Date: Sat, 04 Apr 2020 12:07:28 +0000
To: Nadav Kohen <nadav@suredbits.com>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Reply-To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <fTTGFnQW00u5V8SFA29RIMEsAPMS6MojiCdFDCXVHGCE5GRp31ilw5xXeuMoZVREDCWvm-N_KFvPvPZ1qfgnCE6hUT8O1Lh6FZIYzrmuOGM=@protonmail.com>
In-Reply-To: <CALGTLwOu+R6ZmzYb4ESc9kjgrpspmmdWogF_Z=msQB8dTqD0xQ@mail.gmail.com>
References: <CAJvkSseW9OZ50yQiS7e0zt9tQt4v9aoikgGs_54_kMN-ORkQgw@mail.gmail.com>
 <20200331103508.asvxujkhtifj6n7i@ganymede>
 <CAJvkSsfWoTTUOUYjQDrP-xrwB8FwAGUaDKSrYX3=-+wAE3yDLA@mail.gmail.com>
 <CAJvkSseMqFUJD7rj1AAZPMy0Hf6tufkvrHFgzsViPEirWMWx_A@mail.gmail.com>
 <CALGTLwOu+R6ZmzYb4ESc9kjgrpspmmdWogF_Z=msQB8dTqD0xQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: Tom Trevethan <tom@commerceblock.com>
Subject: Re: [bitcoin-dev] Statechain implementations
Precedence: list

Good morning Nadav,

Indeed.

It seems to me that practical deployments of statechains requires the state=
chain operator to be a trusted federation, possibly a k-of-n.
This is slightly better than a federated sidechain because the money can al=
ways be reclaimed on the blockchain layer very quickly in case of a loss of=
 trust in the federation.
If the k-of-n is arranged in such a way that the signers can be identified =
(such as by use of old `OP_CHECKMULTISIG` or some combination of the propos=
ed `OP_CHECKSIGADD`) then it has the same "auditability", i.e. you can iden=
tify the pseudonyms of the members who cheated (which is not worth much, as=
 getting a new pseudonym is trivial).

It is helpful to remember that a k-of-n federation can only be trusted if y=
ou have full trust in at least (n - k + 1) members of the federation.

Regards,
ZmnSCPxj

> Hey all,
>
> So my main concern with the proposal as written is that the Statechain En=
tity (SE) can untraceably=C2=A0scam its users with the following attack:
> 1) Buy the utxo (have it transferred to a key it knows), this first step =
can be skipped if the utxo was created by the SE.
> 2) Transfer the UTXO to someone else, let it be for however long
> 3) When it wishes to steal the UTXO, the SE now knows its own shard s_n a=
nd it=C2=A0 knows the full private key, x, from when it owned the UTXO (and=
 had both shards), and so it can compute x/s_n =3D the current users shard.=
 It can then sign for the current user, and forge a state transition to a k=
ey it owns before spending the UTXO on chain.
>
> The main problem here is that the user who had their funds stolen cannot =
prove to anyone that this has happened since the attack compromises their k=
ey.
> That said, I think this problem is easily fixed by adding a new user key =
to the protocol with which they must sign in order for the transfer to be c=
onsidered valid on the state chain. This way, if the SE wishes to steal the=
 funds (which they still can), at least it is traceable/provable that this =
SE is not trustworthy as there is no evidence of a valid transfer for the f=
unds that have been stolen.
>
> Best,
> Nadav
>
> On Thu, Apr 2, 2020 at 7:22 PM Tom Trevethan via bitcoin-dev <bitcoin-dev=
@lists.linuxfoundation.org> wrote:
>
> > Thanks for all of the input and comments - I do now think that the decr=
ementing nSequence relative locktime backup system with kick-off transactio=
n is the way to go, including a fee penalty via CPFP to disincentivise=
=C2=A0DoS, as suggested.=C2=A0
> > I have started a more detailed document specifying the proposed protoco=
l in more detail:=C2=A0https://github.com/commerceblock/mercury/blob/master=
/statechains.md=C2=A0which includes improvements to the transfer=C2=A0mecha=
nism (and an explanation of how this can be used to transfer/novate positio=
ns in DLCs). Always happy to get more feedback or PRs.=C2=A0
> >
> > Tom
> >
> > On Tue, Mar 31, 2020 at 12:41 PM Tom Trevethan <tom@commerceblock.com> =
wrote:
> >
> > > Hi David,
> > >
> > > Just for clarity, I left nChain over 2 years ago (having worked there=
 since 2016). While there, I (along with other researchers) were given free=
 rein to work on any ideas we wanted to. I had been interested in the scali=
ng of Bitcoin off-chain, and this was one of several things I spent time on=
 (including things like sidechains,=C2=A0pegs and threshold signatures). Th=
is patent application came out of an idea I had to transfer ownership of UT=
XOs off-chain that has some similarities to the statechains proposal, which=
 has shown there is interest and demand for this type of system.=C2=A0
> > >
> > > Although I think the existence of this application is something to be=
 mindful of, there are several important things to note:
> > >
> > > 1. Although there are similarities, the current ideas are significant=
ly different to those in the application.=C2=A0
> > > 2. The key transfer protocol as described in the application is not s=
ecure (for several reasons, including as discussed above, by Albert and Bob=
 etc.) - and a different mechanism is required.=C2=A0
> > > 3. Decrementing timelocks (as suggested in the application) are prior=
 art (Decker-Wattenhofer 2015), and in any case any implementation will mos=
t likely use an 'invalidation tree' relative locktime backup mechanism for =
open-ended UTXOs.=C2=A0
> > > 4. The patent application has not been granted (it was made in May 20=
17) and the international search report rejected it on the grounds of prior=
 art.=C2=A0
> > >
> > > Tom
> > >
> > > On Tue, Mar 31, 2020 at 11:36 AM David A. Harding <dave@dtrt.org> wro=
te:
> > >
> > > > On Wed, Mar 25, 2020 at 01:52:10PM +0000, Tom Trevethan via bitcoin=
-dev wrote:
> > > > > Hi all,
> > > > >
> > > > > We are starting to work on an implementation of the statechains c=
oncept (
> > > > > https://medium.com/@RubenSomsen/statechains-non-custodial-off-cha=
in-bitcoin-transfer-1ae4845a4a39),
> > > > >
> > > > > [...]
> > > > > There are two main modifications we are looking at:
> > > > > [...]
> > > > >
> > > > > 2. Replacing the 2-of-2 multisig output (paying to statechain ent=
ity SE key
> > > > > and transitory key) with a single P2(W)PKH output where the publi=
c key
> > > > > shared between the SE and the current owner. The SE and the curre=
nt owner
> > > > > can then sign with a 2-of-2 ECDSA MPC.
> > > >
> > > > Dr. Trevethan,
> > > >
> > > > Would you be able to explain how your proposal to use statechains w=
ith
> > > > 2P-ECDSA relates to your patent assigned to nChain Holdings for "Se=
cure
> > > > off-chain blockchain transactions"?[1]=C2=A0
> > > >
> > > > =C2=A0 =C2=A0 [1] https://patents.google.com/patent/US20200074464A1
> > > >
> > > > Here are some excerpts from the application that caught my attentio=
n in
> > > > the context of statechains in general and your proposal to this lis=
t in
> > > > particular:
> > > >
> > > > > an exchange platform that is trusted to implement and operate the
> > > > > transaction protocol, without requiring an on-chain transaction. =
The
> > > > > off-chain transactions enable one computer system to generate mul=
tiple
> > > > > transactions that are recordable to a blockchain in different
> > > > > circumstances
> > > > >
> > > > > [...]
> > > > >
> > > > > at least some of the off-chain transactions are valid for recordi=
ng on
> > > > > the blockchain even in the event of a catastrophic failure of the
> > > > > exchange (e.g., exchange going permanently off-line or loosing ke=
y
> > > > > shares).
> > > > >
> > > > > [...]
> > > > >
> > > > > there may be provided a computer readable storage medium includin=
g a
> > > > > two-party elliptic curve digital signature algorithm (two-party E=
CDSA)
> > > > > script comprising computer executable instructions which, when
> > > > > executed, configure a processor to perform functions of a two-par=
ty
> > > > > elliptic curve digital signature algorithm described herein.
> > > > >
> > > > > [...]
> > > > >
> > > > > In this instance the malicious actor would then also have to coll=
ude
> > > > > with a previous owner of the funds to recreate the full key. Beca=
use
> > > > > an attack requires either the simultaneous theft of both exchange=
 and
> > > > > depositor keys or collusion with previous legitimate owners of fu=
nds,
> > > > > the opportunities for a malicious attacker to compromise the exch=
ange
> > > > > platform are limited.
> > > >
> > > > Thank you,
> > > >
> > > > -Dave
> >
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev