Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-19 Thread Jonas Nick via bitcoin-dev
> [...] we can use 2-party ECDSA to create 2-of-2 multisignature addresses that
> look the same as regular single-signature addresses[2]. Even the old-style
> p2pkh addresses starting with 1 can be CoinSwap addresses.

Probably worth considering that p2pkh, p2wpkh and p2sh are vulnerable to the
(well-known) birthday attack with 2^80 operations on average if they encode a
multisig policy [0]. This is a large number but not the security margin we are
used to.

It is possible to reduce the feasibility of the attack by requiring 2^80
interactions instead of purely offline operations. This works by adding a
commitment round for all public keys involved in the policy. Now in order to
test whether a public key results in a collision, the attacker must first engage
in a commitment protocol with that public key. The "Fast Secure Two-Party ECDSA
Signing" protocol by Lindell [1] already has such a commitment round (for
reasons unrelated to Bitcoin). For example, the Gotham City two-party ECDSA
wallet [2] has this security model because it builds on the Lindell scheme and
uses p2sh-p2wpkh.

[0] https://bitcoin.stackexchange.com/questions/54841/birthday-attack-on-p2sh
[1] https://eprint.iacr.org/2017/552.pdf
[2] https://github.com/KZen-networks/gotham-city


On 5/25/20 1:21 PM, Chris Belcher via bitcoin-dev wrote:
> === Abstract ===
> 
> Imagine a future where a user Alice has bitcoins and wants to send them
> with maximal privacy, so she creates a special kind of transaction. For
> anyone looking at the blockchain her transaction appears completely
> normal with her coins seemingly going from address A to address B. But
> in reality her coins end up in address Z which is entirely unconnected
> to either A or B.
> 
> Now imagine another user, Carol, who isn't too bothered by privacy and
> sends her bitcoin using a regular wallet which exists today. But because
> Carol's transaction looks exactly the same as Alice's, anybody analyzing
> the blockchain must now deal with the possibility that Carol's
> transaction actually sent her coins to a totally unconnected address. So
> Carol's privacy is improved even though she didn't change her behaviour,
> and perhaps had never even heard of this software.
> 
> In a world where advertisers, social media and other companies want to
> collect all of Alice's and Carol's data, such privacy improvement would
> be incredibly valuable. And also the doubt added to every transaction
> would greatly boost the fungibility of bitcoin and so make it a better
> form of money.
> 
> This undetectable privacy can be developed today by implementing
> CoinSwap, although by itself that isn't enough. There must be many
> building blocks which together make a good system. The software could be
> standalone as a kind of bitcoin mixing app, but it could also be a
> library that existing wallets can implement allowing their users to send
> Bitcoin transactions with much greater privacy.
> 
> == CoinSwap ==
> 
> Like CoinJoin, CoinSwap was invented in 2013 by Greg Maxwell[1]. Unlike
> CoinJoin it is relatively complicated to implement and so far has not
> been deployed. But the idea holds great promise, and fixes many of the
> problems of some kinds of CoinJoins. CoinSwap is the next step for
> on-chain bitcoin privacy.
> 
> CoinSwap is a way of trading one coin for another coin in a
> non-custodial way. It is closely related to the idea of an atomic swap.
> Alice and Bob can trade coins with each other by first sending to a
> CoinSwap address and having those coins then sent to Bob:
> 
> Alice's Address 1 > CoinSwap Address 1 > Bob's Address 1
> 
> An entirely separate set of transactions gives Bob's coins to Alice in
> return:
> 
> Bob's Address 2 > CoinSwap Address 2 > Alice's Address 2
> 
> Where the symbol > is a bitcoin transaction.
> 
> Privacy is improved because an observer of the blockchain cannot link
> Alice's Address 1 to Alice's Address 2, as there is no transaction
> between them. Alice's Address 2 could either be an address in Alice's
> wallet, or the address of someone else she wants to transfer money to.
> CoinSwap therefore breaks the transaction graph heuristic, which is the
> assumption that if a transaction A -> B is seen then the ownership of
> funds actually went from A to B.
> 
> CoinSwap doesnt break any of bitcoin's assumptions or features like an
> auditable supply or pruning. It can be built on today's bitcoin without
> any new soft forks.
> 
> CoinSwap can't improve privacy much on its own, so it requires other
> building block to create a truly private system.
> 
> === ECDSA-2P ===
> 
> The original CoinSwap idea uses 2-of-2 multisig. We can get a slightly
> bigger anonymity set by using 2-of-3 multisigs with a fake third public
> key. For a much greater anonymity set we can use 2-party ECDSA to create
> 2-of-2 multisignature addresses that look the same as regular
> single-signature addresses[2]. Even the old-style p2pkh addresses
> starting 

Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-10 Thread Chris Belcher via bitcoin-dev
Hello ZmnSCPxj,

On 10/06/2020 11:58, ZmnSCPxj wrote:
> Good morning Chris,
> 
>>> Let me propose an alternative: swap-on-receive+swap-on-change.
>>
>> That's an interesting point, thanks for the thought. This scheme might
>> not be appropriate for every threat model and use case.
>> For example, if someone wants to use bitcoin just as a foreign currency
>> for its privacy and censorship-resistant properties. So for example if
>> they want to pay for a VPN anonymously, so they buy bitcoins and
>> immediately send all of them to the VPN merchant. The swap-on-receive
>> wouldn't be appropriate for them because they'll be doing a coinswap
>> straight away to the VPN merchant. So perhaps this plan could be an
>> optional mode of operation (which may or may not be the default). The
>> scheme obviously is useful when bitcoin is being used more as a
>> day-to-day money.
> 
> 
> No, I think you misunderstand my proposal.
> 
> If the user is doing swap-on-receive, the user already has an anonymous UTXO, 
> they can just transfer it directly in full to the VPN without using a 
> CoinSwap.
> 
> The number of CoinSwaps involved is the same: one.
> 
> So the difference is:
> 
> * swap-on-receive:
>   * I get some coins from an exchange, giving them my contact information and 
> bank information and all the places I have ever inhabited in my entire 
> existence and an unfertilized egg sample and an archive of my diary and let 
> them invasively scan my cognitive substrate.
>   * I send the coins to my CoinSwap wallet.
>   * The CoinSwap wallet automaticaly CoinSwaps the coins into a new UTXO.
> * One CoinSwap.
>   * I tell the CoinSwap wallet to send it all to the VPN.
> * My CoinSwap wallet knows my coins are already cleaned, so it creates a 
> plain 1-input 1-output transaction directly to the VPN address.
> 
> * swap-on-pay:
>   * I get some coins from an exchange, giving them my contact information and 
> bank information and all the places I have ever inhabited in my entire 
> existence and an unfertilized egg sample and an archive of my diary and let 
> them invasively scan my cognitive substrate.
>   * I send the coins to my CoinSwap wallet.
>   * I tell the CoinSwap wallet to send it all to the VPN.
> * My CoinSwap wallet automatically arranges a CoinSwap into the VPN 
> address.
>   * One CoinSwap.
> 
> So in both cases the same expected number of CoinSwaps is done, i.e. one.
> 
> Note that there are still details like how much onchain fees are and how much 
> CoinSwap maker fees are and etc etc but they exist for both flows anyway.
> So I would still be buying slightly more than my target amount, and if there 
> is any change I could just designate it to be added to the mining fees or a 
> donation to ZmnSCPxj, because ZmnSCPxj is so awesome.
> 
> What swap-on-receive+swap-on-change instead does is just amortize the timing 
> of the CoinSwaps, so that you CoinSwap as soon as you receive, instead of as 
> soon as you have to pay, so that sending payments is as fast as non-CoinSwap 
> onchain wallets.
> 
> 
> Regards,
> ZmnSCPxj
> 

Right, I get it. Good explanation.

In your swap-on-receive example the exchange also can't tell how long
your coins remain unspent in your wallet, which they could in
swap-on-pay. This is very useful information for an exchange because it
tells them about what hodlers are doing, and they might trade against
them. (e.g. opening big short positions right after they see many long
term hodl'd coins being moved)

___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-10 Thread Chris Belcher via bitcoin-dev
Hello Lee,

Thanks for the review.

On 10/06/2020 01:43, Mr. Lee Chiffre wrote:
> 
>>
>> === Combining multi-transaction with routing ===
>>
>> Routing and multi-transaction must be combined to get both benefits. If
>> Alice owns multiple UTXOs (of value 6 BTC, 8 BTC and 1 BTC) then this is
>> easy with this configuration:
>>
>>  Alice
>> (6 BTC) (8 BTC) (1 BTC)
>>|   |   |
>>|   |   |
>>v   v   v
>>   Bob
>> (5 BTC) (5 BTC) (5 BTC)
>>|   |   |
>>|   |   |
>>v   v   v
>> Charlie
>> (9 BTC) (5 BTC) (1 BTC)
>>|   |   |
>>|   |   |
>>v   v   v
>> Dennis
>> (7 BTC) (4 BTC) (4 BTC)
>>|   |   |
>>|   |   |
>>v   v   v
>>  Alice
>>
> 
> 
> 
> 
> 
> 
> Great work Chris and you have my respects for your contributions to
> Bitcoin. A concern I have with bitcoin is scalability and privacy. Both
> are important. The reasons people bash on Monero is also the same issue
> Bitcoin has. The very large transaction size to achieve acceptable privacy
> on a distributed financial network. Im not shilling Monero here. I am only
> saying that bitcoin transactions with similar privacy properties are at
> least equally as large as Monero transactions. Coinjoin on Monero can be
> compared to ring signatures in Monero from the view of using decoys to
> help conceal the source. From this proposal is this to say that
> transactions will be at least 12 times larger in size to achieve the
> property of privacy that bitcoin is currently missing?
> 
> Another thing to consider is that if coinswaps cannot be sent as a payment
> then a coinswap needs to take place after every transaction to keep the
> privacy and unlinkability from your other bitcoin transactions.
> 
> I always thought that CoinSwap would be and is a very much needed thing
> that needs developed. The ability to swap coins with other people in a
> trustless way and way that is not linkable to the public blockchain. But
> how can this be scalable at all with the multiple branches and layers?
> This is a good idea in theory but my concern would be the scalability
> issues this creates.
> 
> Do you have any comments on this?
> Thank you
> 

You are right to be concerned about scalability.

Here's a few of my thoughts on this:

An issue with Monero (or any cryptocurrency based on the ring signature
input signing scheme) isn't just that transactions are bigger in bytes.
Monero full nodes can't know when a TXO has been spent, so pruning is
impossible in Monero and the list of TXOs perpetually grows, this is
unlike in bitcoin where full nodes know if a UTXO has been spent and so
can delete it in pruning. The storage space needed for Bitcoin's UTXO
set sometimes actually gets smaller.

Note that Monero software actually has a feature called "pruning" so
sometimes the terminology gets confused when people say "wait, Monero
_does_ have pruning". But this pruning doesn't do the same thing as
Bitcoin's pruning, the disk space still grows as O(TXOcount) which is
much faster compared to Bitcoin's O(UTXOcount).

And when designing this CoinSwap system I've been careful to make sure
it doesn't break pruning (or other resources saving features, for
example CoinSwap can be made to work with the blocksonly feature of
Bitcoin Core). So bitcoin-with-CoinSwap's scalability isnt anywhere near
as bad as Monero's.

You're right to talk about decoys. Decoys are not a good way to obtain
privacy because they can be broken by repeated interactions.. I really
like this talk about why decoys are not a good solution to privacy in
many cases:

talk: https://www.youtube.com/watch?v=YgtF7psIKWg=youtu.be=3701
transcript:
https://tokyo2018.scalingbitcoin.org/transcript/tokyo2018/how-much-privacy-is-enough

Equal-output CoinJoins also work with decoys. Like in JoinMarket you
could analyze those CoinJoins to say that the inputs and outputs of the
makers in a CoinJoin are actually just decoys. Fixed-denomination
CoinJoins like in Wasabi or Samourai also use much more block space
because of the reduced divisibility, for example Wasabi coinjoins can
only be done with about 0.1 BTC, so if you want to mix 1 BTC then you
have to do 10 such CoinJoins, costing 10 times the block space.

CoinSwap doesn't work by adding decoys, it improves privacy in the same
way as Lightning: by moving information off-chain.

You could perhaps analyze CoinSwap as using decoys if you say that the
decoys are almost every other bitcoin transaction happening on the
blockchain, and that can be almost as big as you want. One full block
has about 3000 outputs, so if you wait a day between the CoinSwap
funding and spending transactions then that's 144*3000 = 432000 decoys
(this calculation is simplified, but it's a good starting point). If
CoinJoin or Monero transactions had that 

Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-10 Thread ZmnSCPxj via bitcoin-dev
Good morning Chris,

> > Let me propose an alternative: swap-on-receive+swap-on-change.
>
> That's an interesting point, thanks for the thought. This scheme might
> not be appropriate for every threat model and use case.
> For example, if someone wants to use bitcoin just as a foreign currency
> for its privacy and censorship-resistant properties. So for example if
> they want to pay for a VPN anonymously, so they buy bitcoins and
> immediately send all of them to the VPN merchant. The swap-on-receive
> wouldn't be appropriate for them because they'll be doing a coinswap
> straight away to the VPN merchant. So perhaps this plan could be an
> optional mode of operation (which may or may not be the default). The
> scheme obviously is useful when bitcoin is being used more as a
> day-to-day money.


No, I think you misunderstand my proposal.

If the user is doing swap-on-receive, the user already has an anonymous UTXO, 
they can just transfer it directly in full to the VPN without using a CoinSwap.

The number of CoinSwaps involved is the same: one.

So the difference is:

* swap-on-receive:
  * I get some coins from an exchange, giving them my contact information and 
bank information and all the places I have ever inhabited in my entire 
existence and an unfertilized egg sample and an archive of my diary and let 
them invasively scan my cognitive substrate.
  * I send the coins to my CoinSwap wallet.
  * The CoinSwap wallet automaticaly CoinSwaps the coins into a new UTXO.
* One CoinSwap.
  * I tell the CoinSwap wallet to send it all to the VPN.
* My CoinSwap wallet knows my coins are already cleaned, so it creates a 
plain 1-input 1-output transaction directly to the VPN address.

* swap-on-pay:
  * I get some coins from an exchange, giving them my contact information and 
bank information and all the places I have ever inhabited in my entire 
existence and an unfertilized egg sample and an archive of my diary and let 
them invasively scan my cognitive substrate.
  * I send the coins to my CoinSwap wallet.
  * I tell the CoinSwap wallet to send it all to the VPN.
* My CoinSwap wallet automatically arranges a CoinSwap into the VPN address.
  * One CoinSwap.

So in both cases the same expected number of CoinSwaps is done, i.e. one.

Note that there are still details like how much onchain fees are and how much 
CoinSwap maker fees are and etc etc but they exist for both flows anyway.
So I would still be buying slightly more than my target amount, and if there is 
any change I could just designate it to be added to the mining fees or a 
donation to ZmnSCPxj, because ZmnSCPxj is so awesome.

What swap-on-receive+swap-on-change instead does is just amortize the timing of 
the CoinSwaps, so that you CoinSwap as soon as you receive, instead of as soon 
as you have to pay, so that sending payments is as fast as non-CoinSwap onchain 
wallets.


Regards,
ZmnSCPxj
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-10 Thread Chris Belcher via bitcoin-dev
Good morning ZmnSCPxj,

On 06/06/2020 02:40, ZmnSCPxj wrote:
> Good morning Chris,
> 
>> I think I'm having trouble understanding this, does it work like this:
>>
>> Say we're in the 2-party coinswap case (Alice and Bob)
>>
>> We have Alice's funding transaction:
>> Alice UTXO ---> 2of2 multisig (Alice+Bob)
>>
>> And we have the regular contract transaction
>> 2of2 multisig (Alice+Bob) ---> Alice+timelock1 OR Bob+hashlock
>>
>> And you propose a second pre-signed transaction?
>> 2of2 multisig (Alice+Bob) ---> Bob+timelock2
> 
> No, it is:
> 
> 2of2 multisig (Alice+Bob) --(nLockTime=locktime1)-> Alice
> 
> The timelock is  imposed as a `nLockTime`, not as an `OP_CLTV` (so not in the 
> output of the tx, but part of the tx), and the backout returns the funds to 
> Alice, not sends it to Bob.
> This transaction is created *before* the contract transaction.
> 
> The order is:
> 
> * Create (but not sign) Alice funding tx (Alice --> Alice+Bob).
> * Create and sign Alice backout transaction (Alice+Bob 
> -(nLockTime=locktime1)-> Alice).
> * Create (but not sign) Bob funding tx (Bob --> Alice+Bob+sharedSecret).
> * Create and sign Bob backout transaction (Alice+Bob+sharedSecret 
> -(nLocktime=locktime2)-> Bob) where timelock2 < timelock1.
> * Sign and broadcast funding txes.
>   * At this point, even if Bob funding tx is confirmed but Alice funding tx 
> is not, Bob can recover funds with the backout, but Alice cannot steal the 
> funds (since there is no hashlock branch at this point).
> * When Alice funding tx is confirmed, create and sign contract transaction 
> (Alice+Bob --> Alice+timelock1 OR Bob+hashlock).
> * When Bob funding tx is confirmed and Bob has received the Alice contract 
> transaction, create and sign Bob contract transaction (Alice+Bob+sharedSecret 
> --> Bob+timelock2 OR Alice+hashlock).
> * Continue as normal.
> 
> In effect, the backout transaction creates a temporary Spilman unidirectional 
> time-bound channel.
> We just reuse the same timelock on the HTLC we expect to instantiate, as the 
> time bound of the Spilman channel; the timelock exists anyway, we might as 
> well reuse it for the Spilman.
> 
> Creation of the contract tx invalidates the backout tx (the backout tx is 
> `nLockTime`d, the contract tx has no such encumbrance), but the backout 
> allows Alice and Bob to fund their txes simultaneously without risk of race 
> loss.
> However, they do still have to wait for (deep) confirmation before signing 
> contract transactions, and Bob has to wait for the incoming contract 
> transaction as well before it signs its outgoing contract transaction.
> 
> The protocol is trivially extendable with more than one Bob.
> 
> The insight basically is that we can split CoinSwap into a "channel 
> establishment" phase and "HTLC forwarding" phase followed by "HTLC 
> resolution" and "private key handover".
> HTLC forwarding and HTLC resolution are "done offchain" in the channels, and 
> channel establishment can be done in any order, including reverse.
> 
> Indeed, the Spilman channel need not have the same timelock as the HTLC it 
> will eventually host: it could have a shorter timelock, since the contract 
> transaction has no `nLockTime` it can be instantiated (with loss of privacy 
> due to the nonstandard script) before the Spilman timeout.
> 
> Regards,
> ZmnSCPxj
> 

Thanks for the explanation. I understand now, and I understand how this
makes it possible for all funding transactions in a coinswap route to be
confirmed in the same block.

However, I think this also breaks private key handover. Here's why:

Recall that in a Alice/Bob coinswap we have two funding transactions
(Alice --> multisig(Alice, Bob) and Bob --> multisig(Bob,Alice)), and
two contract transactions (multisig(Alice, Bob) -->
Alice+OP_CSV_timelock OR Bob+hashlock and multisig(Bob,Alice -->
Bob+OP_CSV_timelock OR Alice+hashlock). After the hashlock preimage
becomes known to all then Alice and Bob give their multisig privkey to
the other party.

Bob now has both privkeys in the multisig(Alice,Bob) so he can sign any
transaction he wants spending from it, but the contract transaction
still exists. So until Bob actually spends from the multisig he must
always be watching the blockchain, and if Alice broadcasts the contract
transaction then Bob must immediately spend from it using the hash
preimage branch. If Bob waits too long and the OP_CSV timelock value
passes then Alice can steal Bob's money by spending with that path. The
OP_CSV timelock only starts ticking when the contract transaction
actually confirms, and this is crucial for making privkey handover
practical because it means the coins in the multisig can stay unspent
indefinitely.

However, I think this does not apply to the scheme you described which
uses nLockTime, because after the privkeys are handed over Alice's
backout transaction (Alice+Bob -(nLockTime=locktime1)-> Alice) still
exists, and Alice could broadcast it. Once locktime1 passes then Alice
can 

Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-10 Thread ZmnSCPxj via bitcoin-dev
Good morning Mr. Lee,


> > === Combining multi-transaction with routing ===
> > Routing and multi-transaction must be combined to get both benefits. If
> > Alice owns multiple UTXOs (of value 6 BTC, 8 BTC and 1 BTC) then this is
> > easy with this configuration:
> >
> >  Alice
> > (6 BTC) (8 BTC) (1 BTC)
> >|   |   |
> >|   |   |
> >v   v   v
> >   Bob
> > (5 BTC) (5 BTC) (5 BTC)
> >|   |   |
> >|   |   |
> >v   v   v
> > Charlie
> > (9 BTC) (5 BTC) (1 BTC)
> >|   |   |
> >|   |   |
> >v   v   v
> > Dennis
> > (7 BTC) (4 BTC) (4 BTC)
> >|   |   |
> >|   |   |
> >v   v   v
> >  Alice
> >
>
> Great work Chris and you have my respects for your contributions to
> Bitcoin. A concern I have with bitcoin is scalability and privacy. Both
> are important. The reasons people bash on Monero is also the same issue
> Bitcoin has. The very large transaction size to achieve acceptable privacy
> on a distributed financial network. Im not shilling Monero here. I am only
> saying that bitcoin transactions with similar privacy properties are at
> least equally as large as Monero transactions. Coinjoin on Monero can be
> compared to ring signatures in Monero from the view of using decoys to
> help conceal the source. From this proposal is this to say that
> transactions will be at least 12 times larger in size to achieve the
> property of privacy that bitcoin is currently missing?

CoinSwap lets you buy privacy at whatever rate is manageable for you.
You can buy a simple non-routed non-multitransaction CoinSwap, for example, 
instead of larger sections like the above, depending on your privacy needs.
Even doing a non-routed non-multitransaction CoinSwap would help fungibility of 
those doing more complex setups, because the tiny CoinSwaps you make are made 
of "the same things" that the more complex CoinSwaps are made of.

>
> Another thing to consider is that if coinswaps cannot be sent as a payment
> then a coinswap needs to take place after every transaction to keep the
> privacy and unlinkability from your other bitcoin transactions.
>
> I always thought that CoinSwap would be and is a very much needed thing
> that needs developed. The ability to swap coins with other people in a
> trustless way and way that is not linkable to the public blockchain. But
> how can this be scalable at all with the multiple branches and layers?
> This is a good idea in theory but my concern would be the scalability
> issues this creates.
>
> Do you have any comments on this?
> Thank you

Overall, multiple mixing techniques cover a wide range of cost and privacy.

* PayJoins are cheap and almost free (you are coordinating with only one other 
participant who is strongly incentivized to cooperate with you, and making a 
single overall tx) but buys you only a small dollop of privacy (transaction can 
be misinterpreted by chain analysis, but probabilistic analysis can be 
"reasonably accurate" for a few transactions).
* Equal-valued CoinJoins are slightly more expensive than PayJoins but give a 
good amount of privacy (you are coordinating with multiple participants, and 
probably paying coordination/participation fees, but *which* output is yours 
will give probabilistic analysis a run for its money, although it is obvious 
that you *did* participate in a CoinJoin).
* CoinSwaps are a good bit more expensive than equal-valud CoinJoins but give a 
significant amount of privacy for their cost (you are coordinating with 
multiple participants and paying coordination/participation fees *and* you run 
the risk of getting your funds timelocked in case of network communications 
problems or active hacking attempts, but it is hard for chain analysis to even 
*realize* that a CoinSwap even occurred, i.e. it is steganographic).

Chris argues that CoinSwap gives better privacy:cost ratios than equal-valued 
CoinJoins, you can wait and see if he gives more supporting arguments regarding 
this, but overall the various mixing tech exists to give choice on how much 
privacy you buy.

Regards,
ZmnSCPxj
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-09 Thread Mr. Lee Chiffre via bitcoin-dev


>
> === Combining multi-transaction with routing ===
>
> Routing and multi-transaction must be combined to get both benefits. If
> Alice owns multiple UTXOs (of value 6 BTC, 8 BTC and 1 BTC) then this is
> easy with this configuration:
>
>  Alice
> (6 BTC) (8 BTC) (1 BTC)
>|   |   |
>|   |   |
>v   v   v
>   Bob
> (5 BTC) (5 BTC) (5 BTC)
>|   |   |
>|   |   |
>v   v   v
> Charlie
> (9 BTC) (5 BTC) (1 BTC)
>|   |   |
>|   |   |
>v   v   v
> Dennis
> (7 BTC) (4 BTC) (4 BTC)
>|   |   |
>|   |   |
>v   v   v
>  Alice
>






Great work Chris and you have my respects for your contributions to
Bitcoin. A concern I have with bitcoin is scalability and privacy. Both
are important. The reasons people bash on Monero is also the same issue
Bitcoin has. The very large transaction size to achieve acceptable privacy
on a distributed financial network. Im not shilling Monero here. I am only
saying that bitcoin transactions with similar privacy properties are at
least equally as large as Monero transactions. Coinjoin on Monero can be
compared to ring signatures in Monero from the view of using decoys to
help conceal the source. From this proposal is this to say that
transactions will be at least 12 times larger in size to achieve the
property of privacy that bitcoin is currently missing?

Another thing to consider is that if coinswaps cannot be sent as a payment
then a coinswap needs to take place after every transaction to keep the
privacy and unlinkability from your other bitcoin transactions.

I always thought that CoinSwap would be and is a very much needed thing
that needs developed. The ability to swap coins with other people in a
trustless way and way that is not linkable to the public blockchain. But
how can this be scalable at all with the multiple branches and layers?
This is a good idea in theory but my concern would be the scalability
issues this creates.

Do you have any comments on this?
Thank you


-- 
lee.chif...@secmail.pro
PGP 97F0C3AE985A191DA0556BCAA82529E2025BDE35

___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-09 Thread Mr. Lee Chiffre via bitcoin-dev


> Coinjoin on Monero can be
> compared to ring signatures in Monero from the view of using decoys to
> help conceal the source. From this proposal is this to say that
> transactions will be at least 12 times larger in size to achieve the
> property of privacy that bitcoin is currently missing?
>


This was a typo. Coinjoin on BITCOIN, can be compared to ring signatures
in Monero form the view of using decoys to help conceal the source.


The same thing that makes monero transactions large and a scalability
concern is the same thing that bitcoin suffers from with using privacy
focused transactions.

___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-05 Thread ZmnSCPxj via bitcoin-dev
Good morning a third time Chris,

Now unrelated to the funding order, but one of the reasons why timeliness is 
desirable for CoinSwap is that if possible, we want to ensure that sends from a 
user wallet are not correlatable with receives into that wallet.
Thus, there is the strong suggestion that before sending to a payee, the user 
wallet should swap, then use the swapped funds to pay the payee, i.e. 
swap-on-pay.
JoinMarket does this in `sendpayment.py`, for example, and this is the 
recommended way to perform payments out of the JoinMarket wallet.

Let me propose an alternative: swap-on-receive+swap-on-change.

ZeroLink already suggests that wallets maintain two internal wallets: a pre-mix 
wallet and a post-mix wallet.
With swap-on-receive, when the user wants a receive address, the wallet gets it 
from the pre-mix wallet address.
Then, when wallet notices any unspent funds on any pre-mix wallet address, the 
wallet automatically swaps it into the post-mix wallet.
This is swap-on-receive.
Long-term HODLing goes into post-mix wallet addresses.

Then, when sending, the wallet selects from the post-mix wallet coins, and 
spends those coins directly into the payee address.
If there is no exact amount, it has to have change.
The change output does *not* go to the pre-mix or post-mix wallet address.
Instead, it goes to a 2-of-2 funding outpoint for a new swap immediately.

This lets the payee receive its funds quickly, as soon as the transaction 
confirms, without waiting for the CoinSwap to complete.
Of course, the user now has to be online to *fully* receive funds (the user 
cannot spend the funds until it is in the post-mix wallet).

Regards,
ZmnSCPxj
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-05 Thread ZmnSCPxj via bitcoin-dev
Good morning again Chris,

I am uncertain if you are aware, but some years ago somebody claimed that 
2p-ECDSA could use Scriptless Script as well over on lightning-dev.

* 
https://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20180426/fe978423/attachment-0001.pdf
* 
https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-April/001221.html

I cannot claim to follow the math enough to say it is actually secure, but the 
idea does exist.

If this is sufficiently secure, we can fold the Spilman backout into the 
scriptless script swap as well.

* Alice creates secret keypairs A[0] = a[0] * G, A[1] = a[1] * G
* Bob creates secret keypairs B[0] = b[0] * G, B[1] = b[1] * G
* Alice creates (but does not sign) funding from Alice -> A[0] && B[0]
* Bob provides partial signature for A[0] && B[0] -(nLockTime=locktime1)-> 
Alice to Alice and Alice completes this signature and stashes it.
* Bob creates (but does not sign) funding from Bob -> A[1] && B[1]
* Alice provides partial signature for A[1] && B[1] -(nLockTime=lockTime2)-> 
Bob to Bob and Bob completes this signature and stashes it.
* Alice and Bob sign and broadcast their funding transactions.
  * This can safely be done in any order; Bob will refuse to continue with the 
protocol until it sees Alice funding is confirmed, and will abort if locktime2 
is too near.
* Alice waits for Bob funding tx to confirm.
* Alice provides a 2p-ECDSA adaptor signature for A[1] && B[1] --> Alice; the 
adaptor signature, when completed, reveals the secret a[0] to Bob.
* Bob waits for Alice funding tx to confirm.
* Bob provides the partial signature for the given adaptor signature for A[1] 
&& B[1] --> Alice and  Alice completes this signature and stashes it.
* Alice gives a[0] outright to Bob.
* Bob gives b[1] outright to Alice.
* Alice spends the A[1] && B[1] output before locktime2.
* Bob spends the A[0] && B[0] output before locktime1.

I also pointed out the griefing problem in Lightning also applies to SwapMarket.
Bob can limit the griefing problem by requiring that locktime2 <= now + 12, and 
requiring that locktime1 >= now + 60.
This means that Alice has to lock its funds for 10 hours if it forces Bob to 
lock its funds for 2 hours, making it undesirable as an attack on competing 
makers.
This does prevent chaining (no maker is going to accept the outgoing), but if 
Alice wants chaining it can always use the private key handed over to 
immediately start a funding tx with another Bob.

(This is not a good solution for griefing in the Lightning Network since 
channels are intended to be reused there, whereas the Spilman channels in 
CoinSwap exist only to allow funding transactions to confirm in any order 
onchain, and are used only for the specific swap; in Lightning the forwarding 
node has an incentive to release the incoming HTLC immediately instead of 
imposing the incoming wait time since the funding can be reused for a different 
payment, but in CoinSwap it cannot be reused anyway, so it could just let the 
incoming timelock lapse instead of releasing that encumbrance as would be done 
in Lightning.)

Regards,
ZmnSCPxj
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-05 Thread ZmnSCPxj via bitcoin-dev
Good morning Chris,

> I think I'm having trouble understanding this, does it work like this:
>
> Say we're in the 2-party coinswap case (Alice and Bob)
>
> We have Alice's funding transaction:
> Alice UTXO ---> 2of2 multisig (Alice+Bob)
>
> And we have the regular contract transaction
> 2of2 multisig (Alice+Bob) ---> Alice+timelock1 OR Bob+hashlock
>
> And you propose a second pre-signed transaction?
> 2of2 multisig (Alice+Bob) ---> Bob+timelock2

No, it is:

2of2 multisig (Alice+Bob) --(nLockTime=locktime1)-> Alice

The timelock is  imposed as a `nLockTime`, not as an `OP_CLTV` (so not in the 
output of the tx, but part of the tx), and the backout returns the funds to 
Alice, not sends it to Bob.
This transaction is created *before* the contract transaction.

The order is:

* Create (but not sign) Alice funding tx (Alice --> Alice+Bob).
* Create and sign Alice backout transaction (Alice+Bob -(nLockTime=locktime1)-> 
Alice).
* Create (but not sign) Bob funding tx (Bob --> Alice+Bob+sharedSecret).
* Create and sign Bob backout transaction (Alice+Bob+sharedSecret 
-(nLocktime=locktime2)-> Bob) where timelock2 < timelock1.
* Sign and broadcast funding txes.
  * At this point, even if Bob funding tx is confirmed but Alice funding tx is 
not, Bob can recover funds with the backout, but Alice cannot steal the funds 
(since there is no hashlock branch at this point).
* When Alice funding tx is confirmed, create and sign contract transaction 
(Alice+Bob --> Alice+timelock1 OR Bob+hashlock).
* When Bob funding tx is confirmed and Bob has received the Alice contract 
transaction, create and sign Bob contract transaction (Alice+Bob+sharedSecret 
--> Bob+timelock2 OR Alice+hashlock).
* Continue as normal.

In effect, the backout transaction creates a temporary Spilman unidirectional 
time-bound channel.
We just reuse the same timelock on the HTLC we expect to instantiate, as the 
time bound of the Spilman channel; the timelock exists anyway, we might as well 
reuse it for the Spilman.

Creation of the contract tx invalidates the backout tx (the backout tx is 
`nLockTime`d, the contract tx has no such encumbrance), but the backout allows 
Alice and Bob to fund their txes simultaneously without risk of race loss.
However, they do still have to wait for (deep) confirmation before signing 
contract transactions, and Bob has to wait for the incoming contract 
transaction as well before it signs its outgoing contract transaction.

The protocol is trivially extendable with more than one Bob.

The insight basically is that we can split CoinSwap into a "channel 
establishment" phase and "HTLC forwarding" phase followed by "HTLC resolution" 
and "private key handover".
HTLC forwarding and HTLC resolution are "done offchain" in the channels, and 
channel establishment can be done in any order, including reverse.

Indeed, the Spilman channel need not have the same timelock as the HTLC it will 
eventually host: it could have a shorter timelock, since the contract 
transaction has no `nLockTime` it can be instantiated (with loss of privacy due 
to the nonstandard script) before the Spilman timeout.

Regards,
ZmnSCPxj
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-05 Thread Chris Belcher via bitcoin-dev
Good day ZmnSCPxj,

>>> But S6 has the mild advantage that all the funding transactions paying to 
>>> 2-of-2s can appear on the same block, whereas chaining swaps will have a 
>>> particular order of when the transactions appear onchain, which might be 
>>> used to derive the order of swaps.
>>
>> On the other hand, funds claiming in S6 is also ordered in time, so
>> someone paying attention to the mempool could guess as well the order of
>> swaps.
>>
>> I think this is wrong, and that it's possible for the funding
>> transactions of chained/routed swaps to all be in the same block as well.
>>
>> In CoinSwap it's possible to get DOS'd without the other side spending
>> money if you broadcast your funding transaction first and the other side
>> simply disappears. You'd get your money back but you have to waste time
>> and spend miner fees. The other side didn't spend money to do this, not
>> even miner fees.
>>
>> From the point of view of us as a maker in the route, we know we won't
>> get DOS'd like this for free if we only broadcast our funding
>> transaction once we've seen the other side's funding transaction being
>> broadcast first. This should work as long as the two transactions have a
>> similar fee rate. There might be an attack involving hash power: If the
>> other side has a small amount of hash power and mines only their funding
>> transaction in a manner similar to a finney attack, then our funding
>> transaction should get mined very soon afterwards by another miner and
>> the protocol will continue as normal. If the other side has knowledge of
>> the preimage and uses it to do CPFP and take the money, then we can
>> learn that preimage and do our own CPFP to get our money back too.
> 
> How about RBF?
> 
> A taker Alice can broadcast the funding tx spending its own funds.
> The funding tx spends funds controlled unilaterally by Alice.
> Alice can sign a replacement transaction for those funds, spending them to an 
> address with unilateral control, and making the funding tx output with all 
> the obligations attached never get confirmed in the first place.
> 
> The chances may be small --- Bob can certainly monitor for Alice broadcasting 
> a replacement and counter-broadcast its own replacement --- but the risk 
> still exists.
> TANSTAAGM (There Aint No Such Thing As A Global Mempool) also means Alice 
> could arrange the replacement by other means, such as not using the 
> RBF-enabled flag, broadcasting the self-paying replacement near miner nodes, 
> and broadcasting the CoinSwap-expected funding tx near the Bob fullnode; Bob 
> fullnode will then reject attempts to replace it, but miners will also reject 
> the CoinSwap-expected funding tx and it will not confirm anyway.
> 
> 
> With the pre-SAS 4-tx setup, this potentially allows Alice to steal the funds 
> of Bob; after Alice gets its funding-tx-replacement confirmed together with 
> the Bob honest-funding-tx, Alice can use the contract transaction and publish 
> the preimage to take the Bob funds.
> Since the Alice-side funding tx has been replaced, knowledge of the hash 
> preimage will not help Bob any: the Alice funding tx has been replaced and 
> Bob cannot use the preimage to claim it (it does not exist).
> 
> 
> With SAS Alice cannot outright steal the Bob funds, but the Bob funds will 
> now be locked in a 2-of-2 and Alice can take it hostage (either Bob gives up 
> on the funds, i.e. donates its value to all HODLers, or Bob gives most of the 
> value to Alice).
> 
> 
> For the avoidance of theft, it is probably better for Bob to wait for 
> Alice-side funding tx to confirm, probably deeply because reorgs suck.
> 
> This at least makes it costly to perform this attack; you have to lock more 
> of your funds longer in order to induce a competitor to lock its funds.
> 
> 
> Come to think of it, the same issue probably holds for S6 as well, the 
> funding tx with the longest timelock has to confirm first before the next is 
> even broadcast, bleah.

Your RBF observation actually blows my idea out of the water. Not just
because of RBF but because of an attack by a miner.

Supposing that Alice starts with knowledge of the hash preimage, if she
uses RBF to make her funding transaction never confirm but allows Bob's
funding transaction to confirm, then Alice can use her preimage to take
the money from Bob's funding transaction. Bob will learn the value of
the preimage but it won't be much good to him because Alice's funding
transaction isn't valid anymore. Alice will get money from her funding
transaction and also money from Bob's funding transaction.

Because of this attack, it's pretty clear that a CoinSwap peer who
starts _without_ knowledge of the preimage must wait for the other
side's funding transaction to actually confirm, perhaps even with
multiple confirmations if they fear that the other side has access to
hashpower. For example, a miner could play the role of Alice and use
this attack to almost-risklessly steal Bob's 

Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-04 Thread ZmnSCPxj via bitcoin-dev
Good morning yet again Chris,

> > For the avoidance of theft, it is probably better for Bob to wait for 
> > Alice-side funding tx to confirm, probably deeply because reorgs suck.

I realized that the *other* improvement I proposed in the [CoinSwapCS 
issue](https://github.com/AdamISZ/CoinSwapCS/issues/53) would help with this.
Specifically, `nLockTime`-protected Backouts.

Suppose we have an S6 route as so, with Alice as taker and Bob1 and Bob2 as 
makers:

Alice -> Bob1 -> Bob2 -> Alice

We assume here that Bob1 and Bob2 directly talk to Alice and that if Bob1 wants 
to talk to Bob2 it is done via Alice, so in the below if we say "Bob1 sends to 
Bob2" we imply that this is done via Alice.

1.  Alice solicits fresh pubkeys from Bob1 and Bob2.
2.  Alice gives timeouts L1 and L2 to Bob1, and L2 and L3 to Bob2, such that L1 
> L2 > L3, as well as negotiated amount, fees, etc.
3.  Alice creates (but does NOT sign) a funding tx paying to Alice && Bob1 and 
gives the txid to Bob1.
4.  Bob1 creates and signs a tx spending from the Alice funding tx and paying 
to Alice, with `nLockTime = L1`, and gives the signature to Alice.
5.  Bob1 creates (but does NOT sign) a funding tx paying to Bob1 && Bob2 and 
gives the txid to Bob2.
6.  Bob2 creates and signs a tx spending from the Bob1 funding tx and paying to 
Bob1, with `nLockTime = L2`, and gives the signature to Bob1.
7.  Bob2 creates (but does NOT sign) a funding tx paying to Bob2 && Alice and 
gives the txid to Alice.
8.  Alice creates and signs a tx spending from the Bob2 funding tx and paying 
to Bob2, with `nLockTime = L3`, and gives the signature to Bob2.
9.  Alice signals everyone to sign their respecting funding txes and broadcast 
them.

The rest of the CoinSwap protocol executes as normal once the funding txes are 
deeply confirmed.
The only thing that Bob1 (resp. Bob2) needs to wait for is that the signatures 
for the incoming HTLC / PTLC have been received before forwarding to the next 
hop.
This allows all funding txes to be confirmed in the same block, or even in some 
suitable random order (by having Alice send the signal out at different 
times/blocks to different makers).

The `nLockTime`d backout transactions are sufficient to allow everyone to 
recover their funds unilaterally in case one of the other funding txes do not 
confirm.

A similar technique can be done for SAS as well, but this removes the lack of 
encumbrance in the LTC-side output of SAS, which removes the advantage of 
having an otherwise unencumbered output.

In effect, the above creates Spilman unidirectional payment channels along the 
route, bringing the fiddly timing details offchain where it is less visible to 
observers.

--

However, note that this still allows a form of griefing attack.
Basically, Alice can induce Bob1 and Bob2 to lock their funds for some time, by 
completing the above ritual, but not signing and broadcasting its own funding 
tx.
Bob1 and Bob2 will have been induced to lock their funds for L2 and L3, 
respectively, while Alice only has to RBF away its own funding tx.

Alice might do this if it is actually another maker and it wants to take out 
its competitors Bob1 and Bob2, reducing their available liquidity for a time 
and cornering the SwapMarket.


This can be mitigated by replacing step 9 with:

9.  Alice gives its signed funding tx to Bob1.
10.  Bob1 gives its signed funding tx to Bob2.
11.  Bob2 gives its signed funding tx to Alice.
12.  Alice signals everyone to broadcast their funding txes.

Then Bob1 (resp. Bob2) can monitor the mempool/blockchain and check as well if 
its outgoing funding tx has been broadcast/confirmed, and if so broadcast the 
incoming funding tx.
Or better, if Bob1 (resp. Bob2) does not receive the Alice signal fast enough, 
it will broadcast its incoming funding tx anyway.

This is only a mitigation: Alice could have pre-prepared a replacement to the 
funding tx that it broadcasts near miners just before it signals Bob1 and Bob2 
to broadcast all transactions.

For full protection against griefing attacks, Bob1 (resp. Bob2) have to wait 
for the incoming funding tx to be confirmed deeply before broadcasting its 
outgoing funding tx as well.

Regards,
ZmnSCPxj

___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-03 Thread ZmnSCPxj via bitcoin-dev
Good morning Chris again,


> For the avoidance of theft, it is probably better for Bob to wait for 
> Alice-side funding tx to confirm, probably deeply because reorgs suck.


Over in Lightning-land, we have a concept called "irrevocably committed".
This is a state where a newly-created contract can no longer be cancelled, by 
publishing an older state.
In Lightning, there is a short timeframe where a new state, and its directly 
previous state, are both still valid, until the previous state is revoked.
Only once the previous state (that does not contain the contract) has been 
revoked, and only the latest state is valid, can a forwarding node actually 
forward the payment.


This is roughly equivalent to the funding tx for the CoinSwap being confirmed.
Until a transaction is confirmed, the UTXOs it spends (i.e. the previous state) 
can still be validly spent by other alternate transactions.


Regards,
ZmnSCPxj
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-02 Thread ZmnSCPxj via bitcoin-dev
Good morning Chris,

> > Good morning Ruben and Chris,
>
> > I am not in fact convinced that PayJoin-with-CoinSwap adds that much 
> > privacy.
> > These transactions:
> >
> >  +---+  +---+
> > Alice ---|   |--|   |--- Bob
> > Alice ---|   |  |   |
> >   Bob ---|   |  +---+
> >  +---+
> >
> >
> > Are not really much different in coin ownership analysis from these:
> >
> >  +---++---+
> > Alice ---|   ||   |--- Bob
> > Alice ---|   | +--|   |
> >  +---+ |  +---+
> >   Bob -+
> >
>
> The main benefit of PayJoin-with-CoinSwap is it breaks the
> common-input-ownership heuristic, which is a major widely used
> heuristic. It would be a big win if that heuristic could be broken.
>
> PayJoin-with-CoinSwap would be useful if Alice is trying to recover some
> privacy which was previously degraded, for example if she is spending
> from a reused address or from an address linked to her identity. If she
> does a PayJoin with the reused address then some other economic entity
> would have his activity linked with Alice's.
>
> Just the fact that PayJoin-with-CoinSwap exists would improve privacy
> for people who don't use it, for example if someone buys bitcoin from an
> exchange that knows their identity and then co-spends it with other
> coins they obtained another way. The fact that PayJoin exists means an
> adversary cannot assume for sure that this user really owns that other
> address which was co-spent. This doesn't apply for regular CoinSwap,
> which only ever breaks the transaction graph heuristic, so in our
> example the destination the coins are sent to would be uncertain, but
> that the co-spent inputs are owned by the same person would be certain
> in a world where PayJoin didn't exist.

Alice can do PayJoin with a payee Carol that supports normal PayJoin, for 
similar overall results.

Though I suppose there is a mild advantage still with supporting it on the 
funding tx of the first transaction, as you noted.

> > But S6 has the mild advantage that all the funding transactions paying to 
> > 2-of-2s can appear on the same block, whereas chaining swaps will have a 
> > particular order of when the transactions appear onchain, which might be 
> > used to derive the order of swaps.
>
> On the other hand, funds claiming in S6 is also ordered in time, so
> someone paying attention to the mempool could guess as well the order of
> swaps.
>
> I think this is wrong, and that it's possible for the funding
> transactions of chained/routed swaps to all be in the same block as well.
>
> In CoinSwap it's possible to get DOS'd without the other side spending
> money if you broadcast your funding transaction first and the other side
> simply disappears. You'd get your money back but you have to waste time
> and spend miner fees. The other side didn't spend money to do this, not
> even miner fees.
>
> From the point of view of us as a maker in the route, we know we won't
> get DOS'd like this for free if we only broadcast our funding
> transaction once we've seen the other side's funding transaction being
> broadcast first. This should work as long as the two transactions have a
> similar fee rate. There might be an attack involving hash power: If the
> other side has a small amount of hash power and mines only their funding
> transaction in a manner similar to a finney attack, then our funding
> transaction should get mined very soon afterwards by another miner and
> the protocol will continue as normal. If the other side has knowledge of
> the preimage and uses it to do CPFP and take the money, then we can
> learn that preimage and do our own CPFP to get our money back too.

How about RBF?

A taker Alice can broadcast the funding tx spending its own funds.
The funding tx spends funds controlled unilaterally by Alice.
Alice can sign a replacement transaction for those funds, spending them to an 
address with unilateral control, and making the funding tx output with all the 
obligations attached never get confirmed in the first place.

The chances may be small --- Bob can certainly monitor for Alice broadcasting a 
replacement and counter-broadcast its own replacement --- but the risk still 
exists.
TANSTAAGM (There Aint No Such Thing As A Global Mempool) also means Alice could 
arrange the replacement by other means, such as not using the RBF-enabled flag, 
broadcasting the self-paying replacement near miner nodes, and broadcasting the 
CoinSwap-expected funding tx near the Bob fullnode; Bob fullnode will then 
reject attempts to replace it, but miners will also reject the 
CoinSwap-expected funding tx and it will not confirm anyway.


With the pre-SAS 4-tx setup, this potentially allows Alice to steal the funds 
of Bob; after Alice gets its funding-tx-replacement confirmed together with the 
Bob honest-funding-tx, Alice can use the contract transaction and publish the 
preimage to take the Bob funds.
Since the Alice-side funding tx 

Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-02 Thread Chris Belcher via bitcoin-dev
Hello ZmnSCPxj,

On 31/05/2020 03:30, ZmnSCPxj via bitcoin-dev wrote:
> Good morning Ruben and Chris,

> I am not in fact convinced that PayJoin-with-CoinSwap adds *that* much 
> privacy.
> 
> These transactions:
> 
>  +---+  +---+
> Alice ---|   |--|   |--- Bob
> Alice ---|   |  |   |
>   Bob ---|   |  +---+
>  +---+
> 
> Are not really much different in coin ownership analysis from these:
> 
>  +---++---+
> Alice ---|   ||   |--- Bob
> Alice ---|   | +--|   |
>  +---+ |  +---+
>   Bob -+

The main benefit of PayJoin-with-CoinSwap is it breaks the
common-input-ownership heuristic, which is a major widely used
heuristic. It would be a big win if that heuristic could be broken.

PayJoin-with-CoinSwap would be useful if Alice is trying to recover some
privacy which was previously degraded, for example if she is spending
from a reused address or from an address linked to her identity. If she
does a PayJoin with the reused address then some other economic entity
would have his activity linked with Alice's.

Just the fact that PayJoin-with-CoinSwap exists would improve privacy
for people who don't use it, for example if someone buys bitcoin from an
exchange that knows their identity and then co-spends it with other
coins they obtained another way. The fact that PayJoin exists means an
adversary cannot assume for sure that this user really owns that other
address which was co-spent. This doesn't apply for regular CoinSwap,
which only ever breaks the transaction graph heuristic, so in our
example the destination the coins are sent *to* would be uncertain, but
that the co-spent inputs are owned by the same person would be certain
in a world where PayJoin didn't exist.

> It also removes the need for Bob to reveal additional UTXOs to Alice during 
> the swap protocol; yes PoDLE mitigates the privacy probing attack that Alice 
> can mount on Bob, but it is helpful to remember this is "only" a mitigation.

Opening up the possibility of spying for free is a real downside for
PayJoin-with-CoinSwap. Using decoy UTXOs as described in my design
document, rather than PoDLE, seems like a better way of resisting these
attacks. This is because at the cost of a little bit more bandwidth and
CPU its possible to make the probability of an attacker successfully
guessing the maker's real UTXOs to be as low as you want.

> But S6 has the mild advantage that all the funding transactions paying to 
> 2-of-2s *can* appear on the same block, whereas chaining swaps will have a 
> particular order of when the transactions appear onchain, which might be used 
> to derive the order of swaps.
On the other hand, funds claiming in S6 is also ordered in time, so
someone paying attention to the mempool could guess as well the order of
swaps.

I think this is wrong, and that it's possible for the funding
transactions of chained/routed swaps to all be in the same block as well.

In CoinSwap it's possible to get DOS'd without the other side spending
money if you broadcast your funding transaction first and the other side
simply disappears. You'd get your money back but you have to waste time
and spend miner fees. The other side didn't spend money to do this, not
even miner fees.

>From the point of view of us as a maker in the route, we know we won't
get DOS'd like this for free if we only broadcast our funding
transaction once we've seen the other side's funding transaction being
broadcast first. This should work as long as the two transactions have a
similar fee rate. There might be an attack involving hash power: If the
other side has a small amount of hash power and mines only their funding
transaction in a manner similar to a finney attack, then our funding
transaction should get mined very soon afterwards by another miner and
the protocol will continue as normal. If the other side has knowledge of
the preimage and uses it to do CPFP and take the money, then we can
learn that preimage and do our own CPFP to get our money back too.

So in a routed coinswap setup it should be possible for Alice the taker
to broadcast her funding transaction first, which will lead to all the
makers broadcasting their funding transactions as well once they see the
other side has broadcast first. Then it would be possible for all those
funding transactions to be confirmed in the same block.

I hope I haven't missed anything, because if this doesn't work and each
maker must wait for confirmations, then the UX of routed CoinSwap would
degrade: a CoinSwap route of 5 makers would require at least 5 blocks to
be mined.

Of course this setup can leak the ordering of the routes because the
funding transaction would appear in the mempool in that order, but this
could be beaten if some Alices choose to intentionally spread out the
funding transaction broadcasts among multiple blocks for privacy reasons.

An interesting tangent could be to see if it's possible to make private
key 

Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-06-01 Thread Ruben Somsen via bitcoin-dev
Hi ZmnSCPxj,

>If Alice is paying to a non-SAS aware payee

Yeah, I agree that this use case is not possible without a third
transaction (preferably from the timelocked side, in the case of SAS). My
point was merely that you can swap and simultaneously merge some of your
outputs into the post-swap non-timelocked output, though perhaps that is
not very useful.

Cheers,
Ruben



On Mon, Jun 1, 2020 at 4:34 AM ZmnSCPxj  wrote:

> Good morning Ruben,
>
>
> >
> > That assumes there will be a second transaction. With SAS I believe we
> can avoid that, and make it look like this:
> >
> >  +---+
> > Alice ---|   |--- Bob
> > Alice ---|   |
> >   Bob ---|   |
> >  +---+
>
> If Alice is paying to a non-SAS aware payee that just provides an onchain
> address (i.e. all current payees today), then the 2-of-2 output it gets
> from the swap (both of whose keys it learns at the end of the swap) is
> **not** the payee onchain address.
> And it cannot just hand over both private keys, because the payee will
> still want unambiguous ownership of the entire UTXO.
> So it needs a second transaction anyway.
> (with Schnorr then Alice and payee Carol can act as a single entity/taker
> to Bob, a la Lightning Nodelets using Composable MuSig, but that is a
> pretty big increase in protocol complexity)
>
> If Alice does not want to store the remote-generated privkey as well, and
> use only an HD key, then it also has to make the second transaction.
> Alice might want to provide the same assurances as current wallets that
> memorizing a 12-word or so mnemonic is sufficient backup for all the funds
> (other than funds currently being swapped), and so would not want to leave
> any funds in a 2-of-2.
>
> If Bob is operating as a maker, then it also cannot directly use the
> 2-of-2 output it gets from the swap, and has to make a new 2-of-2 output,
> for the *next* taker that arrives to request its services.
>
> So there is always going to be a second transaction in a SwapMarket
> system, I think.
>
>
> What SAS / private key turnover gets us is that there is not a *third*
> transaction to move from a 1-of-1 to the next address that makers and
> takers will be moving anyway, and that the protocol does not have to add
> communication provisions for special things like adding maker inputs or
> specifying all destination addresses for the second stage and so on,
> because those can be done unilaterally once the private key is turned over.
>
>
> > >A thing I have been trying to work out is whether SAS can be done with
> more than one participant, like in S6
> >
> > S6 requires timelocks for each output in order to function, so I doubt
> it can be made to work with SAS.
>
> Hmmm right right.
>
> Naively it seems both chaining SAS/private key turnover to multiple
> makers, and a multi-maker S6 augmented with private key turnover, would
> result in the same number of transactions onchain, but I probably have to
> go draw some diagrams or something first.
>
> But S6 has the mild advantage that all the funding transactions paying to
> 2-of-2s *can* appear on the same block, whereas chaining swaps will have a
> particular order of when the transactions appear onchain, which might be
> used to derive the order of swaps.
> On the other hand, funds claiming in S6 is also ordered in time, so
> someone paying attention to the mempool could guess as well the order of
> swaps.
>
>
> Regards,
> ZmnSCPxj
>
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-05-31 Thread ZmnSCPxj via bitcoin-dev
Good morning Ruben,


>
> That assumes there will be a second transaction. With SAS I believe we can 
> avoid that, and make it look like this:
>
>              +---+
>     Alice ---|   |--- Bob
>     Alice ---|   |
>       Bob ---|   |
>              +---+

If Alice is paying to a non-SAS aware payee that just provides an onchain 
address (i.e. all current payees today), then the 2-of-2 output it gets from 
the swap (both of whose keys it learns at the end of the swap) is **not** the 
payee onchain address.
And it cannot just hand over both private keys, because the payee will still 
want unambiguous ownership of the entire UTXO.
So it needs a second transaction anyway.
(with Schnorr then Alice and payee Carol can act as a single entity/taker to 
Bob, a la Lightning Nodelets using Composable MuSig, but that is a pretty big 
increase in protocol complexity)

If Alice does not want to store the remote-generated privkey as well, and use 
only an HD key, then it also has to make the second transaction.
Alice might want to provide the same assurances as current wallets that 
memorizing a 12-word or so mnemonic is sufficient backup for all the funds 
(other than funds currently being swapped), and so would not want to leave any 
funds in a 2-of-2.

If Bob is operating as a maker, then it also cannot directly use the 2-of-2 
output it gets from the swap, and has to make a new 2-of-2 output, for the 
*next* taker that arrives to request its services.

So there is always going to be a second transaction in a SwapMarket system, I 
think.


What SAS / private key turnover gets us is that there is not a *third* 
transaction to move from a 1-of-1 to the next address that makers and takers 
will be moving anyway, and that the protocol does not have to add communication 
provisions for special things like adding maker inputs or specifying all 
destination addresses for the second stage and so on, because those can be done 
unilaterally once the private key is turned over.


> >A thing I have been trying to work out is whether SAS can be done with more 
> >than one participant, like in S6
>
> S6 requires timelocks for each output in order to function, so I doubt it can 
> be made to work with SAS.

Hmmm right right.

Naively it seems both chaining SAS/private key turnover to multiple makers, and 
a multi-maker S6 augmented with private key turnover, would result in the same 
number of transactions onchain, but I probably have to go draw some diagrams or 
something first.

But S6 has the mild advantage that all the funding transactions paying to 
2-of-2s *can* appear on the same block, whereas chaining swaps will have a 
particular order of when the transactions appear onchain, which might be used 
to derive the order of swaps.
On the other hand, funds claiming in S6 is also ordered in time, so someone 
paying attention to the mempool could guess as well the order of swaps.


Regards,
ZmnSCPxj
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-05-31 Thread Ruben Somsen via bitcoin-dev
Hi ZmnSCPxj,

>Just to be clear, you mean we can use the MuSig key-combination protocol
for the non-timelocked SAS output, but (of course) not the signing protocol
which is inherently Schnorr. Then knowledge of both of the original private
keys is enough to derive the single combined private key.

That's correct.

>basically private key handover gets us PayJoin for free

That assumes there will be a second transaction. With SAS I believe we can
avoid that, and make it look like this:

 +---+
Alice ---|   |--- Bob
Alice ---|   |
  Bob ---|   |
 +---+

This is basically what I was trying to explain in my previous email: "I
believe PayJoin can also be applied to the non-timelocked side. This does
require adding a transaction that undoes the PayJoin in case the swap gets
aborted, which means MuSig can't be used. Everything else stays the same:
only one tx if successful, and no timelock (= instant settlement)"

I don't have a strong opinion on whether it is actually useful to combine
CoinSwap with PayJoin.

>A thing I have been trying to work out is whether SAS can be done with
more than one participant, like in S6

S6 requires timelocks for each output in order to function, so I doubt it
can be made to work with SAS.

I've also tried applying SAS to partially blind swaps and ran into
likability issues, though it's less clear to me whether there is some
fundamental reason why it couldn't work there.

Cheers,
Ruben

On Sun, May 31, 2020 at 4:31 AM ZmnSCPxj  wrote:

> Good morning Ruben and Chris,
>
> > >For a much greater anonymity set we can use 2-party ECDSA to create
> 2-of-2 multisignature addresses that look the same as regular
> single-signature addresses
> >
> > This may perhaps be counter-intuitive, but SAS doesn't actually require
> multisig for one of the two outputs, so a single key will suffice. ECDSA is
> a signing algorithm that doesn't support single key multisig (at least not
> without 2p-ECDSA), but notice how for the non-timelocked SAS output we
> never actually have to sign anything together with the other party. We swap
> one of the two keys, and the final owner will create a signature completely
> on their own. No multisig required, which means we can simply use MuSig,
> even today without Schnorr.
>
> Just to be clear, you mean we can use the MuSig key-combination protocol
> for the non-timelocked SAS output, but (of course) not the signing protocol
> which is inherently Schnorr.
>
> Then knowledge of both of the original private keys is enough to derive
> the single combined private key.
>
> > Of course the other output will still have to be a 2-of-2, for which you
> rightly note 2p-ECDSA could be considered. It may also be interesting to
> combine a swap with the opening of a Lightning channel. E.g. Alice and Bob
> want to open a channel with 1 BTC each, but Alice funds it in her entirety
> with 2 BTC, and Bob gives 1 BTC to Alice in a swap. This makes it difficult
> to tell Bob entered the Lightning Network, especially if the channel is
> opened in a state that isn't perfectly balanced. And Alice will gain an
> uncorrelated single key output.
>
> Dual-funding could be done by a single-funding Lightning open followed by
> an onchain-to-offchain swap.
> Though the onchain swap would have to be done, at least currently, with
> hashes.
>
> > >=== PayJoin with CoinSwap ===
> >
> > While it's probably clear how to do it on the timelocked side of SAS, I
> believe PayJoin can also be applied to the non-timelocked side. This does
> require adding a transaction that undoes the PayJoin in case the swap gets
> aborted, which means MuSig can't be used. Everything else stays the same:
> only one tx if successful, and no timelock (= instant settlement). I can
> explain it in detail, if it happens to catch your interest.
>
> I am not in fact convinced that PayJoin-with-CoinSwap adds *that* much
> privacy.
>
> These transactions:
>
>  +---+  +---+
> Alice ---|   |--|   |--- Bob
> Alice ---|   |  |   |
>   Bob ---|   |  +---+
>  +---+
>
> Are not really much different in coin ownership analysis from these:
>
>  +---++---+
> Alice ---|   ||   |--- Bob
> Alice ---|   | +--|   |
>  +---+ |  +---+
>   Bob -+
>
> The latter is possible due to private key handover, the intermediate
> output becomes owned solely by Bob and Bob can add many more inputs to that
> second transaction unilaterally for even greater confusion to chain
> analysis, basically private key handover gets us PayJoin for free.
> It also removes the need for Bob to reveal additional UTXOs to Alice
> during the swap protocol; yes PoDLE mitigates the privacy probing attack
> that Alice can mount on Bob, but it is helpful to remember this is "only" a
> mitigation.
>
> Now of course things are different if Alice is paying some exact amount to
> Carol, and Alice wants to dissociate her funds from the payment.
> The difference 

Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-05-30 Thread ZmnSCPxj via bitcoin-dev
Good morning Ruben and Chris,

> >For a much greater anonymity set we can use 2-party ECDSA to create 2-of-2 
> >multisignature addresses that look the same as regular single-signature 
> >addresses
>
> This may perhaps be counter-intuitive, but SAS doesn't actually require 
> multisig for one of the two outputs, so a single key will suffice. ECDSA is a 
> signing algorithm that doesn't support single key multisig (at least not 
> without 2p-ECDSA), but notice how for the non-timelocked SAS output we never 
> actually have to sign anything together with the other party. We swap one of 
> the two keys, and the final owner will create a signature completely on their 
> own. No multisig required, which means we can simply use MuSig, even today 
> without Schnorr.

Just to be clear, you mean we can use the MuSig key-combination protocol for 
the non-timelocked SAS output, but (of course) not the signing protocol which 
is inherently Schnorr.

Then knowledge of both of the original private keys is enough to derive the 
single combined private key.

> Of course the other output will still have to be a 2-of-2, for which you 
> rightly note 2p-ECDSA could be considered. It may also be interesting to 
> combine a swap with the opening of a Lightning channel. E.g. Alice and Bob 
> want to open a channel with 1 BTC each, but Alice funds it in her entirety 
> with 2 BTC, and Bob gives 1 BTC to Alice in a swap. This makes it difficult 
> to tell Bob entered the Lightning Network, especially if the channel is 
> opened in a state that isn't perfectly balanced. And Alice will gain an 
> uncorrelated single key output.

Dual-funding could be done by a single-funding Lightning open followed by an 
onchain-to-offchain swap.
Though the onchain swap would have to be done, at least currently, with hashes.

> >=== PayJoin with CoinSwap ===
>
> While it's probably clear how to do it on the timelocked side of SAS, I 
> believe PayJoin can also be applied to the non-timelocked side. This does 
> require adding a transaction that undoes the PayJoin in case the swap gets 
> aborted, which means MuSig can't be used. Everything else stays the same: 
> only one tx if successful, and no timelock (= instant settlement). I can 
> explain it in detail, if it happens to catch your interest.

I am not in fact convinced that PayJoin-with-CoinSwap adds *that* much privacy.

These transactions:

 +---+  +---+
Alice ---|   |--|   |--- Bob
Alice ---|   |  |   |
  Bob ---|   |  +---+
 +---+

Are not really much different in coin ownership analysis from these:

 +---++---+
Alice ---|   ||   |--- Bob
Alice ---|   | +--|   |
 +---+ |  +---+
  Bob -+

The latter is possible due to private key handover, the intermediate output 
becomes owned solely by Bob and Bob can add many more inputs to that second 
transaction unilaterally for even greater confusion to chain analysis, 
basically private key handover gets us PayJoin for free.
It also removes the need for Bob to reveal additional UTXOs to Alice during the 
swap protocol; yes PoDLE mitigates the privacy probing attack that Alice can 
mount on Bob, but it is helpful to remember this is "only" a mitigation.

Now of course things are different if Alice is paying some exact amount to 
Carol, and Alice wants to dissociate her funds from the payment.
The difference is then:

 +---++---+
Alice ---|   ||   |--- Bob
Alice ---|   |--+ |   |
  Bob ---|   |  | +---+
 +---+  +- Alice Change

 +---++---+
  Bob ---|   ||   |--- Carol
 |   |--+ +---+
 +---+  |
+- Bob Change

Versus:

 +---++---+
Alice ---|   ||   |--- Bob
Alice ---|   | +--|   |
 +---+ |  +---+
  Bob -+

 +---++---+
  Bob ---|   ||   |--- Carol
 |   |--+ |   |--- Alice Change
 +---+  | +---+
+- Bob Change

In the above, with PayJoin on the first-layer transaction, the Alice Change is 
correlated with Alice and Bob inputs, whereas with the PayJoin on the second 
the Alice change is correlated with Bob inputs and Carol outputs.

But if Alice, using commodity CoinSwap wallets, always has a policy that all 
sends are via CoinSwap (a reasonable policy, similar to the policy in 
JoinMarket of ensuring that all spends out of the wallet are via CoinJoin), 
then the above two trees are not much different for Alice in practice.
The Alice Change will be swapped with some other maker anyway when it gets 
spent, so what it correlates with will not be much of a problem for Alice.
At the same time, with PayJoin on the second-layer transaction (possible due to 
private key turnover, which is an inherent part of the SAS protocol):

* Bob does not have to reveal any other coins it owns to Alice other than what 
it is directly 

Re: [bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-05-30 Thread Ruben Somsen via bitcoin-dev
Hey Chris,

Excellent write-up. I learned a few new things while reading this
(particularly how to overcome the heuristics for address reuse and address
types), so thank you for that.

I have a few thoughts about how what you wrote relates to Succinct Atomic
Swaps (SAS)[0]. Perhaps it's useful.

>For a much greater anonymity set we can use 2-party ECDSA to create 2-of-2
multisignature addresses that look the same as regular single-signature
addresses

This may perhaps be counter-intuitive, but SAS doesn't actually require
multisig for one of the two outputs, so a single key will suffice. ECDSA is
a signing algorithm that doesn't support single key multisig (at least not
without 2p-ECDSA), but notice how for the non-timelocked SAS output we
never actually have to sign anything together with the other party. We swap
one of the two keys, and the final owner will create a signature completely
on their own. No multisig required, which means we can simply use MuSig,
even today without Schnorr.

Of course the other output will still have to be a 2-of-2, for which you
rightly note 2p-ECDSA could be considered. It may also be interesting to
combine a swap with the opening of a Lightning channel. E.g. Alice and Bob
want to open a channel with 1 BTC each, but Alice funds it in her entirety
with 2 BTC, and Bob gives 1 BTC to Alice in a swap. This makes it difficult
to tell Bob entered the Lightning Network, especially if the channel is
opened in a state that isn't perfectly balanced. And Alice will gain an
uncorrelated single key output.

As a side note, we could use the same MuSig observation on 2-of-2 outputs
that need multisig by turning the script into (A & B) OR MuSig(A,B), which
would shave off quite a few bytes by allowing single sig spending once the
private key is handed over, but this would also make the output stick out
like a sore thumb... Only useful if privacy is not a concern.

>=== Multi-transaction CoinSwaps to avoid amount correlation ===

This can apply cleanly to SAS, and can even be done without passing on any
extra secrets by generating a sharedSecret (Diffie-Hellman key exchange).

Non-timelocked:
CoinSwap AddressB = aliceSecret + bobSecret
CoinSwap AddressC = aliceSecret + bobSecret + hash(sharedSecret,0)*G
CoinSwap AddressD  = aliceSecret + bobSecret + hash(sharedSecret,1)*G

The above is MuSig compatible (single key outputs), there are no timelocks
to worry about, and the addresses cannot be linked on-chain.

>they would still need to watch the chain and respond in case a
hash-time-locked contract transaction is broadcasted

Small detail, but it should be noted that this would require the atomic
swap to be set up in a specific way with relative timelocks.

>=== PayJoin with CoinSwap ===

While it's probably clear how to do it on the timelocked side of SAS, I
believe PayJoin can also be applied to the non-timelocked side. This does
require adding a transaction that undoes the PayJoin in case the swap gets
aborted, which means MuSig can't be used. Everything else stays the same:
only one tx if successful, and no timelock (= instant settlement). I can
explain it in detail, if it happens to catch your interest.

Cheers,
Ruben


[0]  Succinct Atomic Swaps (SAS)
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-May/017846.html

On Mon, May 25, 2020 at 3:21 PM Chris Belcher via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> === Abstract ===
>
> Imagine a future where a user Alice has bitcoins and wants to send them
> with maximal privacy, so she creates a special kind of transaction. For
> anyone looking at the blockchain her transaction appears completely
> normal with her coins seemingly going from address A to address B. But
> in reality her coins end up in address Z which is entirely unconnected
> to either A or B.
>
> Now imagine another user, Carol, who isn't too bothered by privacy and
> sends her bitcoin using a regular wallet which exists today. But because
> Carol's transaction looks exactly the same as Alice's, anybody analyzing
> the blockchain must now deal with the possibility that Carol's
> transaction actually sent her coins to a totally unconnected address. So
> Carol's privacy is improved even though she didn't change her behaviour,
> and perhaps had never even heard of this software.
>
> In a world where advertisers, social media and other companies want to
> collect all of Alice's and Carol's data, such privacy improvement would
> be incredibly valuable. And also the doubt added to every transaction
> would greatly boost the fungibility of bitcoin and so make it a better
> form of money.
>
> This undetectable privacy can be developed today by implementing
> CoinSwap, although by itself that isn't enough. There must be many
> building blocks which together make a good system. The software could be
> standalone as a kind of bitcoin mixing app, but it could also be a
> library that existing wallets can implement allowing their users to send
> Bitcoin 

[bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

2020-05-25 Thread Chris Belcher via bitcoin-dev
=== Abstract ===

Imagine a future where a user Alice has bitcoins and wants to send them
with maximal privacy, so she creates a special kind of transaction. For
anyone looking at the blockchain her transaction appears completely
normal with her coins seemingly going from address A to address B. But
in reality her coins end up in address Z which is entirely unconnected
to either A or B.

Now imagine another user, Carol, who isn't too bothered by privacy and
sends her bitcoin using a regular wallet which exists today. But because
Carol's transaction looks exactly the same as Alice's, anybody analyzing
the blockchain must now deal with the possibility that Carol's
transaction actually sent her coins to a totally unconnected address. So
Carol's privacy is improved even though she didn't change her behaviour,
and perhaps had never even heard of this software.

In a world where advertisers, social media and other companies want to
collect all of Alice's and Carol's data, such privacy improvement would
be incredibly valuable. And also the doubt added to every transaction
would greatly boost the fungibility of bitcoin and so make it a better
form of money.

This undetectable privacy can be developed today by implementing
CoinSwap, although by itself that isn't enough. There must be many
building blocks which together make a good system. The software could be
standalone as a kind of bitcoin mixing app, but it could also be a
library that existing wallets can implement allowing their users to send
Bitcoin transactions with much greater privacy.

== CoinSwap ==

Like CoinJoin, CoinSwap was invented in 2013 by Greg Maxwell[1]. Unlike
CoinJoin it is relatively complicated to implement and so far has not
been deployed. But the idea holds great promise, and fixes many of the
problems of some kinds of CoinJoins. CoinSwap is the next step for
on-chain bitcoin privacy.

CoinSwap is a way of trading one coin for another coin in a
non-custodial way. It is closely related to the idea of an atomic swap.
Alice and Bob can trade coins with each other by first sending to a
CoinSwap address and having those coins then sent to Bob:

Alice's Address 1 > CoinSwap Address 1 > Bob's Address 1

An entirely separate set of transactions gives Bob's coins to Alice in
return:

Bob's Address 2 > CoinSwap Address 2 > Alice's Address 2

Where the symbol > is a bitcoin transaction.

Privacy is improved because an observer of the blockchain cannot link
Alice's Address 1 to Alice's Address 2, as there is no transaction
between them. Alice's Address 2 could either be an address in Alice's
wallet, or the address of someone else she wants to transfer money to.
CoinSwap therefore breaks the transaction graph heuristic, which is the
assumption that if a transaction A -> B is seen then the ownership of
funds actually went from A to B.

CoinSwap doesnt break any of bitcoin's assumptions or features like an
auditable supply or pruning. It can be built on today's bitcoin without
any new soft forks.

CoinSwap can't improve privacy much on its own, so it requires other
building block to create a truly private system.

=== ECDSA-2P ===

The original CoinSwap idea uses 2-of-2 multisig. We can get a slightly
bigger anonymity set by using 2-of-3 multisigs with a fake third public
key. For a much greater anonymity set we can use 2-party ECDSA to create
2-of-2 multisignature addresses that look the same as regular
single-signature addresses[2]. Even the old-style p2pkh addresses
starting with 1 can be CoinSwap addresses.

Because the transactions blend in with the rest of bitcoin, an
application based on CoinSwap would provide much more privacy than the
existing equal-output coinjoin apps (JoinMarket, Wasabi Wallet and
Samourai Wallet's Whirlpool). CoinSwaps would also be cheaper for the
same amount of privacy, as CoinJoin users usually create multiple
CoinJoins to get effective privacy, for example JoinMarket's tumbler
script does between 7-12 coinjoins (which are bigger than regular
transactions too) when run with default parameters.

Schnorr signatures with Musig provide a much easier way to create
invisible 2-of-2 multisig, but it is not as suitable for CoinSwap. This
is because the anonymity set for ECDSA would be much greater. All
addresses today are ECDSA, and none are schnorr. We'd have to wait for
schnorr to be added to bitcoin and then wait for users to adopt it. We
see with segwit that even after nearly 3 years that segwit adoption is
only about 60%, and segwit actually has a sizeable financial incentive
for adoption via lower fees. Schnorr when used for single-sig doesn't
have such an incentive, as Schnorr single-sig costs the same size as
today's p2wpkh, so we can expect adoption to be even slower. (Of course
there is an incentive for multisig transactions, but most transactions
are single-sig). As schnorr adoption increases this CoinSwap system
could start to use it, but for a long time I suspect it will mostly be
using