Satoshi Nakamoto: Smart contracts? Bitcoin comes with

Preface: After writing this, I showed it to my programmer friends. 85% of them said their IQ was not high enough and that no normal person could read to the last paragraph. I can only say that I tried my best.

If you are Satoshi Nakamoto

If you are Satoshi Nakamoto in 2009, you have found a solution to the double-spending problem, and now you have to design a transfer function for Bitcoin. What would you do? My design would be like this:

The sender broadcasts a message to the Bitcoin network that reads: "Transfer 1 BTC from address A to address B, signed with the private key of address A." Each node on the network receives the broadcast and verifies that the signature is valid. 1 BTC is then deducted from address A and 1 BTC is added to address B.

Simple and clear, right? I guess your design is probably similar to mine. Fortunately, neither you nor I are Satoshi Nakamoto. If it were such a design, the potential of Bitcoin would be greatly reduced, and we would not be able to see the booming development of the blockchain field today. Let's take a look at Satoshi Nakamoto's design:

The sender sends a broadcast to the Bitcoin network, the content of which is as follows: "I want to transfer 1 BTC, and I can provide a script that can be used as a key to open the lock on this 1 BTC; at the same time, I will add a new lock to this 1 BTC according to the recipient's request."

Each node on the network receives the broadcast, runs the script, and finds that it can indeed "unlock". So according to the sender's instructions, a "new lock" is put on the bitcoin, and the bitcoin has a new owner. When the recipient wants to use this 1 BTC, he only needs to provide a new script as the key to open the new lock.

At first glance, Satoshi Nakamoto's design seems very cumbersome and counterintuitive, but it makes a lot of sense. A script is a simple computer language, like JavaScript. Bitcoin scripts can express very flexible conditions, far beyond one-to-one transfers. For example: A can stipulate that the recipient B and the guarantor C must both sign to control a certain Bitcoin (escrow), or that any two signatures of B, C and D suffice (joint account); A can stipulate that B must wait one year before spending a certain Bitcoin (delayed payment), or that anyone can spend it (giving money away), or that no one can (burning money). With this built-in scripting language you can flexibly write a variety of agreements, which are in fact simple smart contracts. The contract system written in Bitcoin script makes Bitcoin the first programmable currency in human history.

The real Satoshi Nakamoto said this

In 2010, after discovering Bitcoin’s built-in script system, someone posted on BitcoinTalk expressing surprise and confusion: “The Bitcoin script makes me a little nervous. It’s too complicated, and complexity is the enemy of security.” This person was none other than Gavin Andresen, who later became Satoshi Nakamoto’s successor. Satoshi Nakamoto responded to him like this:

The general idea is: I hope that Bitcoin will have a stable architecture from version 0.1, with no underlying changes needed in the future. In the years I spent designing Bitcoin, I found that only a script system could support the various complex transaction types I wanted to support: escrow transactions, bonded contracts, third-party arbitration, multi-party signatures, etc.

If it were today, perhaps Satoshi Nakamoto would directly say: "Bitcoin needs scripts, and with scripts, there are smart contracts."

Let me digress. This thread is only 9 posts long, but it can be regarded as an important dialogue in the history of blockchain technology. In the 8th reply someone asks "Does Bitcoin's script system mean that users can issue custom assets?" That person's ID is bytemaster, who later founded BitShares, which can issue user-defined assets. Gavin replied in the 9th post:

"I don't think you need scripts to do something like that. Just send a bitcoin to yourself, and then declare that transaction is the root transaction for My Valuable Asset."

This is probably the first time the concept of colored coins has been proposed.

The True Face of Bitcoin Script

After so much nonsense, let's get to the meat of the matter. Now please treat your brain as a stack-based interpreter and virtual machine to see how Bitcoin scripts actually work. Verifying a typical standard Bitcoin transaction (Pay-to-Public-Key-Hash) means executing a script like this:

scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
(scriptPubKey is the script "lock" on the 1 BTC in the earlier analogy)
scriptSig: <sig> <pubKey>
(scriptSig is the script "key" provided by sender A in the earlier analogy)

The node first pushes the items of scriptSig onto the stack and then runs scriptPubKey against that same stack. If the value left on top is true, verification has succeeded and A has the right to control the bitcoin. The Bitcoin network then puts a "new lock" on the bitcoin according to A's instructions, and the transfer is complete.

Limitations of Bitcoin Script

In order to keep Bitcoin forward-compatible, simple and stable, Bitcoin developers have imposed many restrictions on its scripts. For example, there are no loop statements, and the Bitcoin Core client currently accepts only 5 fixed-form standard scripts. This is partly historical baggage and partly because the Bitcoin development team tends to be conservative and favours robustness.

Some of you may know that we are developing a blockchain protocol for registering, managing and trading equity: Antshares. Antshares reuses the main architecture of Bitcoin, including the script system. On top of this, Antshares draws on Bitcoin Improvement Proposal BIP12, proposed by Gavin Andresen, and adds an OP_EVAL instruction. Let's first look at how the standard transaction (Pay-to-Script-Hash) works under Antshares, using a 2-of-3 multi-signature redeem script:

scriptPubKey: OP_DUP OP_HASH160 <redeemScriptHash> OP_EQUALVERIFY OP_EVAL
scriptSig: <sig1> <sig2> <redeemScript>
redeemScript: OP_2 <pubKey1> <pubKey2> <pubKey3> OP_3 OP_CHECKMULTISIG

Bitcoin Script + BIP12 = Turing Complete

The addition of the OP_EVAL instruction gives Antshares a Turing-complete scripting system, which makes more complex smart contracts possible.

Turing completeness refers to a computing system that can compute every Turing-computable function. In other words, Turing completeness lets our script system solve every computable problem. On the one hand this brings powerful processing ability; on the other hand it makes static analysis of scripts impossible in general: we can never know whether or when a script will halt unless we actually execute it.

Every node in the Bitcoin network must execute the script in every transaction, which requires the design of the Bitcoin script system to be sufficiently streamlined. As a peer-to-peer electronic cash system, Bitcoin does not really need a more complex script system.

Antshares adopts a Turing-complete scripting solution and avoids the problems that Turing completeness brings through the following two methods:

  1. Limit the number of steps each script may execute. As soon as a script exceeds the limit, verification fails immediately. Since every node verifies a transaction before relaying it, a script that exceeds the step limit is dropped by the first node that sees it and never burdens the rest of the network.

  2. Charge higher fees for transactions with many execution steps, so that denial-of-service attacks built from deliberately complex scripts become expensive to mount.
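As an added example (not code from the post or from Antshares), here is a toy stack interpreter that runs scriptSig and then scriptPubKey on one shared stack, with a BIP12-style OP_EVAL and a per-transaction step limit, so that both the P2PKH verification shown earlier and the step-limit defence can be traced by hand. HASH160, OP_CHECKSIG and the limit of 100 steps are labelled stand-ins, not the real algorithms or Antshares' actual value.

```python
import hashlib

STEP_LIMIT = 100  # assumed value; the post does not state Antshares' limit


def hash160(data: bytes) -> bytes:
    # Stand-in: SHA-256 truncated to 20 bytes (real HASH160 is RIPEMD160(SHA256(x)))
    return hashlib.sha256(data).digest()[:20]


def toy_checksig(sig: bytes, pubkey: bytes, txhash: bytes) -> bool:
    # Stand-in for ECDSA verification: a keyed hash, NOT a real signature scheme
    return sig == hashlib.sha256(b"sign" + pubkey + txhash).digest()


class ScriptError(Exception):
    pass


def run(script, stack, txhash, steps):
    """Execute one script; `steps` is a one-element list shared across OP_EVAL calls."""
    for item in script:
        steps[0] += 1
        if steps[0] > STEP_LIMIT:
            raise ScriptError("step limit exceeded")  # verification fails
        if isinstance(item, (bytes, list)):
            stack.append(item)  # data push; a nested list is a serialized script
        elif item == "OP_DUP":
            stack.append(stack[-1])
        elif item == "OP_HASH160":
            stack.append(hash160(stack.pop()))
        elif item == "OP_EQUALVERIFY":
            if stack.pop() != stack.pop():
                raise ScriptError("EQUALVERIFY failed")
        elif item == "OP_CHECKSIG":
            pubkey, sig = stack.pop(), stack.pop()
            stack.append(toy_checksig(sig, pubkey, txhash))
        elif item == "OP_EVAL":
            run(stack.pop(), stack, txhash, steps)  # BIP12: pop a script and execute it
        else:
            raise ScriptError(f"unknown opcode {item}")


def verify(script_sig, script_pubkey, txhash) -> bool:
    """True only if both scripts finish within the step limit leaving true on top."""
    stack, steps = [], [0]
    try:
        run(script_sig, stack, txhash, steps)
        run(script_pubkey, stack, txhash, steps)
    except (ScriptError, IndexError):  # IndexError = stack underflow
        return False
    return bool(stack) and stack[-1] is True


# Constructed P2PKH transaction
TXHASH = hashlib.sha256(b"constructed tx").digest()
PUBKEY = b"constructed pubkey"
SIG = hashlib.sha256(b"sign" + PUBKEY + TXHASH).digest()
P2PKH_LOCK = ["OP_DUP", "OP_HASH160", hash160(PUBKEY), "OP_EQUALVERIFY", "OP_CHECKSIG"]
P2PKH_KEY = [SIG, PUBKEY]

# Constructed script that never halts: it duplicates itself and OP_EVALs the copy
LOOP = ["OP_DUP", "OP_EVAL"]
```

Running `verify(P2PKH_KEY, P2PKH_LOCK, TXHASH)` succeeds in 7 steps, while `verify([LOOP], LOOP, TXHASH)` would recurse forever and is instead rejected once the step counter passes the limit.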

After solving the problems caused by Turing completeness, Antshares' script system can be applied to the following scenarios:

  1. Smart contracts: check the conditions of a contract and automatically execute its terms when they are met, for example equity-pledge loans;

  2. More advanced permission management: use scripts to assign permissions to the keys involved in signing, allowing finer-grained control than plain m-of-n;

  3. Lottery: a script can work together with the strong random numbers in the Antshares blockchain to implement a lottery;

  4. Others: Turing completeness means that any function you can think of can be implemented.
