Protocol
Security Analysis
A. Codes
B. Proofs
Due to the complexity of efficient holder collateral-free options, we elaborate on the protocol gradually. We first introduce the efficient transfer of an option in Section 4.1. Next, we outline how to achieve holder collateral-free cross-chain options in Section 4.2. Finally, we show the efficient, holder collateral-free option protocol.
Option Initialization. Firstly, we illustrate an efficient option transfer protocol in an HTLC-based option. Assume Alice and Bob initialize an HTLC-based option as the holder and writer respectively. In this option, Alice locks ๐ด๐ ๐ ๐๐ก๐ด on ๐ถโ๐๐๐๐ด, intending to transfer it to Bob if a preimage of ๐ป(๐ด) is presented before ๐๐ธ + ฮ. Bob locks ๐ด๐ ๐ ๐๐ก๐ต on ๐ถโ๐๐๐๐ต, intending to transfer it to Alice if a preimage of ๐ป(๐ด) is presented before๐๐ธ, where๐๐ธ is the expiration time of this option. Alice owns the preimage ๐ด. In addition, Alice performs ๐พ๐๐ฆ๐บ๐๐(1 ๐ ) โ (๐๐๐ด, ๐ ๐๐ด), which acts as a transfer key pair3 , which are used for DAPS and misbehavior detection. ๐๐๐ด is recorded in both contracts. The transfer key is used by Alice when transferring ownership to another party. A signature generated by ๐ ๐๐ด can be used to replace the contract holder, the hashlock, and the new transfer public key. Similarly, Bob creates a transfer key and records it on chains. Alice and Bob agree in advance on a value (e.g., a 256-bit random number) to serve as the message address ๐ recorded in the contracts for the DAPS. We take holder position transfer as an example to illustrate this transfer protocol.
4.1.1 Transfer Holderโs Position. Suppose Alice reaches an agreement with Carol to transfer the holder position on or before time ๐๐ป , with a charge of ๐ป๐๐๐๐๐๐น๐๐ on ๐ถโ๐๐๐๐ถ. Carol performs ๐พ๐๐ฆ๐บ๐๐(1 ๐ ) โ (๐๐๐ถ, ๐ ๐๐ถ) to generate a new transfer key pair. Carol deposits ๐ป๐๐๐๐๐๐น๐๐ in ๐ถ๐๐๐ก๐๐๐๐ก๐ถ. This contract requires a signature of ๐ = (๐, ๐), where message payload ๐ = (Carol.๐๐๐๐๐๐ ๐ , ๐ป(๐ถ), ๐๐๐ถ), signed by ๐ ๐๐ด to unlock and transfer the ๐ป๐๐๐๐๐๐น๐๐ to Alice. Besides, ๐ถ๐๐๐ก๐๐๐๐ก๐ถ records ๐ป(๐ด), specifying that ๐ป๐๐๐๐๐๐น๐๐ is refunded to Carol if Carol can reveal ๐ด (meaning that Alice has exercised the option). Instead withdraw immediately, after Alice reveals a signature to redeem ๐ป๐๐๐๐๐๐น๐๐ , she must wait for 3ฮ to elapse. We refer to this period as the Withdrawal Delay Period. The protocol consists of two phases, Figure 1 illustrates the position transferring process:
(1) Reveal Phase: Carol locks the transfer fee and Alice attempts to withdraw the transfer fee with her signature.
(2) Consistency Phase: Carol forwards the signature to replace the holder and Alice withdraws the transfer fee after the withdrawal delay period.
I. Reveal Phase.
(1) Alice generates signature by ๐๐๐๐(๐ ๐๐ด,๐) โ ๐๐, where ๐ equals to (๐, (Carol.๐๐๐๐๐๐ ๐ , ๐ป(๐ถ), ๐๐๐ถ)).
(2) If Alice wants to transfer her option to Carol, Alice sends ๐๐ in Contract๐ถ by invoking the function reveal() and wait for 3ฮ (withdrawal delay period). If she does not like to complete the trade between Carol, she does not reveal ๐๐. The ๐ป๐๐๐๐๐๐น๐๐ will be refunded to Carol after ๐๐ป .
II. Consistency Phase.
(1) Carol4 forwards ๐๐ to both ๐ถ๐๐๐ก๐๐๐๐ก๐ด and ๐ถ๐๐๐ก๐๐๐๐ก๐ต directly, attempting to call the function transferHolder() to replace the holder to Carol, the hashlock to ๐ป(๐ถ), and holderโs transfer public key to ๐๐๐ถ.
(2) Alice calls withdraw() to obtain the ๐ป๐๐๐๐๐๐น๐๐ in ๐ถ๐๐๐ก๐๐๐๐ก๐ถ after the withdrawal delay period.
If all parties perform honestly, Alice is able to receive ๐ป๐๐๐๐๐๐น๐๐ and holder is changed to Carol. However, there are possible contingent events or dishonest scenarios:
โข If Alice exercises the option during the transfer process and reveals the preimage ๐ด before ๐๐ป , Carol can refund the ๐ป๐๐๐๐๐๐น๐๐ from ๐ถ๐๐๐ก๐๐๐๐ก๐ถ using ๐ด during the withdrawal delay period.
โข If different signatures with the same message address ๐๐โฒ โ ๐๐, are submitted on ๐ถโ๐๐๐๐ด and ๐ถโ๐๐๐๐ต (e.g., if Alice submits two different signatures or sells the option to multiple parties), any one can call ๐ธ๐ฅ๐ก๐๐๐๐ก(๐๐,๐โฒ , ๐๐โฒ,๐, ๐๐) โ ๐ ๐๐ด to get ๐ ๐๐ด. ๐ ๐๐ด is the secret transfer key of Alice. Whoever gets ๐ ๐๐ด means that Alice misbehaves. We can use this as an evidence for fair settlement of funds.
โ Carol can call reclaim() and obtain the ๐ป๐๐๐๐๐๐น๐๐ with ๐ ๐๐ด during the withdrawal delay period.
โ Bob can use ๐ ๐๐ด to claim both ๐ด๐ ๐ ๐๐ก๐ด and ๐ด๐ ๐ ๐๐ก๐ต. If a signature has not been submitted, Bob can claim it anytime. If a signature has been submitted, Bob needs to send ๐ ๐๐ด within one ฮ after the signature submission.
โข If Carol reveals ๐๐ on only ๐ถ๐๐๐ก๐๐๐๐ก๐ด or ๐ถ๐๐๐ก๐๐๐๐ก๐ต, Bob can forward the signature to the other contract.
Timeouts. The transfer contract must be created no later than ๐๐ป โ 3ฮ, and the reveal phase should be completed by ๐๐ป โ 2ฮ to ensure that the option can be transferred to Carol at ๐๐ป . In the consistency phase, if any misbehavior occurs, it should be reported to the contract by ๐๐ป + ฮ. If Bob does not claim assets on ๐ถโ๐๐๐๐ด and ๐ถโ๐๐๐๐ต with ๐ ๐๐ด, then it implies transfer complete. Overall, a total transfer time of 4ฮ is required. In other words, the transfer protocol must initiate no later than ๐๐ธ โ 4ฮ. The unlocking condition for ๐ถ๐๐๐ก๐๐๐๐ก๐ถ is summarized in Table 2.
4.1.2 How misbehaviors are handled securely in the protocol. Here we show how this protocol handles misbehaviour and protect each partyโs interests by ensuring a fair payoff for honest parties. A more rigorous analysis is shown in Appendix B.1. First, we consider each party acting maliciously on their own.
โข If Alice provides two different signatures to different buyers, as shown in 1, Bob can extract ๐ ๐๐ด and submit it to obtain ๐ด๐ ๐ ๐๐ก๐ด and ๐ด๐ ๐ ๐๐ก๐ต, and Carol can reclaim the transfer fee with ๐ ๐๐ด. In that case, Bob does not lose his ๐ด๐ ๐ ๐๐ก๐ต and Carol does not lose her transfer fee.
โข If Alice reveals๐ด at the same time during the transfer process, as shown in 2, Carol can use ๐ด to reclaim ๐ป๐๐๐๐๐๐น๐๐. She does not lose anything. The option is exercised, and swap happens between Alice and Bob.
โข If Alice or Carol publishes one signature exclusively on either ๐ถ๐๐๐ก๐๐๐๐ก๐ด or ๐ถ๐๐๐ก๐๐๐๐ก๐ต, as shown in 3, Bob can forward this signature to another chain to make sure the hashlocks and option holders are consistent on two chains.
Next, we consider scenarios where collusion exists.
โข If Alice and Bob collude, they can use ๐ ๐๐ด or ๐ด to withdraw ๐ด๐ ๐ ๐๐ก๐ด and ๐ด๐ ๐ ๐๐ก๐ต as shown in 4. Carol can observe ๐ ๐๐ด or ๐ด and withdraw ๐ป๐๐๐๐๐๐น๐๐ during the withdrawal delay period.
โข If Alice and Carol collude, they use two signatures to change the hashlock. During the withdrawal delay period, Bob can obtain ๐ด๐ ๐ ๐๐ก๐ด and ๐ด๐ ๐ ๐๐ก๐ต using the extracted ๐ ๐๐ด, which is reduced to 1.
โข If Bob and Carol collude, they cannot do anything harm. Since Alice will only reveal one valid signature, Alice will receive ๐ป๐๐๐๐๐๐น๐๐ from Carol.
4.1.3 Transfer Writerโs Position. Transferring the writerโs position is similar but simpler because Bob does not possess the preimage of the hashlock. Bob, with the transfer key pair (๐๐๐ต, ๐ ๐๐ต), can sign the message ๐ = (๐, (Dave.๐๐๐๐๐๐ ๐ , ๐๐๐ท )) using ๐ ๐๐ต to collect the transfer fee, where ๐๐๐ท is a new transfer key for Dave. Transferring writerโs position does not update the hashlock used in the option exercise. Thus, Aliceโs option is not influenced except the change of new option writer.
Authors:
(1) Zifan Peng, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (zpengao@connect.hkust-gz.edu.cn);
(2) Yingjie Xue, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (yingjiexue@hkust-gz.edu.cn);
(3) Jingyu Liu, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (jliu514@connect.hkust-gz.edu.cn).
This paper is available on arxiv under CC BY 4.0 license.
[3] Logically, the transfer key is not used for receiving coins as "identities" in blockchains.
[4] Any party can forward this signature, as Alice may transfer ownership to any party.