paint-brush
How Efficient Transfer Protocols Enable Collateral-Free Cross-Chain Optionsโ€‚by@escholar
New Story

How Efficient Transfer Protocols Enable Collateral-Free Cross-Chain Options

tldt arrow

Too Long; Didn't Read

Efficient transfer protocols facilitate collateral-free cross-chain options by leveraging HTLC-based setups, ensuring fair outcomes through secure misbehavior handling mechanisms.
featured image - How Efficient Transfer Protocols Enable Collateral-Free Cross-Chain Options
EScholar: Electronic Academic Papers for Scholars HackerNoon profile picture
0-item
  1. Abstract and Introduction

  2. Preliminaries

  3. Overview

  4. Protocol

    4.1 Efficient Option Transfer Protocol

    4.2 Holder Collateral-Free Cross-Chain Options

  5. Security Analysis

    5.1 Option Transfer Properties

    5.2 Option Properties

  6. Implementation

  7. Related Work

  8. Conclusion and Discussion, and References


A. Codes

B. Proofs

4 PROTOCOL

Due to the complexity of efficient holder collateral-free options, we elaborate on the protocol gradually. We first introduce the efficient transfer of an option in Section 4.1. Next, we outline how to achieve holder collateral-free cross-chain options in Section 4.2. Finally, we show the efficient, holder collateral-free option protocol.

4.1 Efficient Option Transfer Protocol

Option Initialization. Firstly, we illustrate an efficient option transfer protocol in an HTLC-based option. Assume Alice and Bob initialize an HTLC-based option as the holder and writer respectively. In this option, Alice locks ๐ด๐‘ ๐‘ ๐‘’๐‘ก๐ด on ๐ถโ„Ž๐‘Ž๐‘–๐‘›๐ด, intending to transfer it to Bob if a preimage of ๐ป(๐ด) is presented before ๐‘‡๐ธ + ฮ”. Bob locks ๐ด๐‘ ๐‘ ๐‘’๐‘ก๐ต on ๐ถโ„Ž๐‘Ž๐‘–๐‘›๐ต, intending to transfer it to Alice if a preimage of ๐ป(๐ด) is presented before๐‘‡๐ธ, where๐‘‡๐ธ is the expiration time of this option. Alice owns the preimage ๐ด. In addition, Alice performs ๐พ๐‘’๐‘ฆ๐บ๐‘’๐‘›(1 ๐œ† ) โ†’ (๐‘๐‘˜๐ด, ๐‘ ๐‘˜๐ด), which acts as a transfer key pair3 , which are used for DAPS and misbehavior detection. ๐‘๐‘˜๐ด is recorded in both contracts. The transfer key is used by Alice when transferring ownership to another party. A signature generated by ๐‘ ๐‘˜๐ด can be used to replace the contract holder, the hashlock, and the new transfer public key. Similarly, Bob creates a transfer key and records it on chains. Alice and Bob agree in advance on a value (e.g., a 256-bit random number) to serve as the message address ๐‘Ž recorded in the contracts for the DAPS. We take holder position transfer as an example to illustrate this transfer protocol.


4.1.1 Transfer Holderโ€™s Position. Suppose Alice reaches an agreement with Carol to transfer the holder position on or before time ๐‘‡๐ป , with a charge of ๐ป๐‘œ๐‘™๐‘‘๐‘’๐‘Ÿ๐น๐‘’๐‘’ on ๐ถโ„Ž๐‘Ž๐‘–๐‘›๐ถ. Carol performs ๐พ๐‘’๐‘ฆ๐บ๐‘’๐‘›(1 ๐œ† ) โ†’ (๐‘๐‘˜๐ถ, ๐‘ ๐‘˜๐ถ) to generate a new transfer key pair. Carol deposits ๐ป๐‘œ๐‘™๐‘‘๐‘’๐‘Ÿ๐น๐‘’๐‘’ in ๐ถ๐‘œ๐‘›๐‘ก๐‘Ÿ๐‘Ž๐‘๐‘ก๐ถ. This contract requires a signature of ๐‘š = (๐‘Ž, ๐‘), where message payload ๐‘ = (Carol.๐‘Ž๐‘‘๐‘‘๐‘Ÿ๐‘’๐‘ ๐‘ , ๐ป(๐ถ), ๐‘๐‘˜๐ถ), signed by ๐‘ ๐‘˜๐ด to unlock and transfer the ๐ป๐‘œ๐‘™๐‘‘๐‘’๐‘Ÿ๐น๐‘’๐‘’ to Alice. Besides, ๐ถ๐‘œ๐‘›๐‘ก๐‘Ÿ๐‘Ž๐‘๐‘ก๐ถ records ๐ป(๐ด), specifying that ๐ป๐‘œ๐‘™๐‘‘๐‘’๐‘Ÿ๐น๐‘’๐‘’ is refunded to Carol if Carol can reveal ๐ด (meaning that Alice has exercised the option). Instead withdraw immediately, after Alice reveals a signature to redeem ๐ป๐‘œ๐‘™๐‘‘๐‘’๐‘Ÿ๐น๐‘’๐‘’ , she must wait for 3ฮ” to elapse. We refer to this period as the Withdrawal Delay Period. The protocol consists of two phases, Figure 1 illustrates the position transferring process:


(1) Reveal Phase: Carol locks the transfer fee and Alice attempts to withdraw the transfer fee with her signature.


(2) Consistency Phase: Carol forwards the signature to replace the holder and Alice withdraws the transfer fee after the withdrawal delay period.


I. Reveal Phase.


(1) Alice generates signature by ๐‘†๐‘–๐‘”๐‘›(๐‘ ๐‘˜๐ด,๐‘š) โ†’ ๐œŽ๐‘š, where ๐‘š equals to (๐‘Ž, (Carol.๐‘Ž๐‘‘๐‘‘๐‘Ÿ๐‘’๐‘ ๐‘ , ๐ป(๐ถ), ๐‘๐‘˜๐ถ)).


(2) If Alice wants to transfer her option to Carol, Alice sends ๐œŽ๐‘š in Contract๐ถ by invoking the function reveal() and wait for 3ฮ” (withdrawal delay period). If she does not like to complete the trade between Carol, she does not reveal ๐œŽ๐‘š. The ๐ป๐‘œ๐‘™๐‘‘๐‘’๐‘Ÿ๐น๐‘’๐‘’ will be refunded to Carol after ๐‘‡๐ป .


II. Consistency Phase.


(1) Carol4 forwards ๐œŽ๐‘š to both ๐ถ๐‘œ๐‘›๐‘ก๐‘Ÿ๐‘Ž๐‘๐‘ก๐ด and ๐ถ๐‘œ๐‘›๐‘ก๐‘Ÿ๐‘Ž๐‘๐‘ก๐ต directly, attempting to call the function transferHolder() to replace the holder to Carol, the hashlock to ๐ป(๐ถ), and holderโ€™s transfer public key to ๐‘๐‘˜๐ถ.


(2) Alice calls withdraw() to obtain the ๐ป๐‘œ๐‘™๐‘‘๐‘’๐‘Ÿ๐น๐‘’๐‘’ in ๐ถ๐‘œ๐‘›๐‘ก๐‘Ÿ๐‘Ž๐‘๐‘ก๐ถ after the withdrawal delay period.


If all parties perform honestly, Alice is able to receive ๐ป๐‘œ๐‘™๐‘‘๐‘’๐‘Ÿ๐น๐‘’๐‘’ and holder is changed to Carol. However, there are possible contingent events or dishonest scenarios:


โ€ข If Alice exercises the option during the transfer process and reveals the preimage ๐ด before ๐‘‡๐ป , Carol can refund the ๐ป๐‘œ๐‘™๐‘‘๐‘’๐‘Ÿ๐น๐‘’๐‘’ from ๐ถ๐‘œ๐‘›๐‘ก๐‘Ÿ๐‘Ž๐‘๐‘ก๐ถ using ๐ด during the withdrawal delay period.


โ€ข If different signatures with the same message address ๐œŽ๐‘šโ€ฒ โ‰  ๐œŽ๐‘š, are submitted on ๐ถโ„Ž๐‘Ž๐‘–๐‘›๐ด and ๐ถโ„Ž๐‘Ž๐‘–๐‘›๐ต (e.g., if Alice submits two different signatures or sells the option to multiple parties), any one can call ๐ธ๐‘ฅ๐‘ก๐‘Ÿ๐‘Ž๐‘๐‘ก(๐‘๐‘˜,๐‘šโ€ฒ , ๐œŽ๐‘šโ€ฒ,๐‘š, ๐œŽ๐‘š) โ†’ ๐‘ ๐‘˜๐ด to get ๐‘ ๐‘˜๐ด. ๐‘ ๐‘˜๐ด is the secret transfer key of Alice. Whoever gets ๐‘ ๐‘˜๐ด means that Alice misbehaves. We can use this as an evidence for fair settlement of funds.


โ€“ Carol can call reclaim() and obtain the ๐ป๐‘œ๐‘™๐‘‘๐‘’๐‘Ÿ๐น๐‘’๐‘’ with ๐‘ ๐‘˜๐ด during the withdrawal delay period.


โ€“ Bob can use ๐‘ ๐‘˜๐ด to claim both ๐ด๐‘ ๐‘ ๐‘’๐‘ก๐ด and ๐ด๐‘ ๐‘ ๐‘’๐‘ก๐ต. If a signature has not been submitted, Bob can claim it anytime. If a signature has been submitted, Bob needs to send ๐‘ ๐‘˜๐ด within one ฮ” after the signature submission.


โ€ข If Carol reveals ๐œŽ๐‘š on only ๐ถ๐‘œ๐‘›๐‘ก๐‘Ÿ๐‘Ž๐‘๐‘ก๐ด or ๐ถ๐‘œ๐‘›๐‘ก๐‘Ÿ๐‘Ž๐‘๐‘ก๐ต, Bob can forward the signature to the other contract.


Timeouts. The transfer contract must be created no later than ๐‘‡๐ป โˆ’ 3ฮ”, and the reveal phase should be completed by ๐‘‡๐ป โˆ’ 2ฮ” to ensure that the option can be transferred to Carol at ๐‘‡๐ป . In the consistency phase, if any misbehavior occurs, it should be reported to the contract by ๐‘‡๐ป + ฮ”. If Bob does not claim assets on ๐ถโ„Ž๐‘Ž๐‘–๐‘›๐ด and ๐ถโ„Ž๐‘Ž๐‘–๐‘›๐ต with ๐‘ ๐‘˜๐ด, then it implies transfer complete. Overall, a total transfer time of 4ฮ” is required. In other words, the transfer protocol must initiate no later than ๐‘‡๐ธ โˆ’ 4ฮ”. The unlocking condition for ๐ถ๐‘œ๐‘›๐‘ก๐‘Ÿ๐‘Ž๐‘๐‘ก๐ถ is summarized in Table 2.


Table 2: Unlocking conditions of transferring position from Alice to Carol, where ๐‘‡ and ๐‘‡๐‘… are current time and the time that Alice reveals the signature.


4.1.2 How misbehaviors are handled securely in the protocol. Here we show how this protocol handles misbehaviour and protect each partyโ€™s interests by ensuring a fair payoff for honest parties. A more rigorous analysis is shown in Appendix B.1. First, we consider each party acting maliciously on their own.


โ€ข If Alice provides two different signatures to different buyers, as shown in 1, Bob can extract ๐‘ ๐‘˜๐ด and submit it to obtain ๐ด๐‘ ๐‘ ๐‘’๐‘ก๐ด and ๐ด๐‘ ๐‘ ๐‘’๐‘ก๐ต, and Carol can reclaim the transfer fee with ๐‘ ๐‘˜๐ด. In that case, Bob does not lose his ๐ด๐‘ ๐‘ ๐‘’๐‘ก๐ต and Carol does not lose her transfer fee.


โ€ข If Alice reveals๐ด at the same time during the transfer process, as shown in 2, Carol can use ๐ด to reclaim ๐ป๐‘œ๐‘™๐‘‘๐‘’๐‘Ÿ๐น๐‘’๐‘’. She does not lose anything. The option is exercised, and swap happens between Alice and Bob.


โ€ข If Alice or Carol publishes one signature exclusively on either ๐ถ๐‘œ๐‘›๐‘ก๐‘Ÿ๐‘Ž๐‘๐‘ก๐ด or ๐ถ๐‘œ๐‘›๐‘ก๐‘Ÿ๐‘Ž๐‘๐‘ก๐ต, as shown in 3, Bob can forward this signature to another chain to make sure the hashlocks and option holders are consistent on two chains.


Next, we consider scenarios where collusion exists.


Figure 1: Alice transfers holder position to Carol. The red dashed lines represent malicious activities, illustrated in Section 4.1.2.


โ€ข If Alice and Bob collude, they can use ๐‘ ๐‘˜๐ด or ๐ด to withdraw ๐ด๐‘ ๐‘ ๐‘’๐‘ก๐ด and ๐ด๐‘ ๐‘ ๐‘’๐‘ก๐ต as shown in 4. Carol can observe ๐‘ ๐‘˜๐ด or ๐ด and withdraw ๐ป๐‘œ๐‘™๐‘‘๐‘’๐‘Ÿ๐น๐‘’๐‘’ during the withdrawal delay period.


โ€ข If Alice and Carol collude, they use two signatures to change the hashlock. During the withdrawal delay period, Bob can obtain ๐ด๐‘ ๐‘ ๐‘’๐‘ก๐ด and ๐ด๐‘ ๐‘ ๐‘’๐‘ก๐ต using the extracted ๐‘ ๐‘˜๐ด, which is reduced to 1.


โ€ข If Bob and Carol collude, they cannot do anything harm. Since Alice will only reveal one valid signature, Alice will receive ๐ป๐‘œ๐‘™๐‘‘๐‘’๐‘Ÿ๐น๐‘’๐‘’ from Carol.


4.1.3 Transfer Writerโ€™s Position. Transferring the writerโ€™s position is similar but simpler because Bob does not possess the preimage of the hashlock. Bob, with the transfer key pair (๐‘๐‘˜๐ต, ๐‘ ๐‘˜๐ต), can sign the message ๐‘š = (๐‘Ž, (Dave.๐‘Ž๐‘‘๐‘‘๐‘Ÿ๐‘’๐‘ ๐‘ , ๐‘๐‘˜๐ท )) using ๐‘ ๐‘˜๐ต to collect the transfer fee, where ๐‘๐‘˜๐ท is a new transfer key for Dave. Transferring writerโ€™s position does not update the hashlock used in the option exercise. Thus, Aliceโ€™s option is not influenced except the change of new option writer.


Authors:

(1) Zifan Peng, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (zpengao@connect.hkust-gz.edu.cn);

(2) Yingjie Xue, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (yingjiexue@hkust-gz.edu.cn);

(3) Jingyu Liu, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (jliu514@connect.hkust-gz.edu.cn).


This paper is available on arxiv under CC BY 4.0 license.

[3] Logically, the transfer key is not used for receiving coins as "identities" in blockchains.


[4] Any party can forward this signature, as Alice may transfer ownership to any party.