Cross Chain Atomic Swaps in the Absence of Time via
Attribute Verifiable Timed Commitments
Yacov Manevich
University of Haifa, Israel
[email protected]
[email protected]
Abstract—A Hash Time Lock Contract (HTLC) is a protocol
that is commonly used to exchange payments across different
blockchains. Using HTLC as a building block for cross
blockchain atomic swaps has its drawbacks: The notion of
time is handled differently in each blockchain, be it private
or public. Additionally, if the swap ends up aborted, the
funds are locked in escrow until the safety timeout expires.
In this work we formulate a new cryptographic primi-
tive: Attribute Verifiable Timed Commitment which enables to
prove that a timed commitment commits to a value which
possesses certain attributes. Using our cryptographic prim-
itive, we describe a new cross chain atomic swap protocol
that operates without blockchain derived time and unlike
the state of the art, all parties can instantly abort the swap
without waiting for the safety timeouts to expire.
In order to prove in zero knowledge that a secret
committed to using a timed commitment has a claimed hash
value, we employ the ”MPC in the head” technique by Ishai
et al. and implement our zero-knowledge proof protocol and
evaluate its performance. As part of our techniques, we
develop a novel and efficient procedure for integer Lower-
Than validation in arithmetic circuits which may be of
independent interest.
Index Terms—Cryptography, Blockchain, Zero-Knowledge
Proofs, Cross Chain Swaps, Multi-Party Computation
1. Introduction
Blockchains are distributed systems that replicate
transactions among distrusting and sometimes opposing
parties. While it is common practice to exchange assets or
currency among participants of the blockchain, engaging
in a similar deal across different blockchains is a more
involved matter, in which the exchange needs to take place
in both blockchains, and ideally without utilizing a trusted
third party. Such a protocol is called a cross chain atomic
swap.
1.1. Cross Chain Swaps
An atomic swap protocol ensures that if all parties
comply with the protocol, a swap takes place and each
party exchanges its asset with what the counter-party
offers in return. On the other hand, if some party strays
from the protocol then the swap ends up aborted, and
the system state is left intact. In blockchains, a common
solution for atomic swaps is having each party use a Hash
Time Lock Contract.
Adi Akavia
University of Haifa, Israel
A Hash Time Lock Contract (HTLC) is a technique
of payment in which a depositor can pay a recipient
funds by placing them in an escrow state that can be
claimed by the recipient only if the latter presents a pre-
image of a cryptographic hash function in a transaction.
To prevent the funds from being held in escrow for ever,
each HTLC has a time limit (a timeout) after which the
funds are returned to the depositor. We outline the standard
technique of performing a cross chain atomic swap using
HTLC in Section 3.1 in the preliminaries.
1.1.1. Timeouts. An HTLC has a timeout up to which the
funds are locked. This is needed in order to enforce that
a party will not be able to spend the funds it deposited
in escrow while claiming the funds of the counter-party.
A downside of using HTLCs as the building block of
atomic swaps is that in case the swap ends up aborted
(for example, the initiator of the swap has a change of
heart) then the funds of both parties are stuck in escrow
until their corresponding timeouts expire.
1.1.2. Blockchain Derived Time. Each blockchain
(whether it is permissionless or permissioned) has its own
different time management and some like Hyperledger
Fabric [12], [34] don’t even have such. This poses as
an obstacle for using HTLCs as an effective building
block for cross blockchain swaps. In particular, in some
blockchains it is not possible to make a transaction valid
only during a certain time frame, or to derive the time from
the blockchain height. Therefore, we ask the following
question:
Can we build a protocol for cross blockchain atomic
swaps without using the blockchain as a source of time?
We answer the question in the affirmative by intro-
ducing a new cryptographic primitive which disposes the
need to rely on blockchain derived time in cross chain
atomic swaps.
1.2. Our Contribution
1.2.1. AVTC. We introduce a new cryptographic primitive
that we call an Attribute Verifiable Timed Commitment
(AVTC). In layman’s terms, a timed commitment [15] is
a commitment that can be forcibly opened by the receiver
without interaction with the sender (committer) by invest-
ing a predefined amount of sequential computation. An
AVTC can be thought of an enhanced timed commitment
where the receiver can be convinced by the sender that
the committed secret possesses some attribute, as part of
the reception of the commitment.
Our main contribution is the AVTC cryptographic
primitive. To construct an AVTC, we augment the timed
commitment with an interactive zero knowledge proof for
arbitrary properties of the value that is committed to. Our
construction prioritizes minimizing computation time for
both the prover and verifier and leverages the ”MPC in
the head” technique of Ishai et al [30], and entails a novel
technique for Lower-Than validation in arithmetic circuits
that doesn’t require bit decomposition, which may be of
independent interest. We implement the zero-knowledge
proof of AVTC in C and evaluate its performance under
different security configurations.
1.2.2. Blockchain time-agnostic swap. Our second con-
tribution is a novel cross chain atomic swap protocol that
operates without blockchain time, which is made possible
by using AVTC in a black box manner. We show that
our protocol is not only “blockchain agnostic”, but has an
additional beneficial property: our protocol allows parties
to instantly abort the swap if both parties cooperate, while
the current state of the art requires parties to wait until the
timeouts expire, keeping their funds idly locked in escrow
in the meanwhile. The downside of our protocol is that in
case the parties do not cooperate in the abort procedure,
they need to invest a moderate (several dozens of minutes
to a couple of hours) time period of serial computation,
whereas in the standard cross chain swap it is sufficient
to wait that same time period.
1.3. Overview of Our Techniques
Our cross chain atomic swap protocol entails replacing
the time based reclamation condition of the HTLC with
revealing a pre-image of a hash function. More specif-
ically, each party gives the counter-party an AVTC and
a hash. The counter-party escrows its funds with the
reclamation condition of revealing the pre-image of the
hash, which it can open only after a predetermined amount
of computation steps. The AVTC primitive ensures that the
hash pre-image can indeed be revealed after investing the
computation steps, which prevents a malicious party from
causing the counter party’s funds to be locked in escrow
forever.
Our AVTC primitive is realized by the timed com-
mitment technique of Boneh and Naor, coupled with an
interactive zero knowledge proof between both parties of
the swap. The zero-knowledge proof of the AVTC is based
on the ”MPC in the head” technique of Ishai et al. [30]. In
the zero-knowledge proof, we perform efficient modular
exponentiation by employing a novel technique for LSB
extraction, which straightforwardly leads to an efficient
comparison protocol. The LSB extraction’s salient prop-
erty is the prover acting as a dealer and distributing among
the parties blinded plaintext shares of all bits but the LSB
itself.
1.4. Paper Organization
The paper is organized as follows: In Section 2 we
discuss related work in cross chain atomic swaps and
time based cryptography. In Section 3 we outline the
state of affairs regarding Hash Time Lock Contracts, give
an introduction to Boneh and Naor’s timed commitment
scheme, and briefly explain the transformation from multi-
party computation to zero knowledge proofs (“MPC in the
head”), in sections 4 and 5 we describe our protocol for
cross chain atomic swap and explain our proposed AVTC
primitive. We conclude our work in Section 6.
2. Related Work
2.1. Blockchain Based Time Derivation
In this section we discuss different approaches for
time that exist in blockchains, as well as time-related
cryptography.
2.1.1. Permissionless Blockchains. Time in permission-
less blockchains is often calculated at a very coarse
grained level, a fact that forces the parties to have high
timeouts (several hours at best): Bitcoin: The median time
of the last 11 blocks [4], where a block is created on
average once per 10 minutes. Ethereum: In Ethereum, the
block timestamp is set by the node that mined the block,
and the validity rules dictate that the timestamp should
be monotonously ascending and each block’s timestamp
is earlier than 15 minutes into the future from the current
time.
2.1.2. Permissioned Blockchains. Permissioned
blockchains block production rate varies according
to the transaction load [34], therefore it is impossible
to correlate a number of blocks produced with time.
There are no standards of how the notion of time is
defined in permissioned blockchains: Tendermint: In
Tendermint [10], applications can define a “locktime”
which is the number of blocks passed after contract
creation. However this compromises the safety in the
event of an system outage in which no blocks are
being created. Hyperledger Fabric: Blocks do not carry
timestamps [12]. Mitra et al. [34] proposed a mechanism
to assign timestamps to the blocks by modifications to
post consensus validation. Sawtooth: In Hyperledger
Sawtooth [8], there is no block timestamp by default,
but the nodes can be configured to artificially inject a
“Blockchain Info” transaction that contains a timestamp,
at the beginning at every block (see [9]).
2.1.3. Scientific Literature. There have been several
proposals for cross chain swaps that do not fully de-
pend on blockchain based time derivation. Deneuville
et al. [47] proposed an asymmetric protocol in which
one blockchain can verify transactions being put on the
second blockchain, however, one of the blockchains still
relies on blockchain derived time. Interledger [6] proposed
a protocol based on connector entities that have access
to both blockchains, and is also time reliant for escrow
release.
2.2. Time Based Cryptography
The main time-based cryptographic primitive that is
used in our work, is the ”Timed Commitment” of Boneh
and Naor [15], and is explained in Section 3.2 . We give
an overview on other cryptographic primitives that possess
time-related guarantees.
2.2.1. Verifiable Delay Functions. Proofs that verify a
computation took a certain amount of steps have been
studied in the past in the context of Verifiable Delay
Functions (VDF) [14] [38] [46].
Replacing AVTC with a VDF is possible, however it
would take away an important advantage of our protocol:
interoperability. In our protocol, the computations done in
the blockchain are invocations of hash functions, and the
heavy lifting is done in the application layer. In contrast,
using a VDF would require the blockchain software to be
able to validate the VDF proof, which requires introducing
new software into the blockchain validation mechanisms,
thus hindering adoption and making it impossible to be
integrated to conservative blockchains.
2.2.2. Timed Fair Exchange of Signatures. Garay et
al. [22] and Boneh at al. [15] both proposed interactive
protocols for timed fair exchange of signatures. Those
protocols, however, do not protect the counter-party from
a malicious abort that wastes computation time that is
linear in the total protocol runtime.
2.2.3. Multi-Party Timed Commitment. Doweck and
Eyal [21] constructed a Multi-Party Timed Commitment
(MPTC) that enables several parties to jointly commit to
a secret to be later opened by a designated party via
brute-force computation. The MPTC primitive of [21]
does not allow one to prove an attributes the committed
secret, unlike our AVTC primitive. The MPTC commit-
ment brute-force opening is trivially parallelizable, unlike
our AVTC primitive which is not (under number-theoretic
assumptions, see Definition 5). Consequently, we note
that in our cross-chain atomic swap protocol, our AVTC
primitive cannot be substituted with an MPTC because we
require that the commitment brute-force opening cannot
be done via parallel computation, as it would harm the
security of our atomic swap protocol.
2.2.4. Gage Time Capsules. Almashaqbeh, Benhamouda,
et al. [11] constructed a Gage Time Capsule (GaTC) which
allows a party to commit to a value that others are able to
reveal at a designated total computational cost, and that
computation is expected to be parallelized among different
parties which are incentivised to try out different random
decommitment values, and claim a monetary reward in
exchange for their work. While their primitive (GaTC)
seems similar to our AVTC primitive, we note the salient
differences:
• Brute-forcing a GaTC can be parallelized, and thus,
parties with access to parallel computing power gain
significant advantage over others. In contrast, brute-
forcing an AVTC cannot be parallelized (under number-
theoretic assumptions, see Definition 5), and this prop-
erty is crucial to the security of our novel cross-chain
atomic swap protocol described in Section 4.
• The GaTC zero-knowledge proof does not prove any
attribute of the secret that is committed to. Rather, it
contains only a proof of opening. In contrast, our AVTC
primitive, proves that a committed secret, possesses an
attribute of the committer’s choice.
• The GaTC committer does not prove to a counter-party
that the commitment can be opened within a timely
manner. Rather, it assumes a semi-honest model on the
committer of the GaTC. In contrast, our AVTC primitive
only assumes number theoretical assumptions (see Def-
inition 5), and protects against malicious committers by
enforcing honest behavior via zero-knowledge proofs.
We note that the authors of [11] mention this and state
that their semi-honest committer assumption can be
eliminated by using zero-knowledge proofs.
• A party that opened a GaTC can prove in zero-
knowledge that it did so. While our technique doesn’t
focus on such an ability, we note that our technique can
be trivially extended to facilitate that. Indeed, a party
that has forcefully extracted the input for F (as depicted
in Figure 2) has the required information to play as the
prover of the AVTC.
2.2.5. Homomorphic Time-Lock Puzzles (HTLP).
Malavolta et al. [33] constructed variations of time-lock
puzzles that each is homomorphic to an operation1 such as
addition in ZN or multiplication in JN (where JN denotes
elements in Z∗N with Jacobi symbol +1).
As in the timed commitment, the HT LP has a setup
phase that generates public parameters. However, in the
timed commitment the sender proves to the receiver that
the forced open (denoted as Solve in HTLP) indeed
yields the committed value within the claimed number of
computation steps. As we’ll see below, it is not the case
in HTLP. We elaborate on one of the variations of HTLP,
Linearly Homomorphic Time Lock Puzzle (LHTLP) as it
is used as a building block for higher level applications
which we discuss later in this section. A Linearly Ho-
momorphic Time Lock Puzzle (LHTLP) is a tuple of the
four algorithms below:
λ
• pp ← Setup(1 , T ) On input of security parameter λ,
hardness parameter T outputs public parameters pp.
• Z ← Gen (pp, s): Output a puzzle Z for a solution s.
• s ← Solve (pp, Z): Recovers s from Z .
• Z ← Eval (⊕, pp, Z1 , ..., Zn ): Outputs Z s.t ∀{Zi ←
Pn
Gen (pp, si )}ni=1 : Solve (pp, Z) = i=1 si (mod N )
where N is specified in pp.
Setup samples a safe modulus2 N , samples g ∈ JN
T
and computes h = g 2 and outputs pp = (T, N, g, h). If h
was not honestly constructed then Solve will not output
the s that was used as input to Gen. We elaborate on
this in Section A in the Appendix. The authors of [33]
do mention that the setup should be executed by a trusted
party.
2.2.6. Verifiable Timed Signatures. Thyagarajan et al.
[44] constructed a Verifiable Timed Signature (VTS) prim-
itive for common elliptic curve based signature schemes
such as ECDSA [31]. It allows a sender to commit to a
receiver on a signature and later the receiver can forcefully
recover the signature without interaction with the sender
by executing serial computation. Unlike our AVTC prim-
itive (Definition 10), the VTS construction is an ad-hoc
protocol suitable only for signatures, and cannot be used
for any arbitrary attribute as in our AVTC primitive.
The VTS construction is based on the Linearly Homo-
morphic Time-Lock Puzzle (LHTLP) primitive of Mala-
volta et al. [33] and its high-level idea is as follows: First,
1. The work also shows that a fully homomorphic time lock puzzle
is feasible assuming indistinguishability obfuscation.
2. A safe modulus is a product of two primes p = 2p0 +1, q = 2q 0 +1
where p0 , q 0 are also prime
the sender ”encrypts” the signature with secret shares gen-
erated with t-out-of-n Shamir’s secret-sharing [42]. Then,
it commits to each share with the LHTLP primitive by
locking each share in a LHTLP puzzle. The sender and the
receiver then engage in a cut-and-choose protocol where
the receiver asks to open t − 1 puzzles and invokes Gen
itself to verify the puzzles sent to it were indeed correctly
constructed. Additionally there is also a range proof that
proves that the time-lock puzzles contain ”small” values.
As noted in our discussion on the Homomorphic Time-
Lock Puzzle (HTLP), without a trusted setup assumption,
even when validating the Gen operation via cut-and-
choose as done in the VTS construction, a malicious
sender may fool the receiver into accepting signatures that
can never be opened without interaction with the sender. In
contrast, our AVTC primitive enjoys a transparent setup.
2.2.7. Universal Atomic Swaps: Secure Exchange of
Coins Across All Blockchains. A parallel work to ours by
Thyagarajan et al. [43] that appeared online in December
2021 deals with performing cross-chain atomic swaps
by substituting blockchain derived time with using the
Verifiable Timed Signature (VTS) (Section 2.2.6) also
by Thyagarajan et al. [44]. The high level idea of their
scheme is that the escrow account on each blockchain
is initialized with a public key so that its corresponding
private key is secret shared between the two counter-
parties. Then, to swap the funds the parties engage in a
secure two-party computation protocol to produce a sig-
nature (done for each blockchain in parallel). To withdraw
from the swap, the parties recover signatures on withdraw
transactions prepared as part of the prepare phase.
We note that unlike our solution which relies on
the blockchain being able to verify hash puzzles as part
of its transaction validation logic (an ability that some
blockchains like Monero, lack), the technique of Thya-
garajan et al. does not require that, as the time based
cryptography locks a signature and not a hash pre-image.
It is not clear how the authors address the issue we raise
in Section 2.2.5 regarding the trusted setup assumption
of the HTLP and VTS primitives that the construction of
[43] relies on.
2.3. LSB extraction in Multi-Party Computation
The AVTC primitive we construct uses the ”MPC in
the head” zero-knowledge framework (see Section 3.3).
An important part of our computation uses LSB extraction
of a secret-shared value.
The current state of the art in MPC enables one to
extract the LSB [19], [32], [37] but with polynomial
complexity in the binary representation length of elements
in the underlying field. Such techniques are expensive
to be used in the ”MPC in the head” approach that we
employ for our zero-knowledge proof, since they blow up
the proof size when the field in use is thousands bits long.
There are also techniques [18], [40] that allow to extract
the LSB with a constant communication complexity, how-
ever only for values known to be significantly small. In
our protocol, unfortunately, the verifier cannot trust the
prover to uphold any such invariant.
We devise a novel MPC protocol tailored for zero-
knowledge from MPC techniques that extracts an LSB in
constant complexity, by making the prover compute the
LSB itself, but having the verifier validate the prover.
3. Preliminaries
3.1. Hash Time Lock Contracts
A Hash Time Lock Contract (HTLC) [39] is a tech-
nique of payment in which a depositor can pay a recipient
a part of its funds by placing them in an escrow state that
can be claimed by the recipient only if it presents a pre-
image of a cryptographic hash function in a transaction.
To prevent the funds from being held in escrow for ever,
each HTLC has a time limit (a timeout) after which the
funds are returned to the depositor.
HTLCs are often used as a building block for atomic
cross chain swaps, in which Alice can atomically ex-
change her coins in blockchain A with Bob’s coins in
blockchain B. In order for a cross chain atomic swap to
be useful, it needs to possess both safety and liveness
properties [29]:
Definition 1 (Safety). For every execution, either both
parties claim each other’s funds, or no party claims the
counter-party’s funds.
Definition 2 (Liveness). For every execution, no asset of
some party is locked in escrow forever.
Below we give the well known HTLC based cross
chain atomic swap protocol of [28]:
1) Alice randomly selects a secret s ← {0, 1}λ for some
security parameter λ and publishes a transaction on
blockchain A with a hash lock of h = H(s) and a
time lock of T + ∆ for some ∆ > 0.
2) Bob publishes a similar transaction on blockchain B
with a hash lock of h (while not knowing s) and a
time lock of T .
3) Alice publishes a transaction on blockchain B which
includes s0 ∈ H−1 (h) and as a result claims Bob’s
coins to her account.
4) Bob, having seen a pre-image s0 such that H(s0 ) =
h , publishes a transaction on Alice’s blockchain that
claims Alice’s coins to his account.
We note that Alice sets a time lock T+∆ compared to T
for Bob, because had Alice put her funds in escrow for an
equivalent or shorter period of time than Bob - she could
have first claimed Bob’s funds into her account and then
raced Bob on blockchain A and reclaimed her funds back
before Bob had a chance to claim them.
While HTLCs are powerful tools that allow atomic
exchange of assets between two or more blockchains, a
major limitation in the protocol stems from its safety: If
a party put its funds in escrow for a time period T , even
if both parties agree to abort the swap, they have to wait
until T time passes.
3.2. Timed Commitments
R
Notations and definitions: We denote by ← X a
uniform random selection from a set X and denote λ ∈ N
to be a security parameter. Let  : N → R be a
negligible function if for every positive polynomial P :
1
∃N ∈ N s.t ∀n > N :  (n) < P (n) .
Definition 3 (Commitment scheme). A protocol between
a sender S and a receiver R with two steps:
λ
• Commit(x, 1 ): S has input x, and outputs to R a
string C ∈ {0, 1}λ and to S a decommitment string d ∈
{0, 1}λ . We denote by (d, C) ←< S(x, 1λ ), R(1λ ) >
the experiment in which S and R interact.
• Open: R has C and is given x, d by S . R accepts or
rejects. We denote by R (C, x, d) ∈ {0, 1} its output.
A commitment scheme has two security properties:
• Hiding: For any receiver R which chooses {x0 , x1 } ⊂
R M ∈ {0, 1}∗ to commit to.
{0, 1}λ and is given C = Commit (xb ) on xb ←
{x0, x1 } and outputs b = 0 or b = 1, it holds that:
P r R x0 , x1 , 1λ = b − 12 =  (λ) for a negligible .


λ q1 , q2 , .., qr are the first r primes, with a typical setting
• Binding: For any C ∈ {0, 1} there is at most
one x ∈ {0, 1} such that ∀x0 6= x, ∀d0 :
λ
P r [R(C, x0 , d0 ) = 1] =  (λ) for a negligible .
Dan Boneh and Moni Naor [15] describe an enhanced
commitment primitive called a “Timed commitment” that
has a third step:
• Forced Open(C), in which the receiver can invest mod-
erate computation power and time in order to open the
commitment C to yield x without any interaction with
the sender. The number of computation steps required
to execute the forced open step is set by the committer
as part of the commit step.
We formally define a timed commitment below:
Definition 4 (Timed Commitment [15]). A timed com-
mitment scheme hCommit, Open, F Openi is a triplet of
PPT algorithms that satisfy: Given a string x ∈ {0, 1}l ,
a difficulty level k ∈ N, a committer computes a
cryp-
tographic commitment (C, d) ← Commit x, k, 1λ and
convinces the receiver that C can later be opened without
interaction with the committer via m ← F Open (C, k) by
executing 2k serial computation steps 3 , or by having x
revealed to the receiver via m ← Open (C, x, d).
The timed commitment primitive, possesses the addi-
tional following two properties:
• Soundness: The committer proves to the verifier that
the forced open step indeed yields the committed value
within the claimed number of computation steps.
• Serial computation: No parallel algorithm can ob-
tain information about the committed string in time
significantly less than it takes to compute successive
squarings. In particular, it relies on the Generalized BBS
assumption.
BBS assumptionE[15] For k ∈ N
Definition 5. Generalized D
R 2k
and g ← ZN , let Wg,k = g 2 , g 4 , ..., g 2 . The element
2k+1
g2 is computationally indistinguishable from a random
quadratic residue for any parallel random access machine
whose running time much less than 2k .
Aside from the Generalized BBS assumption needed
for the serial computation constraint, the hiding property
relies on the Quadratic residuosity assumption [13].
3.2.1. The timed commitment protocol. We next elab-
orate on the timed commitment protocol as it appears in
[15]. We also include a full proof for the zero-knowledge
3. The value k for k ∈ N is a difficulty parameter chosen by the
committer.
proof sub-protocol of timed commitment in Section C,
which was not provided in [15].
Setup(1λ ). Let λ be a security parameter. The committer
(also called the sender) picks P, Q: two λ-bit primes s.t
P ≡ Q ≡ 3 (mod 4), and publishes their product N =
P · Q to the receiver.
Commit(M, T ). The Committer (sender) receives as input
T = 2k for some k ∈ N that determines the difficulty
of the forced open phase by the receiver, and a message
1) The sender picks h ← Zλ at random
r n
2) The sender computes g = h(Πi=1 qi ) mod N where
of r being 128.
3) The sender sends the receiver h, g and the latter
verifies them by computing Q = Πri=1 qiλ and then
g = hQ (mod N )
2k
4) The sender, knowing P, Q computes u = g 2 mod N
k
by computing a = 22 mod φ(N ) followed by u =
a
g (mod N ).
5) The sender hides M ’s bits by XOR-ing them with
LSBs of successive roots of u mod N , more formally:
2k −i
Si = Mi ⊕ g 2 mod N where Mi denotes the i-th
bit of M . The commitment string is defined as:
C = hS, h, g, ui
and is sent to the receiver.
6) The sender proves that u is constructed properly, mean-
ing that the receiver can indeed open the commitment
in time T by computing repeated squaring modulo N
2k
starting from g and until u = g 2 . This is done by
constructing the following vector W of length k :

2i 2k
W = g 2 , g 4 , g 16 , g 256 , ..., 22 , ..., g 2 (mod N )
followed by proving in Zero Knowledge for each i ∈
[k] that for each adjacent pair (ai , bi ) ∈ W : (g, ai , bi )
2
is of the form (g, g x , g x ) for some x. This protocol,
as well as its proof, can be found in Section B.
Open. Denote |M | as the bit length of M . The sender
2k −|M |
sends the receiver
r
vλ 0 = h2 and the receiver com-
putes v = (v 0 )Πi=1 qi which is the 2|M | ’th root of u (taking
square roots |M | times from hu yields v ). Nowi the receiver
|M |−i
can compute: [M ]i = [S]i ⊕ v 2 mod N by repeated
modular squaring starting from v .
Forced-Open(C ). In case the sender never opens the com-
mitment for the receiver, the receiver can compute (with
some effort) the committed value M by first computing
2k −|M |
v = g2 (mod N ) by using 2k −|M | squaring modulo
N to obtain v and proceed as in the open step.
3.3. Zero Knowledge Proofs From Secure Multi-
party Computation
We assume the reader is familiar with secret-sharing
based multi-party computation schemes such as GMW
[26], namely that multiplication a scalar and addition
can be done by every party as a local computation, but
multiplication, secret share reconstruction and distribution
requires communication among parties.
Ishai, Kushilevitz, Ostrovsky and Sahai proved in [30]
that Zero Knowledge Proofs can be built from semi-honest
MPC protocols in the following manner: Let L ∈ N P
and RL its corresponding witness relation. Given x ∈ L
and a witness w such that (x, w) ∈ RL and an MPC
protocol that computes RL (x, w) ∈ {0, 1}, one can build
a zero knowledge proof where the prover proves in zero
knowledge that indeed x ∈ L as follows:
1) Let P1 , ..., Pn be n parties. The L
prover splits w into n
random shares wi such that w = i∈[n] wi and assigns
each party i private input wi .
2) The prover simulates the MPC protocol for all n parties
“in the head” and maintains records of views and
message transmissions for all parties.
3) The prover commits to the views and message trans-
missions using a statistically binding commitment and
sends them to the verifier.
4) The verifier randomly asks the prover to reveal the
commitments for a subset of the parties.
5) The prover complies and reveals the requested infor-
mation.
6) The verifier validates the commitments revealed and
checks the consistency of the views and message trans-
missions, and accepts or rejects accordingly.
This result has a strong implication: Given (x, w) ∈ RL ,
the construction of a multiparty protocol where w is secret
shared among the parties and the circuit checks whether
(x, w) ∈ RL is a scheme to construct a zero knowledge
proof for membership in L.
4. Cross Chain Atomic Swaps in the Absence
of Time
We describe a novel protocol for cross chain atomic
swaps that utilizes our Attribute Verifiable Timed Com-
mitment (AVTC) primitive. Unlike the state of the art, our
protocol operates without blockchain derived time.
Our protocol’s main difference from the standard cross
chain atomic swap described in the literature in Section
3.1 is that we have each party give the other party a hash
puzzle that can be opened in a timely manner. Each party,
escrows its funds in a way that reclaims the funds back
to the party only if the hash puzzle solution is revealed.
By changing the reclamation condition to a hash veri-
fication, we also give the parties a way to immediately
reclaim their funds in escrow. While it is possible to
construct a condition with the state of the art’s HTLC
based swap, it would require adding a multi-signature
condition to the script which would take more space and
computation overhead, hence will increase the cost of
using such a transaction.
4.1. AVTC as a Time Based Hash Puzzle
Consider a puzzle encoded as a string y so that to solve
it, one needs to find a hash pre-image x such that y =
H(x) where H is a cryptographic hash function. A time
based hash puzzle is a puzzle that has an additional way
of finding the pre-image x, and this way requires a certain
number of computation steps. Indeed, a time based hash
puzzle would fit our needs perfectly: Verifying a solution
of a time based hash puzzle requires only a single hash
invocation on the candidate solution. In addition, a hash
puzzle takes up minimal storage space in the blockchain.
Our realization of a time based hash puzzle is via our
Attribute Verifiable Timed Commitment (AVTC) primitive
that enables a sender to commit to a value M and to
prove to a receiver that the message M committed to is
a hash pre-image of a specified hash. The receiver can
open the commitment without interaction with the sender
by executing a predefined number of computation steps
(where the number of steps is set by the sender). We define
the AVTC time based hash puzzle here, and in Section 5
we generalize the AVTC primitive to any functionality.
Definition 6. AVTC Timed Based Hash Puzzle Let λ
be a security parameter and H be a cryptographic hash
function. An AVTC time based hash puzzle is defined by
four operations:
1) P ub, P riv ← Setup(1λ ): The sender obtains private
parameter P riv , both sender and receiver obtain P ub.
2) (C, y, π) ← Commit(P riv, T, M ): Given the setup’s
private parameters, a difficulty level T and a message
M , the sender produces a commitment C , a string y =
H (M ) and a proof π that y = H(M ).
3) M ← Open(C, P ub): The sender reveals the message
M to the receiver.
4) M ← F orceOpen(C, P ub): The receiver reveals the
message M without interaction with the receiver, by
investing T computation steps.
Security model and assumptions. We model the world
as an interaction between two mutually distrusting and
potentially malicious parties. Each party has an incentive
to deceive the counter-party and has no repercussion if
caught cheating. We further assume that a party cannot
deny the counter-party from transacting on the blockchain
indefinitely, but only for a certain known time period. We
make the standard requirement that our cryptographic hash
function is pre-image resistant [41]. We assume the parties
are probabilistic polynomial time Turing machines.
4.2. The Cross Chain Atomic Swap Protocol
We lay out our protocol by describing an interaction
between two parties: Alice and Bob, where Alice pays
Bob a fee sum on blockchain BCA in exchange for Bob
paying Alice sum on BCB . The protocol consists of two
phases:
1) Prepare: Puts transactions on the blockchains in
preparation for the swap.
2) Either Swap: Transact on both blockchains for each
party to claim its payment, or Withdraw: Cancel the
swap and have each party reclaim the escrow.
Notations: We next elaborate on each of these steps.
Let λ be a security parameter and T = 2d be a difficulty
level, typically d ∈ [30, 50]. We denote appending transac-
tion X to blockchain BCA as BCA X . We denote Alice
m
sending a message m to Bob as A → B and similarly,
m
Bob sending m to Alice as B → A. For succinctness,
we omit specifying P ub and P riv produced in the Setup
phase.
Prepare. In steps 1-2 in the prepare phase (depicted in
Figure 1), Alice produces a timed commitment CA for a Prepare
uniformly random hash pre-image a, and sends the other
R
party (Bob) CA and the hash A = H (a) along with proof 1: Bob: b ← {0, 1}λ , B = H(b),
that A = H (F orceOpen (CA )). The proofs are verified (CB , πB ) = Commit (b, T + ∆) , B
(B,CB ,πB )
→ A
by both parties in step 3, and each party aborts the protocol R
if the proof verification fails. Then, in step 4 Alice initiates 2: Alice: a ← {0, 1}λ , A = H(a),
(A,CA ,πA )
the HTLC by selecting a uniformly random secret x and (CA , πA ) = Commit (a, T ) , A → B
publishing its hash y in step 5 on BCA by publishing a 3: Alice: Verify πB ; Bob: Verify πA
transaction that guarantees: R
4: Alice: x ← {0, 1}λ , y = H(x)
1) If Bob appends a transaction that reveals H−1 (y) 5: Alice: BCA hB, y, sumi
before Alice appends a transaction that reveals b0 ∈ 6: Bob: BCB hA, y, sumi
H−1 (B) then Bob claims sum to itself on BCA .
2) If Bob hadn’t appended a transaction that reveals
H−1 (y) and Alice appended a transaction that revealed Swap
b0 ∈ H−1 (B) then Alice claims back sum on BCA . 1: Alice: BCB hxi
Finally, in step 6, Bob finishes the prepare step by 2: Bob: BCA hxi
appending a transaction on BCB which guarantees:
1) If Alice appends a transaction which reveals H−1 (y)
before Bob appends a transaction which reveals a0 ∈ Withdraw(cooperative)
H−1 (A), then Alice claims sum to herself on BCB . a
2) If Alice did not append a transaction which revealed 1: Alice: A → B
H−1 (y) and Bob appended a transaction which re- 2: Bob: BCB hai
b
vealed a0 ∈ H−1 (A), then Bob claims back sum on 3: Bob: B → A
BCB . 4: Alice: BCA hbi
Swap. Alice appends a transaction to BCB which reveals
x and thus claims sum from Bob, just as done in HTLC. WithdrawAlice (non-cooperative)
Bob, having now seen x s.t x ∈ H −1 (y), appends a
transaction that reveals x to BCA and thus claims sum 1: Alice: b ← F orceOpen (CB )
from Alice. 2: Alice: BCA hbi

Withdraw. As in the standard HTLC based cross chain

swap, since Alice initiated the swap she sampled x (line 4
in Prepare) and therefore in order to withdraw from the
swap, Alice must not commence the Swap phase.
The withdraw procedure can be cooperative where the
parties exchange information, or non-cooperative where
no information exchange takes place.
Cooperative withdraw. If one of the parties decides to
abort the swap, first Alice reveals a to Bob and then
Bob reveals b to Alice. Each of the parties can reclaim
its escrow funds by transacting on its blockchain and
revealing the pre-image a or b.
Non-cooperative withdraw. If either party wants to
withdraw the funds in escrow without consent from the
counter-party, it needs to recover b (for Alice) or a (for
Bob) by computing sequentially for a time period that is
T + ∆ for Alice, and T for Bob.
Realistic parameter selection. The difficulty level T
that Commit is executed with corresponds to some se-
rial execution time. Setting T = 230 amounts to ∼ 20
minutes on a modern Intel i7 CPU. The execution time
of F orceOpen should be carefully picked according to
transaction confirmation time and its correlated probability
of transaction reversal [23]. If the confirmation time is
lower than the time it takes to compute F orceOpen then
the safety of our protocol is impaired
The difficulty level T of the time based hash puz-
zle should be large enough so that after both Alice
WithdrawBob (non-cooperative)
1: Bob: a ← F orceOpen (CA )
2: Bob: BCB hai
Figure 1: The phases of our cross chain atomic swap
(and Bob) put their hash puzzles (lines 5-6 in Prepare)
on blockchain A (and B ), Bob cannot race Alice and
forcefully open a and withdraw his funds in escrow on
blockchain B before Alice’s swap transaction (line 1 in
Swap) is confirmed on blockchain B . Otherwise, once
Alice releases the swap transaction that reveals x in her
attempt to claim Bob’s funds in escrow on blockchain
B , Bob can claim Alice’s tokens on blockchain A while
preventing Alice from claiming his funds on blockchain
B . Similarly, if ∆ in the difficulty level T +∆ is too small,
if the swap wouldn’t end up taking place and Bob will try
to withdraw his funds in escrow, Alice might forcefully
recover b and reclaim her funds in escrow on blockchain A
and race Bob’s withdraw transaction.To guarantee Bob has
enough time for his withdraw transaction to be confirmed
on blockchain B , ∆ should be large enough.
Safety boundaries in a mutually distrusted setting.
Whether the swap ends up taking place or not, it is
possible to safely execute our protocol without having to
execute F orceOpen. We show that by setting ∆ > T
and showing a schedule where none of the parties exe-
cute the F orceOpen and argue why the safety property
 (Definition 1) is preserved.
0: Bob and Alice execute steps 1-3 in Prepare (nothing
is written on chain yet)
∆ ∆
2 If Alice’s steps 4 and 5 in Prepare occur later than 2
: network.
then Bob refuses to proceed to step 6 in Prepare and
Alice never claims his funds.
3T 3T
4 : If Bob’s step 6 in Prepare occurs later than 4 then
Alice refuses to proceed to Swap and Bob never claims
her funds. Else, Alice proceeds to step 1 in Swap
and claims Bob’s funds before time T (where he can
reclaim them).
T : If Alice and Bob decide to withdraw, then as per
step 1 in Withdraw(cooperative), Alice gives Bob
a first. If Alice fails to do so before time T then
Bob can start executing Withdraw(non-cooperative)
which ends before T + ∆ (since ∆ > T ), hence if
Alice chooses to perform Swap during that time, she
cannot also withdraw her funds in escrow.
4.3. Cross Chain Atomic Swap Protocol Analysis
We prove that our protocol satisfies the safety and
liveness properties from the preliminaries:
Theorem 7 (Safety). Either both parties claim each oth-
ers’ funds, or no party claims the counter-party’s funds.
Proof. Assume in contradiction that one of the parties
claims the counter-party’s funds, and split to cases:
1) Alice claims Bobs’ funds: Claiming Bob’s funds in-
volves in revealing H −1 (y) to Bob. If Bob couldn’t
claim Alice’s funds on BCA then it is due to Alice
forcefully opening Bob’s timed commitment to obtain
b, however she needs twice the time than Bob to open
his commitment to b, hence Bob had sufficient time to
open Alice’s commitment to a and reclaim back his
funds, preventing Alice from claiming his funds ⇒ in
contradiction to Alice claiming Bob’s funds.
2) Bob claims Alice’s funds: To claim Alice’s funds,
Bob has to see H −1 (y) which is only revealed by
Alice as part of her claiming Bob’s funds. If Alice
reveals H −1 (y) early enough (before Bob has time
to forcefully open Alice’s commitment and extract a)
then it is too late because Alice already claimed his
funds.
Theorem 8 (Liveness). No asset of some party is forever
locked in escrow.
Proof. Either no party aborts, and then the swap com-
pletes, or some party aborts. If some party aborts, then
both parties can reclaim their funds in escrow after a
period of time: If Alice decides to abort after the prepare
phase, then she can open her commitment to reveal a to
Bob which makes him reclaim his funds in escrow, after
which Bob can reveal b to Alice to make her reclaim her
funds as well. In any case if any of the parties refuses to
reveal the commitment, the counter-party can forcefully
open it by investing a moderate computation time and
thus reclaim back the funds in escrow.
4.3.1. Calculating the Commitment String Length.
An important question that comes to mind, is, how long
should be the hash pre-image prefix committed to by the
AVTC primitive? However, a hash can be brute-forced
with parallel computation. We show in Section F that
having 128 bits of pre-image prefix thwarts even an adver-
sary with hashing power equivalent to the entire Bitcoin
5. Attribute Verifiable Timed Commitment
Recall, the timed commitment scheme of Boneh and
Naor (Section 3.2) allows Alice to commit to a secret, and
to prove to Bob that the commitment can be opened by
performing a certain amount of computation.
In this section, we show a novel cryptographic primi-
tive that allows Alice to prove to Bob arbitrary attributes
of the secret in zero knowledge. That is, the committer
(Alice) plays the role of a prover, and the receiver (Bob)
of a verifier. When enhancing the timed commitment
with our cryptographic primitive, the receiver accepts the
commitment only if the secret committed to possesses
attributes agreed by both parties. Hereupon we denote
our novel primitive AV T C which stands for Attribute
Verifiable Timed Commitment.
In Section 5.1 we formally define what the AVTC
primitive entails. Then in Sections 5.2 and 5.3 we dive into
the construction of the components of the AVTC primi-
tive and analyze its security. In Section 5.4 we discuss
evaluation of our publicly available implementation.
5.1. Definition of AVTC
In this section we give our definition for the AVTC
primitive. The Timed Commitment satisfies both the hid-
ing and binding properties of a cryptographic commitment
scheme (see Section 3.2 in preliminaries), with the excep-
tion that it holds only for adversaries limited in the number
of their execution steps to be 2k .
Definition 9 (Values that satisfy F ). Let F : {0, 1}∗ →
{0, 1} be a predicate. We define the language which
informally means ”all values which satisfy F ” as LF =
{x F (x) = 1}.
An AVTC for a predicate LF is a timed commitment
augmented with a zero knowledge proof that the commit-
ted value satisfies F
Definition 10 (Attribute Verifiable Timed Commitment
(AVTC) for F ). Let F : {0, 1}∗ → {0, 1} be a
predicate. An AVTC for LF is a triplet of algorithms:
hCommit, Open, F Openi that are as in the Timed Com-
mitment (Definition 4), but with an enhanced Commit op-
eration that also
guarantees that given a commitment C ←
Commit x, 1λ accepted by the receiver, it holds that
x ∈ LF . Denote the probability that the receiver R accepts
that C commits to x ∈ LF as P r [hS (x) , R (C)i = 1]. Let
λ be a security parameter and  be a negligible function,
S
and denote V iewR (C) the view of the receiver with input
C engaging with the sender. The following properties hold:
• Completeness: Let x ∈ LF . Then:
P r [hS (x) , R (C)i = 1] = 1.
• Soundness: Let x ∈ / LF . Then:
∃ s.t: P r [hS (x) , R (C)i = 1] < (λ).
• Zero Knowledge: For every receiver R: ∃ PPT simula-
S M
tor M such that ∀x ∈ LF : V iewR (C) ≡s V iewR (C).
 Algorithm 1: Validating (x, w) ∈ RL
5.2. AVTC Construction Overview √
l+1
Input: Witness w = 2 u
We prove the following theorem: 1: x = {}
// Initial squaring to ensure z ∈ QRN
Theorem 11 (AVTC). For every predicate F : {0, 1}∗ → 2: z = w 2 (mod N )
{0, 1}, there exists an AV T C scheme for LF as defined // Concatenate XOR of LSBs
in Definition 10. 3: for i=0 to l − 1 do
To prove the theorem, we first give a high level 4: x = x|| (z0 ⊕ Si )
overview of the AVTC construction. Then, in the follow- 5: z = z 2 (mod N )
ing sections, we deep dive into its components and analyze 6: end for
them. 7: if F(x) = 1 ∧ z = u then
8: Accept
9: else
5.2.1. AVTC Protocol. Our starting point for AVTC is the
timed commitment primitive of Boneh and Naor (Section 10: Reject
11: end if
3.2). We extend its construction to an AVTC by augment-
ing it with a zero knowledge proof for a predicate F of Algorithm 1: Lines 3-6 in correspond to (a) which opens
the committed value. the commitment C = hS, h, g, ui where line 7 ensures
A timed commitment C of a secret x ∈ {0, 1}l is of that successive squaring results in u. As a by-product of
R
the form C = hS, h, g, ui where: h ← ZN , g is determin- opening the commitment we obtain x and in line 7, F is
k
istically computed 4 from h and u = 22 (mod N ), and applied on x to prove (b)
the string S = S1 , ..., Sl is defined as:
 k 
22 −i
Si = xi ⊕ LSB g (mod N )

Our protocol involves three proofs:

1) Proving that N is a product of two Blum primes 5 . In
Section 5.3.1 it is explained why we enforce a special
requirement on the modulus N .
2k
2) Proving that u = g 2 (mod N ), which convinces
the receiver that it can open the commitment without
interaction with the sender within the desired number
of computation steps.
3) Proving that C opens to x s.t F (x) = 1.
In order to prove (1), we employ the scheme of
Goldberg et al [25] which yields a non-interactive zero-
knowledge proof for a Blum integer. It can be done in
a one time setup phase before the AVTC protocol takes
place, and the non-interactive proof can be published on Figure 2: A simple AVTC circuit that verifies an attribute
a public bulletin board or on the blockchain. F on a 3-bit sized message m with a commitment string
Our protocol for (2) follows the technique of Boneh s. Values in blue are secret input, while values in yellow
and Naor as mentioned in Section 3.2 and is found in the are public input.
appendix in Section 4 along with a complete proof.
5.2.2. Proving C Opens To x Such That F (x) = 1. The
In order to prove (3), we prove the following two
starting point for our zero knowledge proof that (a), (b)
statements in zero knowledge: 6
hold is Algorithm 1 that verifies (a), (b) when x is given
(a) ∀i ∈ {1, ..., l} : 
√
2i
 as secret input to the prover, and C is given to both the
2l+1
xi ⊕ Si = LSB u (mod N ) prover and verifier. Afterwards, we translate Algorithm
1 to an MPC-friendly algorithm by identifying how each
(b) F (x1 ||x2 ||...||xl ) = 1
step in Algorithm 1 can be computed efficiently. Lastly,
Our construction for both (a) and (b) is done as a we build a circuit that will be used to produce a zero-
single zero-knowledge proof that is based on the MPC- knowledge proof using the ”MPC in the head” framework.
in-the-head technique of [30].
In the rest of this subsection we give a high level 5.2.3. Circuit Building Blocks and Configuration. We
overview of the construction of the zero-knowledge proof construct a layered circuit (seen in Figure 2) which is
for (a) and (b). Then, in Section 5.3 we elaborate all sub- comprised of three main building blocks:
protocols we employ in a top-down manner. • Squaring modulo N
• LSB extraction
4. We refer the reader to Section3.2 in the
 preliminaries, and specifi-
Π128 q λ • Field converstion and computation of F
cally remind the reader that g = h i=1 i (mod N ) where {qi }ri=1
are the first r primes and λ is a security parameter.
Our circuit executes the open phase of the timed
5. A Blum prime is a prime such that P ≡ 3 (mod 4) commitment by successively squaring (modulo N ) secret
6. We denote || as the concatenation operation, and for X ∈ {0, 1}∗ shares until a public value u is reached (line 7 in Algo-
we denote Xi as the i’th bit of X rithm 1). Each step involves extracting the LSB (while
secret-shared) and feeding it into another black-box circuit
which computes the desired attribute F (as seen in Figure
2). We choose an arithmetic circuit over a prime field
p and require that p > N 2 + n · 2µ for some security
parameter µ (i.e µ = 100) and number of parties n. 7
In case F is most efficiently computed using a boolean
circuit, we also perform share conversion from arithmetic
shares to boolean shares.
5.2.4. Squaring Modulo N . We devise Algorithm 2
which verifies that two secret shared values [a] and [b]
are congruent modulo N by verifying that the equality
[a] = [b] + [t] · N holds, for some t < N . Since the equal-
ity needs to hold modulo N but the circuit’s arithmetic
operations are modulo p we require that p > N 2 .
5.2.5. LSB Extraction. Each squaring and modulo re-
duction step in the layered circuit is followed by LSB
extraction which is then XOR-ed and fed to a component
that computes F . Our novel technique for LSB extraction
is shown in Section 5.3.5.
5.2.6. Computation of F . Once we have extracted each
bit of the committed message x, we forward it into a
component which validates that F (x) = 1. However,
this component might often be implemented as a circuit
in a different field, such as a boolean circuit. To that
end, we shall convert our arithmetic shares of bits into
boolean shares via Algorithm 6 which is based on the
share conversion technique of [20].
5.2.7. Construction Overview Summary. The AVTC
protocol builds on top of Boneh and Naor’s timed com-
mitment scheme [15] and its main distinguishing part is a
zero-knowledge proof that the commitment is opened to
a value that satisfies the predicate. We use the MPC-in-
the-head technique of Ishai et al. [30] which we bootstrap
with an MPC protocol in the semi-honest setting.
In the next subsection, we will deep dive into each
of the components of the aforementioned MPC protocol,
discuss our design choices and analyze our scheme.
5.3. AVTC Component Design
In this section we explain in detail our AVTC con-
struction, namely its low level building blocks, and give
reasoning behind each design choice. We first describe in
our design choice for efficiently opening the timed
commitment in the arithemtic circuit while retaining the
binding property. Then, we dive into the details of the
design of the circuit’s subcomponents and analyze them.
5.3.1. Opening a Timed Commitment with a Circuit.
We recall the timed commitment (Section 3.2) encoding:
2k
C = hS, h, g, ui where u = g 2 (mod N ) for a difficulty
r λ
parameter k , and g = hΠi=1 qi where qi are all primes
less than some upper bound r. We wish to prove that the
secret x that we commit to, indeed satisfies F (x) = 1.
A straightforward way of achieving this, is to execute
the Open phase of timed commitment in our arithmetic
circuit, extract the committed value x, and then compute
7. In Section 5.3.5 we show why p > N 2 + n · 2µ is required
F on x. To prevent the prover from equivocating by sup-
plying a different root than of what was used to compute
the commitment string C , the timed commitment technique
of Boneh and Naor entails the sender sending the receiver
2k −|x|
v 0 = h2 and
r λ
the receiver computing v = (v 0 )Πi=1 qi
√
|x|
which yields 2 u, which is then successively squared to
obtain the bits of x.
Proving integrity of the exponentiation of v 0 by
Πi=1 qiλ in a cicruit is quite expensive, as the current
r
state of the art [19] utilizes bit decomposition which is
computationally expensive. Therefore, we would like to
side-step it while retaining binding to the committed value.
To that end, we seek out a method that allows the sender
of the commitment to convince the receiver that there is
a single 2|x| root of u without proving integrity of the
expensive exponentiation over v 0 which is done in the
Open phase in the original paper of Boneh and Naor [15].
We leverage the fact that our modulus N is a product
of two Blum primes, 8 and also prove to the verifier using
the scheme of Goldberg et al [25] that it is indeed the
case. We mention the following theorem which will help
us prove that the committer can only prove F(x) = 1 for
the same x that the timed commitment committed to.
Theorem 12. Let N be the product of two Blum integers,
and let a ∈ QRN . Then a has exactly one square root in
QRN .
Proof. Theorem 9 in [13].
√
|x|+1
Let w = 2 u (mod N ) be a witness used in our
zero knowledge proof for which we prove that succes-
sively squaring and reduction modulo N starting from
w yields u. Indeed, the intermediate value in our zero
knowledge proof that is obtained √ after taking w and
|x|
squaring it (modulo N ) once is 2 u, which is clearly in
QRN , hence (by Theorem 12) there is a single 2|x| root
of u. As we shall see next, the binding
√ property easily
|x|
follows from the uniqueness of 2 u:
√
|x|+1
Corollary 13. Let u ∈ QRN , w = 2 u (mod N ).
 2i |x|+1
The series w (mod N ) ∈ QRN i=1 is unique.
Proof. By construction, every element in the series is
in QRN , therefore by Theorem 12, for 1 ≤ i ≤ |x|
i
every such element w2 is a unique square root of another
2i+1
element w also in QRN where for i = |x| + 1 we get
u itself.
Hence, the√witness to the zero knowledge proof is go-
|x|+1
ing to be 2 u, and the prover will prove that repeated
squaring modulo N starting from the witness, reaches u
in |x| + 1 iterations.
5.3.2. Squaring and Modulo Reduction. Reducing a
secret shared number modulo N is an expensive oper-
ation because it either requires bit decomposition [36]
(decomposing the number to shares of bits), or employing
schemes that require random bitwise sharing [35]. Both bit
decomposition and bitwise sharing in a field big enough to
contain our modulus N means thousands of shares each
thousands bits in size. We sidestep this inefficiency by
recalling that our circuit only needs to validate the
8. A Blum prime is a prime such that P ≡ 3 (mod 4)
Algorithm 2: SquareModNExtractLSB
Input: [xi ] (from previous hlayer) and pre-computed:
x2 −(x2i % N )
i
 
I1 = x2i % N , I2 = i N
  

Output: x2i % N (to next layer), LSB x2i % N to
sub-circuit which computes F .
1: [a] = [xi ] · [xi ]   4: end if
2: [b] = I1 // hx2i % N pre-computed
2 2
i
x −(xi % N )
3: [t] = I2 // i N pre-computed
4: [y] = [a] − [b] − [t] · N
5: y = Reveal([y])
6: if y 6= 0 then
7: abort
8: end if
9: z = V erif yLowerT han ([b] , N )

10: w = V erif yLowerT han [a] , N 2
11: u = LessT hanHalf Order ([t] · N )
12: if z · w · u 6= 1 then
13: abort
14: end if
15: [b0 ] = ComputeLSB ([b])
16: Forward [b] to next level
17: Forward [b0 ] towards computation of F
computation, and the prover is free to pre-compute all
intermediate values of the computation and feed them into
the circuit as secret shared inputs.
Specifically, instead of computing a mod N , the
prover pre-computes b (denoted as I1 in Algorithm 2)
and t (denoted as I2 in Algorithm 2) such that it holds
that: b = a − t · N , and both b and t are given as input to
the parties, which verify that the equality [a] = [b]+[t]·N
holds.
At a first glance, validating that [a] = [b] + [t] · N
seems trivial. However, the hardness lies in ensuring that
a cheating prover doesn’t secret share b, t that satisfy the
condition but make the computation secretly overflow the
field p of the circuit. By initializing the secret shared
values b, t with numbers that overflow the finite field p, a
cheating prover may manipulate the LSBs extracted from
each layer in the circuit and make the verifier think that
a committed value has an attribute that it doesn’t posses.
Therefore, we additionally make Algorithm 2 ensure that:
1) b < N
2) a < N 2
3) t · N < p2
Ensuring (1), (2) is done via Algorithm 3 and ensuring
(3) is done via Algorithm 4, where both are comparison
algorithms and are possible to be computed efficiently
thanks to our novel LSB extraction algorithm.
Algorithm 2’s correctness immediately follows from
the following lemma:
Lemma 14. For an equality a = b + t · N where
{a, b, t, N } ⊂ Zp for p > 4 and N 2 < p, if b < N ,
a < N 2 and [t] · N < p2 then there is a single b that
satisfies the equality.
Proof. Assume in contradiction there are b, b0 , t, t0 that
satisfy the equality, i.e a = b + t · N and a = b0 + t0 · N .
Then it holds that b + t · N = b0 + t0 · N , thus we
√
get:
(F) b−b0 = N ·(t0 − t). Since N 2 < p, so N < p < p2 ,
therefore b < N < p2 and thus b + t · N < p. And since
Algorithm 3: VerifyLowerThan
Input: [v] , u
Output: 1 if v < u, otherwise aborts
1: a = LessT hanHalf Order ([v])
2: if a 6= 1 then
3: abort
5: [w] = p − [v]
6: [x] = [w] + u
7: b = LessT hanHalf Order ([x])
8: if b 6= 1 then
9: abort
10: end if
11: return 1
Algorithm 4: LessThanHalfOrder
Input: [v]
Output: 1 if v < p2 , otherwise aborts
1: [w] ← 2 · [v]
2: [b] ←ComputeLSB ([w])
3: b ← Reveal ([b])
4: if b 6= 0 then
5: abort
6: end if
7: return 1
a < N 2 , then a < p as well. Therefore, both sides of
the equality do not overflow p and (F) holds over N,
meaning that without loss of generality, b > b0 and t0 > t.
It follows that t0 − t ≥ 1, thus b − b0 > N ⇒ b > N in
contradiction to the fact that b < N .
5.3.3. Validating Lower-Than. We give a novel and effi-
cient construction to a secure Multi-Party protocol which
validates that a secretly shared value is lower than a public
value. Our protocol doesn’t doesn’t require edaBits like
the recent work of [32] and unlike the aforementioned
state of the art, has constant rounds. The protocol uses
Algorithm 4 in a black box manner for validating that
a secret shared value is less than p2 . The protocol and
Algorithm 4 both draw on the ideas from [18] and [37].
The protocol (Algorithm 3) receives as input a secret
shared value [v] and a public constant u < p2 and returns
1 if and only if [v] < u, otherwise aborts.We prove its
correctness:
Lemma 15. For every u < p2 , Algorithm 3 returns 1 if it
is input with [u] < u, otherwise it aborts.
Proof. Algorithm 3 checks if [v] > p2 . If so, then v > u,
therefore it aborts. Otherwise, both v and u are smaller
than p2 , therefore (F) v > u ⇔ u − v (mod p) > p2 . In
lines 5 − 6 we compute [x] = u − [v] (mod p) and then
check if it’s less than p2 (line 7). If it is the case, then it
follows from (F) that v < u.
5.3.4. Validating that a value is less than p2 . We show
how to validate that [v] < p2 . The protocol relies on the
fact that if v < 12 p then multiplying it by 2 yields a
number that is less than p, and then there is no wrap-
around p and the LSB of the result becomes 0 for an odd
p. The protocol is shown in Algorithm 4 and uses the
ComputeLSB protocol.
 smaller than the field size. Our protocol immediately leads
to constant round efficient comparison validation protocols
in arithmetic circuits and do not require bit decomposition
or binary share assisted schemes.
Notations: We denote [x] to be a secret sharing
of x among n parties. When referring to an operation
done by  every party, we shall
denote ∀i ∈ [n]. Let
S = 2 · α α ∈ 0, 2|N |+µ−1 : be the set of legal
blinded plaintext shares in our algorithm.
The technique: For simplicity, we first describe the
technique for a semi-honest 1-secure setting (which as-
sumes parties do not collude), as shown in Figure 3. A
modification to a semi-honest k-secure case, where parties
may collude appears later on. In the offline phase, the
prover first represents v as a sum of an even number a
and the LSB of v denoted by b: v = a+b (line 1). Then, it
splits a into n shares a(1) +a(2) +...+a(n) < p and it splits
Figure 3: The prover secret-shares v into plaintext shares b into bits such that: b(1) ⊕b(2) ⊕...⊕b(n) (line 2). Finally,
and then blinds each share with a blinding factor given to it statistically hides each share a(i) with an even uniformly
one of the remaining two parties (1-secure MPC). R
random variable r(i) ← {2 · x x ∈ (0, 2|N |+µ−1 )}
(line 3) where |N | is the number of bits in N , n is the
Algorithm 5: ComputeLSB Algorithm number of parties and µ is a security parameter such that
Input: [v] p > N 2 + n · 2µ . Similarly, it blinds each share b(i) with a
Output: [v0 ], the LSB of v random bit e(i) . The prover sets each party i’s input (line
Offline phase (performed by the prover): 4) to be the following plaintext shares: a(i) + r(i) ; r(i+1) ;
1: Set a = v − v0 and b = v0 b(i) ⊕ e(i) ; e(i+1) .
2: Set a = a(1) + a(2) + ... + a(n) where ∀i : a(i) is even, For a k-secure MPC protocol, each share a(i) is
and set b = b(1) ⊕ b(2) ⊕ ... ⊕ b(n) blinded with k blinding factors, e.g in a 2-secure MPC
3: ∀i ∈ [n] : protocol with 3 parties, the share a(1) is blinded with r(1,2)
R R
r(i) ← {2 · x x ∈ (0, 2|N |+µ−1 )}; e(i) ← {0, 1} which is given to party 2 and with r(1,3) which is given
4: ∀i ∈ [n] :
to party 3.
Give party i :< a(i) + r(i) ; r(i+1) ; b(i) ⊕ e(i) ; e(i+1) > In the online phase, each party verifies that its
plaintext share is in the appropriate range (line 5) and
Online phase (performed by the blinding factor for a(i) is even, and secret shares

the simulated parties): the blinded share and the blinding factor among all
5: ∀i ∈ [n] : If  a(i) + r(i)
, r(i+1) 6⊆ S, abort
6: ∀i ∈ [n] : If b(i) ⊕e(i) , e(i+1) 6⊆ {0, 1} abort
parties
 (i) (lines   7-10),
 after which
  the parties compute
a + r(i) , ri+1 , bi ⊕ e(i) , ei+1 and finally ex-
7: ∀i ∈ [n] : a(i) + r(i) = SecretShare a(i) + r(i)
tract the sharings of the LSB (line 11) after which they
 
jointly validate the plaintext shares given to them in the
8: ∀i ∈ [n] : r(i+1) = SecretShare r(i+1)
offline phase (lines 12-15).
9: ∀i ∈ [n] : b(i) ⊕ e(i) = SecretShare
b(i) ⊕ e(i)
10: ∀i ∈ [n]L: e(i) = SecretShare (i)
 Ln e (i) 
n (i) (i) 5.3.6. LSB extraction security proof. We formally prove
11: [v0 ] = i=1 Pnb ⊕ e ⊕  i=1P e  
n the correctness and privacy of the LSB extraction protocol.
12: [z] = [v] − i=1 a(i) + r(i) + i=1 r(i) − [v0 ] We give three theorems and prove them in Section D. For
13: z = Reconstruct ([z]) simplicity of notation, we set the number of parties to be
14: if z 6= 0 then three.
15: abort
16: end if Definition 16 (ComputeLSB protocol). Let → −
x =
17: return [v0 ] (x0 , x1 , x2 ) be shares distributed by a dealer and define
3 3
the LSB extraction functionality f : (Zp ) → (Zp ) where
→
−
fi ( x ) is the output of party i, and let π to be the LSB
5.3.5. Extracting the LSB of a Secret Shared Value. extracton protocol (Algorithm 5) and V IEWiπ (→ −
x ) the
We describe our novel protocol LSB extraction protocol view of party i during the execution of π .
shown in (Algorithm 5). The protocol extracts the LSB
of a secret shared value v and is suited to the MPC in Theorem 17 (LSB extraction completeness). On input [v]
the head setting where a prover, knowing v , can act as a with an honest dealer, ComputeLSB outputs [v0 ] (secret
dealer and distribute shares in an offline phase before the shares of the LSB of v ) and never aborts.
online phase takes place among the parties. At the end Theorem 18 (LSB extraction privacy). There exists a PPT
of the online phase, parties obtain a secret sharing of the S such that for a single party j ∈ {0, 1, 2}:
LSB of v , [v0 ].  semi-honest
{S (xj , fj (→
−
x ))} ≡s V IEWjπ (→
−
x)
Our contribution: We construct a novel constant-
round protocol for LSB extraction of a secret shared value Theorem 19 (LSB extraction soundness). ComputeLSB
that is claimed (but not known, as in [18], [40]) to be always either aborts or correctly extracts [v0 ].
Algorithm 6: BooleanizeLSB
Input: [v0 ]
Output: [v0 ]B
  
p {ij∈[λ] ← {0,1,2}}
1: ∀i ∈ [n] : [ri ] = SecretShare Rand n+1
2: ∀i ∈ [n]L: [bi ]B = SecretShare ([ri % 2])
3: [b]B =
P i∈[n] [bi ]B
4: [r] = i∈[n] [ri ]
5: [x] = [r] + [v0 ]
6: x = Reconstruct ([x])
7: [v0 ]B = LSB(x) ⊕ [b]B
Combining the three theorems above yields that an
honest prover distributes plaintext shares in a fashion that
ensures that the verifier always accepts, and the output to
the next gate in the circuit is indeed the LSB of the secret
shared input value.
Additionally, the protocol achieves statistical zero
knowledge, since the view of every single semi-honest
party participating in the protocol is statistically indistin-
guishable from the simulated view.
Lastly, if the dealer is dishonest, the MPC protocol of
the LSB extraction always aborts. It immediately follows
that the LSB extraction protocol does not degrade the
soundness of the zero knowledge proof, as the probability
of a cheating prover to commit to an incorrect protocol
execution does not depent on whether it entails an LSB
extraction or not.
5.3.7. Conversions between different fields. After ex-
tracting the LSB of each layer in our circuit, we show
in Algorithm 6 how to convert it from a sharing modulo
p to the domain of the predicate F . Since our predicate
of choice in our cross chain swap protocol (Section 4)
is SHA256 comparison, we explain how we convert the
arithmetic sharing to a boolean sharing, and denote the
shares in the target domain as [·]B . Our technique follows
[20], and its main idea is to produce masking factors in
both the arithmetic domain and the boolean domain such
that the LSB of both masking factors is identical (lines
1-2). Then, the masking factor in the arithmetic domain,
masking the secret shared LSB (line 5), is revealed (line
6) and the LSB is used to cancel out the mask in the
arithmetic domain (line 7).
5.3.8. Instantiating the MPC Protocol To Be Used In
The ”MPC In The Head” Framework. We instantiate an
MPC protocol using a semi-honest 2-secure9 GMW [26]
where the arithmetic part of our circuit uses an arithmetic
GMW, and the boolean part of our circuit for computing
F uses a boolean GMW. Our conversion from an MPC
protocol to a zero-knowledge proof using the ”MPC in
the head” framework follows [30] and it is outlined in
Section 5.3.9. We elaborate on our salient difference from
the state of the art, the secure multiplication, as secret
sharing and addition are done in the standard manner.
To multiply [z] = [x] · [y], we use an Oblivious Linear
Evaluation (OLE) oracle O: Every pair of parties i, j use
9. A 2-secure protocol can withstand collusion of two parties out of
the remaining three
Prover Verifier
Round 1
R
{C (ij )}j∈[λ]
Round 2
{Vj ← F(s)}j∈[λ]
{C (v)}v∈Vj , j∈[λ]
Round 3
{ij }j∈[λ]
Round 4
{vi , vi0 ∈ Vj }j∈[λ]
Verify:
(*) Commitments
(**) views
Figure 4: The MPC in the head interactive protocol
the OLE oracle O to compute blinded products of each
party’s inputs:
1) Every party i samples a random value ri,j ∈ Zp for
each party j 6= i and sends the share xi and ri,j to O.
2) party j sends to O the share yj
3) The OLE oracle O sends party j si,j = xi · yj + ri,j .
Afterwards, [z] is defined by having the blinding fac-
Pn sent by party i, subtracted: zi = xi + yi +
tors
j=1,j6=i (sj,i − ri,j ). When simulating O, the prover
commits to the inputs and outputs of O. When verifying
the multiplication gate, the prover reveals two views to
the verifier, and the latter verifies they are consistent with
the commitments. Note, that since we employ a 2-secure
GMW, the prover reveals to the verifier the views of two
out of the three parties. Thus, we only need to reveal
the de-commitment of the party which its view is not
revealed, as the verifier can compute the expected de-
commitments of the rest of the parties. This saves us sig-
nificant bandwidth, as our de-commitments are elements
in Zp and have thousands of bits each. In each iteration,
the verifier opens two out of the three views committed
by the prover, therefore the probability of the
verifier
λ
accepting an incorrect proof with λ rounds is 31 . Since
our zero-knowledge protocol is interactive, k doesn’t need
to be large, as in the honest-verifier non-interactive zero-
knowledge, because the prover cannot use computation to
predict the verifier’s challenge.
5.3.9. Obtaining Zero-Knowledge From MPC. We de-
scribe an interactive protocol (Figure 4) between the
sender of the commitment, playing as the prover, and the
receiver of the commitment, playing as the verifier. Denote
vi as the view of party i ∈ {0, 1, 2} in an MPC protocol
executed on secret input s.
The view includes private input, random tape, and
incoming messages received during the protocol from
foreign parties.S Denote C a commitment operation and
define Vj = i∈{0,1,2} {vi } as the union of all views
in the j ’th simulation of MPC protocol and let λ be a
security parameter. The zero knowledge proof is a four
round protocol:
Round 1: The verifier samples λ indices uniformly at

random and commits to them using a perfectly hiding
commitment, and sends the commitment to the prover.
Round 2: The prover simulates the MPC protocol for F
on secret input s, λ times and commits (using a perfectly
binding commitment) to each view (of each party) sep-
arately, and sends the λ triplets of commitments to the
verifier.
Round 3: The verifier decommits the vector of λ indices
{ij }j∈[λ] sent in the first round.
Round 4: The prover checks the decommitments of the
verifier, and then replies with the views that correspond
to other two remaining requested indices {{0, 1, 2} \
{ij }}j∈[λ] . The verifier then: (*) verifies that the com-
mitments match the received views, (**) simulates the
execution of each party that its view was sent by the
verifier. Specifically, the verifier ensures that the messages
that the party should send, match the commitments on the
received messages of the other parties.
5.3.10. Zero knowledge Proof For Membership In LF .
After proving the correctness and privacy of our LSB
extraction protocol (Sections 5.3.5, 5.3.6), as well the
correctness and privacy of all other algorithms instantiated
with the GMW [26] scheme, we can now prove our
main result for this section, Theorem 11. The proofs of
completeness, soundness and zero-knowledge are found
in Section E.
5.4. Evaluation
We implement the AVTC zero-knowledge proof used
for our cross chain atomic swap protocol from Section 4,
which requires proving in zero knowledge that an AVTC
commitment string, commits to a SHA256 pre-image. We
re-use code from ZKBoo [24] for the SHA256 circuit,
and implement the AVTC arithmetic circuit and share
conversion in 3,500 lines of C code available online [1].
We use the GNU MP library [5] for our arithmetic
share addition and multiplication, and OpenMP [7] for
parallel processing of soundness amplification. We exper-
iment on an Intel i7 2.6Ghz with 12 cores and 32GB
RAM with different numbers of rounds for soundness
amplification, and in each configuration we compute the
network bandwidth sent from the prover to the verifier
(see Table 1 and Section G) and estimate the latency for
a 300 Mbps network.
5.5. Comparison to Other Schemes
In this section we discuss alternative options for
our AVTC implementation. We consider other interac-
tive Zero-Knowledge proofs and also non-interactive ones
such as ZK-SNARKs and discuss trade-offs.
5.5.1. Lowering the network bandwidth. A recent
promising zero-knowledge proof scheme that has both fast
proving time and low bandwidth is [45]. It is a flavor
of ”MPC in the head” where the prover and verifier run
a two-party MPC protocol (with malicious security) and
unlike the original ”MPC in the head”, they only do a
single pass over the circuit. However, the protocol assumes
a designated verifier because a preliminary setup phase
must take place between the prover and verifier prior to
Prover Verifier Total Network
#Rounds Security
time time bandwidth Latency
26 240 7.8s 4.9s 577 MB 15s
19 230 5.5s 3.2s 421 MB 11s
13 220 3.3s 2s 288 MB 8s
TABLE 1: Performance evaluation of AVTC where the
attribute F is the SHA2 256 function
the protocol. In contrast, the standard ”MPC in the head”
approach enables the prover to pre-compute the views of
the parties and their commitments long before it comes
into interaction with the verifier, and then when the verifier
asks for opening of the commitments just send the pre-
computed de-commitments.
5.5.2. Quantitative comparison to ZK-SNARKs. Gen-
eral purpose zero-knowledge proof systems vary from
simulations of MPC protocols (fast proving time, but high
bandwidth) to non-interactive arguments of knowledge
(slow proving time, low bandwidth). The analysis of [3]
compared different systems and showed that the Groth16
[27] scheme is the fastest in both prover time and verfier
time, having an order of magnitude difference from the
slowest scheme (Bulletproofs [17]) in their analysis.
To that end, we implement [2] AVTC with the Groth16
ZK-SNARK library of Gnark [16] instantiated with the
BN-254 curve. In particular, we implement gadgets for
4096 bit number addition and 4096 bit number multi-
plication and then use them in the successive modular
squaring using pre-computed hints similar to Algorithm
2 in Section 5.3.2. Finally, the LSBs of each layer are
fed into a SHA256 gadget we implemented. We bench-
mark the Groth16 implementation on an AWS c5a.8xlarge
machine with a 64GB RAM and 32 CPUs. The time it
takes to run the trusted setup of the 14 million constraints
circuit is 3 minutes and 38 seconds. The prover runs in 54
seconds and verifier in 1.4 milliseconds. The large number
of constraints is due to the need to represent 4096 bit
numbers as arrays of smaller numbers (we pick 120 bit
words), since the order of the BN-254 curve is only 254
bits long. However, we use hash pre-images of only 96 bits
in the Groth16 in contrast to 128 bits in the ”MPC-in-the-
head” AVTC. The reason is that the more bits in the hash
pre-image, the more layers of successive modular squaring
we have. Unlike in our ”MPC-in-the-head” construction
where the number of iterations is the dominating factor,
in the Groth16 ZK-SNARK it is the depth of the circuit.
6. Conclusions
In this work we explored whether cross chain atomic
swaps based on Hash Timed Lock Contracts can be con-
structed without reliance on a time source, and answered
the question in the affirmative by providing a protocol
which replaces the well known blockchain based timeouts
used for safety with timed commitments. We enforced
honest party behavior for our protocol via our novel AVTC
primitive, which allows to prove arbitrary attributes for
Boneh and Naor’s timed commitment.
While there is plenty of room for efficiency improve-
ments in our construction, as it requires substantial net-
work bandwidth, we make up for it in minimal prover
time, and in not requiring a trusted setup.
References
[1] AVTC MPC in the head implementation. https://github.com/
AVTC-paper/AVTC-MPC.
[2] AVTC ZK-SNARK implementation. https://github.com/
AVTC-paper/AVTC-SNARK.
[3] Benchmarking zero-knowledge proofs with isekai:
https://sikoba.com/docs/skor isekai benchmarking 201912.pdf.
[4] Bitcoin time locks: https://github.com/bitcoin/bips/blob/master/bip-
0113.mediawiki.
[5] GMP library. https://gmplib.org/.
[6] Interledger https://interledger.org/interledger.pdf.
[7] OpenMP library. https://www.openmp.org/.
[8] sawtooth: https://sawtooth.hyperledger.org/.
[9] sawtooth: https://sawtooth.hyperledger.org/faq/transaction-
processing/#why-is-there-no-timestamp-in-a-transaction-header-or-
block.
[10] Tendermint htlcs: https://github.com/nomic-io/htlc.
[11] G. Almashaqbeh, F. Benhamouda, S. Han, D. Jaroslawicz,
T. Malkin, A. Nicita, T. Rabin, A. Shah, and E. Tromer. Gage
mpc: Bypassing residual function leakage for non-interactive mpc.
Proceedings on Privacy Enhancing Technologies, 2021:528 – 548,
2021.
[12] E. Androulaki, A. Barger, V. Bortnikov, C. Cachin, K. Christidis,
A. D. Caro, D. Enyeart, C. Ferris, G. Laventman, Y. Manevich,
S. Muralidharan, C. Murthy, B. Nguyen, M. Sethi, G. Singh,
K. Smith, A. Sorniotti, C. Stathakopoulou, M. Vukolic, S. W.
Cocco, and J. Yellick. Hyperledger fabric: A distributed operating
system for permissioned blockchains. CoRR, abs/1801.10228,
2018.
[13] L. Blum, M. Blum, and M. Shub. A simple unpredictable pseudo
random number generator. SIAM J. Comput., 15(2):364–383, May
1986.
[14] D. Boneh, B. Bünz, and B. Fisch. A survey of two verifiable delay
functions. IACR Cryptol. ePrint Arch., 2018:712, 2018.
[15] D. Boneh and M. Naor. Timed commitments. In Advances in
Cryptology - CRYPTO 2000, 20th Annual International Cryptology
Conference, Santa Barbara, California, USA, August 20-24, 2000,
Proceedings, pages 236–254, 2000.
[16] G. Botrel, T. Piellard, Y. E. Housni, I. Kubjas, and A. Tabaie.
Consensys/gnark: v0.6.4, Feb. 2022.
[17] B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, and
G. Maxwell. Bulletproofs: Short proofs for confidential transac-
tions and more. In 2018 IEEE Symposium on Security and Privacy
(SP), pages 315–334, 2018.
[18] O. Catrina and S. de Hoogh. Improved primitives for secure
multiparty integer computation. In J. A. Garay and R. De Prisco,
editors, Security and Cryptography for Networks, pages 182–199,
Berlin, Heidelberg, 2010. Springer Berlin Heidelberg.
[19] I. Damgård, M. Fitzi, E. Kiltz, J. B. Nielsen, and T. Toft. Un-
conditionally secure constant-rounds multi-party computation for
equality, comparison, bits and exponentiation. In Theory of Cryp-
tography Conference, pages 285–304. Springer, 2006.
[20] I. Damgård and R. Thorbek. Efficient conversion of secret-
shared values between different fields. IACR Cryptol. ePrint Arch.,
2008:221, 2008.
[21] Y. Doweck and I. Eyal. Multi-party timed commitments. ArXiv,
abs/2005.04883, 2020.
[22] J. A. Garay and C. Pomerance. Timed fair exchange of standard
signatures. In R. N. Wright, editor, Financial Cryptography, pages
190–207, Berlin, Heidelberg, 2003. Springer Berlin Heidelberg.
[23] A. Gervais, G. O. Karame, K. Wüst, V. Glykantzis, H. Ritzdorf,
and S. Capkun. On the security and performance of proof of work
blockchains. In Proceedings of the 2016 ACM SIGSAC Conference
on Computer and Communications Security, CCS ’16, page 3–16,
New York, NY, USA, 2016. Association for Computing Machinery.
[24] I. Giacomelli, J. Madsen, and C. Orlandi. Zkboo: Faster zero-
knowledge for boolean circuits. In 25th USENIX Security Sympo-
sium (USENIX Security 16), pages 1069–1083, Austin, TX, 2016.
USENIX Association.
[25] S. Goldberg, L. Reyzin, O. Sagga, and F. Baldimtsi. Efficient
Noninteractive Certification of RSA Moduli and Beyond, pages
700–727. 11 2019.
[26] O. Goldreich, S. Micali, and A. Wigderson. How to play any
mental game. In Proceedings of the Nineteenth Annual ACM
Symposium on Theory of Computing, STOC ’87, page 218–229,
New York, NY, USA, 1987. Association for Computing Machinery.
[27] J. Groth. On the size of pairing-based non-interactive arguments.
Cryptology ePrint Archive, Report 2016/260, 2016. https://ia.cr/
2016/260.
[28] M. Herlihy. Atomic cross-chain swaps. In Proceedings of the 2018
ACM Symposium on Principles of Distributed Computing, PODC
’18, pages 245–254, New York, NY, USA, 2018. ACM.
[29] M. Herlihy, B. Liskov, and L. Shrira. Cross-chain deals and
adversarial commerce. Proc. VLDB Endow., 13(2):100–113, Oct.
2019.
[30] Y. Ishai, E. Kushilevitz, R. Ostrovsky, and A. Sahai. Zero-
knowledge from secure multiparty computation. In Proceedings of
the Thirty-ninth Annual ACM Symposium on Theory of Computing,
STOC ’07, pages 21–30, New York, NY, USA, 2007. ACM.
[31] D. Johnson, A. Menezes, and S. Vanstone. The elliptic curve digital
signature algorithm (ecdsa). Int. J. Inf. Secur., 1(1):36–63, aug
2001.
[32] E. Makri, D. Rotaru, F. Vercauteren, and S. Wagh. Rabbit: Efficient
comparison for secure multi-party computation. IACR Cryptol.
ePrint Arch., 2021:119, 2021.
[33] G. Malavolta and S. Thyagarajan. Homomorphic Time-Lock Puz-
zles and Applications, pages 620–649. 08 2019.
[34] A. Mitra, C. Gorenflo, L. Golab, and S. Keshav. Timefabric:
Trusted time for permissioned blockchains. 2021.
[35] C. Ning and Q. Xu. Multiparty computation for modulo re-
duction without bit-decomposition and a generalization to bit-
decomposition. In M. Abe, editor, Advances in Cryptology - ASI-
ACRYPT 2010, pages 483–500, Berlin, Heidelberg, 2010. Springer
Berlin Heidelberg.
[36] C. Ning and Q. Xu. Constant-rounds, linear multi-party computa-
tion for exponentiation and modulo reduction with perfect security.
In D. H. Lee and X. Wang, editors, Advances in Cryptology
– ASIACRYPT 2011, pages 572–589, Berlin, Heidelberg, 2011.
Springer Berlin Heidelberg.
[37] T. Nishide and K. Ohta. Multiparty computation for interval,
equality, and comparison without bit-decomposition protocol. In
International Workshop on Public Key Cryptography, pages 343–
360. Springer, 2007.
[38] K. Pietrzak. Simple verifiable delay functions. In 10th innovations
in theoretical computer science conference (itcs 2019). Schloss
Dagstuhl-Leibniz-Zentrum fuer Informatik, 2018.
[39] J. Poon and T. Dryja. The bitcoin lightning network: Scalable
off-chain instant payments, 2016.
[40] T. I. Reistad. Multiparty comparison - an improved multiparty
protocol for comparison of secret-shared values. In SECRYPT,
2009.
[41] P. Rogaway and T. Shrimpton. Cryptographic hash-function basics:
Definitions, implications, and separations for preimage resistance,
second-preimage resistance, and collision resistance. In B. Roy
and W. Meier, editors, Fast Software Encryption, pages 371–388,
Berlin, Heidelberg, 2004. Springer Berlin Heidelberg.
[42] A. Shamir. How to share a secret. Commun. ACM, 22(11):612–613,
nov 1979.
[43] S. A. Thyagarajan, G. Malavolta, and P. Moreno-Sánchez. Univer-
sal atomic swaps: Secure exchange of coins across all blockchains.
Cryptology ePrint Archive, Report 2021/1612, 2021. https://ia.cr/
2021/1612.
[44] S. A. K. Thyagarajan, A. Bhat, G. Malavolta, N. Döttling, A. Kate, Appendix B.
and D. Schröder. Verifiable timed signatures made practical. In 2k
Proceedings of the 2020 ACM SIGSAC Conference on Computer Proving that u = g 2 (mod N )
and Communications Security, CCS ’20, page 1733–1750, New
York, NY, USA, 2020. Association for Computing Machinery. We describe the protocol executed as part of the
[45] C. Weng, K. Yang, J. Katz, and X. Wang. Wolverine: fast, scalable, Commit phase of AVTC which convinces the receiver
and communication-efficient zero-knowledge proofs for boolean that the commitment can be forcefully opened in 2k se-
and arithmetic circuits. In 2021 IEEE Symposium on Security and k

Privacy (SP), pages 1074–1091. IEEE, 2021.

quential steps. Recall, the prover can compute u = g 2 by
k
computing the exponent e = 22 (mod φ (N )) and then
[46] B. Wesolowski. Efficient verifiable delay functions. In Annual
International Conference on the Theory and Applications of Cryp- u = g e (mod N ). In contrast, the receiver, not knowing
tographic Techniques, pages 379–407. Springer, 2019. the factorization of N , has to resolve to 2k successive
[47] J.-Y. Zie, J.-C. Deneuville, J. Briffaut, and B. Nguyen. Extending squaring and modulo reductions.
atomic cross-chain swaps. In Data Privacy Management, Cryp- The prover is going to send the verifier a vector W of
tocurrencies and Blockchain Technology, pages 219–229. Springer, the form
2019. k
2i 2k 2i
  
W = g 2 ,g 4 ,g 16 ,g 256 ...,g 2 ,...,g 2 (mod N )= g 2 (mod N )
i=1
Appendix A. along with a zero knowledge proof that for every two
LHTLP construction consecutive elements a, b in W it holds that: ∃x a =
We elaborate on our observation from Section 2.2.5 on g x (mod N ) ∧ b = ax (mod N ), or alternatively: ∃x a =
2
the trusted setup requirement of the Homomorphic Time- g x (mod N ) ∧ b = g x (mod N ).
Lock Puzzles (HTLP) by going into details on the Linear The proof convinces the verifier that the last element in
2k
Homomorphic Time-Lock Puzzle (LHTLP) construction W is indeed the desired u = g 2 mod N , and is computed
and showing that a setup phase that is executed dishonestly from g by repeated squaring followed by modulo reduc-
2k−1
leads to incorrect recovery of the puzzle. The construction tions of N . Note that the receiver learns g 2 , however
of the LHTLP is as follows:  2k−1 22 k−1
2k−1 2k−1 2k
·2
λ


• Setup 1 , T : Sample two safe primes p, q and set
g2 = g2 = g2 ≡(mod N ) u.
R Therefore, given the vector W , the receiver still needs
N = p · q , and sample ḡ ← Z∗N and set g =
T to perform an exponential (2k−1 ) number of squarings
−ḡ 2 (mod N ). Compute h = g 2 and output pp = followed by modulo reduction by N .
(T, N, g, h). Let λ be a security parameter and denote [λ] =
R 2 ∗
• Gen (pp, s): Let r ← {1, ..., N } and compute u = {0, 1, .., λ} and q the order of g ∈ ZN . Observe the in-
s

g (mod N ), v = h ·(1 + N ) mod N 2 and output
r r·N
teractive zero knowledge protocol of Boneh and Naor for
Z = (u, v). inclusion in L = {(ai , bi ) ∃x s.t ai = g x (mod N ) ∧ bi =
T 2
• Solve(pp, Z = (u, v)): Let
w =
u2 (mod N ). Output g x (mod N )}:
v · w−N mod N 2 − 1 · N −1


s=
n
• Eval (⊕, pp, {Zi = (ui , vi )}i=1 ): Let ū
=
Qn
u (mod N ) v̄ =
Qn 2 Prover Verifier
i=1 i , i=1 vi mod N and
output Z = (ū, v̄). R
ci ← [λ]
At a first glance, the Homomorphic Time Lock Puzzle
(HTLP) construction seems similar to the Timed Commit- Ci = Commit (ci ) (Step 1)
ment primitive devised by Boneh and Naor (see Definition R
4). We note however, an important difference: In the timed αi ← Zq
commitment, the sender proves to the receiver that the
forced open (called Solve in HTLP) indeed yields the (Step 2) zi = g αi , wi = aα
i
i

committed value within the claimed number of compu-

tation steps. It is not the case in LHTLP (or any of the ci = DeCommit (Ci ) (Step 3)
other variations of HTLP). Moreover, even if Gen was i−1
computed honestly by the sender, or that the receiver (Step 4) yi = ci · 22 + αi (mod q)
verifies the correct computation of Gen via an interactive ?
proof, there is no guarantee that the Setup phase was g yi · a−c
i
i
= zi (∗)
constructed correctly. Indeed, in the LHTLP construction, ayi i · b−ci ?
= wi (∗∗)
T T i
the Solve operation computes w = u2 = g r·2 via
successive modular squaring and then if h was constructed
T
Figure 5: Proof that ∃x ai = g x (mod N ) ∧ bi =
honestly in the Setup phase, then h = g 2 and then 2
g x (mod N )
T s
v = g r·2 ·N · (1 + N ) which fits the aforementioned
w. However, if h was not honestly constructed in Setup Each step of the protocol depicted in Figure 5 is
then Solve will not output the s that was used as input executed in parallel for all i ∈ [k]:
to Gen. The authors of [33] do mention that the Setup Step 1:The verifier samples {ci }i∈[k] ∈ [λ] uniformly at
should be executed by a trusted party. We note that unlike random, and sends a commitment to each ci using an
the HTLP where the Setup phase outputs T, N, g, h, the perfectly hiding commitment scheme to the prover.
Setup phase of the the timed commitment outputs only Step 2:The prover, in turn, samples {αi }i∈[k] and sends
the modulus N . zi , wi for all i ∈ [k].
Step 3:The verifier decommits to all {ci }i∈[k] and the From (1) and (3) we get
prover aborts if one of the decommitments turn out to be 0 −c0i 0 c −c0i
false. g yi · a−c
i
i
= g yi · ai ⇒ g yi −yi = ai i . (5)
Step 4:Finally, the prover sends yi , and the verifier checks
and from (2) and (4) we get:
that conditions (*) and (**) hold. A formal proof of the
protocol, which wasn’t included in the original paper of y0 −c0i y −yi0 c −c0i
ayi i · b−c
i
i
= ai i · bi ⇒ ai i = bi i (6)
Boneh and Naor, can be found in the next subsection.
Denote γ = yi − y 0 and δ = ci − c0i , thus from (5)
Appendix C. we get g γ = aδi and from (6) we get aγi = bδi . Thus,
−1 −1

Proof for the Boneh-Naor Zero Knowledge g γ = aδi ⇒ g γ·δ = ai and aγi = bδi ⇒ aγ·δ i = bi .
Protocol Denote β = γ · δ −1 (mod q). Hence  g β
= ai and aβi =
2
bi , so (g, ai , bi ) = g, g β , g β , thus (ai , bi ) ∈ L in
C.1. Completeness contradiction to the assumption.

Observe the interaction between an honest prover C.3. Zero Knowledge

and a verifier for an arbitrary i ∈ [1, k]: First the
prover sends zi = g αi and wi = aα i
i and finally sends We show that the protocol in Figure 5 satisfies the
2i−1
y i = ci · 2 + αi (mod q). The verifier computes: zero-knowledge property. For this purpose we construct a
i−1 i−1 ci
yi −ci
g · ai = g ci ·22 +αi −ci
· ai = g 22
· g · a−c
αi i
= simulator S that upon receiving input (ai , bi ) ∈ L pro-
i
2i−1
duces a view that is indistinguishable from the verifier’s
c
(ai ) i ·g αi ·a−c
i
i
= zi , and ayi i ·b−c
i
i
= aici ·2 +αi −ci
·bi = view in a run with an honest prover, or more formally:

 2i−1 22i−1 ·ci +αi  2i ci  2i−1 αi V iewVP ∗ (ai , bi ) x∈L ≡s {S (ai , bi )}.
g2 ·b−ci
i
= g2 · g2 ·b−c
i
i
= 1) The simulator sets the random tape T̂ of V ∗ by
−ci
bci i ·aα
i ·bi
i
= wi as required, therefore it always accepts randomly sampling from {0, 1}τ where τ denotes an
the proof. upper bound on the running time of V ∗
2) The simulator waits for the commitments given in step
C.2. Soundness 1 by the verifier
R
3) The simulator samples αi ← ZN and sends zˆi =
αi αi
Let (ai , bi ) for some i ∈ [1, k] such that @x ai = g , ŵi = ai .
2
g (mod N )∧bi = g x (mod N ) and assume in contradic-
x 4) The simulator waits for the decommitments from the
tion that ∀i ∈ [1, k] a cheating prover P ∗ can send (zi , wi ), verifier
get a challenge ci and then send yi and convince the 5) The simulator rewinds the verifier to right after its first
verifier that (ai , bi ) ∈ L with non negligible probability. step
Define the following set C : 6) The simulator samples yˆi ∈ ZN uniformly at random
n o and computes
−c y −c
C= ci |∃yi s.t g yi ·ai i =zi ∧ai i ·bi i =wi ∧(ai ,bi )∈L
/
zˆi = g yˆi · a−c
i
i
, ŵi = ayiˆi · b−c
i
i

The set C , informally, is the set of all challenges from an

honest verifier ci such that there exists a response from 7) The simulator sends zˆi , ŵi , waits for the decommit-
the prover yi such that the verifier accepts a tuple (a, b) ment to ci from the verifier
not in L. 8) The simulator sends  yˆi
Let’s split into cases in accordance to C ’s cardinality: We next show that V iewVP ∗ (ai , bi ) x∈L ≡s {S (ai , bi )}.
• |C| = 0: By definition, we get complete soundness. The view of the verifier V ∗ consists of the public input
• |C| = 1: To cheat, the prover will guess ci , pick yi (a, bi ), its random tape T, and the messages received M,
and send zi = g yi · a−c i
i
and wi = ayi i · b−c
i
i
and the or more formally: V iewVP ∗ = h(ai , bi ) , T, Mi.
verifier would accept. In that case, the probability of The messages M sent by the real prover in Figure 5 are
the prover to convince the verifier of (ai , bi ) ∈/ L is 1q , zi , wi in step (2) and yi in step (4), while M̂ consists of
because it needs to guess the challenge ci which has q zˆi , ŵi sent in steps (3),(7) and of yˆi sent in step (8).
∗
(the order of g ∈ ZN ) different possibilities despite the First, observe that the only message sent in the pro-
verifier picking ci ∈ [λ], and every challenge is selected tocol that is related to the public input (ai , bi ) is the first
uniformly at random. message containing wi = ai αi . The simulator sends this
0
• |C| > 1: There are at least 2 such challenges: ci 6= ci . message twice (before and after rewinding) in steps (3)
We’ll see that if that is the case, then ∀i ∈ [1, k] : and (6). We will show that the first time the simulator
(ai , bi ) ∈ L in contradiction to the assumption. sends the message (zˆi , ŵi ) in step (3), its joint distribution
The following equations hold: with the public input distributes statistically close to the
joint distribution of the corresponding first message and
(1) g yi · a−c
i
i
= zi public input in the real protocol. The last message sent in
(2) ayi i · b−c i
= wi the protocol (both by the real prover and the simulator)
i
is independent of the public input. We will show that
0 −c0i
(3) g yi · ai = zi the last message (step 8) the simulator sends distributes
statistically close to the corresponding message sent by the
yi0 −c0i
(4) ai · bi = wi real prover. For the second message sent by the simulator,
and corresponds to the first message sent in the real As we’ve shown that h(ai , bi ) , T, Mi ≡s
protocol, we will show that the exponents are statistically h(ai , bi ) , T̂, M̂i, we conclude that:
close, and conclude that the messages are also statistically
V iewVP ∗ (ai , bi ) x∈L ≡s {S (ai , bi )}

close.
Statistically close messages: We show that the messages
sent by the simulator in steps (3) and (8) are statistically
close to their corresponding messages in the real protocol: Appendix D.
R
• Step (3) (zˆi , ŵi ) ∈ ZN × ZN since αi ← ZN and zˆi = Proofs for AVTC sub-protocols
α
g αi , ŵi = ai i , while the real prover sends (zi , wi ) ∈
Z∗N × Z∗N . The messages are therefore picked in the Proof of Theorem 17 ((LSB extraction completeness)).
same manner in both the simulated protocol and the real An honest dealer distributes only even plaintext shares
protocol, except from the distributions the exponents are and even blinding factors in lines 1-4, therefore the
sampled from. Therefore we will show that: ZN ≡s Z∗N . parties do not abort in lines 5,6. Furthermore, an honest
i
y −c
• Step (7): Notice that zˆi = g i · ai i , ŵi = (zˆi )
22
while dealer distributes plaintext shares and blinding factors
αi 22
i such that for each blinding factor, there exist a plaintext
zi = g and wi = (zi ) . Therefore, the pairs zi , wi share that was built using that blinding factor (line 4). It
2i
and zˆi , ŵi distribute like zi and zˆi . Since ai = g 2 , follows that in line 13, [z] opens to zero, and the protocol
2i
zˆi = g yi −ci ·2 . If we showthat ∆ (UN , UN ∗
) is negli- does not abort. Finally, from construction of the plaintext
2i
 shares of the LSB and its blinding factors, the parties
gible, it will follow that ∆ zi = g , zˆi = g yi −ci ·2
αi
actually compute a secret sharing of the LSB in line 11,
is also negligible. To see why, assume in contradiction and the protocol outputs it in line 17 since it does not
there exists a distinguisher D othat distinguishes between abort.
2i
n
{g αi }αi ∈U ∗ and g yi −ci ·2 ∗
. We can use D to
N yi ∈UN
build a distinguisher D0 that distinguishes UN from UN ∗
: Proof of Theorem 18 (LSB extraction privacy). The sim-
Upon input x, the distinguisher D0 returns D (g x ). ulator S evaluates the circuit of Algorithm 5 backwards,
• Step (8): The simulator sends yˆi ∈ ZN picked uni- starting from the shares of [v0 ] of parties i and j . Note
formly at random while the real prover sends a yi ∈ Z∗N that the only place where secret shares are reconstructed,
also picked uniformly at random. Note that yi , yˆi are is when z is revealed to be zero. Therefore, in line 13, the
independent of the public input, and the correlation be- simulator S samples three random shares z1 , z2 , z3 and
tween yˆi and zˆi and ŵi sent after rewinding is identical has each party broadcast the its share. Then, to simulate
to the correlation of yi with zi , wi in the corresponding line 12 :
real protocol. Therefore, as in step (3), it will suffice to n h
X i X n h i
show ZN ≡s Z∗N . [z] = [v] − a(i) + r(i) + r(i) − [v0 ]
We denote a random variable that is sampled from ZN i=1 i=1
∗
as UN , similarly UN is sampled from Z∗N . We now next the simulator first samples v and then samples blinded
∗
the indistinguishably of the random variables UN and UN . plaintext shares and blinding values such that:
∗
We are interested in measuring ∆ (UN , UN ) (the statistical n  n
distance between ZN and Z∗N ). X  X
0=v− a(i) + r(i) + r(i) − v0
N −1
∗ 1 X i=1 i=1
∆ (UN , UN )= P r [a ∈ ZN ] − P r [a ∈ Z∗N ] ≤ (i) (i)


2 a=0 where a + r is a single value.
 1
=N 0 Afterwards, the simulator S secret-shares the blinded
1 X z }| { z }| { plaintext shares and blinding values, and adds to the
≤ P r [a ∈ ZN ] − P r [a ∈ Z∗N ] + incoming messages of parties i and j the secret shares
2

a∈ZN \Z∗
N accordingly.
1

1
=N = φ(N )
X z }| { z }| {
+ P r [a ∈ ZN ] − P r [a ∈ Z∗N ] 
 = (F)
Proof of Theorem 19 (LSB extraction soundness).
a∈Z∗
N
Assume in contradiction that the protocol does not abort
in spite of a dishonest dealer. It follows from lines 5,6
Notice that: that for every party, a(i) + r(i) is even, and b(i) + e(i)
is a bit. Since each blinding factor r(i+1) is even and
|Z∗N | = φ (N ) = (P − 1)·(Q − 1) = P ·Q−(P + Q)+1 e(i+1) is a bit, it follows that a(i) is even and e(i) is a
while |ZN | = P ·Q, therefore, ∗ bit. Furthermore it follows from line 5 that there is no
 ZN \ Z Q − 1.
N = P +  overflow in the additions in line 12 since p > N 2 + n · 2µ .
1 P +Q−1 1 1
Thus: (F) = 2 · N  + φ (N ) · φ(N ) − N = Since we assumed the protocol didn’t abort, [z] was

1 P +Q−1 φ(N ) reconstructed to reveal zero in line 13 and there was no
2 · N +1− N = ().
overflow (otherwise zero cannot be revealed). However,
Notice that φ(N
N
)
= P ·Q−(PN+Q)+1 = 1 − P +Q−1N , hence in line 12 the parties added and subtracted even values
φ(N ) P +Q−1 P +Q−1
1− N = N ⇒ () = N . which did not change the LSB of the result, therefore
Recall that both P and Q are λ bits of size. Hence, the LSB of [v] had to be [v0 ] which is returned, in
P +Q−1
N ≈ 2−λ , thus ∆ (UN , UN
∗
) is negligible, and there- contradiction to how a dishonest dealer should have
∗
fore ZN ≡s ZN as claimed. operated.

Appendix E.
AVTC scheme for every predicate
Proof of Theorem 11 (Completeness). If the sender and
receiver are honest, then indeed x, the secret input that
F is evaluated on, has the required attribute, and every
simulation of the MPC protocol of F on x will always
yield F(x) = 1. Furthermore, all commitments open
correctly by both the sender and the receiver, and views
are consistent with the messages sent due to the prover
honestly emulating all executions of F , therefore the
receiver accepts.
Proof of Theorem 11 (Soundness). Since x ∈ / LF , the
sender cannot simulate the MPC protocol of F honestly,
and thus it has to cheat at at least a single party simulation
among the n simulations. Observe that the sender commits
to views in round 2, and reveals views selected by the
verifier in round 4. The probability that a cheating sender
will cheat in one of the three party simulations which the

λgoing to ask to reveal in round 4 for all λ
receiver is not
indices is 13 , which is negligible for a large enough λ.
Proof of Theorem 11 (Zero Knowledge). We describe a
S(x) M
simulator M and show that: V iewR ≡s V iewR . The
simulator M uses an auxiliary function F to construct the
views and outgoing messages for each party i:
1) M receives a vector of commitments for indices from
the verifier, sent in round 1.
2) M sends a commitment to zeroes in round 2.
3) Verifier decommits to indices {ij }j∈[λ] it sent.
4) M rewinds the verifier back to right after round 1.
5) ∀j ∈ [λ], M sends to R in round 2:
{C (F ((ij − 1)mod 3)) , C (F ((ij + 1)(mod 3))) , C (0)} protocol is incentivised to find a pre-image for of a
6) M Receives indices sent in round 3, and decommits
to views and outgoing messages forged by F.
The construction of F is defined for the other two parties
that are not i, meaning parties i − 1 and i + 1 that
their view and outgoing messages are forged. Their output
depends on the action performed by the party (gate type,
or operation), the input to that action (gate input, private
input) as well as the random tape. We define each action’s
output by emulating the protocol backwards gate by gate:
Share reconstruction: The public output F(x) for which
the verifier accepts, is split into three uniformly random
shares si−1 mod 3 , si , si−1 mod 3 and let the parties of the
views i − 1, i + 1 send their shares to each other. This
is possible thanks to the fact that F emulates the MPC
protocol backwards, so the gates that define the shares of
the output reconstruction have not yet been defined at this
stage.
Multiplication: We recall the definition of the OLE based
multiplication gate: To multiply [z] = [x] · [y], we use an
Oblivious Linear Evaluation (OLE) oracle O: Every pair
of parties i, j use the OLE oracle O to compute blinded
products of each party’s inputs:
1) Every party i samples a random value ri,j ∈ Zp for
each party j 6= i and sends the share xi and ri,j to O.
2) party j sends to O the share yj
3) The OLE oracle O sends party j : si,j = xi · yj + ri,j .
Afterwards, [z] is defined by:
n
(F) zi = xi + yi +
X
(sj,i − ri,j )
j=1,j6=i
For a party j ∈ {i − 1, j + 1} and w.l.o.g j = i + 1,
upon having a share zj that is a result of a multiplication
gate, we sample its inputs xj , yj ∈ Zp , sample the random
tape entry rj,i−1 to be sent to party i − 1 and then do the
same for party i − 1. Then, we compute the OLE outputs
to parties j, i − 1 and sample random values for the OLE
with party i (its view is not revealed) such that (F) holds.
Secret sharing: Let sj be a share that is in possession of
party j ∈ {i − 1, i + 1} at some point in the backward
evaluation. By definition, the share was sent by a party
in {j + 1, j − 1}. We split into two cases: (i) The share
was sent by party i which its view isn’t revealed. In that
case, we add sj to the incoming messages of j . (ii) The
share was sent by the remaining party, one that is not
i and also not j and its view is revealed. In that case,
we sample a random value s0 according to its domain
(it might be a plaintext share, or a regular share in Zp )
and then split s0 into three parts: {s01 , s02 , sj } such that
s01 + s02 + sj = s0 (mod p), and then we set the output
of the gate whose output is used as input to the secret
sharing operation, and recursively call F .
LSB extraction: The LSB extraction involves additions
(local operations), secret sharing, multiplications and
share reconstructions, which were all defined previously
for F.
Appendix F.
Hash Pre-Image Prefix Length
A malicious party in our cross-chain atomic swap
cryptographic hash H with the secret prefix of length d,
as it can then claim its funds in escrow faster than the
specified timeout, and then claim both the counter party’s
funds and not lose its own funds in escrow.
Security model and assumptions: We assume a
model where malicious parties are computationally bound.
Specifically, we assume that any malicious party that
participates in the cross-chain atomic swap protocol, has
hashing power less or equal to the entire hashing power
of the Bitcoin network. We also put an upper bound to
the delay used for any of the two parties in our protocol,
which will be a single day.
We are only interested in protecting honest parties that
follow the protocol, therefore we assume that they sample
their pre-image prefix uniformly at random from {0, 1}d
as dictated by our protocol (see Section 4). We assume the
standard cryptographic assumption on the hash function
[41] we use, in particular that it is pre-image resistant,
and let its input be 256 bits.
Analysis: Denote the daily hashing rate of a malicious
party to be r. For simplicity, we model the computation
by giving the malicious party oracle access to R:
R : N → {(x, H0 (x)) x ∈ {0, 1}d }
256−d
z}|{
0
where H (x) = H(x|| 0..0 ), a function that pads the in-
put with zeroes and then applies H. Informally, R receives
a number r ∈ N and then outputs r zero-padded pairs of
pre-image prefixes and hashes, where each padding is of 600
length 256 − d.
We need to ensure that d will be large enough so

Network bandwidth (MB)

that with high probability, none of the unique pre-image
prefixes guessed by a malicious party during an upper
bound time limit of a day, is the one sampled by the party 500
that produced the AVTC commitment. We note that even
though we require a suffix of 256 − d zeroes, we do not
make it easier for an adversary to attack our scheme, as
any adversary that can find a pre-image with a hash with 400
a specific suffix of zeroes, finds a pre-image in the general
case. The malicious party sends its daily hashing rate r to
R and receives back r distinct pairs: {(xi , H0 (xi ))}ri=1 .
The probability that one of the pairs matches the hash that Proof size
revealing its pre-image releases the escrow, is 2rd . 300
Bitcoin average hash rate is 140 exa-hashes per sec- 14 16 18 20 22 24 26
ond. If we upper bound the timeouts to a day, it sums up
Number of rounds
to 140 ∗ 1018 · 60 · 60 · 24 = 283 double hash operations
per day, or 284 hash operations per day. Hence, if we take Figure 7: Network bandwidth of SHA256-AVTC
d = 128 then the probability of a malicious party that has
access to a hashing rate that is equal to the entire Bitcoin
84
network, is: 22128 = 2−44 . We show further measurements of our ”MPC in the
head” implementation of the SHA256 AVTC. We measure
Appendix G. the performance (proving time and verification time) in
Figure 6. The bandwidth sent from the prover to the
Extended experiments verifier (in the de-commitment phase) as a function of
with the number of rounds is shown in Figure 7. The
correlation is linear since for every round, the prover de-
commits all secret shares and OLE inputs/outputs in two
7 of three views.4

6
time (seconds)

2 Prover
Verifier

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
Number of rounds
Figure 6: Performance measurement of SHA256-AVTC