One of the more interesting presentations at the Scaling Bitcoin workshop at Stanford University over the weekend wasMIT Digital Currency InitiativeResearch Scientist Tadge Dryja’s talk on discreet log contracts. Through this type of smart-contracting system, Bitcoin smart contracts that rely on the use of an oracle can potentially be made more secure than they are today, and the less-trusted oracles can also be used off-chain by way of the Lightning Network.
What are Smart Contracts?
During his talk, Dryja described a smart contract as a “payment conditional on some external data”. He also indicated that another way to view this kind of conditional payment is as a sort of bet.
The example smart contract used by Dryja throughout his talk was Alice and Bob betting on tomorrow’s weather. Dryja explained that, in this type of smart contract, an entity outside of the Bitcoin network is needed to share the data related to the weather. This entity is known as an oracle.
The simplest way this sort of bet is implemented on Bitcoin today is by way of a 2-of-3 multisig address where the oracle can sign a transaction in favor of the winning party (Alice or Bob).
Simple 2-of-3 Multisig Has Some Problems
Some problems can arise when a simple 2-of-3 multisig setup is used for a bitcoin-based bet on some real-world event.
“These things work great with friends, but bitcoin is the currency of enemies,” said Dryja.
First of all, the oracle can become unresponsive. If this happens the funds in the multisig address will be stuck unless the two parties in the bet can agree on a transaction to sign together. Additionally, the oracle can be easily corrupted by one of the parties in the bet.
An oracle can also choose different outcomes for different bets. While the oracle may say the weather is sunny for Alice and Bob’s bet, the oracle could choose a different outcome, such as rain, for another smart contract.
“They have a lot of power, and it’d be better if you could have an oracle system where they couldn’t equivocate and even better if they weren’t aware of the contracts that people were using based on their data,” explained Dryja.
A Better System for Smart Contract Oracles
To deal with some of the issues associated with oracles in Bitcoin smart contracts, Dryja has proposed a solution called discreet log contracts.
Without getting into the technical details, discreet log contracts would have Alice and Bob first send funds to a mutual, 2-of-2 multisig address. New transactions would then be pre-signed in a manner that sounds somewhat similar to the Lightning Network, of which Dryja was a co-author.
Once the oracle signs a message with the outcome of the bet, the winner of the bet is able to broadcast the transaction that provides them with their winnings. The oracle’s message is combined with some of the winner’s own data before hitting the blockchain, which is what prevents the oracle from knowing when their data is used.
Because the data is provided by the oracle in an off-chain manner, it is not in any way connected to a specific smart contract on the Bitcoin blockchain. All contracts that use a specific oracle will execute in the same way, and different results cannot be applied to different contracts on the network.
“You are trusting this oracle, but it’s somewhat limited by the fact they can’t equivocate and they don’t have visibility,” explained Dryja. “[The oracle] doesn’t necessarily know Alice and Bob are entering this contract.”
Later, Dryja indicated that it’s possible to further remove trust from this setup by using multiple oracles at the same time. The possible outcomes associated with a particular bet are also effectively limitless.
Placing Bets Via the Lightning Network
Dryja went on to explain that this setup can also work via the Lightning Network, and no information regarding the smart contract would hit the blockchain if the two parties cooperated with each other.
“There’s very little incentive to try to be a jerk,” Dryja added.
According to Dryja, moving these bets to the Lightning Network would be beneficial from both a scalability and privacy perspective. Nobody but the counterparties would see the smart contracts in the Lightning channel, and Dryja claimed the process is still “pretty anonymous” in a situation wherethe blockchain is needed to resolve a dispute.
Money can also be refunded to both parties in a situation where the oracle disappears or doesn’t do their job properly.
Those who wish to invest in Dryja’s idea directly will be disappointed, as he concluded his talk by saying, “There’s no token, and there’s no ICO. Sorry (not sorry).”