Re: [bitcoin-dev] BIP clearing house addresses

2016-08-08 Thread Matthew Roberts via bitcoin-dev 
Not everyone who uses centralized exchanges are there to obtain the
currency though. A large portion are speculators who need to be able to
enter and exit complex positions in milliseconds and don't care about
decentralization, security, and often even the asset that they're buying.

Try telling everyone who currently uses Btc-e to go do their margin trading
over lightning channels, for example. They're not going to want to do that
because these exchanges are already meeting their needs perfectly well, and
like I argued before -- it would be very hard to do that as efficiently
with any other design (there are major drawbacks for traders with a
decentralized exchange.)

Like it or not, these exchanges play an integral role in the current
Bitcoin eco-system since they allow us to most efficiently discover price
and help improve liquidity. A decentralized exchange isn't going to stop
any more centralized exchanges from being hacked even if they are more
secure simply because traders don't want to use them.

(Sorry for the duplicate message Erik, I haven't used many mailing lists
before. I think I have the hang of it now though :) )

On Mon, Aug 8, 2016 at 8:59 AM, Erik Aronesty  wrote:

> I still feel like you're better off getting rid of "hot wallets" and use
> lightning-esqe networks to route orders.  I don't think either speed or
> flexibility is an issue there.
>
> IMO, the point of Bitcoin is to avoid the centralization that seems to be
> happening on the network now.   By making "hot wallets" more "secure", we
> encourage things to keep heading downhill with massive centralized
> crappy-security exchanges.
>
> Because, ultimately, there's no security that will prevent an inside
> job.   And all of these thefts have, in my opinion, been at least partly
> inside jobs.
>
> And centralization is the actually demon that needs slaying here.
>
> A client-side library with P2P order routing, tether.to + bitcoin 
> and you've got a decentralized exchange... with orders matched to users
> directly, and channel-trades executed instantly.   And "market makers"
> running nodes to facilitate routing, etc.
>
> No center... nothing to shut down or sue... and no one holds your funds.
> That's a real Bitcoin exchange.
>
>
>
> On Sun, Aug 7, 2016 at 1:35 AM, Matthew Roberts via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> I'm wondering if we're fully on the same page here. What I was thinking
>> was that this protection mechanism would be applied to the coins in the hot
>> wallet (I wasn't talking about moving coins from the cold wallet to the hot
>> wallet -- though such a mechanism is also needed.)
>>
>> With the hot wallet you would have an output script that only allowed
>> coins to be sent to a new transaction whose output script was then only
>> redeemable after N confirmations (the output is relative time-locked) but
>> which can also be recovered to a fixed fail-safe address before the
>> time-lock is reached (exactly like TierNolan already listed only the
>> time-locked destination shouldn't be completely fixed.) So the private key
>> for this hot wallet can still sign valid transactions to withdraw coins to
>> any known destination and these transactions still reach the blockchain.
>>
>> The key difference from a regular transaction is that the destination
>> only has access to the coins -after- the relative time-lock is reached (N
>> blocks after first confirm) so everyone knows where withdrawals are suppose
>> to be going and how many coins are being withdrawn at any given time.
>> Deposits to the hot wallet would therefore need to be encumbered by the
>> same protection so that from then on this time-lock to redeem coins can be
>> applied to every new transaction trying to move coins (withdrawn by a user
>> of the exchange or sent to the cold wallet.)
>>
>> Notice we don't care about the destination in the TX script for the hot
>> wallet because to process user's withdrawals we can't know ahead of time
>> where they need to be sent (so it isn't possible to use a fixed address
>> here – though you might want to remove the clearing phase and set a fixed
>> address for coins sent from the hot wallet to the cold wallet.) The benefit
>> here comes from being able to see what withdrawals are being cleared,
>> matching those up to our expectations, and being able to "cancel"
>> withdrawals if they look suspicious, and you get the benefits for transfers
>> made from the hot wallet to the cold wallet and visa-versa.
>>
>>
>> This approach is good for a number of crucial services:
>>
>> 1. Wallets could be built that grouped coins into different "accounts"
>> with different time-frames required for clearing / unlocking coins. Your
>> savings or investment account would say -- take up to a week to clear --
>> whereas your everyday account used for smaller purchases (with less money)
>> would only take a few hours. This could all be linked up to services that
>> notified you of

Re: [bitcoin-dev] BIP clearing house addresses

2016-08-08 Thread Tier Nolan via bitcoin-dev 
With channels and the exchange acting as hub, you can do instant trades
between altcoins.

This doesn't work with fiat accounts.  A "100% reserve" company could issue
fiat tokens.  The exchange could then trade those tokens.

This eliminates the counter-party risk for the exchange.  If the exchange
dies, you still have your (alt)coins and also fiat tokens.

There is still risk that the token company could go bankrupt though.  This
could be mitigated by that company requiring only "cashing out" tokens to
accounts which have been verified.

The company could set up a blockchain where it signed the blocks rather
than mining and could get money from transaction fees and also minting fees
(say it charges 1% for minting new tokens)

I wonder what how the law would work for that.  It isn't actually doing
trading, it is just issuing tokens and redeeming them.
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] BIP clearing house addresses

2016-08-08 Thread Erik Aronesty via bitcoin-dev 
I'm not convinced you need to hold people's funds to provide those
features. Maybe the millisecond thing.   But 99 out of 100 traders would
accept a 100 millisecond latency in exchange for 0 counterparty risk.
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] BIP clearing house addresses

2016-08-08 Thread Tier Nolan via bitcoin-dev 
On Mon, Aug 8, 2016 at 1:48 AM, Matthew Roberts  wrote:

> Not everyone who uses centralized exchanges are there to obtain the
> currency though. A large portion are speculators who need to be able to
> enter and exit complex positions in milliseconds and don't care about
> decentralization, security, and often even the asset that they're buying.
>

Centralized exchanges also allow for things like limit orders.  You don't
even have to be logged in and they can execute trades.  This couldn't be
done with channels.

> Try telling everyone who currently uses Btc-e to go do their margin
> trading over lightning channels, for example.
>

Using channels and a centralized exchange gets many of the benefits of a
distributed exchange.

The channel allows instant funding while allowing the customer to have full
control over the funds.  The customer could fund the channel and then move
money to the exchange when needed.

Even margin account holders might like the fact that it is clear which
funds are under their direct control and which funds are held by the
exchange.

If they are using bitcoin funds as collateral for a margin trade, then
inherently the exchange has to have control over those funds.  A 2 of 3
system where the customer, exchange and a 3rd party arbitration agency
holds keys might be acceptable to the exchange.
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] BIP clearing house addresses

2016-08-07 Thread Erik Aronesty via bitcoin-dev 
I still feel like you're better off getting rid of "hot wallets" and use
lightning-esqe networks to route orders.  I don't think either speed or
flexibility is an issue there.

IMO, the point of Bitcoin is to avoid the centralization that seems to be
happening on the network now.   By making "hot wallets" more "secure", we
encourage things to keep heading downhill with massive centralized
crappy-security exchanges.

Because, ultimately, there's no security that will prevent an inside job.
And all of these thefts have, in my opinion, been at least partly inside
jobs.

And centralization is the actually demon that needs slaying here.

A client-side library with P2P order routing, tether.to + bitcoin   and
you've got a decentralized exchange... with orders matched to users
directly, and channel-trades executed instantly.   And "market makers"
running nodes to facilitate routing, etc.

No center... nothing to shut down or sue... and no one holds your funds.
That's a real Bitcoin exchange.



On Sun, Aug 7, 2016 at 1:35 AM, Matthew Roberts via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> I'm wondering if we're fully on the same page here. What I was thinking
> was that this protection mechanism would be applied to the coins in the hot
> wallet (I wasn't talking about moving coins from the cold wallet to the hot
> wallet -- though such a mechanism is also needed.)
>
> With the hot wallet you would have an output script that only allowed
> coins to be sent to a new transaction whose output script was then only
> redeemable after N confirmations (the output is relative time-locked) but
> which can also be recovered to a fixed fail-safe address before the
> time-lock is reached (exactly like TierNolan already listed only the
> time-locked destination shouldn't be completely fixed.) So the private key
> for this hot wallet can still sign valid transactions to withdraw coins to
> any known destination and these transactions still reach the blockchain.
>
> The key difference from a regular transaction is that the destination only
> has access to the coins -after- the relative time-lock is reached (N blocks
> after first confirm) so everyone knows where withdrawals are suppose to be
> going and how many coins are being withdrawn at any given time. Deposits to
> the hot wallet would therefore need to be encumbered by the same protection
> so that from then on this time-lock to redeem coins can be applied to every
> new transaction trying to move coins (withdrawn by a user of the exchange
> or sent to the cold wallet.)
>
> Notice we don't care about the destination in the TX script for the hot
> wallet because to process user's withdrawals we can't know ahead of time
> where they need to be sent (so it isn't possible to use a fixed address
> here – though you might want to remove the clearing phase and set a fixed
> address for coins sent from the hot wallet to the cold wallet.) The benefit
> here comes from being able to see what withdrawals are being cleared,
> matching those up to our expectations, and being able to "cancel"
> withdrawals if they look suspicious, and you get the benefits for transfers
> made from the hot wallet to the cold wallet and visa-versa.
>
>
> This approach is good for a number of crucial services:
>
> 1. Wallets could be built that grouped coins into different "accounts"
> with different time-frames required for clearing / unlocking coins. Your
> savings or investment account would say -- take up to a week to clear --
> whereas your everyday account used for smaller purchases (with less money)
> would only take a few hours. This could all be linked up to services that
> notified you of your money being moved + made any phone calls needed to
> verify any larger transfers.
>
> The service could also be entrusted with the “cancellation” key which can
> only be used to move money to your offline fail-safe address. This would be
> quite an interesting way to mitigate fraud without the user having to be
> trusted to do anything (except I suppose – not storing their recovery keys
> online … but this could be partially solved with BIP 32-style “master”
> public keys + hardware wallets + multi-sig, N factor auth, etc ...)
>
> 2. Gambling websites that process a lot of Bitcoins also have a hot wallet
> which could be better protected by this.
>
> 3. Various other e-commerce websites also accept Bitcoins directly. (Deep
> web markets come to mind -- hey, people breaking the law need good security
> too.)
>
> 4. Provable dead man's switches on the protocol level is another idea --
> no need to keep special time-locked transactions around and rely on them to
> be broadcast = more reliable escrow services.
>
> 5. And obviously exchange hot (and cold) wallets - enemy number 1.
>
> I hope that makes sense. I think I initially managed to confuse a lot of
> people by talking about revoking transactions / “settlement layers”, etc.
> But IMO: all of this needs to take place on the

Re: [bitcoin-dev] BIP clearing house addresses

2016-08-06 Thread Matthew Roberts via bitcoin-dev 
I'm wondering if we're fully on the same page here. What I was thinking was
that this protection mechanism would be applied to the coins in the hot
wallet (I wasn't talking about moving coins from the cold wallet to the hot
wallet -- though such a mechanism is also needed.)

With the hot wallet you would have an output script that only allowed coins
to be sent to a new transaction whose output script was then only
redeemable after N confirmations (the output is relative time-locked) but
which can also be recovered to a fixed fail-safe address before the
time-lock is reached (exactly like TierNolan already listed only the
time-locked destination shouldn't be completely fixed.) So the private key
for this hot wallet can still sign valid transactions to withdraw coins to
any known destination and these transactions still reach the blockchain.

The key difference from a regular transaction is that the destination only
has access to the coins -after- the relative time-lock is reached (N blocks
after first confirm) so everyone knows where withdrawals are suppose to be
going and how many coins are being withdrawn at any given time. Deposits to
the hot wallet would therefore need to be encumbered by the same protection
so that from then on this time-lock to redeem coins can be applied to every
new transaction trying to move coins (withdrawn by a user of the exchange
or sent to the cold wallet.)

Notice we don't care about the destination in the TX script for the hot
wallet because to process user's withdrawals we can't know ahead of time
where they need to be sent (so it isn't possible to use a fixed address
here – though you might want to remove the clearing phase and set a fixed
address for coins sent from the hot wallet to the cold wallet.) The benefit
here comes from being able to see what withdrawals are being cleared,
matching those up to our expectations, and being able to "cancel"
withdrawals if they look suspicious, and you get the benefits for transfers
made from the hot wallet to the cold wallet and visa-versa.


This approach is good for a number of crucial services:

1. Wallets could be built that grouped coins into different "accounts" with
different time-frames required for clearing / unlocking coins. Your savings
or investment account would say -- take up to a week to clear -- whereas
your everyday account used for smaller purchases (with less money) would
only take a few hours. This could all be linked up to services that
notified you of your money being moved + made any phone calls needed to
verify any larger transfers.

The service could also be entrusted with the “cancellation” key which can
only be used to move money to your offline fail-safe address. This would be
quite an interesting way to mitigate fraud without the user having to be
trusted to do anything (except I suppose – not storing their recovery keys
online … but this could be partially solved with BIP 32-style “master”
public keys + hardware wallets + multi-sig, N factor auth, etc ...)

2. Gambling websites that process a lot of Bitcoins also have a hot wallet
which could be better protected by this.

3. Various other e-commerce websites also accept Bitcoins directly. (Deep
web markets come to mind -- hey, people breaking the law need good security
too.)

4. Provable dead man's switches on the protocol level is another idea -- no
need to keep special time-locked transactions around and rely on them to be
broadcast = more reliable escrow services.

5. And obviously exchange hot (and cold) wallets - enemy number 1.

I hope that makes sense. I think I initially managed to confuse a lot of
people by talking about revoking transactions / “settlement layers”, etc.
But IMO: all of this needs to take place on the blockchain with a new set
of OP_CODES and other than the fixed address issue with OP_SPENDTO, I think
the general idea would still work.


tl; dr, A pseudo-reversal mechanism for transactions would mean that stolen
private keys were no longer such an issue. This is desperately needed for
exchanges, wallets, and other services that are forced to manage private
keys, and whose users (I argue) already expect for this to be possible (or
at least will when they're hacked.)




On Sat, Aug 6, 2016 at 9:13 PM, Tier Nolan via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Sat, Aug 6, 2016 at 11:39 AM, s7r via bitcoin-dev  linuxfoundation.org> wrote:
>
>> * reversal of transactions is impossible
>>
>
> I think it would be more accurate to say that the requirement is that
> reversal doesn't happen unexpectedly.
>
> If it is clear in the script that reversal is possible, then obviously the
> recipient can take that into consideration.
>
>
>> * keep private keys private and safe. Lose them, it's like losing cash,
>> you can just forget about it.
>>
>
> Key management is a thing.  Managing risk by keeping some keys offline is
> an important part of that.
>
>
>> * while we try hard to make 0-conf as safe

Re: [bitcoin-dev] BIP clearing house addresses

2016-08-04 Thread Erik Aronesty via bitcoin-dev 
https://www.reddit.com/r/Bitcoin/comments/4w016b/use_of_payment_channels_to_mitigate_exchange_risk/

On Thu, Aug 4, 2016 at 12:53 AM, Matthew Roberts via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> >This is already possible. Just nLockTime your withdrawls for some future
> block. Don't sign any transaction that isn't nLockTime'd at least N blocks
> beyond the present tip.
>
> The problem with nLockTimed transactions is a centralized exchange isn't
> going to know ahead of time where those locked transactions need to go or
> the amount that needs to be signed so you will end up having to keep the
> private key around. If there was a way to create these transactions offline
> with special SIG_HASH flags (and I don't think there is) there's nothing
> about nLockTime that forces that the transactions be broadcast straight
> away and plus: since the TXs aren't confirmed until the lock-time expires
> they can be overwritten anyway.
>
> I think given the requirements that a centralized exchange has:
> TierNolan's idea is the best so far. Essentially, you have a new type of
> output script that forces the redeemer to use a designated output script
> template in the redeeming transaction, meaning that you can actually force
> people to send coins into another transaction with "relative lock-timed"
> outputs. The new transaction can then only be redeemed at the destination
> after the relative lock-time expires OR it can be moved before-hand to a
> designated off-line recovery address. This is much better than creating a
> new transaction system, IMO.
>
> >And the refund TXN would need to be able to go to a new address entirely.
>
> Agreed.
>
> On Thu, Aug 4, 2016 at 1:49 PM, Andrew Johnson  > wrote:
>
>> "This is already possible. Just nLockTime your withdrawls for some future
>> block. Don't sign any transaction that isn't nLockTime'd at least N blocks
>> beyond the present tip."
>>
>> This would have prevented the Bitfinex hack if BitGo did this, but it
>> wouldn't have helped if the Bitfinex offline key had been compromised
>> instead of BitGo doing the 2nd sig.  In the BFX hack the TXNs were signed
>> by Bitfinex's hot key and BitGo's key, they required 2 of 2.
>>
>> If I'm understanding correctly, what Matthew is proposing is a new type
>> of UTXO that is only valid to be spent as an nLockTime transaction and can
>> be reversed by some sort of RBF-type transaction within that time period, I
>> believe.
>>
>> But I don't think this will work. What do you do if the keys are
>> compromised?  What's to stop the attacker from locking the coins up
>> indefinitely by repeatedly broadcasting a refund transaction each time you
>> try to spend to an uncompromised address?
>>
>> You'd need a third distinct key required for the refund TXN that's
>> separate from the keys used to sign the initial nLockTime TXN.  And the
>> refund TXN would need to be able to go to a new address entirely.
>>
>> On Aug 3, 2016 11:28 PM, "Luke Dashjr via bitcoin-dev" <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> On Wednesday, August 03, 2016 6:16:20 PM Matthew Roberts via bitcoin-dev
>>> wrote:
>>> > In light of the recent hack: what does everyone think of the idea of
>>> > creating a new address type that has a reversal key and settlement
>>> layer
>>> > that can be used to revoke transactions?
>>>
>>> This isn't something that makes sense at the address, since it
>>> represents the
>>> recipient and not the sender. Transactions are not sent from addresses
>>> ever.
>>>
>>> > You could specify so that transactions "sent" from these addresses must
>>> > receive N confirmations before they can't be revoked, after which the
>>> > transaction is "settled" and the coins become redeemable from their
>>> > destination output. A settlement phase would also mean that a
>>> transaction's
>>> > progress was publicly visible so transparent fraud prevention and
>>> auditing
>>> > would become possible by anyone.
>>>
>>> This is already possible. Just nLockTime your withdrawls for some future
>>> block. Don't sign any transaction that isn't nLockTime'd at least N
>>> blocks
>>> beyond the present tip.
>>>
>>> Luke
>>> ___
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>
>
> ___
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] BIP clearing house addresses

2016-08-04 Thread Andrew Johnson via bitcoin-dev 
"This is already possible. Just nLockTime your withdrawls for some future
block. Don't sign any transaction that isn't nLockTime'd at least N blocks
beyond the present tip."

This would have prevented the Bitfinex hack if BitGo did this, but it
wouldn't have helped if the Bitfinex offline key had been compromised
instead of BitGo doing the 2nd sig.  In the BFX hack the TXNs were signed
by Bitfinex's hot key and BitGo's key, they required 2 of 2.

If I'm understanding correctly, what Matthew is proposing is a new type of
UTXO that is only valid to be spent as an nLockTime transaction and can be
reversed by some sort of RBF-type transaction within that time period, I
believe.

But I don't think this will work. What do you do if the keys are
compromised?  What's to stop the attacker from locking the coins up
indefinitely by repeatedly broadcasting a refund transaction each time you
try to spend to an uncompromised address?

You'd need a third distinct key required for the refund TXN that's separate
from the keys used to sign the initial nLockTime TXN.  And the refund TXN
would need to be able to go to a new address entirely.

On Aug 3, 2016 11:28 PM, "Luke Dashjr via bitcoin-dev" <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Wednesday, August 03, 2016 6:16:20 PM Matthew Roberts via bitcoin-dev
> wrote:
> > In light of the recent hack: what does everyone think of the idea of
> > creating a new address type that has a reversal key and settlement layer
> > that can be used to revoke transactions?
>
> This isn't something that makes sense at the address, since it represents
> the
> recipient and not the sender. Transactions are not sent from addresses
> ever.
>
> > You could specify so that transactions "sent" from these addresses must
> > receive N confirmations before they can't be revoked, after which the
> > transaction is "settled" and the coins become redeemable from their
> > destination output. A settlement phase would also mean that a
> transaction's
> > progress was publicly visible so transparent fraud prevention and
> auditing
> > would become possible by anyone.
>
> This is already possible. Just nLockTime your withdrawls for some future
> block. Don't sign any transaction that isn't nLockTime'd at least N blocks
> beyond the present tip.
>
> Luke
> ___
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] BIP clearing house addresses

2016-08-04 Thread Matthew Roberts via bitcoin-dev 
>This is already possible. Just nLockTime your withdrawls for some future
block. Don't sign any transaction that isn't nLockTime'd at least N blocks
beyond the present tip.

The problem with nLockTimed transactions is a centralized exchange isn't
going to know ahead of time where those locked transactions need to go or
the amount that needs to be signed so you will end up having to keep the
private key around. If there was a way to create these transactions offline
with special SIG_HASH flags (and I don't think there is) there's nothing
about nLockTime that forces that the transactions be broadcast straight
away and plus: since the TXs aren't confirmed until the lock-time expires
they can be overwritten anyway.

I think given the requirements that a centralized exchange has: TierNolan's
idea is the best so far. Essentially, you have a new type of output script
that forces the redeemer to use a designated output script template in the
redeeming transaction, meaning that you can actually force people to send
coins into another transaction with "relative lock-timed" outputs. The new
transaction can then only be redeemed at the destination after the relative
lock-time expires OR it can be moved before-hand to a designated off-line
recovery address. This is much better than creating a new transaction
system, IMO.

>And the refund TXN would need to be able to go to a new address entirely.

Agreed.

On Thu, Aug 4, 2016 at 1:49 PM, Andrew Johnson 
wrote:

> "This is already possible. Just nLockTime your withdrawls for some future
> block. Don't sign any transaction that isn't nLockTime'd at least N blocks
> beyond the present tip."
>
> This would have prevented the Bitfinex hack if BitGo did this, but it
> wouldn't have helped if the Bitfinex offline key had been compromised
> instead of BitGo doing the 2nd sig.  In the BFX hack the TXNs were signed
> by Bitfinex's hot key and BitGo's key, they required 2 of 2.
>
> If I'm understanding correctly, what Matthew is proposing is a new type of
> UTXO that is only valid to be spent as an nLockTime transaction and can be
> reversed by some sort of RBF-type transaction within that time period, I
> believe.
>
> But I don't think this will work. What do you do if the keys are
> compromised?  What's to stop the attacker from locking the coins up
> indefinitely by repeatedly broadcasting a refund transaction each time you
> try to spend to an uncompromised address?
>
> You'd need a third distinct key required for the refund TXN that's
> separate from the keys used to sign the initial nLockTime TXN.  And the
> refund TXN would need to be able to go to a new address entirely.
>
> On Aug 3, 2016 11:28 PM, "Luke Dashjr via bitcoin-dev" <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> On Wednesday, August 03, 2016 6:16:20 PM Matthew Roberts via bitcoin-dev
>> wrote:
>> > In light of the recent hack: what does everyone think of the idea of
>> > creating a new address type that has a reversal key and settlement layer
>> > that can be used to revoke transactions?
>>
>> This isn't something that makes sense at the address, since it represents
>> the
>> recipient and not the sender. Transactions are not sent from addresses
>> ever.
>>
>> > You could specify so that transactions "sent" from these addresses must
>> > receive N confirmations before they can't be revoked, after which the
>> > transaction is "settled" and the coins become redeemable from their
>> > destination output. A settlement phase would also mean that a
>> transaction's
>> > progress was publicly visible so transparent fraud prevention and
>> auditing
>> > would become possible by anyone.
>>
>> This is already possible. Just nLockTime your withdrawls for some future
>> block. Don't sign any transaction that isn't nLockTime'd at least N blocks
>> beyond the present tip.
>>
>> Luke
>> ___
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] BIP clearing house addresses

2016-08-04 Thread Matthew Roberts via bitcoin-dev 
This would honestly work. It forces the attacker to go through with the
clearing phase which simultaneously makes it possible to "cancel" the TX
through another logic branch before the timeout occurs. I'd say that would
meet the needs of a clearing mechanism / fraud prevention system for an
exchange perfectly while requiring minimal changes to the software.

Very, very smart idea. A++, would read again.

On Thu, Aug 4, 2016 at 9:55 AM, Tier Nolan via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Wed, Aug 3, 2016 at 7:16 PM, Matthew Roberts via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> The reason why I bring this up is existing OP codes and TX types don't
>> seem suitable for a secure clearing mechanism;
>>
>
> I think reversing transactions is not likely to be acceptable.  You could
> add an opcode that requires that an output be set to something.
>
> [target script] SPENDTO
>
> This would require that [target script] is the script for the
> corresponding output.  This is a purely local check.
>
> For example, if SPENDTO executes as part of the script for input 3, then
> it checks that output 3 uses the given script as its scriptPubKey.  The
> value of input 3 and output 3 would have to be the same too.
>
> This allows check sequence verify to be used to lock the spending script
> for a while.  This doesn't allow reversal, but would give a 24 hour window
> where the spenders can reverse the transaction.
>
> [IF <1 day> CSV DROP  CHECKSIG ELSE  key> CHECKSIG] SPENDTO  CHECKSIG
>
> Someone with the live public key can create a transaction that spends the
> funds to the script in the square brackets.
>
> Once that transaction hits the blockchain, then someone with the  protected key> has 24 hours to spend the output before the person with the
> live keys can send the funds onward.
>
> ___
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] BIP clearing house addresses

2016-08-03 Thread Luke Dashjr via bitcoin-dev 
On Wednesday, August 03, 2016 6:16:20 PM Matthew Roberts via bitcoin-dev 
wrote:
> In light of the recent hack: what does everyone think of the idea of
> creating a new address type that has a reversal key and settlement layer
> that can be used to revoke transactions?

This isn't something that makes sense at the address, since it represents the 
recipient and not the sender. Transactions are not sent from addresses ever.

> You could specify so that transactions "sent" from these addresses must
> receive N confirmations before they can't be revoked, after which the
> transaction is "settled" and the coins become redeemable from their
> destination output. A settlement phase would also mean that a transaction's
> progress was publicly visible so transparent fraud prevention and auditing
> would become possible by anyone.

This is already possible. Just nLockTime your withdrawls for some future 
block. Don't sign any transaction that isn't nLockTime'd at least N blocks 
beyond the present tip.

Luke
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] BIP clearing house addresses

2016-08-03 Thread Tier Nolan via bitcoin-dev 
On Wed, Aug 3, 2016 at 7:16 PM, Matthew Roberts via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> The reason why I bring this up is existing OP codes and TX types don't
> seem suitable for a secure clearing mechanism;
>

I think reversing transactions is not likely to be acceptable.  You could
add an opcode that requires that an output be set to something.

[target script] SPENDTO

This would require that [target script] is the script for the corresponding
output.  This is a purely local check.

For example, if SPENDTO executes as part of the script for input 3, then it
checks that output 3 uses the given script as its scriptPubKey.  The value
of input 3 and output 3 would have to be the same too.

This allows check sequence verify to be used to lock the spending script
for a while.  This doesn't allow reversal, but would give a 24 hour window
where the spenders can reverse the transaction.

[IF <1 day> CSV DROP  CHECKSIG ELSE  CHECKSIG] SPENDTO  CHECKSIG

Someone with the live public key can create a transaction that spends the
funds to the script in the square brackets.

Once that transaction hits the blockchain, then someone with the  has 24 hours to spend the output before the person with the
live keys can send the funds onward.
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev