Board: Development & Technical Discussion
Re: Really Really ultimate blockchain compression: CoinWitness
by Peter Todd on 19/08/2013, 16:32:03 UTC
> The user who can create the Bitcoin transaction that redeems the coin back into the Bitcoin network is the one who holds the privkey that corresponds to the pubkey at the top of the coin's transcript in the off-chain system? If I understand correctly, then the Bitcoin nodes cannot be completely oblivious to the off-chain system. So can you please elaborate on what exactly the Bitcoin nodes verify when a user exits the off-chain system? You've mentioned in the first paragraph that this can be achieved as a soft-fork to Bitcoin; are you sure about that?

Basically the idea is that in this case the funds are not spendable only by a privkey. Essentially the way it works is kinda like this:

  • Make a transaction that tells the whole world that some funds are now only spendable if someone proves a certain computer program was run.
  • Magic!
  • Make a proof that computer program was run. (also magic)
  • Show the rest of the Bitcoin world that proof, which shows why the funds are now allowed to move.

This is basically how Bitcoin already works... except normally to verify the computer program was run, currently all Bitcoin nodes actually run that program. With SCIP, they don't need to actually do that - just the proof that someone ran it is enough. Yes I know that sounds kinda crazy, but amazingly math actually lets you verify that someone ran a particular computer program honestly without actually running it yourself or seeing all the data it operated on.

Of course that program can be as simple as "Bob signed a message saying Alice deserves the funds now" or as complex as some multi-stage off-chain transaction thing where double-spends are prevented by a signing oracle that sees nothing more than some nonce values it timestamps.