{"id":22927,"date":"2017-11-27T19:22:20","date_gmt":"2017-11-27T19:22:20","guid":{"rendered":"http:\/\/ci027cfe64c0062697"},"modified":"2017-11-27T19:22:20","modified_gmt":"2017-11-27T19:22:20","slug":"scriptless-scripts-how-bitcoin-can-support-smart-contracts-without-smart-contracts","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/technical\/scriptless-scripts-how-bitcoin-can-support-smart-contracts-without-smart-contracts","title":{"rendered":"Scriptless Scripts: How Bitcoin Can Support Smart Contracts Without Smart Contracts"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div><figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/scriptless-scripts-how-bitcoin-can-support-smart-contracts-without-smart-contracts.jpg\" title=\"\"><\/figure>\n<p>Bitcoin\u2019s capacity is limited. Meanwhile, smart contracts can be resource intensive. So even though Bitcoin has always supported basic smart contract functionality, the two have never been a natural match.<\/p>\n<p>But a recent topic of research spearheaded by <a href=\"https:\/\/blockstream.com\/\" target=\"_blank\" rel=\"noopener\">Blockstream<\/a> mathematician Andrew Poelstra could help fix this. Recently presented as a key part of his <a href=\"https:\/\/www.youtube.com\/watch?v=3pd6xHjLbhs&amp;feature=youtu.be&amp;t=1h35m58s\" target=\"_blank\" rel=\"noopener\">presentation<\/a> at <a href=\"https:\/\/stanford2017.scalingbitcoin.org\" target=\"_blank\" rel=\"noopener\">Scaling Bitcoin Stanford<\/a>, \u201cScriptless Scripts\u201d have the potential to completely move certain smart contracts off of Bitcoin\u2019s blockchain \u2014 while still leveraging all of Bitcoin\u2019s security.<\/p>\n<h2>Bitcoin and Smart Contracts<\/h2>\n<p>Smart contracts, first proposed by digital currency veteran Nick Szabo in the 1990s, are essentially self-executing contracts. 
Most typically, they send money from someone to someone else if specific conditions are met. For example, if someone streams a song, a payment is automated from the streamer to the artist.<\/p>\n<p>While smart contracts are often associated with \u201csecond generation\u201d blockchains like Ethereum, Bitcoin has always supported basic smart contracts, too. In a way, any Bitcoin transaction is technically a smart contract: Funds are typically moved on the condition that a valid cryptographic signature is provided. Slightly more advanced smart contracts \u2014 such as <a href=\"https:\/\/bitcoinmagazine.com\/articles\/multisig-future-bitcoin-1394686504\">multisig<\/a> and <a href=\"https:\/\/bitcoinmagazine.com\/articles\/checklocktimeverify-or-how-a-time-lock-patch-will-boost-bitcoin-s-potential-1446658530\">timelocks<\/a> \u2014 are used to enable second-layer protocols like <a href=\"https:\/\/bitcoinmagazine.com\/articles\/understanding-the-lightning-network-part-building-a-bidirectional-payment-channel-1464710791\">the<\/a><a href=\"https:\/\/bitcoinmagazine.com\/articles\/understanding-the-lightning-network-part-creating-the-network-1465326903\"> Lightning<\/a><a href=\"https:\/\/bitcoinmagazine.com\/articles\/understanding-the-lightning-network-part-completing-the-puzzle-and-closing-the-channel-1466178980\"> Network<\/a>.<\/p>\n<p>But there are problems with blockchain-based smart contracts. For one, as they grow more complex, they require more resources to execute. This is especially problematic because all nodes on the network need to execute the contract \u2014 not just the parties involved with the contract itself.<\/p>\n<p>This network-wide execution also means that the parties involved have no privacy regarding what their smart contract entails: The entire network will know exactly what it looks like. By extension, this is bad for fungibility as well. 
If the smart contract is unpopular for some reason, the funds involved \u2014 publicly visible on the blockchain \u2014 are tainted.<\/p>\n<p>As smart contracts become more complex, they can even become a security risk. Alternative software implementations might, for example, interpret details of contracts slightly differently, making it harder to keep all nodes on the network in consensus. And potential bugs in these smart contracts are public as well, which increases the chance of hacks.<\/p>\n<p>But Poelstra, among others, thinks that many of these problems can be solved by actually moving the bulk of contracts off of the blockchain. Instead of having all nodes on the network calculate the entire smart contract, only the parties involved with the contract should perform this function.<\/p>\n<p>The trick is to ensure that the rest of the network does still correctly enforce the outcome of the contract: The payment must only be made if the required conditions are met.<\/p>\n<h2>Schnorr<\/h2>\n<p>Poelstra originally began researching \u201cScriptless Scripts\u201d (a phrase he also coined himself) in the context of the <a href=\"https:\/\/bitcoinmagazine.com\/articles\/mimblewimble-how-a-stripped-down-version-of-bitcoin-could-improve-privacy-fungibility-and-scalability-all-at-once-1471038001\">Mimblewimble<\/a> protocol. This stripped down version of Bitcoin offers more privacy and better scalability but does not support script: the bits of code embedded in Bitcoin transactions that allow for most basic smart contract features. <\/p>\n<p>So, Poelstra figured out how to get the utility offered by scripts without actually requiring them on the blockchain: Scriptless Scripts.<\/p>\n<p>The key to Scriptless Scripts is that (fairly) regular cryptographic signatures can indirectly reveal something that\u2019s not part of the transaction that includes the signature. 
In other words, when someone signs to validate an ordinary Bitcoin transaction, it holds that a smart contract that is not hosted on the blockchain still executes faithfully.<\/p>\n<p>This is made possible with <a href=\"https:\/\/bitcoinmagazine.com\/articles\/the-power-of-schnorr-the-signature-algorithm-to-increase-bitcoin-s-scale-and-privacy-1460642496\">Schnorr signatures<\/a>. These types of signatures are not yet implemented on the Bitcoin protocol, but it is possible that they could be deployed within a year or so from now.<\/p>\n<p>Schnorr signatures allow for signature aggregation; several signatures can be mathematically combined into a single signature. And, importantly for this use case, this math is \u201clinear.\u201d This basically means it\u2019s possible to perform relatively straightforward but very expressive math on these signatures.<\/p>\n<p>Oversimplified, it works something like this:<\/p>\n<p>Private keys and signatures are, of course, really just numbers, where the latter is derived from the former. Since this is a simplified example, let\u2019s say one private key looks like 10, and half of the Schnorr signature derived from that private key looks like 10000. And the other private key looks like 15, with the second half of the Schnorr signature looking like 15000. In this simplified example, the Schnorr signature would then look like 25000 (or 10000 + 15000).<\/p>\n<p>And since both halves of the signature are just numbers, it\u2019s possible to perform math between them. For instance, in this simplified example, the difference between these halves is 5000 (or 15000 \u2013 10000).<\/p>\n<p>While the reality is more complex, Schnorr\u2019s linearity allows for several of these kinds of math \u201ctricks.\u201d<\/p>\n<h2>The Smart Contract<\/h2>\n<p>Now let\u2019s say that a streamer wants to listen to a song by an artist. 
The artist has the right to this song, and it will play for the streamer if (and only if) the artist&#8217;s signature is provided to a server where the song is hosted. Since we\u2019re simplifying, let\u2019s say that this \u201csong signature\u201d looks like 7000. The streamer is willing to pay the artist one bitcoin for this song signature, to listen to the song. (He wants to listen to the song really badly.)<\/p>\n<p>In this simplified example, the streamer and the artist can automate this trade by doing two things. First, they create a fairly normal Bitcoin transaction that sends one bitcoin from the streamer to the artist, if the streamer and the artist both provide their half of a Schnorr signature to create a full Schnorr signature. (In reality, this step requires some extra safety precautions to ensure no one loses money, but it is relatively simple.)<\/p>\n<p>The next step is where it gets a bit more complex.<\/p>\n<p>The artist knows what her half of the Schnorr signature looks like; since we\u2019re simplifying, let\u2019s say it looks like 8000. And she knows what her song signature looks like: 7000. As such, she can calculate the difference between these two: 1000. This is called the adaptor signature. The artist then hands this adaptor signature \u2014 1000 \u2014 to the streamer.<\/p>\n<p>Here\u2019s where the cryptographic magic happens.<\/p>\n<p>By modifying the ordinary signature verification method, the streamer can actually verify that the adaptor signature he just received (1000) is indeed the difference between the artist&#8217;s half Schnorr signature and her song signature \u2014 even though the streamer does not have access to either signature yet. 
(And thanks to cryptographic tricks called \u201czero-knowledge proofs,\u201d something like this can actually be done in a surprisingly broad range of scenarios, not just in signatures as this example portrays.)<\/p>\n<p>Now, having verified that the adaptor signature (1000) checks out, the streamer can, in turn, give his half of the Schnorr signature to the artist, because once the artist uses the streamer\u2019s half to create a full signature and broadcasts this over the Bitcoin network, she automatically reveals her half of the Schnorr signature (8000) to the streamer as well.<\/p>\n<p>Using the artist\u2019s half of the Schnorr signature, the streamer can now subtract the adaptor signature: 1000. By subtracting the adaptor signature from the artist\u2019s half Schnorr signature (8000 \u2013 1000) the streamer indeed learns the artist\u2019s \u201csong signature\u201d: 7000. And now he can listen to the song.<\/p>\n<p>In other words, by broadcasting the transaction that pays her one bitcoin, the artist automatically sells the streamer the signature: a smart contract.<\/p>\n<p>From the perspective of the blockchain \u2014 that is, the rest of the world \u2014 the transaction is quite regular. Nothing about the smart contract, other than the \u201csettlement transaction,\u201d is ever recorded on the blockchain. No one will ever know that an underlying contract was executed \u2014 never mind what song the streamer listened to \u2014 and the contract-related data never needs to be calculated or stored by anyone other than the parties involved.<\/p>\n<p><em>To see Poelstra\u2019s Scaling Bitcoin presentation that includes Scriptless Scripts, \u201cUsing the Chain for What Chains Are Good For\u201d, click <a href=\"https:\/\/www.youtube.com\/watch?v=3pd6xHjLbhs&amp;feature=youtu.be&amp;t=1h35m58s\" target=\"_blank\" rel=\"noopener\">here<\/a>. 
An alternative, in-depth explanation of Scriptless Scripts was published by JoinMarket developer Adam \u201cWaxwing\u201d Gibson and can be found <a href=\"https:\/\/joinmarket.me\/blog\/blog\/flipping-the-scriptless-script-on-schnorr\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u201cScriptless Scripts\u201d have the potential to completely move certain smart contracts off of Bitcoin\u2019s blockchain \u2014 while still leveraging all of Bitcoin\u2019s security.<\/p>\n","protected":false},"author":2509,"featured_media":22928,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[73,705,1279],"class_list":{"0":"post-22927","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technical","8":"tag-privacy","9":"tag-scaling","10":"tag-smart-contracts"},"author_data":{"id":2509,"name":"Aaron van 
Wirdum","nicename":"aaron-van-wirdum","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/12\/aaron-van-wirdum-96x96.jpg"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/scriptless-scripts-how-bitcoin-can-support-smart-contracts-without-smart-contracts.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/22927","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/2509"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=22927"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/22927\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/22928"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=22927"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=22927"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=22927"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}