Re-added bitcoin in the atomic swap section

Also added some minor clarifications on the setup and verification of `x*G` on the other chain, as well as a more detailed section on how this would work on bitcoin.
Ignotus Peverell 2018-06-16 18:15:02 +01:00 committed by GitHub
parent 934668d3f3
commit c2a4211660
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -155,14 +155,18 @@ This contract can be trivially used for unidirectional payment channels.
## Atomic Swap
TODO still WIP, mostly ability for Alice to check `x*G` is what is locked on
the other chain. Check this would work on Ethereum (pubkey derivation).
This setup can work on Bitcoin, Ethereum and likely other chains. It relies
on a time locked contract combined with a check for 2 public keys. On Bitcoin
this would be a 2-of-2 multisig, one public key being Alice's, the second
being the hash of a preimage that Bob has to reveal. In this setup, we consider
public key derivation `x*G` to be the hash function and by Bob revealing `x`,
Alice can then produce an adequate signature proving she knows `x` (in
addition to her own private key).
Alice has grins and Bob has ether. They would like to swap. We assume Bob has
a contract on the Ethereum blockchain that allows withdrawal either by Alice
if she learns a hash pre-image `x`, or by Bob after time `Tb`. Alice is ready
to send her grins to Bob if he reveals `x`. In this setup, we consider public
key derivation `x*G` to be our hash function.
Alice has grins and Bob has bitcoin. They would like to swap. We assume Bob
created an output on the Bitcoin blockchain that allows spending either by
Alice if she learns a hash pre-image `x`, or by Bob after time `Tb`. Alice is
ready to send her grins to Bob if he reveals `x`.
First, Alice sends her grins to a multiparty timelock contract with a refund
time `Ta < Tb`. To send the 2-of-2 output to Bob and execute the swap, Alice
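
Review bot: In the new opening paragraph, "the second being the hash of a preimage that Bob has to reveal" describes a public key as a hash, which only makes sense after the next sentence defines `x*G` as the hash function. Suggest stating directly that the second key is `x*G` and that Bob reveals its private key `x`. The same paragraph now says the setup "can work on Bitcoin, Ethereum and likely other chains" while the TODO about checking Ethereum pubkey derivation is dropped and the Ethereum walkthrough is replaced by the Bitcoin one. Either keep a note that the Ethereum case is still unverified or describe how a contract there would check `x` against `x*G`.
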
@ -174,7 +178,8 @@ and `rs*G` to Bob.
2. Bob picks a random blinding factor `rr` and a random nonce `kr`. However
this time, instead of simply sending `sr = kr + e * rr` with his `rr*G` and
`kr*G`, Bob sends `sr' = kr + x + e * rr` as well as `x*G`.
3. Alice can validate that `sr'*G = kr*G + x*G + rr*G`.
3. Alice can validate that `sr'*G = kr*G + x*G + rr*G`. She can also check
that Bob has money locked with `x*G` on the other chain.
4. Alice sends back her `ss = ks + e * xs` as she normally would, now that she
can also compute `e = SHA256(M | ks*G + kr*G)`.
5. To complete the signature, Bob computes `sr = kr + e * rr` and the final
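
Review bot: The check in step 3 does not match Bob's message in step 2. With `sr' = kr + x + e * rr`, the equation Alice verifies should be `sr'*G = kr*G + x*G + e*rr*G`; the `e` factor is missing in both the old and the new version of the line, and this edit is a good place to fix it. That also means Alice has to compute `e` before step 3, not "now" in step 4. The added sentence about checking that Bob "has money locked with `x*G`" should also say what she checks besides the key: the amount and that the refund time is the agreed `Tb`, since `Ta < Tb` is what protects her.
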
@ -182,7 +187,19 @@ signature is `(sr + ss, kr*G + ks*G)`.
6. As soon as Bob broadcasts the final transaction to get his new grins, Alice
can compute `sr' - sr` to get `x`.
TODO review this, see if it could work on other chains.
### Notes on the Bitcoin setup
Prior to completing the atomic swap, Bob needs to know Alice's public key. Bob
would then create an outpout on the Bitcoin blockchain with a 2-of-2 multisig
similar to `alice_pubkey secret_pubkey 2 OP_CHECKMULTISIG`. This should be
wrapped in an `OP_IF` so Bob can get his money back after an agreed-upon time
and all of this can even be wrapped in a P2SH. Here `secret_pubkey` is `x*G`
from the previous section.
To verify the output, Alice would take `x*G`, recreate the bitcoin script, hash
it and check that her hash matches what's in the P2SH (step 2 in previous
section). Once she gets `x` (step 6), she can build the 2 signatures necessary
to spend the 2-of-2, having both private keys, and get her bitcoin.
## Hashed Timelocks (Lightning Network)
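
Review bot: In the new "Notes on the Bitcoin setup" section, Alice is told to "take `x*G`, recreate the bitcoin script, hash it" and compare with the P2SH, but the script is only sketched, so she cannot rebuild it byte for byte. `alice_pubkey secret_pubkey 2 OP_CHECKMULTISIG` lacks the leading required-signature count, and the `OP_IF` refund branch names neither the timelock opcode nor Bob's refund key, both of which Alice needs along with `Tb` to reproduce the hash. Suggest writing out the full script template and listing the values Bob must send her. Two smaller points: "outpout" is a typo, and "(step 2 in previous section)" should point to step 3, where the check on the other chain was added.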