How Cross-Chain Transfer Protocols Ensure Safe and Smooth Transactions

Table of Links Abstract and Introduction Preliminaries Overview Protocol 4.1 Efficient Option Transfer Protocol 4.2 Holder Collateral-Free Cross-Chain Options Security Analysis 5.1 Option Transfer Properties 5.2 Option Properties Implementation Related Work Conclusion and Discussion, and References A. Codes A.1 Robust and Efficient Transfer Protocol A.2 Holder Collateral-Free Cross-Chain Options B. Proofs B.1 Transfer Protocol Proofs B.2 Option B.1 Transfer Protocol Proofs Lemma 9. The holder transfer procedure of Protocol 4.2.1 does not require Bob’s participation. Proof. It is evident that, Alice does not own the exercise secret, holder’s transfer is required to replace the holder address and transfer public key, and the inconsistency of two chains will not harm the interest of Bob. According to the Protocol 4.1, Bob cannot use the transfer private key of Alice, i.e. 𝑠𝑘𝐴 to claim assets. Therefore, during the reveal phase and consistency phase, Bob is not required to participate and not allowed to make any change on 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴 and 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵. Lemma 10. If Bob and Dave are conforming, then the writer transfer procedure of Protocol 4.2.1 does not require Alice’s participation. Proof. Obviously, honest Bob will not leak two signatures or 𝑠𝑘𝐵 and honest Dave will submit signature 𝜎𝑚 on both 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴 and 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵, Alice only needs to make operations when there is any dishonest party. Theorem 2. Protocol 4.2.1 satisfies liveness: If Alice, Bob, and Carol/Dave are conforming, then Alice/Bob will obtain Carol/Dave’s collateral, Carol/Dave will obtain Alice/Bob’s position, and Bob/Alice will retain their original position. Proof. By Lemma 9, Bob’s participation is not required during the holder transfer. If Alice and Carol are conforming, Carol will create 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐶 contract and lock her collateral using signature of Alice before 𝑇𝐻 − 3Δ. Alice will then reveal signature by 𝑠𝑘𝐴 and call𝑟𝑒𝑣𝑒𝑎𝑙() on𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐶 at𝑇𝐻 −2Δ. An honest Carol will forward the signature, setting the holder to Carol. Alice can then wait for 3Δ withdrawl delayed period to obtain the collateral, while the writers of𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴 and𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵 are still Bob, Bob maintains the writer’s position. During the process where Bob transfers his position to Dave, if both parties are conforming, Bob will not expose two different signatures. After 𝑇𝑊 + Δ, Bob will not be obstructed and will surely obtain Dave’s collateral. Meanwhile, Dave can submit 𝜎𝑚 between𝑇𝑊 −Δ and𝑇𝑊 to 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴 and 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵 to change the writer, Alice retaining the holder position. Theorem 3. Protocol 4.2.1 satisfies unobstructibility: Alice/Bob can transfer the position to another party even if Bob/Alice is adversarial. Proof. By Lemma 9, Bob’s participation is not required, it is evident that Bob cannot block the process of transferring a holder’s position. During Bob’s transfer to Dave, Alice can only obtain Bob’s collateral by two different messages signed with 𝑠𝑘𝐵 or the exercise secret. If Bob is honest, he will neither leak 𝑠𝐵, sign multiple messages nor leak exercise secret. Consequently, Alice cannot interrupt the transfer process. Proof. After 𝐴𝑙𝑖𝑐𝑒𝑖 transfers to 𝐴𝑙𝑖𝑐𝑒𝑖+1, the holder in the current option’s 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴 and 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵 is updated to Alice𝑖+1, and the transfer key is known only to 𝐴𝑙𝑖𝑐𝑒𝑖+1. Therefore, after a holder transfer, 𝐴𝑙𝑖𝑐𝑒𝑖+1 can transfer the position to 𝐴𝑙𝑖𝑐𝑒𝑖+2 by re-performing Protocol 4.2.1 with the transfer key of 𝐴𝑙𝑖𝑐𝑒𝑖+2. Similarly, after 𝐵𝑜𝑏𝑗 transfers to 𝐵𝑜𝑏𝑗+1 (holder Alice does not contest within Δ), the writer in the current option’s 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴 and 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵 is updated to Bob𝑗+1. At this point, only 𝑠𝑘 𝑗+1 𝐵 or its signatures can be used for the next transfer. 𝐵𝑜𝑏𝑗+1 can also transfer the position by re-performing Protocol 4.2.1 with the new transfer key. Lemma 11. Protocols 4.2.1 satisfy atomicity: If conforming Alice/Bob loses their position, she/he will be able to obtain Carol/Dave’s collateral. Proof. Following Theorem 2, in transferring the holder position, after Carol correctly escrows the collateral, Alice temporarily locks the holder position in both contracts using 𝐻(𝐶). If Carol uses 𝐶 to obtain the position before 𝑇𝐻 , then Alice will obtain Carol’s collateral at 𝑇𝐻 + Δ. If Carol does not reveal 𝐶 before 𝑇𝐻 , Alice will not receive Carol’s collateral. Similarly, in transferring the writer position, if Bob does not reveal his signature honestly, then Bob will lose the position and Dave can retrieve and will not lose the collateral. If honest Bob signs for a buyer Dave, the honest Dave will use the signature to obtain Bob’s position at 𝑇𝑊 . Bob will then obtain Dave’s collateral at 𝑇𝑊 + Δ. B.1.1 Safety. Proof. In the 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴, the following elements are defined: • 𝑇𝐸: The expiration time of this option. • exercise_hashlock: The hash lock of this option, which is the hash of a secret value known only to the writer. • old_exercise_hashlock: The hash lock of this option, which is the hash of a secret value known only to the writer. • holder: The holder can call 𝑒𝑥𝑒𝑟𝑐𝑖𝑠𝑒 () to exercise the option before 𝑇𝐸. • guarantee: The writer’s asset, i.e. 𝐴𝑠𝑠𝑒𝑡𝐺 , which can be any asset mutually agreed upon by the holder and writer as guarantee. This can include tokens, NFTs, or any other type of asset. • writer: The writer can use the secret value to call 𝑟𝑒 𝑓 𝑢𝑛𝑑 () to retrieve the guarantee or retrieve it directly after 𝑇𝐸 + 2Δ. • collateral: The collateral that Alice must deposit if she decides to exercise the option to purchase Bob’s asset. • holder_transfer_public_key: the transfer key of Alice, 𝑝𝑘𝐴, used for verify the transfer signature of Alice to Carol. • writer_transfer_public_key: New transfer key of Dave, 𝑝𝑘𝐷 , used for verify the transfer signature of Dave to others. • old_writer_transfer_public_key: Old transfer key of Bob, 𝑝𝑘𝐵, used for verify the transfer signature of Bob to Dave, Within the period of one Δ, during which the transfer signature must be submitted to this contract, we still need to record the old transfer public key in case of Bob’s misbehavior. • writer_transfer_time: The writer transfer time, used for Alice to claim assets if there exits misbehavior of Bob. In the 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵, there are other additional items: • collateral: The writer’s collateral, i.e.𝐴𝑠𝑠𝑒𝑡𝐵, it can be claimed by holder with preimage of hashlock. • holder: The holder can call 𝑒𝑥𝑒𝑟𝑐𝑖𝑠𝑒 () to exercise the option before 𝑇𝐸. • writer: The writer can call𝑟𝑒 𝑓 𝑢𝑛𝑑 () to retrieve the guarantee or retrieve it directly after 𝑇𝐸 + 2Δ. In the 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐷 , the following elements are defined: • T_W: The deadline for seller to reveal signature. • buyer: writer position buyer, i.e. Dave. • seller: writer position seller, i.e. Bob. • old_exercise_hashlock: The hashlock of exercise, if Bob reveals during the transfer, Dave is able to reclaim with preimage. • exercise_hashlock: The new hashlock of exercise, generated by Dave. • old_writer_transfer_public_key: Bob’s transfer public key, used for verify the signature of Bob. • writer_transfer_public_key: New transfer public key generated by Dave, used for replacing Bob’s key. • transfer_time: Used for record the time of transfer (the time reveal signature) and calculate the withdrawal delayed period. Take Bob transferring his position to Dave as an example, since Bob deposit 𝐴𝑠𝑠𝑒𝑡𝐺 and 𝐴𝑠𝑠𝑒𝑡𝐵 into the contracts, which is more complex. Transferring Alice’s position to Carol is more simple. By Lemma 11, if compliant Bob loses his position, he will at least obtain Dave’s collateral during the writer transfer process. If Dave is conforming, then if Bob acts maliciously on his own, Bob provides two different signatures to different buyers, Dave can reclaim the transfer fee with extracted 𝑠𝑘𝐵 since 𝐷 records old_writer_transfer_public_key i.e. 𝑝𝑘𝐵. If Bob reveals 𝐵 at the same time during transfer process, then Dave can use 𝐵 to reclaim 𝑊 𝑟𝑖𝑡𝑒𝑟𝐹𝑒𝑒 since 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐶 records old_exercise_hashlock i.e. 𝐻(𝐵). If Alice and Bob collude, they can use 𝑠𝑘𝐵 or 𝐵 to withdraw 𝐴𝑠𝑠𝑒𝑡𝐺 and 𝐴𝑠𝑠𝑒𝑡𝐵. Then, Dave can observe 𝑠𝑘𝐵 or 𝐵 and withdraw 𝑊 𝑟𝑖𝑡𝑒𝑟𝐹𝑒𝑒 during withdrawal delay period since 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐷 records transfer_time. If Alice is conforming, then If Bob provides two different signatures to different buyers, Alice can extract 𝑠𝑘𝐵 and submit it to obtain 𝐴𝑠𝑠𝑒𝑡𝐺 and 𝐴𝑠𝑠𝑒𝑡𝐵. If Bob or Dave publishes one signature exclusively on either 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴 or 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵, Alice can forward this signature to another chain to make sure the exercise secret hashlocks are consistent on two chains. If Bob and Dave collude, they use two signatures to change the hashlock. During the withdrawal delay period, Alice can obtain 𝐴𝑠𝑠𝑒𝑡𝐺 and 𝐴𝑠𝑠𝑒𝑡𝐵 using the extracted 𝑠𝑘𝐵. Transferring Alice’s position to Carol is simpler, as Alice does not deposit assets into the option contracts and cannot modify the exercise secret hashlock. Carol only needs to ensure consistency between the holders on the two chains. Otherwise, she can extract 𝑠𝑘𝐴 and refund the 𝐻𝑜𝑙𝑑𝑒𝑟𝐹𝑒𝑒 during the withdrawal delay period. Theorem 5. Protocol 4.2.2 satisfies isolation: Alice and Bob can simultaneously and separately transfer their positions to Carol and Dave, respectively. This means that transferring holder and the transferring writer can proceed concurrently. Proof. Suppose both Carol and Dave are interested in Alice’s and Bob’s positions, respectively. According to Lemma 9, Alice transferring to Carol does not require Bob’s involvement, hence Alice and Carol will not be interfered with. Similarly, it is known that during Bob’s transfer to Dave, by Lemma 10, if Bob and Dave are both compliant, Alice does not need to participate. Considering the case when Bob reveals two different signatures: (i) If Carol has already revealed the secret value 𝐶 of the transfer hash lock, then Carol becomes the new holder and can use two different signatures by 𝑠𝐵 to obtain 𝐴𝑠𝑠𝑒𝑡𝐵 and 𝐴𝑠𝑠𝑒𝑡𝐺 . (ii) If Carol has not revealed 𝐶 and will reveal it after Δ, Carol can simultaneously reveal𝐶 and call 𝑟𝑒𝑐𝑙𝑎𝑖𝑚() on both chains after Δ to obtain 𝐴𝑠𝑠𝑒𝑡𝐵 and 𝐴𝑠𝑠𝑒𝑡𝐺 . If Dave or Bob publishes 𝜎𝑚 on one single chain, Carol must forward 𝜎𝑚 to the other chain while revealing 𝐶. Authors: (1) Zifan Peng, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (zpengao@connect.hkust-gz.edu.cn); (2) Yingjie Xue, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (yingjiexue@hkust-gz.edu.cn); (3) Jingyu Liu, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (jliu514@connect.hkust-gz.edu.cn). This paper is available on arxiv under CC BY 4.0 license. Table of Links Abstract and Introduction Preliminaries Overview Protocol 4.1 Efficient Option Transfer Protocol 4.2 Holder Collateral-Free Cross-Chain Options Security Analysis 5.1 Option Transfer Properties 5.2 Option Properties Implementation Related Work Conclusion and Discussion, and References Abstract and Introduction Abstract and Introduction Abstract and Introduction Preliminaries Preliminaries Preliminaries Overview Overview Overview Protocol 4.1 Efficient Option Transfer Protocol 4.2 Holder Collateral-Free Cross-Chain Options Protocol 4.1 Efficient Option Transfer Protocol 4.1 Efficient Option Transfer Protocol 4.2 Holder Collateral-Free Cross-Chain Options 4.2 Holder Collateral-Free Cross-Chain Options Security Analysis 5.1 Option Transfer Properties 5.2 Option Properties Security Analysis 5.1 Option Transfer Properties 5.1 Option Transfer Properties 5.2 Option Properties 5.2 Option Properties Implementation Implementation Implementation Related Work Related Work Related Work Conclusion and Discussion, and References Conclusion and Discussion, and References Conclusion and Discussion, and References A. Codes A. Codes A.1 Robust and Efficient Transfer Protocol A.2 Holder Collateral-Free Cross-Chain Options A.1 Robust and Efficient Transfer Protocol A.1 Robust and Efficient Transfer Protocol A.2 Holder Collateral-Free Cross-Chain Options A.2 Holder Collateral-Free Cross-Chain Options B. Proofs B. Proofs B.1 Transfer Protocol Proofs B.2 Option B.1 Transfer Protocol Proofs B.1 Transfer Protocol Proofs B.2 Option B.2 Option B.1 Transfer Protocol Proofs Lemma 9. The holder transfer procedure of Protocol 4.2.1 does not require Bob’s participation. The holder transfer procedure of Protocol 4.2.1 does not require Bob’s participation. Proof. It is evident that, Alice does not own the exercise secret, holder’s transfer is required to replace the holder address and transfer public key, and the inconsistency of two chains will not harm the interest of Bob. According to the Protocol 4.1, Bob cannot use the transfer private key of Alice, i.e. 𝑠𝑘𝐴 to claim assets. Therefore, during the reveal phase and consistency phase, Bob is not required to participate and not allowed to make any change on 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴 and 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵. Lemma 10. If Bob and Dave are conforming, then the writer transfer procedure of Protocol 4.2.1 does not require Alice’s participation. If Bob and Dave are conforming, then the writer transfer procedure of Protocol 4.2.1 does not require Alice’s participation. Proof. Obviously, honest Bob will not leak two signatures or 𝑠𝑘𝐵 and honest Dave will submit signature 𝜎𝑚 on both 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴 and 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵, Alice only needs to make operations when there is any dishonest party. Theorem 2. Protocol 4.2.1 satisfies liveness: If Alice, Bob, and Carol/Dave are conforming, then Alice/Bob will obtain Carol/Dave’s collateral, Carol/Dave will obtain Alice/Bob’s position, and Bob/Alice will retain their original position. Protocol 4.2.1 satisfies liveness: If Alice, Bob, and Carol/Dave are conforming, then Alice/Bob will obtain Carol/Dave’s collateral, Carol/Dave will obtain Alice/Bob’s position, and Bob/Alice will retain their original position. Proof. By Lemma 9, Bob’s participation is not required during the holder transfer. If Alice and Carol are conforming, Carol will create 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐶 contract and lock her collateral using signature of Alice before 𝑇𝐻 − 3Δ. Alice will then reveal signature by 𝑠𝑘𝐴 and call𝑟𝑒𝑣𝑒𝑎𝑙() on𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐶 at𝑇𝐻 −2Δ. An honest Carol will forward the signature, setting the holder to Carol. Alice can then wait for 3Δ withdrawl delayed period to obtain the collateral, while the writers of𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴 and𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵 are still Bob, Bob maintains the writer’s position. During the process where Bob transfers his position to Dave, if both parties are conforming, Bob will not expose two different signatures. After 𝑇𝑊 + Δ, Bob will not be obstructed and will surely obtain Dave’s collateral. Meanwhile, Dave can submit 𝜎𝑚 between𝑇𝑊 −Δ and𝑇𝑊 to 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴 and 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵 to change the writer, Alice retaining the holder position. Theorem 3. Protocol 4.2.1 satisfies unobstructibility: Alice/Bob can transfer the position to another party even if Bob/Alice is adversarial. Protocol 4.2.1 satisfies unobstructibility: Alice/Bob can transfer the position to another party even if Bob/Alice is adversarial. Proof. By Lemma 9, Bob’s participation is not required, it is evident that Bob cannot block the process of transferring a holder’s position. During Bob’s transfer to Dave, Alice can only obtain Bob’s collateral by two different messages signed with 𝑠𝑘𝐵 or the exercise secret. If Bob is honest, he will neither leak 𝑠𝐵, sign multiple messages nor leak exercise secret. Consequently, Alice cannot interrupt the transfer process. Proof. After 𝐴𝑙𝑖𝑐𝑒𝑖 transfers to 𝐴𝑙𝑖𝑐𝑒𝑖+1, the holder in the current option’s 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴 and 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵 is updated to Alice𝑖+1, and the transfer key is known only to 𝐴𝑙𝑖𝑐𝑒𝑖+1. Therefore, after a holder transfer, 𝐴𝑙𝑖𝑐𝑒𝑖+1 can transfer the position to 𝐴𝑙𝑖𝑐𝑒𝑖+2 by re-performing Protocol 4.2.1 with the transfer key of 𝐴𝑙𝑖𝑐𝑒𝑖+2. Similarly, after 𝐵𝑜𝑏𝑗 transfers to 𝐵𝑜𝑏𝑗+1 (holder Alice does not contest within Δ), the writer in the current option’s 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴 and 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵 is updated to Bob𝑗+1. At this point, only 𝑠𝑘 𝑗+1 𝐵 or its signatures can be used for the next transfer. 𝐵𝑜𝑏𝑗+1 can also transfer the position by re-performing Protocol 4.2.1 with the new transfer key. Lemma 11. Protocols 4.2.1 satisfy atomicity: If conforming Alice/Bob loses their position, she/he will be able to obtain Carol/Dave’s collateral. Proof. Following Theorem 2, in transferring the holder position, after Carol correctly escrows the collateral, Alice temporarily locks the holder position in both contracts using 𝐻(𝐶). If Carol uses 𝐶 to obtain the position before 𝑇𝐻 , then Alice will obtain Carol’s collateral at 𝑇𝐻 + Δ. If Carol does not reveal 𝐶 before 𝑇𝐻 , Alice will not receive Carol’s collateral. Similarly, in transferring the writer position, if Bob does not reveal his signature honestly, then Bob will lose the position and Dave can retrieve and will not lose the collateral. If honest Bob signs for a buyer Dave, the honest Dave will use the signature to obtain Bob’s position at 𝑇𝑊 . Bob will then obtain Dave’s collateral at 𝑇𝑊 + Δ. B.1.1 Safety . Safety Proof. In the 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴, the following elements are defined: • 𝑇𝐸: The expiration time of this option. • exercise_hashlock: The hash lock of this option, which is the hash of a secret value known only to the writer. • old_exercise_hashlock: The hash lock of this option, which is the hash of a secret value known only to the writer. • holder: The holder can call 𝑒𝑥𝑒𝑟𝑐𝑖𝑠𝑒 () to exercise the option before 𝑇𝐸. • guarantee: The writer’s asset, i.e. 𝐴𝑠𝑠𝑒𝑡𝐺 , which can be any asset mutually agreed upon by the holder and writer as guarantee. This can include tokens, NFTs, or any other type of asset. • writer: The writer can use the secret value to call 𝑟𝑒 𝑓 𝑢𝑛𝑑 () to retrieve the guarantee or retrieve it directly after 𝑇𝐸 + 2Δ. • collateral: The collateral that Alice must deposit if she decides to exercise the option to purchase Bob’s asset. • holder_transfer_public_key: the transfer key of Alice, 𝑝𝑘𝐴, used for verify the transfer signature of Alice to Carol. • writer_transfer_public_key: New transfer key of Dave, 𝑝𝑘𝐷 , used for verify the transfer signature of Dave to others. • old_writer_transfer_public_key: Old transfer key of Bob, 𝑝𝑘𝐵, used for verify the transfer signature of Bob to Dave, Within the period of one Δ, during which the transfer signature must be submitted to this contract, we still need to record the old transfer public key in case of Bob’s misbehavior. • writer_transfer_time: The writer transfer time, used for Alice to claim assets if there exits misbehavior of Bob. In the 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵, there are other additional items: • collateral: The writer’s collateral, i.e.𝐴𝑠𝑠𝑒𝑡𝐵, it can be claimed by holder with preimage of hashlock. • holder: The holder can call 𝑒𝑥𝑒𝑟𝑐𝑖𝑠𝑒 () to exercise the option before 𝑇𝐸. • writer: The writer can call𝑟𝑒 𝑓 𝑢𝑛𝑑 () to retrieve the guarantee or retrieve it directly after 𝑇𝐸 + 2Δ. In the 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐷 , the following elements are defined: • T_W: The deadline for seller to reveal signature. • buyer: writer position buyer, i.e. Dave. • seller: writer position seller, i.e. Bob. • old_exercise_hashlock: The hashlock of exercise, if Bob reveals during the transfer, Dave is able to reclaim with preimage. • exercise_hashlock: The new hashlock of exercise, generated by Dave. • old_writer_transfer_public_key: Bob’s transfer public key, used for verify the signature of Bob. • writer_transfer_public_key: New transfer public key generated by Dave, used for replacing Bob’s key. • transfer_time: Used for record the time of transfer (the time reveal signature) and calculate the withdrawal delayed period. Take Bob transferring his position to Dave as an example, since Bob deposit 𝐴𝑠𝑠𝑒𝑡𝐺 and 𝐴𝑠𝑠𝑒𝑡𝐵 into the contracts, which is more complex. Transferring Alice’s position to Carol is more simple. By Lemma 11, if compliant Bob loses his position, he will at least obtain Dave’s collateral during the writer transfer process. If Dave is conforming, then if Bob acts maliciously on his own, Bob provides two different signatures to different buyers, Dave can reclaim the transfer fee with extracted 𝑠𝑘𝐵 since 𝐷 records old_writer_transfer_public_key i.e. 𝑝𝑘𝐵. If Bob reveals 𝐵 at the same time during transfer process, then Dave can use 𝐵 to reclaim 𝑊 𝑟𝑖𝑡𝑒𝑟𝐹𝑒𝑒 since 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐶 records old_exercise_hashlock i.e. 𝐻(𝐵). If Alice and Bob collude, they can use 𝑠𝑘𝐵 or 𝐵 to withdraw 𝐴𝑠𝑠𝑒𝑡𝐺 and 𝐴𝑠𝑠𝑒𝑡𝐵. Then, Dave can observe 𝑠𝑘𝐵 or 𝐵 and withdraw 𝑊 𝑟𝑖𝑡𝑒𝑟𝐹𝑒𝑒 during withdrawal delay period since 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐷 records transfer_time. If Alice is conforming, then If Bob provides two different signatures to different buyers, Alice can extract 𝑠𝑘𝐵 and submit it to obtain 𝐴𝑠𝑠𝑒𝑡𝐺 and 𝐴𝑠𝑠𝑒𝑡𝐵. If Bob or Dave publishes one signature exclusively on either 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐴 or 𝐶𝑜𝑛𝑡𝑟𝑎𝑐𝑡𝐵, Alice can forward this signature to another chain to make sure the exercise secret hashlocks are consistent on two chains. If Bob and Dave collude, they use two signatures to change the hashlock. During the withdrawal delay period, Alice can obtain 𝐴𝑠𝑠𝑒𝑡𝐺 and 𝐴𝑠𝑠𝑒𝑡𝐵 using the extracted 𝑠𝑘𝐵. Transferring Alice’s position to Carol is simpler, as Alice does not deposit assets into the option contracts and cannot modify the exercise secret hashlock. Carol only needs to ensure consistency between the holders on the two chains. Otherwise, she can extract 𝑠𝑘𝐴 and refund the 𝐻𝑜𝑙𝑑𝑒𝑟𝐹𝑒𝑒 during the withdrawal delay period. Theorem 5. Protocol 4.2.2 satisfies isolation: Alice and Bob can simultaneously and separately transfer their positions to Carol and Dave, respectively. This means that transferring holder and the transferring writer can proceed concurrently. Protocol 4.2.2 satisfies isolation: Alice and Bob can simultaneously and separately transfer their positions to Carol and Dave, respectively. This means that transferring holder and the transferring writer can proceed concurrently. Proof. Suppose both Carol and Dave are interested in Alice’s and Bob’s positions, respectively. According to Lemma 9, Alice transferring to Carol does not require Bob’s involvement, hence Alice and Carol will not be interfered with. Similarly, it is known that during Bob’s transfer to Dave, by Lemma 10, if Bob and Dave are both compliant, Alice does not need to participate. Considering the case when Bob reveals two different signatures: (i) If Carol has already revealed the secret value 𝐶 of the transfer hash lock, then Carol becomes the new holder and can use two different signatures by 𝑠𝐵 to obtain 𝐴𝑠𝑠𝑒𝑡𝐵 and 𝐴𝑠𝑠𝑒𝑡𝐺 . (ii) If Carol has not revealed 𝐶 and will reveal it after Δ, Carol can simultaneously reveal𝐶 and call 𝑟𝑒𝑐𝑙𝑎𝑖𝑚() on both chains after Δ to obtain 𝐴𝑠𝑠𝑒𝑡𝐵 and 𝐴𝑠𝑠𝑒𝑡𝐺 . If Dave or Bob publishes 𝜎𝑚 on one single chain, Carol must forward 𝜎𝑚 to the other chain while revealing 𝐶. Authors: (1) Zifan Peng, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (zpengao@connect.hkust-gz.edu.cn); (2) Yingjie Xue, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (yingjiexue@hkust-gz.edu.cn); (3) Jingyu Liu, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (jliu514@connect.hkust-gz.edu.cn). Authors: Authors: (1) Zifan Peng, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (zpengao@connect.hkust-gz.edu.cn); (2) Yingjie Xue, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (yingjiexue@hkust-gz.edu.cn); (3) Jingyu Liu, The Hong Kong University of Science and Technology (Guangzhou) Guangzhou, Guangdong, China (jliu514@connect.hkust-gz.edu.cn). This paper is available on arxiv under CC BY 4.0 license. This paper is available on arxiv under CC BY 4.0 license. available on arxiv