Assume
- The cryptocurrency of Blockchain 1 is COIN1
- The cryptocurrency of Blockchain 2 is COIN2
- Bob wants to exchange 'a' amount of COIN1 for 'b' amount of COIN2.
- Alice wants to exchange 'b' amount of COIN2 for 'a' amount of COIN1.
In order for this method to work, Blockchain 1 needs to support branching and hashlock, while Blockchain 2 only needs to support multi-sig. It would also be ideal if ECC multiply (CPRKV) is supported on Blockchain 1. If that is not the case, cut-and-choose or combined-hash-sig can be used instead. For more information on CPRKV, please refer to https://github.com/TierNolan/bips/blob/cpkv/bip-cprkv.mediawiki
Use cases:
Bitcoin + CPRKV <-> Any CryptoCurrency with MultiSig feature.
0. Secret generation
Alice generates a
Bob generates b, c
1. Bob pays X COIN1 to
OP_IF
signed by Alice && gave c of cG
OP_ELSE
signed by Bob && gave b of bG
OP_ENDIF
equals
OP_IF
<c public key> CPRKV 2DROP <Alice's public key> CHECKSIG
OP_ELSE
<b public key> CPRKV 2DROP <Bob's public key> CHECKSIG
OP_ENDIF
X should be a lot more valuable than the value of the COIN1 or COIN2 being traded.
2. Alice pays Y COIN2 to
OP_2 <a public key> <b public key> OP_2 OP_CHECKMULTISIG
3. Bob pays Z COIN1 to
OP_IF
signed by Bob && gave b of bG and gave c of cG
OP_ELSE
signed by Alice && gave a of aG
OP_ENDIF
equals
OP_IF
<b public key> CPRKV 2DROP <c public key> CPRKV 2DROP <Bob's public key> CHECKSIG
OP_ELSE
<a public key> CPRKV 2DROP <Alice's public key> CHECKSIG
OP_ENDIF
- Bob refuses to pay deposit.
  Nothing has been sent to either chain, so no harm done.
- Alice refuses to bail-in.
  Bob can reclaim his X straight away. Bob does not need to wait like the CLTV method.
  Releasing b has no effect since there was no bail-in by Alice, so the key is never used.
- Bob refuses to bail-in.
  If Bob reclaims his deposit, then Alice will have both private keys (a and b) and can reclaim her bail-in. Bob has an incentive to claim his deposit because otherwise his large fund of coins (X) will be locked (especially on exchange sites, you wouldn't want a lot of your money to be locked).
- Alice refuses to claim her COIN1 / Bob wants to cancel the exchange.
  Bob can reclaim his X straight away. Bob does not need to wait like the CLTV method.
  To prevent Alice from taking his deposit, Bob needs to claim X first, wait for it to be verified, then claim Z. After Bob has reclaimed his deposit, Alice can get her COIN2 back. (Bob has an incentive to claim.)
- Bob refuses to claim his COIN2.
  He loses his COIN2 when he reclaims his deposit. Alice already has his COIN1 by this point. He has an incentive to complete this step.
- Bob decides to do a 'race-condition' attack.
  After Alice took Z, Bob decides to do a race attack to get his Z back. To do this, he needs to release b and c, which allows Alice to attack back. Both parties, at this point, have all the keys and secrets needed to do race attacks and claim each other's money. Economically, it is not a good idea for Bob to do an attack. He is putting his large sum of money (X) at stake. Bob can only gain Y, while Alice can gain X plus Z. There is no incentive for Bob to do this. Consider when 1BTC = 1LTC, X = 1000, Y = 1 and Z = 1. Bob can only gain 1BTC/LTC at most, while having the possibility of losing his 1001BTC.
- Bob refuses to claim his deposit.
  He has an incentive to complete this step.
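
The key-disclosure reasoning behind steps 0 to 3 and the failure cases above, as an added Python model that is not part of the original write-up. The names `Swap`, `can_spend`, `spend` and the scenario functions are made up for this example. It assumes that any private key pushed to satisfy CPRKV is public once the spend is broadcast.

```python
# Added illustration: tracks only who knows which private key and which
# outputs are unspent. Signatures, fees and confirmations are not modelled.
BRANCHES = {  # output -> branch -> (signer, private keys CPRKV makes public)
    "X": {"if": ("Alice", {"c"}), "else": ("Bob", {"b"})},       # step 1 deposit
    "Z": {"if": ("Bob", {"b", "c"}), "else": ("Alice", {"a"})},  # step 3 bail-in
}
MULTISIG_Y = {"a", "b"}  # step 2: 2-of-2 on Blockchain 2

class Swap:
    def __init__(self, funded=("X", "Y", "Z")):
        self.knows = {"Alice": {"a"}, "Bob": {"b", "c"}}  # step 0
        self.unspent = set(funded)
        self.owner = {}

    def can_spend(self, who, output, branch=None):
        if output not in self.unspent:
            return False
        if output == "Y":  # needs both private keys; spending reveals nothing
            return MULTISIG_Y <= self.knows[who]
        signer, keys = BRANCHES[output][branch]
        return who == signer and keys <= self.knows[who]

    def spend(self, who, output, branch=None):
        if not self.can_spend(who, output, branch):
            raise ValueError(f"{who} cannot spend {output} via {branch}")
        self.unspent.remove(output)
        self.owner[output] = who
        if output != "Y":  # keys pushed for CPRKV are now visible to everyone
            for known in self.knows.values():
                known |= BRANCHES[output][branch][1]
        return self

def happy_path():
    s = Swap()
    s.spend("Alice", "Z", "else")       # Alice takes COIN1, publishing a
    s.spend("Bob", "Y")                 # Bob now holds a and b, takes COIN2
    return s.spend("Bob", "X", "else")  # deposit back; b is public, Y is gone

def bob_skips_bail_in():
    s = Swap(funded=("X", "Y"))
    s.spend("Bob", "X", "else")         # reclaiming the deposit publishes b
    return s.spend("Alice", "Y")        # Alice holds a and b, recovers Y

def cancel(order):
    s = Swap()
    for output, branch in order:        # Bob's reclaim order for X and Z
        s.spend("Bob", output, branch)
    return s
```

`cancel([("Z", "if")])` leaves X spendable by Alice through the IF branch, which is why Bob has to reclaim X before Z when cancelling.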