Poster presentation at the 2nd International Workshop on Cryptocurrencies and Blockchain Technology - CBT'18, Barcelona, Spain, 2018.

1. Multisignatures
for
Cryptocurrency-backed Tokens*
Alexei Zamyatin, Dominik Harz, Joshua Lind,
Panayiotis Panayiotou, Arthur Gervais, William Knottenbelt
*An extension of the XCLAIM protocol.

2. XCLAIM: Cryptocurrency-backed Tokens:
1) Lock with Issuer
2) Prove lock to Chain relay
3) Issue tokens
ISSUER
(Non-trusted &
collateralized 3rd
party)
h7 = H(h5,h6)
h5 = H(h1,h2) h6 = H(h3,h4)
h4h3h2LOCK TX
Chain relay
verifies TX
inclusion proof and
informs treasury
Treasury contract
issues Bitcoin-backed
ERC20 tokens
In three steps to interoperability (E.g. Bitcoin-backed tokens on Ethereum)

3. Multisignature Locks: Improving Safety
Multisig
Lock
Prove
Confirm
Issue
Lock
Use e.g. Bitcoin 2-of-2 multisignatures to make theft by the Issuer impossible

4. State of Development
Working paper: „XCLAIM: Interoperability with Cryptocurrency-backed Tokens“
Implementation: Alpha version deployed on Ethereum Ropsten Testnet
3 Versions (without multisignatures):
• Trustless using custom implementation of BTC Relay
• 2 performance optimizations via Intel SGX
First demo @ Scaling Bitcoin 2018!

5. Challenges
Fungibility of
tokes cannot be
guaranteed
Substantial
amount of data
stored on
Ethereum
Fund freeze
still possible!
1.0 1.0
2.0
+ vs.
X
+
1.01.0
Optimizations
Issuer signs all TX only when token is
redeemed
(P2WSH - BIP141 Segregated
Witness required)
Reduce Waiting
Times
Reduce Costs /
Transactions
UTXO grouping scheme:
optimistic reduction of required TX to
O(1). However: interactive protocol!
(A, I)
(A, I) (B, I)
(C, I)(B, I)(D, I)
1.01.0
1.0 0.70.3
2.0
(A, I)
(D, I) (B, I)
0.31.0
2.0
(C, I)
0.7
BTC transactions = 3
BTC transactions = 1
BUT: Requires additional
signature from A!
Improve Incentives
against fund freezing
Additional collateral on
Bitcoin:
|
start
Collateralized
commit
Issue aborted
Insufficient
collateral
btc locked in
HTLC
btc locked
with Issuer
Trade
tokens
Redeem
requested
btc
released
Redeem failed,
eth reimbursed
Token States
NONE
PENDING
ISSUE
REIMBURSED
REDEEMED
PENDING
REDEEM
ISSUED
Trade
Ethereum
Chain
Relay
Treasury
Contract
2) Bob creates and signs 𝑇𝑟𝑒𝑑𝑒𝑒𝑚
𝑏𝑡𝑐
, which pays
him the correct amount of btc from the multisig
6) Issuer signs and publishes 𝑇𝑥 𝑟𝑒𝑑𝑒𝑒𝑚 (𝐵𝐼)
𝑏𝑡𝑐
spending
from 𝑇𝑥𝑙𝑜𝑐𝑘 (𝐵𝐼)
𝑏𝑡𝑐
paying Bob the correct amount of btc
4) The contract burns
the 𝑏𝑡𝑐 𝑒𝑡ℎ and emits an
“unlock” event
BOB ISSUER
3) Bob publishes 𝑇𝑏𝑢𝑟𝑛
𝑒𝑡ℎ
in which he marks his
𝑏𝑡𝑐 𝑒𝑡ℎ for redemption and provides 𝑇𝑟𝑒𝑑𝑒𝑒𝑚
𝑏𝑡𝑐
𝑝𝑘𝐼
𝑏𝑡𝑐𝑝𝑘 𝐵
𝑏𝑡𝑐
𝑝𝑘𝐼
𝑒𝑡ℎ
𝑝𝑘 𝐵
𝑒𝑡ℎ
1) Bob generates
Bitcoin key pair
5) Issuer sees
unlock event
X
X
XEthereum
Bitcoin
Chain
Relay
Treasury
Contract
Result: Bob replaces Alice in a new mutilsig with the Issuer, spending from the old
multisig output. State not yet updated publicly.
4) Contract makes Bob
owner of 𝑏𝑡𝑐 𝑒𝑡ℎ and allows
Alice to withdraw the
locked eth
ALICE BOB
5) Alice publishes 𝑇 𝑤𝑖𝑡 ℎ𝑑𝑟𝑎𝑤
𝑒𝑡ℎ
withdrawing 𝑒𝑡ℎ
𝑝𝑘 𝐵
𝑏𝑡𝑐𝑝𝑘 𝐴
𝑏𝑡𝑐
𝑝𝑘 𝐵
𝑒𝑡ℎ
𝑝𝑘 𝐴
𝑒𝑡ℎ
1) Alice creates and signs 𝑇𝑙𝑜𝑐𝑘 (𝐵𝐼)
𝑏𝑡𝑐
, which
replaces herself by Bob in the multisig lock
2) Alice publishes 𝑇𝑜𝑓𝑓𝑒𝑟
𝑒𝑡ℎ
, which invokes the token
transfer in the treasury contract.
3) Bob publishes 𝑇𝑡𝑟𝑎𝑑𝑒
𝑒𝑡ℎ
,
locking 𝑒𝑡ℎ in the treasury
Ethereum
Bitcoin
Chain
Relay
Treasury
Contract
3) Alice publishes 𝑇𝑝𝑟𝑜𝑜𝑓
𝑒𝑡ℎ
, submitting 𝑇𝑙𝑜𝑐𝑘
𝑏𝑡𝑐
for
verification to the chain relay functionality of the
contract
2) Alice publishes 𝑇𝑥𝑙𝑜𝑐𝑘 (𝐴𝐼)
𝑏𝑡𝑐
which locks btc in a multisig with
the Issuer
4) The chain relay verifies 𝑇𝑙𝑜𝑐𝑘
𝑏𝑡𝑐
is included
in Bitcoin’s main chain for at least 𝑡 𝑐𝑜𝑛𝑡𝑒𝑠𝑡
5) Confirms inclusion to
treasury
ALICE ISSUER
6) Contract issues 𝑏𝑡𝑐 𝑒𝑡ℎand
declares Alice as owner
𝑝𝑘𝐼
𝑏𝑡𝑐
𝑝𝑘 𝐴
𝑏𝑡𝑐
𝑝𝑘𝐼
𝑒𝑡ℎ𝑝𝑘 𝐴
𝑒𝑡ℎ
1) Alice generates
Ethereum key pair
Precond.: Issuer has
collateral locked in
treasury
RedeemIssue
Protocols
Bitcoin
More details
on the
poster…
…and in the
paper!
Cryptology eprint
archive 2018/643