Skip to content

Instantly share code, notes, and snippets.

@0xBEEFCAF3

0xBEEFCAF3/ZKCP-2WP.md

Last active October 13, 2023 13:45
Show Gist options
  • Save 0xBEEFCAF3/f40a3bc29f313b8c4faff80ccaf502cb to your computer and use it in GitHub Desktop.
Save 0xBEEFCAF3/f40a3bc29f313b8c4faff80ccaf502cb to your computer and use it in GitHub Desktop.
Download ZIP
Zero-Knowledge Contingent Payment Two Way Peg
Raw
ZKCP-2WP.md

The foundation of this protocol hinges on Zero Knowledge Proofs (ZKPs), which encompass a diverse array of systems and types.

In essence, a zero-knowledge proof (ZKP) for general computation is a cryptographic framework that empowers an individual to execute an arbitrary program, using a combination of publicly accessible and confidential inputs, and convincingly demonstrate to others that the program accepted these inputs, all without divulging any additional information about its operations or the concealed inputs.

Provided we assume that a ZKP system exists and that a buyer (an entity seeking to initiate a peg-in) and a seller (a node aiding the buyer in pegging in) can engage in secure, authenticated communication, then we can construct a trustless atomic peg to a sidechain.

Key Assumptions:

  1. The existence of a ZKP black box.
  2. The sidechain possesses the capability to perform introspection on transactions and its own blockchain.
  3. The buyer (referred to as "B") and the seller (referred to as "S") can communicate off-chain in an authenticated and encrypted manner, employing methods such as Tor, HTTPS, or Nostr.

Steps:

  1. B signals their intention to peg-in a certain amount of Bitcoin to S.
  2. S generates a Hashed Time-Locked Contract (HTLC) on the sidechain and broadcasts it. This HTLC may take the following form:
address = convert_to_address(recover_pk_from_sig(sig))

if sha256(x) == s && spender == B.address:
  assert(address, B.address)
  pay(l, B.address)
  return


if (tx.date - current_date) > T:
  assert(l, S.address)
  return
  1. B acknowledges the creation of the HTLC and ensures that it is a certain number of blocks deep.
  2. B devises a distinct program to assist S in verifying that they indeed possess an "x" that hashes to "s". This program can be formulated as follows:
# note Ex and Y are public params only k confidential
fn main(Ex, Y, k):
   assert(sha256(k) == Y)
   x = decrypt(Ex, k)
   assert(sha256(x) == s)

B communicates this program to S for the purpose of validating their possession of "x"

  1. S generates an ephemeral encryption key for a symmetric encryption algorithm, denoting it as "k."
  2. S encrypts the hash pre-image, Ex = encrypts(x, k) and hashes the key, Y = sha256(k).
  3. Ex, Y, S's public key, and the ZKP are subsequently conveyed to B.
  4. Utilizing the ZKP system, the seller demonstrates a composite statement:
    • Ex is an encryption of an input that satisfies B's program.
    • Y is the SHA-256 hash of the decryption key for Ex
  5. The buyer can now make the payment to the ZKCP Bitcoin Scriptpubkey, defined as follows:
OP_SHA256
<Y> OP_EQUAL
OP_IF
  <Seller Pubkey>
OP_ELSE
  <block_height+K> OP_CHECKLOCKTIMEVERIFY OP_DROP
  <Buyer Pubkey>
OP_ENDIF
OP_CHECKSIG
  1. S is now able to claim Bitcoin on-chain, but only after revealing the decryption key for "e_x."

This arrangement ensures that S receives Bitcoin, while B obtains sidechain Bitcoin, thus enabling a 1:1 pegged Bitcoin system, while allowing each party to refund themselves in a timely manner.

Resources: [0] Bitcoin Core - Zero Knowledge Contingent Payments Announcement

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment