Bitlayer Research: Detailed Explanation of the "OP-DLC 2" Optimization Mechanism

Original Title: 《OP-DLC 2 : Great Truths are Always Simple》

Authors: mutourend & lynndell, Bitlayer Research Group

1. Introduction

Discreet Log Contract (DLC) is a contract execution framework based on oracles proposed by Tadge Dryja from MIT in 2018. DLC allows two parties to make conditional payments based on predefined conditions. The parties predefine possible outcomes and pre-sign, using these pre-signatures to execute payments when the oracle signs the outcome. Therefore, DLC achieves new decentralized financial applications while ensuring the security of Bitcoin deposits.

The previous article 《DLC Principle Analysis and Optimization Considerations》 summarized the advantages of DLC in terms of privacy protection, complex contracts, and low asset risk, and also analyzed the issues of key risk, decentralized trust risk, and collusion risk in DLC. It introduced decentralized oracles, threshold signatures, and optimistic challenge mechanisms into DLC to address various challenges it faces. Since DLC involves three parties: the oracle, Alice, and Bob, the exhaustive collusion attack among different participants is relatively complex, leading to relatively complex preventive strategies. Complex defense strategies are not perfect, do not conform to the principle of simplicity, and lack elegant simplicity.

In Bitcoin, any action by any participant must be realized through UTXO. Therefore, using a consensus mechanism to ensure UTXO correctness can resist arbitrary attacks. Similarly, in DLC, any action by any participant must be realized through CET (Contract Execution Transaction). Therefore, using an optimistic challenge mechanism to ensure CET correctness can resist arbitrary attacks. Specifically, after the oracle stakes 2 BTC, it can sign the CET. An optimistic challenge mechanism is added to the CET. If the CET is not challenged or successfully responds to a challenge, it is correct, can complete the settlement, the oracle releases the stake, and earns a fee; if the oracle attempts to act maliciously, anyone can successfully challenge it, and the CET will not be settled, the oracle loses the stake, and the oracle can no longer sign for the same CET. This conforms to the principle of simplicity and has elegant simplicity.

2. DLC Principle

Alice and Bob sign a betting agreement: betting whether the hash of the ξth block is odd or even. If it is odd, Alice wins the game and can withdraw the assets; if it is even, Bob wins the game and can withdraw the assets. Using DLC, the oracle transmits the information of the ξth block to construct conditional signatures so that the correct winning party wins all assets.

The elliptic curve generator is G, with order q. The key pairs for the oracle, Alice, and Bob are (z, Z), (x, X), (y, Y) respectively.

Funding Transaction (On-chain): Alice and Bob create a funding transaction together, locking 10 BTC each in a 2-of-2 multisig output (one public key X belongs to Alice, and one public key Y belongs to Bob).

Constructing CET (Off-chain): Alice and Bob create CET1 and CET2 to spend the funding transaction.

The oracle calculates the commitment R = k · G, then calculates S and S'

S := R - hash(OddNumber, R) · Z

S' := R - hash(EvenNumber, R) · Z

Then the new public keys for Alice and Bob are as follows:

PK\^{Alice} := X + S

PK\^{Bob} := Y + S'.

Settlement (Off-chain -> On-chain): When the ξth block is successfully generated, the oracle signs the corresponding CET1 or CET2 based on the hash of that block.

If the hash is odd, the oracle signs as follows:

s := k - hash(OddNumber, R) z

Broadcast CET1.

If the hash is even, the oracle signs:

s' := k - hash(EvenNumber, R) z

Broadcast CET2.

Withdrawal (On-chain): If the oracle broadcasts CET1, Alice can calculate the new private key and spend the locked 20 BTC:

sk\^{Alice} = x + s

If the oracle broadcasts CET2, Bob can calculate the new private key and spend the locked 20 BTC:

sk\^{Bob} = y + s'

The Bitlayer Research Group found: In the above process, any action must be realized through CET. Therefore, it is sufficient to use the optimistic challenge mechanism to ensure CET correctness to resist arbitrary attacks. Incorrect CETs will be challenged and not executed, while correct CETs will be executed. Additionally, the oracle needs to pay a price for malicious behavior.

The challenge program is f(t), and the CET should be constructed as follows:

s = k - hash(f(t), R) z.

Assuming the actual situation is that the hash of the ξth block is odd odd, i.e., f(ξ) = OddNumber, the oracle should sign CET1:

s := k - hash(OddNumber, R) z.

However, if the oracle acts maliciously and modifies the function value to Even, it signs CET2:

s' := k - hash(EvenNumber, R) z.

Thus, any user can thwart this malicious behavior based on f(ξ) ≠ OddNumber.

3. OP-DLC 2

OP-DLC includes the following 5 provisions:

• The oracle is composed of a consortium with n participants, any member of which can sign the CET. A stake of 2 BTC is required for the oracle to issue signatures and earn fees. If a member acts maliciously, they lose their stake. Other members can continue to sign CETs, ensuring that users can withdraw funds. Alice and Bob can also become oracles, truly trusting only themselves and minimizing trust.
• If the oracle acts maliciously and modifies the result, it will inevitably lead to the situation where f1(ξ) ≠ z1, f2(z1) ≠ z2. Therefore, any participant can initiate a challenge, i.e., conduct a Disprove-CET1 transaction.
• If the oracle honestly signs the CET, no participant can initiate a valid Disprove transaction. One week later, the CET can be correctly settled. Additionally, the oracle receives a reward of 0.05 BTC as compensation for the 1-week capital occupation of its staked 2 BTC and the fee for honestly signing the CET.
• Any participant can challenge Oracle_sign:
• If Oracle_sign is honest, no Disprove-CET1 transaction can be initiated, and the CET will be executed one week later. Additionally, the oracle's stake will be unlocked, and it will receive the fee;
• If Oracle_sign is dishonest, i.e., if anyone successfully initiates a Disprove-CET1 transaction and successfully spends the connector A output, then the signature of the oracle is invalid, it loses the staked 2 BTC, and in the future, this oracle cannot initiate the same result signature for this DLC contract, as the Settle-CET1 relying on the connector A output will become permanently invalid.
• The challenges in OP-DLC are Permissionless, meaning any participant can supervise whether the contracts within OP-DLC are executed correctly. Thus, it achieves minimal trust in the oracle. Compared to the Lightning Network, Alice and Bob can also operate offline. Because only honest signatures from the oracle will settle the CET, malicious oracles can be challenged and punished by anyone.

Advantages:

• High asset control, trust only oneself: Both Alice and Bob can become oracles and sign the CET. The optimistic challenge mechanism will thwart incorrect CETs, making malicious actions impossible. Therefore, OP-DLC allows users to trust only themselves. In BitVM, users must act as Operators and participate in all subsequent deposits to achieve self-trust. If a user acts as an Operator and only participates in a single UTXO deposit, that UTXO can be legally reimbursed by any of the other (n-1) Operators, meaning that the user's future withdrawals will still need to trust other Operators for reimbursement. The reimbursement authority of BitVM Operators is locked to each individual deposit UTXO.
• High capital utilization: If users only trust themselves, the required capital amount differs. In OP-DLC, users rely on their own withdrawals without needing to provide equivalent capital; whereas in BitVM, users need to provide equivalent capital first and then get reimbursed. This creates greater financial pressure.
• The signing oracle must be determined at the time of OP-DLC deposit, but users can also become oracles and sign for themselves.

Disadvantages:

• Withdrawal time requires 1 week: Essentially, both OP-DLC and BitVM have a time cost for capital that exists and is equivalent. OP-DLC withdrawals require a challenge period before funds can be accessed; if BitVM relies on users to provide upfront capital, then the equivalent upfront capital also needs to go through a challenge period before successful reimbursement. If BitVM relies on other Operators to provide upfront capital for quick withdrawals, it means that the Operator must incur the time cost of equivalent capital as a fee.
• The number of required pre-signed signatures grows rapidly and is linearly related to the number of CETs. A sufficient number of CETs are needed to enumerate all withdrawal results.

4. Conclusion

OP-DLC introduces the optimistic challenge mechanism into CETs, ensuring that incorrect CETs are not settled, and the corresponding malicious oracles lose their stakes; ensuring that correct CETs are executed, and the oracle's stake is unlocked while earning fees. This method can resist arbitrary attacks and possesses elegant simplicity.