It is no secret that the throughput of the Bitcoin blockchain is already very limited, and smart contracts are resource-intensive. So although Bitcoin has always supported basic smart contract functionality, the two have never really come together.
A recent study by Blockstream mathematician Andrew Poelstra, presented at the Scaling Bitcoin conference at Stanford, may help solve this problem. His proposal, called Scriptless Scripts, has every chance of moving individual smart contracts off the Bitcoin blockchain while preserving security.
Bitcoin and smart contracts
Smart contracts, first proposed by digital currency veteran Nick Szabo in the 1990s, are essentially self-executing contracts. They typically send money between parties when certain conditions are met.
While smart contracts are usually associated with «second generation» blockchains like Ethereum, Bitcoin has always supported simple smart contracts too. Technically, every Bitcoin transaction is a smart contract: funds move only if a valid cryptographic signature is provided. Somewhat more advanced contracts, such as multisig and timelocks, are used in second-layer protocols like the Lightning Network.
Blockchain-based smart contracts do have some problems, however. As their complexity grows, executing them requires more resources. This is especially problematic because every node in the network has to execute the contract, not just the parties to it.
This universal execution also means the participants have no privacy regarding the contract or its outcome: it becomes known to the whole network. It is also bad for fungibility. If a particular smart contract gets a bad reputation for whatever reason, the funds involved may lose value, since they are publicly visible on the blockchain.
As smart contracts become more complex, they also start to pose a security risk. Alternative implementations may interpret the details of a contract slightly differently, which makes it harder to keep all network nodes in consensus. Bugs in smart contracts are public as well, which increases the risk of attack.
According to Poelstra, all of these problems can be solved by moving certain kinds of contracts off the blockchain. The contract is then executed not by every node in the network but only by its direct participants.
All the rest of the network needs to see is that the outcome of the contract, a payment, is settled correctly under the agreed conditions.
Poelstra began studying Scriptless Scripts in the context of the Mimblewimble protocol. This stripped-down variant of Bitcoin offers better privacy and scalability, but it does not support scripts, the snippets of code embedded in transactions that provide the basic smart contract functionality. Poelstra worked out how to get the capabilities scripts offer without putting them in the blockchain at all: Scriptless Scripts.
The essence of Scriptless Scripts is that a cryptographic signature can implicitly «say» something that is not part of the transaction it signs. In other words, when someone signs an ordinary Bitcoin transaction, the very act of signing can also execute a smart contract that lives outside the blockchain.
This is achieved with Schnorr signatures. This type of signature is not yet part of the Bitcoin protocol, but it may be deployed in about a year.
Schnorr signatures allow signature aggregation: several signatures can be mathematically combined into one. And, importantly for this scenario, the math is «linear». In essence, this means that relatively simple but very expressive arithmetic can be done on such signatures.
In simplified form it works this way:
Private keys and signatures are both just numbers, and a signature is derived from a private key. Since this is a simplified example, suppose one private key is 10 and the Schnorr half-signature derived from it is 10,000. The other private key is 15 and its Schnorr half-signature is 15,000. In this simplified picture, the combined Schnorr signature is then 25,000 (10,000 + 15,000).
Because both half-signatures are just numbers, arithmetic can be done on them. In our simplified example, the difference between the two halves is 5,000 (15,000 - 10,000).
In reality everything is much more complicated, but the linearity of Schnorr signatures is what makes these mathematical «tricks» possible.
Now suppose a streamer wants to listen to a song by a certain artist. A seller holds the rights to this song, and the song is played for the streamer only once the artist's signature is available on the server where the song is stored. Suppose the «song signature» is 7,000. To hear the song, the streamer is willing to pay the seller 1 BTC for the song signature (he must really want to hear it!).
In this simplified example, the streamer and the seller can automate the deal with two things. First, they create an ordinary Bitcoin transaction that sends one bitcoin from the streamer to the seller, valid only if both the streamer and the seller provide their Schnorr half-signatures, which together recreate a full signature. (In practice this step requires additional safeguards against losing the money, but they are relatively simple.)
The next phase is a little more involved. The seller knows what his Schnorr half-signature looks like; suppose it is 8,000. He also knows what the song signature looks like: 7,000. So the seller can compute the difference between the two values: 8,000 - 7,000 = 1,000. This difference is called a transition signature (Poelstra's term is «adaptor signature»). The seller then passes this transition signature, 1,000, to the streamer.
And here the real cryptographic magic begins.
By slightly modifying the usual signature verification procedure, the streamer can actually confirm that the transition signature he just received (1,000) really is the difference between the seller's Schnorr half-signature and the song signature, even though the streamer does not yet have access to either of those values. (Thanks to a cryptographic technique called «zero-knowledge proofs», this kind of thing can in fact be done in a surprisingly wide range of scenarios, not only for the signatures in this example.)
Having verified the transition signature (1,000), the streamer can in turn hand the seller his own Schnorr half-signature. As soon as the seller combines it with his own half into a full signature and broadcasts it to the Bitcoin network, the seller's half-signature (8,000) is automatically revealed: the streamer simply subtracts his own half from the published full signature.
With the seller's Schnorr half-signature in hand, the streamer now subtracts the transition signature, 1,000. Subtracting the transition signature from the seller's half-signature (8,000 - 1,000) gives the streamer the song signature: 7,000. Finally, he can listen to the song.
In other words, by broadcasting the transaction that pays him one bitcoin, the seller automatically delivers the song signature to the streamer, and the smart contract is executed.
From the blockchain's point of view (and the rest of the world's), the transaction is perfectly ordinary. Nothing about the smart contract, apart from the payment transaction itself, is recorded on the blockchain. Nobody will know that a contract was executed at all (let alone which song the streamer listened to), and nobody but the participants can read or store the contract's details.
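The following is an added example, not code from the article or from Poelstra's work: it carries the simplified numbers above (the two half-signatures that add up, and the seller's transition signature that lets the streamer peel out the song signature) through real Schnorr arithmetic on secp256k1, the curve Bitcoin uses. The secret «song signature» is modelled as a scalar t with a public point T = t·G, which is an assumption of this example; the hash layout H(R || P || m), the naive 2-of-2 key aggregation and the absence of a nonce-commitment round are also simplifications that make the code a teaching aid rather than a protocol implementation.

```python
"""Added example: Schnorr half-signatures and an adaptor ("transition")
signature on secp256k1, in plain Python. Teaching code for the streamer/seller
story: no constant-time arithmetic, no nonce-commitment round, naive key
aggregation. Never use it for real funds."""
import hashlib
import secrets

# secp256k1 domain parameters, the curve Bitcoin uses.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Group law on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None                                   # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def point_neg(a):
    return None if a is None else (a[0], (-a[1]) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (not constant time)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def keygen():
    """Random non-zero scalar and its public point; also used for nonces."""
    k = secrets.randbelow(N - 1) + 1
    return k, point_mul(k, G)


def challenge(R, pub, msg):
    """Schnorr challenge e = H(R || pub || msg) mod N (layout is an assumption)."""
    coords = (R[0], R[1], pub[0], pub[1])
    data = b"".join(c.to_bytes(32, "big") for c in coords) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def verify(pub, msg, sig):
    """Ordinary check: s*G == R + e*pub. This is all the network ever sees."""
    R, s = sig
    return point_mul(s, G) == point_add(R, point_mul(challenge(R, pub, msg), pub))


def adaptor_sale(msg, secret_t):
    """Streamer (buyer) pays the seller; the payment's signature leaks secret_t
    to the buyer and to nobody else. Returns what each side ends up with."""
    x_buyer, pub_buyer = keygen()
    x_seller, pub_seller = keygen()
    # Naive 2-of-2 aggregation (assumes honest keys; real deployments need
    # MuSig-style coefficients to stop rogue-key attacks).
    pub_joint = point_add(pub_buyer, pub_seller)
    T = point_mul(secret_t, G)          # public image of the "song signature"

    # 1. Both sides pick nonces and exchange the points R_i; e depends on both.
    r_buyer, R_buyer = keygen()
    r_seller, R_seller = keygen()
    R = point_add(R_buyer, R_seller)
    e = challenge(R, pub_joint, msg)

    # 2. Seller computes its half-signature but hands over only the
    #    transition (adaptor) signature: half-signature minus the secret.
    s_seller = (r_seller + e * x_seller) % N
    adaptor = (s_seller - secret_t) % N

    # 3. Buyer checks the adaptor using public data only:
    #    adaptor*G == R_seller + e*pub_seller - T
    expected = point_add(point_add(R_seller, point_mul(e, pub_seller)), point_neg(T))
    if point_mul(adaptor, G) != expected:
        raise ValueError("transition signature does not hide the promised secret")

    # 4. Only now does the buyer release its own half-signature.
    s_buyer = (r_buyer + e * x_buyer) % N

    # 5. Seller adds the halves (linearity) and broadcasts (R, s) to get paid.
    s = (s_buyer + s_seller) % N
    onchain_valid = verify(pub_joint, msg, (R, s))

    # 6. Buyer reads s from the chain, subtracts its own half to get the
    #    seller's half, then subtracts the adaptor to recover the secret.
    recovered = (((s - s_buyer) % N) - adaptor) % N
    return {"onchain_valid": onchain_valid, "recovered_secret": recovered,
            "secret_matches": point_mul(recovered, G) == T}


if __name__ == "__main__":
    print(adaptor_sale(b"pay 1 BTC to the seller", 7000))
```

Step 3 is the check the article describes as a «modified verification»: the buyer never sees s_seller or t, yet the equation on public points proves the adaptor is exactly s_seller minus the discrete log of T. The order of steps matters for safety: if the buyer handed over s_buyer before verifying the adaptor, the seller could take the payment without ever revealing t.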