Cross-chain atomic swaps

This post was first published on Medium.

The idea of the atomic swap, which enables the exchange of coins between two blockchains, was first presented on the BitcoinTalk forums in 2013.

These swaps are atomic in the sense that either both parties receive the other’s coins, or they both keep their own. There is no possibility of one side cheating the other. A swap does not rely on any trusted third party and eliminates counterparty risk.

There are many use cases. For example, they can serve as a basis for non-custodial exchanges, where users keep control of their funds while being able to trade them.

Basics

A bitcoin address is like a locked mailbox with a deposit slot. When Bob sends bitcoins to Alice, he puts them in the slot of mailbox A, with Alice’s “address.” Only Alice has the key to open the mailbox and retrieve the coins.

There are fancier locks than those that can be opened by a simple private key. These locks are Bitcoin smart contracts, which can stipulate arbitrarily complex locking conditions.

Hash locks

They can be unlocked by a secret code, like the PIN to unlock your phone. The secret is actually a value/preimage that hashes to a given value, which is displayed on the lock for everyone to see. The corresponding smart contract is a hash puzzle. Once the PIN/preimage is used to unlock, it is publicly visible on the blockchain.

Time locks

These locks cannot be opened until a predetermined time has arrived, expressed either as UNIX epoch time (seconds since January 1, 1970) or as a block height. The corresponding smart contract is called CheckLockTimeVerify.

Atomic Swap

Let us use these locks to swap Alice’s BSV coins and Bob’s BTC coins, based on a ratio they both agree on.

Setup

[Diagram: setup, showing Alice’s BSV coins and Bob’s BTC coins]

Alice puts BSV into Bob’s mailbox with a hash lock and she tells Bob the hash. Bob then puts BTC into Alice’s mailbox with the same hash lock. These two hash locks share the same PIN, which Alice generates and keeps hidden from Bob for now.

Swap

[Diagram: example of a swap between Alice and Bob]

Alice uses her private key A and the secret PIN to open mailbox A and acquire the BTC Bob deposited. Bob learns the PIN that Alice just revealed on the BTC blockchain. He can use the same PIN, together with his private key B, to open mailbox B and get the BSV Alice deposited. They have swapped their coins without any third party.

Opening one mailbox effectively gives the other party the ability to open the other mailbox. Alice cannot open her mailbox without Bob opening his.

What if Alice or Bob aborts?

[Diagram: refund]

If Bob does not put BTC into Mailbox A after Alice deposits BSV, her BSV is stuck. Similarly, if Alice does not enter her PIN after setup, Bob’s BTC coins are stuck, and so are Alice’s BSV coins. This is where the time lock comes in. Each mailbox has a fail-safe time lock, so coins can be refunded if nobody opens the mailbox in a timely fashion. For example, Bob can unlock Mailbox A with his key B after a certain time.

Note that Alice’s time lock on Mailbox B must be longer than Bob’s on Mailbox A. Otherwise Alice can wait until Mailbox B’s time lock expires, take her BSV coins back and use the PIN to open Mailbox A and take Bob’s BTC deposit.

Hash Time-Locked Contracts (HTLC)

Atomic swaps use a smart contract called a Hash Time-Locked Contract (HTLC), so named because it combines a hash lock with a time lock.

  • In BSV, HTLC can be implemented in sCrypt as below.

[Image: HTLC contract in sCrypt]

There are two ways to call the contract, i.e., open the mailbox:

  1. unlock(): swap succeeds using PIN
  2. cancel(): swap does not happen and coins are refunded. this.ctx is the ScriptContext, which allows access to the locktime of the spending transaction.

  • In BTC, HTLC can be implemented as follows.

It also has two ways to unlock and uses OP_CHECKLOCKTIMEVERIFY in the time lock branch. Script is used instead of sCrypt, since BTC disables many opcodes.

Full Protocol Sequence

In summary, an atomic swap protocol between BSV and BTC can be executed following these steps.

  1. Alice generates a secure random number x and computes its hash: h = SHA256(x). Alice sends h to Bob. Alice locks up coins in an HTLC on BSV, which can be unlocked in one of two ways: 1) a value that hashes to h and Bob’s signature; 2) Alice’s signature after, say, 24 hours. Alice deploys the contract by broadcasting a transaction to the BSV network.
  2. Bob locks up coins in an HTLC on BTC, which can be unlocked in one of two ways: 1) a value that hashes to h and Alice’s signature; 2) Bob’s signature after, say, 48 hours. Bob deploys the contract by broadcasting a transaction to the BTC network.
  3. Upon confirming Bob’s transaction, Alice claims the BTC by providing x and her signature.
  4. Bob, observing x on BTC, uses x and his signature to claim BSV.

If Step 3 or 4 does not happen, both can take back their coins after the time locks expire.

Generalization

We have demonstrated how to atomically swap coins across the BSV and BTC blockchains. Any two blockchains can support cross-chain atomic swaps, as long as they support HTLC, i.e., have the same hash function and support time locks. For example, the following swaps have been implemented:

Surprisingly, atomic swap is even possible on a blockchain without HTLC, such as Monero. Using advanced cryptography, atomic swaps may even be possible for any blockchain, as long as it can verify signatures.

[1] Diagrams are adapted from Cross-Chain Atomic Swaps, https://bcoin.io/guides/swaps.html
