[dlc-dev] Oracle attestations can be simplified and be more much more efficient
Lloyd Fournier
lloyd.fourn at gmail.com
Tue Jan 26 02:30:11 CET 2021
Hi list,
I want to expand on a nuance of the performance improvement. Since it only
saves ecmults when computing the anticipation points. it won't have much of
an effect on the performance of binary digit decomposition. If you have a
16 bit number you will have 16 R values and do 32 ecmults. With this
proposal above you will instead only have to do 16 ec additions which would
make it ~20 times faster.
But let's say we have 1k CETs for this event in binary digit decomposition
then you will have to do a few thousand EC additions to produce the
encryption key for each CET signature (each of the CETs takes <16
additions). The time it takes to do these additions will make the
performance improvement offered by speeding up the anticipation point
calculation relatively insignificant. The performance improvement is mostly
felt when you have a single R value with many possible outcomes (i.e. not
binary digit decomposed).
Having said that I still think this is a good idea since it is simpler to
implement and doesn't require maintaining a mangled BIP340 function to
produce the anticipation point. This idea can be implemented with
libsecp256k1's public API.
Cheers,
LL
On Tue, Dec 29, 2020 at 1:23 PM Lloyd Fournier <lloyd.fourn at gmail.com>
wrote:
> Merry Christmas list,
>
> A Schnorr signature has the form (R, s) where
> 1. R = r *G for some secret nonce r
> 2. s = r + c*x where c = H(R || X || m) for a message m and some hash
> function H
>
> The original DLC paper suggests re-using this structure but with R
> published upfront (in what we call the *announcement*) to create a list of
> anticipation points computed like P = R + c_i * X where c_i = H(R || X ||
> m_i) where m_i indicates the i'th possible outcome of the event.
>
> I make the claim that c_i need not be the result of a hash function. c_i
> can instead simply be set to i. So to attest to the 3rd outcome set c_i = 2
> and the oracle reveals s = r + 2 * x.
>
> == Security
>
> The only security property required for the point anticipation scheme is
> that (i) it reveals no information other than the list of points (zero
> knowledge) (ii) if the oracle reveals the secrets for two points then they
> lose their secret key (no equivocation).
> Clearly (i) holds since R is still just a random point.
> (ii) holds for the same reason as in the original -- two different c_i and
> c_j reveals x = (s_i - s_j) / (c_i - c_j). The change from hash of message
> to index is irrelevant.
>
> == Impact
>
> The main specification change would be to make outcome descriptors
> describe an ordered list of outcomes rather than a set of strings. e.g. the
> enumeration descriptor would simply assign the index to each outcome.
>
> The benefits of applying the above idea are:
> 1. It would reduce the time taken to compute the list of anticipation
> points to ~1/12 of the time currently taken since you can avoid doing any
> ec multiplications. You can incrementally add X to each previous value
> (starting with R) to get the next anticipation point. In the current
> protocol you have to verify ECDSA adaptor signatures so this would still
> lead to a time reduction of 1/2 to 1/3 since it removes 2/3 of the ecmults
> (depends a lot on implementation).
> 2. In the future you could capture the full speedup by not doing adaptor
> signatures and just putting each outcome in its own Taproot branch and
> using OP_CTV to enforce the outcome.
> 3. It removes arbitrary structure from the scheme and is easier to specify
> and implement (no need to talk about tagged hashes or to have a BIP340
> implementation).
> 4. It gets rid of all concerns about utf8 and message encoding since
> outcomes are represented by integers.
>
> The downsides are mostly rhetorical:
> 1. We couldn't talk about "signing the outcome" because that's not what
> we're doing anymore (actually we were never really doing that but it was at
> least not too much of a lie since there was at least a signature at the end
> of it). I don't have an idea about the best way to talk about it yet.
> 2. The oracle's attestation could no longer provide useful information by
> itself. I liked the idea that systems who didn't care about DLCs could
> still use the oracles to get info about the world just from the signature
> and the message it signed. You can still use oracles in this way here but
> you *must* have the announcement with the attestation data to figure out
> what was attested to.
>
> Let me know your thoughts and hope you have a good break.
>
> Cheers,
>
> LL
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailmanlists.org/mailman/private/dlc-dev/attachments/20210126/bab4415b/attachment.htm>
More information about the dlc-dev
mailing list