What you need to know about disguised smart contracts


At the last conference Scaling Bitcoin at Stanford, which was held in November 2017, the head of research at Blockstream Andrew Poelstra described the concept of “ascriptive scripts”, which will unload the bitcoin blockchain, removing the smart contracts and performing them on the principle of (almost) ordinary transactions. How this will work, versed in our material.


The concept of smart contracts that commit the transaction subject to certain conditions, for the first time a well-known cryptographer and computer science researcher Nick Szabo in 1994. Subsequently, with the advent of cryptocurrencies, his ideas were modified and developed into a working system, and the most popular implementation platform smart contracts on Ethereum remains today.

Despite the fact that launched in 2015, many believe the first Ethereum platform smart contracts the core functionality of smart contracts has always supported and bitcoin.

“Bitcoin cool that you can not just transfer the coins, but also to set different conditions for their spending. You can search for the types of hashes to create multipurpose, to do cool stuff that make “smart contracts”,” said Poelstra.

Technically even the usual bitcoin transaction can be considered a smart contract, as the funds are transferred, provided that a valid cryptographic signature. More complex smart contracts, which are multipurpose or timlake, is used in decisions of the second level (for example, Lightning Network).

Problem with smart contracts

The use of smart contracts associated with network load and risk for the parties involved. So, as soon as the contract is complicated, and growing resource consumption over his (that is, the consumption of computing power and ultimately energy). This is particularly problematic because to perform each of the smart contract all nodes of the network, not just stakeholders.

This, in turn, means a lack of privacy: the entire network can learn the details of your smart contract. Further, if it contains the vulnerability, it can detect and to abduct in contract funds.

Another threat is that an alternative can interpret contract details a little differently, which complicate the achievement of consensus nodes.

The decision

Last year, during the conference, and Scaling of Bitcoin Stanford, Poelstra the concept of “ascriptive scripts”, by which it is possible to use smart contracts in bitcoin network, but it is completely remove them from the blockchain. Under Poelstra system contracts should no longer run the entire network — only the immediate parties to the transaction. However, the rest of the network to ensure that network rules are not violated and the transaction is valid, because the blockchain will “see” the smart contract as a regular transaction. “People can verify the state of the system, downloading all of the background data. A particular way possible to compress all transactions. Many of these excess, you don’t need all of them publicly to check,” says Poelstra.

In his presentation Spoelstra elaborated on two technologies — Mimblewimble and ascriptive scripts. But to explain them, he raised several more issues.

Confidential transactions and obligations

This system is one of the main developers of Bitcoin Core and former team member Blockstrem Gregory Maxwell. Everything is functioning as normal bitcoin transactions, but the amounts transferred are hidden and replaced by similar obligations (possible to confirm undisclosed values). Thus, the circuit of the same type of debt allows you to verify the transaction, that is, to check that the sum of the inputs equals the sum of outputs, while not revealing any specific financial information.

Scheme liabilities consists of the real transaction amount, and other “blinding” factors, which are used to cover the amount. “In order to make a transaction, you should know the amount of blinding factors for the input… This means that you can’t create a transaction without knowing the secret,” explains Poelstra.

Use only scheme liabilities as a blinding factor may not be sufficient for data protection. In real transaction inputs is that it came from someone, and outputs — that goes to someone else. “There are two unrelated and distrusting each other hand, are not supposed to know the blinding factors for each other. Because if you’re going to use here the same type of obligations (the sum of the inputs equals the sum of the outputs), you will have a problem since the owner would be to know the amount of blinding factor input and Vice versa… All the participants of a transaction will know all blinding factors, and because they have all the exits,” says Poelstra.


The Protocol MimbleWimble this problem is solved by adding a special output with a zero value called the “core” (kernel). The kernel can’t spend, making it impossible to compromising such a transaction, because to make a successful payment it is necessary to know the amount of the consumed outputs.

Multipurpose and scheme liabilities with a zero exit — two components of “magic MimbleWimble” as he calls it Poelstra.

MimibleWimble Poelstra was presented at the same conference Scaling of Bitcoin, but a year earlier in 2016. The authorship of the proposal is unknown — was published through a hidden using Tor the server and “reset” in the IRC channel bitcoin-wizards. “The author just threw him out a minute later and never returned, as far as we know,” said Poelstra.

White paper written under the pseudonym Tom Elvis Jedusor (name Volan de mort in French editions of the “Harry Potter”), and the author says that “called his creation “MimbleWimble” because it is used to prevent the blockchain to share user information” (in the book “Harry Potter and the deathly Hallows” “Mimblewimble” is a curse of tongues, which connects the language of the victim, not allowing to say a word).

MimbleWimble enhances privacy and scalability of bitcoin, but does not support scripts, i.e., the bits of code contained in the bitcoin transactions and are responsible for basic functions of smart contracts in bitcoin. Described Poelstra ascriptive scripts combine the functionality of scripts and MimbleWimble.

Ascriptive scripts

“Ascriptive scripts, [who] were developed for 2017 and still [being developed], is a very large-scale research project, it is a way to use the kernel and the kernel signature to set them without modifying the system so that the inspectors had to understand the new rules,” said Poelstra, explaining that members can choose a contract or a Protocol they want to accomplish, and the result of an honest execution, they will create a valid signature, so the blockchain and the miners will be able to confirm the validity of the signature, it is not having any specific details of the transaction.

“You lay out the rules and then publish an explicit proof that these regulations are respected, says Poelstra. Historically this came from the MimbleWimble… But in fact any system that supports signature Snorra or some other scheme signatures with linear data, can perform this technique ascriptive scripts”.

The idea that public blockchain needs to have the functionality of privacy, we have developed a number of projects, and many community members noted that the visibility of all transactions the blockchain makes it unattractive to financial institutions.

“Privacy is important to us and the interchangeability of public cryptocurrency in which every transaction is published and can be downloaded by everyone. And this is very bad for privacy and commercial confidentiality, especially if your funds are on the blockchain. This makes it difficult to do business when you disclose all your financial information, and it discredits any commercial use of this system. Using ascriptive scripts, we avoid the disclosure of contracts, because all that comes to chain public keys and signatures,” notes Poelstra.

Signatures play a key role in the mechanism ascriptive scripts: when someone puts a signature, it looks like ordinary confirmation of bitcoin transactions, but it contains a smart contract that is not stored on the blockchain, but is executed correctly when receiving this signature.

Multipurpose Snorre

They make it possible for such secrecy. This kind of signatures are not yet implemented in the bitcoin Protocol, but maybe their support will be added throughout the year.

Signature Snorra allow you to combine multiple signatures into one. So, there are a few interested parties, so you need to create a signature, which would be common for all of them. Each user has a public key. These keys are connected, and a single public key, then only need to create a steam room to it private signature.

“The philosophical point is that such multipoles already partly are ascriptively scripts in the sense that you can have a group of people, each of which has its own public key, and they merge them together to get a single key. They receive a single key and a single signature. External observers who are not involved in this, I don’t know how many people are involved, and that this involved more than one person. And they certainly don’t know the original value… You leave a share of the signature instead of the full signature, and it works — magically” — says Poelstra.

When generating multimedia Snorra using linear mathematics. Consider how this works in a very :

Private keys and signatures are numbers, and the latter are formed from the first. Since this is a simplified example, imagine that the private key is 10, and half signature Snorra formed from this key is 10,000. The second private key — 15, second half of the signature Snorra — 15,000. Based on these data, the signature will be Snorra 25,000 (10,000 + 15,000).

And since they are numbers, they can make mathematical calculations. For example, the difference between the values of two private keys in our case is 5,000 (15,000 – 10,000).

In practice, of course, is more complicated, but this is one example of a computation that allows to carry out linear mathematics of signatures Snorre.

Consider this mechanism for example, a particular smart contract. For example, a smart contract programmed so that when someone listens to a song, reward immediately forwarded to the contractor.

In this case, according to the conditions of a smart contract, the song will only be played if the performer will provide his signature to a server that stores the musical composition. In our simplified scenario, a “signature song” — 7000. And “student” wants to pay for her audition 1 bitcoin.

Both parties will create a normal bitcoin transaction that sends bitcoin from one listener to the contractor, provided that both provide their half of signature Snorra to create one whole signature.

A performer certainly knows what his signature looks like. For example, 8000. He also knows how the signature looks of songs: 7000. Possessing these data, it can calculate the difference between the two: 1000. This is called “signed conversion”, or the connecting signature.

From a technical point of view it works like this: “Instead of having to send its nonce R in the Protocol of multipoles, [participant] sends R + blinding factor T… [Himself] T it also sends. It’s weird because he’s not trying to hide nonce: everything he does is adjusts its value, which he knows… You get the signature, which is almost valid — it is valid, if you can adjust her secret value t, which knows only one side. If you know the signature conversion, knowledge of valid signatures with the same nonce (as the hashes are the same) is equivalent to knowledge of t”.

This signature adapter the performer transmits to the listener, and the listener can ascertain that this signature actually represents the difference between the half signature Snorra artist and signature songs. And this despite the fact that the listener has no access to both of these signatures (a typical example of the proof with zero disclosure).

Now, checking the signature in the adapter, the listener can provide his half of the signature Snorra artist. When the contractor uses this half to create a signature and transmits it to the bitcoin network, it automatically makes visible to the listener and his half of the signatures (8000).

Now, using half of the signature of the performer, the listener can deduct signed-adapter 1000 out of half of Snorra signature of the contractor. So he learns signed song — 7000 — can listen. In other words, transmitting a transaction that is 1 bitcoin, by automatically sells the signature song to the listener — this is a smart contract.

For the blockchain (and all reviewers), the transaction looks perfectly normal. No details about smart contract, except for the usual “settlement transaction” to pay for songs, not recorded on the blockchain. No one will ever know that this entry is made smart contract. In addition, no one except the two parties must not perform calculations in the framework of the contract or store the data on the blockchain.

Leave A Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.