Discreet log contract is a conditional payment mechanism invented by Tadge Dryja, co-author of the Bitcoin Lightning Network paper and a member of MIT’s Digital Currency Initiative team. The paper was written in 2017.
Currently conditional payments on blockchains like Bitcoin and Ethereum are done through “smart contracts” where the conditions are coded in limiting language like Bitcoin’s Script or a turing complete language like Solidity and this code is deployed on chain. The chain will later execute this code along with other inputs provided and then transfer the funds to one of the participants. This requires the chain to know the conditions, hence anyone in the world can learn the conditions. Also the chain has to execute these conditions, thus spend resources. Discreet log contracts aim to solve these problems by not putting these conditions on the chain but only require a signature from a pre-decided public key to decide where to transfer the funds. This pre-decided key can be of an oracle which is expected to act honestly and publish a signature on the correct message. The oracle does not have to be privy to the details of the contract. Nor does it have to publish its signature on the blockchain.
Discreet log contracts are suitable in cases where 2 mutually distrusting parties bet on the results of a public event like a sporting event, election or price of a commodity or currency. Here the sporting event’s broadcast channel or a news channel or the stock market feed will act as an oracle. The signature published by the oracle will be on the message which will be the result of the event.
Discreet log contracts require Schnorr signature but the Schnorr signature does not happen on chain, thus they can be used with Bitcoin today. The signature is generated off-chain and the signature reveals a secret that will be used to create a private key that will end up controlling funds.
Schnorr signatures. The key idea of discreet log contracts is based on Schnorr signatures. This is how it works (using ellpitic currves):(i) G and h are protocol parameters (hence known to everyone). G is generator of the group and h is a hash function.(ii) The signer chooses a secret key x and computes public key X. X = xG.(iii) To sign a message m, the signer generates a secret nonce k and publishes a commitment to the nonce, say R. Here R = kG. R is called the commitment.(iv) The signer hashes together the message and the public nonce to create a challenge c. c = h(m||R)(v) The signer then calculates s = k - cx. The signature on m is (R, s). s is called the response (to the challenge)(vi) To verify the signature, compute sG and check whether it is equal to R - cX. This works since sG = (k - cx)G = kG - cxG = R - cX.
In Discreet Log Contracts, the oracle uses the Schnorr signature but in a different way. Rather than publishing the commitment to the nonce, R in the signature, the oracle publishes it before it even decides what message to sign. Say the oracle intends to publish its signature on the outcome of an event that will happen in future. It has a long term public key X, it chooses a nonce secret nonce k, computes a commitment to the nonce as R(=kG) and publishes R. (X, R) is a one time public key. Now if someone knew the signature, he could create a “special public key”, Y (hence a Bitcoin address) involving the signature whose private key only he knows. Thus if someone expected the oracle to publish a signature on message b, he can take his private-public keys p and P(=pG) and create Y as(i) sG = R - h(b, R)X(ii) Y = P + sGWhen the oracle publishes signature s, the owner of P will create know the private key of Y, since Y = P + sG = pG + sG = (p + s)G. Any funds transferred to Y before the oracle published the signature can be claimed by the owner of P. This is the key idea of discreet log contracts.
Example
Alice and Bob now both create a transaction each where they transfer the money from funding transaction F to their “special public key”. This “special public key” is generated assuming that the oracle with publish the signature on their preferred outcome. So Alice’s special public key Aₐ will assume that oracle will publish signature on a and Bob’s special public key B_b will assume that oracle will publish signature on b.Note there were more than 2 possible outcomes, Alice and Bob will create more of these transactions. These transactions are called contract execution transactions._Alice creates “special public key” A_ₐ(i) s_ₐ_G = R - h(a, R)X(ii) _A_ₐ = A + s_aGBob creates “special public key” B_b(i) s_bG = R - h(b, R)X(ii) B_b = B + s_bG
Discreet log contracts are an interesting idea. Though the need to trust an oracle sounds like a limitation, this trust can be diffused among several oracles. This can be done by not demanding just one oracle to publish a signature, but several. Alice and Bob can decide on, say, 3 news channels (as oracles) and agree that 2 out of 3 news channels agree on an outcome for that outcome to be considered acceptable. Schnorr signatures help here as they can be used to construct threshold signatures. Each oracle will have its own private-public keypair. The oracles will then engage in an interactive protocol to publish the commitment and later the signature.
Here is the spec for Discreet Log Contracts from DCI’s github.