, because of the way we have the time locks constructed, Bob can just simply be online and pay attention and respond if Alice ever tries to do this, because she first has to send the middle transaction to the blockchain, and then that final refund transaction, where Alice would get her money back.

So when the second transaction here in the middle, this Alice plus Bob, and the one day lock, if that one goes to the blockchain, Bob simply responds. And since Bob knows both keys A and B, he can just go ahead and send it to himself at that point. So there's this online requirement where Alice can't get the money if Bob's paying attention, and we assume or hope that Alice doesn't try. This is basically very similar to kind of how the Lightning Network works.

And if that is indeed the case, then we basically did an atomic swap in two transactions. So the negative is, well, the [00:07:00] online requirement for one of the two parties, in this case Bob, and there is this state. So you have to remember the secrets that you learn during the process, and this is different from running a regular Bitcoin wallet, where you do a backup once, and then you have all your money.

In this case, you actually have to make sure you back up the secrets or you definitely have them in case something goes wrong with your phone or whatever device you're using. So that's, you know, a little bit more work that you have to do there, but that's very similar to kind of how the Lightning Network works today as well.

And you know, it's a good compromise considering what you get in return is, you know, only two transactions instead of four. So it works today. Yeah, that's a good thing. Well, you can do this with Multisig and Schnorr, and that will be the most efficient way of doing it, without any weird math that you have to do, but recently Lloyd Fournier, he came up with a way to [00:08:00] do a single signer adapter signature, and that basically allows you to do this today. So if you utilize that kind of a technique, then you can basically do adapter signatures with single signatures on the Bitcoin blockchain today.

So that's really cool. Lloyd also helped me out with kind of reviewing this adapter, sorry, this atomic swap, succinct atomic swap protocol that I created. So I want to thank him for that. And well, obviously, you know, the other advantage here is that it's two transactions, not four. So that's great.

It's scriptless. So you don't really have anything huge going to the blockchain. It really is literally just either, in the case of Multisig, one signature, and in the case of ECDSA, two signatures going through to the blockchain per transaction. And it's asymmetric, meaning that one of the chains only has one transaction going on chain at any time, even if the protocol fails.

And that's nice because if one of the two chains is more [00:09:00] expensive to use, you know, let's say you go from Litecoin to Bitcoin and you want to kind of have Bitcoin be the, you know, the place where only one transaction takes place, and that's more efficient. The other thing is that what I already mentioned is that one of the two chains doesn't require a time lock.

So that might be good if there's some, you know, blockchains out there that don't really have any scripting whatsoever, including time locks. And lastly, there is something called payswap, which might be kind of useful to do with this protocol. So payswap is an idea by ZmnSCPxj on the Bitcoin mailing list where you basically have a payment where you send a full output to one person and the change, which is normally inside of the same transaction, is actually an atomic swap.

So I might be sending 1.5 Bitcoin to somebody for buying something. And in another transaction that's seemingly [00:10:00] unrelated, that person sends me back 0.5 because they only intended to send one Bitcoin, let's say. And so the nice thing about this is that now you don't really have any connection between the amounts, right? Because the amounts are different now. So it's not, not as obvious as if you were to do an atomic swap where the amounts are the same.

So you do a payment and atomic swap in one, and that gives you an additional amount of privacy. And this protocol wasn't very practical before because it required four transactions.

But now you could maybe do it in two transactions, or at least three if you don't want the online requirement. So, the last thing is that maybe, and I'm not sure about this, maybe we could use this to swap in and out of Lightning in one single transaction. So the way that would work is imagine you have a Lightning route from Alice to Bob to Carol.

And basically what you want to do is you want to create a payment from Alice to Carol, where depending on whether the payment goes through or not, either [00:11:00] Alice's secret is revealed or Carol's secret is revealed. And this is not really how Lightning works today. So it is a change and it's kind of an open question whether or not this is actually possible or whether there's some kind of thing that makes it impossible to do this over routing.

I'm not sure what the answer is there. If it is possible, that will be really cool. You could basically, you know, make a payment on chain and have a Lightning payment go through on the other end and make that be atomic. So both things go through or neither, both in and out of Lightning.

So hopefully that works, but I'll need some feedback on that. So please let me know if you are, you know, willing to look into this and think it may or may not work. So, if you want to learn more, this was kind of a, you know, a brief overview of how it worked, but I have a full writeup on tiny.cc/atomicswap, where you'll find the details of this protocol, as well as all of my other work.

Maybe most famously, my work on state chains. I also have some writeups on [00:12:00] blind merged mining, or at least a variant that uses basically kind of a fee bidding structure, where only the highest paying person gets to put his hash into the blockchain. That's kind of interesting. And a perpetual one way peg, which is kind of a way to do sort of something along the lines of side chains, but without having kind of the store of value property that you're used to from Bitcoin.

So it's a little, kind of an interesting little thing that I'm hoping to present about at Bitcoin 2020, the conference in San Francisco. This will hopefully happen in a couple of months, but we'll see what happens to, you know, the whole situation right now is a little tricky.

So, we'll see what happens, but you might be able to find me there. And if I do go there and you go there as well, I'll see you there. Thank you very much for listening and have a nice day.