Hello ZmnSCPxj, On 11/06/2020 12:51, ZmnSCPxj wrote: > Good morning Chris, and bitcoin-dev (but mostly Chris), > > > I made a random comment regarding taint on bitcoin-dev recently: > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-June/017961.html > >> For CoinSwap as well, we can consider that a CoinSwap server could make >> multiple CoinSwaps with various clients. >> This leads to the CoinSwap server owning many small UTXOs, which it at some >> point aggregates into a large UTXO that it then uses to service more clients >> (for example, it serves many small clients, then has to serve a single large >> client that wants a single large UTXO for its own purposes). >> This aggregation again leads to spreading of taint. > > I want to propose some particular behaviors a SwapMarket maker can engage in, > to improve the privacy of its customers. > > Let us suppose that individual swaps use some variant of Succinct Atomic Swap. > Takers take on the role of Alice in the SAS description, makers take on the > role of Bob. > We may be able to tweak the SAS protocol or some of its parameters for our > purposes. > > Now, what we will do is to have the maker operate in rounds. > > Suppose two takers, T1 and T2, contact the sole maker M in its first ever > round. > T1 and T2 have some coins they want to swap. > They arrange things all the way to confirmation of the Alice-side funding tx, > and pause just before Bob creates its own funding tx for their individual > swaps. > The chain now shows these txes/UTXOs: > > 42 of T1 ---> 42 of T1 & M > 50 of T2 ---> 50 of T2 & M > 100 of T1 ---> 100 of T1 & M > > 200 of M - > > Now the entire point of operating in rounds is precisely so that M can > service multiple clients at the same time with a single transaction, i.e. > batching. > So now M provides its B-side tx and complete the SAS protocols with each of > the takers. > SAS gives unilateral control of the outputs directly to the takers, so we > elide the fact that they are really 2-of-2s below: > > 42 of T1 ---> 42 of T1 & M > 50 of T2 ---> 50 of T2 & M > 100 of T1 ---> 100 of T1 & M > > 200 of M +--> 11 of M > +--> 140 of T1 > +--> 49 of T2 > > (M extracted 1 unit from each incoming coin as fee; they also live in a > fictional universe where miners mine transactions out of the goodness of > their hearts.) > Now in fact the previous transactions are, after the SAS, solely owned by M > the maker. > Now suppose on the next round, we have 3 new takers, T3, T4, and T5, who > offer some coins to M to CoinSwap, leading to more blockchain data: > > 42 of T1 ---> 42 of T1 & M > 50 of T2 ---> 50 of T2 & M > 100 of T1 ---> 100 of T1 & M > > 200 of M -+-> 11 of M > +-> 140 of T1 > +-> 49 of T2 > > 22 of T3 ---> 22 of T3 & M > 90 of T3 ---> 90 of T3 & M > 11 of T4 ---> 11 of T4 & M > 50 of T4 ---> 50 of T4 & M > 20 of T5 ---> 20 of T5 & M > > In order to service all the new takers of this round, M takes the coins that > it got from T1 and T2, and uses them to fund a new combined CoinSwap tx: > > 42 of T1 ---> 42 of T1 & M -+--+-> 110 of T3 > 50 of T2 ---> 50 of T2 & M -+ +-> 59 of T4 > 100 of T1 ---> 100 of T1 & M -+ +-> 14 of T5 > +-> 9 of M > 200 of M -+-> 11 of M > +-> 140 of T1 > +-> 49 of T2 > > 22 of T3 ---> 22 of T3 & M > 90 of T3 ---> 90 of T3 & M > 11 of T4 ---> 11 of T4 & M > 50 of T4 ---> 50 of T4 & M > 15 of T5 ---> 15 of T5 & M > > That transaction, we can observe, looks very much like a batched transaction > that a custodial service might produce. > > Now imagine more rounds, and I think you can begin to imagine that the magic > of transaction batching, ported into SwapMarket, would help mitigate the > blockchain size issues that CoinSwap has. > > Makers are expected to adopt this technique as this reduces the overall cost > of transactions they produce, thus they are incentivized to use this > technique to increase their profitability. > > At the same time, it spreads taint around and increases the effort that chain > analysis must go through to identify what really happened. > > Regards, > ZmnSCPxj >
Would it be fair to summarize the idea in this way: CoinSwappers can slow down the CoinSwap process which will give an opportunity for makers to use batching. _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev