[bitcoin-dev] Revault: a multi-party vault architecture

2020-04-24 Thread darosior via bitcoin-dev 
Hi all,

Kevin Loaec and I have been working on a new multiparty vault architecture and 
I think it reached the point where we’d welcome some feedback.


Intended usage and limitations
==

The aim is to secure the shared storage of coins without relying on a trusted 
third party and by disincentivizing theft attempts, while not restricting the 
usage of the funds for day-to-day operations.

Revault uses N-of-N multisigs and thus does not protect against intentional 
locking of funds (such as refusal to sign, or key erasure). Therefore it 
assumes its users (likely companies with already on-going agreements between 
shareholders) to be able to solve intentional blockage outside the Bitcoin 
network (such as through legal contracts).


The actual architecture
===

We called it revault as it relies on pre-signed and revocable (revaultable) 
transactions.
The users pre-sign a transaction chain as the only used way to spend from a 
vault output.
They would have signed a set of transactions to either cancel a spend attempt 
or lock the funds for some time beforehand. The funds are always better locked 
for a long time than stolen.


The transactions


The system is composed of mainly 6 transaction types (with N the number of 
stakeholders) :

- The “vault” transaction which pays to a N-of-N, by which funds are received.
- The “emergency” transaction, which spends the vault output and pays to a 
[here goes a
high value]-days timelocked N-of-N (with N differents but statics keys, assumed 
to be physically stored in hard(/long) to access locations).
- The “unvault” transaction, which spends the vault output and pays to [either 
the vault’s N-of-N, or *after X blocks* to a subset of the stakeholders AND a 
co-signing server].
- The “unvault emergency” transaction, which spends the unvault output and pays 
to the
same script as the first emergency transaction.
- The “cancel” transaction, which spends the unvault output and pays back to a 
new vault utxo.
- The “spend” transaction, which spends the unvault output and pays to an 
external address (potentially contained in a list of destinations previously 
agreed-upon by all the stakeholders).


The process
---

The stakeholders would exchange the signatures of all the revaulting 
transactions after the reception of a new vault utxo, and then exchange the 
signatures of the unvaulting transaction. Before doing so, the coins are not 
available to be spent.

In order to spend a vault, the subset of the stakeholders who manages the funds 
(for example, the traders of an investment fund) would make the cosigning 
server (which only signs a transaction once) sign the spend transaction.
They would then present it to the other watchers which would ACK the spend (if 
paying to an authorized address), and broadcast the "unvault" transaction. 
Finally, and after X blocks have passed they would be able to broadcast the 
spend transaction.
If a stakeholder's watcher detects an unvaulting transaction without knowing 
about its child “spend” transaction, it triggers an automatic “cancel” 
transaction (not encumbered by the timelock).

At any point -even in the middle of a spend- any of the stakeholder can trigger 
an emergency transaction if anything nasty is happening.
Any network watcher noticing the broadcast of an emergency transaction would 
also broadcast all other vaults’ emergency transactions.

This network watching and revaulting power can be replicated (watchtowers) to 
further decrease the reliance on a single machine or internet access.


Pre-signed transactions fun
---

In order to avoid our security assumptions to be as weak as betting on the 
value of the feerate in the future, stakeholders exchange SINGLE | ANYONECANPAY 
signatures for the revaulting transactions and append their own as SIGHASH_ALL 
before broadcasting.
They can add another input (and potentially output) in order to bump the fees 
before doing so.

We protect ourselves from the bug by leveraging the fact the revaulting (namely 
the "emergency", "unvault emergency", and "cancel" transactions) only have 
*strictly* one input and one output. The change being part of the spend 
transaction.

In addition, revaulting transactions may signal for RBF to cover a feerate 
increase after the broadcast. Anyhow, a significant breathing room can be added 
to the feerate as these transactions are not intended to be used under normal 
circumstances.


Worth mentioning


The original draft of this architecture was first designed by Kevin Loaec who 
was hired by NOIA to do so. It was inspired by Bryan Bishop’s single-party 
vault architecture 
(https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-August/017229.html),
 who published a demo implementation of it last week 
(https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-April/017755.html,
 https://github.com/kanzure/python-vaults).
Kevin

Re: [bitcoin-dev] Fwd: (Semi)Traceless 2-party coinjoin off-chain protocol using schnorr signatures

2020-04-24 Thread German Luna via bitcoin-dev 
Good morning ZmnSCPxj,

The issues you point out are indeed important to note. Thank you for your
wonderful feedback!

* There is a practical limit to the number of UTXOs you would be willing to
> receive in the swap.
>   * Every UTXO you receive increases the potential fee you have to pay to
> spend them, meaning you would strongly dislike receiving 100 UTXOs that sum
> up to 1mBTC.
>
Absolutely agree. It wouldn't be particularly nice to have to manage that.

  * Thus, a practical blockchain analyst can bound the size of the sets
> involved, and the problem becomes less than NP in practice.
>
Definitely, though they first have to consider all subsets of a fixed size
with values bounded above by the value of the unknown sum. So the analyst
has to search through all fixed size sets (up to the practical bound) whose
elements are less than a maximum sum. This is a number of choices that is
(in a crude estimation) exponential (in the size of the UTXO set), and
polynomial in the number UTXOs below that maximum sum value on-chain which
can be pretty big at sufficiently large value-transfers.

* If you have a single UTXO and split it, then swap, anyone looking at the
> history can conjecture that the split involved is part of a CoinSwap.
>   * The split is now a hint on how the subset sums can be tried.
>
You're right that anybody could conjecture that it is involved in a
CoinSwap, however in my proposed protocol the swap would like a (schnorr)
P2PKH to the chain so you'd have to make that conjecture for every UTXO, so
it's not much of a hint. Especially so noting that one, both or none of the
outputs could be part of a swap.

* If after the CoinSwap you spend the UTXOs you received in a single
> transaction, then you just published the solution to the subset sum for
> your adversary.
>   * This ties in even further to the "practical limit on the number of
> UTXOs".
> * Because it is not safe to spend the UTXOs from a single CoinSwap
> together, you want to have fewer, larger UTXOs for more flexibility in
> spending later.
>
Yes, this is definitely a weakness and some over-the-top UTXO management
techniques (e.g. try to avoid combining different UTXOs in a known set into
the same transaction by default, where possible) would be needed or like
you say fewer larger UTXOs.

It's interesting to note one can pick some subset of recent UTXOs and add
up their output values, and select that as the amount of value transfer to
exchange in a given operation. Resulting in a bit of added obfuscation as
there are now seemingly (at least) 3 utxo sets that add up to similar or
identical values, but only two of which are really participating in the
swap.

I believe belcher and waxwing and nopara73 have been working far longer on
> privacy tech, and you should try to get in contact with them as well, they
> may know of other issues (or solutions to the above problems).
>
Thank you for your input and suggestions! I will reach out to them.

-- 
Germán
Mathematician
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev