4 PROTOCOL
Due to the complexity of efficient holder collateral-free options, we elaborate on the protocol gradually. We first introduce the efficient transfer of an option in Section 4.1. Next, we outline how to achieve holder collateral-free cross-chain options in Section 4.2. Finally, we show the efficient, holder collateral-free option protocol.
4.1 Efficient Option Transfer Protocol
Option Initialization. First, we illustrate an efficient option transfer protocol in an HTLC-based option. Assume Alice and Bob initialize an HTLC-based option as the holder and writer respectively. In this option, Alice locks $Asset_A$ on $Chain_A$, intending to transfer it to Bob if a preimage of $H(A)$ is presented before $T_E + \Delta$. Bob locks $Asset_B$ on $Chain_B$, intending to transfer it to Alice if a preimage of $H(A)$ is presented before $T_E$, where $T_E$ is the expiration time of this option. Alice owns the preimage $A$. In addition, Alice performs $KeyGen(1^\lambda) \to (pk_A, sk_A)$ to generate a transfer key pair [3], which is used for DAPS and misbehavior detection. $pk_A$ is recorded in both contracts. The transfer key is used by Alice when transferring ownership to another party. A signature generated by $sk_A$ can be used to replace the contract holder, the hashlock, and the new transfer public key. Similarly, Bob creates a transfer key and records it on both chains. Alice and Bob agree in advance on a value (e.g., a 256-bit random number) to serve as the message address $a$ recorded in the contracts for the DAPS. We take holder position transfer as an example to illustrate this transfer protocol.
4.1.1 Transfer Holder's Position. Suppose Alice reaches an agreement with Carol to transfer the holder position on or before time $T_H$, with a charge of $HolderFee$ on $Chain_C$. Carol performs $KeyGen(1^\lambda) \to (pk_C, sk_C)$ to generate a new transfer key pair. Carol deposits $HolderFee$ in $Contract_C$. This contract requires a signature of $m = (a, p)$, where message payload $p = (Carol.address, H(C), pk_C)$, signed by $sk_A$ to unlock and transfer the $HolderFee$ to Alice. Besides, $Contract_C$ records $H(A)$, specifying that $HolderFee$ is refunded to Carol if Carol can reveal $A$ (meaning that Alice has exercised the option). Instead of withdrawing immediately after she reveals a signature to redeem $HolderFee$, Alice must wait for $3\Delta$ to elapse. We refer to this period as the Withdrawal Delay Period. The protocol consists of two phases; Figure 1 illustrates the position transfer process:
(1) Reveal Phase: Carol locks the transfer fee and Alice attempts to withdraw the transfer fee with her signature.
(2) Consistency Phase: Carol forwards the signature to replace the holder and Alice withdraws the transfer fee after the withdrawal delay period.
I. Reveal Phase.
(1) Alice generates a signature by $Sign(sk_A, m) \to \sigma_m$, where $m$ equals $(a, (Carol.address, H(C), pk_C))$.
(2) If Alice wants to transfer her option to Carol, Alice sends $\sigma_m$ to $Contract_C$ by invoking the function reveal() and waits for $3\Delta$ (the withdrawal delay period). If she does not want to complete the trade with Carol, she does not reveal $\sigma_m$. The $HolderFee$ will be refunded to Carol after $T_H$.
II. Consistency Phase.
(1) Carol [4] forwards $\sigma_m$ to both $Contract_A$ and $Contract_B$ directly, attempting to call the function transferHolder() to replace the holder with Carol, the hashlock with $H(C)$, and the holder's transfer public key with $pk_C$.
(2) Alice calls withdraw() to obtain the $HolderFee$ in $Contract_C$ after the withdrawal delay period.
If all parties perform honestly, Alice is able to receive $HolderFee$ and the holder is changed to Carol. However, there are possible contingent events or dishonest scenarios:
• If Alice exercises the option during the transfer process and reveals the preimage $A$ before $T_H$, Carol can refund the $HolderFee$ from $Contract_C$ using $A$ during the withdrawal delay period.
• If different signatures with the same message address, $\sigma_{m'} \neq \sigma_m$, are submitted on $Chain_A$ and $Chain_B$ (e.g., if Alice submits two different signatures or sells the option to multiple parties), anyone can call $Extract(pk, m', \sigma_{m'}, m, \sigma_m) \to sk_A$ to get $sk_A$. $sk_A$ is the secret transfer key of Alice. If anyone obtains $sk_A$, it means that Alice has misbehaved. We can use this as evidence for fair settlement of funds.
  – Carol can call reclaim() and obtain the $HolderFee$ with $sk_A$ during the withdrawal delay period.
  – Bob can use $sk_A$ to claim both $Asset_A$ and $Asset_B$. If a signature has not been submitted, Bob can claim them at any time. If a signature has been submitted, Bob needs to send $sk_A$ within one $\Delta$ after the signature submission.
• If Carol reveals $\sigma_m$ on only $Contract_A$ or $Contract_B$, Bob can forward the signature to the other contract.
Timeouts. The transfer contract must be created no later than $T_H - 3\Delta$, and the reveal phase should be completed by $T_H - 2\Delta$ to ensure that the option can be transferred to Carol at $T_H$. In the consistency phase, if any misbehavior occurs, it should be reported to the contract by $T_H + \Delta$. If Bob does not claim assets on $Chain_A$ and $Chain_B$ with $sk_A$, this implies that the transfer is complete. Overall, a total transfer time of $4\Delta$ is required. In other words, the transfer protocol must be initiated no later than $T_E - 4\Delta$. The unlocking condition for $Contract_C$ is summarized in Table 2.
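The payout rules and deadlines for $Contract_C$ described above can be checked with a small timing model. This is an added example, not the paper's contract code: the class and method names other than the roles they mirror (reveal, withdraw, reclaim) are hypothetical, and signature and key checks are reduced to boolean inputs (`sig_valid`, `sk_matches_pk`) so the block isolates the time windows.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def H(preimage: bytes) -> bytes:
    return hashlib.sha256(preimage).digest()

@dataclass
class ContractC:
    """Timing model of Contract_C; every time value uses the same unit as delta."""
    t_h: int                 # T_H: agreed transfer deadline
    delta: int               # Δ
    hashlock_a: bytes        # H(A), recorded so Carol is refunded if Alice exercises
    created_at: int
    revealed_at: Optional[int] = None
    paid_to: Optional[str] = None

    def __post_init__(self):
        if self.created_at > self.t_h - 3 * self.delta:
            raise ValueError("Contract_C must be created by T_H - 3*delta")

    def _in_delay(self, now):
        # Withdrawal delay period: 3Δ starting when the signature is revealed.
        return self.revealed_at is not None and now < self.revealed_at + 3 * self.delta

    def _pay(self, who, allowed):
        # HolderFee leaves the contract once, to the first party with a valid claim.
        if allowed and self.paid_to is None:
            self.paid_to = who
            return True
        return False

    def reveal(self, now, sig_valid):
        # Assumption: sig_valid is the result of verifying sigma_m under pk_A.
        ok = sig_valid and self.revealed_at is None and now <= self.t_h - 2 * self.delta
        if ok:
            self.revealed_at = now
        return ok

    def withdraw(self, now):                        # Alice, after the delay
        return self._pay("Alice", self.revealed_at is not None and not self._in_delay(now))

    def refund_with_preimage(self, now, a):         # Alice exercised, A is public
        return self._pay("Carol", self._in_delay(now) and H(a) == self.hashlock_a)

    def reclaim_with_sk(self, now, sk_matches_pk):  # Alice double-signed
        return self._pay("Carol", self._in_delay(now) and sk_matches_pk)

    def refund_timeout(self, now):                  # Alice never revealed
        return self._pay("Carol", self.revealed_at is None and now > self.t_h)
```

With a reveal at the latest allowed time $T_H - 2\Delta$, the earliest withdrawal falls at $T_H + \Delta$, which is the same deadline the text gives for reporting misbehavior.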
4.1.2 How misbehaviors are handled securely in the protocol. Here we show how this protocol handles misbehavior and protects each party's interests by ensuring a fair payoff for honest parties. A more rigorous analysis is shown in Appendix B.1. First, we consider each party acting maliciously on their own.
• If Alice provides two different signatures to different buyers, as shown in 1, Bob can extract $sk_A$ and submit it to obtain $Asset_A$ and $Asset_B$, and Carol can reclaim the transfer fee with $sk_A$. In that case, Bob does not lose his $Asset_B$ and Carol does not lose her transfer fee.
• If Alice reveals $A$ at the same time during the transfer process, as shown in 2, Carol can use $A$ to reclaim $HolderFee$. She does not lose anything. The option is exercised, and the swap happens between Alice and Bob.
• If Alice or Carol publishes one signature exclusively on either $Contract_A$ or $Contract_B$, as shown in 3, Bob can forward this signature to the other chain to make sure the hashlocks and option holders are consistent on the two chains.
Next, we consider scenarios where collusion exists.
• If Alice and Bob collude, they can use $sk_A$ or $A$ to withdraw $Asset_A$ and $Asset_B$, as shown in 4. Carol can observe $sk_A$ or $A$ and withdraw $HolderFee$ during the withdrawal delay period.
• If Alice and Carol collude, they use two signatures to change the hashlock. During the withdrawal delay period, Bob can obtain $Asset_A$ and $Asset_B$ using the extracted $sk_A$, which is reduced to 1.
• If Bob and Carol collude, they cannot do any harm. Since Alice will only reveal one valid signature, Alice will receive $HolderFee$ from Carol.
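The key-extraction step that the double-signing cases above rely on (Section 4.1.1 and case 1) can be shown with a toy scheme. This is an added example, not the paper's DAPS construction, which this section does not specify: it uses a Schnorr-style signature whose nonce commitment $R$ is fixed in the public key for the one agreed address, over a deliberately tiny group, with deterministic key generation from a seed so the run is reproducible.

```python
import hashlib
from itertools import count
from math import isqrt

# Toy group, far too small for real use: safe prime P = 2Q + 1, G = 4 has prime order Q.
def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

P = next(p for p in count(10**9 + 1, 2) if _is_prime(p) and _is_prime((p - 1) // 2))
Q, G = (P - 1) // 2, 4

def _h(*parts):
    """Hash arbitrary fields to a challenge in Z_Q."""
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen(seed, addr):
    """Transfer key bound to one message address: sk = (x, k), pk = (X, R)."""
    x = 1 + _h("x", seed) % (Q - 1)
    k = 1 + _h("k", seed, addr) % (Q - 1)
    return (x, k), (pow(G, x, P), pow(G, k, P))

def sign(sk, addr, payload):
    x, k = sk
    e = _h(addr, pow(G, k, P), payload)
    return (k + e * x) % Q          # same k for every payload under this address

def verify(pk, addr, payload, s):
    X, R = pk
    return pow(G, s, P) == R * pow(X, _h(addr, R, payload), P) % P

def extract(pk, addr, p1, s1, p2, s2):
    """Two valid signatures on different payloads, same address -> secret x."""
    if p1 == p2 or not (verify(pk, addr, p1, s1) and verify(pk, addr, p2, s2)):
        return None
    e1, e2 = _h(addr, pk[1], p1), _h(addr, pk[1], p2)
    # s1 - s2 = (e1 - e2) * x mod Q, so divide by the challenge difference.
    return (s1 - s2) * pow(e1 - e2, -1, Q) % Q

if __name__ == "__main__":
    addr = "constructed-address-a"                      # constructed sample values
    sk, pk = keygen("alice-seed", addr)
    to_carol = ("Carol.address", "H(C)", "pk_C")
    to_other = ("Other.address", "H(O)", "pk_O")
    leaked = extract(pk, addr, to_carol, sign(sk, addr, to_carol),
                     to_other, sign(sk, addr, to_other))
    print("extracted key matches:", leaked == sk[0])
```

Because $R$ is part of the recorded public key, any second valid signature under the same address necessarily reuses the nonce, so a single honest transfer reveals nothing while a second sale exposes the key to Bob and Carol.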
4.1.3 Transfer Writer's Position. Transferring the writer's position is similar but simpler because Bob does not possess the preimage of the hashlock. Bob, with the transfer key pair $(pk_B, sk_B)$, can sign the message $m = (a, (Dave.address, pk_D))$ using $sk_B$ to collect the transfer fee, where $pk_D$ is a new transfer key for Dave. Transferring the writer's position does not update the hashlock used in the option exercise. Thus, Alice's option is not affected, apart from the change to a new option writer.
Authors:
(1) Zifan Peng, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China ([email protected]);
(2) Yingjie Xue, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China ([email protected]);
(3) Jingyu Liu, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China ([email protected]).
This paper is available on arxiv under CC BY 4.0 license.
[3] Logically, the transfer key is not used for receiving coins as "identities" in blockchains.
[4] Any party can forward this signature, as Alice may transfer ownership to any party.