Paper 2022/499

Cryptographic Oracle-Based Conditional Payments

Varun Madathil, North Carolina State University
Sri AravindaKrishnan Thyagarajan, NTT (Japan)
Dimitrios Vasilopoulos, IMDEA Software
Lloyd Fournier, none
Giulio Malavolta, Max Planck Institute for Security and Privacy
Pedro Moreno-Sanchez, IMDEA Software

We consider a scenario where two mutually distrustful parties, Alice and Bob, want to perform a payment conditioned on the outcome of some real-world event. A semi-trusted oracle (or a threshold number of oracles, in a distributed trust setting) is entrusted to attest that such an outcome indeed occurred, and only then the payment is successfully made. Such oracle-based conditional (ObC) payments are ubiquitous in many real-world applications, like financial adjudication, pre-scheduled payments or trading, and are a necessary building block to introduce information about real-world events into blockchains. In this work we show how to realize ObC payments with provable security guarantees and efficient instantiations. To do this, we propose a new cryptographic primitive that we call verifiable witness encryption based on threshold signatures (VweTS): Users can encrypt signatures on payments that can be decrypted if a threshold number of signers (e.g., oracles) sign another message (e.g., the description of an event outcome). We require two security notions: (1) one-wayness that guarantees that without the threshold number of signatures, the ciphertext hides the encrypted signature, and (2) verifiability, that guarantees that a ciphertext that correctly verifies can be successfully decrypted to reveal the underlying signature. We present provably secure and efficient instantiations of VweTS where the encrypted signature can be some of the widely used schemes like Schnorr, ECDSA or BLS signatures. Our main technical innovation is a new batching technique for cut-and-choose, inspired by the work of Lindell-Riva on garbled circuits. Our VweTS instantiations can be readily used to realize ObC payments on virtually all cryptocurrencies of today in a fungible, cost-efficient, and scalable manner. The resulting ObC payments are the first to support distributed trust (i.e., multiple oracles) without requiring any form of synchrony or coordination among the users and the oracles. To demonstrate the practicality of our scheme, we present a prototype implementation and our benchmarks in commodity hardware show that the computation overhead is less than 25 seconds even for a threshold of 4-of-7 and a payment conditioned on 1024 different real-world event outcomes, while the communication overhead is below 2.3 MB

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Network and Distributed System Security (NDSS)
oracle contractsthreshold cryptographywitness encryptionverifiable encryptionblockchain
Contact author(s)
vrmadath @ ncsu edu
t srikrishnan @ gmail com
dimitrios vasilopoulos @ imdea org
lloyd fourn @ gmail com
giulio malavolta @ hotmail it
pedro moreno @ imdea org
2023-01-18: last of 5 revisions
2022-04-28: received
See all versions
Short URL
Creative Commons Attribution


      author = {Varun Madathil and Sri AravindaKrishnan Thyagarajan and Dimitrios Vasilopoulos and Lloyd Fournier and Giulio Malavolta and Pedro Moreno-Sanchez},
      title = {Cryptographic Oracle-Based Conditional Payments},
      howpublished = {Cryptology ePrint Archive, Paper 2022/499},
      year = {2022},
      doi = {10.14722/ndss.2023.23024},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.