In a recent post, I discussed Schnorr signatures. Schnorr signatures represent a new way to sign and verify transactions that have some surprisingly powerful properties. Schnorr signatures are smaller than ECDSA and can be combined, known as signature aggregation. This allows multiple inputs to share a signature resulting in gains in privacy and scalability.
Exploring the mathematical properties of Schnorr signatures further, Andrew Poelstra from Blockstream, found that the signatures themselves could be constructed and modified in special ways to enforce various agreements between parties. Spending conditions are introduced, yet completely hidden from the blockchain. Only the involved parties know of the terms of the contract or that a contract even exists. To the rest of the world, the transactions look completely ordinary and indistinguishable from a normal spend. Poelstra dubbed this new methodology “Scriptless Scripts.”
One of the most exciting things about cryptocurrencies is their ability to remove intermediaries from all kinds of transactions. In the traditional world, brokers, banks, insurance, trust, and title companies all act to provide trust to transactions. If two parties don’t trust each other, then the intermediary gets involved as a trusted third party. These third parties take a cut of the transaction and introduce a potential point of failure.
A blockchain can replace intermediaries and act as a trust anchor for parties wishing to transact. Assets can be held and transferred according to programmable logic that the network evaluates. This logic is called a script, defined as “an automated series of instructions carried out in a specific order.” Bitcoin has a scripting language based on an old programming language called Forth, while Ethereum has Solidity which compiles to Ethereum Virtual Machine (EVM) code.
Currently, smart contracts need the entire network to obtain and execute the encoded logic. Having everyone execute the script is simple and easy to understand. However, it is less efficient than pushing execution off the blockchain to the interested parties. It is also fundamentally less private since the logic itself is made public. Executing smart contract logic off-chain is precisely the goal of many approaches including Plasma, Lightning, and scriptless scripts.
Note: In Bitcoin, there is work being done to conceal branches of the contract that turn out to be irrelevant to the final result such as MAST (Merkelized Abstract Syntax Trees).
Scriptless scripts was born out of necessity when Poelstra was investigating MimbleWimble. MimbleWimble is such a constrained platform that it does not support scripts at all. The entire blockchain functions only on signatures and commitments that represent spendable coins. Without scripts, Poelstra wanted to find a way to introduce rudimentary smart contract functionality.
To have smart contracts using only signatures, we take advantage of signature aggregation within Schnorr. Aggregation is a property we get from Schnorr signatures because they are linear. This means they can be added and subtracted and the result is a valid signature corresponding to the same addition or subtraction of the public keys. This is not the case with the ECDSA signatures that Bitcoin currently uses. With ECDSA, adding and subtracting signatures results in gibberish.
To visualize what’s happening in Schnorr, consider the following (simplified) example:
pubkey1 + pubkey2 + pubkey3 = pubkeyY
signature1 + signature2 + signature3 = signatureY
We attach bitcoin to pubkey Y, which is not a key anyone has access to, but really the summation of pubkeys 1,2, and 3. Signatures from each of the keys 1,2, and 3 can be summed to create a signature for pubkey Y, and the blockchain won’t be any wiser that there was actually three keys involved in creating the signature. It will look just like an ordinary signature from pubkey Y, but the network accepts it as authorizing the spend.
In order to implement smart contracts in this scriptless world, the spending conditions are not enforced by the blockchain, but rather enforced by the parties themselves. Only once the parties within the contract agree that the conditions have been met will they collaborate and sign the finalizing transaction. To the blockchain, it looks like an ordinary signature and only the participants know what’s going on.
One simple but powerful application of these ideas is to create a cross chain atomic swap. This can be done with adaptor signatures which allow for the trustless exchange of assets. An adaptor signature is a signature offset by a value that once combined with the true signature, allows the recipient to compute the sender’s private key. The adaptor signature can be verified as authentic but does not reveal anything until the true signature is published. These adaptor signatures allow us to achieve atomicity in cross chain atomic swaps. The holder of the adaptor signature can rest assured they will be able to claim their coins if their counterparty claims their coins.
The (simplified) process goes like this. Alice and Bob want to swap coins. First Alice and Bob both deposit coins into 2-of-2 addresses with Alice and Bob as signers. Alice uses an ephemeral or one time private key because she will be providing it to Bob as part of the process. Alice provides Bob an adaptor signature which Bob finds convincing. Bob knows that when Alice publishes her signature claiming her coins, he will know enough information to compute her private key and retrieve his coins. So Bob signs a transaction releasing Alice’s coins. Alice signs her half and broadcasts the transaction to receive her coins. This allows Bob to compute her key and sign a transaction to claim his coins.
Scriptless scripts scale better than standard smart contracts because the enforcement and execution of the terms of the contract happen off chain. By pushing this execution to the people that care about it, communal computing resources are spared the burden of storing contract data and executing terms and conditions.
Privacy is also improved by having the terms of the contract hidden from the public. The terms are known only by the parties within the contract, and what’s visible is indistinguishable from other coins and transactions. This gives us a property known as deniability which means that the transactions are indistinguishable from ordinary transactions to a neutral observer.
TariLabs: Introduction to Scriptless Scripts
Spencer Bogart: Crypto Innovation Spotlight 2: Scriptless Scripts
Adam Gibson: Flipping the scriptless script on Schnorr