This document describes a protocol for two parties to set up a Discreet Log Contract (DLC).
The following protocol assumes that both parties have already agreed on the contract terms (the possible outputs of the contract). Negotiation of the contract, or decisions on the underlying asset are thus not part of the exchanged information.
The two parties exchange a set of three messages, and terminates when the non-initiating party broadcasts the Fund Transaction to the Bitcoin network. The following figure gives a brief overview of the protocol:
+-------+ +-------+
| | | |
| |---- (1) offer --->| |
| | | |
| |<--- (2) accept ----| |
| A | | B |
| |---- (3) sign --->| |
| | | |
| | | (4) broadcast fund-tx
| | | |
+-------+ +-------+
The initiating party starts the protocol by sending an offer
message to the other party.
This message includes the following information:
- Contract information (a map defined below)
- Oracle information (optional)
- A's fund amount (satoshi)
- A's public keys
- A's addresses
- A's funding inputs
- Estimatesmartfee (satoshi/vbyte)
- CET CSV delay
- CET locktime (corresponding to the contract maturity date)
- Refund locktime
Contract information consists of a total value (sum of both outputs) and a map to be used to create CETs.
The map consists of:
message
- a_output
(satoshi)
where message
is the data on which the oracle will be providing a (set of) signatures, and a_output
represents the amount that A will receive for this outcome (B's outcome can be computed by substracting a_output
to the total value).
The interpretation of the message semantics is left to the application.
The oracle public key and R point(s) to use to build the CETs as well as meta information to identify the oracle to be used in the contract.
Example:
public_key
- R_point
1 - R_point
2 - meta data
The meta data can either be human readable for a user to be able to interpret it, or machine readable so that an application can interpret it and present it to the user.
If both parties already have this information, transmission is unnecessary.
How much A inputs into the contract.
The following public keys:
- Funding Public Key
- A's public key used in the multi-signature funding output
- Sweep Public Key
- A's public key used in the creation of the CETs output script.
The following addresses:
- Funding Change Address
- The address to use to send the change if the sum of A's inputs is greater than the fund amount plus the fees.
- Final Address
- The address to which funds will be sent in unilateral contract execution, refund and mutual closing transactions.
The set of UTXOs to be used as input to the fund transaction.
The fee rate to be used when computing fees for the different transactions.
The number to use as input to the CSV in the CETs.
The number to use as nLockTime
for the CET transactions.
This should correspond to the maturity date of the contracts, invalidating early CET broadcasting.
The locktime to be used for the refund transaction. It should be set at a later date than the maturity date of the contract.
After receiving the offer
message from A, and after validating the provided information, B creates and sends back an accept
message containing:
- B's fund amount (satoshi)
- B's public keys
- B's addresses
- B's inputs
- CET signatures
- Refund signature
How much B inputs into the contract.
The following public keys:
- Funding Public Key
- B's public key used in the multi-signature funding output
- Sweep Public Key
- B's public key used in the creation of the CETs output script.
The following addresses:
- Funding Change Address
- The address to use to send the change if the sum of A's inputs is greater than the fund amount plus the fees.
- Final Address
- The address to which funds will be sent in unilateral contract execution, refund and mutual closing transactions.
The set of UTXOs to be used as input to the fund transaction.
A set of signatures from B, one for each CET input.
A signature from B for the refund transaction input.
After receiving and validating the content of the offer
message, A replies with a sign
message containing:
- Fund transaction signatures
- CET signatures
- Refund signature
A set of signatures from A, one (in case of P2WPKH) or several (in case of multisig P2WSH) for each of A's input to the fund transaction.
A set of signatures from A, one for each CET input.
A signature from A for the refund transaction input.
Upon receiving the sign
message from A, B validates its content, signs the fund transaction and broadcasts it to the Bitcoin network.
This section describes how each party needs to validate the messages received. We distinguish between user validation, performed by the user (through a user interface), and machine validation, that can be done without user interaction.
- Contract Information: confirm that the contract information matches what was agreed upon.
- Oracle information: confirm that the oracle specified in the message matches what was agreed upon.
- A fund amount: confirm that the input amount matches what was agreed upon.
- Estimatesmartfee: confirm that it corresponds to what was agreed upon.
- CET CSV delay: confirm that it corresponds to what was agreed upon.
- Refund locktime: confirm that it corresponds to what was agreed upon.
- A fund amount: given this and B fund amount, need to validate that the amount incorporates the required fees for the CET or refund transaction as well as the closing transaction, and that the total input amount is greater than the payout amounts plus the fees to be paid.
- A public key: validate that the public key is well formed.
- Alice inputs: validate that the referenced outputs are in fact unspent and are either P2WSH or P2WPKH.
- B fund amount: confirm that the fund amount matches what was agreed upon.
- Bob public key: validate that the public key is well formed.
- Bob inputs: validate that the referenced outputs are in fact unspent and are either P2WSH or P2WPKH.
- CET signatures: validate that the signatures are valid for each of the CETs.
- Refund signature: validate that the signature is valid.
- Fund transaction signatures: validate that the signatures are valid for each of the provided inputs.
- CET signatures: validate that the signatures are valid for each of the CETs input.
- Refund signature: validate that the signature is valid for the refund transaction input.
At any point in the protocol up until the sending of the sign
message, both parties can safely decide to cancel the contract.
An empty cancel
message can be used to inform the other party of the desire to cancel the contract.
If one of the parties doesn't send a message after a given timeout, the other party should assume the contract to be canceled.
Timeouts should be proportional to the number of possible outputs of the contract, as the signing and verification of the CET signatures is expected to be the bottleneck.
After party A sends the sign
message, they cannot unilaterally cancel the contract anymore.
If they want to cancel the contract, for example because of not observing the fund transaction in the Bitcoin network, they can try to do so by broadcasting a transaction spending at least one of the UTXOs specified in the fund transaction.
If this transaction gets included in the blockchain prior to the fund transaction, the contract will be canceled as this will have rendered the fund transaction invalid.
In the event that the fund transaction gets included first, both parties will be bound to the contract.
Takatoshi Nakagawa Ichiro Kuwahara Thibaut Le Guilly Nadav Kohen