Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
> [...] we can use 2-party ECDSA to create 2-of-2 multisignature addresses that > look the same as regular single-signature addresses[2]. Even the old-style > p2pkh addresses starting with 1 can be CoinSwap addresses. Probably worth considering that p2pkh, p2wpkh and p2sh are vulnerable to the (well-known) birthday attack with 2^80 operations on average if they encode a multisig policy [0]. This is a large number but not the security margin we are used to. It is possible to reduce the feasibility of the attack by requiring 2^80 interactions instead of purely offline operations. This works by adding a commitment round for all public keys involved in the policy. Now in order to test whether a public key results in a collision, the attacker must first engage in a commitment protocol with that public key. The "Fast Secure Two-Party ECDSA Signing" protocol by Lindell [1] already has such a commitment round (for reasons unrelated to Bitcoin). For example, the Gotham City two-party ECDSA wallet [2] has this security model because it builds on the Lindell scheme and uses p2sh-p2wpkh. [0] https://bitcoin.stackexchange.com/questions/54841/birthday-attack-on-p2sh [1] https://eprint.iacr.org/2017/552.pdf [2] https://github.com/KZen-networks/gotham-city On 5/25/20 1:21 PM, Chris Belcher via bitcoin-dev wrote: > === Abstract === > > Imagine a future where a user Alice has bitcoins and wants to send them > with maximal privacy, so she creates a special kind of transaction. For > anyone looking at the blockchain her transaction appears completely > normal with her coins seemingly going from address A to address B. But > in reality her coins end up in address Z which is entirely unconnected > to either A or B. > > Now imagine another user, Carol, who isn't too bothered by privacy and > sends her bitcoin using a regular wallet which exists today. But because > Carol's transaction looks exactly the same as Alice's, anybody analyzing > the blockchain must now deal with the possibility that Carol's > transaction actually sent her coins to a totally unconnected address. So > Carol's privacy is improved even though she didn't change her behaviour, > and perhaps had never even heard of this software. > > In a world where advertisers, social media and other companies want to > collect all of Alice's and Carol's data, such privacy improvement would > be incredibly valuable. And also the doubt added to every transaction > would greatly boost the fungibility of bitcoin and so make it a better > form of money. > > This undetectable privacy can be developed today by implementing > CoinSwap, although by itself that isn't enough. There must be many > building blocks which together make a good system. The software could be > standalone as a kind of bitcoin mixing app, but it could also be a > library that existing wallets can implement allowing their users to send > Bitcoin transactions with much greater privacy. > > == CoinSwap == > > Like CoinJoin, CoinSwap was invented in 2013 by Greg Maxwell[1]. Unlike > CoinJoin it is relatively complicated to implement and so far has not > been deployed. But the idea holds great promise, and fixes many of the > problems of some kinds of CoinJoins. CoinSwap is the next step for > on-chain bitcoin privacy. > > CoinSwap is a way of trading one coin for another coin in a > non-custodial way. It is closely related to the idea of an atomic swap. > Alice and Bob can trade coins with each other by first sending to a > CoinSwap address and having those coins then sent to Bob: > > Alice's Address 1 > CoinSwap Address 1 > Bob's Address 1 > > An entirely separate set of transactions gives Bob's coins to Alice in > return: > > Bob's Address 2 > CoinSwap Address 2 > Alice's Address 2 > > Where the symbol > is a bitcoin transaction. > > Privacy is improved because an observer of the blockchain cannot link > Alice's Address 1 to Alice's Address 2, as there is no transaction > between them. Alice's Address 2 could either be an address in Alice's > wallet, or the address of someone else she wants to transfer money to. > CoinSwap therefore breaks the transaction graph heuristic, which is the > assumption that if a transaction A -> B is seen then the ownership of > funds actually went from A to B. > > CoinSwap doesnt break any of bitcoin's assumptions or features like an > auditable supply or pruning. It can be built on today's bitcoin without > any new soft forks. > > CoinSwap can't improve privacy much on its own, so it requires other > building block to create a truly private system. > > === ECDSA-2P === > > The original CoinSwap idea uses 2-of-2 multisig. We can get a slightly > bigger anonymity set by using 2-of-3 multisigs with a fake third public > key. For a much greater anonymity set we can use 2-party ECDSA to create > 2-of-2 multisignature addresses that look the same as regular > single-signature addresses[2]. Even the old-style p2pkh addresses > starting
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Hello ZmnSCPxj, On 10/06/2020 11:58, ZmnSCPxj wrote: > Good morning Chris, > >>> Let me propose an alternative: swap-on-receive+swap-on-change. >> >> That's an interesting point, thanks for the thought. This scheme might >> not be appropriate for every threat model and use case. >> For example, if someone wants to use bitcoin just as a foreign currency >> for its privacy and censorship-resistant properties. So for example if >> they want to pay for a VPN anonymously, so they buy bitcoins and >> immediately send all of them to the VPN merchant. The swap-on-receive >> wouldn't be appropriate for them because they'll be doing a coinswap >> straight away to the VPN merchant. So perhaps this plan could be an >> optional mode of operation (which may or may not be the default). The >> scheme obviously is useful when bitcoin is being used more as a >> day-to-day money. > > > No, I think you misunderstand my proposal. > > If the user is doing swap-on-receive, the user already has an anonymous UTXO, > they can just transfer it directly in full to the VPN without using a > CoinSwap. > > The number of CoinSwaps involved is the same: one. > > So the difference is: > > * swap-on-receive: > * I get some coins from an exchange, giving them my contact information and > bank information and all the places I have ever inhabited in my entire > existence and an unfertilized egg sample and an archive of my diary and let > them invasively scan my cognitive substrate. > * I send the coins to my CoinSwap wallet. > * The CoinSwap wallet automaticaly CoinSwaps the coins into a new UTXO. > * One CoinSwap. > * I tell the CoinSwap wallet to send it all to the VPN. > * My CoinSwap wallet knows my coins are already cleaned, so it creates a > plain 1-input 1-output transaction directly to the VPN address. > > * swap-on-pay: > * I get some coins from an exchange, giving them my contact information and > bank information and all the places I have ever inhabited in my entire > existence and an unfertilized egg sample and an archive of my diary and let > them invasively scan my cognitive substrate. > * I send the coins to my CoinSwap wallet. > * I tell the CoinSwap wallet to send it all to the VPN. > * My CoinSwap wallet automatically arranges a CoinSwap into the VPN > address. > * One CoinSwap. > > So in both cases the same expected number of CoinSwaps is done, i.e. one. > > Note that there are still details like how much onchain fees are and how much > CoinSwap maker fees are and etc etc but they exist for both flows anyway. > So I would still be buying slightly more than my target amount, and if there > is any change I could just designate it to be added to the mining fees or a > donation to ZmnSCPxj, because ZmnSCPxj is so awesome. > > What swap-on-receive+swap-on-change instead does is just amortize the timing > of the CoinSwaps, so that you CoinSwap as soon as you receive, instead of as > soon as you have to pay, so that sending payments is as fast as non-CoinSwap > onchain wallets. > > > Regards, > ZmnSCPxj > Right, I get it. Good explanation. In your swap-on-receive example the exchange also can't tell how long your coins remain unspent in your wallet, which they could in swap-on-pay. This is very useful information for an exchange because it tells them about what hodlers are doing, and they might trade against them. (e.g. opening big short positions right after they see many long term hodl'd coins being moved) ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Hello Lee, Thanks for the review. On 10/06/2020 01:43, Mr. Lee Chiffre wrote: > >> >> === Combining multi-transaction with routing === >> >> Routing and multi-transaction must be combined to get both benefits. If >> Alice owns multiple UTXOs (of value 6 BTC, 8 BTC and 1 BTC) then this is >> easy with this configuration: >> >> Alice >> (6 BTC) (8 BTC) (1 BTC) >>| | | >>| | | >>v v v >> Bob >> (5 BTC) (5 BTC) (5 BTC) >>| | | >>| | | >>v v v >> Charlie >> (9 BTC) (5 BTC) (1 BTC) >>| | | >>| | | >>v v v >> Dennis >> (7 BTC) (4 BTC) (4 BTC) >>| | | >>| | | >>v v v >> Alice >> > > > > > > > Great work Chris and you have my respects for your contributions to > Bitcoin. A concern I have with bitcoin is scalability and privacy. Both > are important. The reasons people bash on Monero is also the same issue > Bitcoin has. The very large transaction size to achieve acceptable privacy > on a distributed financial network. Im not shilling Monero here. I am only > saying that bitcoin transactions with similar privacy properties are at > least equally as large as Monero transactions. Coinjoin on Monero can be > compared to ring signatures in Monero from the view of using decoys to > help conceal the source. From this proposal is this to say that > transactions will be at least 12 times larger in size to achieve the > property of privacy that bitcoin is currently missing? > > Another thing to consider is that if coinswaps cannot be sent as a payment > then a coinswap needs to take place after every transaction to keep the > privacy and unlinkability from your other bitcoin transactions. > > I always thought that CoinSwap would be and is a very much needed thing > that needs developed. The ability to swap coins with other people in a > trustless way and way that is not linkable to the public blockchain. But > how can this be scalable at all with the multiple branches and layers? > This is a good idea in theory but my concern would be the scalability > issues this creates. > > Do you have any comments on this? > Thank you > You are right to be concerned about scalability. Here's a few of my thoughts on this: An issue with Monero (or any cryptocurrency based on the ring signature input signing scheme) isn't just that transactions are bigger in bytes. Monero full nodes can't know when a TXO has been spent, so pruning is impossible in Monero and the list of TXOs perpetually grows, this is unlike in bitcoin where full nodes know if a UTXO has been spent and so can delete it in pruning. The storage space needed for Bitcoin's UTXO set sometimes actually gets smaller. Note that Monero software actually has a feature called "pruning" so sometimes the terminology gets confused when people say "wait, Monero _does_ have pruning". But this pruning doesn't do the same thing as Bitcoin's pruning, the disk space still grows as O(TXOcount) which is much faster compared to Bitcoin's O(UTXOcount). And when designing this CoinSwap system I've been careful to make sure it doesn't break pruning (or other resources saving features, for example CoinSwap can be made to work with the blocksonly feature of Bitcoin Core). So bitcoin-with-CoinSwap's scalability isnt anywhere near as bad as Monero's. You're right to talk about decoys. Decoys are not a good way to obtain privacy because they can be broken by repeated interactions.. I really like this talk about why decoys are not a good solution to privacy in many cases: talk: https://www.youtube.com/watch?v=YgtF7psIKWg=youtu.be=3701 transcript: https://tokyo2018.scalingbitcoin.org/transcript/tokyo2018/how-much-privacy-is-enough Equal-output CoinJoins also work with decoys. Like in JoinMarket you could analyze those CoinJoins to say that the inputs and outputs of the makers in a CoinJoin are actually just decoys. Fixed-denomination CoinJoins like in Wasabi or Samourai also use much more block space because of the reduced divisibility, for example Wasabi coinjoins can only be done with about 0.1 BTC, so if you want to mix 1 BTC then you have to do 10 such CoinJoins, costing 10 times the block space. CoinSwap doesn't work by adding decoys, it improves privacy in the same way as Lightning: by moving information off-chain. You could perhaps analyze CoinSwap as using decoys if you say that the decoys are almost every other bitcoin transaction happening on the blockchain, and that can be almost as big as you want. One full block has about 3000 outputs, so if you wait a day between the CoinSwap funding and spending transactions then that's 144*3000 = 432000 decoys (this calculation is simplified, but it's a good starting point). If CoinJoin or Monero transactions had that
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Good morning Chris, > > Let me propose an alternative: swap-on-receive+swap-on-change. > > That's an interesting point, thanks for the thought. This scheme might > not be appropriate for every threat model and use case. > For example, if someone wants to use bitcoin just as a foreign currency > for its privacy and censorship-resistant properties. So for example if > they want to pay for a VPN anonymously, so they buy bitcoins and > immediately send all of them to the VPN merchant. The swap-on-receive > wouldn't be appropriate for them because they'll be doing a coinswap > straight away to the VPN merchant. So perhaps this plan could be an > optional mode of operation (which may or may not be the default). The > scheme obviously is useful when bitcoin is being used more as a > day-to-day money. No, I think you misunderstand my proposal. If the user is doing swap-on-receive, the user already has an anonymous UTXO, they can just transfer it directly in full to the VPN without using a CoinSwap. The number of CoinSwaps involved is the same: one. So the difference is: * swap-on-receive: * I get some coins from an exchange, giving them my contact information and bank information and all the places I have ever inhabited in my entire existence and an unfertilized egg sample and an archive of my diary and let them invasively scan my cognitive substrate. * I send the coins to my CoinSwap wallet. * The CoinSwap wallet automaticaly CoinSwaps the coins into a new UTXO. * One CoinSwap. * I tell the CoinSwap wallet to send it all to the VPN. * My CoinSwap wallet knows my coins are already cleaned, so it creates a plain 1-input 1-output transaction directly to the VPN address. * swap-on-pay: * I get some coins from an exchange, giving them my contact information and bank information and all the places I have ever inhabited in my entire existence and an unfertilized egg sample and an archive of my diary and let them invasively scan my cognitive substrate. * I send the coins to my CoinSwap wallet. * I tell the CoinSwap wallet to send it all to the VPN. * My CoinSwap wallet automatically arranges a CoinSwap into the VPN address. * One CoinSwap. So in both cases the same expected number of CoinSwaps is done, i.e. one. Note that there are still details like how much onchain fees are and how much CoinSwap maker fees are and etc etc but they exist for both flows anyway. So I would still be buying slightly more than my target amount, and if there is any change I could just designate it to be added to the mining fees or a donation to ZmnSCPxj, because ZmnSCPxj is so awesome. What swap-on-receive+swap-on-change instead does is just amortize the timing of the CoinSwaps, so that you CoinSwap as soon as you receive, instead of as soon as you have to pay, so that sending payments is as fast as non-CoinSwap onchain wallets. Regards, ZmnSCPxj ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Good morning ZmnSCPxj, On 06/06/2020 02:40, ZmnSCPxj wrote: > Good morning Chris, > >> I think I'm having trouble understanding this, does it work like this: >> >> Say we're in the 2-party coinswap case (Alice and Bob) >> >> We have Alice's funding transaction: >> Alice UTXO ---> 2of2 multisig (Alice+Bob) >> >> And we have the regular contract transaction >> 2of2 multisig (Alice+Bob) ---> Alice+timelock1 OR Bob+hashlock >> >> And you propose a second pre-signed transaction? >> 2of2 multisig (Alice+Bob) ---> Bob+timelock2 > > No, it is: > > 2of2 multisig (Alice+Bob) --(nLockTime=locktime1)-> Alice > > The timelock is imposed as a `nLockTime`, not as an `OP_CLTV` (so not in the > output of the tx, but part of the tx), and the backout returns the funds to > Alice, not sends it to Bob. > This transaction is created *before* the contract transaction. > > The order is: > > * Create (but not sign) Alice funding tx (Alice --> Alice+Bob). > * Create and sign Alice backout transaction (Alice+Bob > -(nLockTime=locktime1)-> Alice). > * Create (but not sign) Bob funding tx (Bob --> Alice+Bob+sharedSecret). > * Create and sign Bob backout transaction (Alice+Bob+sharedSecret > -(nLocktime=locktime2)-> Bob) where timelock2 < timelock1. > * Sign and broadcast funding txes. > * At this point, even if Bob funding tx is confirmed but Alice funding tx > is not, Bob can recover funds with the backout, but Alice cannot steal the > funds (since there is no hashlock branch at this point). > * When Alice funding tx is confirmed, create and sign contract transaction > (Alice+Bob --> Alice+timelock1 OR Bob+hashlock). > * When Bob funding tx is confirmed and Bob has received the Alice contract > transaction, create and sign Bob contract transaction (Alice+Bob+sharedSecret > --> Bob+timelock2 OR Alice+hashlock). > * Continue as normal. > > In effect, the backout transaction creates a temporary Spilman unidirectional > time-bound channel. > We just reuse the same timelock on the HTLC we expect to instantiate, as the > time bound of the Spilman channel; the timelock exists anyway, we might as > well reuse it for the Spilman. > > Creation of the contract tx invalidates the backout tx (the backout tx is > `nLockTime`d, the contract tx has no such encumbrance), but the backout > allows Alice and Bob to fund their txes simultaneously without risk of race > loss. > However, they do still have to wait for (deep) confirmation before signing > contract transactions, and Bob has to wait for the incoming contract > transaction as well before it signs its outgoing contract transaction. > > The protocol is trivially extendable with more than one Bob. > > The insight basically is that we can split CoinSwap into a "channel > establishment" phase and "HTLC forwarding" phase followed by "HTLC > resolution" and "private key handover". > HTLC forwarding and HTLC resolution are "done offchain" in the channels, and > channel establishment can be done in any order, including reverse. > > Indeed, the Spilman channel need not have the same timelock as the HTLC it > will eventually host: it could have a shorter timelock, since the contract > transaction has no `nLockTime` it can be instantiated (with loss of privacy > due to the nonstandard script) before the Spilman timeout. > > Regards, > ZmnSCPxj > Thanks for the explanation. I understand now, and I understand how this makes it possible for all funding transactions in a coinswap route to be confirmed in the same block. However, I think this also breaks private key handover. Here's why: Recall that in a Alice/Bob coinswap we have two funding transactions (Alice --> multisig(Alice, Bob) and Bob --> multisig(Bob,Alice)), and two contract transactions (multisig(Alice, Bob) --> Alice+OP_CSV_timelock OR Bob+hashlock and multisig(Bob,Alice --> Bob+OP_CSV_timelock OR Alice+hashlock). After the hashlock preimage becomes known to all then Alice and Bob give their multisig privkey to the other party. Bob now has both privkeys in the multisig(Alice,Bob) so he can sign any transaction he wants spending from it, but the contract transaction still exists. So until Bob actually spends from the multisig he must always be watching the blockchain, and if Alice broadcasts the contract transaction then Bob must immediately spend from it using the hash preimage branch. If Bob waits too long and the OP_CSV timelock value passes then Alice can steal Bob's money by spending with that path. The OP_CSV timelock only starts ticking when the contract transaction actually confirms, and this is crucial for making privkey handover practical because it means the coins in the multisig can stay unspent indefinitely. However, I think this does not apply to the scheme you described which uses nLockTime, because after the privkeys are handed over Alice's backout transaction (Alice+Bob -(nLockTime=locktime1)-> Alice) still exists, and Alice could broadcast it. Once locktime1 passes then Alice can
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Good morning Mr. Lee, > > === Combining multi-transaction with routing === > > Routing and multi-transaction must be combined to get both benefits. If > > Alice owns multiple UTXOs (of value 6 BTC, 8 BTC and 1 BTC) then this is > > easy with this configuration: > > > > Alice > > (6 BTC) (8 BTC) (1 BTC) > >| | | > >| | | > >v v v > > Bob > > (5 BTC) (5 BTC) (5 BTC) > >| | | > >| | | > >v v v > > Charlie > > (9 BTC) (5 BTC) (1 BTC) > >| | | > >| | | > >v v v > > Dennis > > (7 BTC) (4 BTC) (4 BTC) > >| | | > >| | | > >v v v > > Alice > > > > Great work Chris and you have my respects for your contributions to > Bitcoin. A concern I have with bitcoin is scalability and privacy. Both > are important. The reasons people bash on Monero is also the same issue > Bitcoin has. The very large transaction size to achieve acceptable privacy > on a distributed financial network. Im not shilling Monero here. I am only > saying that bitcoin transactions with similar privacy properties are at > least equally as large as Monero transactions. Coinjoin on Monero can be > compared to ring signatures in Monero from the view of using decoys to > help conceal the source. From this proposal is this to say that > transactions will be at least 12 times larger in size to achieve the > property of privacy that bitcoin is currently missing? CoinSwap lets you buy privacy at whatever rate is manageable for you. You can buy a simple non-routed non-multitransaction CoinSwap, for example, instead of larger sections like the above, depending on your privacy needs. Even doing a non-routed non-multitransaction CoinSwap would help fungibility of those doing more complex setups, because the tiny CoinSwaps you make are made of "the same things" that the more complex CoinSwaps are made of. > > Another thing to consider is that if coinswaps cannot be sent as a payment > then a coinswap needs to take place after every transaction to keep the > privacy and unlinkability from your other bitcoin transactions. > > I always thought that CoinSwap would be and is a very much needed thing > that needs developed. The ability to swap coins with other people in a > trustless way and way that is not linkable to the public blockchain. But > how can this be scalable at all with the multiple branches and layers? > This is a good idea in theory but my concern would be the scalability > issues this creates. > > Do you have any comments on this? > Thank you Overall, multiple mixing techniques cover a wide range of cost and privacy. * PayJoins are cheap and almost free (you are coordinating with only one other participant who is strongly incentivized to cooperate with you, and making a single overall tx) but buys you only a small dollop of privacy (transaction can be misinterpreted by chain analysis, but probabilistic analysis can be "reasonably accurate" for a few transactions). * Equal-valued CoinJoins are slightly more expensive than PayJoins but give a good amount of privacy (you are coordinating with multiple participants, and probably paying coordination/participation fees, but *which* output is yours will give probabilistic analysis a run for its money, although it is obvious that you *did* participate in a CoinJoin). * CoinSwaps are a good bit more expensive than equal-valud CoinJoins but give a significant amount of privacy for their cost (you are coordinating with multiple participants and paying coordination/participation fees *and* you run the risk of getting your funds timelocked in case of network communications problems or active hacking attempts, but it is hard for chain analysis to even *realize* that a CoinSwap even occurred, i.e. it is steganographic). Chris argues that CoinSwap gives better privacy:cost ratios than equal-valued CoinJoins, you can wait and see if he gives more supporting arguments regarding this, but overall the various mixing tech exists to give choice on how much privacy you buy. Regards, ZmnSCPxj ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
> > === Combining multi-transaction with routing === > > Routing and multi-transaction must be combined to get both benefits. If > Alice owns multiple UTXOs (of value 6 BTC, 8 BTC and 1 BTC) then this is > easy with this configuration: > > Alice > (6 BTC) (8 BTC) (1 BTC) >| | | >| | | >v v v > Bob > (5 BTC) (5 BTC) (5 BTC) >| | | >| | | >v v v > Charlie > (9 BTC) (5 BTC) (1 BTC) >| | | >| | | >v v v > Dennis > (7 BTC) (4 BTC) (4 BTC) >| | | >| | | >v v v > Alice > Great work Chris and you have my respects for your contributions to Bitcoin. A concern I have with bitcoin is scalability and privacy. Both are important. The reasons people bash on Monero is also the same issue Bitcoin has. The very large transaction size to achieve acceptable privacy on a distributed financial network. Im not shilling Monero here. I am only saying that bitcoin transactions with similar privacy properties are at least equally as large as Monero transactions. Coinjoin on Monero can be compared to ring signatures in Monero from the view of using decoys to help conceal the source. From this proposal is this to say that transactions will be at least 12 times larger in size to achieve the property of privacy that bitcoin is currently missing? Another thing to consider is that if coinswaps cannot be sent as a payment then a coinswap needs to take place after every transaction to keep the privacy and unlinkability from your other bitcoin transactions. I always thought that CoinSwap would be and is a very much needed thing that needs developed. The ability to swap coins with other people in a trustless way and way that is not linkable to the public blockchain. But how can this be scalable at all with the multiple branches and layers? This is a good idea in theory but my concern would be the scalability issues this creates. Do you have any comments on this? Thank you -- lee.chif...@secmail.pro PGP 97F0C3AE985A191DA0556BCAA82529E2025BDE35 ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
> Coinjoin on Monero can be > compared to ring signatures in Monero from the view of using decoys to > help conceal the source. From this proposal is this to say that > transactions will be at least 12 times larger in size to achieve the > property of privacy that bitcoin is currently missing? > This was a typo. Coinjoin on BITCOIN, can be compared to ring signatures in Monero form the view of using decoys to help conceal the source. The same thing that makes monero transactions large and a scalability concern is the same thing that bitcoin suffers from with using privacy focused transactions. ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Good morning a third time Chris, Now unrelated to the funding order, but one of the reasons why timeliness is desirable for CoinSwap is that if possible, we want to ensure that sends from a user wallet are not correlatable with receives into that wallet. Thus, there is the strong suggestion that before sending to a payee, the user wallet should swap, then use the swapped funds to pay the payee, i.e. swap-on-pay. JoinMarket does this in `sendpayment.py`, for example, and this is the recommended way to perform payments out of the JoinMarket wallet. Let me propose an alternative: swap-on-receive+swap-on-change. ZeroLink already suggests that wallets maintain two internal wallets: a pre-mix wallet and a post-mix wallet. With swap-on-receive, when the user wants a receive address, the wallet gets it from the pre-mix wallet address. Then, when wallet notices any unspent funds on any pre-mix wallet address, the wallet automatically swaps it into the post-mix wallet. This is swap-on-receive. Long-term HODLing goes into post-mix wallet addresses. Then, when sending, the wallet selects from the post-mix wallet coins, and spends those coins directly into the payee address. If there is no exact amount, it has to have change. The change output does *not* go to the pre-mix or post-mix wallet address. Instead, it goes to a 2-of-2 funding outpoint for a new swap immediately. This lets the payee receive its funds quickly, as soon as the transaction confirms, without waiting for the CoinSwap to complete. Of course, the user now has to be online to *fully* receive funds (the user cannot spend the funds until it is in the post-mix wallet). Regards, ZmnSCPxj ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Good morning again Chris, I am uncertain if you are aware, but some years ago somebody claimed that 2p-ECDSA could use Scriptless Script as well over on lightning-dev. * https://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20180426/fe978423/attachment-0001.pdf * https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-April/001221.html I cannot claim to follow the math enough to say it is actually secure, but the idea does exist. If this is sufficiently secure, we can fold the Spilman backout into the scriptless script swap as well. * Alice creates secret keypairs A[0] = a[0] * G, A[1] = a[1] * G * Bob creates secret keypairs B[0] = b[0] * G, B[1] = b[1] * G * Alice creates (but does not sign) funding from Alice -> A[0] && B[0] * Bob provides partial signature for A[0] && B[0] -(nLockTime=locktime1)-> Alice to Alice and Alice completes this signature and stashes it. * Bob creates (but does not sign) funding from Bob -> A[1] && B[1] * Alice provides partial signature for A[1] && B[1] -(nLockTime=lockTime2)-> Bob to Bob and Bob completes this signature and stashes it. * Alice and Bob sign and broadcast their funding transactions. * This can safely be done in any order; Bob will refuse to continue with the protocol until it sees Alice funding is confirmed, and will abort if locktime2 is too near. * Alice waits for Bob funding tx to confirm. * Alice provides a 2p-ECDSA adaptor signature for A[1] && B[1] --> Alice; the adaptor signature, when completed, reveals the secret a[0] to Bob. * Bob waits for Alice funding tx to confirm. * Bob provides the partial signature for the given adaptor signature for A[1] && B[1] --> Alice and Alice completes this signature and stashes it. * Alice gives a[0] outright to Bob. * Bob gives b[1] outright to Alice. * Alice spends the A[1] && B[1] output before locktime2. * Bob spends the A[0] && B[0] output before locktime1. I also pointed out the griefing problem in Lightning also applies to SwapMarket. Bob can limit the griefing problem by requiring that locktime2 <= now + 12, and requiring that locktime1 >= now + 60. This means that Alice has to lock its funds for 10 hours if it forces Bob to lock its funds for 2 hours, making it undesirable as an attack on competing makers. This does prevent chaining (no maker is going to accept the outgoing), but if Alice wants chaining it can always use the private key handed over to immediately start a funding tx with another Bob. (This is not a good solution for griefing in the Lightning Network since channels are intended to be reused there, whereas the Spilman channels in CoinSwap exist only to allow funding transactions to confirm in any order onchain, and are used only for the specific swap; in Lightning the forwarding node has an incentive to release the incoming HTLC immediately instead of imposing the incoming wait time since the funding can be reused for a different payment, but in CoinSwap it cannot be reused anyway, so it could just let the incoming timelock lapse instead of releasing that encumbrance as would be done in Lightning.) Regards, ZmnSCPxj ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Good morning Chris, > I think I'm having trouble understanding this, does it work like this: > > Say we're in the 2-party coinswap case (Alice and Bob) > > We have Alice's funding transaction: > Alice UTXO ---> 2of2 multisig (Alice+Bob) > > And we have the regular contract transaction > 2of2 multisig (Alice+Bob) ---> Alice+timelock1 OR Bob+hashlock > > And you propose a second pre-signed transaction? > 2of2 multisig (Alice+Bob) ---> Bob+timelock2 No, it is: 2of2 multisig (Alice+Bob) --(nLockTime=locktime1)-> Alice The timelock is imposed as a `nLockTime`, not as an `OP_CLTV` (so not in the output of the tx, but part of the tx), and the backout returns the funds to Alice, not sends it to Bob. This transaction is created *before* the contract transaction. The order is: * Create (but not sign) Alice funding tx (Alice --> Alice+Bob). * Create and sign Alice backout transaction (Alice+Bob -(nLockTime=locktime1)-> Alice). * Create (but not sign) Bob funding tx (Bob --> Alice+Bob+sharedSecret). * Create and sign Bob backout transaction (Alice+Bob+sharedSecret -(nLocktime=locktime2)-> Bob) where timelock2 < timelock1. * Sign and broadcast funding txes. * At this point, even if Bob funding tx is confirmed but Alice funding tx is not, Bob can recover funds with the backout, but Alice cannot steal the funds (since there is no hashlock branch at this point). * When Alice funding tx is confirmed, create and sign contract transaction (Alice+Bob --> Alice+timelock1 OR Bob+hashlock). * When Bob funding tx is confirmed and Bob has received the Alice contract transaction, create and sign Bob contract transaction (Alice+Bob+sharedSecret --> Bob+timelock2 OR Alice+hashlock). * Continue as normal. In effect, the backout transaction creates a temporary Spilman unidirectional time-bound channel. We just reuse the same timelock on the HTLC we expect to instantiate, as the time bound of the Spilman channel; the timelock exists anyway, we might as well reuse it for the Spilman. Creation of the contract tx invalidates the backout tx (the backout tx is `nLockTime`d, the contract tx has no such encumbrance), but the backout allows Alice and Bob to fund their txes simultaneously without risk of race loss. However, they do still have to wait for (deep) confirmation before signing contract transactions, and Bob has to wait for the incoming contract transaction as well before it signs its outgoing contract transaction. The protocol is trivially extendable with more than one Bob. The insight basically is that we can split CoinSwap into a "channel establishment" phase and "HTLC forwarding" phase followed by "HTLC resolution" and "private key handover". HTLC forwarding and HTLC resolution are "done offchain" in the channels, and channel establishment can be done in any order, including reverse. Indeed, the Spilman channel need not have the same timelock as the HTLC it will eventually host: it could have a shorter timelock, since the contract transaction has no `nLockTime` it can be instantiated (with loss of privacy due to the nonstandard script) before the Spilman timeout. Regards, ZmnSCPxj ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Good day ZmnSCPxj, >>> But S6 has the mild advantage that all the funding transactions paying to >>> 2-of-2s can appear on the same block, whereas chaining swaps will have a >>> particular order of when the transactions appear onchain, which might be >>> used to derive the order of swaps. >> >> On the other hand, funds claiming in S6 is also ordered in time, so >> someone paying attention to the mempool could guess as well the order of >> swaps. >> >> I think this is wrong, and that it's possible for the funding >> transactions of chained/routed swaps to all be in the same block as well. >> >> In CoinSwap it's possible to get DOS'd without the other side spending >> money if you broadcast your funding transaction first and the other side >> simply disappears. You'd get your money back but you have to waste time >> and spend miner fees. The other side didn't spend money to do this, not >> even miner fees. >> >> From the point of view of us as a maker in the route, we know we won't >> get DOS'd like this for free if we only broadcast our funding >> transaction once we've seen the other side's funding transaction being >> broadcast first. This should work as long as the two transactions have a >> similar fee rate. There might be an attack involving hash power: If the >> other side has a small amount of hash power and mines only their funding >> transaction in a manner similar to a finney attack, then our funding >> transaction should get mined very soon afterwards by another miner and >> the protocol will continue as normal. If the other side has knowledge of >> the preimage and uses it to do CPFP and take the money, then we can >> learn that preimage and do our own CPFP to get our money back too. > > How about RBF? > > A taker Alice can broadcast the funding tx spending its own funds. > The funding tx spends funds controlled unilaterally by Alice. > Alice can sign a replacement transaction for those funds, spending them to an > address with unilateral control, and making the funding tx output with all > the obligations attached never get confirmed in the first place. > > The chances may be small --- Bob can certainly monitor for Alice broadcasting > a replacement and counter-broadcast its own replacement --- but the risk > still exists. > TANSTAAGM (There Aint No Such Thing As A Global Mempool) also means Alice > could arrange the replacement by other means, such as not using the > RBF-enabled flag, broadcasting the self-paying replacement near miner nodes, > and broadcasting the CoinSwap-expected funding tx near the Bob fullnode; Bob > fullnode will then reject attempts to replace it, but miners will also reject > the CoinSwap-expected funding tx and it will not confirm anyway. > > > With the pre-SAS 4-tx setup, this potentially allows Alice to steal the funds > of Bob; after Alice gets its funding-tx-replacement confirmed together with > the Bob honest-funding-tx, Alice can use the contract transaction and publish > the preimage to take the Bob funds. > Since the Alice-side funding tx has been replaced, knowledge of the hash > preimage will not help Bob any: the Alice funding tx has been replaced and > Bob cannot use the preimage to claim it (it does not exist). > > > With SAS Alice cannot outright steal the Bob funds, but the Bob funds will > now be locked in a 2-of-2 and Alice can take it hostage (either Bob gives up > on the funds, i.e. donates its value to all HODLers, or Bob gives most of the > value to Alice). > > > For the avoidance of theft, it is probably better for Bob to wait for > Alice-side funding tx to confirm, probably deeply because reorgs suck. > > This at least makes it costly to perform this attack; you have to lock more > of your funds longer in order to induce a competitor to lock its funds. > > > Come to think of it, the same issue probably holds for S6 as well, the > funding tx with the longest timelock has to confirm first before the next is > even broadcast, bleah. Your RBF observation actually blows my idea out of the water. Not just because of RBF but because of an attack by a miner. Supposing that Alice starts with knowledge of the hash preimage, if she uses RBF to make her funding transaction never confirm but allows Bob's funding transaction to confirm, then Alice can use her preimage to take the money from Bob's funding transaction. Bob will learn the value of the preimage but it won't be much good to him because Alice's funding transaction isn't valid anymore. Alice will get money from her funding transaction and also money from Bob's funding transaction. Because of this attack, it's pretty clear that a CoinSwap peer who starts _without_ knowledge of the preimage must wait for the other side's funding transaction to actually confirm, perhaps even with multiple confirmations if they fear that the other side has access to hashpower. For example, a miner could play the role of Alice and use this attack to almost-risklessly steal Bob's
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Good morning yet again Chris, > > For the avoidance of theft, it is probably better for Bob to wait for > > Alice-side funding tx to confirm, probably deeply because reorgs suck. I realized that the *other* improvement I proposed in the [CoinSwapCS issue](https://github.com/AdamISZ/CoinSwapCS/issues/53) would help with this. Specifically, `nLockTime`-protected Backouts. Suppose we have an S6 route as so, with Alice as taker and Bob1 and Bob2 as makers: Alice -> Bob1 -> Bob2 -> Alice We assume here that Bob1 and Bob2 directly talk to Alice and that if Bob1 wants to talk to Bob2 it is done via Alice, so in the below if we say "Bob1 sends to Bob2" we imply that this is done via Alice. 1. Alice solicits fresh pubkeys from Bob1 and Bob2. 2. Alice gives timeouts L1 and L2 to Bob1, and L2 and L3 to Bob2, such that L1 > L2 > L3, as well as negotiated amount, fees, etc. 3. Alice creates (but does NOT sign) a funding tx paying to Alice && Bob1 and gives the txid to Bob1. 4. Bob1 creates and signs a tx spending from the Alice funding tx and paying to Alice, with `nLockTime = L1`, and gives the signature to Alice. 5. Bob1 creates (but does NOT sign) a funding tx paying to Bob1 && Bob2 and gives the txid to Bob2. 6. Bob2 creates and signs a tx spending from the Bob1 funding tx and paying to Bob1, with `nLockTime = L2`, and gives the signature to Bob1. 7. Bob2 creates (but does NOT sign) a funding tx paying to Bob2 && Alice and gives the txid to Alice. 8. Alice creates and signs a tx spending from the Bob2 funding tx and paying to Bob2, with `nLockTime = L3`, and gives the signature to Bob2. 9. Alice signals everyone to sign their respecting funding txes and broadcast them. The rest of the CoinSwap protocol executes as normal once the funding txes are deeply confirmed. The only thing that Bob1 (resp. Bob2) needs to wait for is that the signatures for the incoming HTLC / PTLC have been received before forwarding to the next hop. This allows all funding txes to be confirmed in the same block, or even in some suitable random order (by having Alice send the signal out at different times/blocks to different makers). The `nLockTime`d backout transactions are sufficient to allow everyone to recover their funds unilaterally in case one of the other funding txes do not confirm. A similar technique can be done for SAS as well, but this removes the lack of encumbrance in the LTC-side output of SAS, which removes the advantage of having an otherwise unencumbered output. In effect, the above creates Spilman unidirectional payment channels along the route, bringing the fiddly timing details offchain where it is less visible to observers. -- However, note that this still allows a form of griefing attack. Basically, Alice can induce Bob1 and Bob2 to lock their funds for some time, by completing the above ritual, but not signing and broadcasting its own funding tx. Bob1 and Bob2 will have been induced to lock their funds for L2 and L3, respectively, while Alice only has to RBF away its own funding tx. Alice might do this if it is actually another maker and it wants to take out its competitors Bob1 and Bob2, reducing their available liquidity for a time and cornering the SwapMarket. This can be mitigated by replacing step 9 with: 9. Alice gives its signed funding tx to Bob1. 10. Bob1 gives its signed funding tx to Bob2. 11. Bob2 gives its signed funding tx to Alice. 12. Alice signals everyone to broadcast their funding txes. Then Bob1 (resp. Bob2) can monitor the mempool/blockchain and check as well if its outgoing funding tx has been broadcast/confirmed, and if so broadcast the incoming funding tx. Or better, if Bob1 (resp. Bob2) does not receive the Alice signal fast enough, it will broadcast its incoming funding tx anyway. This is only a mitigation: Alice could have pre-prepared a replacement to the funding tx that it broadcasts near miners just before it signals Bob1 and Bob2 to broadcast all transactions. For full protection against griefing attacks, Bob1 (resp. Bob2) have to wait for the incoming funding tx to be confirmed deeply before broadcasting its outgoing funding tx as well. Regards, ZmnSCPxj ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Good morning Chris again, > For the avoidance of theft, it is probably better for Bob to wait for > Alice-side funding tx to confirm, probably deeply because reorgs suck. Over in Lightning-land, we have a concept called "irrevocably committed". This is a state where a newly-created contract can no longer be cancelled, by publishing an older state. In Lightning, there is a short timeframe where a new state, and its directly previous state, are both still valid, until the previous state is revoked. Only once the previous state (that does not contain the contract) has been revoked, and only the latest state is valid, can a forwarding node actually forward the payment. This is roughly equivalent to the funding tx for the CoinSwap being confirmed. Until a transaction is confirmed, the UTXOs it spends (i.e. the previous state) can still be validly spent by other alternate transactions. Regards, ZmnSCPxj ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Good morning Chris, > > Good morning Ruben and Chris, > > > I am not in fact convinced that PayJoin-with-CoinSwap adds that much > > privacy. > > These transactions: > > > > +---+ +---+ > > Alice ---| |--| |--- Bob > > Alice ---| | | | > > Bob ---| | +---+ > > +---+ > > > > > > Are not really much different in coin ownership analysis from these: > > > > +---++---+ > > Alice ---| || |--- Bob > > Alice ---| | +--| | > > +---+ | +---+ > > Bob -+ > > > > The main benefit of PayJoin-with-CoinSwap is it breaks the > common-input-ownership heuristic, which is a major widely used > heuristic. It would be a big win if that heuristic could be broken. > > PayJoin-with-CoinSwap would be useful if Alice is trying to recover some > privacy which was previously degraded, for example if she is spending > from a reused address or from an address linked to her identity. If she > does a PayJoin with the reused address then some other economic entity > would have his activity linked with Alice's. > > Just the fact that PayJoin-with-CoinSwap exists would improve privacy > for people who don't use it, for example if someone buys bitcoin from an > exchange that knows their identity and then co-spends it with other > coins they obtained another way. The fact that PayJoin exists means an > adversary cannot assume for sure that this user really owns that other > address which was co-spent. This doesn't apply for regular CoinSwap, > which only ever breaks the transaction graph heuristic, so in our > example the destination the coins are sent to would be uncertain, but > that the co-spent inputs are owned by the same person would be certain > in a world where PayJoin didn't exist. Alice can do PayJoin with a payee Carol that supports normal PayJoin, for similar overall results. Though I suppose there is a mild advantage still with supporting it on the funding tx of the first transaction, as you noted. > > But S6 has the mild advantage that all the funding transactions paying to > > 2-of-2s can appear on the same block, whereas chaining swaps will have a > > particular order of when the transactions appear onchain, which might be > > used to derive the order of swaps. > > On the other hand, funds claiming in S6 is also ordered in time, so > someone paying attention to the mempool could guess as well the order of > swaps. > > I think this is wrong, and that it's possible for the funding > transactions of chained/routed swaps to all be in the same block as well. > > In CoinSwap it's possible to get DOS'd without the other side spending > money if you broadcast your funding transaction first and the other side > simply disappears. You'd get your money back but you have to waste time > and spend miner fees. The other side didn't spend money to do this, not > even miner fees. > > From the point of view of us as a maker in the route, we know we won't > get DOS'd like this for free if we only broadcast our funding > transaction once we've seen the other side's funding transaction being > broadcast first. This should work as long as the two transactions have a > similar fee rate. There might be an attack involving hash power: If the > other side has a small amount of hash power and mines only their funding > transaction in a manner similar to a finney attack, then our funding > transaction should get mined very soon afterwards by another miner and > the protocol will continue as normal. If the other side has knowledge of > the preimage and uses it to do CPFP and take the money, then we can > learn that preimage and do our own CPFP to get our money back too. How about RBF? A taker Alice can broadcast the funding tx spending its own funds. The funding tx spends funds controlled unilaterally by Alice. Alice can sign a replacement transaction for those funds, spending them to an address with unilateral control, and making the funding tx output with all the obligations attached never get confirmed in the first place. The chances may be small --- Bob can certainly monitor for Alice broadcasting a replacement and counter-broadcast its own replacement --- but the risk still exists. TANSTAAGM (There Aint No Such Thing As A Global Mempool) also means Alice could arrange the replacement by other means, such as not using the RBF-enabled flag, broadcasting the self-paying replacement near miner nodes, and broadcasting the CoinSwap-expected funding tx near the Bob fullnode; Bob fullnode will then reject attempts to replace it, but miners will also reject the CoinSwap-expected funding tx and it will not confirm anyway. With the pre-SAS 4-tx setup, this potentially allows Alice to steal the funds of Bob; after Alice gets its funding-tx-replacement confirmed together with the Bob honest-funding-tx, Alice can use the contract transaction and publish the preimage to take the Bob funds. Since the Alice-side funding tx
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Hello ZmnSCPxj, On 31/05/2020 03:30, ZmnSCPxj via bitcoin-dev wrote: > Good morning Ruben and Chris, > I am not in fact convinced that PayJoin-with-CoinSwap adds *that* much > privacy. > > These transactions: > > +---+ +---+ > Alice ---| |--| |--- Bob > Alice ---| | | | > Bob ---| | +---+ > +---+ > > Are not really much different in coin ownership analysis from these: > > +---++---+ > Alice ---| || |--- Bob > Alice ---| | +--| | > +---+ | +---+ > Bob -+ The main benefit of PayJoin-with-CoinSwap is it breaks the common-input-ownership heuristic, which is a major widely used heuristic. It would be a big win if that heuristic could be broken. PayJoin-with-CoinSwap would be useful if Alice is trying to recover some privacy which was previously degraded, for example if she is spending from a reused address or from an address linked to her identity. If she does a PayJoin with the reused address then some other economic entity would have his activity linked with Alice's. Just the fact that PayJoin-with-CoinSwap exists would improve privacy for people who don't use it, for example if someone buys bitcoin from an exchange that knows their identity and then co-spends it with other coins they obtained another way. The fact that PayJoin exists means an adversary cannot assume for sure that this user really owns that other address which was co-spent. This doesn't apply for regular CoinSwap, which only ever breaks the transaction graph heuristic, so in our example the destination the coins are sent *to* would be uncertain, but that the co-spent inputs are owned by the same person would be certain in a world where PayJoin didn't exist. > It also removes the need for Bob to reveal additional UTXOs to Alice during > the swap protocol; yes PoDLE mitigates the privacy probing attack that Alice > can mount on Bob, but it is helpful to remember this is "only" a mitigation. Opening up the possibility of spying for free is a real downside for PayJoin-with-CoinSwap. Using decoy UTXOs as described in my design document, rather than PoDLE, seems like a better way of resisting these attacks. This is because at the cost of a little bit more bandwidth and CPU its possible to make the probability of an attacker successfully guessing the maker's real UTXOs to be as low as you want. > But S6 has the mild advantage that all the funding transactions paying to > 2-of-2s *can* appear on the same block, whereas chaining swaps will have a > particular order of when the transactions appear onchain, which might be used > to derive the order of swaps. On the other hand, funds claiming in S6 is also ordered in time, so someone paying attention to the mempool could guess as well the order of swaps. I think this is wrong, and that it's possible for the funding transactions of chained/routed swaps to all be in the same block as well. In CoinSwap it's possible to get DOS'd without the other side spending money if you broadcast your funding transaction first and the other side simply disappears. You'd get your money back but you have to waste time and spend miner fees. The other side didn't spend money to do this, not even miner fees. >From the point of view of us as a maker in the route, we know we won't get DOS'd like this for free if we only broadcast our funding transaction once we've seen the other side's funding transaction being broadcast first. This should work as long as the two transactions have a similar fee rate. There might be an attack involving hash power: If the other side has a small amount of hash power and mines only their funding transaction in a manner similar to a finney attack, then our funding transaction should get mined very soon afterwards by another miner and the protocol will continue as normal. If the other side has knowledge of the preimage and uses it to do CPFP and take the money, then we can learn that preimage and do our own CPFP to get our money back too. So in a routed coinswap setup it should be possible for Alice the taker to broadcast her funding transaction first, which will lead to all the makers broadcasting their funding transactions as well once they see the other side has broadcast first. Then it would be possible for all those funding transactions to be confirmed in the same block. I hope I haven't missed anything, because if this doesn't work and each maker must wait for confirmations, then the UX of routed CoinSwap would degrade: a CoinSwap route of 5 makers would require at least 5 blocks to be mined. Of course this setup can leak the ordering of the routes because the funding transaction would appear in the mempool in that order, but this could be beaten if some Alices choose to intentionally spread out the funding transaction broadcasts among multiple blocks for privacy reasons. An interesting tangent could be to see if it's possible to make private key
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Hi ZmnSCPxj, >If Alice is paying to a non-SAS aware payee Yeah, I agree that this use case is not possible without a third transaction (preferably from the timelocked side, in the case of SAS). My point was merely that you can swap and simultaneously merge some of your outputs into the post-swap non-timelocked output, though perhaps that is not very useful. Cheers, Ruben On Mon, Jun 1, 2020 at 4:34 AM ZmnSCPxj wrote: > Good morning Ruben, > > > > > > That assumes there will be a second transaction. With SAS I believe we > can avoid that, and make it look like this: > > > > +---+ > > Alice ---| |--- Bob > > Alice ---| | > > Bob ---| | > > +---+ > > If Alice is paying to a non-SAS aware payee that just provides an onchain > address (i.e. all current payees today), then the 2-of-2 output it gets > from the swap (both of whose keys it learns at the end of the swap) is > **not** the payee onchain address. > And it cannot just hand over both private keys, because the payee will > still want unambiguous ownership of the entire UTXO. > So it needs a second transaction anyway. > (with Schnorr then Alice and payee Carol can act as a single entity/taker > to Bob, a la Lightning Nodelets using Composable MuSig, but that is a > pretty big increase in protocol complexity) > > If Alice does not want to store the remote-generated privkey as well, and > use only an HD key, then it also has to make the second transaction. > Alice might want to provide the same assurances as current wallets that > memorizing a 12-word or so mnemonic is sufficient backup for all the funds > (other than funds currently being swapped), and so would not want to leave > any funds in a 2-of-2. > > If Bob is operating as a maker, then it also cannot directly use the > 2-of-2 output it gets from the swap, and has to make a new 2-of-2 output, > for the *next* taker that arrives to request its services. > > So there is always going to be a second transaction in a SwapMarket > system, I think. > > > What SAS / private key turnover gets us is that there is not a *third* > transaction to move from a 1-of-1 to the next address that makers and > takers will be moving anyway, and that the protocol does not have to add > communication provisions for special things like adding maker inputs or > specifying all destination addresses for the second stage and so on, > because those can be done unilaterally once the private key is turned over. > > > > >A thing I have been trying to work out is whether SAS can be done with > more than one participant, like in S6 > > > > S6 requires timelocks for each output in order to function, so I doubt > it can be made to work with SAS. > > Hmmm right right. > > Naively it seems both chaining SAS/private key turnover to multiple > makers, and a multi-maker S6 augmented with private key turnover, would > result in the same number of transactions onchain, but I probably have to > go draw some diagrams or something first. > > But S6 has the mild advantage that all the funding transactions paying to > 2-of-2s *can* appear on the same block, whereas chaining swaps will have a > particular order of when the transactions appear onchain, which might be > used to derive the order of swaps. > On the other hand, funds claiming in S6 is also ordered in time, so > someone paying attention to the mempool could guess as well the order of > swaps. > > > Regards, > ZmnSCPxj > ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Good morning Ruben, > > That assumes there will be a second transaction. With SAS I believe we can > avoid that, and make it look like this: > > +---+ > Alice ---| |--- Bob > Alice ---| | > Bob ---| | > +---+ If Alice is paying to a non-SAS aware payee that just provides an onchain address (i.e. all current payees today), then the 2-of-2 output it gets from the swap (both of whose keys it learns at the end of the swap) is **not** the payee onchain address. And it cannot just hand over both private keys, because the payee will still want unambiguous ownership of the entire UTXO. So it needs a second transaction anyway. (with Schnorr then Alice and payee Carol can act as a single entity/taker to Bob, a la Lightning Nodelets using Composable MuSig, but that is a pretty big increase in protocol complexity) If Alice does not want to store the remote-generated privkey as well, and use only an HD key, then it also has to make the second transaction. Alice might want to provide the same assurances as current wallets that memorizing a 12-word or so mnemonic is sufficient backup for all the funds (other than funds currently being swapped), and so would not want to leave any funds in a 2-of-2. If Bob is operating as a maker, then it also cannot directly use the 2-of-2 output it gets from the swap, and has to make a new 2-of-2 output, for the *next* taker that arrives to request its services. So there is always going to be a second transaction in a SwapMarket system, I think. What SAS / private key turnover gets us is that there is not a *third* transaction to move from a 1-of-1 to the next address that makers and takers will be moving anyway, and that the protocol does not have to add communication provisions for special things like adding maker inputs or specifying all destination addresses for the second stage and so on, because those can be done unilaterally once the private key is turned over. > >A thing I have been trying to work out is whether SAS can be done with more > >than one participant, like in S6 > > S6 requires timelocks for each output in order to function, so I doubt it can > be made to work with SAS. Hmmm right right. Naively it seems both chaining SAS/private key turnover to multiple makers, and a multi-maker S6 augmented with private key turnover, would result in the same number of transactions onchain, but I probably have to go draw some diagrams or something first. But S6 has the mild advantage that all the funding transactions paying to 2-of-2s *can* appear on the same block, whereas chaining swaps will have a particular order of when the transactions appear onchain, which might be used to derive the order of swaps. On the other hand, funds claiming in S6 is also ordered in time, so someone paying attention to the mempool could guess as well the order of swaps. Regards, ZmnSCPxj ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Hi ZmnSCPxj, >Just to be clear, you mean we can use the MuSig key-combination protocol for the non-timelocked SAS output, but (of course) not the signing protocol which is inherently Schnorr. Then knowledge of both of the original private keys is enough to derive the single combined private key. That's correct. >basically private key handover gets us PayJoin for free That assumes there will be a second transaction. With SAS I believe we can avoid that, and make it look like this: +---+ Alice ---| |--- Bob Alice ---| | Bob ---| | +---+ This is basically what I was trying to explain in my previous email: "I believe PayJoin can also be applied to the non-timelocked side. This does require adding a transaction that undoes the PayJoin in case the swap gets aborted, which means MuSig can't be used. Everything else stays the same: only one tx if successful, and no timelock (= instant settlement)" I don't have a strong opinion on whether it is actually useful to combine CoinSwap with PayJoin. >A thing I have been trying to work out is whether SAS can be done with more than one participant, like in S6 S6 requires timelocks for each output in order to function, so I doubt it can be made to work with SAS. I've also tried applying SAS to partially blind swaps and ran into likability issues, though it's less clear to me whether there is some fundamental reason why it couldn't work there. Cheers, Ruben On Sun, May 31, 2020 at 4:31 AM ZmnSCPxj wrote: > Good morning Ruben and Chris, > > > >For a much greater anonymity set we can use 2-party ECDSA to create > 2-of-2 multisignature addresses that look the same as regular > single-signature addresses > > > > This may perhaps be counter-intuitive, but SAS doesn't actually require > multisig for one of the two outputs, so a single key will suffice. ECDSA is > a signing algorithm that doesn't support single key multisig (at least not > without 2p-ECDSA), but notice how for the non-timelocked SAS output we > never actually have to sign anything together with the other party. We swap > one of the two keys, and the final owner will create a signature completely > on their own. No multisig required, which means we can simply use MuSig, > even today without Schnorr. > > Just to be clear, you mean we can use the MuSig key-combination protocol > for the non-timelocked SAS output, but (of course) not the signing protocol > which is inherently Schnorr. > > Then knowledge of both of the original private keys is enough to derive > the single combined private key. > > > Of course the other output will still have to be a 2-of-2, for which you > rightly note 2p-ECDSA could be considered. It may also be interesting to > combine a swap with the opening of a Lightning channel. E.g. Alice and Bob > want to open a channel with 1 BTC each, but Alice funds it in her entirety > with 2 BTC, and Bob gives 1 BTC to Alice in a swap. This makes it difficult > to tell Bob entered the Lightning Network, especially if the channel is > opened in a state that isn't perfectly balanced. And Alice will gain an > uncorrelated single key output. > > Dual-funding could be done by a single-funding Lightning open followed by > an onchain-to-offchain swap. > Though the onchain swap would have to be done, at least currently, with > hashes. > > > >=== PayJoin with CoinSwap === > > > > While it's probably clear how to do it on the timelocked side of SAS, I > believe PayJoin can also be applied to the non-timelocked side. This does > require adding a transaction that undoes the PayJoin in case the swap gets > aborted, which means MuSig can't be used. Everything else stays the same: > only one tx if successful, and no timelock (= instant settlement). I can > explain it in detail, if it happens to catch your interest. > > I am not in fact convinced that PayJoin-with-CoinSwap adds *that* much > privacy. > > These transactions: > > +---+ +---+ > Alice ---| |--| |--- Bob > Alice ---| | | | > Bob ---| | +---+ > +---+ > > Are not really much different in coin ownership analysis from these: > > +---++---+ > Alice ---| || |--- Bob > Alice ---| | +--| | > +---+ | +---+ > Bob -+ > > The latter is possible due to private key handover, the intermediate > output becomes owned solely by Bob and Bob can add many more inputs to that > second transaction unilaterally for even greater confusion to chain > analysis, basically private key handover gets us PayJoin for free. > It also removes the need for Bob to reveal additional UTXOs to Alice > during the swap protocol; yes PoDLE mitigates the privacy probing attack > that Alice can mount on Bob, but it is helpful to remember this is "only" a > mitigation. > > Now of course things are different if Alice is paying some exact amount to > Carol, and Alice wants to dissociate her funds from the payment. > The difference
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Good morning Ruben and Chris, > >For a much greater anonymity set we can use 2-party ECDSA to create 2-of-2 > >multisignature addresses that look the same as regular single-signature > >addresses > > This may perhaps be counter-intuitive, but SAS doesn't actually require > multisig for one of the two outputs, so a single key will suffice. ECDSA is a > signing algorithm that doesn't support single key multisig (at least not > without 2p-ECDSA), but notice how for the non-timelocked SAS output we never > actually have to sign anything together with the other party. We swap one of > the two keys, and the final owner will create a signature completely on their > own. No multisig required, which means we can simply use MuSig, even today > without Schnorr. Just to be clear, you mean we can use the MuSig key-combination protocol for the non-timelocked SAS output, but (of course) not the signing protocol which is inherently Schnorr. Then knowledge of both of the original private keys is enough to derive the single combined private key. > Of course the other output will still have to be a 2-of-2, for which you > rightly note 2p-ECDSA could be considered. It may also be interesting to > combine a swap with the opening of a Lightning channel. E.g. Alice and Bob > want to open a channel with 1 BTC each, but Alice funds it in her entirety > with 2 BTC, and Bob gives 1 BTC to Alice in a swap. This makes it difficult > to tell Bob entered the Lightning Network, especially if the channel is > opened in a state that isn't perfectly balanced. And Alice will gain an > uncorrelated single key output. Dual-funding could be done by a single-funding Lightning open followed by an onchain-to-offchain swap. Though the onchain swap would have to be done, at least currently, with hashes. > >=== PayJoin with CoinSwap === > > While it's probably clear how to do it on the timelocked side of SAS, I > believe PayJoin can also be applied to the non-timelocked side. This does > require adding a transaction that undoes the PayJoin in case the swap gets > aborted, which means MuSig can't be used. Everything else stays the same: > only one tx if successful, and no timelock (= instant settlement). I can > explain it in detail, if it happens to catch your interest. I am not in fact convinced that PayJoin-with-CoinSwap adds *that* much privacy. These transactions: +---+ +---+ Alice ---| |--| |--- Bob Alice ---| | | | Bob ---| | +---+ +---+ Are not really much different in coin ownership analysis from these: +---++---+ Alice ---| || |--- Bob Alice ---| | +--| | +---+ | +---+ Bob -+ The latter is possible due to private key handover, the intermediate output becomes owned solely by Bob and Bob can add many more inputs to that second transaction unilaterally for even greater confusion to chain analysis, basically private key handover gets us PayJoin for free. It also removes the need for Bob to reveal additional UTXOs to Alice during the swap protocol; yes PoDLE mitigates the privacy probing attack that Alice can mount on Bob, but it is helpful to remember this is "only" a mitigation. Now of course things are different if Alice is paying some exact amount to Carol, and Alice wants to dissociate her funds from the payment. The difference is then: +---++---+ Alice ---| || |--- Bob Alice ---| |--+ | | Bob ---| | | +---+ +---+ +- Alice Change +---++---+ Bob ---| || |--- Carol | |--+ +---+ +---+ | +- Bob Change Versus: +---++---+ Alice ---| || |--- Bob Alice ---| | +--| | +---+ | +---+ Bob -+ +---++---+ Bob ---| || |--- Carol | |--+ | |--- Alice Change +---+ | +---+ +- Bob Change In the above, with PayJoin on the first-layer transaction, the Alice Change is correlated with Alice and Bob inputs, whereas with the PayJoin on the second the Alice change is correlated with Bob inputs and Carol outputs. But if Alice, using commodity CoinSwap wallets, always has a policy that all sends are via CoinSwap (a reasonable policy, similar to the policy in JoinMarket of ensuring that all spends out of the wallet are via CoinJoin), then the above two trees are not much different for Alice in practice. The Alice Change will be swapped with some other maker anyway when it gets spent, so what it correlates with will not be much of a problem for Alice. At the same time, with PayJoin on the second-layer transaction (possible due to private key turnover, which is an inherent part of the SAS protocol): * Bob does not have to reveal any other coins it owns to Alice other than what it is directly
Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility
Hey Chris, Excellent write-up. I learned a few new things while reading this (particularly how to overcome the heuristics for address reuse and address types), so thank you for that. I have a few thoughts about how what you wrote relates to Succinct Atomic Swaps (SAS)[0]. Perhaps it's useful. >For a much greater anonymity set we can use 2-party ECDSA to create 2-of-2 multisignature addresses that look the same as regular single-signature addresses This may perhaps be counter-intuitive, but SAS doesn't actually require multisig for one of the two outputs, so a single key will suffice. ECDSA is a signing algorithm that doesn't support single key multisig (at least not without 2p-ECDSA), but notice how for the non-timelocked SAS output we never actually have to sign anything together with the other party. We swap one of the two keys, and the final owner will create a signature completely on their own. No multisig required, which means we can simply use MuSig, even today without Schnorr. Of course the other output will still have to be a 2-of-2, for which you rightly note 2p-ECDSA could be considered. It may also be interesting to combine a swap with the opening of a Lightning channel. E.g. Alice and Bob want to open a channel with 1 BTC each, but Alice funds it in her entirety with 2 BTC, and Bob gives 1 BTC to Alice in a swap. This makes it difficult to tell Bob entered the Lightning Network, especially if the channel is opened in a state that isn't perfectly balanced. And Alice will gain an uncorrelated single key output. As a side note, we could use the same MuSig observation on 2-of-2 outputs that need multisig by turning the script into (A & B) OR MuSig(A,B), which would shave off quite a few bytes by allowing single sig spending once the private key is handed over, but this would also make the output stick out like a sore thumb... Only useful if privacy is not a concern. >=== Multi-transaction CoinSwaps to avoid amount correlation === This can apply cleanly to SAS, and can even be done without passing on any extra secrets by generating a sharedSecret (Diffie-Hellman key exchange). Non-timelocked: CoinSwap AddressB = aliceSecret + bobSecret CoinSwap AddressC = aliceSecret + bobSecret + hash(sharedSecret,0)*G CoinSwap AddressD = aliceSecret + bobSecret + hash(sharedSecret,1)*G The above is MuSig compatible (single key outputs), there are no timelocks to worry about, and the addresses cannot be linked on-chain. >they would still need to watch the chain and respond in case a hash-time-locked contract transaction is broadcasted Small detail, but it should be noted that this would require the atomic swap to be set up in a specific way with relative timelocks. >=== PayJoin with CoinSwap === While it's probably clear how to do it on the timelocked side of SAS, I believe PayJoin can also be applied to the non-timelocked side. This does require adding a transaction that undoes the PayJoin in case the swap gets aborted, which means MuSig can't be used. Everything else stays the same: only one tx if successful, and no timelock (= instant settlement). I can explain it in detail, if it happens to catch your interest. Cheers, Ruben [0] Succinct Atomic Swaps (SAS) https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-May/017846.html On Mon, May 25, 2020 at 3:21 PM Chris Belcher via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > === Abstract === > > Imagine a future where a user Alice has bitcoins and wants to send them > with maximal privacy, so she creates a special kind of transaction. For > anyone looking at the blockchain her transaction appears completely > normal with her coins seemingly going from address A to address B. But > in reality her coins end up in address Z which is entirely unconnected > to either A or B. > > Now imagine another user, Carol, who isn't too bothered by privacy and > sends her bitcoin using a regular wallet which exists today. But because > Carol's transaction looks exactly the same as Alice's, anybody analyzing > the blockchain must now deal with the possibility that Carol's > transaction actually sent her coins to a totally unconnected address. So > Carol's privacy is improved even though she didn't change her behaviour, > and perhaps had never even heard of this software. > > In a world where advertisers, social media and other companies want to > collect all of Alice's and Carol's data, such privacy improvement would > be incredibly valuable. And also the doubt added to every transaction > would greatly boost the fungibility of bitcoin and so make it a better > form of money. > > This undetectable privacy can be developed today by implementing > CoinSwap, although by itself that isn't enough. There must be many > building blocks which together make a good system. The software could be > standalone as a kind of bitcoin mixing app, but it could also be a > library that existing wallets can implement allowing their users to send > Bitcoin
