Threshold Scriptless Scripts - Extended Abstract

No Author Given
Scriptless Scripts [1] are a set of cryptographic protocols meant to execute
Bitcoin Scripts off-chain. Scriptless Scripts will be enabled once the protocol
adds support for Schnorr signatures, currently a pending proposal [2]. While it
is almost certain that in the future the Schnorr BIP will get accepted, Bitcoin is
currently using ECDSA signatures and will continue to support them alongside
Schnorr signatures. we ask the following question: Can we have Scriptless Scripts
in Bitcoin today?
We answer in the affirmative. To do so we use threshold ECDSA: A powerful tool
that gain interest from both industry [3] and academia [4–7] in the past couple
of years, yielding practical and secure multi party ECDSA protocols. We show
how the cryptographic primitives of Scriptless Scripts, i.e. Adaptor signatures,
Multi signatures, Multi Hop Locks (using [8]), are implemented for ECDSA and
can be used in Bitcoin today. We discuss challenges in working with threshold
ECDSA and compare between ECDSA and Schnorr Scriptless Scripts in terms
of security and performance.

In the second part of the talk we further explore off-chain threshold cryptogra-
phy as a drop-in replacement or enhancement to various existing use cases:
1. Key management with flexible governance off-chain: Utilizing verifiable se-
cret sharing schemes to have the access policy as any combination of And /
Or gates.
2. Trustless mixing: Relying on specific designs for distributed key generation,
threshold signing can mix n addresses to n fresh ones with cost of n + 1
on-chain transactions (less than two transactions per party).
3. Atomic Swaps: Based on a new primitive we call ”Juggling” we can achieve
similar guarantees as atomic swaps with any other chain. Juggling enables
gradual release of secret shares in a verifiable way and is based on verifiable
encryption of EC-DLog [9].
4. Layer two scaling solution: With the help of Private Set Intersection (PSI
[10]) we propose to add a layer between the two party channels network
and the PoW consensus layer. This layer will contain the intersection of all
mediators trusted by all parties in a multi hop chain. The mediating parties
will use a threshold mechanism for decision making.
We present the above ideas together with the appropriate security disclaimers,
initial numbers on performance and references to open source code. Finally, we
want to address practical challenges and open questions such as: the need for
distributed network layer, can some of the protocols work with only broadcast
channels? Can we obtain privacy between parties? And what happens to stan-
dards (i.e. BIP32 [11]) in a multi party setting.
Our overall goal in this talk is to spark awareness and encourage further research
for threshold cryptography in Bitcoin context.
References
1. https://github.com/apoelstra/scriptless-scripts/tree/master/md. Last visited:
April 2019
2. https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki. Last vis-
ited: April 2019
3. https://tokyo2018.scalingbitcoin.org/files/Day1/instantiating-scriptless-2p-ecdsa-
fungible-2-of-2-multisigs-for-todays-bitcoin.pdf. Last visited: April 2019.
4. Y. Lindell. Fast Secure Two-Party ECDSA Signing. In CRYPTO 2017, Springer
(LNCS 10402), pages 613-644, 2017.
5. R. Gennaro, S. Goldfeder. Fast Multiparty Threshold ECDSA with Fast Trustless
Setup ACM Conference on Computer and Communications Security (CCS), 2018.
6. Y. Lindell, A. Nof. Fast Secure Multiparty ECDSA with Practical Distributed Key
Generation and Applications to Cryptocurrency Custody. ACM Conference on Com-
puter and Communications Security (CCS), 2018.
7. J. Doerner, Y. Kondi, E. Lee, A. Shelat, Threshold ECDSA from ECDSA Assump-
tions: The Multiparty Case. Oakland SP’, 2019.
8. G. Malavolta, P. Moreno-Sanchez, C. Schneidewind, A. Kate, M. Maffei. Anony-
mous multi-hop locks for blockchain scalability and interoperability. In Network
and Distribued System Security Symposium (NDSS), 2019.
9. J. Camenisch, and V. Shoup. Practical verifiable encryption and decryption of dis-
crete logarithms. Advances in Cryptology CRYPTO 2003.
10. A. Kiss, J. Liu, T. Schneider, N. Asokan, B. Pinkas. Private set intersection for
unequal set sizes with mobile applications. PoPETs, 2017(4), 2017.
11. https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki. Last visited:
April 2019