Adaptor point doc #158
Adaptor point doc #158
Conversation
nkohen
added
documentation
|
Currently this contains a detailed outline which I plan to turn into a specification tomorrow. |
nkohen
force-pushed
the
adaptor-point-doc
branch
from
2411ac2 to
a3474d5
Compare
|
NIT: I think "adaptor point" is not the right name since you can use them without using adaptor signatures. These points are the same thing if you are using non-adaptor sig DLCs. What about attestation points? |
Done. |
nkohen
force-pushed
the
adaptor-point-doc
branch
from
59337d8 to
7b79f4f
Compare
| is an oracle attestation of a specific message, `m` (or the sum of multiple such attestations). | ||
| The point `S` can be thought of as an encryption key to be used on the signature of the CET which corresponds to the | ||
| event where `m` is attested to so that this signature can only be used should this attestation be broadcast. | ||
| The key point is that `S` can be computed *in advance* given information in oracle announcements so that anticipation points |
There was a problem hiding this comment.
nit link oracle announcement
| is known as an adaptor signature. | ||
| This encryption is used to make signatures (and transitively, transactions) conditional on the scalar pre-image of this point becoming known. | ||
| Often times an adaptor point is assigned meaning through its functional use in a Bitcoin contracting scheme such as a DLC. | ||
| Specifically for DLCs, adaptor points always correspond to oracle attestations so that they are always attestation points and |
There was a problem hiding this comment.
I would bold this sentence to make sure it is not missed (i missed it my first time through :/)
|
Needs rebase, otherwise is this good to merge? AFAICT this is just extra documentation. I see it's still in "Draft" status. Any reason for that @nkohen ? |
| This means that in order to spend any execution branch of a DLC, one must reveal the scalar pre-image for a point. | ||
| As is described in this document, the points used for adaptor signing correspond to anticipations of all | ||
| possible oracle attestations such that exactly one adaptor secret is revealed, unlocking exactly one signature, | ||
| making exactly one Contract Execution Transaction (CET) valid for on-chain publication. |
There was a problem hiding this comment.
nit: it might be better to link to the glossary than to redefine acronyms every time?
| The point `S` can be thought of as an encryption key to be used on the signature of the CET which corresponds to the | ||
| event where `m` is attested to so that this signature can only be used should this attestation be broadcast. | ||
| The key point is that `S` can be computed *in advance* given information in oracle announcements so that anticipation points | ||
| (aka attestation points or sometimes adaptor points) can be used to construct a DLC and later the corresponding attestations |
There was a problem hiding this comment.
I feel there is a distinction between attestation point and adaptor point, as an adaptor point can be the sum of multiple attestation points.
| At a high level, this is done using the fact that oracle attestations, `s`, are validated against public key information in the usual way | ||
| by checking that `s*G` is equal to a point computed in another way from public information, thus this point can be used as an attestation point. |
There was a problem hiding this comment.
I feel this sentence is unclear.
| * [Multiple Oracle Attestation Points](#multiple-oracle-attestation-points) | ||
| * [Authors](#authors) | ||
|
|
||
| ## Disambiguation of Terms |
There was a problem hiding this comment.
This should be in the glossary IMHO.
|
|
||
| ## Disambiguation of Terms | ||
|
|
||
| * **CET** - A Contract Execution Transaction (CET) is a Bitcoin transaction which spends the DLC funding output as an input |
There was a problem hiding this comment.
I would remove the part about "funding output as an input" so we don't have to redefine things once we specify DLC channels.
| these two terms are occasionally used inter-changeably in these specifications. | ||
| * **Attestation Point** - Also known as an anticipation point, an Attestation Point is an elliptic curve point `S = s*G` such that its scalar pre-image, | ||
| `s`, is an oracle attestation (or sum of multiple oracle attestations). | ||
| These points can be computed without explicitly knowing the scalar pre-image using only an oracle's public announcement information. |
There was a problem hiding this comment.
I think it might be worth noting that it requires knowledge of the R value.
| These points can be computed without explicitly knowing the scalar pre-image using only an oracle's public announcement information. | ||
| These points are used in the DLC specification as Adaptor Points. | ||
| * **Adaptor Signature** - An Adaptor Signature is an encrypted (on-chain-valid) digital signature which is constructed by a signer with their key | ||
| along with an Adaptor Point, which is an encryption (public) key. |
There was a problem hiding this comment.
Better not to redefine, simply link to the adaptor point definition.
| These points are used in the DLC specification as Adaptor Points. | ||
| * **Adaptor Signature** - An Adaptor Signature is an encrypted (on-chain-valid) digital signature which is constructed by a signer with their key | ||
| along with an Adaptor Point, which is an encryption (public) key. | ||
| This signature can be validated without decryption so long as the verifier knows not only the message being signed and the signers public key, |
| along with an Adaptor Point, which is an encryption (public) key. | ||
| This signature can be validated without decryption so long as the verifier knows not only the message being signed and the signers public key, | ||
| but also the Adaptor Point used to encrypt the signature. | ||
| The adaptor signature can only be decrypted into a valid on-chain signature using knowledge of the scalar pre-image of the Adaptor Point. |
There was a problem hiding this comment.
Maybe worth introducing "adaptor secret"?
| * **Oracle Outcome** - TODO | ||
|
|
||
| TODO: Don't forget to link to this from Protocol and Messaging docs as well as the two Numeric Outcome docs. |
| Note that every adaptor point, attestation point, adaptor signature, and oracle outcome will map to some CET but that this mapping | ||
| is not one-to-one since multiple points/signatures/outcomes can map to the same CET if those outcomes result in equal payouts. | ||
| * **Adaptor Point** - An Adaptor Point is an elliptic curve point used as an encryption key for a signature so that the encrypted signature | ||
| is known as an adaptor signature. |
There was a problem hiding this comment.
Maybe better to add 2 definition
・the explanation of "the scalar pre-images" for oracle's each Attestation Points, these are included in oracle_attestation as signatures
・the explanation of "the scalar pre-image" for Adaptor Point that is used as an decryption key for adaptor signatures
Built on top of #157.
Fixes #156.
Adds a specification document for Adaptor Point computation and ordering.