Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Crypto Conditions
Stefan Thomas
A Solid Foundation for ILP
The Receipt
2
Connector gets receipt from ledger
3
Umm...
Connector passes on the receipt
4
Excuse me...
Connector passes on the receipt
5
What's that thing?
Ledger Needs to Decide
6
EXECUTEROLLBACK ?
Rollback on failure
7
EXECUTEROLLBACK
Execute on success
8
EXECUTEROLLBACK
What is success?
As a sender I want to be certain
As a sender I want to be certain
that my donation was received
As a sender I want to be certain
that the invoice was paid
As a sender I want to be certain
that my debt is settled
As a sender I want
non-repudiable
proof-of-settlement
The Receipt
15
● Signed by recipient
● Proves receipt-of-funds
● Non-repudiable
● Might have data attached
● Pre-agreed be...
How do we describe the receipt?
16
EXECUTEROLLBACK
How do we describe the receipt?
17
EXECUTEROLLBACK
How do we describe the receipt?
18
EXECUTEROLLBACK
Condition
19
● Describes some signed message
● Fulfilled by that message
?
Why Are Conditions so Important?
20
Why Are Conditions so Important?
21
EXECUTE
Why Are Conditions so Important?
22
EXECUTEROLLBACK
Conditions Must Be Bit-Perfect
23
EXECUTE EXECUTE
Others Have Done The Hard Part
24
Are Simple Signatures
Enough?
Single Signature Condition
Multi Signature Condition
2-of-3
Prior Art: Bitcoin Scripts
28
2 <K1> <K2> <K3> 3 CHECKMULTISIGVERIFY
● Forth-like language
● Many opcodes disabled
● Prima...
Other Ideas
29
● Pay-to-script-hash — Andresen
● Tree Signatures — Wuille
● Merkleized Abstract Syntax Trees (MAST) — Rubi...
Security vs Flexibility
Single
Signature
Turing
Completeness
Security vs Flexibility
Single
Signature
Turing
Completeness
Bit-perfect, standardized programming language
Security vs Flexibility
Single
Signature
Turing
Completeness
"ActiveX of blockchain"
Security vs Flexibility
Single
Signature
Turing
Completeness
?
Smart Oracles
010101
101010
010101
Smart Oracle
010101
101010
010101
Smart Oracle
010101
101010
010101
010101
101010
010101
Delegation
If Bob says yes,
then yes.
Single Signature
If Bob and Lina say yes,
then yes.
2-of-2 Multi Signature
If any two of Bob, Chandra, Lina say yes,
then yes.
2-of-3 Multi Signature
If Bob and (Chandra or Lina) say yes,
then yes.
2-of-3 Multi Signature?
Bob
Boolean Circuits
Chandra Lina
Boolean Circuits
ANDOR
Boolean Circuits
ANDOR
m
m-of-n
Boolean Circuits
n-of-n1-of-n
m
m-of-n
Boolean Circuits
n-of-n1-of-n
m
m-of-n
1 n
Putting it all together
Condition Types
Signatures Thresholds
Condition Types
Signatures Thresholds
Fulfillment
Signature Condition
CONDITION =
VARUINT BITMASK = 2
UINT256 HASH
VARUINT MAX_FULLFILLMENT_LENGTH
Signature Condition
CONDITION =
VARUINT BITMASK = 2
UINT256 HASH
VARUINT MAX_FULLFILLMENT_LENGTH
HASH = SHA256(
SHA256("ht...
Signature Condition
cc:1:Aml_0BgDRVk32fXTVMQ6V1SSKFrxAF7XHegeI16vTaexsgI
Signature Fulfillment
FULFILLMENT =
VARUINT BITMASK = 2
VARSTR MODULUS
VARSTR MESSAGE_PREFIX
VARSTR MESSAGE
UINT8[LENGTH(M...
Signature Fulfillment
cf:1:AoABYTEyNWNiZGFmNWI3NDk0MzQ5YjE2NGUxMmRjZTRiND
BkMTI4MTNkYTY1ZDM4YTEyOTNmZDFhOWMwMTk2YzJlZjRmYW...
Threshold Condition
CONDITION =
VARUINT BITMASK
UINT256 HASH
VARUINT MAX_FULLFILLMENT_LENGTH
Threshold Condition
CONDITION =
VARUINT BITMASK
UINT256 HASH
VARUINT MAX_FULLFILLMENT_LENGTH
HASH = SHA256(
SHA-256("https...
Threshold Condition
cc:1:AR9QCVepDTNSct6SGWTx6cWfLgBrp8tNqWIjylAiEy4vtAI
Threshold Fulfillment
FULFILLMENT =
VARUINT BITMASK
VARUINT THRESHOLD
VARUINT NUM_ELEMENTS
FOR EACH ELEMENT
VARUINT PARAMS...
Threshold Fulfillment
cf:1:AQICjYwvnzkRBOa8QDKcPC_c6Sh-LnKPfu-
COmv9j2e3ScuzAgKAAWExMjVjYmRhZjViNzQ5NDM0OWIxNjRlMTJk
Y2U0Y...
Merkle Circuits
Threshold Fulfillment
cf:1:AQICjYwvnzkRBOa8QDKcPC_c6Sh-LnKPfu-
COmv9j2e3ScuzAgKAAWExMjVjYmRhZjViNzQ5NDM0OWIxNjRlMTJk
Y2U0Y...
Threshold Fulfillment
cf:1:AQICjYwvnzkRBOa8QDKcPC_c6Sh-LnKPfu-
COmv9j2e3ScuzAgKAAWExMjVjYmRhZjViNzQ5NDM0OWIxNjRlMTJk
Y2U0Y...
Threshold Fulfillment
cf:1:AQICjYwvnzkRBOa8QDKcPC_c6Sh-LnKPfu-
COmv9j2e3ScuzAgKAAWExMjVjYmRhZjViNzQ5NDM0OWIxNjRlMTJk
Y2U0Y...
Recap
● Two Condition Types
○ Signature
○ Threshold
● Conditions are constant size
● Falsy branches can be omitted
● Compl...
Other Features
● Conditions can be generated from fulfillments
● Max fulfillment length in condition
● Extensible with new...
First Editor's Draft Coming Soon
Interledger.org
Upcoming SlideShare
Loading in …5
×

ILP Workshop: Cryptoconditions

1,068 views

Published on

A solid foundation for ILP. Presented on 2/25/2016 at Ripple headquarters in San Francisco, CA. Presenters include Stefan Thomas, Evan Schwartz, and Adrian Hope-Bailie.

Published in: Economy & Finance
  • Be the first to comment

ILP Workshop: Cryptoconditions

  1. 1. Crypto Conditions Stefan Thomas A Solid Foundation for ILP
  2. 2. The Receipt 2
  3. 3. Connector gets receipt from ledger 3 Umm...
  4. 4. Connector passes on the receipt 4 Excuse me...
  5. 5. Connector passes on the receipt 5 What's that thing?
  6. 6. Ledger Needs to Decide 6 EXECUTEROLLBACK ?
  7. 7. Rollback on failure 7 EXECUTEROLLBACK
  8. 8. Execute on success 8 EXECUTEROLLBACK
  9. 9. What is success?
  10. 10. As a sender I want to be certain
  11. 11. As a sender I want to be certain that my donation was received
  12. 12. As a sender I want to be certain that the invoice was paid
  13. 13. As a sender I want to be certain that my debt is settled
  14. 14. As a sender I want non-repudiable proof-of-settlement
  15. 15. The Receipt 15 ● Signed by recipient ● Proves receipt-of-funds ● Non-repudiable ● Might have data attached ● Pre-agreed before payment
  16. 16. How do we describe the receipt? 16 EXECUTEROLLBACK
  17. 17. How do we describe the receipt? 17 EXECUTEROLLBACK
  18. 18. How do we describe the receipt? 18 EXECUTEROLLBACK
  19. 19. Condition 19 ● Describes some signed message ● Fulfilled by that message ?
  20. 20. Why Are Conditions so Important? 20
  21. 21. Why Are Conditions so Important? 21 EXECUTE
  22. 22. Why Are Conditions so Important? 22 EXECUTEROLLBACK
  23. 23. Conditions Must Be Bit-Perfect 23 EXECUTE EXECUTE
  24. 24. Others Have Done The Hard Part 24
  25. 25. Are Simple Signatures Enough?
  26. 26. Single Signature Condition
  27. 27. Multi Signature Condition 2-of-3
  28. 28. Prior Art: Bitcoin Scripts 28 2 <K1> <K2> <K3> 3 CHECKMULTISIGVERIFY ● Forth-like language ● Many opcodes disabled ● Primary use case: m-of-n multi-signature
  29. 29. Other Ideas 29 ● Pay-to-script-hash — Andresen ● Tree Signatures — Wuille ● Merkleized Abstract Syntax Trees (MAST) — Rubin et al ● Script2 — Blockstream ● Smart Signatures — Allen et al ● State Channels — Coleman
  30. 30. Security vs Flexibility Single Signature Turing Completeness
  31. 31. Security vs Flexibility Single Signature Turing Completeness Bit-perfect, standardized programming language
  32. 32. Security vs Flexibility Single Signature Turing Completeness "ActiveX of blockchain"
  33. 33. Security vs Flexibility Single Signature Turing Completeness ?
  34. 34. Smart Oracles
  35. 35. 010101 101010 010101 Smart Oracle
  36. 36. 010101 101010 010101 Smart Oracle 010101 101010 010101 010101 101010 010101
  37. 37. Delegation
  38. 38. If Bob says yes, then yes. Single Signature
  39. 39. If Bob and Lina say yes, then yes. 2-of-2 Multi Signature
  40. 40. If any two of Bob, Chandra, Lina say yes, then yes. 2-of-3 Multi Signature
  41. 41. If Bob and (Chandra or Lina) say yes, then yes. 2-of-3 Multi Signature?
  42. 42. Bob Boolean Circuits Chandra Lina
  43. 43. Boolean Circuits ANDOR
  44. 44. Boolean Circuits ANDOR m m-of-n
  45. 45. Boolean Circuits n-of-n1-of-n m m-of-n
  46. 46. Boolean Circuits n-of-n1-of-n m m-of-n 1 n
  47. 47. Putting it all together
  48. 48. Condition Types Signatures Thresholds
  49. 49. Condition Types Signatures Thresholds
  50. 50. Fulfillment
  51. 51. Signature Condition CONDITION = VARUINT BITMASK = 2 UINT256 HASH VARUINT MAX_FULLFILLMENT_LENGTH
  52. 52. Signature Condition CONDITION = VARUINT BITMASK = 2 UINT256 HASH VARUINT MAX_FULLFILLMENT_LENGTH HASH = SHA256( SHA256("https://...#rsa-sha-256") VARSTR MODULUS VARSTR MESSAGE_PREFIX )
  53. 53. Signature Condition cc:1:Aml_0BgDRVk32fXTVMQ6V1SSKFrxAF7XHegeI16vTaexsgI
  54. 54. Signature Fulfillment FULFILLMENT = VARUINT BITMASK = 2 VARSTR MODULUS VARSTR MESSAGE_PREFIX VARSTR MESSAGE UINT8[LENGTH(MODULUS)] SIGNATURE VARUINT BYTES_UNUSED
  55. 55. Signature Fulfillment cf:1:AoABYTEyNWNiZGFmNWI3NDk0MzQ5YjE2NGUxMmRjZTRiND BkMTI4MTNkYTY1ZDM4YTEyOTNmZDFhOWMwMTk2YzJlZjRmYWRhN jI2OWNjYzFhNzdjMTZhYjc2NmRhMGU0NzYxYzQ4Mjc1Y2U4MzNm OGE5MzdkOWMyOWQzZDVlNmQyZTkMSGVsbG8gd29ybGQhFSBDb25 kaXRpb25zIGFyZSBoZXJlIUFLExFQC5PXoLli_CBpIEE0WOypkZ L7wCf_eIWExJJEmdrt00ubso94DO7gIOLUTh5sRCuij29Yos1b_ yE79gwA
  56. 56. Threshold Condition CONDITION = VARUINT BITMASK UINT256 HASH VARUINT MAX_FULLFILLMENT_LENGTH
  57. 57. Threshold Condition CONDITION = VARUINT BITMASK UINT256 HASH VARUINT MAX_FULLFILLMENT_LENGTH HASH = SHA256( SHA-256("https://...#threshold-sha-256") VARUINT THRESHOLD VARUINT NUM_ELEMENTS FOR EACH ELEMENT ELEMENT_CONDITION )
  58. 58. Threshold Condition cc:1:AR9QCVepDTNSct6SGWTx6cWfLgBrp8tNqWIjylAiEy4vtAI
  59. 59. Threshold Fulfillment FULFILLMENT = VARUINT BITMASK VARUINT THRESHOLD VARUINT NUM_ELEMENTS FOR EACH ELEMENT VARUINT PARAMS ELEMENT_CONDITION/FULFILLMENT
  60. 60. Threshold Fulfillment cf:1:AQICjYwvnzkRBOa8QDKcPC_c6Sh-LnKPfu- COmv9j2e3ScuzAgKAAWExMjVjYmRhZjViNzQ5NDM0OWIxNjRlMTJk Y2U0YjQwZDEyODEzZGE2NWQzOGExMjkzZmQxYTljMDE5NmMyZWY0Z mFkYTYyNjljY2MxYTc3YzE2YWI3NjZkYTBlNDc2MWM0ODI3NWNlOD MzZjhhOTM3ZDljMjlkM2Q1ZTZkMmU5DEhlbGxvIHdvcmxkIRUgQ29 uZGl0aW9ucyBhcmUgaGVyZSFBSxMRUAuT16C5YvwgaSBBNFjsqZGS - 8An_3iFhMSSRJna7dNLm7KPeAzu4CDi1E4ebEQroo9vWKLNW_8hO_ YMAA
  61. 61. Merkle Circuits
  62. 62. Threshold Fulfillment cf:1:AQICjYwvnzkRBOa8QDKcPC_c6Sh-LnKPfu- COmv9j2e3ScuzAgKAAWExMjVjYmRhZjViNzQ5NDM0OWIxNjRlMTJk Y2U0YjQwZDEyODEzZGE2NWQzOGExMjkzZmQxYTljMDE5NmMyZWY0Z mFkYTYyNjljY2MxYTc3YzE2YWI3NjZkYTBlNDc2MWM0ODI3NWNlOD MzZjhhOTM3ZDljMjlkM2Q1ZTZkMmU5DEhlbGxvIHdvcmxkIRUgQ29 uZGl0aW9ucyBhcmUgaGVyZSFBSxMRUAuT16C5YvwgaSBBNFjsqZGS - 8An_3iFhMSSRJna7dNLm7KPeAzu4CDi1E4ebEQroo9vWKLNW_8hO_ YMAA
  63. 63. Threshold Fulfillment cf:1:AQICjYwvnzkRBOa8QDKcPC_c6Sh-LnKPfu- COmv9j2e3ScuzAgKAAWExMjVjYmRhZjViNzQ5NDM0OWIxNjRlMTJk Y2U0YjQwZDEyODEzZGE2NWQzOGExMjkzZmQxYTljMDE5NmMyZWY0Z mFkYTYyNjljY2MxYTc3YzE2YWI3NjZkYTBlNDc2MWM0ODI3NWNlOD MzZjhhOTM3ZDljMjlkM2Q1ZTZkMmU5DEhlbGxvIHdvcmxkIRUgQ29 uZGl0aW9ucyBhcmUgaGVyZSFBSxMRUAuT16C5YvwgaSBBNFjsqZGS - 8An_3iFhMSSRJna7dNLm7KPeAzu4CDi1E4ebEQroo9vWKLNW_8hO_ YMAA
  64. 64. Threshold Fulfillment cf:1:AQICjYwvnzkRBOa8QDKcPC_c6Sh-LnKPfu- COmv9j2e3ScuzAgKAAWExMjVjYmRhZjViNzQ5NDM0OWIxNjRlMTJk Y2U0YjQwZDEyODEzZGE2NWQzOGExMjkzZmQxYTljMDE5NmMyZWY0Z mFkYTYyNjljY2MxYTc3YzE2YWI3NjZkYTBlNDc2MWM0ODI3NWNlOD MzZjhhOTM3ZDljMjlkM2Q1ZTZkMmU5DEhlbGxvIHdvcmxkIRUgQ29 uZGl0aW9ucyBhcmUgaGVyZSFBSxMRUAuT16C5YvwgaSBBNFjsqZGS - 8An_3iFhMSSRJna7dNLm7KPeAzu4CDi1E4ebEQroo9vWKLNW_8hO_ YMAA
  65. 65. Recap ● Two Condition Types ○ Signature ○ Threshold ● Conditions are constant size ● Falsy branches can be omitted ● Complex logic is delegated
  66. 66. Other Features ● Conditions can be generated from fulfillments ● Max fulfillment length in condition ● Extensible with new crypto primitives ● Required feature set in condition
  67. 67. First Editor's Draft Coming Soon Interledger.org

×