Hello ZmnSCPxj,

You say "A taker can be a surveillor as well", as though that's simple and easy to achieve. In reality there are many defenses against that.

Defending against the attack of a malicious taker aborting at the last step is the purpose of the podle commitments which joinmarket has implemented since 2016. This was in response to this attack actually taking place. Another important point is that this attack can't happen secretly, it is very obvious to everyone operating a maker that it happens. The podle defense means that an attacker doing this will constantly have to spend money on miner fees to create new UTXOs. Here's a writeup with links to other blog posts about the whole thing: https://gist.github.com/chris-belcher/00255ecfe1bc4984fcf7c65e25aa8b4b

As well as podle as mitigation, the multiple mixdepths in the joinmarket wallet also help a lot because it's not trivial for an attacker to actually learn all the UTXOs in all 5 mixdepths, which is necessary for the attack to work.

Mitigation in Teleport works in a slightly different way: takers can only see UTXOs or transactions belonging to the maker once they have already gotten their own transaction confirmed. So if they were to abort the protocol early they would not only have spent miner fees but also wasted their own time waiting for the OP_CSV timeout.

It's worth remembering that the fidelity bond UTXOs are not linked to any resulting coinjoin or coinswaps on-chain.

Yes, linking the two identities (joinmarket maker and teleport maker) together slightly degrades privacy, but that has to be balanced against the privacy loss of leaving both systems open to sybil attacks. Without fidelity bonds the two systems can be sybil attacked just by using about five-figures USD, and the attacker can get these coins back at any time when they're finished.

Regards
CB

On 13/05/2022 13:44, ZmnSCPxj wrote:
Good morning Chris,

Hello waxwing,

A user sacrifices X amount of time-value-of-money (henceforth TVOM)
by committing in Joinmarket with FB1. He then uses the same FB1 in
Teleport, let's say. If he gets benefit Y from using FB1 in Joinmarket,
and benefit Z in Teleport, then presumably he'll only do it if
(probabilistically) he thinks Y+Z > X.

But as an assessor of FB1 in Joinmarket, I don't know if it's also
being used for Teleport, and more importantly, if it's being used
somewhere else I'm not even aware of. Now I'm not an economist I admit,
so I might not be intuit-ing this situation right, but it feels to me
like the right answer is "It's fine for a closed system, but not an open
one." (i.e. if the set of possible usages is not something that all
participants have fixed in advance, then there is an effective Sybilling
problem, like I'm, as an assessor, thinking that sacrificed value 100 is
there, whereas actually it's only 15, or whatever.)


I don't entirely agree with this. The value of the sacrifice doesn't
change if the fidelity bond owner starts using it for Teleport as well
as Joinmarket. The sacrifice is still 100. Even if the owner doesn't run
any maker at all the sacrifice would still be 100, because it only
depends on the bitcoin value and locktime. In your equation Y+Z > X,
using a fidelity bond for more applications increases the
left-hand-side, while the right-hand-side X remains the same. As
protection from a sybil attack is calculated using only X, it makes no
difference what Y and Z are, the takers can still always calculate that
"to sybil attack the coinjoin I'm about to make, it costs A btc locked
up for B time".

I think another perspective here is that a maker with a single fidelity bond 
between both Teleport and Joinmarket has a single identity in both systems.

Recall that not only makers can be secretly surveillors, but takers can also be 
secretly surveillors.

Ideally, the maker should not tie its identity in one system to its identity in 
another system, as that degrades the privacy of the maker as well.

And the privacy of the maker is the basis of the privacy of its takers.
It is the privacy of the coins the maker offers, that is being purchased by the 
takers.


A taker can be a surveillor as well, and because the identity between 
JoinMarket and Teleport is tied via the single shared fidelity bond, a taker 
can perform partial-protocol attacks (i.e. aborting at the last step) to 
identify UTXOs of particular makers.
And it can perform attacks on both systems to identify the ownership of maker 
coins in both systems.

Since the coins in one system are tied to that system, this increases the 
information available to the surveillor: it is now able to associate coins in 
JoinMarket with coins in Teleport, via the shared fidelity bond identity.
It would be acceptable for both systems to share an identity if coins were 
shared between the JoinMarket and Teleport maker clients, but at that point 
they would arguably be a single system, not two separate systems, and that is 
what you should work towards.


Regards,
ZmnSCPxj
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
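
The PoDLE defence mentioned in the first message of this thread, as an added sketch (not part of the thread and not JoinMarket's code): the taker commits to P2 = x*J for the key x of one of its UTXOs and proves that P2 and P = x*G share x, and the maker refuses any commitment it has already seen, so an aborted attempt burns that UTXO. The derivation of J, the hash layout and all function names are assumptions made for this example; the maker's checks on the UTXO itself and the retry index are left out.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    m = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P))
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add (not constant time, demonstration only)
    out = None
    while k:
        out, pt, k = (add(out, pt) if k & 1 else out), add(pt, pt), k >> 1
    return out

def h(*parts):  # SHA-256 over concatenated 32-byte big-endian integers
    return hashlib.sha256(b"".join(v.to_bytes(32, "big") for v in parts)).digest()
def nums_point(tag=b"constructed-J"):  # assumed derivation: try-and-increment
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(tag + bytes([ctr])).digest(), "big") % P
        y = pow(x**3 + 7, (P + 1) // 4, P)
        if y * y % P == (x**3 + 7) % P:
            return x, y
J = nums_point()  # second generator whose discrete log w.r.t. G nobody knows

def prove(x, k):  # x: UTXO private key, k: nonce (must be random in practice)
    pub, p2 = mul(x, G), mul(x, J)
    e = int.from_bytes(h(*mul(k, G), *mul(k, J), *pub, *p2), "big") % N
    return {"commit": h(*p2), "P": pub, "P2": p2, "s": (k + e * x) % N, "e": e}
def verify(r):  # recompute k*G and k*J from (s, e), then re-derive the challenge
    kg = add(mul(r["s"], G), mul(N - r["e"], r["P"]))
    kj = add(mul(r["s"], J), mul(N - r["e"], r["P2"]))
    e = int.from_bytes(h(*kg, *kj, *r["P"], *r["P2"]), "big") % N
    return e == r["e"] and h(*r["P2"]) == r["commit"]

def maker_accept(reveal, used):  # used: set of commitments already seen
    if reveal["commit"] in used or not verify(reveal):
        return False
    used.add(reveal["commit"])
    return True
```

Calling `maker_accept` twice with the same reveal returns `True` and then `False`: a taker that aborts after revealing cannot present the same UTXO again and has to create a new one.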
