📅 Original date posted:2021-02-13
📝 Original message:
Good morning Nadav,
> Hey ZmnSCPxj,
>
> Your earlier post about how to accomplish ORing points without verifiable encryption was super interesting.
>
> I think this contains a clever general NOT operation where you double the payment and use the point as a condition for the "cancellation payment." This is actually very similar to something that is used in my PTLC DLC scheme where many payments are failed in most cases :) But nice to add it to the toolkit, especially as a way to not use ORs for the price of over-collateralization which is acceptable in many use cases.
Indeed, specifically this point of De Morgan Theorem transformation should probably be emphasized.
More generally, all Boolean logic can be converted to one of two standard forms.
* sum-of-products i.e. `||` over `&&`
* product-of-sums i.e. `&&` over `||`
For example an XOR can be converted to the sum-of-products form:
A ^ B = (!A && B) || (A && !B)
If we have any complicated Boolean logic, we can consider to always use some kind of product-of-sums form.
So for the example case, escrow service is the logic:
SELLER && (BUYER || ESCROW)
The above is a standard product-of-sums form.
Any sums (i.e. `||`) can be converted by De Morgan Theorem to product, and the payment can be a reversal instead.
SELLER && !(!BUYER && !ESCROW)
The `!(a && b && ...)` can be converted to a reversal of the payment.
The individual `!BUYER` is just the buyer choosing not to claim the seller->buyer direction, and the individual `!ESCROW` is just the escrow choosing not to reveal its temporary scalar for this payment.
And any products (i.e. `&&`) are trivially implemented in PTLCs as trivial scalar and point addition.
So it may actually be possible to express *any* Boolean logic, by the use of reversal payments and "option not to release scalar", both of which implement the NOT gate needed for the above.
Boolean logic is a fairly powerful, non-Turing-complete, and consistent programming language, and if we can actually implement any kind of Boolean logic with a set of payments in various directions and Barrier Escrows we can enable some fairly complex use-cases..
For example, a simple DLC binary oracle can provide two points in such a way that it can only reveal one scalar of those two points (e.g. it has a persistent public key `P`, and two temporary points `H` and `T` such that `H = T + P`, and it can only safely reveal either `h` or `t`.).
Based on the outcome of a coin flip (or other input from the mythical "real world"), it reveals either one or the other scalar.
Then we can use either point as part of any `!Oracle` or `Oracle` Boolean logic we need.
>
> One comment to make though, is that this mechanism requires the atomic setup of multiple payments otherwise Seller -> Buyer will be set up after which Buyer may keep the free option and not set up the payment in return. Luckily with barrier escrows we can do atomic multi-payment setup to accomplish this!
For this particular use-case, I think it is safe to just use the order "Seller->Buyer, then Buyer->Seller" rather than add a barrier escrow.
Remember, the entire setup presumes that both Buyer and Seller can tr\*st the Escrow to resolve disputes, and the Seller->Buyer payment requires BUYER && ESCROW.
If the buyer never makes the Buyer->Seller payment presumably the Escrow will take that into consideration during dispute resolution and not release the ESCROW scalar to the Buyer.
And if the Buyer->Seller payment (which requires only SELLER scalar) is claimed "early" by the Seller before handing off the item, the Escrow is tr\*sted to consider this also (it is substantially the same as the Seller providing substandard goods) and release the ESCROW scalar.
Of course in the most general case above where we could potentially do any arbitrary logic it probably makes most sense to use a Barrier escrow as well to ensure atomicity of the setup.
Regards,
ZmnSCPxj
ZmnSCPxj [ARCHIVE] /
npub1g5…3ms3l
2023-06-09 13:02:01
in reply to nevent1q…e3fk
Author Public Key
npub1g5zswf6y48f7fy90jf3tlcuwdmjn8znhzaa4vkmtxaeskca8hpss23ms3lPublished at
2023-06-09 13:02:01Event JSON
{
"id": "a94141e093b21449faab2067d0692d219e551c802078499b80b4a264395b7750",
"pubkey": "4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861",
"created_at": 1686315721,
"kind": 1,
"tags": [
[
"e",
"314d09df8983f36a6cfef295360e46d7142fc01ed765a13fbdab5e1db6b5c415",
"",
"root"
],
[
"e",
"41904e8cc567a8010649d43d0b414d357e6a328d53654a12ed6aa1bfa34db6d6",
"",
"reply"
],
[
"p",
"4640dfa33a2404507c1177a87aa949fcec805be1e1599e1df9bc823c35f5e208"
]
],
"content": "📅 Original date posted:2021-02-13\n📝 Original message:\nGood morning Nadav,\n\n\u003e Hey ZmnSCPxj,\n\u003e\n\u003e Your earlier post about how to accomplish ORing points without verifiable encryption was super interesting.\n\u003e\n\u003e I think this contains a clever general NOT operation where you double the payment and use the point as a condition for the \"cancellation payment.\" This is actually very similar to something that is used in my PTLC DLC scheme where many payments are failed in most cases :) But nice to add it to the toolkit, especially as a way to not use ORs for the price of over-collateralization which is acceptable in many use cases.\n\nIndeed, specifically this point of De Morgan Theorem transformation should probably be emphasized.\n\nMore generally, all Boolean logic can be converted to one of two standard forms.\n\n* sum-of-products i.e. `||` over `\u0026\u0026`\n* product-of-sums i.e. `\u0026\u0026` over `||`\n\nFor example an XOR can be converted to the sum-of-products form:\n\n A ^ B = (!A \u0026\u0026 B) || (A \u0026\u0026 !B)\n\nIf we have any complicated Boolean logic, we can consider to always use some kind of product-of-sums form.\nSo for the example case, escrow service is the logic:\n\n SELLER \u0026\u0026 (BUYER || ESCROW)\n\nThe above is a standard product-of-sums form.\n\nAny sums (i.e. `||`) can be converted by De Morgan Theorem to product, and the payment can be a reversal instead.\n\n SELLER \u0026\u0026 !(!BUYER \u0026\u0026 !ESCROW)\n\nThe `!(a \u0026\u0026 b \u0026\u0026 ...)` can be converted to a reversal of the payment.\nThe individual `!BUYER` is just the buyer choosing not to claim the seller-\u003ebuyer direction, and the individual `!ESCROW` is just the escrow choosing not to reveal its temporary scalar for this payment.\nAnd any products (i.e. `\u0026\u0026`) are trivially implemented in PTLCs as trivial scalar and point addition.\n\nSo it may actually be possible to express *any* Boolean logic, by the use of reversal payments and \"option not to release scalar\", both of which implement the NOT gate needed for the above.\nBoolean logic is a fairly powerful, non-Turing-complete, and consistent programming language, and if we can actually implement any kind of Boolean logic with a set of payments in various directions and Barrier Escrows we can enable some fairly complex use-cases..\n\nFor example, a simple DLC binary oracle can provide two points in such a way that it can only reveal one scalar of those two points (e.g. it has a persistent public key `P`, and two temporary points `H` and `T` such that `H = T + P`, and it can only safely reveal either `h` or `t`.).\nBased on the outcome of a coin flip (or other input from the mythical \"real world\"), it reveals either one or the other scalar.\nThen we can use either point as part of any `!Oracle` or `Oracle` Boolean logic we need.\n\n\u003e\n\u003e One comment to make though, is that this mechanism requires the atomic setup of multiple payments otherwise Seller -\u003e Buyer will be set up after which Buyer may keep the free option and not set up the payment in return. Luckily with barrier escrows we can do atomic multi-payment setup to accomplish this!\n\nFor this particular use-case, I think it is safe to just use the order \"Seller-\u003eBuyer, then Buyer-\u003eSeller\" rather than add a barrier escrow.\nRemember, the entire setup presumes that both Buyer and Seller can tr\\*st the Escrow to resolve disputes, and the Seller-\u003eBuyer payment requires BUYER \u0026\u0026 ESCROW.\nIf the buyer never makes the Buyer-\u003eSeller payment presumably the Escrow will take that into consideration during dispute resolution and not release the ESCROW scalar to the Buyer.\n\nAnd if the Buyer-\u003eSeller payment (which requires only SELLER scalar) is claimed \"early\" by the Seller before handing off the item, the Escrow is tr\\*sted to consider this also (it is substantially the same as the Seller providing substandard goods) and release the ESCROW scalar.\n\nOf course in the most general case above where we could potentially do any arbitrary logic it probably makes most sense to use a Barrier escrow as well to ensure atomicity of the setup.\n\n\nRegards,\nZmnSCPxj",
"sig": "5509078b104c9d134c6dc267be9fa0e9a7be6717f5686e3da07a51e7986192a71c933cf3b156fc785331247f424f76ab4fb9883330061d19cb1bdc5c02bbc71e"
}