Oracle Address proposal #99
Comments
|
Looking at this retrospectively, i should probably encode the timestamp the same way Lightning invoices do rather than allocating a unique tag. Give me a 👍 on this comment if you agree EDIT:
|
|
Oracle and nonce should be encoded separately.
There is two distinct UX step:
Both steps are distinct, thus having a single address concatenating both the nonce and the oraclepubkey is useless, this is not how it will be actually used. |
So this is discussed on #93, maybe we can make the pubkey optional? Besides the pubkey encoding, do you have any other objections? What is your opinion on a signature? |
Given what you laid out, I think it is still fine to include the oracle public key. By including the pubkey you can have the user enter oracle address into the software and it can look up if that pubkey is considered trusted or not. If not then it can display a pop-up saying something like |
|
So I think that you need some way of referencing the oracle in the address ... otherwise it is just a random nonce, and including the oracle pubkey seems a sane way to do this. Furthermore, for both Nicolas' and Ben's considerations, it is vitally important to add the oracle's signature of this address as otherwise the entire concept of an address is useless and redundant. It could instead be replaced by communicating an oracle and that oracle's broadcast of the given event (whether that be a URI or otherwise) as there is no reason to trust someone's unsigned address for anything and you're going to have to go validate this data from the source if it is not covered by a signature. |
|
Furthermore, wrt #55 The descriptor's serialization should match that of the proposal, and a URI is missing from this proposal. |
|
Oooh, another neat thing might be to allow for an optional contract info TLV field, meaning that users could take the "address" broadcasted by an oracle and add a tag with their bet parameters on there and then pass that along as a full oracle + contract info |
No you don't. The nonce has been fetched from the oracle in some way (be it by pulling some event descriptor on their server, or via twitter) Basically right now in NDLC, I have events add "Olivia/EventName" "nonce" "outcome1" "outcomen"....When there is a oracle's feed, it would be something like oracle pull "Olivia"Your point is that we can replace events add "Olivia/EventName" "nonce" "outcome1" "outcomen"....with events add "EventName" "oracleAddress" "outcome1" "outcomen"....Not only the benefit is marginal, and only useful in the case there is no "oracle feed". On top of this, as @nkohen indicated, this because complex because what if the user think the event is from Olivia, but instead it is from another oracle that he trusts. It would add the event without warning that it is not the oracle he meant to, and the signature would not even help on that. |
Yes, if you are directly fetching it from their website/twitter/official source of information why not let the oracle rotate a key if they chose? This exact same concept applies to bitcoin addresses. If you are not receiving it from the oracle itself you ask the oracle if this information is real. If you are about to send money to a bitcoin address, you should ask the intended recipient if the address is actually owned by them.
I think we are all in agreement you should fetch oracle information directly from the oracle, this issue is about making it easier for user's to copy and paste this information into their wallet software. Just like with bitcoin addresses, your wallet software could make API calls out to an exchange/BTCPayServer to fetch addresses, but it's a lot easier in my opinion just to copy paste and this is what most users do.
The outcomes are encoded in the oracle address as well so it would just look like
if I understand what you are doing. Maybe we can even add the |
Because in this case we don't need DLC. The whole point of DLC is that the private key of the oracle get revealed if there is two outcomes attested. If you don't need this feature, the protocol can be considerably simpler, and I would agree with the rest of the point you make. But given DLC is done so that the oracle's identity is tied to the pubkey (so he has something big to lose if it is malicious), the identity is separate from the event. |
@nkohen @Christewart Mainly it looks fine to me, though one concern I have is if it is really a good idea to include the full outcome list in the address. I though it would commit to it so that a user could verify if outcomes given to him are certified by the oracle (like just a hash of the TLV).
@NicolasDorier I might be wrong, but I think an advantage of having an address scheme + a signature of the oracle tvalidating it is that you could validate that information given to you from a third party (e.g. your counter-party) is actually from an oracle.
That seems more like a UX concern, the application should probably display which oracle is being used in any case. |
The information should not be given by a third party in the first place. If it is delivered by a third party (say a future event aggregator), the best is a basic "event descriptor" which is signed by the public key of the oracle. This can be a file, no need of a string for that. But even with this case, the oracle need to reveal his own public key separately. Last point: The "Oracle|Nonce" address does not cover the case where there is multiple nonce for the same event, which you need for attesting a number. |
The motivation for this would be to have oracle information shared across the network instead of accessed directly on a server as it would greatly improve privacy. Hard to hide that you're doing an event on X when you explicitly request information on it. It's not a short term objective but I think it's good to keep it in mind. My understanding of the proposal is that the address would include the descriptor and signature over it inside the address, although I have reserved on this point and I might be misunderstanding. The multiple nonce issue can probably be solved, I don't see that as a big issue. |
This property still holds true even if you rotate keys (the fresh private key gets revealed)
As we have said in previous threads, the oracle needs to allow the ability to for users to validate that they own the private key associated pubkey. Thus a business such as an exchange or an individual will still have their identity tied to this lie. I still think it's regressive to punish all users of the oracle if they are incompetent in key management. If they are malicious, it will be cryptographically provable. Unfortunately there is no way to distinguish between incompetent and malicious as an external third party. |
|
Just chiming in. I agree with #99 (comment). I think oracles should have human readable identifiers. It's the software's job to associate the oracle id with the public key and parties engaging in the protocol shouldn't send the public key around to each other (or remember what they look like). My preference for oracle id is just a hostname -- from there you can gets its public key via https. I know that people here have expressed a preference for not making a http endpoint for an oracle mandatory (they could publish stuff through twitter for example). I guess that's fine but maybe Implementations can always have a manual way to add an oracle id + public key but I don't see the need for a standardized format here. How to specify/serialize and sign/verify the announcement data (i.e. nonce and other stuff) does need a specification though but that's a separate issue. |
|
One thing that came out of #101 is that there really is two different steps here:
|
Is it necessary to have the human readable part as |
I wanted to open this up as an issue before i do a formal writeup to get this in front of people to see what people think:
All code can be found here: https://github.com/Christewart/bitcoin-s-core/tree/2020-09-17-oracle-address
The address that I am generating is based off of @Tibo-lg 's 'event descriptor': https://github.com/discreetlogcontracts/dlcspecs/blob/ac046f44f610bc7335a2853178d58e7a8b90423d/Oracle.md#event-descriptor
Here is what an address would look like:
As you can see this is Bech32 encoded string that contains
oracle1between the HRP and payload (according to BIP173 this is the only separator)gp50v8mlfermwpqyc5hpm29733s20wxr0kv8czj75vuecp3ahp07jtsep5h72c90989kkzxpx0y29up0hq6mtnaw4sz5dgn25mnw7x0fe2e7wqmqdqqqqqqzl5zwcq0qgwd6kumne0q2vdkx7aty0y0qgwfskjmnege9q2xPayload breakdown
Here are the fields I currently have encoded in the payload
7b0fbfa723db820262970ed45f463053dc61becc3e052f519cce031edc2ff497)bf9582bca72dac2304cf228bc0bee0d6d73ebab0151a89aa9b9bbc67a72acf9c)[sunny, cloudy, rainy])2020-11-03or1604361600) in seconds since the epoch.Encoding/Decoding
For this initial work I've just coopted the Lightning Invoice encoding scheme. I've created new tagged fields according to the BOLT11 spec.
The new tags are
Each Tagged Field is of the form:
type(5 bits)data_length(10 bits, big-endian)data(data_lengthx 5 bits)g(1):data_length52. The 256 bit public key associated with the oracle.e(1):data_length52. The 256 bit nonce associated with the event the oracle is attesting to.0(1):data_lengthvariable. The outcomes that an oracle is attesting to such as[sunny, cloudy, rainy](we should probably add a size restriction?)m(1):data_length91. The maturation time encoded as seconds since epoch (same astimestamp) in LN Invoice.Finally from the address above here is the breakdown for each of the tags:
Schnorr Public Key
Schnorr Nonce
Outcomes
0qgwd6kumne0q2vdkx7aty0y0qgwfskjmneReasoning for choosing the LN invoice format
Including a signature on the address?
I'm not sure how I feel about this, you still need to validate the public key in some way, and as @nkohen mentioned can't do public key recovery from BIP340 signatures :-(.
The text was updated successfully, but these errors were encountered: