Original Post by Alex Coventry
- Cryptographic scheme where a group of signers can construct one signature
- Almost all calculations can be done by the signers before submitting to Ethereum.
- Consensus between signature participants is established independently of Ethereum.
- Chainlink's security can scale with no improvement in Eth throughput.
- Allows contracts to depend on larger observation sets.
- A group of participants can all agree and collectively sign it, off chain.
- With adjustments to Schnorr signatures, Chainlink is able to reduce the cost of on-chain verification.
- Uses Vitalik Buterin's “ecrecover trick” for abusing Eth authentication infrastructure to reduce on-chain verification cost to 15k gas.
- Uses kyber cryptography library (project of DEDIS group) for threshold signature scheme.
- Plans to set up a p2p network between oracles through which they can negotiate and construct threshold signatures.
What would the world be like if even strangers could be trusted to keep their commitments? How much collaboration and mutual aid go unrealized because it’s simply too hard to trust our commitments to each other? At Chainlink, we aim to find out, because our goal is to help people craft secure smart contracts which faithfully respond to real-world outcomes.
A smart contract on a blockchain like Ethereum’s can reliably reward or punish a participant as soon as their behavior has been proven. When operating correctly, that’s a much cheaper and safer form of enforcement than contract law. But to enforce commitments to real-world behavior which people actually care about, a smart contract needs trustworthy reports of relevant real-world events. For example, today you can make a smart contract reward solutions to certain math problems, but an insurance contract concerning real-world risks like drought needs to trust someone to tell it when the drought has happened.
It’s relatively easy to set up a smart contract which responds when someone posts a transaction reporting a real-world event, but by itself that’s an unreliable arrangement. As more and more value comes to depend on the outcome of that report, the incentive to corrupt it grows enormous. So we need a way to make it more expensive, ideally impossible, for any adversary to influence the report.
In some sense, this can be seen as a generalization of the goals of Bitcoin’s original consensus mechanism, and Bitcoin contains the kernel of the solution: To address the “double spend” problem, Bitcoin needs trustworthy observations of which Bitcoin transactions are valid, and the solution was a distributed consensus which weights participation by the “skin in the game” demonstrated by winning the proof-of-work lottery.
Chainlink’s current approach to real-world events is for a group of “oracles” to each report their observations to a smart contract which imputes an aggregate value. The more diverse this group is, the more observers an adversary has to suborn to corrupt the outcome, so the more secure the system becomes. The trouble is, having everyone report to the blockchain individually is quite expensive. Historically, on Ethereum, there have been 25 days when naive reports of this sort probably cost more than $1.50. So if you wanted confirmations from 2,000 participants, that might have cost over $3,000 on those days! A group committing to provide 2,000 verifications every day for a year could potentially face hundreds of thousands of dollars in gas costs, which would be feasible only for extremely high-margin contracts. Even at today’s prices, the total gas for a year of such reports would cost thousands of dollars.
At the same time, if you actually needed a specific group of 2,000 observers to confirm a report, any one of them could hold up the confirmation of a real-world observation by failing to send in their confirmation. So to ensure reports go through, we really want an arbitrary subset to confirm, say 2,000 out of 2,500. That way, 500 reports could fail, and the consensus value would still make it to the blockchain.
If this sounds a lot like multisig contracts, it is, but the gas costs of confirming a transaction in existing multisig wallets scale linearly in the number of participants. In this post, I’m going to describe threshold signatures, a cryptographic scheme where an arbitrary group of signers can construct one signature, as long as there are sufficiently many of them. This enables a huge efficiency gain, because almost all the calculation can be done by the signers before submitting to Ethereum, and what they actually end up submitting is very concise.
Our current best threshold signature scheme (described in this post) requires about 15k gas to confirm. This means, for instance, that the $3,000 data point I mentioned earlier would only cost about $2, a 1,500-fold savings (and at current gas/ETH prices, the cost would be a bit over one cent, vs about $17 for validation of a 2,000-strong quorum, using the current framework.)
The fact that consensus between signature participants is established independently of Ethereum (with very concise on-chain verification) also means that Chainlink’s security can scale with no improvement in Ethereum’s throughput. This will allow contracts to depend on much larger observation sets, because any sufficiently large subgroup of participants can all agree on an observed value and collectively sign it, off-chain. The limiting factor will become the cost of off-chain communication between participants during construction of the shared private key and the signatures (both of which grow as the square of the number of participants). And it’s likely possible to scale to an effective consensus even beyond that limit, using other methods we’ve been developing, and might discuss in a future blog post.
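To make the t-of-n idea in the last few paragraphs concrete, here is an added example of a threshold Schnorr signature: any t of n signers combine Shamir shares of one secret key into a single (R, s) pair, and the verifier runs one fixed-cost check against the group public key no matter how large the quorum was. This is illustrative code written for this page, not Chainlink's implementation and not the kyber library; it uses a toy 64-bit Schnorr group in Z_p* instead of secp256k1 and an ecrecover-based verifier, a trusted dealer stands in for the distributed key generation the post refers to, the nonce-commitment round that a deployable protocol needs is left out, and all function names, parameters and the sample report string are assumptions.

```python
# Added example, not code from the original post, from Chainlink or from kyber.
# t-of-n threshold Schnorr signatures over a toy Schnorr group (assumptions:
# group, dealer-based key split, names and sample message are illustrative).
import hashlib
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2            # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def schnorr_group(bits=64):
    """Toy group: safe prime p = 2q + 1 and g = 4, a generator of the order-q
    subgroup of quadratic residues. A real deployment would use a 2048-bit
    group or an elliptic curve; the signature math below is unchanged."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4                          # (p, q, g)


def lagrange_at_zero(ids, q):
    """lam[i] such that f(0) = sum(lam[i] * f(i)) mod q for any polynomial
    of degree < len(ids); this is how t shares reconstruct the secret."""
    lam = {}
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num = num * (-j) % q
                den = den * (i - j) % q
        lam[i] = num * pow(den, -1, q) % q
    return lam


def dealer_keygen(n, t, grp):
    """Trusted-dealer Shamir split of a fresh secret x among n signers with
    threshold t. A DKG (as in the post) would produce the same shares without
    any single party ever holding x; a dealer keeps this example short."""
    p, q, g = grp
    coeffs = [secrets.randbelow(q) for _ in range(t)]  # f(z) = x + c1 z + ... + c_{t-1} z^{t-1}
    shares = {i: sum(c * pow(i, k, q) for k, c in enumerate(coeffs)) % q
              for i in range(1, n + 1)}
    y = pow(g, coeffs[0], p)                        # group public key g^x
    return y, shares


def challenge(R, y, msg, q):
    """Fiat-Shamir challenge e = H(R || y || m) mod q."""
    h = hashlib.sha256(b"%d|%d|" % (R, y) + msg).digest()
    return int.from_bytes(h, "big") % q


def threshold_sign(shares, signer_ids, msg, grp, y):
    """Any t signers jointly produce one Schnorr signature (R, s) on msg.
    Round 1: each signer i reveals R_i = g^k_i; R is their product.
    Round 2: each signer publishes s_i = k_i + e * lam_i * share_i; s is the sum.
    Deployable protocols add a commit-then-reveal step for the R_i so a
    malicious signer cannot pick its nonce after seeing the others'; omitted."""
    p, q, g = grp
    lam = lagrange_at_zero(signer_ids, q)
    nonces = {i: secrets.randbelow(q - 1) + 1 for i in signer_ids}
    R = 1
    for i in signer_ids:
        R = R * pow(g, nonces[i], p) % p            # aggregate nonce commitment
    e = challenge(R, y, msg, q)
    s = sum(nonces[i] + e * lam[i] * shares[i] for i in signer_ids) % q
    return R, s


def verify(y, msg, sig, grp):
    """The single check a verifier (e.g. a contract) performs: g^s == R * y^e.
    Its cost is independent of how many signers took part."""
    p, q, g = grp
    R, s = sig
    if not (0 < R < p and 0 <= s < q):
        return False
    e = challenge(R, y, msg, q)
    return pow(g, s, p) == R * pow(y, e, p) % p


def demo(n=5, t=3, msg=b"ETH/USD=2000.00 @ block 1234567"):  # constructed sample report
    """3-of-5: two different quorums verify, a 2-signer subset and a tampered
    message do not."""
    grp = schnorr_group()
    y, shares = dealer_keygen(n, t, grp)
    sig = threshold_sign(shares, [1, 3, 5], msg, grp, y)
    return {
        "quorum_1_3_5": verify(y, msg, sig, grp),
        "quorum_2_4_5": verify(y, msg, threshold_sign(shares, [2, 4, 5], msg, grp, y), grp),
        "below_threshold_2_4": verify(y, msg, threshold_sign(shares, [2, 4], msg, grp, y), grp),
        "tampered_message": verify(y, msg + b"!", sig, grp),
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is the verifier: it receives only (R, s) and already knows y, so its work is two exponentiations and a multiplication whether 3 or 2,000 signers contributed, which is where the constant on-chain cost described above comes from. The quadratic off-chain cost the post mentions shows up in round 1 and round 2, where every signer's R_i and s_i must reach every other signer. With the curve group in place of Z_p*, g^s == R * y^e is the equation the contract has to check, and the ecrecover trick the post refers to is a way of evaluating it cheaply inside the EVM.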