Timed Commitment

Assume that Alice wants to choose a secret s, and reveal it after some time – while guaranteeing that the revealed value corresponds to the chosen secret (or paying a penalty otherwise). This can be obtained through a timed commitment, a protocol with applications e.g. in gambling games, where the secret contains the player move, and the delay in the revelation of the secret is intended to prevent other players from altering the outcome of the game.

Intuitively, Alice starts by exposing the hash of the secret, i.e. h = H(s), and at the same time depositing some amount deposit in a transaction. The participant Bob has the guarantee that after the date dateLock, he will either know the secret s, or he will be able to redeem deposit BTC.

The transactions of the protocol are shown below, where create a fictional transaction A_funds redeemable by Alice.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
package tc

// definitions
const fee = 0.00113 BTC
const secret = 42
const hash = hash160(secret)
const deposit = 10 BTC
const dateLock = 2018-04-10

// Alice and Bob's private keys
const kA = wif:cSthBXr8YQAexpKeh22LB9PdextVE1UJeahmyns5LzcmMDSy59L4
const kB = wif:cQtkW1zgFCckRYvJ2Nm8rryV825GyDJ51qoJCw72rhHG4YmGfYgZ

// tx with your funds, redeemable with kA
transaction A_funds { input = _ output = 20 BTC: fun(sigma) . versig(kA; sigma)}

transaction T_commit {
    input = A_funds: sig(kA)
    output = deposit - fee:
        fun(x,s:int) . hash160(s) == hash && versig(kA;x)
            || after date dateLock : versig(kB;x)
}

transaction T_reveal {
    input =  T_commit: sig(kA) secret
    output = deposit - fee*2: fun(x) . versig(kA;x)
}

transaction T_timeout {
    input = T_commit: sig(kB) 0
    output = deposit - fee*2: fun(x) . versig(kB;x)
    timelock = after date dateLock
}

compile T_commit T_reveal T_timeout

Alice starts by putting the transaction T_commit on the blockchain. Note that within this transaction Alice is committing the hash of the chosen secret: indeed, h is encoded within the script of the output of the transaction. This transaction can be redeemed either by Alice by revealing the secret, or by Bob, but only when the date dateLock has passed. This constraint is encoded in the script with the expression after date dateLock : ....

After T_commit appears on the blockchain, Alice chooses whether to reveal the secret, or do nothing. In the first case, she must put the transaction T_reveal on the blockchain. Since it redeems T_commit , she needs to write in its witness both the secret s and her signature, so making the former public.

In this smart contract, Bob waits for the T_commit to appear in the blockchain. If, after date dateLock, Alice has not published T_reveal yet, Bob can proceed to put T_timeout on the blockchain, writing his own signatures in the witness. Otherwise, Bob retrieves T_reveal from the blockchain, from which he can obtain the secret.